video player update

apply custom headers immediately
handle basic auth
2026-03-08 06:57:01 +00:00 · 2026-02-22 15:18:53 -05:00 · 2026-02-21 15:42:22 -05:00 · 2026-02-20 23:20:15 -05:00 · 2026-02-20 23:15:08 -05:00 · 2026-02-20 23:15:08 -05:00
340 changed files with 9054 additions and 4892 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -2,6 +2,7 @@
  "name": "Immich - Backend, Frontend and ML",
  "service": "immich-server",
  "runServices": [
+    "immich-init",
    "immich-server",
    "redis",
    "database",
@@ -31,29 +32,8 @@
        "tasks": {
          "version": "2.0.0",
          "tasks": [
-            {
-              "label": "Fix Permissions, Install Dependencies",
-              "type": "shell",
-              "command": "[ -f /immich-devcontainer/container-start.sh ] && /immich-devcontainer/container-start.sh || exit 0",
-              "isBackground": true,
-              "presentation": {
-                "echo": true,
-                "reveal": "always",
-                "focus": false,
-                "panel": "dedicated",
-                "showReuseMessage": true,
-                "clear": false,
-                "group": "Devcontainer tasks",
-                "close": true
-              },
-              "runOptions": {
-                "runOn": "default"
-              },
-              "problemMatcher": []
-            },
            {
              "label": "Immich API Server (Nest)",
-              "dependsOn": ["Fix Permissions, Install Dependencies"],
              "type": "shell",
              "command": "[ -f /immich-devcontainer/container-start-backend.sh ] && /immich-devcontainer/container-start-backend.sh || exit 0",
              "isBackground": true,
@@ -74,7 +54,6 @@
            },
            {
              "label": "Immich Web Server (Vite)",
-              "dependsOn": ["Fix Permissions, Install Dependencies"],
              "type": "shell",
              "command": "[ -f /immich-devcontainer/container-start-frontend.sh ] && /immich-devcontainer/container-start-frontend.sh || exit 0",
              "isBackground": true,
@@ -130,8 +109,8 @@
    }
  },
  "overrideCommand": true,
-  "workspaceFolder": "/workspaces/immich",
-  "remoteUser": "node",
+  "workspaceFolder": "/usr/src/app",
+  "remoteUser": "root",
  "userEnvProbe": "loginInteractiveShell",
  "remoteEnv": {
    // The location where your uploaded files are stored
--- a/.devcontainer/mobile/container-compose-overrides.yml
+++ b/.devcontainer/mobile/container-compose-overrides.yml
@@ -1,23 +1,17 @@
 services:
+  immich-app-base:
+    image: busybox
  immich-server:
+    extends:
+      service: immich-app-base
+    profiles: !reset []
+    image: immich-server-dev:latest
    build:
      target: dev-container-mobile
    environment:
      - IMMICH_SERVER_URL=http://127.0.0.1:2283/
-    volumes: !override # bind mount host to /workspaces/immich
-      - ..:/workspaces/immich
+    volumes:
      - ${UPLOAD_LOCATION:-upload-devcontainer-volume}${UPLOAD_LOCATION:+/photos}:/data
-      - pnpm-store:/usr/src/app/.pnpm-store
-      - server-node_modules:/usr/src/app/server/node_modules
-      - web-node_modules:/usr/src/app/web/node_modules
-      - github-node_modules:/usr/src/app/.github/node_modules
-      - cli-node_modules:/usr/src/app/cli/node_modules
-      - docs-node_modules:/usr/src/app/docs/node_modules
-      - e2e-node_modules:/usr/src/app/e2e/node_modules
-      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
-      - app-node_modules:/usr/src/app/node_modules
-      - sveltekit:/usr/src/app/web/.svelte-kit
-      - coverage:/usr/src/app/web/coverage
      - /etc/localtime:/etc/localtime:ro
  immich-web:
    env_file: !reset []
--- a/.devcontainer/mobile/devcontainer.json
+++ b/.devcontainer/mobile/devcontainer.json
@@ -2,6 +2,7 @@
  "name": "Immich - Mobile",
  "service": "immich-server",
  "runServices": [
+    "immich-init",
    "immich-server",
    "redis",
    "database",
@@ -35,7 +36,7 @@
  },
  "forwardPorts": [],
  "overrideCommand": true,
-  "workspaceFolder": "/workspaces/immich",
+  "workspaceFolder": "/usr/src/app",
  "remoteUser": "node",
  "userEnvProbe": "loginInteractiveShell",
  "remoteEnv": {
--- a/.devcontainer/server/container-common.sh
+++ b/.devcontainer/server/container-common.sh
@@ -2,11 +2,6 @@
 export IMMICH_PORT="${DEV_SERVER_PORT:-2283}"
 export DEV_PORT="${DEV_PORT:-3000}"

-# search for immich directory inside workspace.
-# /workspaces/immich is the bind mount, but other directories can be mounted if runing
-# Devcontainer: Clone [repository|pull request] in container volumne
-WORKSPACES_DIR="/workspaces"
-IMMICH_DIR="$WORKSPACES_DIR/immich"
 IMMICH_DEVCONTAINER_LOG="$HOME/immich-devcontainer.log"

 log() {
@@ -30,52 +25,8 @@ run_cmd() {
    return "${PIPESTATUS[0]}"
 }

-# Find directories excluding /workspaces/immich
-mapfile -t other_dirs < <(find "$WORKSPACES_DIR" -mindepth 1 -maxdepth 1 -type d ! -path "$IMMICH_DIR" ! -name ".*")
-
-if [ ${#other_dirs[@]} -gt 1 ]; then
-    log "Error: More than one directory found in $WORKSPACES_DIR other than $IMMICH_DIR."
-    exit 1
-elif [ ${#other_dirs[@]} -eq 1 ]; then
-    export IMMICH_WORKSPACE="${other_dirs[0]}"
-else
-    export IMMICH_WORKSPACE="$IMMICH_DIR"
-fi
+export IMMICH_WORKSPACE="/usr/src/app"

 log "Found immich workspace in $IMMICH_WORKSPACE"
 log ""

-fix_permissions() {
-
-    log "Fixing permissions for ${IMMICH_WORKSPACE}"
-
-    # Change ownership for directories that exist
-    for dir in "${IMMICH_WORKSPACE}/.vscode" \
-        "${IMMICH_WORKSPACE}/server/upload" \
-        "${IMMICH_WORKSPACE}/.pnpm-store" \
-        "${IMMICH_WORKSPACE}/.github/node_modules" \
-        "${IMMICH_WORKSPACE}/cli/node_modules" \
-        "${IMMICH_WORKSPACE}/e2e/node_modules" \
-        "${IMMICH_WORKSPACE}/open-api/typescript-sdk/node_modules" \
-        "${IMMICH_WORKSPACE}/server/node_modules" \
-        "${IMMICH_WORKSPACE}/server/dist" \
-        "${IMMICH_WORKSPACE}/web/node_modules" \
-        "${IMMICH_WORKSPACE}/web/dist"; do
-        if [ -d "$dir" ]; then
-            run_cmd sudo chown node -R "$dir"
-        fi
-    done
-
-    log ""
-}
-
-install_dependencies() {
-
-    log "Installing dependencies"
-    (
-        cd "${IMMICH_WORKSPACE}" || exit 1
-        export CI=1 FROZEN=1 OFFLINE=1
-        run_cmd make setup-web-dev setup-server-dev
-    )
-    log ""
-}
--- a/.devcontainer/server/container-compose-overrides.yml
+++ b/.devcontainer/server/container-compose-overrides.yml
@@ -1,26 +1,21 @@
 services:
+  immich-app-base:
+    image: busybox
  immich-server:
+    extends:
+      service: immich-app-base
+    profiles: !reset []
+    image: immich-server-dev:latest
    build:
      target: dev-container-server
    env_file: !reset []
    hostname: immich-dev
    environment:
      - IMMICH_SERVER_URL=http://127.0.0.1:2283/
-    volumes: !override
-      - ..:/workspaces/immich
+    volumes:
      - ${UPLOAD_LOCATION:-upload-devcontainer-volume}${UPLOAD_LOCATION:+/photos}:/data
      - /etc/localtime:/etc/localtime:ro
-      - pnpm-store:/usr/src/app/.pnpm-store
-      - server-node_modules:/usr/src/app/server/node_modules
-      - web-node_modules:/usr/src/app/web/node_modules
-      - github-node_modules:/usr/src/app/.github/node_modules
-      - cli-node_modules:/usr/src/app/cli/node_modules
-      - docs-node_modules:/usr/src/app/docs/node_modules
-      - e2e-node_modules:/usr/src/app/e2e/node_modules
-      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
-      - app-node_modules:/usr/src/app/node_modules
-      - sveltekit:/usr/src/app/web/.svelte-kit
-      - coverage:/usr/src/app/web/coverage
+      - pnpm_store_server:/buildcache/pnpm-store
      - ../plugins:/build/corePlugin
  immich-web:
    env_file: !reset []
--- a/.devcontainer/server/container-start.sh
+++ b/.devcontainer/server/container-start.sh
@@ -1,17 +0,0 @@
-#!/bin/bash
-# shellcheck source=common.sh
-# shellcheck disable=SC1091
-source /immich-devcontainer/container-common.sh
-
-log "Setting up Immich dev container..."
-fix_permissions
-
-log "Setup complete, please wait while backend and frontend services automatically start"
-log
-log "If necessary, the services may be manually started using"
-log
-log "$ /immich-devcontainer/container-start-backend.sh"
-log "$ /immich-devcontainer/container-start-frontend.sh"
-log
-log "From different terminal windows, as these scripts automatically restart the server"
-log "on error, and will continuously run in a loop"
--- a/.github/.nvmrc
+++ b/.github/.nvmrc
@@ -1 +1 @@
-24.13.0
+24.13.1
--- a/.github/workflows/build-mobile.yml
+++ b/.github/workflows/build-mobile.yml
@@ -51,14 +51,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -79,12 +79,12 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
@@ -96,14 +96,14 @@ jobs:
        working-directory: ./mobile
        run: printf "%s" $KEY_JKS | base64 -d > android/key.jks

