feat: in-app deeplink viewer

2026-05-18 13:32:16 -04:00 · 2026-01-25 17:27:04 -06:00
2872 changed files with 130136 additions and 206637 deletions
@@ -2,7 +2,6 @@
  "name": "Immich - Backend, Frontend and ML",
  "service": "immich-server",
  "runServices": [
    "immich-init",
    "immich-server",
    "redis",
    "database",
@@ -27,59 +26,7 @@
        "vitest.explorer",
        "ms-playwright.playwright",
        "ms-azuretools.vscode-docker"
-      ],
+      ]
      "settings": {
        "tasks": {
          "version": "2.0.0",
          "tasks": [
            {
              "label": "Immich API Server (Nest)",
              "type": "shell",
              "command": "[ -f /immich-devcontainer/container-start-backend.sh ] && /immich-devcontainer/container-start-backend.sh || exit 0",
              "isBackground": true,
              "presentation": {
                "echo": true,
                "reveal": "always",
                "focus": false,
                "panel": "dedicated",
                "showReuseMessage": true,
                "clear": false,
                "group": "Devcontainer tasks",
                "close": true
              },
              "runOptions": {
                "runOn": "folderOpen"
              },
              "problemMatcher": []
            },
            {
              "label": "Immich Web Server (Vite)",
              "type": "shell",
              "command": "[ -f /immich-devcontainer/container-start-frontend.sh ] && /immich-devcontainer/container-start-frontend.sh || exit 0",
              "isBackground": true,
              "presentation": {
                "echo": true,
                "reveal": "always",
                "focus": false,
                "panel": "dedicated",
                "showReuseMessage": true,
                "clear": false,
                "group": "Devcontainer tasks",
                "close": true
              },
              "runOptions": {
                "runOn": "folderOpen"
              },
              "problemMatcher": []
            },
            {
              "label": "Build Immich CLI",
              "type": "shell",
              "command": "pnpm --filter @immich/cli build:dev"
            }
          ]
        }
      }
    }
  },
  "features": {
@@ -109,8 +56,8 @@
    }
  },
  "overrideCommand": true,
-  "workspaceFolder": "/usr/src/app",
+  "workspaceFolder": "/workspaces/immich",
-  "remoteUser": "root",
+  "remoteUser": "node",
  "userEnvProbe": "loginInteractiveShell",
  "remoteEnv": {
    // The location where your uploaded files are stored
@@ -1,17 +1,23 @@
 services:
  immich-app-base:
    image: busybox
  immich-server:
    extends:
      service: immich-app-base
    profiles: !reset []
    image: immich-server-dev:latest
    build:
      target: dev-container-mobile
    environment:
      - IMMICH_SERVER_URL=http://127.0.0.1:2283/
-    volumes:
+    volumes: !override # bind mount host to /workspaces/immich
      - ..:/workspaces/immich
      - ${UPLOAD_LOCATION:-upload-devcontainer-volume}${UPLOAD_LOCATION:+/photos}:/data
      - pnpm-store:/usr/src/app/.pnpm-store
      - server-node_modules:/usr/src/app/server/node_modules
      - web-node_modules:/usr/src/app/web/node_modules
      - github-node_modules:/usr/src/app/.github/node_modules
      - cli-node_modules:/usr/src/app/cli/node_modules
      - docs-node_modules:/usr/src/app/docs/node_modules
      - e2e-node_modules:/usr/src/app/e2e/node_modules
      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
      - app-node_modules:/usr/src/app/node_modules
      - sveltekit:/usr/src/app/web/.svelte-kit
      - coverage:/usr/src/app/web/coverage
      - /etc/localtime:/etc/localtime:ro
  immich-web:
    env_file: !reset []
@@ -2,7 +2,6 @@
  "name": "Immich - Mobile",
  "service": "immich-server",
  "runServices": [
    "immich-init",
    "immich-server",
    "redis",
    "database",
@@ -36,7 +35,7 @@
  },
  "forwardPorts": [],
  "overrideCommand": true,
-  "workspaceFolder": "/usr/src/app",
+  "workspaceFolder": "/workspaces/immich",
  "remoteUser": "node",
  "userEnvProbe": "loginInteractiveShell",
  "remoteEnv": {
@@ -2,6 +2,11 @@
 export IMMICH_PORT="${DEV_SERVER_PORT:-2283}"
 export DEV_PORT="${DEV_PORT:-3000}"
 # search for immich directory inside workspace.
 # /workspaces/immich is the bind mount, but other directories can be mounted if runing
 # Devcontainer: Clone [repository|pull request] in container volumne
 WORKSPACES_DIR="/workspaces"
 IMMICH_DIR="$WORKSPACES_DIR/immich"
 IMMICH_DEVCONTAINER_LOG="$HOME/immich-devcontainer.log"
 log() {
@@ -25,8 +30,52 @@ run_cmd() {
    return "${PIPESTATUS[0]}"
 }
-export IMMICH_WORKSPACE="/usr/src/app"
+# Find directories excluding /workspaces/immich
 mapfile -t other_dirs < <(find "$WORKSPACES_DIR" -mindepth 1 -maxdepth 1 -type d ! -path "$IMMICH_DIR" ! -name ".*")
 if [ ${#other_dirs[@]} -gt 1 ]; then
    log "Error: More than one directory found in $WORKSPACES_DIR other than $IMMICH_DIR."
    exit 1
 elif [ ${#other_dirs[@]} -eq 1 ]; then
    export IMMICH_WORKSPACE="${other_dirs[0]}"
 else
    export IMMICH_WORKSPACE="$IMMICH_DIR"
 fi
 log "Found immich workspace in $IMMICH_WORKSPACE"
 log ""
 fix_permissions() {
    log "Fixing permissions for ${IMMICH_WORKSPACE}"
    # Change ownership for directories that exist
    for dir in "${IMMICH_WORKSPACE}/.vscode" \
        "${IMMICH_WORKSPACE}/server/upload" \
        "${IMMICH_WORKSPACE}/.pnpm-store" \
        "${IMMICH_WORKSPACE}/.github/node_modules" \
        "${IMMICH_WORKSPACE}/cli/node_modules" \
        "${IMMICH_WORKSPACE}/e2e/node_modules" \
        "${IMMICH_WORKSPACE}/open-api/typescript-sdk/node_modules" \
        "${IMMICH_WORKSPACE}/server/node_modules" \
        "${IMMICH_WORKSPACE}/server/dist" \
        "${IMMICH_WORKSPACE}/web/node_modules" \
        "${IMMICH_WORKSPACE}/web/dist"; do
        if [ -d "$dir" ]; then
            run_cmd sudo chown node -R "$dir"
        fi
    done
    log ""
 }
 install_dependencies() {
    log "Installing dependencies"
    (
        cd "${IMMICH_WORKSPACE}" || exit 1
        export CI=1 FROZEN=1 OFFLINE=1
        run_cmd make setup-web-dev setup-server-dev
    )
    log ""
 }
@@ -1,22 +1,27 @@
 services:
  immich-app-base:
    image: busybox
  immich-server:
    extends:
      service: immich-app-base
    profiles: !reset []
    image: immich-server-dev:latest
    build:
      target: dev-container-server
    env_file: !reset []
    hostname: immich-dev
    environment:
      - IMMICH_SERVER_URL=http://127.0.0.1:2283/
-    volumes:
+    volumes: !override
      - ..:/workspaces/immich
      - ${UPLOAD_LOCATION:-upload-devcontainer-volume}${UPLOAD_LOCATION:+/photos}:/data
      - /etc/localtime:/etc/localtime:ro
-      - pnpm_store_server:/buildcache/pnpm-store
+      - pnpm-store:/usr/src/app/.pnpm-store
-      - ../packages/plugins:/build/corePlugin
+      - server-node_modules:/usr/src/app/server/node_modules
      - web-node_modules:/usr/src/app/web/node_modules
      - github-node_modules:/usr/src/app/.github/node_modules
      - cli-node_modules:/usr/src/app/cli/node_modules
      - docs-node_modules:/usr/src/app/docs/node_modules
      - e2e-node_modules:/usr/src/app/e2e/node_modules
      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
      - app-node_modules:/usr/src/app/node_modules
      - sveltekit:/usr/src/app/web/.svelte-kit
      - coverage:/usr/src/app/web/coverage
      - ../plugins:/build/corePlugin
  immich-web:
    env_file: !reset []
  immich-machine-learning:
@@ -0,0 +1,17 @@
 #!/bin/bash
 # shellcheck source=common.sh
 # shellcheck disable=SC1091
 source /immich-devcontainer/container-common.sh
 log "Setting up Immich dev container..."
 fix_permissions
 log "Setup complete, please wait while backend and frontend services automatically start"
 log
 log "If necessary, the services may be manually started using"
 log
 log "$ /immich-devcontainer/container-start-backend.sh"
 log "$ /immich-devcontainer/container-start-frontend.sh"
 log
 log "From different terminal windows, as these scripts automatically restart the server"
 log "on error, and will continuously run in a loop"
@@ -30,7 +30,9 @@ machine-learning/
 misc/
 mobile/
-packages/sdk/build/
+open-api/typescript-sdk/build/
 !open-api/typescript-sdk/package.json
 !open-api/typescript-sdk/package-lock.json
 server/upload/
 server/src/queries
@@ -6,12 +6,6 @@ mobile/openapi/**/*.dart linguist-generated=true
 mobile/lib/**/*.g.dart -diff -merge
 mobile/lib/**/*.g.dart linguist-generated=true
 mobile/android/**/*.g.kt -diff -merge
 mobile/android/**/*.g.kt linguist-generated=true
 mobile/ios/**/*.g.swift -diff -merge
 mobile/ios/**/*.g.swift linguist-generated=true
 mobile/lib/**/*.drift.dart -diff -merge
 mobile/lib/**/*.drift.dart linguist-generated=true
@@ -24,7 +18,7 @@ mobile/lib/infrastructure/repositories/db.repository.steps.dart linguist-generat
 mobile/test/drift/main/generated/** -diff -merge
 mobile/test/drift/main/generated/** linguist-generated=true
-packages/sdk/fetch-client.ts -diff -merge
+open-api/typescript-sdk/fetch-client.ts -diff -merge
-packages/sdk/fetch-client.ts linguist-generated=true
+open-api/typescript-sdk/fetch-client.ts linguist-generated=true
 *.sh text eol=lf
@@ -0,0 +1 @@
 24.13.0
@@ -1,7 +1,7 @@
 cli:
  - changed-files:
      - any-glob-to-any-file:
-          - packages/cli/src/**
+          - cli/src/**
 documentation:
  - changed-files:
@@ -1,7 +1,7 @@
 {
  "scripts": {
-    "format": "prettier --cache --check .",
+    "format": "prettier --check .",
-    "format:fix": "prettier --cache --write --list-different ."
+    "format:fix": "prettier --write ."
  },
  "devDependencies": {
    "prettier": "^3.7.4"
@@ -26,7 +26,6 @@ The `/api/something` endpoint is now `/api/something-else`
 ## Checklist:
 - [ ] I have carefully read CONTRIBUTING.md
 - [ ] I have performed a self-review of my own code
 - [ ] I have made corresponding changes to the documentation if applicable
 - [ ] I have no unrelated changes in the PR.
@@ -1,148 +0,0 @@
 name: Auto-close PRs
 on:
  pull_request_target: # zizmor: ignore[dangerous-triggers]
    types: [opened, edited, labeled]
 permissions: {}
 jobs:
  parse_template:
    runs-on: ubuntu-latest
    if: ${{ github.event.action != 'labeled' && github.event.pull_request.head.repo.fork == true }}
    permissions:
      contents: read
    outputs:
      uses_template: ${{ steps.check.outputs.uses_template }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: .github/pull_request_template.md
          sparse-checkout-cone-mode: false
          persist-credentials: false
      - name: Check required sections
        id: check
        env:
          BODY: ${{ github.event.pull_request.body }}
        run: |
          OK=true
          while IFS= read -r header; do
            printf '%s\n' "$BODY" | grep -qF "$header" || OK=false
          done < <(sed '/<!--/,/-->/d' .github/pull_request_template.md | grep "^## ")
          echo "uses_template=$OK" | tee --append "$GITHUB_OUTPUT"
  close_template:
    runs-on: ubuntu-latest
    needs: parse_template
    if: >-
      ${{
        needs.parse_template.outputs.uses_template == 'false'
        && github.event.pull_request.state != 'closed'
        && !contains(github.event.pull_request.labels.*.name, 'auto-closed:template')
      }}
    permissions:
      pull-requests: write
    steps:
      - name: Comment and close
        env:
          GH_TOKEN: ${{ github.token }}
          NODE_ID: ${{ github.event.pull_request.node_id }}
        run: |
          gh api graphql \
            -f prId="$NODE_ID" \
            -f body="This PR has been automatically closed as the description doesn't follow [our template](https://github.com/immich-app/immich/blob/main/.github/pull_request_template.md). After you edit it to match the template, the PR will automatically be reopened." \
            -f query='
              mutation CommentAndClosePR($prId: ID!, $body: String!) {
                addComment(input: {
                  subjectId: $prId,
                  body: $body
                }) {
                  __typename
                }
                closePullRequest(input: {
                  pullRequestId: $prId
                }) {
                  __typename
                }
              }'
      - name: Add label
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --add-label "auto-closed:template"
  close_llm:
    runs-on: ubuntu-latest
    if: ${{ github.event.action == 'labeled' && github.event.label.name == 'auto-closed:llm' }}
    permissions:
      pull-requests: write
    steps:
      - name: Comment and close
        env:
          GH_TOKEN: ${{ github.token }}
          NODE_ID: ${{ github.event.pull_request.node_id }}
        run: |
          gh api graphql \
            -f prId="$NODE_ID" \
            -f body="Thank you for your interest in contributing to Immich! Unfortunately this PR looks like it was generated using an LLM. As noted in our [CONTRIBUTING.md](https://github.com/immich-app/immich/blob/main/CONTRIBUTING.md#use-of-generative-ai), we request that you don't use LLMs to generate PRs as those are not a good use of maintainer time." \
            -f query='
              mutation CommentAndClosePR($prId: ID!, $body: String!) {
                addComment(input: {
                  subjectId: $prId,
                  body: $body
                }) {
                  __typename
                }
                closePullRequest(input: {
                  pullRequestId: $prId
                }) {
                  __typename
                }
              }'
  reopen:
    runs-on: ubuntu-latest
    needs: parse_template
    if: >-
      ${{
        needs.parse_template.outputs.uses_template == 'true'
        && github.event.pull_request.state == 'closed'
        && contains(github.event.pull_request.labels.*.name, 'auto-closed:template')
      }}
    permissions:
      pull-requests: write
    steps:
      - name: Remove template label
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --remove-label "auto-closed:template" || true
      - name: Check for remaining auto-closed labels
        id: check_labels
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          REMAINING=$(gh pr view "$PR_NUMBER" --repo "${{ github.repository }}" --json labels \
            --jq '[.labels[].name | select(startswith("auto-closed:"))] | length')
          echo "remaining=$REMAINING" | tee --append "$GITHUB_OUTPUT"
      - name: Reopen PR
        if: ${{ steps.check_labels.outputs.remaining == '0' }}
        env:
          GH_TOKEN: ${{ github.token }}
          NODE_ID: ${{ github.event.pull_request.node_id }}
        run: |
          gh api graphql \
            -f prId="$NODE_ID" \
            -f query='
              mutation ReopenPR($prId: ID!) {
                reopenPullRequest(input: {
                  pullRequestId: $prId
                }) {
                  __typename
                }
              }'
@@ -51,14 +51,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -73,53 +73,55 @@ jobs:
    needs: pre-job
    permissions:
      contents: read
-      pull-requests: write
+    # Skip when PR from a fork
-    if: ${{ github.actor != 'dependabot[bot]' && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
+    if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
    runs-on: mich
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
-          ref: ${{ inputs.ref }}
+          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup Mise
        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
        with:
          github_token: ${{ steps.token.outputs.token }}
      - name: Create the Keystore
        if: ${{ !github.event.pull_request.head.repo.fork }}
        env:
          KEY_JKS: ${{ secrets.KEY_JKS }}
        working-directory: ./mobile
        run: printf "%s" $KEY_JKS | base64 -d > android/key.jks
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
        with:
          distribution: 'zulu'
          java-version: '17'
      - name: Restore Gradle Cache
        id: cache-gradle-restore
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
            ~/.android/sdk
            mobile/android/.gradle
            mobile/.dart_tool
          key: build-mobile-gradle-${{ runner.os }}-main
      - name: Setup Flutter SDK
        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2.21.0
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
          cache: true
      - name: Setup Android SDK
-        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
+        uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3.2.2
        with:
          packages: ''
@@ -128,10 +130,11 @@ jobs:
        run: flutter pub get
      - name: Generate translation file
-        run: mise //mobile:codegen:translation
+        run: dart run easy_localization:generate -S ../i18n && dart run bin/generate_keys.dart
        working-directory: ./mobile
      - name: Generate platform APIs
-        run: mise //mobile:codegen:pigeon
+        run: make pigeon
        working-directory: ./mobile
      - name: Build Android App Bundle
@@ -141,46 +144,23 @@ jobs:
          ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
          ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
          IS_MAIN: ${{ github.ref == 'refs/heads/main' }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          if [[ $IS_MAIN == 'true' ]]; then
            flutter build apk --release
            flutter build apk --release --split-per-abi --target-platform android-arm,android-arm64,android-x64
          else
-            flutter build apk --release
+            flutter build apk --debug --split-per-abi --target-platform android-arm64
          fi
      - name: Publish Android Artifact
-        id: upload-apk
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: release-apk-signed
          path: mobile/build/app/outputs/flutter-apk/*.apk
      - name: Comment APK download link on PR
        if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork }}
        uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          APK_URL: ${{ steps.upload-apk.outputs.artifact-url }}
        with:
          github-token: ${{ steps.token.outputs.token }}
          message-id: 'mobile-android-apk'
          message: |
            📱 **Android release APK (universal)** — `${{ env.HEAD_SHA }}`
            Download: ${{ env.APK_URL }}
            <details>
              <summary>QR code</summary>
              <img src="https://api.qrserver.com/v1/create-qr-code/?size=240x240&data=${{ env.APK_URL }}" alt="QR code" />
            </details>
            Installs as a separate app (applicationId `app.alextran.immich.pr${{ github.event.pull_request.number }}`), so it coexists with the Play Store version and any other PR builds.
