fix(mobile): isolate auth to app instance

Credentials are currently shared for the whole app group, which causes
debug, test flight and release versions to conflict with each other.
This results in really weird behaviour like one instance of the app
acknowledging syncs which the other instances aren't aware of.

.github/.nvmrc

@@ -1 +1 @@
-24.13.1
+24.14.0

.github/workflows/docker.yml

@@ -178,7 +178,7 @@ jobs:
     runs-on: ubuntu-latest
     if: always()
     steps:
-      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
         with:
           needs: ${{ toJSON(needs) }}
 
@@ -189,6 +189,6 @@ jobs:
     runs-on: ubuntu-latest
     if: always()
     steps:
-      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
         with:
           needs: ${{ toJSON(needs) }}

.github/workflows/test.yml

@@ -566,7 +566,7 @@ jobs:
     runs-on: ubuntu-latest
     if: always()
     steps:
-      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
         with:
           needs: ${{ toJSON(needs) }}
   mobile-unit-tests:

.github/workflows/weblate-lock.yml

@@ -68,6 +68,6 @@ jobs:
     permissions: {}
     if: always()
     steps:
-      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
         with:
           needs: ${{ toJSON(needs) }}

cli/.nvmrc

@@ -1 +1 @@
-24.13.1
+24.14.0

cli/package.json

@@ -20,7 +20,7 @@
     "@types/lodash-es": "^4.17.12",
     "@types/micromatch": "^4.0.9",
     "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.11.0",
+    "@types/node": "^24.12.0",
     "@vitest/coverage-v8": "^4.0.0",
     "byte-size": "^9.0.0",
     "cli-progress": "^3.12.0",
@@ -68,6 +68,6 @@
     "micromatch": "^4.0.8"
   },
   "volta": {
-    "node": "24.13.1"
+    "node": "24.14.0"
   }
 }

docker/docker-compose.dev.yml

@@ -90,6 +90,7 @@ services:
       IMMICH_THIRD_PARTY_BUG_FEATURE_URL: https://github.com/immich-app/immich/issues
       IMMICH_THIRD_PARTY_DOCUMENTATION_URL: https://docs.immich.app
       IMMICH_THIRD_PARTY_SUPPORT_URL: https://docs.immich.app/community-guides
+      IMMICH_HELMET_FILE: 'true'
     ports:
       - 9230:9230
       - 9231:9231

docker/docker-compose.prod.yml

@@ -97,7 +97,7 @@ services:
     command: ['./run.sh', '-disable-reporting']
     ports:
       - 3000:3000
-    image: grafana/grafana:12.3.2-ubuntu@sha256:6cca4b429a1dc0d37d401dee54825c12d40056c3c6f3f56e3f0d6318ce77749b
+    image: grafana/grafana:12.4.1-ubuntu@sha256:1a20dea76a2778773df17dbc365db86b1a4f2d57772b8590b6311038a3acb1db
     volumes:
       - grafana-data:/var/lib/grafana
 

docs/.nvmrc

@@ -1 +1 @@
-24.13.1
+24.14.0

docs/docs/features/duplicates-utility.md

@@ -0,0 +1,28 @@
+# Duplicates Utility
+
+Immich comes with a duplicates utility to help you detect assets that look visually similar. The duplicate detection feature relies on machine learning and is enabled by default. For more information about when the duplicate detection job runs, see [Jobs and Workers](/administration/jobs-workers). Once an asset has been processed and added to a duplicate group, it becomes available to review in the "Review duplicates" utility, which can be found [here](https://my.immich.app/utilities/duplicates).
+
+## Reviewing duplicates
+
+The review duplicates page allows the user to individually select which assets should be kept and which ones should be trashed. When more than one asset is kept, there is an option to automatically put the kept assets into a stack.
+
+### Automatic preselection
+
+When using "Deduplicate All" or viewing suggestions, Immich automatically preselects which assets to keep based on:
+
+1. **Image size in bytes** — larger files are preferred as they typically have higher quality.
+2. **Count of EXIF data** — assets with more metadata are preferred.
+
+### Synchronizing metadata
+
+When resolving duplicates, metadata from trashed assets is automatically synchronized to the kept assets. The following metadata is synchronized:
+
+| Name        | Description                                                                                                                     |
+| ----------- | ------------------------------------------------------------------------------------------------------------------------------- |
+| Album       | The kept assets will be added to _every_ album that the other assets in the group belong to.                                    |
+| Favorite    | If any of the assets in the group have been added to favorites, every kept asset will also be added to favorites.               |
+| Rating      | If one or more assets in the duplicate group have a rating, the highest rating is selected and synchronized to the kept assets. |
+| Description | Descriptions from each asset are combined together and synchronized to all the kept assets.                                     |
+| Visibility  | The most restrictive visibility is applied to the kept assets.                                                                  |
+| Location    | Latitude and longitude are copied if all assets with geolocation data in the group share the same coordinates.                  |
+| Tag         | Tags from all assets in the group are merged and applied to every kept asset.                                                   |

docs/docs/guides/custom-map-styles.md

@@ -3,8 +3,8 @@
 You may decide that you'd like to modify the style document which is used to
 draw the maps in Immich. In addition to visual customization, this also allows
 you to pick your own map tile provider instead of the default one. The default
-`style.json` for [light theme](https://github.com/immich-app/immich/tree/main/server/resources/style-light.json)
-and [dark theme](https://github.com/immich-app/immich/blob/main/server/resources/style-dark.json)
+`style.json` for [light theme](https://tiles.immich.cloud/v1/style/light.json)
+and [dark theme](https://tiles.immich.cloud/v1/style/dark.json)
 can be used as a basis for creating your own style.
 
 There are several sources for already-made `style.json` map themes, as well as

docs/docs/install/environment-variables.md

@@ -29,22 +29,23 @@ These environment variables are used by the `docker-compose.yml` file and do **N
 
 ## General
 
-| Variable                            | Description                                                                               |           Default            | Containers               | Workers            |
-| :---------------------------------- | :---------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
-| `TZ`                                | Timezone                                                                                  |        <sup>\*1</sup>        | server                   | microservices      |
-| `IMMICH_ENV`                        | Environment (production, development)                                                     |         `production`         | server, machine learning | api, microservices |
-| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                              |            `log`             | server, machine learning | api, microservices |
-| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                     |          `console`           | server                   | api, microservices |
-| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️ |           `/data`            | server                   | api, microservices |
-| `IMMICH_CONFIG_FILE`                | Path to config file                                                                       |                              | server                   | api, microservices |
-| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                           |           `false`            | server, machine learning |                    |
-| `CPU_CORES`                         | Number of cores available to the Immich server                                            | auto-detected CPU core count | server                   |                    |
-| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                 |            `8081`            | server                   | api                |
-| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                 |            `8082`            | server                   | microservices      |
-| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                       |                              | server                   | microservices      |
-| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                        |                              | server                   | api                |
-| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                  |                              | server                   | api, microservices |
-| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                  |            `true`            | server                   | api                |
+| Variable                            | Description                                                                                                                                            |           Default            | Containers               | Workers            |
+| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
+| `TZ`                                | Timezone                                                                                                                                               |        <sup>\*1</sup>        | server                   | microservices      |
+| `IMMICH_ENV`                        | Environment (production, development)                                                                                                                  |         `production`         | server, machine learning | api, microservices |
+| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                                                                                           |            `log`             | server, machine learning | api, microservices |
+| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                                                                                  |          `console`           | server                   | api, microservices |
+| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️                                                              |           `/data`            | server                   | api, microservices |
+| `IMMICH_CONFIG_FILE`                | Path to config file                                                                                                                                    |                              | server                   | api, microservices |
+| `IMMICH_HELMET_FILE`                | Path to a json file with [helmet](https://www.npmjs.com/package/helmet) options. Set to `false` to disable. Set to `true` to use `server/helmet.json`. |           `false`            | server                   | api, microservices |
+| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                                                                                        |           `false`            | server, machine learning |                    |
+| `CPU_CORES`                         | Number of cores available to the Immich server                                                                                                         | auto-detected CPU core count | server                   |                    |
+| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                                                                              |            `8081`            | server                   | api                |
+| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                                                                              |            `8082`            | server                   | microservices      |
+| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                                                                                    |                              | server                   | microservices      |
+| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                                                                                     |                              | server                   | api                |
+| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                                                                               |                              | server                   | api, microservices |
+| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                                                                               |            `true`            | server                   | api                |
 
 \*1: `TZ` should be set to a `TZ identifier` from [this list][tz-list]. For example, `TZ="Etc/UTC"`.
 `TZ` is used by `exiftool` as a fallback in case the timezone cannot be determined from the image metadata. It is also used for logfile timestamps and cron job execution.

docs/package.json

@@ -58,6 +58,6 @@
     "node": ">=20"
   },
   "volta": {
-    "node": "24.13.1"
+    "node": "24.14.0"
   }
 }

e2e/.nvmrc

@@ -1 +1 @@
-24.13.1
+24.14.0

e2e/package.json

@@ -32,7 +32,7 @@
     "@playwright/test": "^1.44.1",
     "@socket.io/component-emitter": "^3.1.2",
     "@types/luxon": "^3.4.2",
-    "@types/node": "^24.11.0",
+    "@types/node": "^24.12.0",
     "@types/pg": "^8.15.1",
     "@types/pngjs": "^6.0.4",
     "@types/supertest": "^6.0.2",
@@ -58,6 +58,6 @@
     "vitest": "^4.0.0"
   },
   "volta": {
-    "node": "24.13.1"
+    "node": "24.14.0"
   }
 }

e2e/src/api/specs/duplicate.e2e-spec.ts

@@ -0,0 +1,651 @@
+import { LoginResponseDto } from '@immich/sdk';
+import { createUserDto, uuidDto } from 'src/fixtures';
+import { errorDto } from 'src/responses';
+import { app, utils } from 'src/utils';
+import request from 'supertest';
+import { beforeAll, beforeEach, describe, expect, it } from 'vitest';
+
+describe('/duplicates', () => {
+  let admin: LoginResponseDto;
+  let user1: LoginResponseDto;
+  let user2: LoginResponseDto;
+
+  beforeAll(async () => {
+    await utils.resetDatabase();
+
+    admin = await utils.adminSetup();
+
+    [user1, user2] = await Promise.all([
+      utils.userSetup(admin.accessToken, createUserDto.user1),
+      utils.userSetup(admin.accessToken, createUserDto.user2),
+    ]);
+  });
+
+  beforeEach(async () => {
+    // Reset assets, albums, tags, and stacks between tests to ensure clean state for repeated test runs
+    // Note: We don't reset users since they're set up once in beforeAll
+    // Stack must be reset before asset due to foreign key constraint
+    await utils.resetDatabase(['stack', 'asset', 'album', 'tag']);
+  });
+
+  describe('GET /duplicates', () => {
+    it('should return empty array when no duplicates', async () => {
+      const { status, body } = await request(app)
+        .get('/duplicates')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toEqual([]);
+    });
+
+    it('should return duplicate groups with suggestedKeepAssetIds', async () => {
+      // Create assets with different file sizes for duplicate detection
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      // Manually set duplicateId on both assets to create a duplicate group
+      const duplicateId = '00000000-0000-4000-8000-000000000001';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .get('/duplicates')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toEqual([
+        {
+          duplicateId,
+          assets: expect.arrayContaining([
+            expect.objectContaining({ id: asset1.id }),
+            expect.objectContaining({ id: asset2.id }),
+          ]),
+          suggestedKeepAssetIds: expect.any(Array),
+        },
+      ]);
+      expect(body[0].suggestedKeepAssetIds.length).toBe(1);
+    });
+  });
+
+  describe('POST /duplicates/resolve', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .send({
+          groups: [{ duplicateId: uuidDto.dummy, keepAssetIds: [], trashAssetIds: [] }],
+        });
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should return failure for non-existent duplicate group', async () => {
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId: uuidDto.dummy, keepAssetIds: [], trashAssetIds: [] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        status: 'COMPLETED',
+        results: [
+          {
+            duplicateId: uuidDto.dummy,
+            status: 'FAILED',
+            reason: expect.stringContaining('not found or access denied'),
+          },
+        ],
+      });
+    });
+
+    it('should resolve duplicate group with keepers', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000002';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        status: 'COMPLETED',
+        results: [
+          {
+            duplicateId,
+            status: 'SUCCESS',
+          },
+        ],
+      });
+
+      // Verify side effects: duplicateId cleared on kept asset
+      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
+      expect(keptAsset.duplicateId).toBeNull();
+
+      // Verify side effects: trashed asset is trashed and duplicateId cleared
+      const trashedAsset = await utils.getAssetInfo(user1.accessToken, asset2.id);
+      expect(trashedAsset.isTrashed).toBe(true);
+      expect(trashedAsset.duplicateId).toBeNull();
+    });
+
+    it('should reject when keepAssetIds and trashAssetIds overlap', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000003';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset1.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('FAILED');
+      expect(body.results[0].reason).toContain('disjoint');
+    });
+
+    it('should require keepAssetIds when partially trashing', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000004';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [], trashAssetIds: [asset1.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('FAILED');
+      expect(body.results[0].reason).toContain('must cover all assets');
+    });
+
+    it('should reject partial resolution (not all assets covered)', async () => {
+      const [asset1, asset2, asset3] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000010';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset3.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('FAILED');
+      expect(body.results[0].reason).toContain('must cover all assets');
+    });
+
+    it('should reject asset not in duplicate group', async () => {
+      const [asset1, asset2, outsideAsset] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000011';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [outsideAsset.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('FAILED');
+      expect(body.results[0].reason).toContain('not a member of duplicate group');
+    });
+
+    it('should allow trash-all without keepers', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000012';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [], trashAssetIds: [asset1.id, asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        status: 'COMPLETED',
+        results: [
+          {
+            duplicateId,
+            status: 'SUCCESS',
+          },
+        ],
+      });
+
+      // Verify both assets are trashed
+      const [asset1Info, asset2Info] = await Promise.all([
+        utils.getAssetInfo(user1.accessToken, asset1.id),
+        utils.getAssetInfo(user1.accessToken, asset2.id),
+      ]);
+
+      expect(asset1Info.isTrashed).toBe(true);
+      expect(asset1Info.duplicateId).toBeNull();
+      expect(asset2Info.isTrashed).toBe(true);
+      expect(asset2Info.duplicateId).toBeNull();
+    });
+
+    it('should reject cross-user duplicate group access', async () => {
+      const asset1 = await utils.createAsset(user1.accessToken);
+      const asset2 = await utils.createAsset(user2.accessToken);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000013';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user2.accessToken, asset2.id, duplicateId);
+
+      // User1 tries to resolve a group containing user2's asset
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('FAILED');
+      expect(body.results[0].reason).toContain('not a member of duplicate group');
+    });
+
+    it('should synchronize favorites when enabled', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      // Mark one asset as favorite
+      await request(app)
+        .put('/assets')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({ ids: [asset2.id], isFavorite: true });
+
+      const duplicateId = '00000000-0000-4000-8000-000000000020';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Verify favorite was synchronized to keeper
+      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
+      expect(keptAsset.isFavorite).toBe(true);
+      expect(keptAsset.duplicateId).toBeNull();
+    });
+
+    it('should synchronize visibility when enabled', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      // Archive one asset
+      await utils.archiveAssets(user1.accessToken, [asset2.id]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000021';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Verify visibility was synchronized to keeper
+      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
+      expect(keptAsset.visibility).toBe('archive');
+      expect(keptAsset.duplicateId).toBeNull();
+    });
+
+    it('should synchronize rating when enabled', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      // Set rating on one asset
+      await request(app)
+        .put('/assets')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({ ids: [asset2.id], rating: 5 });
+
+      const duplicateId = '00000000-0000-4000-8000-000000000022';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Verify rating was synchronized to keeper
+      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
+      expect(keptAsset.exifInfo?.rating).toBe(5);
+      expect(keptAsset.duplicateId).toBeNull();
+    });
+
+    it('should synchronize description when enabled', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      // Set description on one asset
+      await request(app)
+        .put('/assets')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({ ids: [asset2.id], description: 'Test description for duplicate' });
+
+      const duplicateId = '00000000-0000-4000-8000-000000000023';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Verify description was synchronized to keeper
+      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
+      expect(keptAsset.exifInfo?.description).toBe('Test description for duplicate');
+      expect(keptAsset.duplicateId).toBeNull();
+    });
+
+    it('should synchronize location when enabled', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      // Set location on one asset
+      await request(app)
+        .put('/assets')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({ ids: [asset2.id], latitude: 40.7128, longitude: -74.006 });
+
+      const duplicateId = '00000000-0000-4000-8000-000000000024';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Verify location was synchronized to keeper
+      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
+      expect(keptAsset.exifInfo?.latitude).toBe(40.7128);
+      expect(keptAsset.exifInfo?.longitude).toBe(-74.006);
+      expect(keptAsset.duplicateId).toBeNull();
+    });
+
+    it('should synchronize albums when enabled', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      // Create albums and add assets to different albums
+      const album1 = await utils.createAlbum(user1.accessToken, {
+        albumName: 'Album 1',
+        assetIds: [asset1.id],
+      });
+      const album2 = await utils.createAlbum(user1.accessToken, {
+        albumName: 'Album 2',
+        assetIds: [asset2.id],
+      });
+
+      const duplicateId = '00000000-0000-4000-8000-000000000025';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Verify keeper is now in both albums
+      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
+      expect(keptAsset.duplicateId).toBeNull();
+
+      // Check albums directly
+      const { status: album1Status, body: album1Body } = await request(app)
+        .get(`/albums/${album1.id}`)
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+      const { status: album2Status, body: album2Body } = await request(app)
+        .get(`/albums/${album2.id}`)
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(album1Status).toBe(200);
+      expect(album2Status).toBe(200);
+      expect(album1Body.assets.map((a: any) => a.id)).toContain(asset1.id);
+      expect(album2Body.assets.map((a: any) => a.id)).toContain(asset1.id);
+    });
+
+    it('should synchronize tags when enabled', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      // Wait for metadata extraction to complete before adding tags
+      // Otherwise, metadata jobs will race and overwrite our tags
+      await utils.waitForQueueFinish(admin.accessToken, 'metadataExtraction');
+
+      // Create tags and tag assets differently
+      const tags = await utils.upsertTags(user1.accessToken, ['tag1', 'tag2']);
+      await utils.tagAssets(user1.accessToken, tags[0].id, [asset1.id]);
+      await utils.tagAssets(user1.accessToken, tags[1].id, [asset2.id]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000026';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Verify keeper has both tags
+      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
+      expect(keptAsset.duplicateId).toBeNull();
+      expect(keptAsset.tags).toBeDefined();
+      const tagIds = keptAsset.tags?.map((t) => t.id) || [];
+      expect(tagIds).toContain(tags[0].id);
+      expect(tagIds).toContain(tags[1].id);
+    });
+
+    it('should handle batch resolve with mixed success and failure', async () => {
+      // Create first group that will succeed
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+      const duplicateId1 = '00000000-0000-4000-8000-000000000027';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId1);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId1);
+
+      // Create second group with non-existent duplicate ID (will fail)
+      const fakeId = '00000000-0000-4000-8000-000000000099';
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [
+            { duplicateId: duplicateId1, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] },
+            { duplicateId: fakeId, keepAssetIds: [], trashAssetIds: [] },
+          ],
+        });
+
+      expect(status).toBe(200);
+      expect(body.status).toBe('COMPLETED');
+      expect(body.results).toHaveLength(2);
+
+      // First group should succeed
+      expect(body.results[0].duplicateId).toBe(duplicateId1);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Second group should fail
+      expect(body.results[1].duplicateId).toBe(fakeId);
+      expect(body.results[1].status).toBe('FAILED');
+      expect(body.results[1].reason).toContain('not found or access denied');
+
+      // Verify first group was actually resolved despite second failure
+      const asset1Info = await utils.getAssetInfo(user1.accessToken, asset1.id);
+      expect(asset1Info.duplicateId).toBeNull();
+      const asset2Info = await utils.getAssetInfo(user1.accessToken, asset2.id);
+      expect(asset2Info.isTrashed).toBe(true);
+    });
+
+    it('should trash assets when trash is enabled', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000028';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      // Ensure trash is enabled (default)
+      const config = await utils.getSystemConfig(admin.accessToken);
+      expect(config.trash.enabled).toBe(true);
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Verify asset is trashed (not deleted)
+      const trashedAsset = await utils.getAssetInfo(user1.accessToken, asset2.id);
+      expect(trashedAsset.isTrashed).toBe(true);
+    });
+
+    it('should delete assets when trash is disabled', async () => {
+      const [asset1, asset2] = await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      const duplicateId = '00000000-0000-4000-8000-000000000029';
+      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
+      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
+
+      // Disable trash
+      await request(app)
+        .put('/system-config')
+        .set('Authorization', `Bearer ${admin.accessToken}`)
+        .send({
+          trash: { enabled: false, days: 30 },
+        });
+
+      const { status, body } = await request(app)
+        .post('/duplicates/resolve')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({
+          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+        });
+
+      expect(status).toBe(200);
+      expect(body.results[0].status).toBe('SUCCESS');
+
+      // Asset should be marked as deleted (force delete)
+      const { status: getStatus } = await request(app)
+        .get(`/assets/${asset2.id}`)
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      // Asset should still be accessible (soft deleted) but marked as deleted
+      expect(getStatus).toBe(200);
+
+      // Re-enable trash for other tests
+      await utils.resetAdminConfig(admin.accessToken);
+    });
+  });
+});

e2e/src/fixtures.ts

@@ -2,6 +2,8 @@ export const uuidDto = {
   invalid: 'invalid-uuid',
   // valid uuid v4
   notFound: '00000000-0000-4000-a000-000000000000',
+  dummy: '00000000-0000-4000-a000-000000000001',
+  dummy2: '00000000-0000-4000-a000-000000000002',
 };
 
 const adminLoginDto = {

e2e/src/specs/maintenance/server/database-backups.e2e-spec.ts

@@ -10,7 +10,9 @@ describe('/admin/database-backups', () => {
 
   beforeAll(async () => {
     await utils.resetDatabase();
-    admin = await utils.adminSetup();
+    admin = await utils.adminSetup({
+      onboarding: false,
+    });
     await utils.resetBackups(admin.accessToken);
   });
 
@@ -94,7 +96,9 @@ describe('/admin/database-backups', () => {
         ({ status, body }) => status === 200 && !body.maintenanceMode,
       );
 
-      admin = await utils.adminSetup();
+      admin = await utils.adminSetup({
+        onboarding: false,
+      });
     });
 
     it.sequential('should not work when the server is configured', async () => {

e2e/src/specs/web/album.e2e-spec.ts

@@ -1,6 +1,7 @@
 import { LoginResponseDto } from '@immich/sdk';
-import { test } from '@playwright/test';
-import { utils } from 'src/utils';
+import { expect, test } from '@playwright/test';
+import { readFileSync } from 'node:fs';
+import { testAssetDir, utils } from 'src/utils';
 
 test.describe('Album', () => {
   let admin: LoginResponseDto;
@@ -22,4 +23,41 @@ test.describe('Album', () => {
     await page.reload();
     await page.getByRole('button', { name: 'Select photos' }).waitFor();
   });
+
+  test('should keep map view open after viewing an asset from the map and going back', async ({ context, page }) => {
+    await utils.setAuthCookies(context, admin.accessToken);
+
+    const imagePath = `${testAssetDir}/metadata/gps-position/thompson-springs.jpg`;
+    const mapAsset = await utils.createAsset(admin.accessToken, {
+      assetData: {
+        bytes: readFileSync(imagePath),
+        filename: 'thompson-springs.jpg',
+      },
+    });
+
+    await utils.waitForQueueFinish(admin.accessToken, 'metadataExtraction');
+
+    const mapAlbum = await utils.createAlbum(admin.accessToken, {
+      albumName: 'Map Test Album',
+      assetIds: [mapAsset.id],
+    });
+
+    await page.goto(`/albums/${mapAlbum.id}`);
+    const mapButton = page.getByRole('button', { name: 'Map' });
+    await expect(mapButton).toBeVisible();
+    await mapButton.click();
+
+    const mapModal = page.getByRole('dialog');
+    await expect(mapModal).toBeVisible();
+
+    const mapMarker = mapModal.getByRole('img', { name: /Map marker/i }).first();
+    await expect(mapMarker).toBeVisible();
+    await mapMarker.click();
+
+    await page.waitForSelector('#immich-asset-viewer');
+    await page.getByRole('button', { name: 'Go back' }).click();
+
+    await expect(page.locator('#immich-asset-viewer')).not.toBeVisible();
+    await expect(mapModal).toBeVisible();
+  });
 });

e2e/src/utils.ts

@@ -510,6 +510,9 @@ export const utils = {
   createStack: (accessToken: string, assetIds: string[]) =>
     createStack({ stackCreateDto: { assetIds } }, { headers: asBearerAuth(accessToken) }),
 