-      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'zulu'
          java-version: '17'

      - name: Restore Gradle Cache
        id: cache-gradle-restore
-        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: |
            ~/.gradle/caches
@@ -160,7 +160,7 @@ jobs:

      - name: Save Gradle Cache
        id: cache-gradle-save
-        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        if: github.ref == 'refs/heads/main'
        with:
          path: |
@@ -185,7 +185,7 @@ jobs:
        run: sudo xcode-select -s /Applications/Xcode_26.2.app/Contents/Developer

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -19,13 +19,13 @@ jobs:
      actions: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/check-openapi.yml
+++ b/.github/workflows/check-openapi.yml
@@ -0,0 +1,32 @@
+name: Check OpenAPI
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'open-api/**'
+      - '.github/workflows/check-openapi.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  check-openapi:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Check for breaking API changes
+        # sha is pinning to a commit instead of a tag since the action does not tag versions
+        uses: oasdiff/oasdiff-action/breaking@ccb863950ce437a50f8f1a40d2a1112117e06ce4
+        with:
+          base: https://raw.githubusercontent.com/${{ github.repository }}/main/open-api/immich-openapi-specs.json
+          revision: open-api/immich-openapi-specs.json
+          fail-on: ERR
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -31,12 +31,12 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -45,7 +45,7 @@ jobs:
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './cli/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
@@ -71,13 +71,13 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -89,7 +89,7 @@ jobs:
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          registry: ghcr.io
@@ -115,7 +115,7 @@ jobs:
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}

      - name: Build and push image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
        with:
          file: cli/Dockerfile
          platforms: linux/amd64,linux/arm64
--- a/.github/workflows/close-duplicates.yml
+++ b/.github/workflows/close-duplicates.yml
@@ -35,7 +35,7 @@ jobs:
    needs: [get_body, should_run]
    if: ${{ needs.should_run.outputs.should_run == 'true' }}
    container:
-      image: ghcr.io/immich-app/mdq:main@sha256:ab9f163cd5d5cec42704a26ca2769ecf3f10aa8e7bae847f1d527cdf075946e6
+      image: ghcr.io/immich-app/mdq:main@sha256:4f9860d04c88f7f87861f8ee84bfeedaec15ed7ca5ca87bc7db44b036f81645f
    outputs:
      checked: ${{ steps.get_checkbox.outputs.checked }}
    steps:
--- a/.github/workflows/close-llm-pr.yml
+++ b/.github/workflows/close-llm-pr.yml
@@ -1,7 +1,7 @@
 name: Close LLM-generated PRs

 on:
-  pull_request:
+  pull_request_target:
    types: [labeled]

 permissions: {}
@@ -20,7 +20,7 @@ jobs:
        run: |
          gh api graphql \
            -f prId="$NODE_ID" \
-            -f body="Thank you for your interest in contributing to Immich! Unfortunately this PR looks like it was generated using an LLM. As noted in our CONTRIBUTING.md, we request that you don't use LLMs to generate PRs as those are not a good use of maintainer time." \
+            -f body="Thank you for your interest in contributing to Immich! Unfortunately this PR looks like it was generated using an LLM. As noted in our [CONTRIBUTING.md](https://github.com/immich-app/immich/blob/main/CONTRIBUTING.md#use-of-generative-ai), we request that you don't use LLMs to generate PRs as those are not a good use of maintainer time." \
            -f query='
              mutation CommentAndClosePR($prId: ID!, $body: String!) {
                addComment(input: {
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -44,20 +44,20 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -83,6 +83,6 @@ jobs:
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          category: '/language:${{matrix.language}}'
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -23,14 +23,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -60,7 +60,7 @@ jobs:
        suffix: ['', '-cuda', '-rocm', '-openvino', '-armnn', '-rknn']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -90,7 +90,7 @@ jobs:
        suffix: ['']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -132,7 +132,7 @@ jobs:
            suffixes: '-rocm'
            platforms: linux/amd64
            runner-mapping: '{"linux/amd64": "pokedex-giant"}'
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@0477486d82313fba68f7c82c034120a4b8981297 # multi-runner-build-workflow-v2.1.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@bd49ed7a5a6022149f79b6564df48177476a822b # multi-runner-build-workflow-v2.2.1
    permissions:
      contents: read
      actions: read
@@ -155,7 +155,7 @@ jobs:
    name: Build and Push Server
    needs: pre-job
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).server == true }}
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@0477486d82313fba68f7c82c034120a4b8981297 # multi-runner-build-workflow-v2.1.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@bd49ed7a5a6022149f79b6564df48177476a822b # multi-runner-build-workflow-v2.2.1
    permissions:
      contents: read
      actions: read
--- a/.github/workflows/docs-build.yml
+++ b/.github/workflows/docs-build.yml
@@ -21,14 +21,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -54,13 +54,13 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -70,7 +70,7 @@ jobs:
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './docs/.nvmrc'
          cache: 'pnpm'
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -20,7 +20,7 @@ jobs:
      artifact: ${{ steps.get-artifact.outputs.result }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
@@ -119,19 +119,19 @@ jobs:
    if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cd24790a7f5f6439ac32cc94f5523cb2de8bfa8c # use-mise-action-v1.1.0
+        uses: immich-app/devtools/actions/use-mise@dab18118da6476e8237ac94080fd937983fecd42 # use-mise-action-v1.1.2

      - name: Load parameters
        id: parameters
@@ -192,16 +192,13 @@ jobs:
          ' >> $GITHUB_OUTPUT

      - name: Publish to Cloudflare Pages
-        # TODO: Action is deprecated
-        uses: cloudflare/pages-action@f0a1cd58cd66095dee69bfa18fa5efd1dde93bca # v1.5.0
-        with:
-          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
-          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          projectName: ${{ steps.docs-output.outputs.projectName }}
-          workingDirectory: 'docs'
-          directory: 'build'
-          branch: ${{ steps.parameters.outputs.name }}
-          wranglerVersion: '3'
+        working-directory: docs
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          PROJECT_NAME: ${{ steps.docs-output.outputs.projectName }}
+          BRANCH_NAME: ${{ steps.parameters.outputs.name }}
+        run: mise run //docs:deploy

      - name: Deploy Docs Release Domain
        if: ${{ steps.parameters.outputs.event == 'release' }}
--- a/.github/workflows/docs-destroy.yml
+++ b/.github/workflows/docs-destroy.yml
@@ -17,19 +17,19 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cd24790a7f5f6439ac32cc94f5523cb2de8bfa8c # use-mise-action-v1.1.0
+        uses: immich-app/devtools/actions/use-mise@dab18118da6476e8237ac94080fd937983fecd42 # use-mise-action-v1.1.2

      - name: Destroy Docs Subdomain
        env:
--- a/.github/workflows/fix-format.yml
+++ b/.github/workflows/fix-format.yml
@@ -22,7 +22,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: 'Checkout'
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ steps.generate-token.outputs.token }}
@@ -32,14 +32,14 @@ jobs:
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'

      - name: Fix formatting
-        run: pnpm --recursive install && pnpm run --recursive --parallel fix:format
+        run: pnpm --recursive install && pnpm run --recursive --if-present --parallel format:fix

      - name: Commit and push
        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
--- a/.github/workflows/pr-label-validation.yml
+++ b/.github/workflows/pr-label-validation.yml
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -56,20 +56,20 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          ref: main

      - name: Install uv
-        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -130,7 +130,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false
--- a/.github/workflows/preview-label.yaml
+++ b/.github/workflows/preview-label.yaml
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
@@ -32,7 +32,7 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -23,20 +23,20 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          ref: main

      - name: Install uv
-        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -159,7 +159,7 @@ jobs:

      - name: Create PR
        id: create-pr
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          commit-message: 'chore: release ${{ steps.bump-type.outputs.next }}'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -58,7 +58,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false
@@ -88,6 +88,7 @@ jobs:
          draft: true
          files: |
            docker/docker-compose.yml
+            docker/docker-compose.rootless.yml
            docker/example.env
            docker/hwaccel.ml.yml
            docker/hwaccel.transcoding.yml
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -19,12 +19,12 @@ jobs:
        working-directory: ./open-api/typescript-sdk
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -33,7 +33,7 @@ jobs:
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './open-api/typescript-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -20,14 +20,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -49,13 +49,13 @@ jobs:
        working-directory: ./mobile
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -69,6 +69,14 @@ jobs:
      - name: Install dependencies
        run: dart pub get