      - name: Save Gradle Cache
        id: cache-gradle-save
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        if: github.ref == 'refs/heads/main'
        with:
          path: |
@@ -188,6 +168,7 @@ jobs:
            ~/.gradle/wrapper
            ~/.android/sdk
            mobile/android/.gradle
            mobile/.dart_tool
          key: ${{ steps.cache-gradle-restore.outputs.cache-primary-key }}
  build-sign-ios:
@@ -197,41 +178,36 @@ jobs:
      contents: read
    # Run on main branch or workflow_dispatch, or on PRs/other branches (build only, no upload)
    if: ${{ !github.event.pull_request.head.repo.fork && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
-    runs-on: macos-15
+    runs-on: macos-latest
    steps:
      - id: token
        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Select Xcode 26
        run: sudo xcode-select -s /Applications/Xcode_26.2.app/Contents/Developer
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
-      - name: Setup Mise
+      - name: Setup Flutter SDK
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
          cache: true
      - name: Install Flutter dependencies
        working-directory: ./mobile
        run: flutter pub get
      - name: Generate translation files
-        run: mise //mobile:codegen:translation
+        run: dart run easy_localization:generate -S ../i18n && dart run bin/generate_keys.dart
        working-directory: ./mobile
      - name: Generate platform APIs
-        run: mise //mobile:codegen:pigeon
+        run: make pigeon
        working-directory: ./mobile
      - name: Setup Ruby
-        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'
          bundler-cache: true
@@ -290,8 +266,6 @@ jobs:
          ENVIRONMENT: ${{ inputs.environment || 'development' }}
          BUNDLE_ID_SUFFIX: ${{ inputs.environment == 'production' && '' || 'development' }}
          GITHUB_REF: ${{ github.ref }}
          FASTLANE_XCODEBUILD_SETTINGS_TIMEOUT: 120
          FASTLANE_XCODEBUILD_SETTINGS_RETRIES: 6
        working-directory: ./mobile/ios
        run: |
          # Only upload to TestFlight on main branch
@@ -312,7 +286,7 @@ jobs:
          security delete-keychain build.keychain || true
      - name: Upload IPA artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: ios-release-ipa
          path: mobile/ios/Runner.ipa
@@ -19,13 +19,13 @@ jobs:
      actions: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -1,31 +0,0 @@
 name: Check OpenAPI
 on:
  workflow_dispatch:
  pull_request:
    paths:
      - 'open-api/**'
      - '.github/workflows/check-openapi.yml'
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 permissions: {}
 jobs:
  check-openapi:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Check for breaking API changes
        uses: oasdiff/oasdiff-action/breaking@26ccb332c67a45ca649de9faf60552ef1b8260d9 # v0.0.46
        with:
          base: https://raw.githubusercontent.com/${{ github.repository }}/main/open-api/immich-openapi-specs.json
          revision: open-api/immich-openapi-specs.json
          fail-on: ERR
@@ -3,11 +3,11 @@ on:
  push:
    branches: [main]
    paths:
-      - 'packages/cli/**'
+      - 'cli/**'
      - '.github/workflows/cli.yml'
  pull_request:
    paths:
-      - 'packages/cli/**'
+      - 'cli/**'
      - '.github/workflows/cli.yml'
  release:
    types: [published]
@@ -24,32 +24,43 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    defaults:
      run:
-        working-directory: ./packages/cli
+        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - name: Checkout code
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup Mise
+      - name: Setup pnpm
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
        with:
          github_token: ${{ steps.token.outputs.token }}
-      - name: Publish
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './cli/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Setup typescript-sdk
        run: pnpm install && pnpm run build
        working-directory: ./open-api/typescript-sdk
      - run: pnpm install --frozen-lockfile
      - run: pnpm build
      - run: pnpm publish --no-git-checks
        if: ${{ github.event_name == 'release' }}
-        run: mise run ci-publish
+        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  docker:
    name: Docker
@@ -61,25 +72,25 @@ jobs:
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          registry: ghcr.io
@@ -89,12 +100,12 @@ jobs:
      - name: Get package version
        id: package-version
        run: |
-          version=$(jq -r '.version' packages/cli/package.json)
+          version=$(jq -r '.version' cli/package.json)
          echo "version=$version" >> "$GITHUB_OUTPUT"
      - name: Generate docker image tags
        id: metadata
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        with:
          flavor: |
            latest=false
@@ -105,9 +116,9 @@ jobs:
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}
      - name: Build and push image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
-          file: packages/cli/Dockerfile
+          file: cli/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name == 'release' }}
          cache-from: type=gha
@@ -35,7 +35,7 @@ jobs:
    needs: [get_body, should_run]
    if: ${{ needs.should_run.outputs.should_run == 'true' }}
    container:
-      image: ghcr.io/immich-app/mdq:main@sha256:0a8b8867773a0f8368061f47578603f438349f8f1f28b0e16105f481e5c794e0
+      image: ghcr.io/immich-app/mdq:main@sha256:ab9f163cd5d5cec42704a26ca2769ecf3f10aa8e7bae847f1d527cdf075946e6
    outputs:
      checked: ${{ steps.get_checkbox.outputs.checked }}
    steps:
@@ -44,20 +44,20 @@ jobs:
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -83,6 +83,6 @@ jobs:
      #   ./location_of_script_within_repo/buildscript.sh
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{matrix.language}}'
@@ -23,14 +23,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -60,7 +60,7 @@ jobs:
        suffix: ['', '-cuda', '-rocm', '-openvino', '-armnn', '-rknn']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -90,7 +90,7 @@ jobs:
        suffix: ['']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -131,8 +131,8 @@ jobs:
          - device: rocm
            suffixes: '-rocm'
            platforms: linux/amd64
-            runner-mapping: '{"linux/amd64": "pokedex-large"}'
+            runner-mapping: '{"linux/amd64": "mich"}'
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@0477486d82313fba68f7c82c034120a4b8981297 # multi-runner-build-workflow-v2.1.0
    permissions:
      contents: read
      actions: read
@@ -155,7 +155,7 @@ jobs:
    name: Build and Push Server
    needs: pre-job
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).server == true }}
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@0477486d82313fba68f7c82c034120a4b8981297 # multi-runner-build-workflow-v2.1.0
    permissions:
      contents: read
      actions: read
@@ -178,7 +178,7 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
        with:
          needs: ${{ toJSON(needs) }}
@@ -189,6 +189,6 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
        with:
          needs: ${{ toJSON(needs) }}
@@ -21,14 +21,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -54,21 +54,27 @@ jobs:
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
          fetch-depth: 0
-      - name: Setup Mise
+      - name: Setup pnpm
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './docs/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Run install
        run: pnpm install
@@ -80,7 +86,7 @@ jobs:
        run: pnpm build
      - name: Upload build output
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: docs-build-output
          path: docs/build/
@@ -20,16 +20,16 @@ jobs:
      artifact: ${{ steps.get-artifact.outputs.result }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - if: ${{ github.event.workflow_run.conclusion != 'success' }}
        run: echo 'The triggering workflow did not succeed' && exit 1
      - name: Get artifact
        id: get-artifact
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          script: |
@@ -48,7 +48,7 @@ jobs:
            return { found: true, id: matchArtifact.id };
      - name: Determine deploy parameters
        id: parameters
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        with:
@@ -119,25 +119,23 @@ jobs:
    if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+        uses: immich-app/devtools/actions/use-mise@cd24790a7f5f6439ac32cc94f5523cb2de8bfa8c # use-mise-action-v1.1.0
        with:
          github_token: ${{ steps.token.outputs.token }}
      - name: Load parameters
        id: parameters
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          PARAM_JSON: ${{ needs.checks.outputs.parameters }}
        with:
@@ -149,7 +147,7 @@ jobs:
            core.setOutput("shouldDeploy", parameters.shouldDeploy);
      - name: Download artifact
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }}
        with:
@@ -194,13 +192,16 @@ jobs:
          ' >> $GITHUB_OUTPUT
      - name: Publish to Cloudflare Pages
-        working-directory: docs
+        # TODO: Action is deprecated
-        env:
+        uses: cloudflare/pages-action@f0a1cd58cd66095dee69bfa18fa5efd1dde93bca # v1.5.0
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
+        with:
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
-          PROJECT_NAME: ${{ steps.docs-output.outputs.projectName }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          BRANCH_NAME: ${{ steps.parameters.outputs.name }}
+          projectName: ${{ steps.docs-output.outputs.projectName }}
-        run: mise run //docs:deploy
+          workingDirectory: 'docs'
          directory: 'build'
          branch: ${{ steps.parameters.outputs.name }}
          wranglerVersion: '3'
      - name: Deploy Docs Release Domain
        if: ${{ steps.parameters.outputs.event == 'release' }}
@@ -213,7 +214,7 @@ jobs:
        run: 'mise run //deployment:tf apply'
      - name: Comment
-        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a # v3.3.0
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
        if: ${{ steps.parameters.outputs.event == 'pr' }}
        with:
          token: ${{ steps.token.outputs.token }}
@@ -17,21 +17,19 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+        uses: immich-app/devtools/actions/use-mise@cd24790a7f5f6439ac32cc94f5523cb2de8bfa8c # use-mise-action-v1.1.0
        with:
          github_token: ${{ steps.token.outputs.token }}
      - name: Destroy Docs Subdomain
        env:
@@ -44,7 +42,7 @@ jobs:
        run: 'mise run //deployment:tf destroy -- -refresh=false'
      - name: Comment
-        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a # v3.3.0
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
        with:
          token: ${{ steps.token.outputs.token }}
          number: ${{ github.event.number }}
@@ -14,35 +14,41 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-      - id: token
+      - name: Generate a token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        id: generate-token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - name: Checkout code
+      - name: 'Checkout'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          token: ${{ steps.token.outputs.token }}
-      - name: Setup Mise
+      - name: Setup pnpm
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Fix formatting
-        run: pnpm --recursive install && pnpm run --recursive --if-present --parallel format:fix
+        run: pnpm --recursive install && pnpm run --recursive --parallel fix:format
      - name: Commit and push
-        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
        with:
          default_author: github_actions
          message: 'chore: fix formatting'
      - name: Remove label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        if: always()
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
@@ -4,7 +4,7 @@ on:
  workflow_dispatch:
  workflow_call:
    secrets:
-      PUSH_O_MATIC_APP_CLIENT_ID:
+      PUSH_O_MATIC_APP_ID:
        required: true
      PUSH_O_MATIC_APP_KEY:
        required: true
@@ -31,9 +31,9 @@ jobs:
      - name: Generate a token
        id: generate_token
        if: ${{ inputs.skip != true }}
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Find translation PR
@@ -14,13 +14,13 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Require PR to have a changelog label
-        uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5.5.2
+        uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1
        with:
          token: ${{ steps.token.outputs.token }}
          mode: exactly
@@ -12,11 +12,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        with:
          repo-token: ${{ steps.token.outputs.token }}
@@ -36,7 +36,7 @@ jobs:
    permissions:
      pull-requests: write
    secrets:
-      PUSH_O_MATIC_APP_CLIENT_ID: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+      PUSH_O_MATIC_APP_ID: ${{ secrets.PUSH_O_MATIC_APP_ID }}
      PUSH_O_MATIC_APP_KEY: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}
@@ -48,27 +48,32 @@ jobs:
      version: ${{ steps.output.outputs.version }}
    permissions: {} # No job-level permissions are needed because it uses the app-token
    steps:
-      - id: token
+      - name: Generate a token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        id: generate-token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - name: Checkout code
+      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
-          token: ${{ steps.token.outputs.token }}
+          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          ref: main
      - name: Setup Mise
        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
        with:
          github_token: ${{ steps.token.outputs.token }}
      # TODO move to mise
      - name: Install uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Bump version
        env:
@@ -81,7 +86,7 @@ jobs:
      - name: Commit and tag
        id: push-tag
-        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
        with:
          default_author: github_actions
          message: 'chore: version ${{ steps.output.outputs.version }}'
@@ -104,6 +109,12 @@ jobs:
      APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
      IOS_CERTIFICATE_P12: ${{ secrets.IOS_CERTIFICATE_P12 }}
      IOS_CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
      IOS_PROVISIONING_PROFILE: ${{ secrets.IOS_PROVISIONING_PROFILE }}
      IOS_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_SHARE_EXTENSION }}
      IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
      IOS_DEVELOPMENT_PROVISIONING_PROFILE: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE }}
      IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION }}
      IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
      FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}
    with:
@@ -119,25 +130,25 @@ jobs:
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false
      - name: Download APK
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: release-apk-signed
          github-token: ${{ steps.generate-token.outputs.token }}
      - name: Create draft release
-        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          draft: true
          tag_name: ${{ needs.bump_version.outputs.version }}
@@ -146,7 +157,6 @@ jobs:
          body_path: misc/release/notes.tmpl
          files: |
            docker/docker-compose.yml
            docker/docker-compose.rootless.yml
            docker/example.env
            docker/hwaccel.ml.yml
            docker/hwaccel.transcoding.yml
@@ -14,12 +14,12 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          message-id: 'preview-status'
@@ -32,12 +32,12 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          script: |
@@ -48,14 +48,14 @@ jobs:
              name: 'preview'
            })
-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
        if: ${{ github.event.pull_request.head.repo.fork }}
        with:
          github-token: ${{ steps.token.outputs.token }}
          message-id: 'preview-status'
          message: 'PRs from forks cannot have preview environments.'
-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          github-token: ${{ steps.token.outputs.token }}
@@ -0,0 +1,170 @@
 name: Manage release PR
 on:
  workflow_dispatch:
  push:
    branches:
      - main
 concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true
 permissions: {}
 jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          ref: main
      - name: Install uv
        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Determine release type
        id: bump-type
        uses: ietf-tools/semver-action@c90370b2958652d71c06a3484129a4d423a6d8a8 # v1.11.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
      - name: Bump versions
        env:
          TYPE: ${{ steps.bump-type.outputs.bump }}
        run: |
          if [ "$TYPE" == "none" ]; then
            exit 1 # TODO: Is there a cleaner way to abort the workflow?
          fi
          misc/release/pump-version.sh -s $TYPE -m true
      - name: Manage Outline release document
        id: outline
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          OUTLINE_API_KEY: ${{ secrets.OUTLINE_API_KEY }}
          NEXT_VERSION: ${{ steps.bump-type.outputs.next }}
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
            const fs = require('fs');
            const outlineKey = process.env.OUTLINE_API_KEY;
            const parentDocumentId = 'da856355-0844-43df-bd71-f8edce5382d9'
            const collectionId = 'e2910656-714c-4871-8721-447d9353bd73';
            const baseUrl = 'https://outline.immich.cloud';
            const listResponse = await fetch(`${baseUrl}/api/documents.list`, {
              method: 'POST',
              headers: {
                'Authorization': `Bearer ${outlineKey}`,
                'Content-Type': 'application/json'
              },
              body: JSON.stringify({ parentDocumentId })
            });
            if (!listResponse.ok) {
              throw new Error(`Outline list failed: ${listResponse.statusText}`);
            }
            const listData = await listResponse.json();
            const allDocuments = listData.data || [];
            const document = allDocuments.find(doc => doc.title === 'next');
            let documentId;
            let documentUrl;
            let documentText;
            if (!document) {
              // Create new document
              console.log('No existing document found. Creating new one...');
              const notesTmpl = fs.readFileSync('misc/release/notes.tmpl', 'utf8');
              const createResponse = await fetch(`${baseUrl}/api/documents.create`, {
                method: 'POST',
                headers: {
                  'Authorization': `Bearer ${outlineKey}`,
                  'Content-Type': 'application/json'
                },
                body: JSON.stringify({
                  title: 'next',
                  text: notesTmpl,
                  collectionId: collectionId,
                  parentDocumentId: parentDocumentId,
                  publish: true
                })
              });
              if (!createResponse.ok) {
                throw new Error(`Failed to create document: ${createResponse.statusText}`);
              }
              const createData = await createResponse.json();
              documentId = createData.data.id;
              const urlId = createData.data.urlId;
              documentUrl = `${baseUrl}/doc/next-${urlId}`;
              documentText = createData.data.text || '';
              console.log(`Created new document: ${documentUrl}`);
            } else {
              documentId = document.id;
              const docPath = document.url;
              documentUrl = `${baseUrl}${docPath}`;
              documentText = document.text || '';
              console.log(`Found existing document: ${documentUrl}`);
            }
            // Generate GitHub release notes
            console.log('Generating GitHub release notes...');
            const releaseNotesResponse = await github.rest.repos.generateReleaseNotes({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag_name: `${process.env.NEXT_VERSION}`,
            });
            // Combine the content
            const changelog = `
            # ${process.env.NEXT_VERSION}
            ${documentText}
            ${releaseNotesResponse.data.body}
            ---
            `
            const existingChangelog = fs.existsSync('CHANGELOG.md') ? fs.readFileSync('CHANGELOG.md', 'utf8') : '';
            fs.writeFileSync('CHANGELOG.md', changelog + existingChangelog, 'utf8');
            core.setOutput('document_url', documentUrl);
      - name: Create PR
        id: create-pr
        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          commit-message: 'chore: release ${{ steps.bump-type.outputs.next }}'
          title: 'chore: release ${{ steps.bump-type.outputs.next }}'
          body: 'Release notes: ${{ steps.outline.outputs.document_url }}'
          labels: 'changelog:skip'
          branch: 'release/next'
          draft: true
@@ -0,0 +1,148 @@
 name: release.yml
 on:
  pull_request:
    types: [closed]
    paths:
      - CHANGELOG.md
 jobs:
  # Maybe double check PR source branch?
  merge_translations:
    uses: ./.github/workflows/merge-translations.yml
    permissions:
      pull-requests: write
    secrets:
      PUSH_O_MATIC_APP_ID: ${{ secrets.PUSH_O_MATIC_APP_ID }}
      PUSH_O_MATIC_APP_KEY: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}
  build_mobile:
    uses: ./.github/workflows/build-mobile.yml
    needs: merge_translations
    permissions:
      contents: read
    secrets:
      KEY_JKS: ${{ secrets.KEY_JKS }}
      ALIAS: ${{ secrets.ALIAS }}
      ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
      ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
      # iOS secrets
      APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
      APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
      APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
      IOS_CERTIFICATE_P12: ${{ secrets.IOS_CERTIFICATE_P12 }}
      IOS_CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
      IOS_PROVISIONING_PROFILE: ${{ secrets.IOS_PROVISIONING_PROFILE }}
      IOS_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_SHARE_EXTENSION }}misc/release/notes.tmpl
      IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
      IOS_DEVELOPMENT_PROVISIONING_PROFILE: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE }}
      IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION }}
      IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
      FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}
    with:
      ref: main
      environment: production
  prepare_release:
    runs-on: ubuntu-latest
    needs: build_mobile
    permissions:
      actions: read # To download the app artifact
    steps:
      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false
          ref: main
      - name: Extract changelog
        id: changelog
        run: |
          CHANGELOG_PATH=$RUNNER_TEMP/changelog.md
          sed -n '1,/^---$/p' CHANGELOG.md | head -n -1 > $CHANGELOG_PATH
          echo "path=$CHANGELOG_PATH" >> $GITHUB_OUTPUT
          VERSION=$(sed -n 's/^# //p' $CHANGELOG_PATH)
          echo "version=$VERSION" >> $GITHUB_OUTPUT
      - name: Download APK
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: release-apk-signed
          github-token: ${{ steps.generate-token.outputs.token }}
      - name: Create draft release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ steps.version.outputs.result }}
          token: ${{ steps.generate-token.outputs.token }}
          body_path: ${{ steps.changelog.outputs.path }}
          draft: true
          files: |
            docker/docker-compose.yml
            docker/example.env
            docker/hwaccel.ml.yml
            docker/hwaccel.transcoding.yml
            docker/prometheus.yml
            *.apk
      - name: Rename Outline document
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        continue-on-error: true
        env:
          OUTLINE_API_KEY: ${{ secrets.OUTLINE_API_KEY }}
          VERSION: ${{ steps.changelog.outputs.version }}
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
            const outlineKey = process.env.OUTLINE_API_KEY;
            const version = process.env.VERSION;
            const parentDocumentId = 'da856355-0844-43df-bd71-f8edce5382d9';
            const baseUrl = 'https://outline.immich.cloud';
            const listResponse = await fetch(`${baseUrl}/api/documents.list`, {
              method: 'POST',
              headers: {
                'Authorization': `Bearer ${outlineKey}`,
                'Content-Type': 'application/json'
              },
              body: JSON.stringify({ parentDocumentId })
            });
            if (!listResponse.ok) {
              throw new Error(`Outline list failed: ${listResponse.statusText}`);
            }
            const listData = await listResponse.json();
            const allDocuments = listData.data || [];
            const document = allDocuments.find(doc => doc.title === 'next');
            if (document) {
              console.log(`Found document 'next', renaming to '${version}'...`);
              const updateResponse = await fetch(`${baseUrl}/api/documents.update`, {
                method: 'POST',
                headers: {
                  'Authorization': `Bearer ${outlineKey}`,
                  'Content-Type': 'application/json'
                },
                body: JSON.stringify({
                  id: document.id,
                  title: version
                })
              });
              if (!updateResponse.ok) {
                throw new Error(`Failed to rename document: ${updateResponse.statusText}`);
              }
            } else {
              console.log('No document titled "next" found to rename');
            }
@@ -12,31 +12,36 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
-      id-token: write
+    defaults:
-      packages: write
+      run:
        working-directory: ./open-api/typescript-sdk
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - name: Checkout code
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup Mise
+      - name: Setup pnpm
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      # Setup .npmrc file to publish to npm
      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './open-api/typescript-sdk/.nvmrc'
-
+          registry-url: 'https://registry.npmjs.org'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install deps
-        run: pnpm --filter @immich/sdk install --frozen-lockfile
+        run: pnpm install --frozen-lockfile
      - name: Build
-        run: pnpm --filter @immich/sdk build
+        run: pnpm build
      - name: Publish
-        run: pnpm --filter @immich/sdk publish --provenance --no-git-checks
+        run: pnpm publish --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -20,14 +20,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -49,41 +49,41 @@ jobs:
        working-directory: ./mobile
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup Mise
+      - name: Setup Flutter SDK
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2.21.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
      - name: Install dependencies
-        run: flutter pub get
+        run: dart pub get
-      - name: Install dependencies for UI package
+      - name: Install DCM
-        run: flutter pub get
+        uses: CQLabs/setup-dcm@8697ae0790c0852e964a6ef1d768d62a6675481a # v2.0.1
-        working-directory: ./mobile/packages/ui
+        with:
          github-token: ${{ steps.token.outputs.token }}
          version: auto
          working-directory: ./mobile
-      - name: Install dependencies for UI Showcase
+      - name: Generate translation file
-        run: flutter pub get
+        run: dart run easy_localization:generate -S ../i18n && dart run bin/generate_keys.dart
        working-directory: ./mobile/packages/ui/showcase
      - name: Generate translation files
        run: mise //mobile:codegen:translation
      - name: Run Build Runner
-        run: mise //mobile:codegen:dart
+        run: make build
      - name: Generate platform API
-        run: mise //mobile:codegen:pigeon
+        run: make pigeon
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
@@ -99,16 +99,20 @@ jobs:
        env:
          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
        run: |
-          echo "ERROR: Generated files not up to date! Run 'mise //mobile:codegen:dart' and 'mise //mobile:codegen:pigeon'"
+          echo "ERROR: Generated files not up to date! Run 'make build' and 'make pigeon' inside the mobile directory"
          echo "Changed files: ${CHANGED_FILES}"
          exit 1
-      - name: Run analyze
+      - name: Run dart analyze
-        run: mise //mobile:analyze
+        run: dart analyze --fatal-infos
-      - name: Run format
+      - name: Run dart format
-        run: mise //mobile:format
+        run: make format
      # TODO: Re-enable after upgrading custom_lint
      # - name: Run dart custom_lint
      #   run: dart run custom_lint
      # TODO: Use https://github.com/CQLabs/dcm-action
      - name: Run DCM
        run: dcm analyze lib --fatal-style --fatal-warnings
@@ -17,14 +17,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -33,18 +33,14 @@ jobs:
            web:
              - 'web/**'
              - 'i18n/**'
-              - 'packages/sdk/**'
+              - 'open-api/typescript-sdk/**'
              - 'pnpm-lock.yaml'
            server:
              - 'server/**'
              - 'pnpm-lock.yaml'
            cli:
-              - 'packages/cli/**'
+              - 'cli/**'
-              - 'packages/sdk/**'
+              - 'open-api/typescript-sdk/**'
              - 'pnpm-lock.yaml'
            e2e:
              - 'e2e/**'
              - 'pnpm-lock.yaml'
            mobile:
              - 'mobile/**'
            machine-learning:
@@ -67,25 +63,39 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup Mise
+      - name: Setup pnpm
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './server/.nvmrc'
-
+          cache: 'pnpm'
-      - name: Run ci-unit
+          cache-dependency-path: '**/pnpm-lock.yaml'
-        run: mise run ci-unit
+      - name: Run package manager install
-
+        run: pnpm install
      - name: Run linter
        run: pnpm lint
        if: ${{ !cancelled() }}
      - name: Run formatter
        run: pnpm format
        if: ${{ !cancelled() }}
      - name: Run tsc
        run: pnpm check
        if: ${{ !cancelled() }}
      - name: Run small tests & coverage
        run: pnpm test
        if: ${{ !cancelled() }}
  cli-unit-tests:
    name: Unit Test CLI
    needs: pre-job
@@ -95,28 +105,44 @@ jobs:
      contents: read
    defaults:
      run:
-        working-directory: ./packages/cli
+        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './cli/.nvmrc'
-
+          cache: 'pnpm'
-      - name: Run ci-unit
+          cache-dependency-path: '**/pnpm-lock.yaml'
-        run: mise run ci-unit
+      - name: Setup typescript-sdk
-
+        run: pnpm install && pnpm run build
        working-directory: ./open-api/typescript-sdk
      - name: Install deps
        run: pnpm install
      - name: Run linter
        run: pnpm lint
        if: ${{ !cancelled() }}
      - name: Run formatter
        run: pnpm format
        if: ${{ !cancelled() }}
      - name: Run tsc
        run: pnpm check
        if: ${{ !cancelled() }}
      - name: Run unit tests & coverage
        run: pnpm test
        if: ${{ !cancelled() }}
  cli-unit-tests-win:
    name: Unit Test CLI (Windows)
    needs: pre-job
@@ -126,41 +152,39 @@ jobs:
      contents: read
    defaults:
      run:
-        working-directory: ./packages/cli
+        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './cli/.nvmrc'
-
+          cache: 'pnpm'
-      - name: Run setup @immich/sdk
+          cache-dependency-path: '**/pnpm-lock.yaml'
-        run: mise run //:sdk:install && mise run //:sdk:build
+      - name: Setup typescript-sdk
-
+        run: pnpm install --frozen-lockfile && pnpm build
-      - name: Run pnpm install
+        working-directory: ./open-api/typescript-sdk
      - name: Install deps
        run: pnpm install --frozen-lockfile
      # Skip linter & formatter in Windows test.
      - name: Run tsc
        run: pnpm check
        if: ${{ !cancelled() }}
      - name: Run unit tests & coverage
        run: pnpm test
        if: ${{ !cancelled() }}
  web-lint:
    name: Lint Web
    needs: pre-job
@@ -173,32 +197,38 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './web/.nvmrc'
-
+          cache: 'pnpm'
-      - name: Run setup @immich/sdk
+          cache-dependency-path: '**/pnpm-lock.yaml'
-        run: mise run //:sdk:install && mise run //:sdk:build
+      - name: Run setup typescript-sdk
-
+        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: ./open-api/typescript-sdk
      - name: Run pnpm install
-        run: pnpm install --frozen-lockfile
+        run: pnpm rebuild && pnpm install --frozen-lockfile
      - name: Run linter
        run: pnpm lint
        if: ${{ !cancelled() }}
-
+      - name: Run formatter
        run: pnpm format
        if: ${{ !cancelled() }}
      - name: Run svelte checks
        run: pnpm check:svelte
        if: ${{ !cancelled() }}
  web-unit-tests:
    name: Test Web
    needs: pre-job
@@ -211,25 +241,35 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './web/.nvmrc'
-
+          cache: 'pnpm'
-      - name: Run ci-unit
+          cache-dependency-path: '**/pnpm-lock.yaml'
-        run: mise run ci-unit
+      - name: Run setup typescript-sdk
-
+        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: ./open-api/typescript-sdk
      - name: Run npm install
        run: pnpm install --frozen-lockfile
      - name: Run tsc
        run: pnpm check:typescript
        if: ${{ !cancelled() }}
      - name: Run unit tests & coverage
        run: pnpm test
        if: ${{ !cancelled() }}
  i18n-tests:
    name: Test i18n
    needs: pre-job
@@ -239,35 +279,34 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './web/.nvmrc'
-
+          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install dependencies
-        run: pnpm -w install --frozen-lockfile
+        run: pnpm --filter=immich-i18n install --frozen-lockfile
      - name: Format
-        run: pnpm format:fix
+        run: pnpm --filter=immich-i18n format:fix
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
            i18n/**
      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
@@ -276,7 +315,6 @@ jobs:
          echo "ERROR: i18n files not up to date!"
          echo "Changed files: ${CHANGED_FILES}"
          exit 1
  e2e-tests-lint:
    name: End-to-End Lint
    needs: pre-job
@@ -289,26 +327,40 @@ jobs:
        working-directory: ./e2e
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './e2e/.nvmrc'
-
+          cache: 'pnpm'
-      - name: Run ci-unit
+          cache-dependency-path: '**/pnpm-lock.yaml'
-        run: mise run ci-unit
+      - name: Run setup typescript-sdk
        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: ./open-api/typescript-sdk
        if: ${{ !cancelled() }}
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
      - name: Run linter
        run: pnpm lint
        if: ${{ !cancelled() }}
      - name: Run formatter
        run: pnpm format
        if: ${{ !cancelled() }}
      - name: Run tsc
        run: pnpm check
        if: ${{ !cancelled() }}
  server-medium-tests:
    name: Medium Tests (Server)
    needs: pre-job
@@ -321,27 +373,30 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './server/.nvmrc'
-
+          cache: 'pnpm'
-      - name: Run ci-medium
+          cache-dependency-path: '**/pnpm-lock.yaml'
-        run: mise run ci-medium
+      - name: Run pnpm install
        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm install --frozen-lockfile
      - name: Run medium tests
        run: pnpm test:medium
        if: ${{ !cancelled() }}
  e2e-tests-server-cli:
    name: End-to-End Tests (Server & CLI)
    needs: pre-job
@@ -357,68 +412,46 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          node-version-file: '.nvmrc'
+          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
-
+      - name: Run setup typescript-sdk
-      - name: Setup packages
+        run: pnpm install --frozen-lockfile && pnpm build
-        run: pnpm --filter "@immich/*" install --frozen-lockfile && pnpm --filter "@immich/*" build
+        working-directory: ./open-api/typescript-sdk
-
+        if: ${{ !cancelled() }}
      - name: Run setup web
        run: pnpm install --frozen-lockfile && pnpm exec svelte-kit sync
        working-directory: ./web
        if: ${{ !cancelled() }}
-
+      - name: Run setup cli
        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: ./cli
        if: ${{ !cancelled() }}
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
-
+      - name: Docker build
-      - name: Start Docker Compose
+        run: docker compose build
        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
      - name: Run e2e tests (api & cli)
        env:
          VITEST_DISABLE_DOCKER_SETUP: true
        run: pnpm test
        if: ${{ !cancelled() }}
      - name: Run e2e tests (maintenance)
        env:
          VITEST_DISABLE_DOCKER_SETUP: true
        run: pnpm test:maintenance
        if: ${{ !cancelled() }}
      - name: Capture Docker logs
        if: always()
        run: docker compose logs --no-color > docker-compose-logs.txt
        working-directory: ./e2e
      - name: Archive Docker logs
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: e2e-server-docker-logs-${{ matrix.runner }}
          path: e2e/docker-compose-logs.txt
  e2e-tests-web:
    name: End-to-End Tests (Web)
    needs: pre-job
@@ -434,95 +467,60 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          node-version-file: '.nvmrc'
+          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
-
+      - name: Run setup typescript-sdk
-      - name: Run setup @immich/sdk
+        run: pnpm install --frozen-lockfile && pnpm build
-        run: pnpm --filter @immich/sdk install --frozen-lockfile && pnpm --filter @immich/sdk build
+        working-directory: ./open-api/typescript-sdk
        if: ${{ !cancelled() }}
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
      - name: Install Playwright Browsers
-        run: pnpm exec playwright install chromium --only-shell
+        run: npx playwright install chromium --only-shell
        if: ${{ !cancelled() }}
      - name: Docker build
-        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+        run: docker compose build
        if: ${{ !cancelled() }}
      - name: Run e2e tests (web)
        env:
-          PLAYWRIGHT_DISABLE_WEBSERVER: true
+          CI: true
-        run: pnpm test:web
+        run: npx playwright test --project=chromium
        if: ${{ !cancelled() }}
-
+      - name: Archive web results
-      - name: Archive e2e test (web) results
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: success() || failure()
        with:
          name: e2e-web-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
      - name: Run ui tests (web)
        env:
-          PLAYWRIGHT_DISABLE_WEBSERVER: true
+          CI: true
-        run: pnpm test:web:ui
+        run: npx playwright test --project=ui
        if: ${{ !cancelled() }}
-
+      - name: Archive ui results
-      - name: Archive ui test (web) results
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: success() || failure()
        with:
          name: e2e-ui-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
      - name: Run maintenance tests
        env:
          PLAYWRIGHT_DISABLE_WEBSERVER: true
        run: pnpm test:web:maintenance
        if: ${{ !cancelled() }}
      - name: Archive maintenance tests (web) results
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: success() || failure()
        with:
          name: e2e-maintenance-isolated-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
      - name: Capture Docker logs
        if: always()
        run: docker compose logs --no-color > docker-compose-logs.txt
        working-directory: ./e2e
      - name: Archive Docker logs
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: e2e-web-docker-logs-${{ matrix.runner }}
          path: e2e/docker-compose-logs.txt
  success-check-e2e:
    name: End-to-End Tests Success
    needs: [e2e-tests-server-cli, e2e-tests-web]
@@ -530,7 +528,7 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
        with:
          needs: ${{ toJSON(needs) }}
  mobile-unit-tests:
@@ -542,31 +540,26 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup Flutter SDK
-      - name: Setup Mise
+        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2.21.0
        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          channel: 'stable'
-
+          flutter-version-file: ./mobile/pubspec.yaml
-      - name: Install dependencies
+      - name: Generate translation file
-        run: flutter pub get
+        run: dart run easy_localization:generate -S ../i18n && dart run bin/generate_keys.dart
        working-directory: ./mobile
      - name: Generate translation files
        run: mise //mobile:codegen:translation
      - name: Run tests
-        run: mise //mobile:test
+        working-directory: ./mobile
-
+        run: flutter test -j 1
  ml-unit-tests:
    name: Unit Test ML
    needs: pre-job
@@ -579,24 +572,34 @@ jobs:
        working-directory: ./machine-learning
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Install uv
-      - name: Setup Mise
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          python-version: 3.11
-
+      - name: Install dependencies
-      - name: Run ci-unit
+        run: |
-        run: mise run ci-unit
+          uv sync --extra cpu
-
+      - name: Lint with ruff
        run: |
          uv run ruff check --output-format=github immich_ml
      - name: Check black formatting
        run: |
          uv run black --check immich_ml
      - name: Run mypy type checking
        run: |
          uv run mypy --strict immich_ml/
      - name: Run tests and coverage
        run: |
          uv run pytest --cov=immich_ml --cov-report term-missing
  github-files-formatting:
    name: .github Files Formatting
    needs: pre-job
@@ -609,29 +612,29 @@ jobs:
        working-directory: ./.github
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './.github/.nvmrc'
-
+          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Run pnpm install
        run: pnpm install --frozen-lockfile
      - name: Run formatter
        run: pnpm format
        if: ${{ !cancelled() }}
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-latest
@@ -639,12 +642,12 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -660,38 +663,39 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './server/.nvmrc'
-
+          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install server dependencies
        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm --filter immich install --frozen-lockfile
-
+      - name: Build the app
        run: pnpm --filter immich build
      - name: Run API generation
-        run: mise //:open-api
+        run: ./bin/generate-open-api.sh
        working-directory: open-api
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
            mobile/openapi
-            packages/sdk
+            open-api/typescript-sdk
            open-api/immich-openapi-specs.json
      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
@@ -700,7 +704,6 @@ jobs:
          echo "ERROR: Generated files not up to date!"