+  setAssetDuplicateId: (accessToken: string, assetId: string, duplicateId: string | null) =>
+    updateAssets({ assetBulkUpdateDto: { ids: [assetId], duplicateId } }, { headers: asBearerAuth(accessToken) }),
+
   upsertTags: (accessToken: string, tags: string[]) =>
     upsertTags({ tagUpsertDto: { tags } }, { headers: asBearerAuth(accessToken) }),
 

i18n/en.json

@@ -881,7 +881,7 @@
   "daily_title_text_date": "E, MMM dd",
   "daily_title_text_date_year": "E, MMM dd, yyyy",
   "dark": "Dark",
-  "dark_theme": "Toggle dark theme",
+  "dark_theme": "Switch to dark theme",
   "date": "Date",
   "date_after": "Date after",
   "date_and_time": "Date and Time",
@@ -892,10 +892,8 @@
   "day": "Day",
   "days": "Days",
   "deduplicate_all": "Deduplicate All",
-  "deduplication_criteria_1": "Image size in bytes",
-  "deduplication_criteria_2": "Count of EXIF data",
-  "deduplication_info": "Deduplication Info",
-  "deduplication_info_description": "To automatically preselect assets and remove duplicates in bulk, we look at:",
+  "default_locale": "Default Locale",
+  "default_locale_description": "Format dates and numbers based on your browser locale",
   "delete": "Delete",
   "delete_action_confirmation_message": "Are you sure you want to delete this asset? This action will move the asset to the server's trash and will prompt if you want to delete it locally",
   "delete_action_prompt": "{count} deleted",
@@ -971,7 +969,7 @@
   "downloading_media": "Downloading media",
   "drop_files_to_upload": "Drop files anywhere to upload",
   "duplicates": "Duplicates",
-  "duplicates_description": "Resolve each group by indicating which, if any, are duplicates",
+  "duplicates_description": "Resolve each group by indicating which, if any, are duplicates.",
   "duration": "Duration",
   "edit": "Edit",
   "edit_album": "Edit album",
@@ -1388,9 +1386,11 @@
   "library_page_sort_title": "Album title",
   "licenses": "Licenses",
   "light": "Light",
+  "light_theme": "Switch to light theme",
   "like": "Like",
   "like_deleted": "Like deleted",
   "link_motion_video": "Link motion video",
+  "link_to_docs": "For more information, refer to the <link>documentation</link>.",
   "link_to_oauth": "Link to OAuth",
   "linked_oauth_account": "Linked OAuth account",
   "list": "List",
@@ -2395,6 +2395,7 @@
   "viewer_remove_from_stack": "Remove from Stack",
   "viewer_stack_use_as_main_asset": "Use as Main Asset",
   "viewer_unstack": "Un-Stack",
+  "visibility": "Visibility",
   "visibility_changed": "Visibility changed for {count, plural, one {# person} other {# people}}",
   "visual": "Visual",
   "visual_builder": "Visual builder",

mise.toml

@@ -14,9 +14,9 @@ config_roots = [
 ]
 
 [tools]
-node = "24.13.1"
+node = "24.14.0"
 flutter = "3.35.7"
-pnpm = "10.30.3"
+pnpm = "10.32.1"
 terragrunt = "0.99.4"
 opentofu = "1.11.5"
 java = "21.0.2"

mobile/ios/Runner/Core/NetworkApiImpl.swift

@@ -88,8 +88,8 @@ class NetworkApiImpl: NetworkApi {
       }
     }
 
-    if headers != UserDefaults.group.dictionary(forKey: HEADERS_KEY) as? [String: String] {
-      UserDefaults.group.set(headers, forKey: HEADERS_KEY)
+    if headers != UserDefaults.standard.dictionary(forKey: HEADERS_KEY) as? [String: String] {
+      UserDefaults.standard.set(headers, forKey: HEADERS_KEY)
       URLSessionManager.shared.recreateSession()
     }
   }

mobile/ios/Runner/Core/URLSessionManager.swift

@@ -4,7 +4,6 @@ import native_video_player
 let CLIENT_CERT_LABEL = "app.alextran.immich.client_identity"
 let HEADERS_KEY = "immich.request_headers"
 let SERVER_URLS_KEY = "immich.server_urls"
-let APP_GROUP = "group.app.immich.share"
 let COOKIE_EXPIRY_DAYS: TimeInterval = 400
 
 enum AuthCookie: CaseIterable {
@@ -28,10 +27,6 @@ enum AuthCookie: CaseIterable {
   static let names: Set<String> = Set(allCases.map(\.name))
 }
 
-extension UserDefaults {
-  static let group = UserDefaults(suiteName: APP_GROUP)!
-}
-
 /// Manages a shared URLSession with SSL configuration support.
 /// Old sessions are kept alive by Dart's FFI retain until all isolates release them.
 class URLSessionManager: NSObject {
@@ -55,7 +50,7 @@ class URLSessionManager: NSObject {
     let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
     return "Immich_iOS_\(version)"
   }()
-  static let cookieStorage = HTTPCookieStorage.sharedCookieStorage(forGroupContainerIdentifier: APP_GROUP)
+  static let cookieStorage = HTTPCookieStorage.shared
   private static var serverUrls: [String] = []
   private static var isSyncing = false
 
@@ -67,7 +62,7 @@ class URLSessionManager: NSObject {
     delegate = URLSessionManagerDelegate()
     session = Self.buildSession(delegate: delegate)
     super.init()
-    Self.serverUrls = UserDefaults.group.stringArray(forKey: SERVER_URLS_KEY) ?? []
+    Self.serverUrls = UserDefaults.standard.stringArray(forKey: SERVER_URLS_KEY) ?? []
     NotificationCenter.default.addObserver(
       Self.self,
       selector: #selector(Self.cookiesDidChange),
@@ -83,7 +78,7 @@ class URLSessionManager: NSObject {
   static func setServerUrls(_ urls: [String]) {
     guard urls != serverUrls else { return }
     serverUrls = urls
-    UserDefaults.group.set(urls, forKey: SERVER_URLS_KEY)
+    UserDefaults.standard.set(urls, forKey: SERVER_URLS_KEY)
     syncAuthCookies()
   }
 
@@ -151,7 +146,7 @@ class URLSessionManager: NSObject {
     config.httpMaximumConnectionsPerHost = 64
     config.timeoutIntervalForRequest = 60
 
-    var headers = UserDefaults.group.dictionary(forKey: HEADERS_KEY) as? [String: String] ?? [:]
+    var headers = UserDefaults.standard.dictionary(forKey: HEADERS_KEY) as? [String: String] ?? [:]
     headers["User-Agent"] = headers["User-Agent"] ?? userAgent
     config.httpAdditionalHeaders = headers
 

mobile/lib/presentation/pages/drift_memory.page.dart

@@ -207,6 +207,11 @@ class DriftMemoryPage extends HookConsumerWidget {
                 WidgetsBinding.instance.addPostFrameCallback((_) {
                   DriftMemoryPage.setMemory(ref, memories[pageNumber]);
                 });
+
+                // Update currentAsset to the first asset of the new memory
+                if (memories[pageNumber].assets.isNotEmpty) {
+                  currentAsset.value = memories[pageNumber].assets.first;
+                }
               }
 
               currentAssetPage.value = 0;

mobile/lib/presentation/widgets/asset_viewer/bottom_bar.widget.dart

@@ -71,16 +71,13 @@ class ViewerBottomBar extends ConsumerWidget {
                 ),
                 child: SafeArea(
                   top: false,
-                  child: Padding(
-                    padding: const EdgeInsets.only(top: 16),
-                    child: Column(
-                      mainAxisSize: MainAxisSize.min,
-                      children: [
-                        if (asset.isVideo) VideoControls(videoPlayerName: asset.heroTag),
-                        if (!isReadonlyModeEnabled)
-                          Row(mainAxisAlignment: MainAxisAlignment.spaceEvenly, children: actions),
-                      ],
-                    ),
+                  child: Column(
+                    mainAxisSize: MainAxisSize.min,
+                    children: [
+                      if (asset.isVideo) VideoControls(videoPlayerName: asset.heroTag),
+                      if (!isReadonlyModeEnabled)
+                        Row(mainAxisAlignment: MainAxisAlignment.spaceEvenly, children: actions),
+                    ],
                   ),
                 ),
               ),

mobile/lib/presentation/widgets/images/animated_image_stream_completer.dart

@@ -3,24 +3,21 @@ import 'dart:ui' as ui;
 
 import 'package:flutter/foundation.dart' show InformationCollector;
 import 'package:flutter/painting.dart';
+import 'package:immich_mobile/presentation/widgets/images/cache_aware_listener_tracker.mixin.dart';
 
 /// A [MultiFrameImageStreamCompleter] with support for listener tracking
 /// which makes resource cleanup possible when no longer needed.
 /// Codec is disposed through the MultiFrameImageStreamCompleter's internals onDispose method
-class AnimatedImageStreamCompleter extends MultiFrameImageStreamCompleter {
-  void Function()? _onLastListenerRemoved;
-  int _listenerCount = 0;
-  // True once any image or the codec has been provided.
-  // Until then the image cache holds one listener, so "last real listener gone"
-  // is _listenerCount == 1, not 0.
-  bool didProvideImage = false;
-
+class AnimatedImageStreamCompleter extends MultiFrameImageStreamCompleter with CacheAwareListenerTrackerMixin {
   AnimatedImageStreamCompleter._({
     required super.codec,
     required super.scale,
+    required bool hadInitialImage,
     super.informationCollector,
     void Function()? onLastListenerRemoved,
-  }) : _onLastListenerRemoved = onLastListenerRemoved;
+  }) {
+    setupListenerTracking(hadInitialImage: hadInitialImage, onLastListenerRemoved: onLastListenerRemoved);
+  }
 
   factory AnimatedImageStreamCompleter({
     required Stream<Object> stream,
@@ -33,23 +30,21 @@ class AnimatedImageStreamCompleter extends MultiFrameImageStreamCompleter {
     final self = AnimatedImageStreamCompleter._(
       codec: codecCompleter.future,
       scale: scale,
+      hadInitialImage: initialImage != null,
       informationCollector: informationCollector,
       onLastListenerRemoved: onLastListenerRemoved,
     );
 
     if (initialImage != null) {
-      self.didProvideImage = true;
       self.setImage(initialImage);
     }
 
     stream.listen(
       (item) {
         if (item is ImageInfo) {
-          self.didProvideImage = true;
           self.setImage(item);
         } else if (item is ui.Codec) {
           if (!codecCompleter.isCompleted) {
-            self.didProvideImage = true;
             codecCompleter.complete(item);
           }
         }
@@ -70,27 +65,4 @@ class AnimatedImageStreamCompleter extends MultiFrameImageStreamCompleter {
 
     return self;
   }
-
-  @override
-  void addListener(ImageStreamListener listener) {
-    super.addListener(listener);
-    _listenerCount++;
-  }
-
-  @override
-  void removeListener(ImageStreamListener listener) {
-    super.removeListener(listener);
-    _listenerCount--;
-
-    final bool onlyCacheListenerLeft = _listenerCount == 1 && !didProvideImage;
-    final bool noListenersAfterCodec = _listenerCount == 0 && didProvideImage;
-
-    if (onlyCacheListenerLeft || noListenersAfterCodec) {
-      final onLastListenerRemoved = _onLastListenerRemoved;
-      if (onLastListenerRemoved != null) {
-        _onLastListenerRemoved = null;
-        onLastListenerRemoved();
-      }
-    }
-  }
 }

mobile/lib/presentation/widgets/images/cache_aware_listener_tracker.mixin.dart

@@ -0,0 +1,84 @@
+import 'package:flutter/painting.dart';
+
+/// Tracks listeners on an [ImageStreamCompleter] to safely cancel in-flight
+/// network requests without interfering with [ImageCache] internals.
+///
+/// ### Problem
+/// Cancelling fetches when the listener count drops to 1 (cache only) or 0
+/// is unsafe due to three framework behaviours:
+///
+/// 1. **Memory-pressure eviction** — `ImageCache.clear()` removes the cache
+///    listener while UI widgets still need the image. A count-based check
+///    would cancel the active fetch, leaving the UI with no image.
+/// 2. **Synchronous detach during `putIfAbsent`** — When an `initialImage`
+///    is provided, the cache attaches, receives the frame, and detaches
+///    synchronously *before* the UI widget can attach. Count reaches 0 and
+///    would trigger a false cancel.
+/// 3. **Listener misidentification** — After the cache detaches (via 1 or 2),
+///    the next UI listener could be mistaken for the cache listener, causing
+///    incorrect cancellations when that widget is disposed.
+///
+/// ### Solution: First-Listener Heuristic
+/// The cache is always the first listener attached (via `putIfAbsent`). This
+/// mixin records that identity once and uses it for all subsequent decisions:
+///
+/// * **Identity locking** — The first listener is assumed to be the cache.
+///   Once identified, `_hasIdentifiedCacheListener` prevents reassignment.
+/// * **Targeted cancellation** — Cancel only when the identified cache
+///   listener is the sole remaining listener and no image has been delivered.
+/// * **Sync-removal bypass** — When `hadInitialImage` is set, the first
+///   synchronous removal of the cache listener is ignored so the fetch
+///   survives until the UI attaches.
+mixin CacheAwareListenerTrackerMixin on ImageStreamCompleter {
+  void Function()? _onLastListenerRemoved;
+  int _listenerCount = 0;
+  bool _hadInitialImage = false;
+  bool _hasIgnoredFirstSyncRemoval = false;
+  ImageStreamListener? _cacheListener;
+  bool _hasIdentifiedCacheListener = false;
+
+  /// Initializes the tracking state. Must be called in the subclass constructor.
+  void setupListenerTracking({required bool hadInitialImage, void Function()? onLastListenerRemoved}) {
+    _hadInitialImage = hadInitialImage;
+    _onLastListenerRemoved = onLastListenerRemoved;
+  }
+
+  @override
+  void addListener(ImageStreamListener listener) {
+    if (!_hasIdentifiedCacheListener) {
+      _hasIdentifiedCacheListener = true;
+      _cacheListener = listener;
+    }
+
+    _listenerCount++;
+    super.addListener(listener);
+  }
+
+  @override
+  void removeListener(ImageStreamListener listener) {
+    super.removeListener(listener);
+    _listenerCount--;
+
+    final bool isCacheListener = listener == _cacheListener;
+    if (isCacheListener) {
+      _cacheListener = null;
+    }
+
+    if (_hadInitialImage && !_hasIgnoredFirstSyncRemoval && isCacheListener) {
+      _hasIgnoredFirstSyncRemoval = true;
+      return;
+    }
+
+    final bool onlyCacheListenerLeft = _listenerCount == 1 && _cacheListener != null;
+
+    final bool completelyAbandoned = _listenerCount == 0;
+
+    if (onlyCacheListenerLeft || completelyAbandoned) {
+      final onLastListenerRemoved = _onLastListenerRemoved;
+      if (onLastListenerRemoved != null) {
+        _onLastListenerRemoved = null;
+        onLastListenerRemoved();
+      }
+    }
+  }
+}

mobile/lib/presentation/widgets/images/one_frame_multi_image_stream_completer.dart

@@ -6,14 +6,10 @@ import 'dart:async';
 
 import 'package:flutter/foundation.dart';
 import 'package:flutter/painting.dart';
+import 'package:immich_mobile/presentation/widgets/images/cache_aware_listener_tracker.mixin.dart';
 
 /// An ImageStreamCompleter with support for loading multiple images.
-class OneFramePlaceholderImageStreamCompleter extends ImageStreamCompleter {
-  void Function()? _onLastListenerRemoved;
-  int _listenerCount = 0;
-  // True once setImage() has been called at least once.
-  bool didProvideImage = false;
-
+class OneFramePlaceholderImageStreamCompleter extends ImageStreamCompleter with CacheAwareListenerTrackerMixin {
   /// The constructor to create an OneFramePlaceholderImageStreamCompleter. The [images]
   /// should be the primary images to display (typically asynchronously as they load).
   /// The [initialImage] is an optional image that will be emitted synchronously
@@ -24,14 +20,14 @@ class OneFramePlaceholderImageStreamCompleter extends ImageStreamCompleter {
     InformationCollector? informationCollector,
     void Function()? onLastListenerRemoved,
   }) {
+    setupListenerTracking(hadInitialImage: initialImage != null, onLastListenerRemoved: onLastListenerRemoved);
+
     if (initialImage != null) {
-      didProvideImage = true;
       setImage(initialImage);
     }
-    _onLastListenerRemoved = onLastListenerRemoved;
+
     images.listen(
       (image) {
-        didProvideImage = true;
         setImage(image);
       },
       onError: (Object error, StackTrace stack) {
@@ -45,26 +41,4 @@ class OneFramePlaceholderImageStreamCompleter extends ImageStreamCompleter {
       },
     );
   }
-
-  @override
-  void addListener(ImageStreamListener listener) {
-    super.addListener(listener);
-    _listenerCount = _listenerCount + 1;
-  }
-
-  @override
-  void removeListener(ImageStreamListener listener) {
-    super.removeListener(listener);
-    _listenerCount = _listenerCount - 1;
-
-    final bool onlyCacheListenerLeft = _listenerCount == 1 && !didProvideImage;
-    final bool noListenersAfterImage = _listenerCount == 0 && didProvideImage;
-
-    final onLastListenerRemoved = _onLastListenerRemoved;
-
-    if (onLastListenerRemoved != null && (noListenersAfterImage || onlyCacheListenerLeft)) {
-      _onLastListenerRemoved = null;
-      onLastListenerRemoved();
-    }
-  }
 }

mobile/lib/services/download.service.dart

@@ -109,7 +109,7 @@ class DownloadService {
       return result != null;
     } on PlatformException catch (error, stack) {
       // Handle saving MotionPhotos on iOS
-      if (error.code == 'PHPhotosErrorDomain (-1)') {
+      if (error.code.startsWith('PHPhotosErrorDomain')) {
         final result = await _fileMediaRepository.saveImageWithFile(imageFilePath, title: task.filename);
         return result != null;
       }

mobile/lib/theme/dynamic_theme.dart

@@ -19,8 +19,16 @@ abstract final class DynamicTheme {
         // Some palettes do not generate surface container colors accurately,
         // so we regenerate all colors using the primary color
         _theme = ImmichTheme(
-          light: ColorScheme.fromSeed(seedColor: primaryColor, brightness: Brightness.light),
-          dark: ColorScheme.fromSeed(seedColor: primaryColor, brightness: Brightness.dark),
+          light: ColorScheme.fromSeed(
+            seedColor: primaryColor,
+            brightness: Brightness.light,
+            dynamicSchemeVariant: DynamicSchemeVariant.fidelity,
+          ),
+          dark: ColorScheme.fromSeed(
+            seedColor: primaryColor,
+            brightness: Brightness.dark,
+            dynamicSchemeVariant: DynamicSchemeVariant.fidelity,
+          ),
         );
       }
     } catch (error) {

mobile/lib/theme/theme_data.dart

@@ -62,6 +62,7 @@ ThemeData getThemeData({required ColorScheme colorScheme, required Locale locale
     ),
     chipTheme: const ChipThemeData(side: BorderSide.none),
     sliderTheme: const SliderThemeData(
+      trackHeight: 12,
       // ignore: deprecated_member_use
       year2023: false,
     ),

mobile/lib/widgets/asset_viewer/video_controls.dart

@@ -66,9 +66,9 @@ class VideoControls extends HookConsumerWidget {
     final isLoaded = duration != Duration.zero;
 
     return Padding(
-      padding: const EdgeInsets.all(24),
+      padding: const EdgeInsets.only(left: 16, right: 16, bottom: 12),
       child: Column(
-        spacing: 16,
+        spacing: 4,
         children: [
           Row(
             children: [
@@ -77,8 +77,8 @@ class VideoControls extends HookConsumerWidget {
                 padding: const EdgeInsets.all(12),
                 constraints: const BoxConstraints(),
                 icon: isFinished
-                    ? const Icon(Icons.replay, color: Colors.white, size: 32, shadows: _controlShadows)
-                    : AnimatedPlayPause(color: Colors.white, size: 32, playing: isPlaying, shadows: _controlShadows),
+                    ? const Icon(Icons.replay, color: Colors.white, shadows: _controlShadows)
+                    : AnimatedPlayPause(color: Colors.white, playing: isPlaying, shadows: _controlShadows),
                 onPressed: () => _toggle(ref, isCasting),
               ),
               const Spacer(),
@@ -91,7 +91,7 @@ class VideoControls extends HookConsumerWidget {
                   shadows: _controlShadows,
                 ),
               ),
-              const SizedBox(width: 16),
+              const SizedBox(width: 12),
             ],
           ),
           Slider(

mobile/openapi/README.md

@@ -156,6 +156,7 @@ Class | Method | HTTP request | Description
 *DuplicatesApi* | [**deleteDuplicate**](doc//DuplicatesApi.md#deleteduplicate) | **DELETE** /duplicates/{id} | Delete a duplicate
 *DuplicatesApi* | [**deleteDuplicates**](doc//DuplicatesApi.md#deleteduplicates) | **DELETE** /duplicates | Delete duplicates
 *DuplicatesApi* | [**getAssetDuplicates**](doc//DuplicatesApi.md#getassetduplicates) | **GET** /duplicates | Retrieve duplicates
+*DuplicatesApi* | [**resolveDuplicates**](doc//DuplicatesApi.md#resolveduplicates) | **POST** /duplicates/resolve | Resolve duplicate groups
 *FacesApi* | [**createFace**](doc//FacesApi.md#createface) | **POST** /faces | Create a face
 *FacesApi* | [**deleteFace**](doc//FacesApi.md#deleteface) | **DELETE** /faces/{id} | Delete a face
 *FacesApi* | [**getFaces**](doc//FacesApi.md#getfaces) | **GET** /faces | Retrieve faces for asset
@@ -422,6 +423,8 @@ Class | Method | HTTP request | Description
  - [DownloadResponseDto](doc//DownloadResponseDto.md)
  - [DownloadUpdate](doc//DownloadUpdate.md)
  - [DuplicateDetectionConfig](doc//DuplicateDetectionConfig.md)
+ - [DuplicateResolveDto](doc//DuplicateResolveDto.md)
+ - [DuplicateResolveGroupDto](doc//DuplicateResolveGroupDto.md)
  - [DuplicateResponseDto](doc//DuplicateResponseDto.md)
  - [EmailNotificationsResponse](doc//EmailNotificationsResponse.md)
  - [EmailNotificationsUpdate](doc//EmailNotificationsUpdate.md)

mobile/openapi/lib/api.dart

@@ -161,6 +161,8 @@ part 'model/download_response.dart';
 part 'model/download_response_dto.dart';
 part 'model/download_update.dart';
 part 'model/duplicate_detection_config.dart';
+part 'model/duplicate_resolve_dto.dart';
+part 'model/duplicate_resolve_group_dto.dart';
 part 'model/duplicate_response_dto.dart';
 part 'model/email_notifications_response.dart';
 part 'model/email_notifications_update.dart';

mobile/openapi/lib/api/duplicates_api.dart

@@ -163,4 +163,63 @@ class DuplicatesApi {
     }
     return null;
   }
+
+  /// Resolve duplicate groups
+  ///
+  /// Resolve duplicate groups by synchronizing metadata across assets and deleting/trashing duplicates.
+  ///
+  /// Note: This method returns the HTTP [Response].
+  ///
+  /// Parameters:
+  ///
+  /// * [DuplicateResolveDto] duplicateResolveDto (required):
+  Future<Response> resolveDuplicatesWithHttpInfo(DuplicateResolveDto duplicateResolveDto,) async {
+    // ignore: prefer_const_declarations
+    final apiPath = r'/duplicates/resolve';
+
+    // ignore: prefer_final_locals
+    Object? postBody = duplicateResolveDto;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>['application/json'];
+
+
+    return apiClient.invokeAPI(
+      apiPath,
+      'POST',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  /// Resolve duplicate groups
+  ///
+  /// Resolve duplicate groups by synchronizing metadata across assets and deleting/trashing duplicates.
+  ///
+  /// Parameters:
+  ///
+  /// * [DuplicateResolveDto] duplicateResolveDto (required):
+  Future<List<BulkIdResponseDto>?> resolveDuplicates(DuplicateResolveDto duplicateResolveDto,) async {
+    final response = await resolveDuplicatesWithHttpInfo(duplicateResolveDto,);
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+    // When a remote server returns no body with a status of 204, we shall not decode it.
+    // At the time of writing this, `dart:convert` will throw an "Unexpected end of input"
+    // FormatException when trying to decode an empty string.
+    if (response.body.isNotEmpty && response.statusCode != HttpStatus.noContent) {
+      final responseBody = await _decodeBodyBytes(response);
+      return (await apiClient.deserializeAsync(responseBody, 'List<BulkIdResponseDto>') as List)
+        .cast<BulkIdResponseDto>()
+        .toList(growable: false);
+
+    }
+    return null;
+  }
 }

mobile/openapi/lib/api_client.dart

@@ -368,6 +368,10 @@ class ApiClient {
           return DownloadUpdate.fromJson(value);
         case 'DuplicateDetectionConfig':
           return DuplicateDetectionConfig.fromJson(value);
+        case 'DuplicateResolveDto':
+          return DuplicateResolveDto.fromJson(value);
+        case 'DuplicateResolveGroupDto':
+          return DuplicateResolveGroupDto.fromJson(value);
         case 'DuplicateResponseDto':
           return DuplicateResponseDto.fromJson(value);
         case 'EmailNotificationsResponse':

mobile/openapi/lib/model/bulk_id_error_reason.dart

@@ -27,6 +27,7 @@ class BulkIdErrorReason {
   static const noPermission = BulkIdErrorReason._(r'no_permission');
   static const notFound = BulkIdErrorReason._(r'not_found');
   static const unknown = BulkIdErrorReason._(r'unknown');
+  static const validation = BulkIdErrorReason._(r'validation');
 