+      - name: Install dependencies for UI package
+        run: dart pub get
+        working-directory: ./mobile/packages/ui
+
+      - name: Install dependencies for UI Showcase
+        run: dart pub get
+        working-directory: ./mobile/packages/ui/showcase
+
      - name: Install DCM
        uses: CQLabs/setup-dcm@8697ae0790c0852e964a6ef1d768d62a6675481a # v2.0.1
        with:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,14 +17,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -63,13 +63,13 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -77,7 +77,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -108,20 +108,20 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './cli/.nvmrc'
          cache: 'pnpm'
@@ -155,20 +155,20 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './cli/.nvmrc'
          cache: 'pnpm'
@@ -197,20 +197,20 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './web/.nvmrc'
          cache: 'pnpm'
@@ -241,20 +241,20 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './web/.nvmrc'
          cache: 'pnpm'
@@ -279,20 +279,20 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './web/.nvmrc'
          cache: 'pnpm'
@@ -327,20 +327,20 @@ jobs:
        working-directory: ./e2e
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
@@ -373,13 +373,13 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -387,7 +387,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -412,13 +412,13 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -426,7 +426,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
@@ -446,12 +446,29 @@ jobs:
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
-      - name: Docker build
-        run: docker compose build
+      - name: Start Docker Compose
+        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
      - name: Run e2e tests (api & cli)
+        env:
+          VITEST_DISABLE_DOCKER_SETUP: true
        run: pnpm test
        if: ${{ !cancelled() }}
+      - name: Run e2e tests (maintenance)
+        env:
+          VITEST_DISABLE_DOCKER_SETUP: true
+        run: pnpm test:maintenance
+        if: ${{ !cancelled() }}
+      - name: Capture Docker logs
+        if: always()
+        run: docker compose logs --no-color > docker-compose-logs.txt
+        working-directory: ./e2e
+      - name: Archive Docker logs
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: always()
+        with:
+          name: e2e-server-docker-logs-${{ matrix.runner }}
+          path: e2e/docker-compose-logs.txt
  e2e-tests-web:
    name: End-to-End Tests (Web)
    needs: pre-job
@@ -467,13 +484,13 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -481,7 +498,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
@@ -501,9 +518,8 @@ jobs:
        if: ${{ !cancelled() }}
      - name: Run e2e tests (web)
        env:
-          CI: true
          PLAYWRIGHT_DISABLE_WEBSERVER: true
-        run: npx playwright test --project=web
+        run: pnpm test:web
        if: ${{ !cancelled() }}
      - name: Archive e2e test (web) results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -513,9 +529,8 @@ jobs:
          path: e2e/playwright-report/
      - name: Run ui tests (web)
        env:
-          CI: true
          PLAYWRIGHT_DISABLE_WEBSERVER: true
-        run: npx playwright test --project=ui
+        run: pnpm test:web:ui
        if: ${{ !cancelled() }}
      - name: Archive ui test (web) results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -525,9 +540,8 @@ jobs:
          path: e2e/playwright-report/
      - name: Run maintenance tests
        env:
-          CI: true
          PLAYWRIGHT_DISABLE_WEBSERVER: true
-        run: npx playwright test --project=maintenance
+        run: pnpm test:web:maintenance
        if: ${{ !cancelled() }}
      - name: Archive maintenance tests (web) results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -543,7 +557,7 @@ jobs:
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: always()
        with:
-          name: docker-compose-logs-${{ matrix.runner }}
+          name: e2e-web-docker-logs-${{ matrix.runner }}
          path: e2e/docker-compose-logs.txt
  success-check-e2e:
    name: End-to-End Tests Success
@@ -564,12 +578,12 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -596,17 +610,17 @@ jobs:
        working-directory: ./machine-learning
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Install uv
-        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
        with:
          python-version: 3.11
      - name: Install dependencies
@@ -636,20 +650,20 @@ jobs:
        working-directory: ./.github
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './.github/.nvmrc'
          cache: 'pnpm'
@@ -666,12 +680,12 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -687,20 +701,20 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -749,20 +763,20 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
--- a/.github/workflows/weblate-lock.yml
+++ b/.github/workflows/weblate-lock.yml
@@ -24,14 +24,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -47,7 +47,7 @@ jobs:
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).i18n == true }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
--- a/.pnpmfile.cjs
+++ b/.pnpmfile.cjs
@@ -4,12 +4,18 @@ module.exports = {
      if (!pkg.name) {
        return pkg;
      }
+      // make exiftool-vendored.pl a regular dependency since Docker prod
+      // images build with --no-optional to reduce image size
      if (pkg.name === "exiftool-vendored") {
-        if (pkg.optionalDependencies["exiftool-vendored.pl"]) {
-          // make exiftool-vendored.pl a regular dependency
-          pkg.dependencies["exiftool-vendored.pl"] =
-            pkg.optionalDependencies["exiftool-vendored.pl"];
-          delete pkg.optionalDependencies["exiftool-vendored.pl"];
+        const binaryPackage =
+          process.platform === "win32"
+            ? "exiftool-vendored.exe"
+            : "exiftool-vendored.pl";
+
+        if (pkg.optionalDependencies[binaryPackage]) {
+          pkg.dependencies[binaryPackage] =
+            pkg.optionalDependencies[binaryPackage];
+          delete pkg.optionalDependencies[binaryPackage];
        }
      }
      return pkg;
--- a/cli/.nvmrc
+++ b/cli/.nvmrc
@@ -1 +1 @@
-24.13.0
+24.13.1
--- a/cli/package.json
+++ b/cli/package.json
@@ -14,13 +14,13 @@
  ],
  "devDependencies": {
    "@eslint/js": "^9.8.0",
-    "@immich/sdk": "file:../open-api/typescript-sdk",
+    "@immich/sdk": "workspace:*",
    "@types/byte-size": "^8.1.0",
    "@types/cli-progress": "^3.11.0",
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.10.11",
+    "@types/node": "^24.10.13",
    "@vitest/coverage-v8": "^3.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
@@ -69,6 +69,6 @@
    "micromatch": "^4.0.8"
  },
  "volta": {
-    "node": "24.13.0"
+    "node": "24.13.1"
  }
 }
--- a/cli/src/commands/asset.spec.ts
+++ b/cli/src/commands/asset.spec.ts
@@ -7,7 +7,15 @@ import { describe, expect, it, MockedFunction, vi } from 'vitest';
 import { Action, checkBulkUpload, defaults, getSupportedMediaTypes, Reason } from '@immich/sdk';
 import createFetchMock from 'vitest-fetch-mock';

-import { checkForDuplicates, getAlbumName, startWatch, uploadFiles, UploadOptionsDto } from 'src/commands/asset';
+import {
+  checkForDuplicates,
+  deleteFiles,
+  findSidecar,
+  getAlbumName,
+  startWatch,
+  uploadFiles,
+  UploadOptionsDto,
+} from 'src/commands/asset';

 vi.mock('@immich/sdk');

@@ -309,3 +317,85 @@ describe('startWatch', () => {
    await fs.promises.rm(testFolder, { recursive: true, force: true });
  });
 });
+
+describe('findSidecar', () => {
+  let testDir: string;
+  let testFilePath: string;
+
+  beforeEach(() => {
+    testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test-sidecar-'));
+    testFilePath = path.join(testDir, 'test.jpg');
+    fs.writeFileSync(testFilePath, 'test');
+  });
+
+  afterEach(() => {
+    fs.rmSync(testDir, { recursive: true, force: true });
+  });
+
+  it('should find sidecar file with photo.xmp naming convention', () => {
+    const sidecarPath = path.join(testDir, 'test.xmp');
+    fs.writeFileSync(sidecarPath, 'xmp data');
+
+    const result = findSidecar(testFilePath);
+    expect(result).toBe(sidecarPath);
+  });
+
+  it('should find sidecar file with photo.ext.xmp naming convention', () => {
+    const sidecarPath = path.join(testDir, 'test.jpg.xmp');
+    fs.writeFileSync(sidecarPath, 'xmp data');
+
+    const result = findSidecar(testFilePath);
+    expect(result).toBe(sidecarPath);
+  });
+
+  it('should prefer photo.ext.xmp over photo.xmp when both exist', () => {
+    const sidecarPath1 = path.join(testDir, 'test.xmp');
+    const sidecarPath2 = path.join(testDir, 'test.jpg.xmp');
+    fs.writeFileSync(sidecarPath1, 'xmp data 1');
+    fs.writeFileSync(sidecarPath2, 'xmp data 2');
+
+    const result = findSidecar(testFilePath);
+    // Should return the first one found (photo.xmp) based on the order in the code
+    expect(result).toBe(sidecarPath1);
+  });
+
+  it('should return undefined when no sidecar file exists', () => {
+    const result = findSidecar(testFilePath);
+    expect(result).toBeUndefined();
+  });
+});
+
+describe('deleteFiles', () => {
+  let testDir: string;
+  let testFilePath: string;
+
+  beforeEach(() => {
+    testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test-delete-'));
+    testFilePath = path.join(testDir, 'test.jpg');
+    fs.writeFileSync(testFilePath, 'test');
+  });
+
+  afterEach(() => {
+    fs.rmSync(testDir, { recursive: true, force: true });
+  });
+
+  it('should delete asset and sidecar file when main file is deleted', async () => {
+    const sidecarPath = path.join(testDir, 'test.xmp');
+    fs.writeFileSync(sidecarPath, 'xmp data');
+
+    await deleteFiles([{ id: 'test-id', filepath: testFilePath }], [], { delete: true, concurrency: 1 });
+
+    expect(fs.existsSync(testFilePath)).toBe(false);
+    expect(fs.existsSync(sidecarPath)).toBe(false);
+  });
+
+  it('should not delete sidecar file when delete option is false', async () => {
+    const sidecarPath = path.join(testDir, 'test.xmp');
+    fs.writeFileSync(sidecarPath, 'xmp data');
+
+    await deleteFiles([{ id: 'test-id', filepath: testFilePath }], [], { delete: false, concurrency: 1 });
+
+    expect(fs.existsSync(testFilePath)).toBe(true);
+    expect(fs.existsSync(sidecarPath)).toBe(true);
+  });
+});
--- a/cli/src/commands/asset.ts
+++ b/cli/src/commands/asset.ts
@@ -17,7 +17,7 @@ import { Matcher, watch as watchFs } from 'chokidar';
 import { MultiBar, Presets, SingleBar } from 'cli-progress';
 import { chunk } from 'lodash-es';
 import micromatch from 'micromatch';
-import { Stats, createReadStream } from 'node:fs';
+import { Stats, createReadStream, existsSync } from 'node:fs';
 import { stat, unlink } from 'node:fs/promises';
 import path, { basename } from 'node:path';
 import { Queue } from 'src/queue';
@@ -403,23 +403,6 @@ export const uploadFiles = async (
 const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaResponseDto> => {
  const { baseUrl, headers } = defaults;