          echo "Changed files: ${CHANGED_FILES}"
          exit 1
  sql-schema-up-to-date:
    name: SQL Schema Checks
    runs-on: ubuntu-latest
@@ -722,45 +725,41 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
+      - name: Setup pnpm
-      - name: Setup Mise
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './server/.nvmrc'
-
+          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install server dependencies
        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm install --frozen-lockfile
      - name: Build the app
        run: pnpm build
      - name: Run existing migrations
        run: pnpm migrations:run
      - name: Test npm run schema:reset command works
        run: pnpm schema:reset
      - name: Generate new migrations
        continue-on-error: true
        run: pnpm migrations:generate src/TestMigration
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
            server/src
      - name: Verify migration files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
@@ -770,19 +769,16 @@ jobs:
          echo "Changed files: ${CHANGED_FILES}"
          cat ./src/*-TestMigration.ts
          exit 1
      - name: Run SQL generation
-        run: mise //:sql
+        run: pnpm sync:sql
        env:
          DB_URL: postgres://postgres:postgres@localhost:5432/immich
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-sql-files
        with:
          files: |
            server/src/queries
      - name: Verify SQL files have not changed
        if: steps.verify-changed-sql-files.outputs.files_changed == 'true'
        env:
@@ -24,14 +24,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -47,9 +47,9 @@ jobs:
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).i18n == true }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      - name: Bot review status
@@ -68,6 +68,6 @@ jobs:
    permissions: {}
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
        with:
          needs: ${{ toJSON(needs) }}
@@ -20,7 +20,7 @@ mobile/openapi/doc
 mobile/openapi/.openapi-generator/FILES
 mobile/ios/build
-packages/**/build
+open-api/typescript-sdk/build
 mobile/android/fastlane/report.xml
 mobile/ios/fastlane/report.xml
@@ -28,5 +28,3 @@ vite.config.js.timestamp-*
 .pnpm-store
 .devcontainer/library
 .devcontainer/.env*
 *.tsbuildinfo
 *.tsbuildInfo
@@ -1,3 +1,6 @@
 [submodule "mobile/.isar"]
 	path = mobile/.isar
 	url = https://github.com/isar/isar
 [submodule "e2e/test-assets"]
 	path = e2e/test-assets
 	url = https://github.com/immich-app/test-assets
@@ -1 +0,0 @@
 24.15.0
@@ -4,18 +4,12 @@ module.exports = {
      if (!pkg.name) {
        return pkg;
      }
      // make exiftool-vendored.pl a regular dependency since Docker prod
      // images build with --no-optional to reduce image size
      if (pkg.name === "exiftool-vendored") {
-        const binaryPackage =
+        if (pkg.optionalDependencies["exiftool-vendored.pl"]) {
-          process.platform === "win32"
+          // make exiftool-vendored.pl a regular dependency
-            ? "exiftool-vendored.exe"
+          pkg.dependencies["exiftool-vendored.pl"] =
-            : "exiftool-vendored.pl";
+            pkg.optionalDependencies["exiftool-vendored.pl"];
-
+          delete pkg.optionalDependencies["exiftool-vendored.pl"];
        if (pkg.optionalDependencies[binaryPackage]) {
          pkg.dependencies[binaryPackage] =
            pkg.optionalDependencies[binaryPackage];
          delete pkg.optionalDependencies[binaryPackage];
        }
      }
      return pkg;
@@ -5,13 +5,6 @@
    "dbaeumer.vscode-eslint",
    "dart-code.flutter",
    "dart-code.dart-code",
-    "dcmdev.dcm-vscode-extension",
+    "dcmdev.dcm-vscode-extension"
    "bradlc.vscode-tailwindcss",
    "ms-playwright.playwright",
    "vitest.explorer",
    "editorconfig.editorconfig",
    "foxundermoon.shell-format",
    "timonwong.shellcheck",
    "bluebrown.yamlfmt"
  ]
 }
@@ -23,17 +23,15 @@
      "type": "node",
      "request": "launch",
      "name": "Immich CLI",
-      "program": "${workspaceFolder}/packages/cli/dist/index.js",
+      "program": "${workspaceFolder}/cli/dist/index.js",
      "args": ["upload", "--help"],
      "runtimeArgs": ["--enable-source-maps"],
      "console": "integratedTerminal",
-      "resolveSourceMapLocations": [
+      "resolveSourceMapLocations": ["${workspaceFolder}/cli/dist/**/*.js.map"],
        "${workspaceFolder}/packages/cli/dist/**/*.js.map"
      ],
      "sourceMaps": true,
-      "outFiles": ["${workspaceFolder}/packages/cli/dist/**/*.js"],
+      "outFiles": ["${workspaceFolder}/cli/dist/**/*.js"],
      "skipFiles": ["<node_internals>/**"],
-      "preLaunchTask": "Build @immich/cli"
+      "preLaunchTask": "Build Immich CLI"
    }
  ]
 }
@@ -1,7 +1,8 @@
 {
  "[css]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true
+    "editor.formatOnSave": true,
    "editor.tabSize": 2
  },
  "[dart]": {
    "editor.defaultFormatter": "Dart-Code.dart-code",
@@ -13,66 +14,51 @@
    "editor.wordBasedSuggestions": "off"
  },
  "[javascript]": {
    "editor.codeActionsOnSave": {
      "source.organizeImports": "explicit",
      "source.removeUnusedImports": "explicit"
    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true
+    "editor.formatOnSave": true,
    "editor.tabSize": 2
  },
  "[json]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true
+    "editor.formatOnSave": true,
    "editor.tabSize": 2
  },
  "[jsonc]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true
+    "editor.formatOnSave": true,
    "editor.tabSize": 2
  },
  "[svelte]": {
    "editor.codeActionsOnSave": {
      "source.organizeImports": "explicit",
      "source.removeUnusedImports": "explicit"
    },
    "editor.defaultFormatter": "svelte.svelte-vscode",
    "editor.formatOnSave": true,
-    "tailwindCSS.lint.suggestCanonicalClasses": "ignore"
+    "editor.tabSize": 2
  },
  "svelte.plugin.svelte.compilerWarnings": {
    "state_referenced_locally": "ignore"
  },
  "[typescript]": {
    "editor.codeActionsOnSave": {
      "source.organizeImports": "explicit",
      "source.removeUnusedImports": "explicit"
    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true
+    "editor.formatOnSave": true,
    "editor.tabSize": 2
  },
  "cSpell.words": ["immich"],
  "css.lint.unknownAtRules": "ignore",
  "editor.bracketPairColorization.enabled": true,
  "editor.formatOnSave": true,
  "eslint.useFlatConfig": true,
  "eslint.validate": ["javascript", "typescript", "svelte"],
  "eslint.workingDirectories": [
    { "directory": "cli", "changeProcessCWD": true },
    { "directory": "e2e", "changeProcessCWD": true },
    { "directory": "server", "changeProcessCWD": true },
    { "directory": "web", "changeProcessCWD": true }
  ],
  "files.watcherExclude": {
    "**/.jj/**": true,
    "**/.git/**": true,
    "**/node_modules/**": true,
    "**/build/**": true,
    "**/dist/**": true,
    "**/.svelte-kit/**": true
  },
  "explorer.fileNesting.enabled": true,
  "explorer.fileNesting.patterns": {
    "*.dart": "${capture}.g.dart,${capture}.gr.dart,${capture}.drift.dart",
    "*.ts": "${capture}.spec.ts,${capture}.mock.ts",
    "package.json": "package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lockb, bun.lock, pnpm-workspace.yaml, .pnpmfile.cjs"
  },
  "search.exclude": {
    "**/node_modules": true,
    "**/build": true,
    "**/dist": true,
    "**/.svelte-kit": true,
    "**/open-api/typescript-sdk/src": true
  },
  "svelte.enable-ts-plugin": true,
-  "tailwindCSS.experimental.configFile": {
+  "typescript.preferences.importModuleSpecifier": "non-relative"
    "web/src/app.css": "web/src/**"
  },
  "js/ts.preferences.importModuleSpecifier": "non-relative",
  "vitest.maximumConfigs": 10
 }
@@ -0,0 +1,80 @@
 {
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Fix Permissions, Install Dependencies",
      "type": "shell",
      "command": "[ -f /immich-devcontainer/container-start.sh ] && /immich-devcontainer/container-start.sh || exit 0",
      "isBackground": true,
      "presentation": {
        "echo": true,
        "reveal": "always",
        "focus": false,
        "panel": "dedicated",
        "showReuseMessage": true,
        "clear": false,
        "group": "Devcontainer tasks",
        "close": true
      },
      "runOptions": {
        "runOn": "default"
      },
      "problemMatcher": []
    },
    {
      "label": "Immich API Server (Nest)",
      "dependsOn": ["Fix Permissions, Install Dependencies"],
      "type": "shell",
      "command": "[ -f /immich-devcontainer/container-start-backend.sh ] && /immich-devcontainer/container-start-backend.sh || exit 0",
      "isBackground": true,
      "presentation": {
        "echo": true,
        "reveal": "always",
        "focus": false,
        "panel": "dedicated",
        "showReuseMessage": true,
        "clear": false,
        "group": "Devcontainer tasks",
        "close": true
      },
      "runOptions": {
        "runOn": "default"
      },
      "problemMatcher": []
    },
    {
      "label": "Immich Web Server (Vite)",
      "dependsOn": ["Fix Permissions, Install Dependencies"],
      "type": "shell",
      "command": "[ -f /immich-devcontainer/container-start-frontend.sh ] && /immich-devcontainer/container-start-frontend.sh || exit 0",
      "isBackground": true,
      "presentation": {
        "echo": true,
        "reveal": "always",
        "focus": false,
        "panel": "dedicated",
        "showReuseMessage": true,
        "clear": false,
        "group": "Devcontainer tasks",
        "close": true
      },
      "runOptions": {
        "runOn": "default"
      },
      "problemMatcher": []
    },
    {
      "label": "Immich Server and Web",
      "dependsOn": ["Immich Web Server (Vite)", "Immich API Server (Nest)"],
      "runOptions": {
        "runOn": "folderOpen"
      },
      "problemMatcher": []
    },
    {
      "label": "Build Immich CLI",
      "type": "shell",
      "command": "pnpm --filter cli build:dev"
    }
  ]
 }
@@ -15,31 +15,17 @@ Please try to keep pull requests as focused as possible. A PR should do exactly
 If you are looking for something to work on, there are discussions and issues with a `good-first-issue` label on them. These are always a good starting point. If none of them sound interesting or fit your skill set, feel free to reach out on our Discord. We're happy to help you find something to work on!
 We usually do not assign issues to new contributors, since it happens often that a PR is never even opened. Again, reach out on Discord if you fear putting a lot of time into fixing an issue, but ending up with a duplicate PR.
 ## Use of generative AI
-We ask you not to open PRs generated with an LLM. We find that code generated like this tends to need a large amount of back-and-forth, which is a very inefficient use of our time. If we want LLM-generated code, it's much faster for us to use an LLM ourselves than to go through an intermediary via a pull request.
+We generally discourage PRs entirely generated by an LLM. For any part generated by an LLM, please put extra effort into your self-review. By using generative AI without proper self-review, the time you save ends up being more work we need to put in for proper reviews and code cleanup. Please keep that in mind when submitting code by an LLM. Clearly state the use of LLMs/(generative) AI in your pull request as requested by the template.
 ## Feature freezes
 From time to time, we put a feature freeze on parts of the codebase. For us, this means we won't accept most PRs that make changes in that area. Exempted from this are simple bug fixes that require only minor changes. We will close feature PRs that target a feature-frozen area, even if that feature is highly requested and you put a lot of work into it. Please keep that in mind, and if you're ever uncertain if a PR would be accepted, reach out to us first (e.g., in the aforementioned `#contributing` channel). We hate to throw away work. Currently, we have feature freezes on:
- Sharing/Asset ownership
+* Sharing/Asset ownership
- (External) libraries
+* (External) libraries
 ## Non-code contributions
-If you want to contribute to Immich but you don't feel comfortable programming in our tech stack, there are other ways you can help the team.
+If you want to contribute to Immich but you don't feel comfortable programming in our tech stack, there are other ways you can help the team. All our translations are done through [Weblate](https://hosted.weblate.org/projects/immich). These rely entirely on the community; if you speak a language that isn't fully translated yet, submitting translations there is greatly appreciated! If you like helping others, answering Q&A discussions here on GitHub and replying to people on our Discord is also always appreciated.
 ### Translations
 All our translations are done through [Weblate](https://hosted.weblate.org/projects/immich). These rely entirely on the community; if you speak a language that isn't fully translated yet, submitting translations there is greatly appreciated!
 ### Datasets
 Help us improve our [Immich Datasets](https://datasets.immich.app) by submitting photos and videos taken from a variety of devices, including smartphones, DSLRs, and action cameras, as well as photos with unique features, such as panoramas, burst photos, and photo spheres. These datasets will be publically available for anyone to use, do not submit private/sensitive photos.
 ### Community support
 If you like helping others, answering Q&A discussions here on GitHub and replying to people on our Discord is also always appreciated.
@@ -37,24 +37,105 @@ prod-scale:
 .PHONY: open-api
 open-api:
-	@printf "This command has been removed. Please use:\n\n    mise open-api          # or mise //:open-api from another directory\n\n"\n\n >&2 && exit 1
+	cd ./open-api && bash ./bin/generate-open-api.sh
 open-api-dart:
 	cd ./open-api && bash ./bin/generate-open-api.sh dart
 open-api-typescript:
 	cd ./open-api && bash ./bin/generate-open-api.sh typescript
 sql:
-	@printf "This command has been removed. Please use:\n\n    mise sql               # or mise //:sql from another directory\n\n"\n\n >&2 && exit 1
+	pnpm --filter immich run sync:sql
 attach-server:
 	docker exec -it docker_immich-server_1 sh
 renovate:
-  LOG_LEVEL=debug pnpm exec renovate --platform=local --repository-cache=reset
+  LOG_LEVEL=debug npx renovate --platform=local --repository-cache=reset
 # Directories that need to be created for volumes or build output
 VOLUME_DIRS = \
 	./.pnpm-store \
 	./web/.svelte-kit \
 	./web/node_modules \
 	./web/coverage \
 	./e2e/node_modules \
 	./docs/node_modules \
 	./server/node_modules \
 	./open-api/typescript-sdk/node_modules \
 	./.github/node_modules \
 	./node_modules \
 	./cli/node_modules
 # Include .env file if it exists
 -include docker/.env
 MODULES = e2e server web cli sdk docs .github
 # directory to package name mapping function
 #   cli     = @immich/cli
 #   docs    = documentation
 #   e2e     = immich-e2e
 #   open-api/typescript-sdk = @immich/sdk
 #   server  = immich
 #   web     = immich-web
 map-package = $(subst sdk,@immich/sdk,$(subst cli,@immich/cli,$(subst docs,documentation,$(subst e2e,immich-e2e,$(subst server,immich,$(subst web,immich-web,$1))))))
 audit-%:
 	pnpm --filter $(call map-package,$*) audit fix
 install-%:
 	pnpm --filter $(call map-package,$*) install $(if $(FROZEN),--frozen-lockfile) $(if $(OFFLINE),--offline)
 build-cli: build-sdk
 build-web: build-sdk
 build-%: install-%
 	pnpm --filter $(call map-package,$*) run build
 format-%:
 	pnpm --filter $(call map-package,$*) run format:fix
 lint-%:
 	pnpm --filter $(call map-package,$*) run lint:fix
 check-%:
 	pnpm --filter $(call map-package,$*) run check
 check-web:
 	pnpm --filter immich-web run check:typescript
 	pnpm --filter immich-web run check:svelte
 test-%:
 	pnpm --filter $(call map-package,$*) run test
 test-e2e:
 	docker compose -f ./e2e/docker-compose.yml build
 	pnpm --filter immich-e2e run test
 	pnpm --filter immich-e2e run test:web
 test-medium:
 	docker run \
    --rm \
    -v ./server/src:/usr/src/app/src \
    -v ./server/test:/usr/src/app/test \
    -v ./server/vitest.config.medium.mjs:/usr/src/app/vitest.config.medium.mjs \
    -v ./server/tsconfig.json:/usr/src/app/tsconfig.json \
    -e NODE_ENV=development \
    immich-server:latest \
    -c "pnpm test:medium -- --run"
 test-medium-dev:
 	docker exec -it immich_server /bin/sh -c "pnpm run test:medium"
 install-all:
 	pnpm -r --filter '!documentation' install
 build-all: $(foreach M,$(filter-out e2e docs .github,$(MODULES)),build-$M) ;
 check-all:
 	pnpm -r --filter '!documentation' run "/^(check|check\:svelte|check\:typescript)$/"
 lint-all:
 	pnpm -r --filter '!documentation' run lint:fix
 format-all:
 	pnpm -r --filter '!documentation' run format:fix
 audit-all:
 	pnpm -r --filter '!documentation' audit fix
 hygiene-all: audit-all
 	pnpm -r --filter '!documentation' run "/(format:fix|check|check:svelte|check:typescript|sql)/"
 test-all:
 	pnpm -r --filter '!documentation' run "/^test/"
 clean:
 	find . -name "node_modules" -type d -prune -exec rm -rf {} +
@@ -65,3 +146,7 @@ clean:
 	find . -name ".pnpm-store" -type d -prune -exec rm -rf '{}' +
 	command -v docker >/dev/null 2>&1 && docker compose -f ./docker/docker-compose.dev.yml down -v --remove-orphans || true
 	command -v docker >/dev/null 2>&1 && docker compose -f ./e2e/docker-compose.yml down -v --remove-orphans || true
 setup-server-dev: install-server
 setup-web-dev: install-sdk build-sdk install-web
@@ -0,0 +1 @@
 24.13.0
@@ -0,0 +1,14 @@
 FROM node:24.1.0-alpine3.20@sha256:8fe019e0d57dbdce5f5c27c0b63d2775cf34b00e3755a7dea969802d7e0c2b25 AS core
 WORKDIR /usr/src/app
 COPY package* pnpm* .pnpmfile.cjs ./
 COPY ./cli ./cli/
 COPY ./open-api/typescript-sdk ./open-api/typescript-sdk/
 RUN corepack enable pnpm && \
  pnpm install --filter @immich/sdk --filter @immich/cli --frozen-lockfile && \
  pnpm --filter @immich/sdk build && \
  pnpm --filter @immich/cli build
 WORKDIR /import
 ENTRYPOINT ["node", "/usr/src/app/cli/dist"]
@@ -4,9 +4,14 @@ Please see the [Immich CLI documentation](https://docs.immich.app/features/comma
 # For developers
-Before building the CLI, you must build the immich server and the open-api client. You can use the following command:
+Before building the CLI, you must build the immich server and the open-api client. To build the server run the following in the server folder:
-    $ mise //:open-api
+    $ pnpm install
    $ pnpm run build
 Then, to build the open-api client run the following in the open-api folder:
    $ ./bin/generate-open-api.sh
 ## Run from build
@@ -7,7 +7,7 @@ run = "vite build"
 [tasks.test]
 env._.path = "./node_modules/.bin"
-run = "vitest"
+run = "vite"
 [tasks.lint]
 env._.path = "./node_modules/.bin"
@@ -27,26 +27,3 @@ run = "prettier --write ."