   /// List of all possible values in this [enum][BulkIdErrorReason].
   static const values = <BulkIdErrorReason>[
@@ -34,6 +35,7 @@ class BulkIdErrorReason {
     noPermission,
     notFound,
     unknown,
+    validation,
   ];
 
   static BulkIdErrorReason? fromJson(dynamic value) => BulkIdErrorReasonTypeTransformer().decode(value);
@@ -76,6 +78,7 @@ class BulkIdErrorReasonTypeTransformer {
         case r'no_permission': return BulkIdErrorReason.noPermission;
         case r'not_found': return BulkIdErrorReason.notFound;
         case r'unknown': return BulkIdErrorReason.unknown;
+        case r'validation': return BulkIdErrorReason.validation;
         default:
           if (!allowNull) {
             throw ArgumentError('Unknown enum value to decode: $data');

mobile/openapi/lib/model/bulk_id_response_dto.dart

@@ -14,6 +14,7 @@ class BulkIdResponseDto {
   /// Returns a new [BulkIdResponseDto] instance.
   BulkIdResponseDto({
     this.error,
+    this.errorMessage,
     required this.id,
     required this.success,
   });
@@ -21,6 +22,14 @@ class BulkIdResponseDto {
   /// Error reason if failed
   BulkIdResponseDtoErrorEnum? error;
 
+  ///
+  /// Please note: This property should have been non-nullable! Since the specification file
+  /// does not include a default value (using the "default:" property), however, the generated
+  /// source code must fall back to having a nullable type.
+  /// Consider adding a "default:" property in the specification file to hide this note.
+  ///
+  String? errorMessage;
+
   /// ID
   String id;
 
@@ -30,6 +39,7 @@ class BulkIdResponseDto {
   @override
   bool operator ==(Object other) => identical(this, other) || other is BulkIdResponseDto &&
     other.error == error &&
+    other.errorMessage == errorMessage &&
     other.id == id &&
     other.success == success;
 
@@ -37,11 +47,12 @@ class BulkIdResponseDto {
   int get hashCode =>
     // ignore: unnecessary_parenthesis
     (error == null ? 0 : error!.hashCode) +
+    (errorMessage == null ? 0 : errorMessage!.hashCode) +
     (id.hashCode) +
     (success.hashCode);
 
   @override
-  String toString() => 'BulkIdResponseDto[error=$error, id=$id, success=$success]';
+  String toString() => 'BulkIdResponseDto[error=$error, errorMessage=$errorMessage, id=$id, success=$success]';
 
   Map<String, dynamic> toJson() {
     final json = <String, dynamic>{};
@@ -49,6 +60,11 @@ class BulkIdResponseDto {
       json[r'error'] = this.error;
     } else {
     //  json[r'error'] = null;
+    }
+    if (this.errorMessage != null) {
+      json[r'errorMessage'] = this.errorMessage;
+    } else {
+    //  json[r'errorMessage'] = null;
     }
       json[r'id'] = this.id;
       json[r'success'] = this.success;
@@ -65,6 +81,7 @@ class BulkIdResponseDto {
 
       return BulkIdResponseDto(
         error: BulkIdResponseDtoErrorEnum.fromJson(json[r'error']),
+        errorMessage: mapValueOfType<String>(json, r'errorMessage'),
         id: mapValueOfType<String>(json, r'id')!,
         success: mapValueOfType<bool>(json, r'success')!,
       );
@@ -136,6 +153,7 @@ class BulkIdResponseDtoErrorEnum {
   static const noPermission = BulkIdResponseDtoErrorEnum._(r'no_permission');
   static const notFound = BulkIdResponseDtoErrorEnum._(r'not_found');
   static const unknown = BulkIdResponseDtoErrorEnum._(r'unknown');
+  static const validation = BulkIdResponseDtoErrorEnum._(r'validation');
 
   /// List of all possible values in this [enum][BulkIdResponseDtoErrorEnum].
   static const values = <BulkIdResponseDtoErrorEnum>[
@@ -143,6 +161,7 @@ class BulkIdResponseDtoErrorEnum {
     noPermission,
     notFound,
     unknown,
+    validation,
   ];
 
   static BulkIdResponseDtoErrorEnum? fromJson(dynamic value) => BulkIdResponseDtoErrorEnumTypeTransformer().decode(value);
@@ -185,6 +204,7 @@ class BulkIdResponseDtoErrorEnumTypeTransformer {
         case r'no_permission': return BulkIdResponseDtoErrorEnum.noPermission;
         case r'not_found': return BulkIdResponseDtoErrorEnum.notFound;
         case r'unknown': return BulkIdResponseDtoErrorEnum.unknown;
+        case r'validation': return BulkIdResponseDtoErrorEnum.validation;
         default:
           if (!allowNull) {
             throw ArgumentError('Unknown enum value to decode: $data');

mobile/openapi/lib/model/duplicate_resolve_dto.dart

@@ -0,0 +1,100 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.18
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+part of openapi.api;
+
+class DuplicateResolveDto {
+  /// Returns a new [DuplicateResolveDto] instance.
+  DuplicateResolveDto({
+    this.groups = const [],
+  });
+
+  /// List of duplicate groups to resolve
+  List<DuplicateResolveGroupDto> groups;
+
+  @override
+  bool operator ==(Object other) => identical(this, other) || other is DuplicateResolveDto &&
+    _deepEquality.equals(other.groups, groups);
+
+  @override
+  int get hashCode =>
+    // ignore: unnecessary_parenthesis
+    (groups.hashCode);
+
+  @override
+  String toString() => 'DuplicateResolveDto[groups=$groups]';
+
+  Map<String, dynamic> toJson() {
+    final json = <String, dynamic>{};
+      json[r'groups'] = this.groups;
+    return json;
+  }
+
+  /// Returns a new [DuplicateResolveDto] instance and imports its values from
+  /// [value] if it's a [Map], null otherwise.
+  // ignore: prefer_constructors_over_static_methods
+  static DuplicateResolveDto? fromJson(dynamic value) {
+    upgradeDto(value, "DuplicateResolveDto");
+    if (value is Map) {
+      final json = value.cast<String, dynamic>();
+
+      return DuplicateResolveDto(
+        groups: DuplicateResolveGroupDto.listFromJson(json[r'groups']),
+      );
+    }
+    return null;
+  }
+
+  static List<DuplicateResolveDto> listFromJson(dynamic json, {bool growable = false,}) {
+    final result = <DuplicateResolveDto>[];
+    if (json is List && json.isNotEmpty) {
+      for (final row in json) {
+        final value = DuplicateResolveDto.fromJson(row);
+        if (value != null) {
+          result.add(value);
+        }
+      }
+    }
+    return result.toList(growable: growable);
+  }
+
+  static Map<String, DuplicateResolveDto> mapFromJson(dynamic json) {
+    final map = <String, DuplicateResolveDto>{};
+    if (json is Map && json.isNotEmpty) {
+      json = json.cast<String, dynamic>(); // ignore: parameter_assignments
+      for (final entry in json.entries) {
+        final value = DuplicateResolveDto.fromJson(entry.value);
+        if (value != null) {
+          map[entry.key] = value;
+        }
+      }
+    }
+    return map;
+  }
+
+  // maps a json object with a list of DuplicateResolveDto-objects as value to a dart map
+  static Map<String, List<DuplicateResolveDto>> mapListFromJson(dynamic json, {bool growable = false,}) {
+    final map = <String, List<DuplicateResolveDto>>{};
+    if (json is Map && json.isNotEmpty) {
+      // ignore: parameter_assignments
+      json = json.cast<String, dynamic>();
+      for (final entry in json.entries) {
+        map[entry.key] = DuplicateResolveDto.listFromJson(entry.value, growable: growable,);
+      }
+    }
+    return map;
+  }
+
+  /// The list of required keys that must be present in a JSON.
+  static const requiredKeys = <String>{
+    'groups',
+  };
+}
+

mobile/openapi/lib/model/duplicate_resolve_group_dto.dart

@@ -0,0 +1,121 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.18
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+part of openapi.api;
+
+class DuplicateResolveGroupDto {
+  /// Returns a new [DuplicateResolveGroupDto] instance.
+  DuplicateResolveGroupDto({
+    required this.duplicateId,
+    this.keepAssetIds = const [],
+    this.trashAssetIds = const [],
+  });
+
+  String duplicateId;
+
+  /// Asset IDs to keep
+  List<String> keepAssetIds;
+
+  /// Asset IDs to trash or delete
+  List<String> trashAssetIds;
+
+  @override
+  bool operator ==(Object other) => identical(this, other) || other is DuplicateResolveGroupDto &&
+    other.duplicateId == duplicateId &&
+    _deepEquality.equals(other.keepAssetIds, keepAssetIds) &&
+    _deepEquality.equals(other.trashAssetIds, trashAssetIds);
+
+  @override
+  int get hashCode =>
+    // ignore: unnecessary_parenthesis
+    (duplicateId.hashCode) +
+    (keepAssetIds.hashCode) +
+    (trashAssetIds.hashCode);
+
+  @override
+  String toString() => 'DuplicateResolveGroupDto[duplicateId=$duplicateId, keepAssetIds=$keepAssetIds, trashAssetIds=$trashAssetIds]';
+
+  Map<String, dynamic> toJson() {
+    final json = <String, dynamic>{};
+      json[r'duplicateId'] = this.duplicateId;
+      json[r'keepAssetIds'] = this.keepAssetIds;
+      json[r'trashAssetIds'] = this.trashAssetIds;
+    return json;
+  }
+
+  /// Returns a new [DuplicateResolveGroupDto] instance and imports its values from
+  /// [value] if it's a [Map], null otherwise.
+  // ignore: prefer_constructors_over_static_methods
+  static DuplicateResolveGroupDto? fromJson(dynamic value) {
+    upgradeDto(value, "DuplicateResolveGroupDto");
+    if (value is Map) {
+      final json = value.cast<String, dynamic>();
+
+      return DuplicateResolveGroupDto(
+        duplicateId: mapValueOfType<String>(json, r'duplicateId')!,
+        keepAssetIds: json[r'keepAssetIds'] is Iterable
+            ? (json[r'keepAssetIds'] as Iterable).cast<String>().toList(growable: false)
+            : const [],
+        trashAssetIds: json[r'trashAssetIds'] is Iterable
+            ? (json[r'trashAssetIds'] as Iterable).cast<String>().toList(growable: false)
+            : const [],
+      );
+    }
+    return null;
+  }
+
+  static List<DuplicateResolveGroupDto> listFromJson(dynamic json, {bool growable = false,}) {
+    final result = <DuplicateResolveGroupDto>[];
+    if (json is List && json.isNotEmpty) {
+      for (final row in json) {
+        final value = DuplicateResolveGroupDto.fromJson(row);
+        if (value != null) {
+          result.add(value);
+        }
+      }
+    }
+    return result.toList(growable: growable);
+  }
+
+  static Map<String, DuplicateResolveGroupDto> mapFromJson(dynamic json) {
+    final map = <String, DuplicateResolveGroupDto>{};
+    if (json is Map && json.isNotEmpty) {
+      json = json.cast<String, dynamic>(); // ignore: parameter_assignments
+      for (final entry in json.entries) {
+        final value = DuplicateResolveGroupDto.fromJson(entry.value);
+        if (value != null) {
+          map[entry.key] = value;
+        }
+      }
+    }
+    return map;
+  }
+
+  // maps a json object with a list of DuplicateResolveGroupDto-objects as value to a dart map
+  static Map<String, List<DuplicateResolveGroupDto>> mapListFromJson(dynamic json, {bool growable = false,}) {
+    final map = <String, List<DuplicateResolveGroupDto>>{};
+    if (json is Map && json.isNotEmpty) {
+      // ignore: parameter_assignments
+      json = json.cast<String, dynamic>();
+      for (final entry in json.entries) {
+        map[entry.key] = DuplicateResolveGroupDto.listFromJson(entry.value, growable: growable,);
+      }
+    }
+    return map;
+  }
+
+  /// The list of required keys that must be present in a JSON.
+  static const requiredKeys = <String>{
+    'duplicateId',
+    'keepAssetIds',
+    'trashAssetIds',
+  };
+}
+

mobile/openapi/lib/model/duplicate_response_dto.dart

@@ -15,6 +15,7 @@ class DuplicateResponseDto {
   DuplicateResponseDto({
     this.assets = const [],
     required this.duplicateId,
+    this.suggestedKeepAssetIds = const [],
   });
 
   /// Duplicate assets
@@ -23,24 +24,30 @@ class DuplicateResponseDto {
   /// Duplicate group ID
   String duplicateId;
 
+  /// Suggested asset IDs to keep based on file size and EXIF data
+  List<String> suggestedKeepAssetIds;
+
   @override
   bool operator ==(Object other) => identical(this, other) || other is DuplicateResponseDto &&
     _deepEquality.equals(other.assets, assets) &&
-    other.duplicateId == duplicateId;
+    other.duplicateId == duplicateId &&
+    _deepEquality.equals(other.suggestedKeepAssetIds, suggestedKeepAssetIds);
 
   @override
   int get hashCode =>
     // ignore: unnecessary_parenthesis
     (assets.hashCode) +
-    (duplicateId.hashCode);
+    (duplicateId.hashCode) +
+    (suggestedKeepAssetIds.hashCode);
 
   @override
-  String toString() => 'DuplicateResponseDto[assets=$assets, duplicateId=$duplicateId]';
+  String toString() => 'DuplicateResponseDto[assets=$assets, duplicateId=$duplicateId, suggestedKeepAssetIds=$suggestedKeepAssetIds]';
 
   Map<String, dynamic> toJson() {
     final json = <String, dynamic>{};
       json[r'assets'] = this.assets;
       json[r'duplicateId'] = this.duplicateId;
+      json[r'suggestedKeepAssetIds'] = this.suggestedKeepAssetIds;
     return json;
   }
 
@@ -55,6 +62,9 @@ class DuplicateResponseDto {
       return DuplicateResponseDto(
         assets: AssetResponseDto.listFromJson(json[r'assets']),
         duplicateId: mapValueOfType<String>(json, r'duplicateId')!,
+        suggestedKeepAssetIds: json[r'suggestedKeepAssetIds'] is Iterable
+            ? (json[r'suggestedKeepAssetIds'] as Iterable).cast<String>().toList(growable: false)
+            : const [],
       );
     }
     return null;
@@ -104,6 +114,7 @@ class DuplicateResponseDto {
   static const requiredKeys = <String>{
     'assets',
     'duplicateId',
+    'suggestedKeepAssetIds',
   };
 }
 

mobile/test/presentation/widgets/images/cache_aware_listener_tracker_mixin_test.dart

@@ -0,0 +1,183 @@
+import 'dart:ui' as ui;
+
+import 'package:flutter/painting.dart';
+import 'package:flutter_test/flutter_test.dart';
+import 'package:immich_mobile/presentation/widgets/images/cache_aware_listener_tracker.mixin.dart';
+
+class TestImageCompleter extends ImageStreamCompleter with CacheAwareListenerTrackerMixin {
+  bool wasCancelled = false;
+
+  TestImageCompleter({required bool hadInitialImage}) {
+    setupListenerTracking(
+      hadInitialImage: hadInitialImage,
+      onLastListenerRemoved: () {
+        wasCancelled = true;
+      },
+    );
+  }
+
+  @override
+  void setImage(ImageInfo image) {
+    super.setImage(image);
+  }
+}
+
+void main() {
+  late ImageCache cache;
+  late ImageStreamListener uiListener;
+
+  setUp(() {
+    // Create a fresh, real Flutter ImageCache for every test
+    cache = ImageCache();
+    uiListener = ImageStreamListener((_, __) {});
+  });
+
+  group('CacheAwareListenerTrackerMixin with Real ImageCache', () {
+
+    testWidgets('cancels fetch when UI detaches before completion', (WidgetTester tester) async {
+      final completer = TestImageCompleter(hadInitialImage: false);
+      final key = Object();
+
+      // 1. Request image from the real cache (simulating the provider)
+      final stream = cache.putIfAbsent(key, () => completer)!;
+
+      // 2. UI attaches
+      stream.addListener(uiListener);
+      expect(completer.wasCancelled, isFalse);
+
+      // 3. Simulate asynchronous network delay...
+      await tester.pump(const Duration(milliseconds: 150));
+
+      // 4. User scrolls away before network finishes. UI detaches.
+      stream.removeListener(uiListener);
+
+      expect(completer.wasCancelled, isTrue);
+    });
+
+    testWidgets('survives cache eviction while UI listener is still attached', (WidgetTester tester) async {
+      final completer = TestImageCompleter(hadInitialImage: false);
+      final key = Object();
+
+      // 1. Request image and attach UI
+      final stream = cache.putIfAbsent(key, () => completer)!;
+      stream.addListener(uiListener);
+
+      // 2. Simulate app going to background -> OS Memory Warning -> Cache clears
+      cache.clear();
+
+      // Even though the real cache just aggressively detached its listener,
+      // the stream MUST survive because the UI widget is still on screen!
+      expect(completer.wasCancelled, isFalse);
+
+      // 3. UI widget finally detaches
+      stream.removeListener(uiListener);
+      expect(completer.wasCancelled, isTrue);
+    });
+
+    testWidgets('survives synchronous cache detach during putIfAbsent with initialImage', (WidgetTester tester) async {
+      final completer = TestImageCompleter(hadInitialImage: true);
+      final key = Object();
+
+      // Run image creation outside FakeAsync zone to avoid hang
+      late ui.Image dummyImage;
+      await tester.runAsync(() async {
+        dummyImage = await createTestImage(width: 1, height: 1);
+      });
+
+      final initialImageInfo = ImageInfo(image: dummyImage);
+
+      final stream = cache.putIfAbsent(key, () {
+        completer.setImage(initialImageInfo);
+        return completer;
+      })!;
+
+      expect(completer.wasCancelled, isFalse);
+
+      stream.addListener(uiListener);
+      expect(completer.wasCancelled, isFalse);
+
+      stream.removeListener(uiListener);
+      expect(completer.wasCancelled, isTrue);
+    });
+
+    testWidgets('fires cleanup on full abandonment even after successful fetch', (WidgetTester tester) async {
+      final completer = TestImageCompleter(hadInitialImage: false);
+      final key = Object();
+
+      final stream = cache.putIfAbsent(key, () => completer)!;
+      stream.addListener(uiListener);
+
+      await tester.pump(const Duration(milliseconds: 100));
+
+      // Run image creation outside FakeAsync zone to avoid hang
+      late ui.Image dummyImage;
+      await tester.runAsync(() async {
+        dummyImage = await createTestImage(width: 1, height: 1);
+      });
+
+      completer.setImage(ImageInfo(image: dummyImage));
+
+      stream.removeListener(uiListener);
+
+      // The stream is completely abandoned (0 listeners), so it fires the cleanup hook.
+      // Since the image is already downloaded, canceling the network token is a safe no-op.
+      expect(completer.wasCancelled, isTrue);
+    });
+
+    testWidgets('Multiple UI listeners — only all detached, should cancel', (WidgetTester tester) async {
+      final completer = TestImageCompleter(hadInitialImage: false);
+      final key = Object();
+
+      final stream = cache.putIfAbsent(key, () => completer)!;
+
+      final uiListener2 = ImageStreamListener((_, __) {});
+      stream.addListener(uiListener);
+      stream.addListener(uiListener2);
+
+      // First UI detach leaves cache + one UI → no cancel
+      stream.removeListener(uiListener);
+      expect(completer.wasCancelled, isFalse);
+
+      // Second UI detach leaves only cache → cancel
+      stream.removeListener(uiListener2);
+      expect(completer.wasCancelled, isTrue);
+    });
+
+    testWidgets('Listener misidentification: new listener after cache eviction is not treated as cache', (WidgetTester tester) async {
+      final completer = TestImageCompleter(hadInitialImage: false);
+      final key = Object();
+
+      final stream = cache.putIfAbsent(key, () => completer)!;
+
+      // UI attaches
+      stream.addListener(uiListener);
+
+      // Cache eviction removes the cache listener
+      cache.clear();
+      expect(completer.wasCancelled, isFalse);
+
+      // A second UI listener attaches — must NOT be treated as cache
+      final uiListener2 = ImageStreamListener((_, __) {});
+      stream.addListener(uiListener2);
+
+      // Remove first UI listener; second UI still active → no cancel
+      stream.removeListener(uiListener);
+      expect(completer.wasCancelled, isFalse);
+
+      // Remove second UI listener; completely abandoned → cancel
+      stream.removeListener(uiListener2);
+      expect(completer.wasCancelled, isTrue);
+    });
+
+    testWidgets('No UI listener ever attaches (cache-only) — cache detaches should cancel', (WidgetTester tester) async {
+      final completer = TestImageCompleter(hadInitialImage: false);
+      final key = Object();
+
+      cache.putIfAbsent(key, () => completer);
+
+      // Cache eviction removes the only listener
+      cache.clear();
+      expect(completer.wasCancelled, isTrue);
+    });
+  });
+}