-  const assetPath = path.parse(input);
-  const noExtension = path.join(assetPath.dir, assetPath.name);
-
-  const sidecarsFiles = await Promise.all(
-    // XMP sidecars can come in two filename formats. For a photo named photo.ext, the filenames are photo.ext.xmp and photo.xmp
-    [`${noExtension}.xmp`, `${input}.xmp`].map(async (sidecarPath) => {
-      try {
-        const stats = await stat(sidecarPath);
-        return new UploadFile(sidecarPath, stats.size);
-      } catch {
-        return false;
-      }
-    }),
-  );
-
-  const sidecarData = sidecarsFiles.find((file): file is UploadFile => file !== false);
-
  const formData = new FormData();
  formData.append('deviceAssetId', `${basename(input)}-${stats.size}`.replaceAll(/\s+/g, ''));
  formData.append('deviceId', 'CLI');
@@ -429,8 +412,15 @@ const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaRespon
  formData.append('isFavorite', 'false');
  formData.append('assetData', new UploadFile(input, stats.size));

-  if (sidecarData) {
-    formData.append('sidecarData', sidecarData);
+  const sidecarPath = findSidecar(input);
+  if (sidecarPath) {
+    try {
+      const stats = await stat(sidecarPath);
+      const sidecarData = new UploadFile(sidecarPath, stats.size);
+      formData.append('sidecarData', sidecarData);
+    } catch {
+      // noop
+    }
  }

  const response = await fetch(`${baseUrl}/assets`, {
@@ -446,7 +436,19 @@ const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaRespon
  return response.json();
 };

-const deleteFiles = async (uploaded: Asset[], duplicates: Asset[], options: UploadOptionsDto): Promise<void> => {
+export const findSidecar = (filepath: string): string | undefined => {
+  const assetPath = path.parse(filepath);
+  const noExtension = path.join(assetPath.dir, assetPath.name);
+
+  // XMP sidecars can come in two filename formats. For a photo named photo.ext, the filenames are photo.ext.xmp and photo.xmp
+  for (const sidecarPath of [`${noExtension}.xmp`, `${filepath}.xmp`]) {
+    if (existsSync(sidecarPath)) {
+      return sidecarPath;
+    }
+  }
+};
+
+export const deleteFiles = async (uploaded: Asset[], duplicates: Asset[], options: UploadOptionsDto): Promise<void> => {
  let fileCount = 0;
  if (options.delete) {
    fileCount += uploaded.length;
@@ -474,7 +476,15 @@ const deleteFiles = async (uploaded: Asset[], duplicates: Asset[], options: Uplo

  const chunkDelete = async (files: Asset[]) => {
    for (const assetBatch of chunk(files, options.concurrency)) {
-      await Promise.all(assetBatch.map((input: Asset) => unlink(input.filepath)));
+      await Promise.all(
+        assetBatch.map(async (input: Asset) => {
+          await unlink(input.filepath);
+          const sidecarPath = findSidecar(input.filepath);
+          if (sidecarPath) {
+            await unlink(sidecarPath);
+          }
+        }),
+      );
      deletionProgress.update(assetBatch.length);
    }
  };
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -14,33 +14,65 @@
 name: immich-dev

 services:
+  immich-app-base:
+    profiles: ['_base']
+    tmpfs:
+      - /tmp
+    volumes:
+      - ..:/usr/src/app
+      - pnpm_cache:/buildcache/pnpm_cache
+      - server_node_modules:/usr/src/app/server/node_modules
+      - web_node_modules:/usr/src/app/web/node_modules
+      - github_node_modules:/usr/src/app/.github/node_modules
+      - cli_node_modules:/usr/src/app/cli/node_modules
+      - docs_node_modules:/usr/src/app/docs/node_modules
+      - e2e_node_modules:/usr/src/app/e2e/node_modules
+      - sdk_node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
+      - app_node_modules:/usr/src/app/node_modules
+      - sveltekit:/usr/src/app/web/.svelte-kit
+      - coverage:/usr/src/app/web/coverage
+
+  immich-init:
+    extends:
+      service: immich-app-base
+    profiles: !reset []
+    container_name: immich_init
+    image: immich-server-dev:latest
+    build:
+      context: ../
+      dockerfile: server/Dockerfile.dev
+      target: dev
+    command:
+      - |
+        pnpm install
+        touch /tmp/init-complete
+        exec tail -f /dev/null
+    volumes:
+      - pnpm_store_server:/buildcache/pnpm-store
+    restart: 'no'
+    healthcheck:
+      test: ['CMD', 'test', '-f', '/tmp/init-complete']
+      interval: 2s
+      timeout: 3s
+      retries: 300
+      start_period: 300s
+
  immich-server:
+    extends:
+      service: immich-app-base
+    profiles: !reset []
    container_name: immich_server
    command: ['immich-dev']
    image: immich-server-dev:latest
-    # extends:
-    #   file: hwaccel.transcoding.yml
-    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    build:
      context: ../
      dockerfile: server/Dockerfile.dev
      target: dev
    restart: unless-stopped
    volumes:
-      - ..:/usr/src/app
      - ${UPLOAD_LOCATION}/photos:/data
      - /etc/localtime:/etc/localtime:ro
-      - pnpm-store:/usr/src/app/.pnpm-store
-      - server-node_modules:/usr/src/app/server/node_modules
-      - web-node_modules:/usr/src/app/web/node_modules
-      - github-node_modules:/usr/src/app/.github/node_modules
-      - cli-node_modules:/usr/src/app/cli/node_modules
-      - docs-node_modules:/usr/src/app/docs/node_modules
-      - e2e-node_modules:/usr/src/app/e2e/node_modules
-      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
-      - app-node_modules:/usr/src/app/node_modules
-      - sveltekit:/usr/src/app/web/.svelte-kit
-      - coverage:/usr/src/app/web/coverage
+      - pnpm_store_server:/buildcache/pnpm-store
      - ../plugins:/build/corePlugin
    env_file:
      - .env
@@ -63,6 +95,8 @@ services:
      - 9231:9231
      - 2283:2283
    depends_on:
+      immich-init:
+        condition: service_healthy
      redis:
        condition: service_started
      database:
@@ -71,6 +105,9 @@ services:
      disable: false

  immich-web:
+    extends:
+      service: immich-app-base
+    profiles: !reset []
    container_name: immich_web
    image: immich-web-dev:latest
    build:
@@ -84,20 +121,11 @@ services:
      - 3000:3000
      - 24678:24678
    volumes:
-      - ..:/usr/src/app
-      - pnpm-store:/usr/src/app/.pnpm-store
-      - server-node_modules:/usr/src/app/server/node_modules
-      - web-node_modules:/usr/src/app/web/node_modules
-      - github-node_modules:/usr/src/app/.github/node_modules
-      - cli-node_modules:/usr/src/app/cli/node_modules
-      - docs-node_modules:/usr/src/app/docs/node_modules
-      - e2e-node_modules:/usr/src/app/e2e/node_modules
-      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
-      - app-node_modules:/usr/src/app/node_modules
-      - sveltekit:/usr/src/app/web/.svelte-kit
-      - coverage:/usr/src/app/web/coverage
+      - pnpm_store_web:/buildcache/pnpm-store
    restart: unless-stopped
    depends_on:
+      immich-init:
+        condition: service_healthy
      immich-server:
        condition: service_started

@@ -116,7 +144,7 @@ services:
      - 3003:3003
    volumes:
      - ../machine-learning/immich_ml:/usr/src/immich_ml
-      - model-cache:/cache
+      - model_cache:/cache
    env_file:
      - .env
    depends_on:
@@ -156,7 +184,7 @@ services:
  #   image: prom/prometheus
  #   volumes:
  #     - ./prometheus.yml:/etc/prometheus/prometheus.yml
-  #     - prometheus-data:/prometheus
+  #     - prometheus_data:/prometheus