 [tasks.check]
 env._.path = "./node_modules/.bin"
 run = "tsc --noEmit"
 [tasks.ci-publish]
 depends = ["//:sdk:install", "//:sdk:build"]
 run = [
  { task = ":install" },
  { task = ":build" },
  "pnpm publish --provenance --no-git-checks",
 ]
 [tasks.ci-unit]
 depends = ["//:sdk:install", "//:sdk:build"]
 run = [
  { task = ":install" },
  { task = ":format" },
  { task = ":lint" },
  { task = ":check" },
  { task = ":test --run" },
 ]
 [tasks.checklist]
 run = [
 { task = ":ci-unit" },
 ]
@@ -1,12 +1,7 @@
 {
  "name": "@immich/cli",
-  "version": "2.7.5",
+  "version": "2.2.105",
  "description": "Command Line Interface (CLI) for Immich",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/immich-app/immich.git",
    "directory": "packages/cli"
  },
  "type": "module",
  "exports": "./dist/index.js",
  "bin": {
@@ -18,30 +13,31 @@
    "cli"
  ],
  "devDependencies": {
-    "@eslint/js": "^10.0.0",
+    "@eslint/js": "^9.8.0",
-    "@immich/sdk": "workspace:*",
+    "@immich/sdk": "file:../open-api/typescript-sdk",
    "@types/byte-size": "^8.1.0",
    "@types/cli-progress": "^3.11.0",
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.12.2",
+    "@types/node": "^24.10.8",
-    "@vitest/coverage-v8": "^4.0.0",
+    "@vitest/coverage-v8": "^3.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
    "commander": "^12.0.0",
-    "eslint": "^10.0.0",
+    "eslint": "^9.14.0",
    "eslint-config-prettier": "^10.1.8",
    "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-unicorn": "^64.0.0",
+    "eslint-plugin-unicorn": "^62.0.0",
-    "globals": "^17.0.0",
+    "globals": "^16.0.0",
    "mock-fs": "^5.2.0",
    "prettier": "^3.7.4",
    "prettier-plugin-organize-imports": "^4.0.0",
-    "typescript": "^6.0.0",
+    "typescript": "^5.3.3",
-    "typescript-eslint": "^8.58.0",
+    "typescript-eslint": "^8.28.0",
-    "vite": "^8.0.0",
+    "vite": "^7.0.0",
-    "vitest": "^4.0.0",
+    "vite-tsconfig-paths": "^6.0.0",
    "vitest": "^3.0.0",
    "vitest-fetch-mock": "^0.4.0",
    "yaml": "^2.3.1"
  },
@@ -49,14 +45,19 @@
    "build": "vite build",
    "build:dev": "vite build --sourcemap true",
    "lint": "eslint \"src/**/*.ts\" --max-warnings 0",
-    "lint:fix": "pnpm run lint --fix",
+    "lint:fix": "npm run lint -- --fix",
-    "prepack": "pnpm run build",
+    "prepack": "npm run build",
    "test": "vitest",
    "test:cov": "vitest --coverage",
-    "format": "prettier --cache --check .",
+    "format": "prettier --check .",
-    "format:fix": "prettier --cache --write --list-different .",
+    "format:fix": "prettier --write .",
    "check": "tsc --noEmit"
  },
  "repository": {
    "type": "git",
    "url": "git+https://github.com/immich-app/immich.git",
    "directory": "cli"
  },
  "engines": {
    "node": ">=20.0.0"
  },
@@ -66,5 +67,8 @@
    "fastq": "^1.17.1",
    "lodash-es": "^4.17.21",
    "micromatch": "^4.0.8"
  },
  "volta": {
    "node": "24.13.0"
  }
 }
@@ -1,21 +1,13 @@
-import fs from 'node:fs';
+import * as fs from 'node:fs';
-import os from 'node:os';
+import * as os from 'node:os';
-import path from 'node:path';
+import * as path from 'node:path';
 import { setTimeout as sleep } from 'node:timers/promises';
 import { describe, expect, it, MockedFunction, vi } from 'vitest';
-import { AssetRejectReason, AssetUploadAction, checkBulkUpload, defaults, getSupportedMediaTypes } from '@immich/sdk';
+import { Action, checkBulkUpload, defaults, getSupportedMediaTypes, Reason } from '@immich/sdk';
 import createFetchMock from 'vitest-fetch-mock';
-import {
+import { checkForDuplicates, getAlbumName, startWatch, uploadFiles, UploadOptionsDto } from 'src/commands/asset';
  checkForDuplicates,
  deleteFiles,
  findSidecar,
  getAlbumName,
  startWatch,
  uploadFiles,
  UploadOptionsDto,
 } from 'src/commands/asset';
 vi.mock('@immich/sdk');
@@ -58,7 +50,7 @@ describe('uploadFiles', () => {
  });
  it('returns new assets when upload file is successful', async () => {
-    fetchMocker.doMockIf(new RegExp(`${baseUrl}/assets$`), function () {
+    fetchMocker.doMockIf(new RegExp(`${baseUrl}/assets$`), () => {
      return {
        status: 200,
        body: JSON.stringify({ id: 'fc5621b1-86f6-44a1-9905-403e607df9f5', status: 'created' }),
@@ -75,7 +67,7 @@ describe('uploadFiles', () => {
  it('returns new assets when upload file retry is successful', async () => {
    let counter = 0;
-    fetchMocker.doMockIf(new RegExp(`${baseUrl}/assets$`), function () {
+    fetchMocker.doMockIf(new RegExp(`${baseUrl}/assets$`), () => {
      counter++;
      if (counter < retry) {
        throw new Error('Network error');
@@ -96,7 +88,7 @@ describe('uploadFiles', () => {
  });
  it('returns new assets when upload file retry is failed', async () => {
-    fetchMocker.doMockIf(new RegExp(`${baseUrl}/assets$`), function () {
+    fetchMocker.doMockIf(new RegExp(`${baseUrl}/assets$`), () => {
      throw new Error('Network error');
    });
@@ -120,7 +112,7 @@ describe('checkForDuplicates', () => {
    vi.mocked(checkBulkUpload).mockResolvedValue({
      results: [
        {
-          action: AssetUploadAction.Accept,
+          action: Action.Accept,
          id: testFilePath,
        },
      ],
@@ -144,10 +136,10 @@ describe('checkForDuplicates', () => {
    vi.mocked(checkBulkUpload).mockResolvedValue({
      results: [
        {
-          action: AssetUploadAction.Reject,
+          action: Action.Reject,
          id: testFilePath,
          assetId: 'fc5621b1-86f6-44a1-9905-403e607df9f5',
-          reason: AssetRejectReason.Duplicate,
+          reason: Reason.Duplicate,
        },
      ],
    });
@@ -167,7 +159,7 @@ describe('checkForDuplicates', () => {
    vi.mocked(checkBulkUpload).mockResolvedValue({
      results: [
        {
-          action: AssetUploadAction.Accept,
+          action: Action.Accept,
          id: testFilePath,
        },
      ],
@@ -187,7 +179,7 @@ describe('checkForDuplicates', () => {
    mocked.mockResolvedValue({
      results: [
        {
-          action: AssetUploadAction.Accept,
+          action: Action.Accept,
          id: testFilePath,
        },
      ],
@@ -236,19 +228,16 @@ describe('startWatch', () => {
    await sleep(100); // to debounce the watcher from considering the test file as a existing file
    await fs.promises.writeFile(testFilePath, 'testjpg');
-    await vi.waitFor(
+    await vi.waitUntil(() => checkBulkUploadMocked.mock.calls.length > 0, 3000);
-      () =>
+    expect(checkBulkUpload).toHaveBeenCalledWith({
-        expect(checkBulkUpload).toHaveBeenCalledWith({
+      assetBulkUploadCheckDto: {
-          assetBulkUploadCheckDto: {
+        assets: [
-            assets: [
+          expect.objectContaining({
-              expect.objectContaining({
+            id: testFilePath,
-                id: testFilePath,
+          }),
-              }),
+        ],
-            ],
+      },
-          },
+    });
        }),
      { timeout: 5000 },
    );
  });
  it('should filter out unsupported files', async () => {
@@ -260,19 +249,16 @@ describe('startWatch', () => {
    await fs.promises.writeFile(testFilePath, 'testjpg');
    await fs.promises.writeFile(unsupportedFilePath, 'testtxt');
-    await vi.waitFor(
+    await vi.waitUntil(() => checkBulkUploadMocked.mock.calls.length > 0, 3000);
-      () =>
+    expect(checkBulkUpload).toHaveBeenCalledWith({
-        expect(checkBulkUpload).toHaveBeenCalledWith({
+      assetBulkUploadCheckDto: {
-          assetBulkUploadCheckDto: {
+        assets: expect.arrayContaining([
-            assets: expect.arrayContaining([
+          expect.objectContaining({
-              expect.objectContaining({
+            id: testFilePath,
-                id: testFilePath,
+          }),
-              }),
+        ]),
-            ]),
+      },
-          },
+    });
        }),
      { timeout: 5000 },
    );
    expect(checkBulkUpload).not.toHaveBeenCalledWith({
      assetBulkUploadCheckDto: {
@@ -297,19 +283,16 @@ describe('startWatch', () => {
    await fs.promises.writeFile(testFilePath, 'testjpg');
    await fs.promises.writeFile(ignoredFilePath, 'ignoredjpg');
-    await vi.waitFor(
+    await vi.waitUntil(() => checkBulkUploadMocked.mock.calls.length > 0, 3000);
-      () =>
+    expect(checkBulkUpload).toHaveBeenCalledWith({
-        expect(checkBulkUpload).toHaveBeenCalledWith({
+      assetBulkUploadCheckDto: {
-          assetBulkUploadCheckDto: {
+        assets: expect.arrayContaining([
-            assets: expect.arrayContaining([
+          expect.objectContaining({
-              expect.objectContaining({
+            id: testFilePath,
-                id: testFilePath,
+          }),
-              }),
+        ]),
-            ]),
+      },
-          },
+    });
        }),
      { timeout: 5000 },
    );
    expect(checkBulkUpload).not.toHaveBeenCalledWith({
      assetBulkUploadCheckDto: {
@@ -326,85 +309,3 @@ describe('startWatch', () => {
    await fs.promises.rm(testFolder, { recursive: true, force: true });
  });
 });
 describe('findSidecar', () => {
  let testDir: string;
  let testFilePath: string;
  beforeEach(() => {
    testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test-sidecar-'));
    testFilePath = path.join(testDir, 'test.jpg');
    fs.writeFileSync(testFilePath, 'test');
  });
  afterEach(() => {
    fs.rmSync(testDir, { recursive: true, force: true });
  });
  it('should find sidecar file with photo.xmp naming convention', () => {
    const sidecarPath = path.join(testDir, 'test.xmp');
    fs.writeFileSync(sidecarPath, 'xmp data');
    const result = findSidecar(testFilePath);
    expect(result).toBe(sidecarPath);
  });
  it('should find sidecar file with photo.ext.xmp naming convention', () => {
    const sidecarPath = path.join(testDir, 'test.jpg.xmp');
    fs.writeFileSync(sidecarPath, 'xmp data');
    const result = findSidecar(testFilePath);
    expect(result).toBe(sidecarPath);
  });
  it('should prefer photo.ext.xmp over photo.xmp when both exist', () => {
    const sidecarPath1 = path.join(testDir, 'test.xmp');
    const sidecarPath2 = path.join(testDir, 'test.jpg.xmp');
    fs.writeFileSync(sidecarPath1, 'xmp data 1');
    fs.writeFileSync(sidecarPath2, 'xmp data 2');
    const result = findSidecar(testFilePath);
    // Should return the first one found (photo.xmp) based on the order in the code
    expect(result).toBe(sidecarPath1);
  });
  it('should return undefined when no sidecar file exists', () => {
    const result = findSidecar(testFilePath);
    expect(result).toBeUndefined();
  });
 });
 describe('deleteFiles', () => {
  let testDir: string;
  let testFilePath: string;
  beforeEach(() => {
    testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test-delete-'));
    testFilePath = path.join(testDir, 'test.jpg');
    fs.writeFileSync(testFilePath, 'test');
  });
  afterEach(() => {
    fs.rmSync(testDir, { recursive: true, force: true });
  });
  it('should delete asset and sidecar file when main file is deleted', async () => {
    const sidecarPath = path.join(testDir, 'test.xmp');
    fs.writeFileSync(sidecarPath, 'xmp data');
    await deleteFiles([{ id: 'test-id', filepath: testFilePath }], [], { delete: true, concurrency: 1 });
    expect(fs.existsSync(testFilePath)).toBe(false);
    expect(fs.existsSync(sidecarPath)).toBe(false);
  });
  it('should not delete sidecar file when delete option is false', async () => {
    const sidecarPath = path.join(testDir, 'test.xmp');
    fs.writeFileSync(sidecarPath, 'xmp data');
    await deleteFiles([{ id: 'test-id', filepath: testFilePath }], [], { delete: false, concurrency: 1 });
    expect(fs.existsSync(testFilePath)).toBe(true);
    expect(fs.existsSync(sidecarPath)).toBe(true);
  });
 });
@@ -1,10 +1,9 @@
 import {
  Action,
  AssetBulkUploadCheckItem,
  AssetBulkUploadCheckResult,
  AssetMediaResponseDto,
  AssetMediaStatus,
  AssetUploadAction,
  Permission,
  addAssetsToAlbum,
  checkBulkUpload,
  createAlbum,
@@ -17,15 +16,17 @@ import { Matcher, watch as watchFs } from 'chokidar';
 import { MultiBar, Presets, SingleBar } from 'cli-progress';
 import { chunk } from 'lodash-es';
 import micromatch from 'micromatch';
-import { Stats, createReadStream, existsSync } from 'node:fs';
+import { Stats, createReadStream } from 'node:fs';
 import { stat, unlink } from 'node:fs/promises';
 import path, { basename } from 'node:path';
 import { Queue } from 'src/queue';
-import { BaseOptions, Batcher, authenticate, crawl, requirePermissions, s, sha1 } from 'src/utils';
+import { BaseOptions, Batcher, authenticate, crawl, sha1 } from 'src/utils';
 const UPLOAD_WATCH_BATCH_SIZE = 100;
 const UPLOAD_WATCH_DEBOUNCE_TIME_MS = 10_000;
 const s = (count: number) => (count === 1 ? '' : 's');
 // TODO figure out why `id` is missing
 type AssetBulkUploadCheckResults = Array<AssetBulkUploadCheckResult & { id: string }>;
 type Asset = { id: string; filepath: string };
@@ -135,7 +136,6 @@ export const startWatch = async (
 export const upload = async (paths: string[], baseOptions: BaseOptions, options: UploadOptionsDto) => {
  await authenticate(baseOptions);
  await requirePermissions([Permission.AssetUpload]);
  const scanFiles = await scan(paths, options);
@@ -180,49 +180,18 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
  }
  let multiBar: MultiBar | undefined;
  let totalSize = 0;
  const statsMap = new Map<string, Stats>();
  // Calculate total size first
  for (const filepath of files) {
    const stats = await stat(filepath);
    statsMap.set(filepath, stats);
    totalSize += stats.size;
  }
  if (progress) {
    multiBar = new MultiBar(
-      {
+      { format: '{message} | {bar} | {percentage}% | ETA: {eta}s | {value}/{total} assets' },
        format: '{message} | {bar} | {percentage}% | ETA: {eta_formatted} | {value}/{total}',
        formatValue: (v: number, options, type) => {
          // Don't format percentage
          if (type === 'percentage') {
            return v.toString();
          }
          return byteSize(v).toString();
        },
        etaBuffer: 100, // Increase samples for ETA calculation
      },
      Presets.shades_classic,
    );
    // Ensure we restore cursor on interrupt
    process.on('SIGINT', () => {
      if (multiBar) {
        multiBar.stop();
      }
      process.exit(0);
    });
  } else {
-    console.log(`Received ${files.length} files (${byteSize(totalSize)}), hashing...`);
+    console.log(`Received ${files.length} files, hashing...`);
  }
-  const hashProgressBar = multiBar?.create(totalSize, 0, {
+  const hashProgressBar = multiBar?.create(files.length, 0, { message: 'Hashing files          ' });
-    message: 'Hashing files          ',
+  const checkProgressBar = multiBar?.create(files.length, 0, { message: 'Checking for duplicates' });
  });
  const checkProgressBar = multiBar?.create(totalSize, 0, {
    message: 'Checking for duplicates',
  });
  const newFiles: string[] = [];
  const duplicates: Asset[] = [];
@@ -234,7 +203,7 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
      const results = response.results as AssetBulkUploadCheckResults;
      for (const { id: filepath, assetId, action } of results) {
-        if (action === AssetUploadAction.Accept) {
+        if (action === Action.Accept) {
          newFiles.push(filepath);
        } else {
          // rejects are always duplicates
@@ -242,13 +211,7 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
        }
      }
-      // Update progress based on total size of processed files
+      checkProgressBar?.increment(assets.length);
      let processedSize = 0;
      for (const asset of assets) {
        const stats = statsMap.get(asset.id);
        processedSize += stats?.size || 0;
      }
      checkProgressBar?.increment(processedSize);
    },
    { concurrency, retry: 3 },
  );
@@ -258,10 +221,6 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
  const queue = new Queue<string, AssetBulkUploadCheckItem[]>(
    async (filepath: string): Promise<AssetBulkUploadCheckItem[]> => {
      const stats = statsMap.get(filepath);
      if (!stats) {
        throw new Error(`Stats not found for ${filepath}`);
      }
      const dto = { id: filepath, checksum: await sha1(filepath) };
      results.push(dto);
@@ -272,7 +231,7 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
        void checkBulkUploadQueue.push(batch);
      }
-      hashProgressBar?.increment(stats.size);
+      hashProgressBar?.increment();
      return results;
    },
    { concurrency, retry: 3 },
@@ -403,22 +362,34 @@ export const uploadFiles = async (
 const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaResponseDto> => {
  const { baseUrl, headers } = defaults;
  const assetPath = path.parse(input);
  const noExtension = path.join(assetPath.dir, assetPath.name);
  const sidecarsFiles = await Promise.all(
    // XMP sidecars can come in two filename formats. For a photo named photo.ext, the filenames are photo.ext.xmp and photo.xmp
    [`${noExtension}.xmp`, `${input}.xmp`].map(async (sidecarPath) => {
      try {
        const stats = await stat(sidecarPath);
        return new UploadFile(sidecarPath, stats.size);
      } catch {
        return false;
      }
    }),
  );
  const sidecarData = sidecarsFiles.find((file): file is UploadFile => file !== false);
  const formData = new FormData();
  formData.append('deviceAssetId', `${basename(input)}-${stats.size}`.replaceAll(/\s+/g, ''));
  formData.append('deviceId', 'CLI');
  formData.append('fileCreatedAt', stats.mtime.toISOString());
  formData.append('fileModifiedAt', stats.mtime.toISOString());
  formData.append('fileSize', String(stats.size));
  formData.append('isFavorite', 'false');
  formData.append('assetData', new UploadFile(input, stats.size));
-  const sidecarPath = findSidecar(input);
+  if (sidecarData) {
-  if (sidecarPath) {
+    formData.append('sidecarData', sidecarData);
    try {
      const stats = await stat(sidecarPath);
      const sidecarData = new UploadFile(sidecarPath, stats.size);
      formData.append('sidecarData', sidecarData);
    } catch {
      // noop
    }
  }
  const response = await fetch(`${baseUrl}/assets`, {
@@ -434,19 +405,7 @@ const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaRespon
  return response.json();
 };
-export const findSidecar = (filepath: string): string | undefined => {
+const deleteFiles = async (uploaded: Asset[], duplicates: Asset[], options: UploadOptionsDto): Promise<void> => {
  const assetPath = path.parse(filepath);
  const noExtension = path.join(assetPath.dir, assetPath.name);
  // XMP sidecars can come in two filename formats. For a photo named photo.ext, the filenames are photo.ext.xmp and photo.xmp
  for (const sidecarPath of [`${noExtension}.xmp`, `${filepath}.xmp`]) {
    if (existsSync(sidecarPath)) {
      return sidecarPath;
    }
  }
 };
 export const deleteFiles = async (uploaded: Asset[], duplicates: Asset[], options: UploadOptionsDto): Promise<void> => {
  let fileCount = 0;
  if (options.delete) {
    fileCount += uploaded.length;
@@ -474,15 +433,7 @@ export const deleteFiles = async (uploaded: Asset[], duplicates: Asset[], option
  const chunkDelete = async (files: Asset[]) => {
    for (const assetBatch of chunk(files, options.concurrency)) {
-      await Promise.all(
+      await Promise.all(assetBatch.map((input: Asset) => unlink(input.filepath)));
        assetBatch.map(async (input: Asset) => {
          await unlink(input.filepath);
          const sidecarPath = findSidecar(input.filepath);
          if (sidecarPath) {
            await unlink(sidecarPath);
          }
        }),
      );
      deletionProgress.update(assetBatch.length);
    }
  };
@@ -1,15 +1,7 @@
-import { getMyUser, Permission } from '@immich/sdk';
+import { getMyUser } from '@immich/sdk';
 import { existsSync } from 'node:fs';
 import { mkdir, unlink } from 'node:fs/promises';
-import {
+import { BaseOptions, connect, getAuthFilePath, logError, withError, writeAuthFile } from 'src/utils';
  BaseOptions,
  connect,
  getAuthFilePath,
  logError,
  requirePermissions,
  withError,
  writeAuthFile,
 } from 'src/utils';
 export const login = async (url: string, key: string, options: BaseOptions) => {
  console.log(`Logging in to ${url}`);
@@ -17,7 +9,6 @@ export const login = async (url: string, key: string, options: BaseOptions) => {
  const { configDirectory: configDir } = options;
  await connect(url, key);
  await requirePermissions([Permission.UserRead]);
  const [error, user] = await withError(getMyUser());
  if (error) {
@@ -1,9 +1,8 @@
-import { getAssetStatistics, getMyUser, getServerVersion, getSupportedMediaTypes, Permission } from '@immich/sdk';
+import { getAssetStatistics, getMyUser, getServerVersion, getSupportedMediaTypes } from '@immich/sdk';
-import { authenticate, BaseOptions, requirePermissions } from 'src/utils';
+import { BaseOptions, authenticate } from 'src/utils';
 export const serverInfo = async (options: BaseOptions) => {
  const { url } = await authenticate(options);
  await requirePermissions([Permission.ServerAbout, Permission.AssetStatistics, Permission.UserRead]);
  const [versionInfo, mediaTypes, stats, userInfo] = await Promise.all([
    getServerVersion(),
@@ -1,4 +1,4 @@
-import { ApiKeyResponseDto, getMyApiKey, getMyUser, init, isHttpError, Permission } from '@immich/sdk';
+import { getMyUser, init, isHttpError } from '@immich/sdk';
 import { convertPathToPattern, glob } from 'fast-glob';
 import { createHash } from 'node:crypto';
 import { createReadStream } from 'node:fs';
@@ -34,36 +34,6 @@ export const authenticate = async (options: BaseOptions): Promise<AuthDto> => {
  return auth;
 };
 export const s = (count: number) => (count === 1 ? '' : 's');
 let _apiKey: ApiKeyResponseDto;
 export const requirePermissions = async (permissions: Permission[]) => {
  if (!_apiKey) {
    _apiKey = await getMyApiKey();
  }
  if (_apiKey.permissions.includes(Permission.All)) {
    return;
  }
  const missing: Permission[] = [];
  for (const permission of permissions) {
    if (!_apiKey.permissions.includes(permission)) {
      missing.push(permission);
    }
  }
  if (missing.length > 0) {
    const combined = missing.map((permission) => `"${permission}"`).join(', ');
    console.log(
      `Missing required permission${s(missing.length)}: ${combined}.