open-api/immich-openapi-specs.json

@@ -5285,6 +5285,65 @@
         "x-immich-state": "Stable"
       }
     },
+    "/duplicates/resolve": {
+      "post": {
+        "description": "Resolve duplicate groups by synchronizing metadata across assets and deleting/trashing duplicates.",
+        "operationId": "resolveDuplicates",
+        "parameters": [],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/DuplicateResolveDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "items": {
+                    "$ref": "#/components/schemas/BulkIdResponseDto"
+                  },
+                  "type": "array"
+                }
+              }
+            },
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "summary": "Resolve duplicate groups",
+        "tags": [
+          "Duplicates"
+        ],
+        "x-immich-history": [
+          {
+            "version": "v3.0.0",
+            "state": "Added"
+          },
+          {
+            "version": "v3.0.0",
+            "state": "Alpha"
+          }
+        ],
+        "x-immich-permission": "duplicate.delete",
+        "x-immich-state": "Alpha"
+      }
+    },
     "/duplicates/{id}": {
       "delete": {
         "description": "Delete a single duplicate asset specified by its ID.",
@@ -17299,7 +17358,8 @@
           "duplicate",
           "no_permission",
           "not_found",
-          "unknown"
+          "unknown",
+          "validation"
         ],
         "type": "string"
       },
@@ -17311,10 +17371,14 @@
               "duplicate",
               "no_permission",
               "not_found",
-              "unknown"
+              "unknown",
+              "validation"
             ],
             "type": "string"
           },
+          "errorMessage": {
+            "type": "string"
+          },
           "id": {
             "description": "ID",
             "type": "string"
@@ -17828,6 +17892,52 @@
         ],
         "type": "object"
       },
+      "DuplicateResolveDto": {
+        "properties": {
+          "groups": {
+            "description": "List of duplicate groups to resolve",
+            "items": {
+              "$ref": "#/components/schemas/DuplicateResolveGroupDto"
+            },
+            "minItems": 1,
+            "type": "array"
+          }
+        },
+        "required": [
+          "groups"
+        ],
+        "type": "object"
+      },
+      "DuplicateResolveGroupDto": {
+        "properties": {
+          "duplicateId": {
+            "format": "uuid",
+            "type": "string"
+          },
+          "keepAssetIds": {
+            "description": "Asset IDs to keep",
+            "items": {
+              "format": "uuid",
+              "type": "string"
+            },
+            "type": "array"
+          },
+          "trashAssetIds": {
+            "description": "Asset IDs to trash or delete",
+            "items": {
+              "format": "uuid",
+              "type": "string"
+            },
+            "type": "array"
+          }
+        },
+        "required": [
+          "duplicateId",
+          "keepAssetIds",
+          "trashAssetIds"
+        ],
+        "type": "object"
+      },
       "DuplicateResponseDto": {
         "properties": {
           "assets": {
@@ -17840,11 +17950,20 @@
           "duplicateId": {
             "description": "Duplicate group ID",
             "type": "string"
+          },
+          "suggestedKeepAssetIds": {
+            "description": "Suggested asset IDs to keep based on file size and EXIF data",
+            "items": {
+              "format": "uuid",
+              "type": "string"
+            },
+            "type": "array"
           }
         },
         "required": [
           "assets",
-          "duplicateId"
+          "duplicateId",
+          "suggestedKeepAssetIds"
         ],
         "type": "object"
       },

open-api/typescript-sdk/.nvmrc

@@ -1 +1 @@
-24.13.1
+24.14.0

open-api/typescript-sdk/package.json

@@ -19,7 +19,7 @@
     "@oazapfts/runtime": "^1.0.2"
   },
   "devDependencies": {
-    "@types/node": "^24.11.0",
+    "@types/node": "^24.12.0",
     "typescript": "^5.3.3"
   },
   "repository": {
@@ -28,6 +28,6 @@
     "directory": "open-api/typescript-sdk"
   },
   "volta": {
-    "node": "24.13.1"
+    "node": "24.14.0"
   }
 }

open-api/typescript-sdk/src/fetch-client.ts

@@ -725,6 +725,7 @@ export type BulkIdsDto = {
 export type BulkIdResponseDto = {
     /** Error reason if failed */
     error?: Error;
+    errorMessage?: string;
     /** ID */
     id: string;
     /** Whether operation succeeded */
@@ -1163,6 +1164,19 @@ export type DuplicateResponseDto = {
     assets: AssetResponseDto[];
     /** Duplicate group ID */
     duplicateId: string;
+    /** Suggested asset IDs to keep based on file size and EXIF data */
+    suggestedKeepAssetIds: string[];
+};
+export type DuplicateResolveGroupDto = {
+    duplicateId: string;
+    /** Asset IDs to keep */
+    keepAssetIds: string[];
+    /** Asset IDs to trash or delete */
+    trashAssetIds: string[];
+};
+export type DuplicateResolveDto = {
+    /** List of duplicate groups to resolve */
+    groups: DuplicateResolveGroupDto[];
 };
 export type PersonResponseDto = {
     /** Person date of birth */
@@ -4531,6 +4545,21 @@ export function getAssetDuplicates(opts?: Oazapfts.RequestOpts) {
         ...opts
     }));
 }
+/**
+ * Resolve duplicate groups
+ */
+export function resolveDuplicates({ duplicateResolveDto }: {
+    duplicateResolveDto: DuplicateResolveDto;
+}, opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchJson<{
+        status: 200;
+        data: BulkIdResponseDto[];
+    }>("/duplicates/resolve", oazapfts.json({
+        ...opts,
+        method: "POST",
+        body: duplicateResolveDto
+    })));
+}
 /**
  * Delete a duplicate
  */
@@ -6893,13 +6922,15 @@ export enum BulkIdErrorReason {
     Duplicate = "duplicate",
     NoPermission = "no_permission",
     NotFound = "not_found",
-    Unknown = "unknown"
+    Unknown = "unknown",
+    Validation = "validation"
 }
 export enum Error {
     Duplicate = "duplicate",
     NoPermission = "no_permission",
     NotFound = "not_found",
-    Unknown = "unknown"
+    Unknown = "unknown",
+    Validation = "validation"
 }
 export enum Permission {
     All = "all",

package.json

@@ -3,7 +3,7 @@
   "version": "2.6.3",
   "description": "Monorepo for Immich",
   "private": true,
-  "packageManager": "pnpm@10.30.3+sha512.c961d1e0a2d8e354ecaa5166b822516668b7f44cb5bd95122d590dd81922f606f5473b6d23ec4a5be05e7fcd18e8488d47d978bbe981872f1145d06e9a740017",
+  "packageManager": "pnpm@10.32.1+sha512.a706938f0e89ac1456b6563eab4edf1d1faf3368d1191fc5c59790e96dc918e4456ab2e67d613de1043d2e8c81f87303e6b40d4ffeca9df15ef1ad567348f2be",
   "engines": {
     "pnpm": ">=10.0.0"
   }

plugins/package-lock.json

@@ -15,9 +15,9 @@
       }
     },
     "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
-      "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz",
+      "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==",
       "cpu": [
         "ppc64"
       ],
@@ -32,9 +32,9 @@
       }
     },
     "node_modules/@esbuild/android-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
-      "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz",
+      "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==",
       "cpu": [
         "arm"
       ],
@@ -49,9 +49,9 @@
       }
     },
     "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
-      "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz",
+      "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==",
       "cpu": [
         "arm64"
       ],
@@ -66,9 +66,9 @@
       }
     },
     "node_modules/@esbuild/android-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
-      "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz",
+      "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==",
       "cpu": [
         "x64"
       ],
@@ -83,9 +83,9 @@
       }
     },
     "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
-      "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz",
+      "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==",
       "cpu": [
         "arm64"
       ],
@@ -100,9 +100,9 @@
       }
     },
     "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
-      "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz",
+      "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==",
       "cpu": [
         "x64"
       ],
@@ -117,9 +117,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==",
       "cpu": [
         "arm64"
       ],
@@ -134,9 +134,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
-      "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz",
+      "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==",
       "cpu": [
         "x64"
       ],
@@ -151,9 +151,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
-      "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz",
+      "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==",
       "cpu": [
         "arm"
       ],
@@ -168,9 +168,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
-      "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz",
+      "integrity": "sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==",
       "cpu": [
         "arm64"
       ],
@@ -185,9 +185,9 @@
       }
     },
     "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
-      "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz",
+      "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==",
       "cpu": [
         "ia32"
       ],
@@ -202,9 +202,9 @@
       }
     },
     "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
-      "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz",
+      "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==",
       "cpu": [
         "loong64"
       ],
@@ -219,9 +219,9 @@
       }
     },
     "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
-      "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz",
+      "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==",
       "cpu": [
         "mips64el"
       ],
@@ -236,9 +236,9 @@
       }
     },
     "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
-      "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz",
+      "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==",
       "cpu": [
         "ppc64"
       ],
@@ -253,9 +253,9 @@
       }
     },
     "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
-      "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz",
+      "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==",
       "cpu": [
         "riscv64"
       ],
@@ -270,9 +270,9 @@
       }
     },
     "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
-      "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz",
+      "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==",
       "cpu": [
         "s390x"
       ],
@@ -287,9 +287,9 @@
       }
     },
     "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
-      "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz",
+      "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==",
       "cpu": [
         "x64"
       ],
@@ -304,9 +304,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==",
       "cpu": [
         "arm64"
       ],
@@ -321,9 +321,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==",
       "cpu": [
         "x64"
       ],
@@ -338,9 +338,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==",
       "cpu": [
         "arm64"
       ],
@@ -355,9 +355,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==",
       "cpu": [
         "x64"
       ],
@@ -372,9 +372,9 @@
       }
     },
     "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
-      "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz",
+      "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==",
       "cpu": [
         "arm64"
       ],
@@ -389,9 +389,9 @@
       }
     },
     "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
-      "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz",
+      "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==",
       "cpu": [
         "x64"
       ],
@@ -406,9 +406,9 @@
       }
     },
     "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
-      "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz",
+      "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==",
       "cpu": [
         "arm64"
       ],
@@ -423,9 +423,9 @@
       }
     },
     "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
-      "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz",
+      "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==",
       "cpu": [
         "ia32"
       ],
@@ -440,9 +440,9 @@
       }
     },
     "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
-      "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz",
+      "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==",
       "cpu": [
         "x64"
       ],
@@ -467,9 +467,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
-      "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
+      "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -480,32 +480,32 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.3",
-        "@esbuild/android-arm": "0.27.3",
-        "@esbuild/android-arm64": "0.27.3",
-        "@esbuild/android-x64": "0.27.3",
-        "@esbuild/darwin-arm64": "0.27.3",
-        "@esbuild/darwin-x64": "0.27.3",
-        "@esbuild/freebsd-arm64": "0.27.3",
-        "@esbuild/freebsd-x64": "0.27.3",
-        "@esbuild/linux-arm": "0.27.3",
-        "@esbuild/linux-arm64": "0.27.3",
-        "@esbuild/linux-ia32": "0.27.3",
-        "@esbuild/linux-loong64": "0.27.3",
-        "@esbuild/linux-mips64el": "0.27.3",
-        "@esbuild/linux-ppc64": "0.27.3",
-        "@esbuild/linux-riscv64": "0.27.3",
-        "@esbuild/linux-s390x": "0.27.3",
-        "@esbuild/linux-x64": "0.27.3",
-        "@esbuild/netbsd-arm64": "0.27.3",
-        "@esbuild/netbsd-x64": "0.27.3",
-        "@esbuild/openbsd-arm64": "0.27.3",
-        "@esbuild/openbsd-x64": "0.27.3",
-        "@esbuild/openharmony-arm64": "0.27.3",
-        "@esbuild/sunos-x64": "0.27.3",
-        "@esbuild/win32-arm64": "0.27.3",
-        "@esbuild/win32-ia32": "0.27.3",
-        "@esbuild/win32-x64": "0.27.3"
+        "@esbuild/aix-ppc64": "0.27.4",
+        "@esbuild/android-arm": "0.27.4",
+        "@esbuild/android-arm64": "0.27.4",
+        "@esbuild/android-x64": "0.27.4",
+        "@esbuild/darwin-arm64": "0.27.4",
+        "@esbuild/darwin-x64": "0.27.4",
+        "@esbuild/freebsd-arm64": "0.27.4",
+        "@esbuild/freebsd-x64": "0.27.4",
+        "@esbuild/linux-arm": "0.27.4",
+        "@esbuild/linux-arm64": "0.27.4",
+        "@esbuild/linux-ia32": "0.27.4",
+        "@esbuild/linux-loong64": "0.27.4",
+        "@esbuild/linux-mips64el": "0.27.4",
+        "@esbuild/linux-ppc64": "0.27.4",
+        "@esbuild/linux-riscv64": "0.27.4",
+        "@esbuild/linux-s390x": "0.27.4",
+        "@esbuild/linux-x64": "0.27.4",
+        "@esbuild/netbsd-arm64": "0.27.4",
+        "@esbuild/netbsd-x64": "0.27.4",
+        "@esbuild/openbsd-arm64": "0.27.4",
+        "@esbuild/openbsd-x64": "0.27.4",
+        "@esbuild/openharmony-arm64": "0.27.4",
+        "@esbuild/sunos-x64": "0.27.4",
+        "@esbuild/win32-arm64": "0.27.4",
+        "@esbuild/win32-ia32": "0.27.4",
+        "@esbuild/win32-x64": "0.27.4"
       }
     },
     "node_modules/typescript": {

server/.nvmrc

@@ -1 +1 @@
-24.13.1
+24.14.0

server/bin/start.sh

@@ -15,13 +15,12 @@ log_message() {
 
 log_message "Initializing Immich $IMMICH_SOURCE_REF"
 
-# TODO: Update to mimalloc v3 when verified memory isn't released issue is fixed
-# lib_path="/usr/lib/$(arch)-linux-gnu/libmimalloc.so.3"
-# if [ -f "$lib_path" ]; then
-#   export LD_PRELOAD="$lib_path"
-# else
-#   echo "skipping libmimalloc - path not found $lib_path"
-# fi
+lib_path="/usr/lib/$(arch)-linux-gnu/libmimalloc.so.3"
+if [ -f "$lib_path" ]; then
+  export LD_PRELOAD="$lib_path"
+else
+  echo "skipping libmimalloc - path not found $lib_path"
+fi
 export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/lib/jellyfin-ffmpeg/lib"
 SERVER_HOME="$(readlink -f "$(dirname "$0")/..")"
 

server/helmet.json

@@ -0,0 +1,21 @@
+{
+  "contentSecurityPolicy": {
+    "directives": {
+      "default-src": ["'self'"],
+      "script-src": ["'self'", "'wasm-unsafe-eval", "'unsafe-inline'", "https://www.gstatic.com"],
+      "style-src": ["'self'", "'unsafe-inline'"],
+      "img-src": ["'self'", "'data:'", "'blob:'"],
+      "connect-src": [
+        "'self'",
+        "blob:",
+        "https://pay.futo.org",
+        "https://static.immich.cloud",
+        "https://tiles.immich.cloud"
+      ],
+      "worker-src": ["'self'", "blob:"],
+      "frame-src": ["'none'"],
+      "object-src": ["'none'"],
+      "base-uri": ["'self'"]
+    }
+  }
+}

server/package.json

@@ -5,6 +5,11 @@
   "author": "",
   "private": true,
   "license": "GNU Affero General Public License version 3",
+  "files": [
+    "bin",
+    "dist",
+    "helmet.json"
+  ],
   "scripts": {
     "build": "nest build",
     "format": "prettier --cache --check .",
@@ -77,12 +82,13 @@
     "fluent-ffmpeg": "^2.1.2",
     "geo-tz": "^8.0.0",
     "handlebars": "^4.7.8",
+    "helmet": "^8.1.0",
     "i18n-iso-countries": "^7.6.0",
     "ioredis": "^5.8.2",
     "jose": "^5.10.0",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.2",
-    "kysely": "0.28.11",
+    "kysely": "0.28.14",
     "kysely-postgres-js": "^3.0.0",
     "lodash": "^4.17.21",
     "luxon": "^3.4.2",
@@ -136,7 +142,7 @@
     "@types/luxon": "^3.6.2",
     "@types/mock-fs": "^4.13.1",
     "@types/multer": "^2.0.0",
-    "@types/node": "^24.11.0",
+    "@types/node": "^24.12.0",
     "@types/nodemailer": "^7.0.0",
     "@types/picomatch": "^4.0.0",
     "@types/pngjs": "^6.0.5",
@@ -168,7 +174,7 @@
     "vitest": "^3.0.0"
   },
   "volta": {
-    "node": "24.13.1"
+    "node": "24.14.0"
   },
   "overrides": {
     "sharp": "^0.34.5"

server/src/app.common.ts

@@ -2,9 +2,10 @@ import { NestExpressApplication } from '@nestjs/platform-express';
 import { json } from 'body-parser';
 import compression from 'compression';
 import cookieParser from 'cookie-parser';
+import helmetMiddleware from 'helmet';
 import { existsSync } from 'node:fs';
 import sirv from 'sirv';
-import { excludePaths, serverVersion } from 'src/constants';
+import { IMMICH_SERVER_START, excludePaths, serverVersion } from 'src/constants';
 import { MaintenanceWorkerService } from 'src/maintenance/maintenance-worker.service';
 import { WebSocketAdapter } from 'src/middleware/websocket.adapter';
 import { ConfigRepository } from 'src/repositories/config.repository';
@@ -39,7 +40,7 @@ export async function configureExpress(
   },
 ) {
   const configRepository = app.get(ConfigRepository);
-  const { environment, host, port, resourcePaths, network } = configRepository.getEnv();
+  const { environment, host, port, helmet, resourcePaths, network } = configRepository.getEnv();
 
   const logger = await app.resolve(LoggingRepository);
   logger.setContext('Bootstrap');
@@ -47,6 +48,12 @@ export async function configureExpress(
 
   app.set('trust proxy', ['loopback', ...network.trustedProxies]);
   app.set('etag', 'strong');
+
+  if (helmet.config) {
+    app.use(helmetMiddleware(helmet.config));
+    logger.log('Initialized helmet middleware');
+  }
+
   app.use(cookieParser());
   app.use(json({ limit: '10mb' }));
 
@@ -83,5 +90,5 @@ export async function configureExpress(
   const server = await (host ? app.listen(port, host) : app.listen(port));
   server.requestTimeout = 24 * 60 * 60 * 1000;
 
-  logger.log(`Immich Server is listening on ${await app.getUrl()} [v${serverVersion}] [${environment}] `);
+  logger.log(`${IMMICH_SERVER_START} on ${await app.getUrl()} [v${serverVersion}] [${environment}] `);
 }

server/src/app.module.ts

@@ -29,6 +29,7 @@ import { ProcessRepository } from 'src/repositories/process.repository';
 import { StorageRepository } from 'src/repositories/storage.repository';
 import { SystemMetadataRepository } from 'src/repositories/system-metadata.repository';
 import { teardownTelemetry, TelemetryRepository } from 'src/repositories/telemetry.repository';
+import { UserRepository } from 'src/repositories/user.repository';
 import { WebsocketRepository } from 'src/repositories/websocket.repository';
 import { services } from 'src/services';
 import { AuthService } from 'src/services/auth.service';
@@ -111,6 +112,7 @@ export class ApiModule extends BaseModule {}
     StorageRepository,
     ProcessRepository,
     DatabaseRepository,
+    UserRepository,
     SystemMetadataRepository,
     AppRepository,
     MaintenanceHealthRepository,

server/src/constants.ts

@@ -4,6 +4,8 @@ import { dirname, join } from 'node:path';
 import { SemVer } from 'semver';
 import { ApiTag, AudioCodec, DatabaseExtension, ExifOrientation, VectorIndex } from 'src/enum';
 
+export const IMMICH_SERVER_START = 'Immich Server is listening';
+
 export const ErrorMessages = {
   InconsistentMediaLocation:
     'Detected an inconsistent media location. For more information, see https://docs.immich.app/errors#inconsistent-media-location',

server/src/controllers/duplicate.controller.spec.ts

@@ -0,0 +1,47 @@
+import { DuplicateController } from 'src/controllers/duplicate.controller';
+import { DuplicateService } from 'src/services/duplicate.service';
+import request from 'supertest';
+import { factory } from 'test/small.factory';
+import { ControllerContext, controllerSetup, mockBaseService } from 'test/utils';
+
+describe(DuplicateController.name, () => {
+  let ctx: ControllerContext;
+  const service = mockBaseService(DuplicateService);
+
+  beforeAll(async () => {
+    ctx = await controllerSetup(DuplicateController, [{ provide: DuplicateService, useValue: service }]);
+    return () => ctx.close();
+  });
+
+  beforeEach(() => {
+    service.resetAllMocks();
+    ctx.reset();
+  });
+
+  describe('GET /duplicates', () => {
+    it('should be an authenticated route', async () => {
+      await request(ctx.getHttpServer()).get('/duplicates');
+      expect(ctx.authenticate).toHaveBeenCalled();
+    });
+  });
+
+  describe('DELETE /duplicates', () => {
+    it('should be an authenticated route', async () => {
+      await request(ctx.getHttpServer()).delete('/duplicates');
+      expect(ctx.authenticate).toHaveBeenCalled();
+    });
+  });
+
+  describe('DELETE /duplicates/:id', () => {
+    it('should be an authenticated route', async () => {
+      await request(ctx.getHttpServer()).delete(`/duplicates/${factory.uuid()}`);
+      expect(ctx.authenticate).toHaveBeenCalled();
+    });
+
+    it('should require a valid uuid', async () => {
+      const { status, body } = await request(ctx.getHttpServer()).delete(`/duplicates/123`);
+      expect(status).toBe(400);
+      expect(body).toEqual(factory.responses.badRequest(['id must be a UUID']));
+    });
+  });
+});

server/src/controllers/duplicate.controller.ts

@@ -1,9 +1,9 @@
-import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param } from '@nestjs/common';
+import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { Endpoint, HistoryBuilder } from 'src/decorators';
-import { BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
+import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { DuplicateResponseDto } from 'src/dtos/duplicate.dto';
+import { DuplicateResolveDto, DuplicateResponseDto } from 'src/dtos/duplicate.dto';
 import { ApiTag, Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { DuplicateService } from 'src/services/duplicate.service';
@@ -48,4 +48,16 @@ export class DuplicateController {
   deleteDuplicate(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
     return this.service.delete(auth, id);
   }
+
+  @Post('resolve')
+  @HttpCode(HttpStatus.OK)
+  @Authenticated({ permission: Permission.DuplicateDelete })
+  @Endpoint({
+    summary: 'Resolve duplicate groups',
+    description: 'Resolve duplicate groups by synchronizing metadata across assets and deleting/trashing duplicates.',
+    history: new HistoryBuilder().added('v3.0.0').alpha('v3.0.0'),
+  })
+  resolveDuplicates(@Auth() auth: AuthDto, @Body() dto: DuplicateResolveDto): Promise<BulkIdResponseDto[]> {
+    return this.service.resolve(auth, dto);
+  }
 }