  # first login uses admin/admin
  # add data source for http://immich-prometheus:9090 to get started
@@ -167,20 +195,22 @@ services:
  #     - 3000:3000
  #   image: grafana/grafana:10.3.3-ubuntu
  #   volumes:
-  #     - grafana-data:/var/lib/grafana
+  #     - grafana_data:/var/lib/grafana

 volumes:
-  model-cache:
-  prometheus-data:
-  grafana-data:
-  pnpm-store:
-  server-node_modules:
-  web-node_modules:
-  github-node_modules:
-  cli-node_modules:
-  docs-node_modules:
-  e2e-node_modules:
-  sdk-node_modules:
-  app-node_modules:
+  model_cache:
+  prometheus_data:
+  grafana_data:
+  pnpm_cache:
+  pnpm_store_server:
+  pnpm_store_web:
+  server_node_modules:
+  web_node_modules:
+  github_node_modules:
+  cli_node_modules:
+  docs_node_modules:
+  e2e_node_modules:
+  sdk_node_modules:
+  app_node_modules:
  sveltekit:
  coverage:
--- a/docs/.nvmrc
+++ b/docs/.nvmrc
@@ -1 +1 @@
-24.13.0
+24.13.1
--- a/docs/docs/developer/devcontainers.md
+++ b/docs/docs/developer/devcontainers.md
@@ -44,7 +44,7 @@ While this guide focuses on VS Code, you have many options for Dev Container dev
 **Self-Hostable Options:**

 - [Coder](https://coder.com) - Enterprise-focused, requires Terraform knowledge, self-managed
- [DevPod](https://devpod.sh) - Client-only tool with excellent devcontainer.json support, works with any provider (local, cloud, or on-premise)
+- [DevPod](https://devpod.sh) - Client-only tool with excellent devcontainer.json support, works with any provider (local, cloud, or on-premise). Check [quick-start guide](#quick-start-guide-for-devpod-with-docker)
  :::

 ## Dev Container Services
@@ -408,7 +408,27 @@ If you encounter issues:
 1. Check container logs: View → Output → Select "Dev Containers"
 2. Rebuild without cache: "Dev Containers: Rebuild Container Without Cache"
 3. Review [common Docker issues](https://docs.docker.com/desktop/troubleshoot/)
-4. Ask in [Discord](https://discord.immich.app) `#help-desk-support` channel
+4. Ask in [Discord](https://discord.immich.app) `#contributing` channel
+
+### Quick-start guide for DevPod with docker
+
+You will need DevPod CLI (check [DevPod CLI installation guide](https://devpod.sh/docs/getting-started/install)) and Docker Desktop.
+
+```sh
+# Step 1: Clone the Repository
+git clone https://github.com/immich-app/immich.git
+cd immich
+
+# Step 2: Prepare DevPod (if you haven't already)
+devpod provider add docker
+devpod provider use docker
+
+# Step 3: Build 'immich-server-dev' docker image first manually
+docker build -f server/Dockerfile.dev -t immich-server-dev .
+
+# Step 4: Now you can start devcontainer
+devpod up .
+```

 ## Mobile Development

--- a/docs/docs/features/supported-formats.md
+++ b/docs/docs/features/supported-formats.md
@@ -38,6 +38,7 @@ For the full list, refer to the [Immich source code](https://github.com/immich-a
 | `MP2T`      | `.mts` `.m2ts` `.m2t` | :white_check_mark: |       |
 | `MP4`       | `.mp4` `.insv`        | :white_check_mark: |       |
 | `MPEG`      | `.mpg` `.mpe` `.mpeg` | :white_check_mark: |       |
+| `MXF`       | `.mxf`                | :white_check_mark: |       |
 | `QUICKTIME` | `.mov`                | :white_check_mark: |       |
 | `WEBM`      | `.webm`               | :white_check_mark: |       |
 | `WMV`       | `.wmv`                | :white_check_mark: |       |
--- a/docs/docs/install/config-file.md
+++ b/docs/docs/install/config-file.md
@@ -8,7 +8,8 @@ A config file can be provided as an alternative to the UI configuration.

 ### Step 1 - Create a new config file

-In JSON format, create a new config file (e.g. `immich.json`) and put it in a location that can be accessed by Immich.
+In JSON format, create a new config file (e.g. `immich.json`) and put it in a location mounted in the container that can be accessed by Immich.
+YAML-formatted config files are also supported.
 The default configuration looks like this:

 <details>
@@ -251,6 +252,15 @@ So you can just grab it from there, paste it into a file and you're pretty much
 In your `.env` file, set the variable `IMMICH_CONFIG_FILE` to the path of your config.
 For more information, refer to the [Environment Variables](/install/environment-variables.md) section.

-:::tip
-YAML-formatted config files are also supported.
-:::
+:::info Docker Compose
+In your `.env` file, the variables `UPLOAD_LOCATION` and `DB_DATA_LOCATION` concern the location on the host.
+However, the variable `IMMICH_CONFIG_FILE` concerns the location inside the container, and informs the `immich-server` container that a configuration file is present.
+
+It is recommended to reuse this variable in your `docker-compose.yml`:
+
+```yaml
+volumes:
+  - ./configuration.yml:${IMMICH_CONFIG_FILE}
+```
+
+::
--- a/docs/docs/install/synology.md
+++ b/docs/docs/install/synology.md
@@ -8,8 +8,6 @@ sidebar_position: 85
 This is a community contribution and not officially supported by the Immich team, but included here for convenience.

 Community support can be found in the dedicated channel on the [Discord Server](https://discord.immich.app/).
-
-**Please report app issues to the corresponding [Github Repository](https://github.com/truenas/charts/tree/master/community/immich).**
 :::

 Immich can easily be installed on a Synology NAS using Container Manager within DSM. If you have not installed Container Manager already, you can install it in the Packages Center. Refer to the [Container Manager docs](https://kb.synology.com/en-us/DSM/help/ContainerManager/docker_desc?version=7) for more information on using Container Manager.
--- a/docs/mise.toml
+++ b/docs/mise.toml
@@ -23,3 +23,9 @@ run = "prettier --check ."
 [tasks."format-fix"]
 env._.path = "./node_modules/.bin"
 run = "prettier --write ."
+
+[tasks.deploy]
+run = "wrangler pages deploy build --project-name=${PROJECT_NAME} --branch=${BRANCH_NAME}"
+
+[tools]
+wrangler = "4.66.0"
--- a/docs/package.json
+++ b/docs/package.json
@@ -58,6 +58,6 @@
    "node": ">=20"
  },
  "volta": {
-    "node": "24.13.0"
+    "node": "24.13.1"
  }
 }
--- a/e2e/.nvmrc
+++ b/e2e/.nvmrc
@@ -1 +1 @@
-24.13.0
+24.13.1
--- a/e2e/docker-compose.dev.yml
+++ b/e2e/docker-compose.dev.yml
@@ -1,86 +1,77 @@
 name: immich-e2e

 services:
+  immich-app-base:
+    extends:
+      file: ../docker/docker-compose.dev.yml
+      service: immich-app-base
+
+  immich-init:
+    extends:
+      file: ../docker/docker-compose.dev.yml
+      service: immich-init
+    container_name: immich-e2e-init
+
  immich-server:
+    extends:
+      file: ../docker/docker-compose.dev.yml
+      service: immich-server
    container_name: immich-e2e-server
-    command: ['immich-dev']
-    image: immich-server-dev:latest
-    build:
-      context: ../
-      dockerfile: server/Dockerfile.dev
-      target: dev
+    ports: !reset []
+    env_file: !reset []
    environment:
-      - DB_HOSTNAME=database
-      - DB_USERNAME=postgres
-      - DB_PASSWORD=postgres
-      - DB_DATABASE_NAME=immich
-      - IMMICH_MACHINE_LEARNING_ENABLED=false
-      - IMMICH_TELEMETRY_INCLUDE=all
-      - IMMICH_ENV=testing
-      - IMMICH_PORT=2285
-      - IMMICH_IGNORE_MOUNT_CHECK_ERRORS=true
+      DB_HOSTNAME: database
+      DB_USERNAME: postgres
+      DB_PASSWORD: postgres
+      DB_DATABASE_NAME: immich
+      IMMICH_MACHINE_LEARNING_ENABLED: 'false'
+      IMMICH_TELEMETRY_INCLUDE: all
+      IMMICH_ENV: testing
+      IMMICH_PORT: '2285'
+      IMMICH_IGNORE_MOUNT_CHECK_ERRORS: 'true'
    volumes:
      - ./test-assets:/test-assets
-      - ..:/usr/src/app
-      - ${UPLOAD_LOCATION}/photos:/data
-      - /etc/localtime:/etc/localtime:ro
-      - pnpm-store:/usr/src/app/.pnpm-store
-      - server-node_modules:/usr/src/app/server/node_modules
-      - web-node_modules:/usr/src/app/web/node_modules
-      - github-node_modules:/usr/src/app/.github/node_modules
-      - cli-node_modules:/usr/src/app/cli/node_modules
-      - docs-node_modules:/usr/src/app/docs/node_modules
-      - e2e-node_modules:/usr/src/app/e2e/node_modules
-      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
-      - app-node_modules:/usr/src/app/node_modules
-      - sveltekit:/usr/src/app/web/.svelte-kit
-      - coverage:/usr/src/app/web/coverage
-      - ../plugins:/build/corePlugin
    depends_on:
+      immich-init:
+        condition: service_healthy
      redis:
        condition: service_started
      database:
        condition: service_healthy