 Please make sure your API key has the correct permissions.`,
    );
    process.exit(1);
  }
 };
 export const connect = async (url: string, key: string) => {
  const wellKnownUrl = new URL('.well-known/immich', url);
  try {
@@ -81,7 +51,7 @@ export const connect = async (url: string, key: string) => {
  const [error] = await withError(getMyUser());
  if (isHttpError(error)) {
-    logError(error, `Failed to connect to server ${url}`);
+    logError(error, 'Failed to connect to server');
    process.exit(1);
  }
@@ -15,12 +15,8 @@
    "incremental": true,
    "skipLibCheck": true,
    "esModuleInterop": true,
-    "rootDir": "./src",
+    "baseUrl": "./",
    "paths": {
      "src/*": ["./src/*"],
    },
    "tsBuildInfoFile": "./dist/tsconfig.tsbuildinfo",
    "types": ["vitest/globals"]
  },
-  "exclude": ["dist", "node_modules", "vite.config.ts"]
+  "exclude": ["dist", "node_modules"]
 }
@@ -1,12 +1,10 @@
-import { defineConfig, UserConfig } from 'vite';
+import { defineConfig } from 'vite';
 import tsconfigPaths from 'vite-tsconfig-paths';
 export default defineConfig({
-  resolve: {
+  resolve: { alias: { src: '/src' } },
    alias: { src: '/src' },
    tsconfigPaths: true,
  },
  build: {
-    rolldownOptions: {
+    rollupOptions: {
      input: 'src/index.ts',
      output: {
        dir: 'dist',
@@ -18,8 +16,5 @@ export default defineConfig({
    // bundle everything except for Node built-ins
    noExternal: /^(?!node:).*$/,
  },
-  test: {
+  plugins: [tsconfigPaths()],
-    name: 'cli:unit',
+});
    globals: true,
  },
 } as UserConfig);
@@ -0,0 +1,7 @@
 import { defineConfig } from 'vitest/config';
 export default defineConfig({
  test: {
    globals: true,
  },
 });
@@ -1,6 +1,6 @@
 [tools]
-terragrunt = "1.0.3"
+terragrunt = "0.93.10"
-opentofu = "1.11.6"
+opentofu = "1.10.7"
 [tasks."tg:fmt"]
 run = "terragrunt hclfmt"
@@ -2,37 +2,37 @@
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/cloudflare/cloudflare" {
-  version     = "4.52.7"
+  version     = "4.52.5"
-  constraints = "4.52.7"
+  constraints = "4.52.5"
  hashes = [
-    "h1:+O72J3QYiZtYmYYZM/Eh0f4NNfl1BvjX1eju43qTQsQ=",
+    "h1:+rfzF+16ZcWZWnTyW/p1HHTzYbPKX8Zt2nIFtR/+f+E=",
-    "h1:0oqjYIPXcXh7XiDiKI085cHDYQQ5mh8kDl9dmBtvtog=",
+    "h1:18bXaaOSq8MWKuMxo/4y7EB7/i7G90y5QsKHZRmkoDo=",
-    "h1:4b4ESb87MGv5bnadgYe7sK5rEkKMZhbkQcwPubQTsR4=",
+    "h1:4vZVOpKeEQZsF2VrARRZFeL37Ed/gD4rRMtfnvWQres=",
-    "h1:6mTr3eA1Ddb348lLmJuyvn98z4KF+ejqaUEJ76D1rzQ=",
+    "h1:BZOsTF83QPKXTAaYqxPKzdl1KRjk/L2qbPpFjM0w28A=",
-    "h1:9/3YH+9k9HqsvFtbmBf7SO2+xqZeZrXNKzLkjNuhUEA=",
+    "h1:CDuC+HXLvc1z6wkCRsSDcc/+QENIHEtssYshiWg3opA=",
-    "h1:Jcq4tBWgyH4/2JsojNBSRaN0mcItVMchO+lynonrlqc=",
+    "h1:DE+YFzLnqSe79pI2R4idRGx5QzLdrA7RXvngTkGfZ30=",
-    "h1:Y4Vv/2RdP0Q+uxqhOxzOdKxuuEMjXPDcU0vPc5bCQzI=",
+    "h1:DfaJwH3Ml4yrRbdAY4AcDVy0QTQk5T3A622TXzS/u2E=",
-    "h1:a0gW8FBKsbP9Fi0HEDoy49WIbEWVHk9+BR4/iwuBdDQ=",
+    "h1:EIDXP0W3kgIv2pecrFmqtK/DnlqkyckzBzhxKaXU+4A=",
-    "h1:gElv6iqJtg8OKN77gbw+MjrkrQmJHPkkMEi1J+0xkpU=",
+    "h1:EV4kYyaOnwGA0bh/3hU6Ezqnt1PFDxopH7i85e48IzY=",
-    "h1:oslXUugD/NQ+duJgT4BhKQyfGbuFOANknMvR73fiOeM=",
+    "h1:M0iXabfzamU+MPDi0G9XACpbacFKMakmM+Z9HZ8HrsM=",
-    "h1:pPItIWii5oymR+geZB219ROSPuSODPLTlM4S/u8xLvM=",
+    "h1:YWmCbGF/KbsrUzcYVBLscwLizidbp95TDQa0N2qpmVo=",
-    "h1:u67GWw8GwD9NDlDzp9Y5VRnSQGcCrE8rSpkGPaBpDl0=",
+    "h1:cxPcCB5gbrpUO1+IXkQYs1YTY50/0IlApCzGea0cwuQ=",
-    "h1:uUUa9dY0XQOycI8pxg16PFFtL0WCTi9uEJz8trTQ7pU=",
+    "h1:g6DldikTV2HXUu9uoeNY5FuLufgaYWF4ufgZg7wq62s=",
-    "h1:y3rV8KF2q6GEMANNlf5EkKJurlfbKlIKpjGcdxoy7pQ=",
+    "h1:oi/Hrx9pwoQ+Z52CBC+rrowVH387EIj0qvnxQgDeI+0=",
-    "zh:0c904ce31a4c6c4a5b3bf7ff1560e77c0cc7e2450c8553ded8e8c90398e1418b",
+    "zh:1a3400cb38863b2585968d1876706bcfc67a148e1318a1d325c6c7704adc999b",
-    "zh:36183d310c36373fe4cb936b83c595c6fd3b0a94bc7827f28e5789ccbf59752e",
+    "zh:4c5062cb9e9da1676f06ae92b8370186d98976cc4c7030d3cd76df12af54282a",
-    "zh:556a568a6f0235e8f41647de9e4d3a1e7b1d6502df8b19b54ec441f1c653ea10",
+    "zh:52110f493b5f0587ef77a1cfd1a67001fd4c617b14c6502d732ab47352bdc2f7",
-    "zh:633ebbd5b0245e75e500ef9be4d9e62288f97e8da3baaa51323892a786d90285",
+    "zh:5aa536f9eaeb43823aaf2aa80e7d39b25ef2b383405ed034aa16a28b446a9238",
-    "zh:6acfe60cf52a65ba8f044f748548d2119e7f4fd7f8ebcb14698960d87c68f529",
+    "zh:5cc39459a1c6be8a918f17054e4fbba573825ed5597dcada588fe99614d98a5b",
    "zh:629ae6a7ba298815131da826474d199312d21cec53a4d5ded4fa56a692e6f072",
    "zh:719cc7c75dc1d3eb30c22ff5102a017996d9788b948078c7e1c5b3446aeca661",
    "zh:8698635a3ca04383c1e93b21d6963346bdae54d27177a48e4b1435b7f731731c",
    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
-    "zh:904acc31ebb9d6ef68c792074b30532ee61bf515f19e0a3c75b46f126cca1f13",
+    "zh:8a9993f1dcadf1dd6ca43b23348abe374605d29945a2fafc07fb3457644e6a54",
-    "zh:a1d0a81246afc8750286d3f6fe7a8fbe6460dd2662407b28dbfbabb612e5fa9d",
+    "zh:b1b9a1e6bcc24d5863a664a411d2dc906373ae7a2399d2d65548ce7377057852",
-    "zh:a41a36fe253fc365fe2b7ffc749624688b2693b4634862fda161179ab100029f",
+    "zh:b270184cdeec277218e84b94cb136fead753da717f9b9dc378e51907f3f00bb0",
-    "zh:a7ef269e77ffa8715c8945a2c14322c7ff159ea44c15f62505f3cbb2cae3b32d",
+    "zh:dff2bc10071210181726ce270f954995fe42c696e61e2e8f874021fed02521e5",
-    "zh:b01aa3bed30610633b762df64332b26f8844a68c3960cebcb30f04918efc67fe",
+    "zh:e8e87b40b6a87dc097b0fdc20d3f725cec0d82abc9cc3755c1f89f8f6e8b0036",
-    "zh:b069cc2cd18cae10757df3ae030508eac8d55de7e49eda7a5e3e11f2f7fe6455",
+    "zh:ee964a6573d399a5dd22ce328fb38ca1207797a02248f14b2e4913ee390e7803",
    "zh:b2d2c6313729ebb7465dceece374049e2d08bda34473901be9ff46a8836d42b2",
    "zh:db0e114edaf4bc2f3d4769958807c83022bfbc619a00bdf4c4bd17faa4ab2d8b",
    "zh:ecc0aa8b9044f664fd2aaf8fa992d976578f78478980555b4b8f6148e8d1a5fe",
  ]
 }
@@ -5,7 +5,7 @@ terraform {
  required_providers {
    cloudflare = {
      source = "cloudflare/cloudflare"
-      version = "4.52.7"
+      version = "4.52.5"
    }
  }
 }
@@ -2,37 +2,37 @@
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/cloudflare/cloudflare" {
-  version     = "4.52.7"
+  version     = "4.52.5"
-  constraints = "4.52.7"
+  constraints = "4.52.5"
  hashes = [
-    "h1:+O72J3QYiZtYmYYZM/Eh0f4NNfl1BvjX1eju43qTQsQ=",
+    "h1:+rfzF+16ZcWZWnTyW/p1HHTzYbPKX8Zt2nIFtR/+f+E=",
-    "h1:0oqjYIPXcXh7XiDiKI085cHDYQQ5mh8kDl9dmBtvtog=",
+    "h1:18bXaaOSq8MWKuMxo/4y7EB7/i7G90y5QsKHZRmkoDo=",
-    "h1:4b4ESb87MGv5bnadgYe7sK5rEkKMZhbkQcwPubQTsR4=",
+    "h1:4vZVOpKeEQZsF2VrARRZFeL37Ed/gD4rRMtfnvWQres=",
-    "h1:6mTr3eA1Ddb348lLmJuyvn98z4KF+ejqaUEJ76D1rzQ=",
+    "h1:BZOsTF83QPKXTAaYqxPKzdl1KRjk/L2qbPpFjM0w28A=",
-    "h1:9/3YH+9k9HqsvFtbmBf7SO2+xqZeZrXNKzLkjNuhUEA=",
+    "h1:CDuC+HXLvc1z6wkCRsSDcc/+QENIHEtssYshiWg3opA=",
-    "h1:Jcq4tBWgyH4/2JsojNBSRaN0mcItVMchO+lynonrlqc=",
+    "h1:DE+YFzLnqSe79pI2R4idRGx5QzLdrA7RXvngTkGfZ30=",
-    "h1:Y4Vv/2RdP0Q+uxqhOxzOdKxuuEMjXPDcU0vPc5bCQzI=",
+    "h1:DfaJwH3Ml4yrRbdAY4AcDVy0QTQk5T3A622TXzS/u2E=",
-    "h1:a0gW8FBKsbP9Fi0HEDoy49WIbEWVHk9+BR4/iwuBdDQ=",
+    "h1:EIDXP0W3kgIv2pecrFmqtK/DnlqkyckzBzhxKaXU+4A=",
-    "h1:gElv6iqJtg8OKN77gbw+MjrkrQmJHPkkMEi1J+0xkpU=",
+    "h1:EV4kYyaOnwGA0bh/3hU6Ezqnt1PFDxopH7i85e48IzY=",
-    "h1:oslXUugD/NQ+duJgT4BhKQyfGbuFOANknMvR73fiOeM=",
+    "h1:M0iXabfzamU+MPDi0G9XACpbacFKMakmM+Z9HZ8HrsM=",
-    "h1:pPItIWii5oymR+geZB219ROSPuSODPLTlM4S/u8xLvM=",
+    "h1:YWmCbGF/KbsrUzcYVBLscwLizidbp95TDQa0N2qpmVo=",
-    "h1:u67GWw8GwD9NDlDzp9Y5VRnSQGcCrE8rSpkGPaBpDl0=",
+    "h1:cxPcCB5gbrpUO1+IXkQYs1YTY50/0IlApCzGea0cwuQ=",
-    "h1:uUUa9dY0XQOycI8pxg16PFFtL0WCTi9uEJz8trTQ7pU=",
+    "h1:g6DldikTV2HXUu9uoeNY5FuLufgaYWF4ufgZg7wq62s=",
-    "h1:y3rV8KF2q6GEMANNlf5EkKJurlfbKlIKpjGcdxoy7pQ=",
+    "h1:oi/Hrx9pwoQ+Z52CBC+rrowVH387EIj0qvnxQgDeI+0=",
-    "zh:0c904ce31a4c6c4a5b3bf7ff1560e77c0cc7e2450c8553ded8e8c90398e1418b",
+    "zh:1a3400cb38863b2585968d1876706bcfc67a148e1318a1d325c6c7704adc999b",
-    "zh:36183d310c36373fe4cb936b83c595c6fd3b0a94bc7827f28e5789ccbf59752e",
+    "zh:4c5062cb9e9da1676f06ae92b8370186d98976cc4c7030d3cd76df12af54282a",
-    "zh:556a568a6f0235e8f41647de9e4d3a1e7b1d6502df8b19b54ec441f1c653ea10",
+    "zh:52110f493b5f0587ef77a1cfd1a67001fd4c617b14c6502d732ab47352bdc2f7",
-    "zh:633ebbd5b0245e75e500ef9be4d9e62288f97e8da3baaa51323892a786d90285",
+    "zh:5aa536f9eaeb43823aaf2aa80e7d39b25ef2b383405ed034aa16a28b446a9238",
-    "zh:6acfe60cf52a65ba8f044f748548d2119e7f4fd7f8ebcb14698960d87c68f529",
+    "zh:5cc39459a1c6be8a918f17054e4fbba573825ed5597dcada588fe99614d98a5b",
    "zh:629ae6a7ba298815131da826474d199312d21cec53a4d5ded4fa56a692e6f072",
    "zh:719cc7c75dc1d3eb30c22ff5102a017996d9788b948078c7e1c5b3446aeca661",
    "zh:8698635a3ca04383c1e93b21d6963346bdae54d27177a48e4b1435b7f731731c",
    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
-    "zh:904acc31ebb9d6ef68c792074b30532ee61bf515f19e0a3c75b46f126cca1f13",
+    "zh:8a9993f1dcadf1dd6ca43b23348abe374605d29945a2fafc07fb3457644e6a54",
-    "zh:a1d0a81246afc8750286d3f6fe7a8fbe6460dd2662407b28dbfbabb612e5fa9d",
+    "zh:b1b9a1e6bcc24d5863a664a411d2dc906373ae7a2399d2d65548ce7377057852",
-    "zh:a41a36fe253fc365fe2b7ffc749624688b2693b4634862fda161179ab100029f",
+    "zh:b270184cdeec277218e84b94cb136fead753da717f9b9dc378e51907f3f00bb0",
-    "zh:a7ef269e77ffa8715c8945a2c14322c7ff159ea44c15f62505f3cbb2cae3b32d",
+    "zh:dff2bc10071210181726ce270f954995fe42c696e61e2e8f874021fed02521e5",
-    "zh:b01aa3bed30610633b762df64332b26f8844a68c3960cebcb30f04918efc67fe",
+    "zh:e8e87b40b6a87dc097b0fdc20d3f725cec0d82abc9cc3755c1f89f8f6e8b0036",
-    "zh:b069cc2cd18cae10757df3ae030508eac8d55de7e49eda7a5e3e11f2f7fe6455",
+    "zh:ee964a6573d399a5dd22ce328fb38ca1207797a02248f14b2e4913ee390e7803",
    "zh:b2d2c6313729ebb7465dceece374049e2d08bda34473901be9ff46a8836d42b2",
    "zh:db0e114edaf4bc2f3d4769958807c83022bfbc619a00bdf4c4bd17faa4ab2d8b",
    "zh:ecc0aa8b9044f664fd2aaf8fa992d976578f78478980555b4b8f6148e8d1a5fe",
  ]
 }
@@ -5,7 +5,7 @@ terraform {
  required_providers {
    cloudflare = {
      source = "cloudflare/cloudflare"
-      version = "4.52.7"
+      version = "4.52.5"
    }
  }
 }
@@ -14,67 +14,34 @@
 name: immich-dev
 services:
  immich-app-base:
    profiles: ['_base']
    tmpfs:
      - /tmp
    volumes:
      - ..:/usr/src/app
      # - ../../ui:/usr/src/ui
      - pnpm_cache:/buildcache/pnpm_cache
      - server_node_modules:/usr/src/app/server/node_modules
      - web_node_modules:/usr/src/app/web/node_modules
      - github_node_modules:/usr/src/app/.github/node_modules
      - cli_node_modules:/usr/src/app/packages/cli/node_modules
      - docs_node_modules:/usr/src/app/docs/node_modules
      - e2e_node_modules:/usr/src/app/e2e/node_modules
      - sdk_node_modules:/usr/src/app/packages/sdk/node_modules
      - app_node_modules:/usr/src/app/node_modules
      - sveltekit:/usr/src/app/web/.svelte-kit
      - coverage:/usr/src/app/web/coverage
  immich-init:
    extends:
      service: immich-app-base
    profiles: !reset []
    container_name: immich_init
    image: immich-server-dev:latest
    build:
      context: ../
      dockerfile: server/Dockerfile.dev
      target: dev
    command:
      - |
        pnpm install
        touch /tmp/init-complete
        exec tail -f /dev/null
    volumes:
      - pnpm_store_server:/buildcache/pnpm-store
    restart: 'no'
    healthcheck:
      test: ['CMD', 'test', '-f', '/tmp/init-complete']
      interval: 2s
      timeout: 3s
      retries: 300
      start_period: 300s
  immich-server:
    extends:
      service: immich-app-base
    profiles: !reset []
    container_name: immich_server
    command: ['immich-dev']
    image: immich-server-dev:latest
    # extends:
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    build:
      context: ../
      dockerfile: server/Dockerfile.dev
      target: dev
    restart: unless-stopped
    volumes:
      - ..:/usr/src/app
      - ${UPLOAD_LOCATION}/photos:/data
      - /etc/localtime:/etc/localtime:ro
-      - pnpm_store_server:/buildcache/pnpm-store
+      - pnpm-store:/usr/src/app/.pnpm-store
-      - ../packages/plugins:/build/corePlugin
+      - server-node_modules:/usr/src/app/server/node_modules
      - web-node_modules:/usr/src/app/web/node_modules
      - github-node_modules:/usr/src/app/.github/node_modules
      - cli-node_modules:/usr/src/app/cli/node_modules
      - docs-node_modules:/usr/src/app/docs/node_modules
      - e2e-node_modules:/usr/src/app/e2e/node_modules
      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
      - app-node_modules:/usr/src/app/node_modules
      - sveltekit:/usr/src/app/web/.svelte-kit
      - coverage:/usr/src/app/web/coverage
      - ../plugins:/build/corePlugin
    env_file:
      - .env
    environment:
@@ -91,14 +58,11 @@ services:
      IMMICH_THIRD_PARTY_BUG_FEATURE_URL: https://github.com/immich-app/immich/issues
      IMMICH_THIRD_PARTY_DOCUMENTATION_URL: https://docs.immich.app
      IMMICH_THIRD_PARTY_SUPPORT_URL: https://docs.immich.app/community-guides
      IMMICH_HELMET_FILE: 'true'
    ports:
      - 9230:9230
      - 9231:9231
      - 2283:2283
    depends_on:
      immich-init:
        condition: service_healthy
      redis:
        condition: service_started
      database:
@@ -107,9 +71,6 @@ services:
      disable: false
  immich-web:
    extends:
      service: immich-app-base
    profiles: !reset []
    container_name: immich_web
    image: immich-web-dev:latest
    build:
@@ -123,11 +84,20 @@ services:
      - 3000:3000
      - 24678:24678
    volumes:
-      - pnpm_store_web:/buildcache/pnpm-store
+      - ..:/usr/src/app
      - pnpm-store:/usr/src/app/.pnpm-store
      - server-node_modules:/usr/src/app/server/node_modules
      - web-node_modules:/usr/src/app/web/node_modules
      - github-node_modules:/usr/src/app/.github/node_modules
      - cli-node_modules:/usr/src/app/cli/node_modules
      - docs-node_modules:/usr/src/app/docs/node_modules
      - e2e-node_modules:/usr/src/app/e2e/node_modules
      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
      - app-node_modules:/usr/src/app/node_modules
      - sveltekit:/usr/src/app/web/.svelte-kit
      - coverage:/usr/src/app/web/coverage
    restart: unless-stopped
    depends_on:
      immich-init:
        condition: service_healthy
      immich-server:
        condition: service_started
@@ -146,7 +116,7 @@ services:
      - 3003:3003
    volumes:
      - ../machine-learning/immich_ml:/usr/src/immich_ml
-      - model_cache:/cache
+      - model-cache:/cache
    env_file:
      - .env
    depends_on:
@@ -157,7 +127,7 @@ services:
  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
    healthcheck:
      test: redis-cli ping || exit 1
@@ -186,7 +156,7 @@ services:
  #   image: prom/prometheus
  #   volumes:
  #     - ./prometheus.yml:/etc/prometheus/prometheus.yml
-  #     - prometheus_data:/prometheus
+  #     - prometheus-data:/prometheus
  # first login uses admin/admin
  # add data source for http://immich-prometheus:9090 to get started
@@ -197,22 +167,20 @@ services:
  #     - 3000:3000
  #   image: grafana/grafana:10.3.3-ubuntu
  #   volumes:
-  #     - grafana_data:/var/lib/grafana
+  #     - grafana-data:/var/lib/grafana
 volumes:
-  model_cache:
+  model-cache:
-  prometheus_data:
+  prometheus-data:
-  grafana_data:
+  grafana-data:
-  pnpm_cache:
+  pnpm-store:
-  pnpm_store_server:
+  server-node_modules:
-  pnpm_store_web:
+  web-node_modules:
-  server_node_modules:
+  github-node_modules:
-  web_node_modules:
+  cli-node_modules:
-  github_node_modules:
+  docs-node_modules:
-  cli_node_modules:
+  e2e-node_modules:
-  docs_node_modules:
+  sdk-node_modules:
-  e2e_node_modules:
+  app-node_modules:
  sdk_node_modules:
  app_node_modules:
  sveltekit:
  coverage:
@@ -56,7 +56,7 @@ services:
  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
@@ -85,7 +85,7 @@ services:
    container_name: immich_prometheus
    ports:
      - 9090:9090
-    image: prom/prometheus@sha256:e4254400b85610324913f0dc4acf92603d9984e7519414c5a12811aa6146acc3
+    image: prom/prometheus@sha256:1f0f50f06acaceb0f5670d2c8a658a599affe7b0d8e78b898c1035653849a702
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus-data:/prometheus
@@ -97,7 +97,7 @@ services:
    command: ['./run.sh', '-disable-reporting']
    ports:
      - 3000:3000