server/src/database.ts

@@ -5,6 +5,7 @@ import {
   AssetFileType,
   AssetType,
   AssetVisibility,
+  ChecksumAlgorithm,
   MemoryType,
   Permission,
   PluginContext,
@@ -112,6 +113,7 @@ export type Memory = {
 export type Asset = {
   id: string;
   checksum: Buffer<ArrayBufferLike>;
+  checksumAlgorithm: ChecksumAlgorithm;
   deviceAssetId: string;
   deviceId: string;
   fileCreatedAt: Date;
@@ -330,6 +332,7 @@ export const columns = {
   asset: [
     'asset.id',
     'asset.checksum',
+    'asset.checksumAlgorithm',
     'asset.deviceAssetId',
     'asset.deviceId',
     'asset.fileCreatedAt',
@@ -345,6 +348,7 @@ export const columns = {
     'asset.type',
     'asset.width',
     'asset.height',
+    'asset.isEdited',
   ],
   assetFiles: ['asset_file.id', 'asset_file.path', 'asset_file.type', 'asset_file.isEdited'],
   assetFilesForThumbnail: [

server/src/dtos/asset-ids.response.dto.ts

@@ -23,6 +23,7 @@ export enum BulkIdErrorReason {
   NO_PERMISSION = 'no_permission',
   NOT_FOUND = 'not_found',
   UNKNOWN = 'unknown',
+  VALIDATION = 'validation',
 }
 
 export class BulkIdsDto {
@@ -37,4 +38,5 @@ export class BulkIdResponseDto {
   success!: boolean;
   @ApiPropertyOptional({ description: 'Error reason if failed', enum: BulkIdErrorReason })
   error?: BulkIdErrorReason;
+  errorMessage?: string;
 }

server/src/dtos/asset-response.dto.ts

@@ -13,7 +13,7 @@ import {
 } from 'src/dtos/person.dto';
 import { TagResponseDto, mapTag } from 'src/dtos/tag.dto';
 import { UserResponseDto, mapUser } from 'src/dtos/user.dto';
-import { AssetStatus, AssetType, AssetVisibility } from 'src/enum';
+import { AssetStatus, AssetType, AssetVisibility, ChecksumAlgorithm } from 'src/enum';
 import { ImageDimensions, MaybeDehydrated } from 'src/types';
 import { getDimensions } from 'src/utils/asset.util';
 import { hexOrBufferToBase64 } from 'src/utils/bytes';
@@ -148,6 +148,7 @@ export type MapAsset = {
   updateId: string;
   status: AssetStatus;
   checksum: Buffer<ArrayBufferLike>;
+  checksumAlgorithm: ChecksumAlgorithm;
   deviceAssetId: string;
   deviceId: string;
   duplicateId: string | null;

server/src/dtos/duplicate.dto.ts

@@ -1,9 +1,35 @@
 import { ApiProperty } from '@nestjs/swagger';
+import { Type } from 'class-transformer';
+import { ArrayMinSize, IsArray, ValidateNested } from 'class-validator';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
+import { ValidateUUID } from 'src/validation';
 
 export class DuplicateResponseDto {
   @ApiProperty({ description: 'Duplicate group ID' })
   duplicateId!: string;
   @ApiProperty({ description: 'Duplicate assets' })
   assets!: AssetResponseDto[];
+
+  @ValidateUUID({ each: true, description: 'Suggested asset IDs to keep based on file size and EXIF data' })
+  suggestedKeepAssetIds!: string[];
+}
+
+export class DuplicateResolveGroupDto {
+  @ValidateUUID()
+  duplicateId!: string;
+
+  @ValidateUUID({ each: true, description: 'Asset IDs to keep' })
+  keepAssetIds!: string[];
+
+  @ValidateUUID({ each: true, description: 'Asset IDs to trash or delete' })
+  trashAssetIds!: string[];
+}
+
+export class DuplicateResolveDto {
+  @ApiProperty({ description: 'List of duplicate groups to resolve' })
+  @ValidateNested({ each: true })
+  @IsArray()
+  @Type(() => DuplicateResolveGroupDto)
+  @ArrayMinSize(1)
+  groups!: DuplicateResolveGroupDto[];
 }

server/src/dtos/env.dto.ts

@@ -42,6 +42,10 @@ export class EnvDto {
   @Optional()
   IMMICH_CONFIG_FILE?: string;
 
+  @IsString()
+  @Optional()
+  IMMICH_HELMET_FILE?: string;
+
   @IsEnum(ImmichEnvironment)
   @Optional()
   IMMICH_ENV?: ImmichEnvironment;

server/src/enum.ts

@@ -37,6 +37,11 @@ export enum AssetType {
   Other = 'OTHER',
 }
 
+export enum ChecksumAlgorithm {
+  sha1File = 'sha1', // sha1 checksum of the whole file contents
+  sha1Path = 'sha1-path', // sha1 checksum of "path:" plus the file path, currently used in external libraries, deprecated
+}
+
 export enum AssetFileType {
   /**
    * An full/large-size image extracted/converted from RAW photos

server/src/maintenance/maintenance-health.repository.ts

@@ -1,6 +1,7 @@
 import { Injectable } from '@nestjs/common';
 import { fork } from 'node:child_process';
 import { dirname, join } from 'node:path';
+import { IMMICH_SERVER_START } from 'src/constants';
 
 @Injectable()
 export class MaintenanceHealthRepository {
@@ -20,45 +21,27 @@ export class MaintenanceHealthRepository {
         stdio: ['ignore', 'pipe', 'ignore', 'ipc'],
       });
 
-      async function checkHealth() {
-        try {
-          const response = await fetch('http://127.0.0.1:33001/api/server/config');
-          const { isOnboarded } = await response.json();
-          if (isOnboarded) {
-            resolve();
-          } else {
-            reject(new Error('Server health check failed, no admin exists.'));
-          }
-        } catch (error) {
-          reject(error);
-        } finally {
-          if (worker.exitCode === null) {
-            worker.kill('SIGTERM');
-          }
-        }
-      }
-
-      let output = '',
-        alive = false;
+      let output = '';
 
       worker.stdout?.on('data', (data) => {
-        if (alive) {
+        if (worker.exitCode !== null) {
           return;
         }
 
         output += data;
 
-        if (output.includes('Immich Server is listening')) {
-          alive = true;
-          void checkHealth();
+        if (output.includes(IMMICH_SERVER_START)) {
+          resolve();
+          worker.kill('SIGTERM');
         }
       });
 
-      worker.on('exit', reject);
-      worker.on('error', reject);
+      worker.on('exit', (code, signal) => reject(`Server health check failed, server exited with ${signal ?? code}`));
+      worker.on('error', (error) => reject(`Server health check failed, process threw: ${error}`));
 
       setTimeout(() => {
         if (worker.exitCode === null) {
+          reject('Server health check failed, took too long to start.');
           worker.kill('SIGTERM');
         }
       }, 20_000);

server/src/queries/access.repository.sql

@@ -160,6 +160,16 @@ where
   "session"."userId" = $1
   and "session"."id" in ($2)
 
+-- AccessRepository.duplicate.checkOwnerAccess
+select
+  "asset"."duplicateId"
+from
+  "asset"
+where
+  "asset"."duplicateId" in ($1)
+  and "asset"."ownerId" = $2
+  and "asset"."deletedAt" is null
+
 -- AccessRepository.memory.checkOwnerAccess
 select
   "memory"."id"

server/src/queries/album.repository.sql

@@ -164,6 +164,28 @@ order by
   "album"."createdAt" desc,
   "album"."createdAt" desc
 
+-- AlbumRepository.getByAssetIds
+select
+  "album"."id",
+  "album_asset"."assetId"
+from
+  "album"
+  inner join "album_asset" on "album_asset"."albumId" = "album"."id"
+where
+  (
+    "album"."ownerId" = $1
+    or exists (
+      select
+      from
+        "album_user"
+      where
+        "album_user"."albumId" = "album"."id"
+        and "album_user"."userId" = $2
+    )
+  )
+  and "album_asset"."assetId" in ($3)
+  and "album"."deletedAt" is null
+
 -- AlbumRepository.getMetadataForIds
 select
   "album_asset"."albumId" as "albumId",

server/src/queries/asset.job.repository.sql

@@ -249,6 +249,7 @@ where
 select
   "asset"."id",
   "asset"."checksum",
+  "asset"."checksumAlgorithm",
   "asset"."deviceAssetId",
   "asset"."deviceId",
   "asset"."fileCreatedAt",
@@ -264,6 +265,7 @@ select
   "asset"."type",
   "asset"."width",
   "asset"."height",
+  "asset"."isEdited",
   (
     select
       coalesce(json_agg(agg), '[]')

server/src/queries/duplicate.repository.sql

@@ -15,7 +15,26 @@ with
       inner join lateral (
         select
           "asset".*,
-          "asset_exif" as "exifInfo"
+          to_json("asset_exif") as "exifInfo",
+          (
+            select
+              coalesce(json_agg(agg), '[]')
+            from
+              (
+                select
+                  "tag"."id",
+                  "tag"."value",
+                  "tag"."createdAt",
+                  "tag"."updatedAt",
+                  "tag"."color",
+                  "tag"."parentId"
+                from
+                  "tag"
+                  inner join "tag_asset" on "tag"."id" = "tag_asset"."tagId"
+                where
+                  "tag_asset"."assetId" = "asset"."id"
+              ) as agg
+          ) as "tags"
         from
           "asset_exif"
         where
@@ -29,36 +48,84 @@ with
       and "asset"."stackId" is null
     group by
       "asset"."duplicateId"
-  ),
-  "unique" as (
-    select
-      "duplicateId"
-    from
-      "duplicates"
-    where
-      json_array_length("assets") = $2
-  ),
-  "removed_unique" as (
-    update "asset"
-    set
-      "duplicateId" = $3
-    from
-      "unique"
-    where
-      "asset"."duplicateId" = "unique"."duplicateId"
   )
 select
   *
 from
   "duplicates"
 where
-  not exists (
+  json_array_length("assets") > $2
+
+-- DuplicateRepository.cleanupSingletonGroups
+with
+  "singletons" as (
     select
+      "duplicateId"
     from
-      "unique"
+      "asset"
     where
-      "unique"."duplicateId" = "duplicates"."duplicateId"
+      "ownerId" = $1::uuid
+      and "duplicateId" is not null
+      and "deletedAt" is null
+      and "stackId" is null
+    group by
+      "duplicateId"
+    having
+      count("id") = $2
   )
+update "asset"
+set
+  "duplicateId" = $3
+from
+  "singletons"
+where
+  "asset"."duplicateId" = "singletons"."duplicateId"
+
+-- DuplicateRepository.get
+select
+  "asset"."duplicateId",
+  json_agg(
+    "asset2"
+    order by
+      "asset"."localDateTime" asc
+  ) as "assets"
+from
+  "asset"
+  inner join lateral (
+    select
+      "asset".*,
+      to_json("asset_exif") as "exifInfo",
+      (
+        select
+          coalesce(json_agg(agg), '[]')
+        from
+          (
+            select
+              "tag"."id",
+              "tag"."value",
+              "tag"."createdAt",
+              "tag"."updatedAt",
+              "tag"."color",
+              "tag"."parentId"
+            from
+              "tag"
+              inner join "tag_asset" on "tag"."id" = "tag_asset"."tagId"
+            where
+              "tag_asset"."assetId" = "asset"."id"
+          ) as agg
+      ) as "tags"
+    from
+      "asset_exif"
+    where
+      "asset_exif"."assetId" = "asset"."id"
+  ) as "asset2" on true
+where
+  "asset"."visibility" in ('archive', 'timeline')
+  and "asset"."duplicateId" = $1::uuid
+  and "asset"."deletedAt" is null
+  and "asset"."stackId" is null
+group by
+  "asset"."duplicateId"
 
 -- DuplicateRepository.delete
 update "asset"

server/src/queries/shared.link.repository.sql

@@ -3,37 +3,64 @@
 -- SharedLinkRepository.get
 select
   "shared_link".*,
-  coalesce(
-    json_agg("a") filter (
-      where
-        "a"."id" is not null
-    ),
-    '[]'
+  (
+    select
+      coalesce(json_agg(agg), '[]')
+    from
+      (
+        select
+          "asset".*,
+          to_json("exifInfo") as "exifInfo"
+        from
+          "shared_link_asset"
+          inner join "asset" on "asset"."id" = "shared_link_asset"."assetId"
+          inner join lateral (
+            select
+              "asset_exif"."assetId",
+              "asset_exif"."autoStackId",
+              "asset_exif"."bitsPerSample",
+              "asset_exif"."city",
+              "asset_exif"."colorspace",
+              "asset_exif"."country",
+              "asset_exif"."dateTimeOriginal",
+              "asset_exif"."description",
+              "asset_exif"."exifImageHeight",
+              "asset_exif"."exifImageWidth",
+              "asset_exif"."exposureTime",
+              "asset_exif"."fileSizeInByte",
+              "asset_exif"."fNumber",
+              "asset_exif"."focalLength",
+              "asset_exif"."fps",
+              "asset_exif"."iso",
+              "asset_exif"."latitude",
+              "asset_exif"."lensModel",
+              "asset_exif"."livePhotoCID",
+              "asset_exif"."longitude",
+              "asset_exif"."make",
+              "asset_exif"."model",
+              "asset_exif"."modifyDate",
+              "asset_exif"."orientation",
+              "asset_exif"."profileDescription",
+              "asset_exif"."projectionType",
+              "asset_exif"."rating",
+              "asset_exif"."state",
+              "asset_exif"."tags",
+              "asset_exif"."timeZone"
+            from
+              "asset_exif"
+            where
+              "asset_exif"."assetId" = "asset"."id"
+          ) as "exifInfo" on true
+        where
+          "shared_link"."id" = "shared_link_asset"."sharedLinkId"
+          and "asset"."deletedAt" is null
+        order by
+          "asset"."fileCreatedAt" asc
+      ) as agg
   ) as "assets",
   to_json("album") as "album"
 from
   "shared_link"
-  left join lateral (
-    select
-      "asset".*,
-      to_json("exifInfo") as "exifInfo"
-    from
-      "shared_link_asset"
-      inner join "asset" on "asset"."id" = "shared_link_asset"."assetId"
-      inner join lateral (
-        select
-          "asset_exif".*
-        from
-          "asset_exif"
-        where
-          "asset_exif"."assetId" = "asset"."id"
-      ) as "exifInfo" on true
-    where
-      "shared_link"."id" = "shared_link_asset"."sharedLinkId"
-      and "asset"."deletedAt" is null
-    order by
-      "asset"."fileCreatedAt" asc
-  ) as "a" on true
   left join lateral (
     select
       "album".*,
@@ -60,7 +87,36 @@ from
           "asset"
           inner join lateral (
             select
-              "asset_exif".*
+              "asset_exif"."assetId",
+              "asset_exif"."autoStackId",
+              "asset_exif"."bitsPerSample",
+              "asset_exif"."city",
+              "asset_exif"."colorspace",
+              "asset_exif"."country",
+              "asset_exif"."dateTimeOriginal",
+              "asset_exif"."description",
+              "asset_exif"."exifImageHeight",
+              "asset_exif"."exifImageWidth",
+              "asset_exif"."exposureTime",
+              "asset_exif"."fileSizeInByte",
+              "asset_exif"."fNumber",
+              "asset_exif"."focalLength",
+              "asset_exif"."fps",
+              "asset_exif"."iso",
+              "asset_exif"."latitude",
+              "asset_exif"."lensModel",
+              "asset_exif"."livePhotoCID",
+              "asset_exif"."longitude",
+              "asset_exif"."make",
+              "asset_exif"."model",
+              "asset_exif"."modifyDate",
+              "asset_exif"."orientation",
+              "asset_exif"."profileDescription",
+              "asset_exif"."projectionType",
+              "asset_exif"."rating",
+              "asset_exif"."state",
+              "asset_exif"."tags",
+              "asset_exif"."timeZone"
             from
               "asset_exif"
             where
@@ -74,7 +130,12 @@ from
       ) as "assets" on true
       inner join lateral (
         select
-          "user".*
+          "id",
+          "name",
+          "email",
+          "avatarColor",
+          "profileImagePath",
+          "profileChangedAt"
         from
           "user"
         where
@@ -95,9 +156,6 @@ where
     "shared_link"."type" = $3
     or "album"."id" is not null
   )
-group by
-  "shared_link"."id",
-  "album".*
 order by
   "shared_link"."createdAt" desc
 
@@ -134,21 +192,12 @@ from
       "album"
       inner join lateral (
         select
-          "user"."id",
-          "user"."email",
-          "user"."createdAt",
-          "user"."profileImagePath",
-          "user"."isAdmin",
-          "user"."shouldChangePassword",
-          "user"."deletedAt",
-          "user"."oauthId",
-          "user"."updatedAt",
-          "user"."storageLabel",
-          "user"."name",
-          "user"."quotaSizeInBytes",
-          "user"."quotaUsageInBytes",
-          "user"."status",
-          "user"."profileChangedAt"
+          "id",
+          "name",
+          "email",
+          "avatarColor",
+          "profileImagePath",
+          "profileChangedAt"
         from
           "user"
         where
@@ -267,7 +316,36 @@ from
       "asset"
       inner join lateral (
         select
-          *
+          "asset_exif"."assetId",
+          "asset_exif"."autoStackId",
+          "asset_exif"."bitsPerSample",
+          "asset_exif"."city",
+          "asset_exif"."colorspace",
+          "asset_exif"."country",
+          "asset_exif"."dateTimeOriginal",
+          "asset_exif"."description",
+          "asset_exif"."exifImageHeight",
+          "asset_exif"."exifImageWidth",
+          "asset_exif"."exposureTime",
+          "asset_exif"."fileSizeInByte",
+          "asset_exif"."fNumber",
+          "asset_exif"."focalLength",
+          "asset_exif"."fps",
+          "asset_exif"."iso",
+          "asset_exif"."latitude",
+          "asset_exif"."lensModel",
+          "asset_exif"."livePhotoCID",
+          "asset_exif"."longitude",
+          "asset_exif"."make",
+          "asset_exif"."model",
+          "asset_exif"."modifyDate",
+          "asset_exif"."orientation",
+          "asset_exif"."profileDescription",
+          "asset_exif"."projectionType",
+          "asset_exif"."rating",
+          "asset_exif"."state",
+          "asset_exif"."tags",
+          "asset_exif"."timeZone"
         from
           "asset_exif"
         where

server/src/repositories/access.repository.ts

@@ -1,5 +1,5 @@
 import { Injectable } from '@nestjs/common';
-import { Kysely, sql } from 'kysely';
+import { Kysely, NotNull, sql } from 'kysely';
 import { InjectKysely } from 'nestjs-kysely';
 import { ChunkedSet, DummyValue, GenerateSql } from 'src/decorators';
 import { AlbumUserRole, AssetVisibility } from 'src/enum';
@@ -285,6 +285,28 @@ class AuthDeviceAccess {
   }
 }
 
+class DuplicateAccess {
+  constructor(private db: Kysely<DB>) {}
+
+  @GenerateSql({ params: [DummyValue.UUID, DummyValue.UUID_SET] })
+  @ChunkedSet({ paramIndex: 1 })
+  async checkOwnerAccess(userId: string, duplicateIds: Set<string>) {
+    if (duplicateIds.size === 0) {
+      return new Set<string>();
+    }
+
+    return this.db
+      .selectFrom('asset')
+      .select('asset.duplicateId')
+      .where('asset.duplicateId', 'in', [...duplicateIds])
+      .where('asset.ownerId', '=', userId)
+      .where('asset.deletedAt', 'is', null)
+      .$narrowType<{ duplicateId: NotNull }>()
+      .execute()
+      .then((assets) => new Set(assets.map((asset) => asset.duplicateId)));
+  }
+}
+
 class NotificationAccess {
   constructor(private db: Kysely<DB>) {}
 
@@ -488,6 +510,7 @@ export class AccessRepository {
   album: AlbumAccess;
   asset: AssetAccess;
   authDevice: AuthDeviceAccess;
+  duplicate: DuplicateAccess;
   memory: MemoryAccess;
   notification: NotificationAccess;
   person: PersonAccess;
@@ -503,6 +526,7 @@ export class AccessRepository {
     this.album = new AlbumAccess(db);
     this.asset = new AssetAccess(db);
     this.authDevice = new AuthDeviceAccess(db);
+    this.duplicate = new DuplicateAccess(db);
     this.memory = new MemoryAccess(db);
     this.notification = new NotificationAccess(db);
     this.person = new PersonAccess(db);

server/src/repositories/album.repository.ts

@@ -125,6 +125,44 @@ export class AlbumRepository {
       .execute();
   }
 
+  @GenerateSql({ params: [DummyValue.UUID, [DummyValue.UUID]] })
+  @ChunkedSet({ paramIndex: 1 })
+  async getByAssetIds(ownerId: string, assetIds: string[]): Promise<Map<string, string[]>> {
+    if (assetIds.length === 0) {
+      return new Map();
+    }
+
+    const results = await this.db
+      .selectFrom('album')
+      .select('album.id')
+      .innerJoin('album_asset', 'album_asset.albumId', 'album.id')
+      .where((eb) =>
+        eb.or([
+          eb('album.ownerId', '=', ownerId),
+          eb.exists(
+            eb
+              .selectFrom('album_user')
+              .whereRef('album_user.albumId', '=', 'album.id')
+              .where('album_user.userId', '=', ownerId),
+          ),
+        ]),
+      )
+      .where('album_asset.assetId', 'in', assetIds)
+      .where('album.deletedAt', 'is', null)
+      .select('album_asset.assetId')
+      .execute();
+
+    // Group by assetId
+    const map = new Map<string, string[]>();
+    for (const row of results) {
+      const existing = map.get(row.assetId) ?? [];
+      existing.push(row.id);
+      map.set(row.assetId, existing);
+    }
+
+    return map;
+  }
+
   @GenerateSql({ params: [[DummyValue.UUID]] })
   @ChunkedArray()
   async getMetadataForIds(ids: string[]): Promise<AlbumAssetCount[]> {
@@ -339,7 +377,12 @@ export class AlbumRepository {
     if (values.length === 0) {
       return;
     }
-    await this.db.insertInto('album_asset').values(values).execute();
+    await this.db
+      .insertInto('album_asset')
+      .values(values)
+      // Allow idempotent album sync without failing on existing album memberships.
+      .onConflict((oc) => oc.columns(['albumId', 'assetId']).doNothing())
+      .execute();
   }
 
   /**

server/src/repositories/config.repository.ts

@@ -5,9 +5,11 @@ import { QueueOptions } from 'bullmq';
 import { plainToInstance } from 'class-transformer';
 import { validateSync } from 'class-validator';
 import { Request, Response } from 'express';
+import { HelmetOptions } from 'helmet';
 import { RedisOptions } from 'ioredis';
 import { CLS_ID, ClsModuleOptions } from 'nestjs-cls';
 import { OpenTelemetryModuleOptions } from 'nestjs-otel/lib/interfaces';
+import { readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { citiesFile, excludePaths, IWorker } from 'src/constants';
 import { Telemetry } from 'src/decorators';
@@ -58,6 +60,10 @@ export interface EnvData {
     config: ClsModuleOptions;
   };
 
+  helmet: {
+    config?: HelmetOptions;
+  };
+
   database: {
     config: DatabaseConnectionParams;
     skipMigrations: boolean;
@@ -143,6 +149,25 @@ const asSet = <T>(value: string | undefined, defaults: T[]) => {
   return new Set(values.length === 0 ? defaults : (values as T[]));
 };
 
+const resolveHelmetFile = (helmetFile: 'true' | 'false' | string | undefined) => {
+  // default is off
+  if (!helmetFile || helmetFile === 'false') {
+    return;
+  }
+
+  helmetFile =
+    helmetFile === 'true'
+      ? // eslint-disable-next-line unicorn/prefer-module
+        join(__dirname, '..', '..', 'helmet.json')
+      : helmetFile;
+
+  try {
+    return JSON.parse(readFileSync(helmetFile).toString()) as HelmetOptions;
+  } catch (error) {
+    throw new Error(`Failed to read helmet file: ${helmetFile}`, { cause: error });
+  }
+};
+
 const getEnv = (): EnvData => {
   const dto = plainToInstance(EnvDto, process.env);
   const errors = validateSync(dto);
@@ -289,6 +314,10 @@ const getEnv = (): EnvData => {
       vectorExtension,
     },
 