  immich-web:
+    extends:
+      file: ../docker/docker-compose.dev.yml
+      service: immich-web
    container_name: immich-e2e-web
-    image: immich-web-dev:latest
-    build:
-      context: ../
-      dockerfile: server/Dockerfile.dev
-      target: dev
-    command: ['immich-web']
-    ports:
+    ports: !override
      - 2285:3000
    environment:
-      - IMMICH_SERVER_URL=http://immich-server:2285/
-    volumes:
-      - ..:/usr/src/app
-      - pnpm-store:/usr/src/app/.pnpm-store
-      - server-node_modules:/usr/src/app/server/node_modules
-      - web-node_modules:/usr/src/app/web/node_modules
-      - github-node_modules:/usr/src/app/.github/node_modules
-      - cli-node_modules:/usr/src/app/cli/node_modules
-      - docs-node_modules:/usr/src/app/docs/node_modules
-      - e2e-node_modules:/usr/src/app/e2e/node_modules
-      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
-      - app-node_modules:/usr/src/app/node_modules
-      - sveltekit:/usr/src/app/web/.svelte-kit
-      - coverage:/usr/src/app/web/coverage
+      IMMICH_SERVER_URL: http://immich-server:2285/
+    depends_on:
+      immich-init:
+        condition: service_healthy
    restart: unless-stopped

  redis:
-    image: redis:6.2-alpine@sha256:46884be93652d02a96a176ccf173d1040bef365c5706aa7b6a1931caec8bfeef
+    extends:
+      file: ../docker/docker-compose.dev.yml
+      service: redis
+    container_name: immich-e2e-redis

  database:
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0@sha256:6f3e9d2c2177af16c2988ff71425d79d89ca630ec2f9c8db03209ab716542338
+    extends:
+      file: ../docker/docker-compose.dev.yml
+      service: database
+    container_name: immich-e2e-postgres
    command: -c fsync=off -c shared_preload_libraries=vchord.so -c config_file=/var/lib/postgresql/data/postgresql.conf
+    env_file: !reset []
+    ports: !override
+      - 5435:5432
    environment:
      POSTGRES_PASSWORD: postgres
      POSTGRES_USER: postgres
      POSTGRES_DB: immich
-    ports:
-      - 5435:5432
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U postgres -d immich']
      interval: 1s
@@ -89,17 +80,19 @@ services:
      start_period: 10s

 volumes:
-  model-cache:
-  prometheus-data:
-  grafana-data:
-  pnpm-store:
-  server-node_modules:
-  web-node_modules:
-  github-node_modules:
-  cli-node_modules:
-  docs-node_modules:
-  e2e-node_modules:
-  sdk-node_modules:
-  app-node_modules:
+  model_cache:
+  prometheus_data:
+  grafana_data:
+  pnpm_cache:
+  pnpm_store_server:
+  pnpm_store_web:
+  server_node_modules:
+  web_node_modules:
+  github_node_modules:
+  cli_node_modules:
+  docs_node_modules:
+  e2e_node_modules:
+  sdk_node_modules:
+  app_node_modules:
  sveltekit:
  coverage:
--- a/e2e/docker-compose.yml
+++ b/e2e/docker-compose.yml
@@ -2,6 +2,7 @@ name: immich-e2e

 services:
  e2e-auth-server:
+    container_name: immich-e2e-auth-server
    build:
      context: ../e2e-auth-server
    ports:
@@ -22,15 +23,15 @@ services:
        - BUILD_SOURCE_REF=e2e
        - BUILD_SOURCE_COMMIT=e2eeeeeeeeeeeeeeeeee
    environment:
-      - DB_HOSTNAME=database
-      - DB_USERNAME=postgres
-      - DB_PASSWORD=postgres
-      - DB_DATABASE_NAME=immich
-      - IMMICH_MACHINE_LEARNING_ENABLED=false
-      - IMMICH_TELEMETRY_INCLUDE=all
-      - IMMICH_ENV=testing
-      - IMMICH_PORT=2285
-      - IMMICH_IGNORE_MOUNT_CHECK_ERRORS=true
+      DB_HOSTNAME: database
+      DB_USERNAME: postgres
+      DB_PASSWORD: postgres
+      DB_DATABASE_NAME: immich
+      IMMICH_MACHINE_LEARNING_ENABLED: 'false'
+      IMMICH_TELEMETRY_INCLUDE: all
+      IMMICH_ENV: testing
+      IMMICH_PORT: '2285'
+      IMMICH_IGNORE_MOUNT_CHECK_ERRORS: 'true'
    volumes:
      - ./test-assets:/test-assets
    depends_on:
@@ -42,10 +43,14 @@ services:
      - 2285:2285

  redis:
-    image: redis:6.2-alpine@sha256:46884be93652d02a96a176ccf173d1040bef365c5706aa7b6a1931caec8bfeef
+    container_name: immich-e2e-redis
+    image: docker.io/valkey/valkey:9@sha256:930b41430fb727f533c5982fe509b6f04233e26d0f7354e04de4b0d5c706e44e
+    healthcheck:
+      test: redis-cli ping || exit 1

  database:
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0@sha256:6f3e9d2c2177af16c2988ff71425d79d89ca630ec2f9c8db03209ab716542338
+    container_name: immich-e2e-postgres
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
    command: -c fsync=off -c shared_preload_libraries=vchord.so -c config_file=/var/lib/postgresql/data/postgresql.conf
    environment:
      POSTGRES_PASSWORD: postgres
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -7,8 +7,13 @@
  "scripts": {
    "test": "vitest --run",
    "test:watch": "vitest",
-    "test:web": "npx playwright test",
-    "start:web": "npx playwright test --ui",
+    "test:maintenance": "vitest --run --config vitest.maintenance.config.ts",
+    "test:web": "npx playwright test --project=web",
+    "test:web:maintenance": "npx playwright test --project=maintenance",
+    "test:web:ui": "npx playwright test --project=ui",
+    "start:web": "npx playwright test --ui --project=web",
+    "start:web:maintenance": "npx playwright test --ui --project=maintenance",
+    "start:web:ui": "npx playwright test --ui --project=ui",
    "format": "prettier --check .",
    "format:fix": "prettier --write .",
    "lint": "eslint \"src/**/*.ts\" --max-warnings 0",
@@ -21,13 +26,13 @@
  "devDependencies": {
    "@eslint/js": "^9.8.0",
    "@faker-js/faker": "^10.1.0",
-    "@immich/cli": "file:../cli",
-    "@immich/e2e-auth-server": "file:../e2e-auth-server",
-    "@immich/sdk": "file:../open-api/typescript-sdk",
+    "@immich/cli": "workspace:*",
+    "@immich/e2e-auth-server":  "workspace:*",
+    "@immich/sdk": "workspace:*",
    "@playwright/test": "^1.44.1",
    "@socket.io/component-emitter": "^3.1.2",
    "@types/luxon": "^3.4.2",
-    "@types/node": "^24.10.11",
+    "@types/node": "^24.10.13",
    "@types/pg": "^8.15.1",
    "@types/pngjs": "^6.0.4",
    "@types/supertest": "^6.0.2",
@@ -52,6 +57,6 @@
    "vitest": "^3.0.0"
  },
  "volta": {
-    "node": "24.13.0"
+    "node": "24.13.1"
  }
 }
--- a/e2e/playwright.config.ts
+++ b/e2e/playwright.config.ts
@@ -3,7 +3,7 @@ import dotenv from 'dotenv';
 import { cpus } from 'node:os';
 import { resolve } from 'node:path';

-dotenv.config({ path: resolve(import.meta.dirname, '.env') });
+dotenv.config({ quiet: true, path: resolve(import.meta.dirname, '.env') });

 export const playwrightHost = process.env.PLAYWRIGHT_HOST ?? '127.0.0.1';
 export const playwrightDbHost = process.env.PLAYWRIGHT_DB_HOST ?? '127.0.0.1';
@@ -48,7 +48,7 @@ const config: PlaywrightTestConfig = {
    {
      name: 'maintenance',
      use: { ...devices['Desktop Chrome'] },
-      testDir: './src/specs/maintenance',
+      testDir: './src/specs/maintenance/web',
      workers: 1,
    },
  ],
--- a/e2e/src/specs/maintenance/server/database-backups.e2e-spec.ts
+++ b/e2e/src/specs/maintenance/server/database-backups.e2e-spec.ts
--- a/e2e/src/specs/maintenance/server/maintenance.e2e-spec.ts
+++ b/e2e/src/specs/maintenance/server/maintenance.e2e-spec.ts
--- a/e2e/src/specs/maintenance/web/database-backups.e2e-spec.ts
+++ b/e2e/src/specs/maintenance/web/database-backups.e2e-spec.ts
--- a/e2e/src/specs/maintenance/web/maintenance.e2e-spec.ts
+++ b/e2e/src/specs/maintenance/web/maintenance.e2e-spec.ts
--- a/e2e/src/specs/server/api/asset.e2e-spec.ts
+++ b/e2e/src/specs/server/api/asset.e2e-spec.ts
@@ -253,7 +253,8 @@ describe('/asset', () => {

        expect(status).toBe(200);
        expect(body.id).toEqual(facesAsset.id);
-        expect(body.people).toMatchObject(expectedFaces);
+        const sortedPeople = body.people.toSorted((a: any, b: any) => a.name.localeCompare(b.name));
+        expect(sortedPeople).toMatchObject(expectedFaces);
      });
    });