-    image: grafana/grafana:12.4.3-ubuntu@sha256:ca3f764fdc48cebdf22dd206f33ecb0795a9a7210eacd1b5c02204aebd78b223
+    image: grafana/grafana:12.3.1-ubuntu@sha256:d57f1365197aec34c4d80869d8ca45bb7787c7663904950dab214dfb40c1c2fd
    volumes:
      - grafana-data:/var/lib/grafana
@@ -1,97 +0,0 @@
 #
 # WARNING: To install Immich, follow our guide: https://docs.immich.app/install/docker-compose
 #
 # Make sure to use the docker-compose.yml of the current release:
 #
 # https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
 #
 # The compose file on main may not be compatible with the latest release.
 name: immich
 services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    user: '1000:1000'
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - NET_RAW
    volumes:
      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
      - ${UPLOAD_LOCATION}:/data
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - '2283:2283'
    depends_on:
      - redis
      - database
    restart: always
    healthcheck:
      disable: false
  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    user: '1000:1000'
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - NET_RAW
    volumes:
      - ./ml-model-cache:/cache
      - ./ml-dotcache:/.cache
      - ./ml-config:/.config
    env_file:
      - .env
    restart: always
    healthcheck:
      disable: false
  redis:
    container_name: immich_redis
    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
    user: '1000:1000'
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - NET_RAW
    volumes:
      - ./redis:/data
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
  database:
    container_name: immich_postgres
    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
    user: '1000:1000'
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - NET_RAW
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
      # Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
      # DB_STORAGE_TYPE: 'HDD'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    shm_size: 128mb
    restart: always
    healthcheck:
      disable: false
@@ -49,7 +49,7 @@ services:
  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
@@ -0,0 +1 @@
 24.13.0
@@ -402,9 +402,6 @@ To decrease Redis logs, you can add the following line to the `redis:` section o
 ### How can I run Immich as a non-root user?
 You can change the user in the container by setting the `user` argument in `docker-compose.yml` for each service.
 [Example docker-compose.yml file](https://github.com/immich-app/immich/blob/main/docker/docker-compose.rootless.yml)
 You may need to add mount points or docker volumes for the following internal container paths:
 - `immich-machine-learning:/.config`
@@ -140,8 +140,7 @@ For advanced users or automated recovery scenarios, you can restore a database b
 ```bash title='Backup'
 # Replace <DB_USERNAME> with the database username - usually postgres unless you have changed it.
-# Replace <DB_DATABASE_NAME> with the database name - usually immich unless you have changed it.
+docker exec -t immich_postgres pg_dumpall --clean --if-exists --username=<DB_USERNAME> | gzip > "/path/to/backup/dump.sql.gz"
 docker exec -t immich_postgres pg_dump --clean --if-exists --dbname=<DB_DATABASE_NAME> --username=<DB_USERNAME> | gzip > "/path/to/backup/dump.sql.gz"
 ```
 ```bash title='Restore'
@@ -154,10 +153,9 @@ docker start immich_postgres    # Start Postgres server
 sleep 10                        # Wait for Postgres server to start up
 # Check the database user if you deviated from the default
 # Replace <DB_USERNAME> with the database username - usually postgres unless you have changed it.
 # Replace <DB_DATABASE_NAME> with the database name - usually immich unless you have changed it.
 gunzip --stdout "/path/to/backup/dump.sql.gz" \
 | sed "s/SELECT pg_catalog.set_config('search_path', '', false);/SELECT pg_catalog.set_config('search_path', 'public, pg_catalog', true);/g" \
-| docker exec -i immich_postgres psql --dbname=<DB_DATABASE_NAME> --username=<DB_USERNAME> --single-transaction --set ON_ERROR_STOP=on  # Restore Backup
+| docker exec -i immich_postgres psql --dbname=postgres --username=<DB_USERNAME>  # Restore Backup
 docker compose up -d            # Start remainder of Immich apps
 ```
@@ -166,8 +164,7 @@ docker compose up -d            # Start remainder of Immich apps
 ```powershell title='Backup'
 # Replace <DB_USERNAME> with the database username - usually postgres unless you have changed it.
-# Replace <DB_DATABASE_NAME> with the database name - usually immich unless you have changed it.
+[System.IO.File]::WriteAllLines("C:\absolute\path\to\backup\dump.sql", (docker exec -t immich_postgres pg_dumpall --clean --if-exists --username=<DB_USERNAME>))
 [System.IO.File]::WriteAllLines("C:\absolute\path\to\backup\dump.sql", (docker exec -t immich_postgres pg_dump --clean --if-exists --dbname=<DB_DATABASE_NAME> --username=<DB_USERNAME>))
 ```
 ```powershell title='Restore'
@@ -182,9 +179,8 @@ sleep 10                                          # Wait for Postgres server to
 docker exec -it immich_postgres bash              # Enter the Docker shell and run the following command
 # If your backup ends in `.gz`, replace `cat` with `gunzip --stdout`
 # Replace <DB_USERNAME> with the database username - usually postgres unless you have changed it.
 # Replace <DB_DATABASE_NAME> with the database name - usually immich unless you have changed it.
-cat "/dump.sql" | sed "s/SELECT pg_catalog.set_config('search_path', '', false);/SELECT pg_catalog.set_config('search_path', 'public, pg_catalog', true);/g" | psql --dbname=<DB_DATABASE_NAME> --username=<DB_USERNAME>  --single-transaction --set ON_ERROR_STOP=on
+cat "/dump.sql" | sed "s/SELECT pg_catalog.set_config('search_path', '', false);/SELECT pg_catalog.set_config('search_path', 'public, pg_catalog', true);/g" | psql --dbname=postgres --username=<DB_USERNAME>
 exit                                              # Exit the Docker shell
 docker compose up -d                              # Start remainder of Immich apps
 ```
@@ -192,10 +188,6 @@ docker compose up -d                              # Start remainder of Immich ap
  </TabItem>
 </Tabs>
 :::warning
 The backup and restore process changed in v2.5.0, if you have a backup created with an older version of Immich, use the documentation version selector to find manual restore instructions for your backup.
 :::
 :::note
 For the database restore to proceed properly, it requires a completely fresh install (i.e., the Immich server has never run since creating the Docker containers). If the Immich app has run, you may encounter Postgres conflicts (relation already exists, violated foreign key constraints, etc.). In this case, delete the `DB_DATA_LOCATION` folder to reset the database.
 :::
@@ -204,13 +196,9 @@ For the database restore to proceed properly, it requires a completely fresh ins
 Some deployment methods make it difficult to start the database without also starting the server. In these cases, set the environment variable `DB_SKIP_MIGRATIONS=true` before starting the services. This prevents the server from running migrations that interfere with the restore process. Remove this variable and restart services after the database is restored.
 :::
 :::tip
 The provided restore process ensures your database is never in a broken state by committing all changes in one transaction. This may be undesirable behaviour in some circumstances, you can disable it by removing `--single-transaction --set ON_ERROR_STOP=on` from the command.
 :::
 ## Filesystem
-Immich does not handle filesystem backups for you. You have to arrange these yourself! Immich stores two types of content in the filesystem: (a) original, unmodified assets (photos and videos), and (b) generated content. We recommend backing up the entire contents of `UPLOAD_LOCATION`, but only the original content is critical, which is stored in the following folders:
+Immich stores two types of content in the filesystem: (a) original, unmodified assets (photos and videos), and (b) generated content. We recommend backing up the entire contents of `UPLOAD_LOCATION`, but only the original content is critical, which is stored in the following folders:
 1. `UPLOAD_LOCATION/library`
 2. `UPLOAD_LOCATION/upload`
@@ -67,8 +67,7 @@ graph TD
    C --> D["Thumbnail Generation (Large, small, blurred and person)"]
    D --> E[Smart Search]
    D --> F[Face Detection]
-    D --> G[OCR]
+    D --> G[Video Transcoding]
-    D --> H[Video Transcoding]
+    E --> H[Duplicate Detection]
-    E --> I[Duplicate Detection]
+    F --> I[Facial Recognition]
    F --> J[Facial Recognition]
 ```
@@ -14,7 +14,6 @@ Immich supports 3rd party authentication via [OpenID Connect][oidc] (OIDC), an i
 - [Authelia](https://www.authelia.com/integration/openid-connect/immich/)
 - [Okta](https://www.okta.com/openid-connect/)
 - [Google](https://developers.google.com/identity/openid-connect/openid-connect)
 - [Keycloak](https://www.keycloak.org)
 ## Prerequisites
@@ -50,10 +49,6 @@ Before enabling OAuth in Immich, a new client application needs to be configured
   - `https://immich.example.com/auth/login`
   - `https://immich.example.com/user-settings`
 3. Configure Backchannel logout URL
   If the authentication server supports it, the **Backchannel logout URL** can be specified, and it is of the form: `http://DOMAIN:PORT/api/oauth/backchannel-logout`.
 ## Enable OAuth
 Once you have a new OAuth client application configured, Immich can be configured using the Administration Settings page, available on the web (Administration -> Settings).
@@ -61,15 +56,11 @@ Once you have a new OAuth client application configured, Immich can be configure
 | Setting                                              | Type    | Default              | Description                                                                         |
 | ---------------------------------------------------- | ------- | -------------------- | ----------------------------------------------------------------------------------- |
 | Enabled                                              | boolean | false                | Enable/disable OAuth                                                                |
-| `issuer_url`                                         | URL     | (required)           | Required. Self-discovery URL for client (from previous step)                        |
+| Issuer URL                                           | URL     | (required)           | Required. Self-discovery URL for client (from previous step)                        |
-| `client_id`                                          | string  | (required)           | Required. Client ID (from previous step)                                            |
+| Client ID                                            | string  | (required)           | Required. Client ID (from previous step)                                            |
-| `client_secret`                                      | string  | (required)           | Required. Client Secret (previous step)                                             |
+| Client Secret                                        | string  | (required)           | Required. Client Secret (previous step)                                             |
-| `scope`                                              | string  | openid email profile | Full list of scopes to send with the request (space delimited)                      |
+| Scope                                                | string  | openid email profile | Full list of scopes to send with the request (space delimited)                      |
-| `id_token_signed_response_alg`                       | string  | RS256                | The algorithm used to sign the id token (examples: RS256, HS256)                    |
+| Signing Algorithm                                    | string  | RS256                | The algorithm used to sign the id token (examples: RS256, HS256)                    |
 | `userinfo_signed_response_alg`                       | string  | none                 | The algorithm used to sign the userinfo response (examples: RS256, HS256)           |
 | `prompt`                                             | string  | (empty)              | Prompt parameter for authorization url (examples: select_account, login, consent)   |
 | `end_session_endpoint`                               | URL     | (empty)              | Http(s) alternative end session endpoint (logout URI)                               |
 | Request timeout                                      | string  | 30,000 (30 seconds)  | Number of milliseconds to wait for http requests to complete before giving up       |
 | Storage Label Claim                                  | string  | preferred_username   | Claim mapping for the user's storage label**¹**                                     |
 | Role Claim                                           | string  | immich_role          | Claim mapping for the user's role. (should return "user" or "admin")**¹**           |
 | Storage Quota Claim                                  | string  | immich_quota         | Claim mapping for the user's storage**¹**                                           |
@@ -187,7 +178,6 @@ Configuration of OAuth in Immich System Settings
 | Scope                              | openid email profile immich_scope                                   |
 | ID Token Signed Response Algorithm | RS256                                                               |
 | Userinfo Signed Response Algorithm | RS256                                                               |
 | End Session Endpoint               | https://auth.example.com/logout?rd=https://immich.example.com/      |
 | Storage Label Claim                | uid                                                                 |
 | Storage Quota Claim                | immich_quota                                                        |
 | Default Storage Quota (GiB)        | 0 (empty for unlimited quota)                                       |
@@ -261,40 +251,4 @@ Configuration of OAuth in Immich System Settings
 </details>
 <details>
 <summary>Keycloak Example</summary>
 ### Keycloak Example
 Here's an example of OAuth configured for Keycloak:
 Create your immich client on your Keycloak Realm.
 <img src={require('./img/keycloak-general-settings.webp').default} width='100%' title="Keycloak Client general Settings" />
 <img src={require('./img/keycloak-access-settings.webp').default} width='100%' title="Keycloak Client Access Settings" />
 <img src={require('./img/keycloak-capability-config.webp').default} width='100%' title="Keycloak Client Capability Configuration" />
 Configuration of OAuth in Immich System Settings
 | Setting                      | Value                                                 |
 | ---------------------------- | ----------------------------------------------------- |
 | Issuer URL                   | `https://<KEYCLOAK_DOMAIN>/realms/<YOUR_REALM>`       |
 | Client ID                    | immich                                                |
 | Client Secret                | can be optained from Clients -> immich -> Credentials |
 | Scope                        | openid email profile                                  |
 | Signing Algorithm            | RS256                                                 |
 | Storage Label Claim          | preferred_username                                    |
 | Role Claim                   | immich_role                                           |
 | Storage Quota Claim          | immich_quota                                          |
 | Default Storage Quota (GiB)  | 0 (empty for unlimited quota)                         |
 | Button Text                  | Sign in with Keycloak (recommended)                   |
 | Auto Register                | Enabled (optional)                                    |
 | Auto Launch                  | Enabled (optional)                                    |
 | Mobile Redirect URI Override | Disabled                                              |
 | Mobile Redirect URI          |                                                       |
 Role Claim can be managed via Client Role. Remember to create a mapper with claim name `immich_role`.