+    helmet: {
+      config: resolveHelmetFile(dto.IMMICH_HELMET_FILE),
+    },
+
     licensePublicKey: isProd ? productionKeys : stagingKeys,
 
     network: {

server/src/repositories/duplicate.repository.ts

@@ -1,13 +1,19 @@
 import { Injectable } from '@nestjs/common';
 import { Kysely, NotNull, Selectable, ShallowDehydrateObject, sql } from 'kysely';
+import { jsonArrayFrom } from 'kysely/helpers/postgres';
 import { InjectKysely } from 'nestjs-kysely';
+import { columns } from 'src/database';
 import { Chunked, DummyValue, GenerateSql } from 'src/decorators';
+import { MapAsset } from 'src/dtos/asset-response.dto';
 import { AssetType, VectorIndex } from 'src/enum';
 import { probes } from 'src/repositories/database.repository';
 import { DB } from 'src/schema';
 import { AssetExifTable } from 'src/schema/tables/asset-exif.table';
 import { anyUuid, asUuid, withDefaultVisibility } from 'src/utils/database';
 
+// Maximum number of candidate duplicates to return from vector search
+const DUPLICATE_SEARCH_LIMIT = 64;
+
 interface DuplicateSearch {
   assetId: string;
   embedding: string;
@@ -34,20 +40,39 @@ export class DuplicateRepository {
           qb
             .selectFrom('asset')
             .$call(withDefaultVisibility)
+            // Use innerJoinLateral to build a composite object per asset that includes
+            // exifInfo and tags. This "asset2" object is then aggregated via jsonAgg.
+            // Tags must be included here (not via separate joins) so they appear in the
+            // final MapAsset[] output - needed for tag synchronization during resolution.
             .innerJoinLateral(
               (qb) =>
                 qb
                   .selectFrom('asset_exif')
                   .selectAll('asset')
                   .select((eb) =>
-                    eb.table('asset_exif').$castTo<ShallowDehydrateObject<Selectable<AssetExifTable>>>().as('exifInfo'),
+                    eb.fn
+                      .toJson('asset_exif')
+                      .$castTo<ShallowDehydrateObject<Selectable<AssetExifTable>>>()
+                      .as('exifInfo'),
+                  )
+
+                  .select((eb) =>
+                    jsonArrayFrom(
+                      eb
+                        .selectFrom('tag')
+                        .select(columns.tag)
+                        .innerJoin('tag_asset', 'tag.id', 'tag_asset.tagId')
+                        .whereRef('tag_asset.assetId', '=', 'asset.id'),
+                    ).as('tags'),
                   )
                   .whereRef('asset_exif.assetId', '=', 'asset.id')
                   .as('asset2'),
               (join) => join.onTrue(),
             )
             .select('asset.duplicateId')
-            .select((eb) => eb.fn.jsonAgg('asset2').orderBy('asset.localDateTime', 'asc').as('assets'))
+            .select((eb) =>
+              eb.fn.jsonAgg('asset2').orderBy('asset.localDateTime', 'asc').$castTo<MapAsset[]>().as('assets'),
+            )
             .where('asset.ownerId', '=', asUuid(userId))
             .where('asset.duplicateId', 'is not', null)
             .$narrowType<{ duplicateId: NotNull }>()
@@ -55,29 +80,80 @@ export class DuplicateRepository {
             .where('asset.stackId', 'is', null)
             .groupBy('asset.duplicateId'),
         )
-        .with('unique', (qb) =>
-          qb
-            .selectFrom('duplicates')
-            .select('duplicateId')
-            .where((eb) => eb(eb.fn('json_array_length', ['assets']), '=', 1)),
-        )
-        .with('removed_unique', (qb) =>
-          qb
-            .updateTable('asset')
-            .set({ duplicateId: null })
-            .from('unique')
-            .whereRef('asset.duplicateId', '=', 'unique.duplicateId'),
-        )
         .selectFrom('duplicates')
         .selectAll()
-        // TODO: compare with filtering by json_array_length > 1
-        .where(({ not, exists }) =>
-          not(exists((eb) => eb.selectFrom('unique').whereRef('unique.duplicateId', '=', 'duplicates.duplicateId'))),
-        )
+        // Filter out singleton groups (only 1 asset) directly in the query
+        .where((eb) => eb(eb.fn('json_array_length', ['assets']), '>', 1))
         .execute()
     );
   }
 
+  @GenerateSql({ params: [DummyValue.UUID] })
+  async cleanupSingletonGroups(userId: string): Promise<void> {
+    // Remove duplicateId from assets that are the only member of their duplicate group
+    await this.db
+      .with('singletons', (qb) =>
+        qb
+          .selectFrom('asset')
+          .select('duplicateId')
+          .where('ownerId', '=', asUuid(userId))
+          .where('duplicateId', 'is not', null)
+          .$narrowType<{ duplicateId: NotNull }>()
+          .where('deletedAt', 'is', null)
+          .where('stackId', 'is', null)
+          .groupBy('duplicateId')
+          .having((eb) => eb.fn.count('id'), '=', 1),
+      )
+      .updateTable('asset')
+      .set({ duplicateId: null })
+      .from('singletons')
+      .whereRef('asset.duplicateId', '=', 'singletons.duplicateId')
+      .execute();
+  }
+
+  @GenerateSql({ params: [DummyValue.UUID, DummyValue.UUID] })
+  async get(duplicateId: string): Promise<{ duplicateId: string; assets: MapAsset[] } | undefined> {
+    const result = await this.db
+      .selectFrom('asset')
+      .$call(withDefaultVisibility)
+      // Use innerJoinLateral to build a composite object per asset that includes
+      // exifInfo and tags. This "asset2" object is then aggregated via jsonAgg.
+      // Tags must be included here (not via separate joins) so they appear in the
+      // final MapAsset[] output - needed for tag synchronization during resolution.
+      .innerJoinLateral(
+        (qb) =>
+          qb
+            .selectFrom('asset_exif')
+            .selectAll('asset')
+            .select((eb) => eb.fn.toJson('asset_exif').as('exifInfo'))
+            .select((eb) =>
+              jsonArrayFrom(
+                eb
+                  .selectFrom('tag')
+                  .select(columns.tag)
+                  .innerJoin('tag_asset', 'tag.id', 'tag_asset.tagId')
+                  .whereRef('tag_asset.assetId', '=', 'asset.id'),
+              ).as('tags'),
+            )
+            .whereRef('asset_exif.assetId', '=', 'asset.id')
+            .as('asset2'),
+        (join) => join.onTrue(),
+      )
+      .select('asset.duplicateId')
+      .select((eb) => eb.fn.jsonAgg('asset2').orderBy('asset.localDateTime', 'asc').$castTo<MapAsset[]>().as('assets'))
+      .where('asset.duplicateId', '=', asUuid(duplicateId))
+      .where('asset.deletedAt', 'is', null)
+      .where('asset.stackId', 'is', null)
+      .groupBy('asset.duplicateId')
+      .executeTakeFirst();
+
+    if (!result || !result.duplicateId) {
+      return;
+    }
+
+    return { duplicateId: result.duplicateId, assets: result.assets };
+  }
+
   @GenerateSql({ params: [DummyValue.UUID, DummyValue.UUID] })
   async delete(userId: string, id: string): Promise<void> {
     await this.db
@@ -134,7 +210,7 @@ export class DuplicateRepository {
             .where('asset.id', '!=', asUuid(assetId))
             .where('asset.stackId', 'is', null)
             .orderBy('distance')
-            .limit(64),
+            .limit(DUPLICATE_SEARCH_LIMIT),
         )
         .selectFrom('cte')
         .selectAll()

server/src/repositories/shared-link.repository.ts

@@ -1,5 +1,5 @@
 import { Injectable } from '@nestjs/common';
-import { Insertable, Kysely, Selectable, ShallowDehydrateObject, sql, Updateable } from 'kysely';
+import { ExpressionBuilder, Insertable, Kysely, Selectable, ShallowDehydrateObject, sql, Updateable } from 'kysely';
 import { jsonArrayFrom, jsonObjectFrom } from 'kysely/helpers/postgres';
 import _ from 'lodash';
 import { InjectKysely } from 'nestjs-kysely';
@@ -17,6 +17,41 @@ export type SharedLinkSearchOptions = {
   albumId?: string;
 };
 
+const withSharedAssets = (eb: ExpressionBuilder<DB, 'shared_link'>) => {
+  return eb
+    .selectFrom('shared_link_asset')
+    .whereRef('shared_link.id', '=', 'shared_link_asset.sharedLinkId')
+    .innerJoin('asset', 'asset.id', 'shared_link_asset.assetId')
+    .where('asset.deletedAt', 'is', null)
+    .selectAll('asset')
+    .orderBy('asset.fileCreatedAt', 'asc');
+};
+
+export const withExifInfo = (eb: ExpressionBuilder<DB, 'asset'>) => {
+  return eb
+    .selectFrom('asset_exif')
+    .select(columns.exif)
+    .whereRef('asset_exif.assetId', '=', 'asset.id')
+    .as('exifInfo');
+};
+
+const withAlbumOwner = (eb: ExpressionBuilder<DB, 'album'>) => {
+  return eb
+    .selectFrom('user')
+    .select(columns.user)
+    .whereRef('user.id', '=', 'album.ownerId')
+    .where('user.deletedAt', 'is', null)
+    .as('owner');
+};
+
+const withSharedLinkAlbum = (eb: ExpressionBuilder<DB, 'shared_link'>) => {
+  return eb
+    .selectFrom('album')
+    .selectAll('album')
+    .whereRef('album.id', '=', 'shared_link.albumId')
+    .where('album.deletedAt', 'is', null);
+};
+
 @Injectable()
 export class SharedLinkRepository {
   constructor(@InjectKysely() private db: Kysely<DB>) {}
@@ -26,35 +61,16 @@ export class SharedLinkRepository {
     return this.db
       .selectFrom('shared_link')
       .selectAll('shared_link')
-      .leftJoinLateral(
-        (eb) =>
-          eb
-            .selectFrom('shared_link_asset')
-            .whereRef('shared_link.id', '=', 'shared_link_asset.sharedLinkId')
-            .innerJoin('asset', 'asset.id', 'shared_link_asset.assetId')
-            .where('asset.deletedAt', 'is', null)
-            .selectAll('asset')
-            .innerJoinLateral(
-              (eb) =>
-                eb
-                  .selectFrom('asset_exif')
-                  .selectAll('asset_exif')
-                  .whereRef('asset_exif.assetId', '=', 'asset.id')
-                  .as('exifInfo'),
-              (join) => join.onTrue(),
-            )
-            .select((eb) => eb.fn.toJson('exifInfo').as('exifInfo'))
-            .orderBy('asset.fileCreatedAt', 'asc')
-            .as('a'),
-        (join) => join.onTrue(),
+      .select((eb) =>
+        jsonArrayFrom(
+          withSharedAssets(eb)
+            .innerJoinLateral(withExifInfo, (join) => join.onTrue())
+            .select((eb) => eb.fn.toJson('exifInfo').as('exifInfo')),
+        ).as('assets'),
       )
       .leftJoinLateral(
         (eb) =>
-          eb
-            .selectFrom('album')
-            .selectAll('album')
-            .whereRef('album.id', '=', 'shared_link.albumId')
-            .where('album.deletedAt', 'is', null)
+          withSharedLinkAlbum(eb)
             .leftJoin('album_asset', 'album_asset.albumId', 'album.id')
             .leftJoinLateral(
               (eb) =>
@@ -63,30 +79,13 @@ export class SharedLinkRepository {
                   .selectAll('asset')
                   .whereRef('album_asset.assetId', '=', 'asset.id')
                   .where('asset.deletedAt', 'is', null)
-                  .innerJoinLateral(
-                    (eb) =>
-                      eb
-                        .selectFrom('asset_exif')
-                        .selectAll('asset_exif')
-                        .whereRef('asset_exif.assetId', '=', 'asset.id')
-                        .as('exifInfo'),
-                    (join) => join.onTrue(),
-                  )
+                  .innerJoinLateral(withExifInfo, (join) => join.onTrue())
                   .select((eb) => eb.fn.toJson(eb.table('exifInfo')).as('exifInfo'))
                   .orderBy('asset.fileCreatedAt', 'asc')
                   .as('assets'),
               (join) => join.onTrue(),
             )
-            .innerJoinLateral(
-              (eb) =>
-                eb
-                  .selectFrom('user')
-                  .selectAll('user')
-                  .whereRef('user.id', '=', 'album.ownerId')
-                  .where('user.deletedAt', 'is', null)
-                  .as('owner'),
-              (join) => join.onTrue(),
-            )
+            .innerJoinLateral(withAlbumOwner, (join) => join.onTrue())
             .select((eb) =>
               eb.fn
                 .coalesce(
@@ -104,17 +103,6 @@ export class SharedLinkRepository {
             .as('album'),
         (join) => join.onTrue(),
       )
-      .select((eb) =>
-        eb.fn
-          .coalesce(eb.fn.jsonAgg('a').filterWhere('a.id', 'is not', null), sql`'[]'`)
-          .$castTo<
-            (ShallowDehydrateObject<Selectable<AssetTable>> & {
-              exifInfo: ShallowDehydrateObject<Selectable<AssetExifTable>>;
-            })[]
-          >()
-          .as('assets'),
-      )
-      .groupBy(['shared_link.id', sql`"album".*`])
       .select((eb) => eb.fn.toJson(eb.table('album')).$castTo<ShallowDehydrateObject<Album> | null>().as('album'))
       .where('shared_link.id', '=', id)
       .where('shared_link.userId', '=', userId)
@@ -128,53 +116,13 @@ export class SharedLinkRepository {
     return this.db
       .selectFrom('shared_link')
       .selectAll('shared_link')
+      .select((eb) => jsonArrayFrom(withSharedAssets(eb).limit(1)).as('assets'))
       .where('shared_link.userId', '=', userId)
-      .select((eb) =>
-        jsonArrayFrom(
-          eb
-            .selectFrom('shared_link_asset')
-            .whereRef('shared_link.id', '=', 'shared_link_asset.sharedLinkId')
-            .innerJoin('asset', 'asset.id', 'shared_link_asset.assetId')
-            .where('asset.deletedAt', 'is', null)
-            .selectAll('asset')
-            .orderBy('asset.fileCreatedAt', 'asc')
-            .limit(1),
-        ).as('assets'),
-      )
       .leftJoinLateral(
         (eb) =>
-          eb
-            .selectFrom('album')
-            .selectAll('album')
-            .whereRef('album.id', '=', 'shared_link.albumId')
-            .innerJoinLateral(
-              (eb) =>
-                eb
-                  .selectFrom('user')
-                  .select([
-                    'user.id',
-                    'user.email',
-                    'user.createdAt',
-                    'user.profileImagePath',
-                    'user.isAdmin',
-                    'user.shouldChangePassword',
-                    'user.deletedAt',
-                    'user.oauthId',
-                    'user.updatedAt',
-                    'user.storageLabel',
-                    'user.name',
-                    'user.quotaSizeInBytes',
-                    'user.quotaUsageInBytes',
-                    'user.status',
-                    'user.profileChangedAt',
-                  ])
-                  .whereRef('user.id', '=', 'album.ownerId')
-                  .where('user.deletedAt', 'is', null)
-                  .as('owner'),
-              (join) => join.onTrue(),
-            )
+          withSharedLinkAlbum(eb)
+            .innerJoinLateral(withAlbumOwner, (join) => join.onTrue())
             .select((eb) => eb.fn.toJson('owner').as('owner'))
-            .where('album.deletedAt', 'is', null)
             .as('album'),
         (join) => join.onTrue(),
       )
@@ -283,11 +231,7 @@ export class SharedLinkRepository {
             .selectFrom('asset')
             .whereRef('asset.id', '=', 'shared_link_asset.assetId')
             .selectAll('asset')
-            .innerJoinLateral(
-              (eb) =>
-                eb.selectFrom('asset_exif').whereRef('asset_exif.assetId', '=', 'asset.id').selectAll().as('exifInfo'),
-              (join) => join.onTrue(),
-            )
+            .innerJoinLateral(withExifInfo, (join) => join.onTrue())
             .as('assets'),
         (join) => join.onTrue(),
       )

server/src/schema/enums.ts

@@ -1,5 +1,5 @@
 import { registerEnum } from '@immich/sql-tools';
-import { AssetStatus, AssetVisibility, SourceType } from 'src/enum';
+import { AssetStatus, AssetVisibility, ChecksumAlgorithm, SourceType } from 'src/enum';
 
 export const assets_status_enum = registerEnum({
   name: 'assets_status_enum',
@@ -15,3 +15,8 @@ export const asset_visibility_enum = registerEnum({
   name: 'asset_visibility_enum',
   values: Object.values(AssetVisibility),
 });
+
+export const asset_checksum_algorithm_enum = registerEnum({
+  name: 'asset_checksum_algorithm_enum',
+  values: Object.values(ChecksumAlgorithm),
+});

server/src/schema/migrations/1774548649115-AddChecksumAlgorithm.ts.ts

@@ -0,0 +1,21 @@
+import { Kysely, sql } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await sql`CREATE TYPE "asset_checksum_algorithm_enum" AS ENUM ('sha1','sha1-path');`.execute(db);
+  await sql`ALTER TABLE "asset" ADD "checksumAlgorithm" asset_checksum_algorithm_enum;`.execute(db);
+
+  await sql`
+    UPDATE "asset"
+    SET "checksumAlgorithm" = CASE
+      WHEN "isExternal" = true THEN 'sha1-path'::asset_checksum_algorithm_enum
+      ELSE 'sha1'::asset_checksum_algorithm_enum
+    END
+  `.execute(db);
+
+  await sql`ALTER TABLE "asset" ALTER COLUMN "checksumAlgorithm" SET NOT NULL;`.execute(db);
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await sql`ALTER TABLE "asset" DROP COLUMN "checksumAlgorithm";`.execute(db);
+  await sql`DROP TYPE "asset_checksum_algorithm_enum";`.execute(db);
+}

server/src/schema/tables/asset.table.ts

@@ -12,8 +12,8 @@ import {
   UpdateDateColumn,
 } from '@immich/sql-tools';
 import { UpdatedAtTrigger, UpdateIdColumn } from 'src/decorators';
-import { AssetStatus, AssetType, AssetVisibility } from 'src/enum';
-import { asset_visibility_enum, assets_status_enum } from 'src/schema/enums';
+import { AssetStatus, AssetType, AssetVisibility, ChecksumAlgorithm } from 'src/enum';
+import { asset_checksum_algorithm_enum, asset_visibility_enum, assets_status_enum } from 'src/schema/enums';
 import { asset_delete_audit } from 'src/schema/functions';
 import { LibraryTable } from 'src/schema/tables/library.table';
 import { StackTable } from 'src/schema/tables/stack.table';
@@ -95,6 +95,9 @@ export class AssetTable {
   @Column({ type: 'bytea', index: true })
   checksum!: Buffer; // sha1 checksum
 
+  @Column({ enum: asset_checksum_algorithm_enum })
+  checksumAlgorithm!: ChecksumAlgorithm;
+
   @ForeignKeyColumn(() => AssetTable, { nullable: true, onUpdate: 'CASCADE', onDelete: 'SET NULL' })
   livePhotoVideoId!: string | null;
 

server/src/services/asset-media.service.ts

@@ -27,6 +27,7 @@ import {
   AssetStatus,
   AssetVisibility,
   CacheControl,
+  ChecksumAlgorithm,
   JobName,
   Permission,
   StorageFolder,
@@ -425,6 +426,7 @@ export class AssetMediaService extends BaseService {
       deviceId: asset.deviceId,
       type: asset.type,
       checksum: asset.checksum,
+      checksumAlgorithm: asset.checksumAlgorithm,
       fileCreatedAt: asset.fileCreatedAt,
       localDateTime: asset.localDateTime,
       fileModifiedAt: asset.fileModifiedAt,
@@ -446,6 +448,7 @@ export class AssetMediaService extends BaseService {
       libraryId: null,
 
       checksum: file.checksum,
+      checksumAlgorithm: ChecksumAlgorithm.sha1File,
       originalPath: file.originalPath,
 
       deviceAssetId: dto.deviceAssetId,

server/src/services/database-backup.service.spec.ts

@@ -27,6 +27,7 @@ describe(DatabaseBackupService.name, () => {
       mocks.systemMetadata as never,
       mocks.process,
       mocks.database as never,
+      mocks.user as never,
       mocks.cron as never,
       mocks.job as never,
       maintenanceHealthRepositoryMock as never,
@@ -187,6 +188,7 @@ describe(DatabaseBackupService.name, () => {
         mocks.systemMetadata as never,
         mocks.process,
         mocks.database as never,
+        mocks.user as never,
         mocks.cron as never,
         mocks.job as never,
         void 0 as never,
@@ -400,6 +402,7 @@ describe(DatabaseBackupService.name, () => {
           mocks.systemMetadata as never,
           mocks.process,
           mocks.database as never,
+          mocks.user as never,
           mocks.cron as never,
           mocks.job as never,
           void 0 as never,
@@ -474,6 +477,7 @@ describe(DatabaseBackupService.name, () => {
           mocks.systemMetadata as never,
           mocks.process,
           mocks.database as never,
+          mocks.user as never,
           mocks.cron as never,
           mocks.job as never,
           void 0 as never,
@@ -536,6 +540,7 @@ describe(DatabaseBackupService.name, () => {
           mocks.systemMetadata as never,
           mocks.process,
           mocks.database as never,
+          mocks.user as never,
           mocks.cron as never,
           mocks.job as never,
           void 0 as never,
@@ -663,6 +668,7 @@ describe(DatabaseBackupService.name, () => {
         mocks.systemMetadata as never,
         mocks.process,
         mocks.database as never,
+        mocks.user as never,
         mocks.cron as never,
         mocks.job as never,
         maintenanceHealthRepositoryMock,
@@ -678,6 +684,8 @@ describe(DatabaseBackupService.name, () => {
     it('should successfully restore a backup', async () => {
       let writtenToPsql = '';
 
+      mocks.user.hasAdmin.mockResolvedValue(true);
+
       mocks.process.spawnDuplexStream.mockImplementationOnce(() => mockDuplex()('command', 0, 'data', ''));
       mocks.process.spawnDuplexStream.mockImplementationOnce(() => mockDuplex()('command', 0, 'data', ''));
       mocks.process.spawnDuplexStream.mockImplementationOnce(() => {
@@ -740,6 +748,8 @@ describe(DatabaseBackupService.name, () => {
     it('should generate pg_dumpall specific SQL instructions', async () => {
       let writtenToPsql = '';
 
+      mocks.user.hasAdmin.mockResolvedValue(true);
+
       mocks.process.spawnDuplexStream.mockImplementationOnce(() => mockDuplex()('command', 0, 'data', ''));
       mocks.process.spawnDuplexStream.mockImplementationOnce(() => mockDuplex()('command', 0, 'data', ''));
       mocks.process.spawnDuplexStream.mockImplementationOnce(() => {
@@ -834,7 +844,24 @@ describe(DatabaseBackupService.name, () => {
       expect(mocks.process.spawnDuplexStream).toHaveBeenCalledTimes(4);
     });
 