--- a/e2e/src/ui/specs/timeline/utils.ts
+++ b/e2e/src/ui/specs/timeline/utils.ts
@@ -65,7 +65,7 @@ export const thumbnailUtils = {
    return page.locator(`[data-thumbnail-focus-container][data-asset="${assetId}"] button`);
  },
  selectedAsset(page: Page) {
-    return page.locator('[data-thumbnail-focus-container]:has(button[aria-checked])');
+    return page.locator('[data-thumbnail-focus-container][data-selected]');
  },
  async clickAssetId(page: Page, assetId: string) {
    await thumbnailUtils.withAssetId(page, assetId).click();
@@ -103,11 +103,8 @@ export const thumbnailUtils = {
    await expect(thumbnailUtils.withAssetId(page, assetId).locator('[data-icon-archive]')).toHaveCount(0);
  },
  async expectSelectedReadonly(page: Page, assetId: string) {
-    // todo - need a data attribute for selected
    await expect(
-      page.locator(
-        `[data-thumbnail-focus-container][data-asset="${assetId}"] > .group.cursor-not-allowed > .rounded-xl`,
-      ),
+      page.locator(`[data-thumbnail-focus-container][data-asset="${assetId}"][data-selected]`),
    ).toBeVisible();
  },
  async expectTimelineHasOnScreenAssets(page: Page) {
--- a/e2e/vitest.config.ts
+++ b/e2e/vitest.config.ts
@@ -1,15 +1,20 @@
 import { defineConfig } from 'vitest/config';

-// skip `docker compose up` if `make e2e` was already run
+const skipDockerSetup = process.env.VITEST_DISABLE_DOCKER_SETUP === 'true';
+
+// skip `docker compose up` if `make e2e` was already run or if VITEST_DISABLE_DOCKER_SETUP is set
 const globalSetup: string[] = [];
-try {
-  await fetch('http://127.0.0.1:2285/api/server/ping');
-} catch {
-  globalSetup.push('src/docker-compose.ts');
+if (!skipDockerSetup) {
+  try {
+    await fetch('http://127.0.0.1:2285/api/server/ping');
+  } catch {
+    globalSetup.push('src/docker-compose.ts');
+  }
 }

 export default defineConfig({
  test: {
+    retry: process.env.CI ? 4 : 0,
    include: ['src/specs/server/**/*.e2e-spec.ts'],
    globalSetup,
    testTimeout: 15_000,
--- a/e2e/vitest.maintenance.config.ts
+++ b/e2e/vitest.maintenance.config.ts
@@ -0,0 +1,28 @@
+import { defineConfig } from 'vitest/config';
+
+const skipDockerSetup = process.env.VITEST_DISABLE_DOCKER_SETUP === 'true';
+
+// skip `docker compose up` if `make e2e` was already run or if VITEST_DISABLE_DOCKER_SETUP is set
+const globalSetup: string[] = [];
+if (!skipDockerSetup) {
+  try {
+    await fetch('http://127.0.0.1:2285/api/server/ping');
+  } catch {
+    globalSetup.push('src/docker-compose.ts');
+  }
+}
+
+export default defineConfig({
+  test: {
+    retry: process.env.CI ? 4 : 0,
+    include: ['src/specs/maintenance/server/**/*.e2e-spec.ts'],
+    globalSetup,
+    testTimeout: 15_000,
+    pool: 'threads',
+    poolOptions: {
+      threads: {
+        singleThread: true,
+      },
+    },
+  },
+});
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -1218,6 +1218,7 @@
  "filter_description": "Conditions to filter the target assets",
  "filter_people": "Filter people",
  "filter_places": "Filter places",
+  "filter_tags": "Filter tags",
  "filters": "Filters",
  "find_them_fast": "Find them fast by name with search",
  "first": "First",
@@ -1945,6 +1946,7 @@
  "search_filter_ocr": "Search by OCR",
  "search_filter_people_title": "Select people",
  "search_filter_star_rating": "Star Rating",
+  "search_filter_tags_title": "Select tags",
  "search_for": "Search for",
  "search_for_existing_person": "Search for existing person",
  "search_no_more_result": "No more results",
--- a/machine-learning/pyproject.toml
+++ b/machine-learning/pyproject.toml
@@ -8,7 +8,6 @@ readme = "README.md"
 dependencies = [
    "aiocache>=0.12.1,<1.0",
    "fastapi>=0.95.2,<1.0",
-    "ftfy>=6.1.1",
    "gunicorn>=21.1.0",
    "huggingface-hub>=0.20.1,<1.0",
    "insightface>=0.7.3,<1.0",
--- a/mise.toml
+++ b/mise.toml
@@ -14,15 +14,15 @@ config_roots = [
 ]

 [tools]
-node = "24.13.0"
+node = "24.13.1"
 flutter = "3.35.7"
-pnpm = "10.28.2"
+pnpm = "10.29.3"
 terragrunt = "0.98.0"
 opentofu = "1.11.4"
 java = "21.0.2"

 [tools."github:CQLabs/homebrew-dcm"]
-version = "1.30.0"
+version = "1.35.1"
 bin = "dcm"
 postinstall = "chmod +x $MISE_TOOL_INSTALL_PATH/dcm"

@@ -37,13 +37,12 @@ run = "pnpm install --filter @immich/sdk --frozen-lockfile"

 [tasks."sdk:build"]
 dir = "open-api/typescript-sdk"
-env._.path = "./node_modules/.bin"
-run = "tsc"
+run = "pnpm run build"

 # i18n tasks
 [tasks."i18n:format"]
 dir = "i18n"
-run = { task = ":i18n:format-fix" }
+run = "pnpm run format"

 [tasks."i18n:format-fix"]
 dir = "i18n"
--- a/mobile/android/app/build.gradle
+++ b/mobile/android/app/build.gradle
@@ -81,6 +81,7 @@ android {

    release {
      signingConfig signingConfigs.release
+      proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
    }
  }
  namespace 'app.alextran.immich'
--- a/mobile/android/app/proguard-rules.pro
+++ b/mobile/android/app/proguard-rules.pro
@@ -36,4 +36,12 @@
 ##---------------End: proguard configuration for Gson  ----------

 # Keep all widget model classes and their fields for Gson
-keep class app.alextran.immich.widget.model.** { *; }
+-keep class app.alextran.immich.widget.model.** { *; }
+
+##---------------Begin: proguard configuration for ok_http JNI ----------
+# The ok_http Dart plugin accesses OkHttp and Okio classes via JNI
+# string-based reflection (JClass.forName), which R8 cannot trace.
+-keep class okhttp3.** { *; }
+-keep class okio.** { *; }
+-keep class com.example.ok_http.** { *; }
+##---------------End: proguard configuration for ok_http JNI ----------
--- a/mobile/android/app/src/main/cpp/native_buffer.c
+++ b/mobile/android/app/src/main/cpp/native_buffer.c
@@ -36,3 +36,17 @@ Java_app_alextran_immich_NativeBuffer_copy(
        memcpy((void *) destAddress, (char *) src + offset, length);
    }
 }
+
+/**
+ * Creates a JNI global reference to the given object and returns its address.
+ * The caller is responsible for deleting the global reference when it's no longer needed.
+ */
+JNIEXPORT jlong JNICALL
+Java_app_alextran_immich_NativeBuffer_createGlobalRef(JNIEnv *env, jobject clazz, jobject obj) {
+    if (obj == NULL) {
+        return 0;
+    }
+
+    jobject globalRef = (*env)->NewGlobalRef(env, obj);
+    return (jlong) globalRef;
+}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/NativeBuffer.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/NativeBuffer.kt
@@ -23,6 +23,9 @@ object NativeBuffer {

  @JvmStatic
  external fun copy(buffer: ByteBuffer, destAddress: Long, offset: Int, length: Int)
+
+  @JvmStatic
+  external fun createGlobalRef(obj: Any): Long
 }

 class NativeByteBuffer(initialCapacity: Int) {
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/core/HttpClientManager.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/core/HttpClientManager.kt
@@ -1,11 +1,18 @@
 package app.alextran.immich.core

 import android.content.Context
+import android.content.SharedPreferences
+import android.security.KeyChain
+import androidx.core.content.edit
 import app.alextran.immich.BuildConfig
+import app.alextran.immich.NativeBuffer
 import okhttp3.Cache
 import okhttp3.ConnectionPool
 import okhttp3.Dispatcher
+import okhttp3.Headers
+import okhttp3.Credentials
 import okhttp3.OkHttpClient
+import org.json.JSONObject
 import java.io.ByteArrayInputStream
 import java.io.File
 import java.net.Socket
@@ -20,8 +27,11 @@ import javax.net.ssl.TrustManagerFactory
 import javax.net.ssl.X509KeyManager
 import javax.net.ssl.X509TrustManager

-const val CERT_ALIAS = "client_cert"
 const val USER_AGENT = "Immich_Android_${BuildConfig.VERSION_NAME}"
+private const val CERT_ALIAS = "client_cert"
+private const val PREFS_NAME = "immich.ssl"
+private const val PREFS_CERT_ALIAS = "immich.client_cert"
+private const val PREFS_HEADERS = "immich.request_headers"

 /**
 * Manages a shared OkHttpClient with SSL configuration support.
@@ -36,22 +46,56 @@ object HttpClientManager {
  private val clientChangedListeners = mutableListOf<() -> Unit>()

  private lateinit var client: OkHttpClient
+  private lateinit var appContext: Context
+  private lateinit var prefs: SharedPreferences

  private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

-  val isMtls: Boolean get() = keyStore.containsAlias(CERT_ALIAS)
+  var keyChainAlias: String? = null
+    private set
+
+  var headers: Headers = Headers.headersOf()
+    private set
+
+  val isMtls: Boolean get() = keyChainAlias != null || keyStore.containsAlias(CERT_ALIAS)

  fun initialize(context: Context) {
    if (initialized) return
    synchronized(this) {
      if (initialized) return