 </details>
 [oidc]: https://openid.net/connect/
@@ -81,14 +81,14 @@ VectorChord is the successor extension to pgvecto.rs, allowing for higher perfor
 ### Migrating from pgvecto.rs
-Support for pgvecto.rs has been dropped as of 3.0, hence all users currently using pgvecto.rs should migrate to VectorChord. There are two primary approaches to do so.
+Support for pgvecto.rs will be dropped in a later release, hence we recommend all users currently using pgvecto.rs to migrate to VectorChord at their convenience. There are two primary approaches to do so.
 The easiest option is to have both extensions installed during the migration:
 <details>
 <summary>Migration steps (automatic)</summary>
 1. Ensure you still have pgvecto.rs installed
-2. Install `pgvector` (`>= 0.7, < 0.9`). The easiest way to do this is on Debian/Ubuntu by adding the [PostgreSQL Apt repository][pg-apt] and then running `apt install postgresql-NN-pgvector`, where `NN` is your Postgres version (e.g., `16`)
+2. Install `pgvector` (`>= 0.7.0, < 1.0.0`). The easiest way to do this is on Debian/Ubuntu by adding the [PostgreSQL Apt repository][pg-apt] and then running `apt install postgresql-NN-pgvector`, where `NN` is your Postgres version (e.g., `16`)
 3. [Install VectorChord][vchord-install]
 4. Add `shared_preload_libraries= 'vchord.so, vectors.so'` to your `postgresql.conf`, making sure to include _both_ `vchord.so` and `vectors.so`. You may include other libraries here as well if needed
 5. Restart the Postgres database
@@ -98,6 +98,7 @@ entryPoints:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
 ```
 The second part is in the `docker-compose.yml` file where immich is in. Add the Traefik specific labels like in the example.
@@ -13,11 +13,8 @@ The `immich-server` docker image comes preinstalled with an administrative CLI (
 | `enable-oauth-login`       | Enable OAuth login                                            |
 | `disable-oauth-login`      | Disable OAuth login                                           |
 | `list-users`               | List Immich users                                             |
 | `grant-admin`              | Grant admin privileges to a user (by email)                   |
 | `revoke-admin`             | Revoke admin privileges from a user (by email)                |
 | `version`                  | Print Immich version                                          |
 | `change-media-location`    | Change database file paths to align with a new media location |
 | `schema-check`             | Verify database migrations and check for schema drift         |
 ## How to run a command
@@ -105,22 +102,6 @@ immich-admin list-users
 ]
 ```
 Grant Admin
 ```
 immich-admin grant-admin
 ? Please enter the user email:  user@example.com
 Admin access has been granted to user@example.com
 ```
 Revoke Admin
 ```
 immich-admin revoke-admin
 ? Please enter the user email:  user@example.com
 Admin access has been revoked from user@example.com
 ```
 Print Immich Version
 ```
@@ -145,12 +126,3 @@ immich-admin change-media-location
 Database file paths updated successfully! 🎉
 ...
 ```
 Schema Check
 ```
 immich-admin schema-check
 Migrations are up to date
 No schema drift detected
 ```
@@ -230,7 +230,7 @@ The default value is `ultrafast`.
 ### Audio codec (`ffmpeg.targetAudioCodec`) {#ffmpeg.targetAudioCodec}
-Which audio codec to use when the audio stream is being transcoded. Can be one of `mp3`, `aac`, `opus`.
+Which audio codec to use when the audio stream is being transcoded. Can be one of `mp3`, `aac`, `libopus`.
 The default value is `aac`.
@@ -24,7 +24,7 @@ Immich has three main clients:
 3. CLI - Command-line utility for bulk upload
 :::info
-All three clients use [OpenAPI](/api.md) to auto-generate rest clients for easy integration. For more information about this process, see [OpenAPI](/api.md).
+All three clients use [OpenAPI](./open-api.md) to auto-generate rest clients for easy integration. For more information about this process, see [OpenAPI](./open-api.md).
 :::
 ### Mobile App
@@ -71,7 +71,7 @@ An incoming HTTP request is mapped to a controller (`src/controllers`). Controll
 ### Domain Transfer Objects (DTOs)
-The server uses [Domain Transfer Objects](https://en.wikipedia.org/wiki/Data_transfer_object) as public interfaces for the inputs (query, params, and body) and outputs (response) for each endpoint. DTOs translate to [OpenAPI](/api.md) schemas and control the generated code used by each client.
+The server uses [Domain Transfer Objects](https://en.wikipedia.org/wiki/Data_transfer_object) as public interfaces for the inputs (query, params, and body) and outputs (response) for each endpoint. DTOs translate to [OpenAPI](./open-api.md) schemas and control the generated code used by each client.
 ### Background Jobs
@@ -44,7 +44,7 @@ While this guide focuses on VS Code, you have many options for Dev Container dev
 **Self-Hostable Options:**
 - [Coder](https://coder.com) - Enterprise-focused, requires Terraform knowledge, self-managed
- [DevPod](https://devpod.sh) - Client-only tool with excellent devcontainer.json support, works with any provider (local, cloud, or on-premise). Check [quick-start guide](#quick-start-guide-for-devpod-with-docker)
+- [DevPod](https://devpod.sh) - Client-only tool with excellent devcontainer.json support, works with any provider (local, cloud, or on-premise)
  :::
 ## Dev Container Services
@@ -205,7 +205,7 @@ When the Dev Container starts, it automatically:
 1. **Runs post-create script** (`container-server-post-create.sh`):
   - Adjusts file permissions for the `node` user
   - Installs dependencies: `pnpm install` in all packages
-   - Builds TypeScript SDK: `pnpm --filter @immich/sdk build`
+   - Builds TypeScript SDK: `pnpm run build` in `open-api/typescript-sdk`
 2. **Starts development servers** via VS Code tasks:
   - `Immich API Server (Nest)` - API server with hot-reloading on port 2283
@@ -243,8 +243,8 @@ To connect the mobile app to your Dev Container:
 - **Server code** (`/server`): Changes trigger automatic restart
 - **Web code** (`/web`): Changes trigger hot module replacement
- **Database migrations**: Run `mise //:sql`
+- **Database migrations**: Run `pnpm run sync:sql` in the server directory
- **API changes**: Regenerate TypeScript SDK with `mise //:open-api`
+- **API changes**: Regenerate TypeScript SDK with `make open-api`
 ## Testing
@@ -252,11 +252,20 @@ To connect the mobile app to your Dev Container:
 The Dev Container supports multiple ways to run tests:
-#### Using Mise Commands (Recommended)
+#### Using Make Commands (Recommended)
 ```bash
 # Run tests for specific components
-mise run checklist      # in `server/`, `web/`, `packages/cli`
+make test-server        # Server unit tests
 make test-web           # Web unit tests
 make test-e2e           # End-to-end tests
 make test-cli           # CLI tests
 # Run all tests
 make test-all           # Runs tests for all components
 # Medium tests (integration tests)
 make test-medium-dev    # End-to-end tests
 ```
 #### Using PNPM Directly
@@ -280,16 +289,48 @@ pnpm run test           # Run API tests
 pnpm run test:web       # Run web UI tests
 ```
 ### Code Quality Commands
 ```bash
 # Linting
 make lint-server        # Lint server code
 make lint-web           # Lint web code
 make lint-all           # Lint all components
 # Formatting
 make format-server      # Format server code
 make format-web         # Format web code
 make format-all         # Format all code
 # Type checking
 make check-server       # Type check server
 make check-web          # Type check web
 make check-all          # Check all components
 # Complete hygiene check
 make hygiene-all        # Run lint, format, check, SQL sync, and audit
 ```
 ### Additional Make Commands
 ```bash
 # Build commands
 make build-server       # Build server
 make build-web          # Build web app
 make build-all          # Build everything
 # API generation
 make open-api           # Generate OpenAPI specs
 make open-api-typescript # Generate TypeScript SDK
 make open-api-dart      # Generate Dart SDK
 # Database
-mise sql                # Sync database schema
+make sql                # Sync database schema
 # Dependencies
 make install-server     # Install server dependencies
 make install-web        # Install web dependencies
 make install-all        # Install all dependencies
 ```
 ### Debugging
@@ -367,27 +408,7 @@ If you encounter issues:
 1. Check container logs: View → Output → Select "Dev Containers"
 2. Rebuild without cache: "Dev Containers: Rebuild Container Without Cache"
 3. Review [common Docker issues](https://docs.docker.com/desktop/troubleshoot/)
-4. Ask in [Discord](https://discord.immich.app) `#contributing` channel
+4. Ask in [Discord](https://discord.immich.app) `#help-desk-support` channel
 ### Quick-start guide for DevPod with docker
 You will need DevPod CLI (check [DevPod CLI installation guide](https://devpod.sh/docs/getting-started/install)) and Docker Desktop.
 ```sh
 # Step 1: Clone the Repository
 git clone https://github.com/immich-app/immich.git
 cd immich
 # Step 2: Prepare DevPod (if you haven't already)
 devpod provider add docker
 devpod provider use docker
 # Step 3: Build 'immich-server-dev' docker image first manually
 docker build -f server/Dockerfile.dev -t immich-server-dev .
 # Step 4: Now you can start devcontainer
 devpod up .
 ```
 ## Mobile Development
@@ -10,8 +10,7 @@ Our [GitHub Repository](https://github.com/immich-app/immich) is a [monorepo](ht
 | :------------------ | :------------------------------------------------------------------- |
 | `.github/`          | Github templates and action workflows                                |
 | `.vscode/`          | VSCode debug launch profiles                                         |
-| `packages/cli`      | Source code for the CLI                                              |
+| `cli/`              | Source code for the work-in-progress CLI rewrite                     |
 | `packages/sdk`      | Source code for the generated OpenAPI SDK                            |
 | `docker/`           | Docker compose resources for dev, test, production                   |
 | `design/`           | Screenshots and logos for the README                                 |
 | `docs/`             | Source code for the [https://immich.app](https://immich.app) website |
@@ -1,4 +1,4 @@
-# API
+# OpenAPI
 Immich uses the [OpenAPI](https://swagger.io/specification/) standard to generate API documentation. To view the published docs see [here](https://api.immich.app/).
@@ -10,4 +10,4 @@ OpenAPI is used to generate the client (Typescript, Dart) SDK. `openapi-generato
 make open-api
 ```
-You can find the generated client SDK in the `packages/sdk/client` for Typescript SDK and `mobile/openapi` for Dart SDK.
+You can find the generated client SDK in the `open-api/typescript-sdk/client` for Typescript SDK and `mobile/openapi` for Dart SDK.
@@ -34,28 +34,26 @@ Run all web checks with `pnpm run check:all`
 Run all server checks with `pnpm run check:all`
 :::
-:::tip Auto Fix
+:::info Auto Fix
 You can use `pnpm run __:fix` to potentially correct some issues automatically for `pnpm run format` and `lint`.
 :::
-## Mobile Checklist
+## Mobile Checks
- [ ] `mise //mobile:codegen` (auto-generate files using build_runner)
+The following commands must be executed from within the mobile app directory of the codebase.
 - [ ] `mise //mobile:lint` (static analysis via Dart Analyzer and DCM)
 - [ ] `mise //mobile:format` (formatting via Dart Formatter)
 - [ ] `mise //mobile:test` (unit tests)
-:::tip
+- [ ] `make build` (auto-generate files using build_runner)
-Run all these commands at once with `mise //mobile:checklist`
+- [ ] `make analyze` (static analysis via Dart Analyzer and DCM)
-:::
+- [ ] `make format` (formatting via Dart Formatter)
 - [ ] `make test` (unit tests)
-:::tip Auto Fix
+:::info Auto Fix
-You can use `mise //mobile:lint-fix` to potentially correct some issues automatically for `mise //mobile:lint`.
+You can use `dart fix --apply` and `dcm fix lib` to potentially correct some issues automatically for `make analyze`.
 :::
 ## OpenAPI
-The OpenAPI client libraries need to be regenerated whenever there are changes to the `immich-openapi-specs.json` file. Note that you should not modify this file directly as it is auto-generated. See [OpenAPI](/api.md) for more details.
+The OpenAPI client libraries need to be regenerated whenever there are changes to the `immich-openapi-specs.json` file. Note that you should not modify this file directly as it is auto-generated. See [OpenAPI](/developer/open-api.md) for more details.
 ## Database Migrations
@@ -58,7 +58,7 @@ You can access the web from `http://your-machine-ip:3000` or `http://localhost:3
 If you only want to do web development connected to an existing, remote backend, follow these steps:
-1. Build the Immich SDK - `pnpm --filter @immich/sdk install && pnpm --filter @immich/sdk build`
+1. Build the Immich SDK - `cd open-api/typescript-sdk && pnpm i && pnpm run build && cd -`
 2. Enter the web directory - `cd web/`
 3. Install web dependencies - `pnpm i`
 4. Start the web development server
@@ -80,9 +80,9 @@ To see local changes to `@immich/ui` in Immich, do the following:
 1. Install `@immich/ui` as a sibling to `immich/`, for example `/home/user/immich` and `/home/user/ui`
 2. Build the `@immich/ui` project via `pnpm run build`
-3. Uncomment the corresponding volume in web service of the `docker/docker-compose.dev.yml` file (`../../ui:/usr/src/ui`)
+3. Uncomment the corresponding volume in web service of the `docker/docker-compose.dev.yaml` file (`../../ui:/usr/ui`)
-4. Uncomment the corresponding alias in the `web/vite.config.ts` file (`'@immich/ui': path.resolve(\_\_dirname, '../../ui/packages/ui')`)
+4. Uncomment the corresponding alias in the `web/vite.config.js` file (`'@immich/ui': path.resolve(\_\_dirname, '../../ui')`)
-5. Uncomment the import statement in `web/src/app.css` file `@import '../../../ui/packages/ui/dist/theme/default.css';` and comment out `@import '@immich/ui/theme/default.css';`
+5. Uncomment the import statement in `web/src/app.css` file `@import '/usr/ui/dist/theme/default.css';` and comment out `@import '@immich/ui/theme/default.css';`
 6. Start up the stack via `make dev`
 7. After making changes in `@immich/ui`, rebuild it (`pnpm run build`)
@@ -90,13 +90,10 @@ To see local changes to `@immich/ui` in Immich, do the following:
 #### Setup
-1. [Install mise](https://mise.jdx.dev/installing-mise.html).
+1. Setup Flutter toolchain using FVM.
-2. Change to the immich (root) directory and trust the mise config with `mise trust`.
+2. Run `flutter pub get` to install the dependencies.
-3. Install tools with mise: `mise install`.
+3. Run `make translation` to generate the translation file.
-4. Change to the `mobile/` directory.
+4. Run `fvm flutter run` to start the app.
 5. Run `flutter pub get` to install the dependencies.
 6. Run `make translation` to generate the translation file.
 7. Run `flutter run` to start the app.
 #### Translation
@@ -17,14 +17,15 @@ make e2e
 Before you can run the tests, you need to run the following commands _once_:
- `pnpm install`
+- `pnpm install` (in `e2e/`)
- `pnpm --filter "@immich/*" build`
+- `pnpm run build` (in `cli/`)
- `mise //:open-api`
+- `make open-api` (in the project root `/`)
 Once the test environment is running, the e2e tests can be run via:
 ```bash
-mise //e2e:test
+cd e2e/
 pnpm test
 ```
 The tests check various things including:
@@ -183,7 +183,7 @@ For example to get a list of files that would be uploaded for further
 processing:
 ```bash
-immich upload --dry-run --json-output . | tail -n +6 | jq .newFiles[]
+immich upload --dry-run . | tail -n +6 | jq .newFiles[]
 ```
 ### Obtain the API Key
@@ -1,28 +0,0 @@
 # Duplicates Utility
 Immich comes with a duplicates utility to help you detect assets that look visually similar. The duplicate detection feature relies on machine learning and is enabled by default. For more information about when the duplicate detection job runs, see [Jobs and Workers](/administration/jobs-workers). Once an asset has been processed and added to a duplicate group, it becomes available to review in the "Review duplicates" utility, which can be found [here](https://my.immich.app/utilities/duplicates).
 ## Reviewing duplicates
 The review duplicates page allows the user to individually select which assets should be kept and which ones should be trashed. When more than one asset is kept, there is an option to automatically put the kept assets into a stack.
 ### Automatic preselection
 When using "Deduplicate All" or viewing suggestions, Immich automatically preselects which assets to keep based on:
 1. **Image size in bytes** — larger files are preferred as they typically have higher quality.
 2. **Count of EXIF data** — assets with more metadata are preferred.
 ### Synchronizing metadata
 When resolving duplicates, metadata from trashed assets is automatically synchronized to the kept assets. The following metadata is synchronized:
 | Name        | Description                                                                                                                     |
 | ----------- | ------------------------------------------------------------------------------------------------------------------------------- |
 | Album       | The kept assets will be added to _every_ album that the other assets in the group belong to.                                    |
 | Favorite    | If any of the assets in the group have been added to favorites, every kept asset will also be added to favorites.               |
 | Rating      | If one or more assets in the duplicate group have a rating, the highest rating is selected and synchronized to the kept assets. |
 | Description | Descriptions from each asset are combined together and synchronized to all the kept assets.                                     |
 | Visibility  | The most restrictive visibility is applied to the kept assets.                                                                  |
 | Location    | Latitude and longitude are copied if all assets with geolocation data in the group share the same coordinates.                  |
 | Tag         | Tags from all assets in the group are merged and applied to every kept asset.                                                   |
@@ -50,8 +50,6 @@ Some basic examples:
 - `**/Raw/**` will exclude all files in any directory named `Raw`
 - `**/*.{tif,jpg}` will exclude all files with the extension `.tif` or `.jpg`
 Note that `*` is a wildcard matching zero or more characters (i.e., withinin a filename or single directory name). `**` matches zero or more subdirectories, recursively. It also includes any/all files within a subdirectory, i.e., when used at the end of a pattern. For example, `**/exclude_me/**` will exclude all files in any directory named `exclude_me`, as well as all files in any subdirectories of `exclude_me`, recursively.
 Special characters such as @ should be escaped, for instance:
 - `**/\@eaDir/**` will exclude all files in any directory named `@eaDir`
@@ -82,10 +80,6 @@ There is an automatic scan job that is scheduled to run once a day. Its schedule
 This job also cleans up any libraries stuck in deletion. It is possible to trigger the cleanup by clicking "Scan all libraries" in the library management page.
 ### Deleting a Library
 When deleting an external library, all assets inside are immediately deleted along with the library. Note that while a library can take a long time to fully delete in the background, it is immediately removed from the library list. If the deletion process is interrupted (for example, due to server restart), it will be cleaned up in the next nightly cron job. The cleanup process can also be manually initiated by clicking the "Scan All Libraries" button in the library list.
 ## Usage
 Let's show a concrete example where we add an existing gallery to Immich. Here, we have the following folders we want to add:
--- a/Show More
+++ b/Show More