+    it('should rollback if there is no admin user', async () => {
+      mocks.user.hasAdmin.mockResolvedValue(false);
+
+      const progress = vitest.fn();
+      await expect(
+        sut.restoreDatabaseBackup('development-filename.sql', progress),
+      ).rejects.toThrowErrorMatchingInlineSnapshot(`[Error: Server health check failed, no admin exists.]`);
+
+      expect(progress).toHaveBeenCalledWith('backup', 0.05);
+      expect(progress).toHaveBeenCalledWith('migrations', 0.9);
+      expect(progress).toHaveBeenCalledWith('rollback', 0);
+
+      expect(mocks.user.hasAdmin).toHaveBeenCalled();
+      expect(mocks.process.spawnDuplexStream).toHaveBeenCalledTimes(4);
+    });
+
     it('should rollback if API healthcheck fails', async () => {
+      mocks.user.hasAdmin.mockResolvedValue(true);
       maintenanceHealthRepositoryMock.checkApiHealth.mockRejectedValue(new Error('Health Error'));
 
       const progress = vitest.fn();
@@ -846,6 +873,7 @@ describe(DatabaseBackupService.name, () => {
       expect(progress).toHaveBeenCalledWith('migrations', 0.9);
       expect(progress).toHaveBeenCalledWith('rollback', 0);
 
+      expect(mocks.user.hasAdmin).toHaveBeenCalled();
       expect(maintenanceHealthRepositoryMock.checkApiHealth).toHaveBeenCalled();
       expect(mocks.process.spawnDuplexStream).toHaveBeenCalledTimes(4);
     });

server/src/services/database-backup.service.ts

@@ -20,6 +20,7 @@ import { LoggingRepository } from 'src/repositories/logging.repository';
 import { ProcessRepository } from 'src/repositories/process.repository';
 import { StorageRepository } from 'src/repositories/storage.repository';
 import { SystemMetadataRepository } from 'src/repositories/system-metadata.repository';
+import { UserRepository } from 'src/repositories/user.repository';
 import { getConfig } from 'src/utils/config';
 import {
   findDatabaseBackupVersion,
@@ -40,6 +41,7 @@ export class DatabaseBackupService {
     private readonly systemMetadataRepository: SystemMetadataRepository,
     private readonly processRepository: ProcessRepository,
     private readonly databaseRepository: DatabaseRepository,
+    private readonly userRepository: UserRepository,
     @Optional()
     private readonly cronRepository: CronRepository,
     @Optional()
@@ -405,7 +407,14 @@ export class DatabaseBackupService {
 
       try {
         progressCb?.('migrations', 0.9);
+
         await this.databaseRepository.runMigrations();
+
+        const hasAdmin = await this.userRepository.hasAdmin();
+        if (!hasAdmin) {
+          throw new Error('Server health check failed, no admin exists.');
+        }
+
         await this.maintenanceHealthRepository.checkApiHealth();
       } catch (error) {
         progressCb?.('rollback', 0);

server/src/services/duplicate.service.spec.ts

@@ -1,12 +1,13 @@
+import { BulkIdErrorReason } from 'src/dtos/asset-ids.response.dto';
+import { MapAsset } from 'src/dtos/asset-response.dto';
 import { AssetType, AssetVisibility, JobName, JobStatus } from 'src/enum';
 import { DuplicateService } from 'src/services/duplicate.service';
-import { SearchService } from 'src/services/search.service';
 import { AssetFactory } from 'test/factories/asset.factory';
 import { authStub } from 'test/fixtures/auth.stub';
 import { getForDuplicate } from 'test/mappers';
 import { newUuid } from 'test/small.factory';
 import { makeStream, newTestService, ServiceMocks } from 'test/utils';
-import { beforeEach, vitest } from 'vitest';
+import { beforeEach, describe, expect, it, vitest } from 'vitest';
 
 vitest.useFakeTimers();
 
@@ -26,7 +27,7 @@ const hasDupe = {
   duplicateId: 'duplicate-id',
 };
 
-describe(SearchService.name, () => {
+describe(DuplicateService.name, () => {
   let sut: DuplicateService;
   let mocks: ServiceMocks;
 
@@ -41,6 +42,8 @@ describe(SearchService.name, () => {
   describe('getDuplicates', () => {
     it('should get duplicates', async () => {
       const asset = AssetFactory.from().exif().build();
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['duplicate-id']));
+      mocks.duplicateRepository.cleanupSingletonGroups.mockResolvedValue();
       mocks.duplicateRepository.getAll.mockResolvedValue([
         {
           duplicateId: 'duplicate-id',
@@ -51,9 +54,24 @@ describe(SearchService.name, () => {
         {
           duplicateId: 'duplicate-id',
           assets: [expect.objectContaining({ id: asset.id }), expect.objectContaining({ id: asset.id })],
+          suggestedKeepAssetIds: [asset.id],
         },
       ]);
     });
+
+    it('should return suggestedKeepAssetIds based on file size', async () => {
+      const smallAsset = AssetFactory.from().exif({ fileSizeInByte: 1000 }).build();
+      const largeAsset = AssetFactory.from().exif({ fileSizeInByte: 5000 }).build();
+      mocks.duplicateRepository.cleanupSingletonGroups.mockResolvedValue();
+      mocks.duplicateRepository.getAll.mockResolvedValue([
+        {
+          duplicateId: 'duplicate-id',
+          assets: [getForDuplicate(smallAsset), getForDuplicate(largeAsset)],
+        },
+      ]);
+      const result = await sut.getDuplicates(authStub.admin);
+      expect(result[0].suggestedKeepAssetIds).toEqual([largeAsset.id]);
+    });
   });
 
   describe('handleQueueSearchDuplicates', () => {
@@ -131,6 +149,200 @@ describe(SearchService.name, () => {
     });
   });
 
+  describe('resolve', () => {
+    it('should handle mixed success and failure', async () => {
+      const asset = AssetFactory.create();
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['group-1', 'group-2']));
+      mocks.duplicateRepository.get.mockResolvedValueOnce(void 0);
+      mocks.duplicateRepository.get.mockResolvedValueOnce({
+        duplicateId: 'group-2',
+        assets: [asset as unknown as MapAsset],
+      });
+
+      await expect(
+        sut.resolve(authStub.admin, {
+          groups: [
+            { duplicateId: 'group-1', keepAssetIds: [], trashAssetIds: [] },
+            { duplicateId: 'group-2', keepAssetIds: [asset.id], trashAssetIds: [] },
+          ],
+        }),
+      ).resolves.toEqual([
+        { id: 'group-1', success: false, error: BulkIdErrorReason.NOT_FOUND },
+        { id: 'group-2', success: true },
+      ]);
+    });
+
+    it('should catch and report errors', async () => {
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['group-1']));
+      mocks.duplicateRepository.get.mockRejectedValue(new Error('Database error'));
+
+      await expect(
+        sut.resolve(authStub.admin, {
+          groups: [{ duplicateId: 'group-1', keepAssetIds: [], trashAssetIds: [] }],
+        }),
+      ).resolves.toEqual([{ id: 'group-1', success: false, error: BulkIdErrorReason.UNKNOWN }]);
+    });
+  });
+
+  describe('resolveGroup (via resolve)', () => {
+    it('should fail if duplicate group not found', async () => {
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['missing-id']));
+      mocks.duplicateRepository.get.mockResolvedValue(void 0);
+
+      await expect(
+        sut.resolve(authStub.admin, {
+          groups: [{ duplicateId: 'missing-id', keepAssetIds: [], trashAssetIds: [] }],
+        }),
+      ).resolves.toEqual([
+        {
+          id: 'missing-id',
+          success: false,
+          error: BulkIdErrorReason.NOT_FOUND,
+        },
+      ]);
+    });
+
+    it('should skip when keepAssetIds contains non-member', async () => {
+      const asset = AssetFactory.create();
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['group-1']));
+      mocks.duplicateRepository.get.mockResolvedValue({
+        duplicateId: 'group-1',
+        assets: [asset as unknown as MapAsset],
+      });
+
+      await expect(
+        sut.resolve(authStub.admin, {
+          groups: [{ duplicateId: 'group-1', keepAssetIds: ['asset-999', asset.id], trashAssetIds: [] }],
+        }),
+      ).resolves.toEqual([{ id: 'group-1', success: true }]);
+    });
+
+    it('should skip when trashAssetIds contains non-member', async () => {
+      const asset = AssetFactory.create();
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['group-1']));
+      mocks.duplicateRepository.get.mockResolvedValue({
+        duplicateId: 'group-1',
+        assets: [asset as unknown as MapAsset],
+      });
+
+      await expect(
+        sut.resolve(authStub.admin, {
+          groups: [{ duplicateId: 'group-1', keepAssetIds: [asset.id], trashAssetIds: ['asset-999'] }],
+        }),
+      ).resolves.toEqual([{ id: 'group-1', success: true }]);
+    });
+
+    it('should fail if keepAssetIds and trashAssetIds overlap', async () => {
+      const asset1 = AssetFactory.create();
+      const asset2 = AssetFactory.create();
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['group-1']));
+      mocks.duplicateRepository.get.mockResolvedValue({
+        duplicateId: 'group-1',
+        assets: [asset1 as unknown as MapAsset, asset2 as unknown as MapAsset],
+      });
+
+      const result = await sut.resolve(authStub.admin, {
+        groups: [{ duplicateId: 'group-1', keepAssetIds: [asset1.id], trashAssetIds: [asset1.id] }],
+      });
+
+      expect(result[0].success).toBe(false);
+      expect(result[0].errorMessage).toContain('An asset cannot be in both keepAssetIds and trashAssetIds');
+    });
+
+    it('should fail if keepAssetIds and trashAssetIds do not cover all assets', async () => {
+      const asset1 = AssetFactory.create();
+      const asset2 = AssetFactory.create();
+      const asset3 = AssetFactory.create();
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['group-1']));
+      mocks.duplicateRepository.get.mockResolvedValue({
+        duplicateId: 'group-1',
+        assets: [asset1 as unknown as MapAsset, asset2 as unknown as MapAsset, asset3 as unknown as MapAsset],
+      });
+
+      const result = await sut.resolve(authStub.admin, {
+        groups: [{ duplicateId: 'group-1', keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+      });
+
+      expect(result[0].success).toBe(false);
+      expect(result[0].errorMessage).toContain('Every asset must be in either keepAssetIds or trashAssetIds');
+    });
+
+    it('should fail if partial trash without keepers', async () => {
+      const asset1 = AssetFactory.create();
+      const asset2 = AssetFactory.create();
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['group-1']));
+      mocks.duplicateRepository.get.mockResolvedValue({
+        duplicateId: 'group-1',
+        assets: [asset1 as unknown as MapAsset, asset2 as unknown as MapAsset],
+      });
+
+      const result = await sut.resolve(authStub.admin, {
+        groups: [{ duplicateId: 'group-1', keepAssetIds: [], trashAssetIds: [asset1.id] }],
+      });
+
+      expect(result[0].success).toBe(false);
+      expect(result[0].errorMessage).toContain('Every asset must be in either keepAssetIds or trashAssetIds');
+    });
+
+    it('should sync merged tags to asset_exif.tags', async () => {
+      const asset1 = AssetFactory.create();
+      const asset2 = AssetFactory.create();
+      mocks.access.duplicate.checkOwnerAccess.mockResolvedValue(new Set(['group-1']));
+      mocks.access.asset.checkOwnerAccess.mockResolvedValue(new Set(['asset-2']));
+      mocks.access.tag.checkOwnerAccess.mockResolvedValue(new Set(['tag-1', 'tag-2']));
+      mocks.duplicateRepository.get.mockResolvedValue({
+        duplicateId: 'group-1',
+        assets: [
+          {
+            ...asset1,
+            tags: [
+              {
+                id: 'tag-1',
+                value: 'Work',
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+                parentId: null,
+                color: null,
+              },
+            ],
+          },
+          {
+            ...asset2,
+            tags: [
+              {
+                id: 'tag-2',
+                value: 'Travel',
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+                parentId: null,
+                color: null,
+              },
+            ],
+          },
+        ] as any,
+      });
+
+      const result = await sut.resolve(authStub.admin, {
+        groups: [{ duplicateId: 'group-1', keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
+      });
+
+      expect(result[0].success).toBe(true);
+
+      // Verify tags were applied to tag_asset table
+      expect(mocks.tag.replaceAssetTags).toHaveBeenCalledWith(asset1.id, ['tag-1', 'tag-2']);
+
+      // Verify merged tag values were written to asset_exif.tags so SidecarWrite preserves them
+      expect(mocks.asset.updateAllExif).toHaveBeenCalledWith([asset1.id], { tags: ['Work', 'Travel'] });
+
+      // Verify SidecarWrite was queued (to write tags to sidecar)
+      expect(mocks.job.queueAll).toHaveBeenCalledWith([{ name: JobName.SidecarWrite, data: { id: asset1.id } }]);
+    });
+
+    // NOTE: The following integration-style tests are covered by E2E tests instead
+    // to avoid complex mock setup. The validation and error-handling logic above
+    // is thoroughly unit tested.
+  });
+
   describe('handleSearchDuplicates', () => {
     beforeEach(() => {
       mocks.systemMetadata.get.mockResolvedValue({

server/src/services/duplicate.service.ts

@@ -1,24 +1,84 @@
 import { Injectable } from '@nestjs/common';
 import { JOBS_ASSET_PAGINATION_SIZE } from 'src/constants';
 import { OnJob } from 'src/decorators';
-import { BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
-import { mapAsset } from 'src/dtos/asset-response.dto';
+import { BulkIdErrorReason, BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
+import { MapAsset, mapAsset } from 'src/dtos/asset-response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { DuplicateResponseDto } from 'src/dtos/duplicate.dto';
-import { AssetVisibility, JobName, JobStatus, QueueName } from 'src/enum';
+import { DuplicateResolveDto, DuplicateResolveGroupDto, DuplicateResponseDto } from 'src/dtos/duplicate.dto';
+import { AssetStatus, AssetVisibility, JobName, JobStatus, Permission, QueueName } from 'src/enum';
 import { AssetDuplicateResult } from 'src/repositories/search.repository';
 import { BaseService } from 'src/services/base.service';
 import { JobItem, JobOf } from 'src/types';
+import { suggestDuplicateKeepAssetIds } from 'src/utils/duplicate';
 import { isDuplicateDetectionEnabled } from 'src/utils/misc';
 
+type ResolveRequest = {
+  assetUpdate: {
+    isFavorite?: boolean;
+    visibility?: AssetVisibility;
+  };
+
+  exifUpdate: {
+    rating?: number;
+    latitude?: number;
+    longitude?: number;
+    description?: string;
+  };
+
+  mergedAlbumIds: string[];
+
+  mergedTagIds: string[];
+
+  mergedTagValues: string[];
+};
+
+const uniqueNonEmptyLines = (values: Array<string | null | undefined>): string[] => {
+  const unique = new Set<string>();
+  const lines: string[] = [];
+  for (const value of values) {
+    if (!value) {
+      continue;
+    }
+    for (const line of value.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (!trimmed || unique.has(trimmed)) {
+        continue;
+      }
+      unique.add(trimmed);
+      lines.push(trimmed);
+    }
+  }
+  return lines;
+};
+
+const getUniqueCoordinate = (assets: MapAsset[], key: 'latitude' | 'longitude'): number | null => {
+  const values = assets
+    .map((asset) => asset.exifInfo?.[key])
+    .filter((value): value is number => Number.isFinite(value));
+
+  if (values.length === 0) {
+    return null;
+  }
+
+  const unique = new Set(values);
+  return unique.size === 1 ? [...unique][0] : null;
+};
+
 @Injectable()
 export class DuplicateService extends BaseService {
   async getDuplicates(auth: AuthDto): Promise<DuplicateResponseDto[]> {
+    // Clean up singleton groups (assets that are the only member of their duplicate group)
+    await this.duplicateRepository.cleanupSingletonGroups(auth.user.id);
+
     const duplicates = await this.duplicateRepository.getAll(auth.user.id);
-    return duplicates.map(({ duplicateId, assets }) => ({
-      duplicateId,
-      assets: assets.map((asset) => mapAsset(asset, { auth })),
-    }));
+    return duplicates.map(({ duplicateId, assets }) => {
+      const mappedAssets = assets.map((asset) => mapAsset(asset, { auth }));
+      return {
+        duplicateId,
+        assets: mappedAssets,
+        suggestedKeepAssetIds: suggestDuplicateKeepAssetIds(mappedAssets),
+      };
+    });
   }
 
   async delete(auth: AuthDto, id: string): Promise<void> {
@@ -29,6 +89,213 @@ export class DuplicateService extends BaseService {
     await this.duplicateRepository.deleteAll(auth.user.id, dto.ids);
   }
 
+  async resolve(auth: AuthDto, dto: DuplicateResolveDto) {
+    const duplicateIds = dto.groups.map(({ duplicateId }) => duplicateId);
+
+    await this.requireAccess({ auth, permission: Permission.DuplicateDelete, ids: duplicateIds });
+
+    const results: BulkIdResponseDto[] = [];
+
+    for (const group of dto.groups) {
+      try {
+        results.push(await this.resolveGroup(auth, group));
+      } catch (error: Error | any) {
+        this.logger.error(`Error resolving duplicate group ${group.duplicateId}: ${error}`, error?.stack);
+        results.push({ id: group.duplicateId, success: false, error: BulkIdErrorReason.UNKNOWN });
+      }
+    }
+
+    return results;
+  }
+
+  private async resolveGroup(auth: AuthDto, group: DuplicateResolveGroupDto): Promise<BulkIdResponseDto> {
+    const { duplicateId, keepAssetIds, trashAssetIds } = group;
+
+    const duplicateGroup = await this.duplicateRepository.get(duplicateId);
+    if (!duplicateGroup) {
+      return { id: duplicateId, success: false, error: BulkIdErrorReason.NOT_FOUND };
+    }
+
+    const groupAssetIds = new Set(duplicateGroup.assets.map((a) => a.id));
+
+    // ignore/skip asset IDs not in the group
+    const idsToKeep = keepAssetIds.filter((id) => groupAssetIds.has(id));
+    const idsToTrash = trashAssetIds.filter((id) => groupAssetIds.has(id));
+
+    for (const assetId of groupAssetIds) {
+      if (idsToKeep.includes(assetId) && idsToTrash.includes(assetId)) {
+        return {
+          id: duplicateId,
+          success: false,
+          error: BulkIdErrorReason.VALIDATION,
+          errorMessage: 'An asset cannot be in both keepAssetIds and trashAssetIds',
+        };
+      }
+
+      if (!idsToKeep.includes(assetId) && !idsToTrash.includes(assetId)) {
+        return {
+          id: duplicateId,
+          success: false,
+          error: BulkIdErrorReason.VALIDATION,
+          errorMessage: 'Every asset must be in either keepAssetIds or trashAssetIds',
+        };
+      }
+    }
+
+    if (idsToTrash.length > 0) {
+      const ids = await this.checkAccess({ auth, permission: Permission.AssetDelete, ids: idsToTrash });
+      if (ids.size !== idsToTrash.length) {
+        return {
+          id: duplicateId,
+          success: false,
+          error: BulkIdErrorReason.NO_PERMISSION,
+          errorMessage: 'No permission to delete assets',
+        };
+      }
+    }
+
+    const assetAlbumMap = await this.albumRepository.getByAssetIds(auth.user.id, [...groupAssetIds]);
+
+    const { assetUpdate, exifUpdate, mergedAlbumIds, mergedTagIds, mergedTagValues } = this.getSyncMergeResult(
+      duplicateGroup.assets,
+      assetAlbumMap,
+    );
+
+    if (mergedAlbumIds.length > 0) {
+      const allowedAlbumIds = await this.checkAccess({
+        auth,
+        permission: Permission.AlbumAssetCreate,
+        ids: mergedAlbumIds,
+      });
+
+      const allowedShareIds = await this.checkAccess({
+        auth,
+        permission: Permission.AssetShare,
+        ids: idsToKeep,
+      });
+
+      if (allowedAlbumIds.size > 0 && allowedShareIds.size > 0) {
+        await this.albumRepository.addAssetIdsToAlbums(
+          [...allowedAlbumIds].flatMap((albumId) => [...allowedShareIds].map((assetId) => ({ albumId, assetId }))),
+        );
+      }
+    }
+
+    if (mergedTagIds.length > 0) {
+      const allowedTagIds = await this.checkAccess({
+        auth,
+        permission: Permission.TagAsset,
+        ids: mergedTagIds,
+      });
+
+      if (allowedTagIds.size > 0) {
+        // Replace tags for each keeper asset to ensure all merged tags are applied
+        await Promise.all(idsToKeep.map((assetId) => this.tagRepository.replaceAssetTags(assetId, [...allowedTagIds])));
+
+        // Update asset_exif.tags so the subsequent SidecarWrite + MetadataExtraction
+        // cycle preserves the merged tags (updateAllExif locks the property automatically)
+        await this.assetRepository.updateAllExif(idsToKeep, { tags: mergedTagValues });
+      }
+    }
+
+    if (idsToKeep.length > 0) {
+      const hasExifUpdate = Object.keys(exifUpdate).length > 0;
+      const hasTagUpdate = mergedTagIds.length > 0;
+
+      if (hasExifUpdate) {
+        await this.assetRepository.updateAllExif(idsToKeep, exifUpdate);
+      }
+
+      if (hasExifUpdate || hasTagUpdate) {
+        await this.jobRepository.queueAll(idsToKeep.map((id) => ({ name: JobName.SidecarWrite, data: { id } })));
+      }
+
+      await this.assetRepository.updateAll(idsToKeep, { duplicateId: null, ...assetUpdate });
+    }
+
+    if (idsToTrash.length > 0) {
+      // TODO: this is duplicated with AssetService.deleteAssets
+      const { trash } = await this.getConfig({ withCache: true });
+      const force = !trash.enabled;
+
+      await this.assetRepository.updateAll(idsToTrash, {
+        deletedAt: new Date(),
+        status: force ? AssetStatus.Deleted : AssetStatus.Trashed,
+        duplicateId: null,
+      });
+
+      await this.eventRepository.emit(force ? 'AssetDeleteAll' : 'AssetTrashAll', {
+        assetIds: idsToTrash,
+        userId: auth.user.id,
+      });
+    }
+
+    return { id: duplicateId, success: true };
+  }
+
+  private getSyncMergeResult(assets: MapAsset[], assetAlbumMap: Map<string, string[]> = new Map()): ResolveRequest {
+    const response: ResolveRequest = {
+      mergedAlbumIds: [],
+      mergedTagIds: [],
+      mergedTagValues: [],
+      assetUpdate: {},
+      exifUpdate: {},
+    };
+
+    response.assetUpdate.isFavorite = assets.some((asset) => asset.isFavorite);
+
+    const visibilityOrder = [AssetVisibility.Locked, AssetVisibility.Archive, AssetVisibility.Timeline];
+    let visibility = visibilityOrder.find((level) => assets.some((asset) => asset.visibility === level));
+    if (!visibility && assets.some((asset) => asset.visibility === AssetVisibility.Hidden)) {
+      visibility = AssetVisibility.Hidden;
+    }
+    if (visibility) {
+      response.assetUpdate.visibility = visibility;
+    }
+
+    let rating = 0;
+    for (const asset of assets) {
+      const assetRating = asset.exifInfo?.rating ?? 0;
+      if (assetRating > rating) {
+        rating = assetRating;
+      }
+    }
+    if (rating > 0) {
+      response.exifUpdate.rating = rating;
+    }
+
+    const descriptionLines = uniqueNonEmptyLines(assets.map((asset) => asset.exifInfo?.description));
+    const description = descriptionLines.length > 0 ? descriptionLines.join('\n') : null;
+    if (description !== null) {
+      response.exifUpdate.description = description;
+    }
+
+    const latitude = getUniqueCoordinate(assets, 'latitude');
+    const longitude = getUniqueCoordinate(assets, 'longitude');
+    if (latitude !== null && longitude !== null) {
+      response.exifUpdate.latitude = latitude;
+      response.exifUpdate.longitude = longitude;
+    }
+
+    const albumIdSet = new Set<string>();
+    for (const [, albumIds] of assetAlbumMap) {
+      for (const albumId of albumIds) {
+        albumIdSet.add(albumId);
+      }
+    }
+    response.mergedAlbumIds = [...albumIdSet];
+
+    const allTags = assets.flatMap((asset) => asset.tags ?? []);
+    const tagIds = [...new Set(allTags.map((tag) => tag.id).filter((id): id is string => !!id))];
+    const tagValues = [...new Set(allTags.map((tag) => tag.value).filter((v): v is string => !!v))];
+    if (tagIds.length > 0) {
+      response.mergedTagIds = tagIds;
+      response.mergedTagValues = tagValues;
+    }
+
+    return response;
+  }
+
   @OnJob({ name: JobName.AssetDetectDuplicatesQueueAll, queue: QueueName.DuplicateDetection })
   async handleQueueSearchDuplicates({ force }: JobOf<JobName.AssetDetectDuplicatesQueueAll>): Promise<JobStatus> {
     const { machineLearning } = await this.getConfig({ withCache: false });

server/src/services/library.service.ts

@@ -17,7 +17,17 @@ import {
   ValidateLibraryImportPathResponseDto,
   ValidateLibraryResponseDto,
 } from 'src/dtos/library.dto';
-import { AssetStatus, AssetType, CronJob, DatabaseLock, ImmichWorker, JobName, JobStatus, QueueName } from 'src/enum';
+import {
+  AssetStatus,
+  AssetType,
+  ChecksumAlgorithm,
+  CronJob,
+  DatabaseLock,
+  ImmichWorker,
+  JobName,
+  JobStatus,
+  QueueName,
+} from 'src/enum';
 import { ArgOf } from 'src/repositories/event.repository';
 import { AssetSyncResult } from 'src/repositories/library.repository';
 import { AssetTable } from 'src/schema/tables/asset.table';
@@ -400,6 +410,7 @@ export class LibraryService extends BaseService {
       ownerId,
       libraryId,
       checksum: this.cryptoRepository.hashSha1(`path:${assetPath}`),
+      checksumAlgorithm: ChecksumAlgorithm.sha1Path,
       originalPath: assetPath,
 
       fileCreatedAt: stat.mtime,

server/src/services/metadata.service.spec.ts

@@ -7,6 +7,7 @@ import {
   AssetFileType,
   AssetType,
   AssetVisibility,
+  ChecksumAlgorithm,
   ExifOrientation,
   ImmichWorker,
   JobName,
@@ -652,6 +653,7 @@ describe(MetadataService.name, () => {
       expect(mocks.assetJob.getForMetadataExtraction).toHaveBeenCalledWith(asset.id);
       expect(mocks.asset.create).toHaveBeenCalledWith({
         checksum: expect.any(Buffer),
+        checksumAlgorithm: ChecksumAlgorithm.sha1File,
         deviceAssetId: 'NONE',
         deviceId: 'NONE',
         fileCreatedAt: asset.fileCreatedAt,
@@ -705,6 +707,7 @@ describe(MetadataService.name, () => {
       expect(mocks.assetJob.getForMetadataExtraction).toHaveBeenCalledWith(asset.id);
       expect(mocks.asset.create).toHaveBeenCalledWith({
         checksum: expect.any(Buffer),
+        checksumAlgorithm: ChecksumAlgorithm.sha1File,
         deviceAssetId: 'NONE',
         deviceId: 'NONE',
         fileCreatedAt: asset.fileCreatedAt,
@@ -758,6 +761,7 @@ describe(MetadataService.name, () => {
       expect(mocks.storage.readFile).toHaveBeenCalledWith(asset.originalPath, expect.any(Object));
       expect(mocks.asset.create).toHaveBeenCalledWith({
         checksum: expect.any(Buffer),
+        checksumAlgorithm: ChecksumAlgorithm.sha1File,
         deviceAssetId: 'NONE',
         deviceId: 'NONE',
         fileCreatedAt: asset.fileCreatedAt,
@@ -1641,12 +1645,32 @@ describe(MetadataService.name, () => {
       );
     });
 
-    it('should not overwrite existing width/height if they already exist', async () => {
-      const asset = AssetFactory.create({ width: 1920, height: 1080 });
+    it('should overwrite existing width/height for unedited assets', async () => {
+      const asset = AssetFactory.create({ width: 1920, height: 1080, isEdited: false });
       mocks.assetJob.getForMetadataExtraction.mockResolvedValue(getForMetadataExtraction(asset));
       mockReadTags({ ImageWidth: 1280, ImageHeight: 720 });
 
       await sut.handleMetadataExtraction({ id: asset.id });
+      expect(mocks.asset.update).toHaveBeenCalledWith(
+        expect.objectContaining({
+          width: 1280,
+          height: 720,
+        }),
+      );
+    });
+
+    it('should not overwrite existing width/height for edited assets', async () => {
+      const asset = AssetFactory.create({ width: 1920, height: 1080, isEdited: true });
+      mocks.assetJob.getForMetadataExtraction.mockResolvedValue(getForMetadataExtraction(asset));
+      mockReadTags({ ImageWidth: 1280, ImageHeight: 720 });
+
+      await sut.handleMetadataExtraction({ id: asset.id });
+      expect(mocks.asset.update).toHaveBeenCalledWith(
+        expect.objectContaining({
+          width: undefined,
+          height: undefined,
+        }),
+      );
       expect(mocks.asset.update).not.toHaveBeenCalledWith(
         expect.objectContaining({
           width: 1280,

server/src/services/metadata.service.ts

@@ -14,6 +14,7 @@ import {
   AssetFileType,
   AssetType,
   AssetVisibility,
+  ChecksumAlgorithm,
   DatabaseLock,
   ExifOrientation,
   ImmichWorker,
@@ -327,10 +328,9 @@ export class MetadataService extends BaseService {
           fileCreatedAt: dates.dateTimeOriginal ?? undefined,
           fileModifiedAt: stats.mtime,
 
-          // only update the dimensions if they don't already exist
-          // we don't want to overwrite width/height that are modified by edits
-          width: asset.width == null ? assetWidth : undefined,
-          height: asset.height == null ? assetHeight : undefined,
+          // Keep unedited assets in sync with the file on disk, but don't overwrite edited dimensions.
+          width: !asset.isEdited || asset.width == null ? assetWidth : undefined,
+          height: !asset.isEdited || asset.height == null ? assetHeight : undefined,
         }),
       async () => {
         await this.assetRepository.upsertExif(exifData, { lockedPropertiesBehavior: 'skip' });
@@ -676,6 +676,7 @@ export class MetadataService extends BaseService {
             fileModifiedAt: stats.mtime,
             localDateTime: dates.localDateTime,
             checksum,
+            checksumAlgorithm: ChecksumAlgorithm.sha1File,
             ownerId: asset.ownerId,
             originalPath: StorageCore.getAndroidMotionPath(asset, motionAssetId),
             originalFileName: `${parse(asset.originalFileName).name}.mp4`,

server/src/utils/access.ts

@@ -241,6 +241,11 @@ const checkOtherAccess = async (access: AccessRepository, request: OtherAccessRe
       return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set();
     }
 
+    case Permission.DuplicateRead:
+    case Permission.DuplicateDelete: {
+      return access.duplicate.checkOwnerAccess(auth.user.id, ids);
+    }
+
     case Permission.AuthDeviceDelete: {
       return await access.authDevice.checkOwnerAccess(auth.user.id, ids);
     }

server/src/utils/duplicate.spec.ts

@@ -0,0 +1,178 @@
+import { AssetResponseDto } from 'src/dtos/asset-response.dto';
+import { AssetType, AssetVisibility } from 'src/enum';
+import { getExifCount, suggestDuplicate, suggestDuplicateKeepAssetIds } from 'src/utils/duplicate';
+import { describe, expect, it } from 'vitest';
+
+const createAsset = (
+  id: string,
+  fileSizeInByte: number | null = null,
+  exifFields: Record<string, unknown> = {},
+): AssetResponseDto => ({
+  id,
+  type: AssetType.Image,
+  thumbhash: null,
+  localDateTime: new Date().toISOString(),
+  duration: '0:00:00.00000',
+  hasMetadata: true,
+  width: 1920,
+  height: 1080,
+  createdAt: new Date().toISOString(),
+  deviceAssetId: 'device-asset-1',
+  deviceId: 'device-1',
+  ownerId: 'owner-1',
+  originalPath: '/path/to/asset',
+  originalFileName: 'asset.jpg',
+  fileCreatedAt: new Date().toISOString(),
+  fileModifiedAt: new Date().toISOString(),
+  updatedAt: new Date().toISOString(),
+  isFavorite: false,
+  isArchived: false,
+  isTrashed: false,
+  isOffline: false,
+  isEdited: false,
+  visibility: AssetVisibility.Timeline,
+  checksum: 'checksum',
+  exifInfo:
+    fileSizeInByte !== null || Object.keys(exifFields).length > 0 ? { fileSizeInByte, ...exifFields } : undefined,
+});
+
+describe('duplicate utils', () => {
+  describe('getExifCount', () => {
+    it('should return 0 for asset without exifInfo', () => {
+      const asset = createAsset('asset-1');
+      asset.exifInfo = undefined;
+      expect(getExifCount(asset)).toBe(0);
+    });
+
+    it('should return 0 for empty exifInfo', () => {
+      const asset = createAsset('asset-1');
+      asset.exifInfo = {};
+      expect(getExifCount(asset)).toBe(0);
+    });
+
+    it('should count all truthy values in exifInfo', () => {
+      const asset = createAsset('asset-1', 1000, {
+        make: 'Canon',
+        model: 'EOS 5D',
+        dateTimeOriginal: new Date(),
+        timeZone: 'UTC',
+        latitude: 40.7128,
+        longitude: -74.006,
+        city: 'New York',
+        state: 'NY',
+        country: 'USA',
+        description: 'A photo',
+        rating: 5,
+      });
+      // fileSizeInByte (1000) + 11 other truthy fields = 12
+      expect(getExifCount(asset)).toBe(12);
+    });
+
+    it('should not count null or undefined values', () => {
+      const asset = createAsset('asset-1', 1000, {
+        make: 'Canon',
+        model: null,
+        latitude: undefined,
+        city: '',
+        rating: 0,
+      });
+      // fileSizeInByte (1000) + make ('Canon') = 2 truthy values
+      // model (null), latitude (undefined), city (''), rating (0) are all falsy
+      expect(getExifCount(asset)).toBe(2);
+    });
+  });
+
+  describe('suggestDuplicate', () => {
+    it('should return undefined for empty list', () => {
+      expect(suggestDuplicate([])).toBeUndefined();
+    });
+
+    it('should return the single asset for list with one asset', () => {
+      const asset = createAsset('asset-1', 1000);
+      expect(suggestDuplicate([asset])).toEqual(asset);
+    });
+
+    it('should return asset with largest file size', () => {
+      const small = createAsset('small', 1000);
+      const large = createAsset('large', 5000);
+      const medium = createAsset('medium', 3000);
+
+      expect(suggestDuplicate([small, large, medium])?.id).toBe('large');
+      expect(suggestDuplicate([large, small, medium])?.id).toBe('large');
+      expect(suggestDuplicate([medium, small, large])?.id).toBe('large');
+    });
+
+    it('should use EXIF count as tie-breaker when file sizes are equal', () => {
+      const lessExif = createAsset('less-exif', 1000, { make: 'Canon' });
+      const moreExif = createAsset('more-exif', 1000, {
+        make: 'Canon',
+        model: 'EOS 5D',
+        dateTimeOriginal: new Date(),
+        city: 'New York',
+      });
+
+      expect(suggestDuplicate([lessExif, moreExif])?.id).toBe('more-exif');
+      expect(suggestDuplicate([moreExif, lessExif])?.id).toBe('more-exif');
+    });
+
+    it('should handle assets with no exifInfo (treat as 0 file size)', () => {
+      const noExif = createAsset('no-exif');
+      noExif.exifInfo = undefined;
+      const withExif = createAsset('with-exif', 1000);
+
+      expect(suggestDuplicate([noExif, withExif])?.id).toBe('with-exif');
+    });
+
+    it('should handle assets with exifInfo but no fileSizeInByte', () => {
+      const noFileSize = createAsset('no-file-size');
+      noFileSize.exifInfo = { make: 'Canon', model: 'EOS 5D' };
+      const withFileSize = createAsset('with-file-size', 1000);
+
+      expect(suggestDuplicate([noFileSize, withFileSize])?.id).toBe('with-file-size');
+    });
+
+    it('should return last asset when all have same file size and EXIF count', () => {
+      const asset1 = createAsset('asset-1', 1000, { make: 'Canon' });
+      const asset2 = createAsset('asset-2', 1000, { make: 'Nikon' });
+
+      // Both have same file size (1000) and same EXIF count (2: fileSizeInByte + make)
+      // Should return the last one in the sorted array
+      const result = suggestDuplicate([asset1, asset2]);
+      // Since they're equal, the last one after sorting should be returned
+      expect(result).toBeDefined();
+      expect(['asset-1', 'asset-2']).toContain(result?.id);
+    });
+
+    it('should prioritize file size over EXIF count', () => {
+      const largeWithLessExif = createAsset('large-less-exif', 5000, { make: 'Canon' });
+      const smallWithMoreExif = createAsset('small-more-exif', 1000, {
+        make: 'Canon',
+        model: 'EOS 5D',
+        dateTimeOriginal: new Date(),
+        city: 'New York',
+        state: 'NY',
+        country: 'USA',
+      });
+
+      expect(suggestDuplicate([largeWithLessExif, smallWithMoreExif])?.id).toBe('large-less-exif');
+    });
+  });
+
+  describe('suggestDuplicateKeepAssetIds', () => {
+    it('should return empty array for empty list', () => {
+      expect(suggestDuplicateKeepAssetIds([])).toEqual([]);
+    });
+
+    it('should return array with single asset ID', () => {
+      const asset = createAsset('asset-1', 1000);
+      expect(suggestDuplicateKeepAssetIds([asset])).toEqual(['asset-1']);
+    });
+
+    it('should return array with best asset ID', () => {
+      const small = createAsset('small', 1000);
+      const large = createAsset('large', 5000);
+
+      expect(suggestDuplicateKeepAssetIds([small, large])).toEqual(['large']);
+    });
+  });
+});

server/src/utils/duplicate.ts

@@ -0,0 +1,60 @@
+import { AssetResponseDto } from 'src/dtos/asset-response.dto';
+
+/**
+ * Counts all truthy values in the exifInfo object.
+ * This matches the client implementation in web/src/lib/utils/exif-utils.ts
+ *
+ * @param asset Asset with optional exifInfo
+ * @returns Count of truthy EXIF values
+ */
+export const getExifCount = (asset: AssetResponseDto): number => {
+  return Object.values(asset.exifInfo ?? {}).filter(Boolean).length;
+};
+
+/**
+ * Suggests the best duplicate asset to keep from a list of duplicates.
+ * This is a direct port of the client logic from web/src/lib/utils/duplicate-utils.ts
+ *
+ * The best asset is determined by the following criteria:
+ *  1. Largest image file size in bytes
+ *  2. Largest count of EXIF data (as tie-breaker)
+ *
+ * @param assets List of duplicate assets
+ * @returns The best asset to keep, or undefined if empty list
+ */
+export const suggestDuplicate = (assets: AssetResponseDto[]): AssetResponseDto | undefined => {
+  if (assets.length === 0) {
+    return undefined;
+  }
+
+  // Sort by file size ascending (smallest first)
+  let duplicateAssets = [...assets].toSorted(
+    (a, b) => (a.exifInfo?.fileSizeInByte ?? 0) - (b.exifInfo?.fileSizeInByte ?? 0),
+  );
+
+  // Get the largest file size (last element after sorting)
+  const largestFileSize = duplicateAssets.at(-1)?.exifInfo?.fileSizeInByte ?? 0;
+
+  // Filter to keep only assets with the largest file size
+  duplicateAssets = duplicateAssets.filter((asset) => (asset.exifInfo?.fileSizeInByte ?? 0) === largestFileSize);
+
+  // If there are multiple assets with the same file size, sort by EXIF count
+  if (duplicateAssets.length >= 2) {
+    duplicateAssets = duplicateAssets.toSorted((a, b) => getExifCount(a) - getExifCount(b));
+  }
+
+  // Return the last asset (highest EXIF count among highest file size)
+  return duplicateAssets.at(-1);
+};
+
+/**
+ * Suggests the best duplicate asset IDs to keep from a list of duplicates.
+ * Returns an array with a single asset ID (the best candidate), or empty if no assets.
+ *
+ * @param assets List of duplicate assets
+ * @returns Array of suggested asset IDs to keep (0 or 1 element)
+ */
+export const suggestDuplicateKeepAssetIds = (assets: AssetResponseDto[]): string[] => {
+  const suggested = suggestDuplicate(assets);
+  return suggested ? [suggested.id] : [];
+};

server/test/factories/asset.factory.ts

@@ -1,5 +1,5 @@
 import { Selectable } from 'kysely';
-import { AssetFileType, AssetStatus, AssetType, AssetVisibility } from 'src/enum';
+import { AssetFileType, AssetStatus, AssetType, AssetVisibility, ChecksumAlgorithm } from 'src/enum';
 import { AssetTable } from 'src/schema/tables/asset.table';
 import { StackTable } from 'src/schema/tables/stack.table';
 import { AssetEditFactory } from 'test/factories/asset-edit.factory';
@@ -53,6 +53,7 @@ export class AssetFactory {
       updateId: newUuidV7(),
       status: AssetStatus.Active,
       checksum: newSha1(),
+      checksumAlgorithm: ChecksumAlgorithm.sha1File,
       deviceAssetId: '',
       deviceId: '',
       duplicateId: null,

server/test/mappers.ts

@@ -1,4 +1,5 @@
 import { Selectable, ShallowDehydrateObject } from 'kysely';
+import { MapAsset } from 'src/dtos/asset-response.dto';
 import { AssetEditActionItem } from 'src/dtos/editing.dto';
 import { ActivityTable } from 'src/schema/tables/activity.table';
 import { AssetTable } from 'src/schema/tables/asset.table';
@@ -125,6 +126,7 @@ export const getForMemory = (memory: ReturnType<MemoryFactory['build']>) => ({
 export const getForMetadataExtraction = (asset: ReturnType<AssetFactory['build']>) => ({
   id: asset.id,
   checksum: asset.checksum,
+  checksumAlgorithm: asset.checksumAlgorithm,
   deviceAssetId: asset.deviceAssetId,
   deviceId: asset.deviceId,
   fileCreatedAt: asset.fileCreatedAt,
@@ -138,6 +140,7 @@ export const getForMetadataExtraction = (asset: ReturnType<AssetFactory['build']
   originalPath: asset.originalPath,
   ownerId: asset.ownerId,
   type: asset.type,
+  isEdited: asset.isEdited,
   width: asset.width,
   height: asset.height,
   faces: asset.faces.map((face) => getDehydrated(face)),
@@ -203,10 +206,11 @@ export const getForStack = (stack: ReturnType<StackFactory['build']>) => ({
   })),
 });
 
-export const getForDuplicate = (asset: ReturnType<AssetFactory['build']>) => ({
-  ...getDehydrated(asset),
-  exifInfo: getDehydrated(asset.exifInfo),
-});
+export const getForDuplicate = (asset: ReturnType<AssetFactory['build']>) =>
+  ({
+    ...getDehydrated(asset),
+    exifInfo: getDehydrated(asset.exifInfo),
+  }) as unknown as MapAsset;
 
 export const getForSharedLink = (sharedLink: ReturnType<SharedLinkFactory['build']>) => ({
   ...sharedLink,

server/test/medium.factory.ts

@@ -12,6 +12,7 @@ import {
   AlbumUserRole,
   AssetType,
   AssetVisibility,
+  ChecksumAlgorithm,
   MemoryType,
   SourceType,
   SyncEntityType,
@@ -547,6 +548,7 @@ const assetInsert = (asset: Partial<Insertable<AssetTable>> = {}) => {
     deviceId: '',
     originalFileName: '',
     checksum: randomBytes(32),
+    checksumAlgorithm: ChecksumAlgorithm.sha1File,
     type: AssetType.Image,
     originalPath: '/path/to/something.jpg',
     ownerId: 'not-a-valid-uuid',

server/test/medium/specs/services/shared-link.service.spec.ts

@@ -372,6 +372,43 @@ describe(SharedLinkService.name, () => {
   });
 
   describe('get', () => {
+    it('should return an album shared link with assets', async () => {
+      const { sut, ctx } = setup();
+      const { user } = await ctx.newUser();
+      const auth = factory.auth({ user });
+      const { album } = await ctx.newAlbum({ ownerId: user.id });
+
+      const [{ asset: asset1 }, { asset: asset2 }] = await Promise.all([
+        ctx.newAsset({ ownerId: user.id }),
+        ctx.newAsset({ ownerId: user.id }),
+      ]);
+      await Promise.all([
+        ctx.newExif({ assetId: asset1.id, make: 'Canon' }),
+        ctx.newExif({ assetId: asset2.id, make: 'Canon' }),
+      ]);
+
+      const sharedLinkRepo = ctx.get(SharedLinkRepository);
+      const sharedLink = await sharedLinkRepo.create({
+        key: randomBytes(16),
+        id: factory.uuid(),
+        userId: user.id,
+        albumId: album.id,
+        allowUpload: true,
+        type: SharedLinkType.Album,
+      });
+
+      await sharedLinkRepo.addAssets(sharedLink.id, [asset1.id, asset2.id]);
+      const result = await sut.get(auth, sharedLink.id);
+      const assetIds = result.assets.map((asset) => asset.id);
+
+      expect(result).toMatchObject({
+        id: sharedLink.id,
+        album: expect.objectContaining({ id: album.id }),
+      });
+      expect(assetIds).toHaveLength(2);
+      expect(assetIds).toEqual(expect.arrayContaining([asset1.id, asset2.id]));
+    });
+
     it('should not return trashed assets for an individual shared link', async () => {
       const { sut, ctx } = setup();
       const { user } = await ctx.newUser();

server/test/repositories/access.repository.mock.ts

@@ -33,6 +33,10 @@ export const newAccessRepositoryMock = (): IAccessRepositoryMock => {
       checkOwnerAccess: vitest.fn().mockResolvedValue(new Set()),
     },
 
+    duplicate: {
+      checkOwnerAccess: vitest.fn().mockResolvedValue(new Set()),
+    },
+
     memory: {
       checkOwnerAccess: vitest.fn().mockResolvedValue(new Set()),
     },

server/test/repositories/config.repository.mock.ts

@@ -35,6 +35,10 @@ const envData: EnvData = {
     vectorExtension: DatabaseExtension.Vectors,
   },
 
+  helmet: {
+    config: {},
+  },
+
   licensePublicKey: {
     client: 'client-public-key',
     server: 'server-public-key',

web/.nvmrc

@@ -1 +1 @@
-24.13.1
+24.14.0

web/package.json

@@ -27,7 +27,7 @@
     "@formatjs/icu-messageformat-parser": "^3.0.0",
     "@immich/justified-layout-wasm": "^0.4.3",
     "@immich/sdk": "workspace:*",
-    "@immich/ui": "^0.65.3",
+    "@immich/ui": "^0.69.0",
     "@mapbox/mapbox-gl-rtl-text": "0.3.0",
     "@mdi/js": "^7.4.47",
     "@photo-sphere-viewer/core": "^5.14.0",
@@ -100,7 +100,7 @@
     "prettier-plugin-sort-json": "^4.1.1",
     "prettier-plugin-svelte": "^3.3.3",
     "rollup-plugin-visualizer": "^6.0.0",
-    "svelte": "5.53.13",
+    "svelte": "5.54.1",
     "svelte-check": "^4.1.5",
     "svelte-eslint-parser": "^1.3.3",
     "tailwindcss": "^4.2.2",
@@ -110,6 +110,6 @@
     "vitest": "^4.0.0"
   },
   "volta": {
-    "node": "24.13.1"
+    "node": "24.14.0"
   }
 }