+      appContext = context.applicationContext
+      prefs = appContext.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
+      keyChainAlias = prefs.getString(PREFS_CERT_ALIAS, null)
+
+      val savedHeaders = prefs.getString(PREFS_HEADERS, null)
+      if (savedHeaders != null) {
+        val json = JSONObject(savedHeaders)
+        val builder = Headers.Builder()
+        for (key in json.keys()) {
+          builder.add(key, json.getString(key))
+        }
+        headers = builder.build()
+      }
+
      val cacheDir = File(File(context.cacheDir, "okhttp"), "api")
      client = build(cacheDir)
      initialized = true
    }
  }

+  fun setKeyChainAlias(alias: String) {
+    synchronized(this) {
+      val wasMtls = isMtls
+      keyChainAlias = alias
+      prefs.edit { putString(PREFS_CERT_ALIAS, alias) }
+
+      if (wasMtls != isMtls) {
+        clientChangedListeners.forEach { it() }
+      }
+    }
+  }
+
  fun setKeyEntry(clientData: ByteArray, password: CharArray) {
    synchronized(this) {
      val wasMtls = isMtls
@@ -63,7 +107,7 @@ object HttpClientManager {
      val key = tmpKeyStore.getKey(tmpAlias, password)
      val chain = tmpKeyStore.getCertificateChain(tmpAlias)

-      if (wasMtls) {
+      if (keyStore.containsAlias(CERT_ALIAS)) {
        keyStore.deleteEntry(CERT_ALIAS)
      }
      keyStore.setKeyEntry(CERT_ALIAS, key, null, chain)
@@ -75,24 +119,50 @@ object HttpClientManager {

  fun deleteKeyEntry() {
    synchronized(this) {
-      if (!isMtls) {
-        return
+      val wasMtls = isMtls
+
+      if (keyChainAlias != null) {
+        keyChainAlias = null
+        prefs.edit { remove(PREFS_CERT_ALIAS) }
      }

      keyStore.deleteEntry(CERT_ALIAS)
-      clientChangedListeners.forEach { it() }
+
+      if (wasMtls) {
+        clientChangedListeners.forEach { it() }
+      }
    }
  }

+  private var clientGlobalRef: Long = 0L
+
  @JvmStatic
  fun getClient(): OkHttpClient {
    return client
  }

+  fun getClientPointer(): Long {
+    if (clientGlobalRef == 0L) {
+      clientGlobalRef = NativeBuffer.createGlobalRef(client)
+    }
+    return clientGlobalRef
+  }
+
  fun addClientChangedListener(listener: () -> Unit) {
    synchronized(this) { clientChangedListeners.add(listener) }
  }

+  fun setRequestHeaders(headerMap: Map<String, String>) {
+    synchronized(this) {
+      val builder = Headers.Builder()
+      headerMap.forEach { (key, value) -> builder[key] = value }
+      val newHeaders = builder.build()
+      if (headers == newHeaders) return
+      headers = newHeaders
+      prefs.edit { putString(PREFS_HEADERS, JSONObject(headerMap).toString()) }
+    }
+  }
+
  private fun build(cacheDir: File): OkHttpClient {
    val connectionPool = ConnectionPool(
      maxIdleConnections = KEEP_ALIVE_CONNECTIONS,
@@ -109,8 +179,16 @@ object HttpClientManager {
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.socketFactory)

    return OkHttpClient.Builder()
-      .addInterceptor { chain ->
-        chain.proceed(chain.request().newBuilder().header("User-Agent", USER_AGENT).build())
+      .addInterceptor {
+        val request = it.request()
+        val builder = request.newBuilder()
+        builder.header("User-Agent", USER_AGENT)
+        headers.forEach { (key, value) -> builder.header(key, value) }
+        val url = request.url
+        if (url.username.isNotEmpty()) {
+          builder.header("Authorization", Credentials.basic(url.username, url.password))
+        }
+        it.proceed(builder.build())
      }
      .connectionPool(connectionPool)
      .dispatcher(Dispatcher().apply { maxRequestsPerHost = MAX_REQUESTS_PER_HOST })
@@ -119,23 +197,39 @@ object HttpClientManager {
      .build()
  }

-  // Reads from the key store rather than taking a snapshot at initialization time
+  /**
+   * Resolves client certificates dynamically at TLS handshake time.
+   * Checks the system KeyChain alias first, then falls back to the app's private KeyStore.
+   */
  private class DynamicKeyManager : X509KeyManager {
-    override fun getClientAliases(keyType: String, issuers: Array<Principal>?): Array<String>? =
-      if (isMtls) arrayOf(CERT_ALIAS) else null
+    override fun getClientAliases(keyType: String, issuers: Array<Principal>?): Array<String>? {
+      val alias = chooseClientAlias(arrayOf(keyType), issuers, null) ?: return null
+      return arrayOf(alias)
+    }

    override fun chooseClientAlias(
      keyTypes: Array<String>,
      issuers: Array<Principal>?,
      socket: Socket?
-    ): String? =
-      if (isMtls) CERT_ALIAS else null
+    ): String? {
+      keyChainAlias?.let { return it }
+      if (keyStore.containsAlias(CERT_ALIAS)) return CERT_ALIAS
+      return null
+    }

-    override fun getCertificateChain(alias: String): Array<X509Certificate>? =
-      keyStore.getCertificateChain(alias)?.map { it as X509Certificate }?.toTypedArray()
+    override fun getCertificateChain(alias: String): Array<X509Certificate>? {
+      if (alias == keyChainAlias) {
+        return KeyChain.getCertificateChain(appContext, alias)
+      }
+      return keyStore.getCertificateChain(alias)?.map { it as X509Certificate }?.toTypedArray()
+    }

-    override fun getPrivateKey(alias: String): PrivateKey? =
-      keyStore.getKey(alias, null) as? PrivateKey
+    override fun getPrivateKey(alias: String): PrivateKey? {
+      if (alias == keyChainAlias) {
+        return KeyChain.getPrivateKey(appContext, alias)
+      }
+      return keyStore.getKey(alias, null) as? PrivateKey
+    }

    override fun getServerAliases(keyType: String, issuers: Array<Principal>?): Array<String>? =
      null
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt
@@ -180,8 +180,11 @@ private open class NetworkPigeonCodec : StandardMessageCodec() {
 /** Generated interface from Pigeon that represents a handler of messages from Flutter. */
 interface NetworkApi {
  fun addCertificate(clientData: ClientCertData, callback: (Result<Unit>) -> Unit)
-  fun selectCertificate(promptText: ClientCertPrompt, callback: (Result<ClientCertData>) -> Unit)
+  fun selectCertificate(promptText: ClientCertPrompt, callback: (Result<Unit>) -> Unit)
  fun removeCertificate(callback: (Result<Unit>) -> Unit)
+  fun hasCertificate(): Boolean
+  fun getClientPointer(): Long
+  fun setRequestHeaders(headers: Map<String, String>, serverUrls: List<String>)

  companion object {
    /** The codec used by NetworkApi. */
@@ -217,13 +220,12 @@ interface NetworkApi {
          channel.setMessageHandler { message, reply ->
            val args = message as List<Any?>
            val promptTextArg = args[0] as ClientCertPrompt
-            api.selectCertificate(promptTextArg) { result: Result<ClientCertData> ->
+            api.selectCertificate(promptTextArg) { result: Result<Unit> ->
              val error = result.exceptionOrNull()
              if (error != null) {
                reply.reply(NetworkPigeonUtils.wrapError(error))
              } else {
-                val data = result.getOrNull()
-                reply.reply(NetworkPigeonUtils.wrapResult(data))
+                reply.reply(NetworkPigeonUtils.wrapResult(null))
              }
            }
          }
@@ -248,6 +250,55 @@ interface NetworkApi {
          channel.setMessageHandler(null)
        }
      }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.hasCertificate$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { _, reply ->
+            val wrapped: List<Any?> = try {
+              listOf(api.hasCertificate())
+            } catch (exception: Throwable) {
+              NetworkPigeonUtils.wrapError(exception)
+            }
+            reply.reply(wrapped)
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.getClientPointer$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { _, reply ->
+            val wrapped: List<Any?> = try {
+              listOf(api.getClientPointer())
+            } catch (exception: Throwable) {
+              NetworkPigeonUtils.wrapError(exception)
+            }
+            reply.reply(wrapped)
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.setRequestHeaders$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { message, reply ->
+            val args = message as List<Any?>
+            val headersArg = args[0] as Map<String, String>
+            val serverUrlsArg = args[1] as List<String>
+            val wrapped: List<Any?> = try {
+              api.setRequestHeaders(headersArg, serverUrlsArg)
+              listOf(null)
+            } catch (exception: Throwable) {
+              NetworkPigeonUtils.wrapError(exception)
+            }
+            reply.reply(wrapped)
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
    }
  }
 }
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/core/NetworkApiPlugin.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/core/NetworkApiPlugin.kt
@@ -2,20 +2,9 @@ package app.alextran.immich.core

 import android.app.Activity
 import android.content.Context
-import android.net.Uri
 import android.os.OperationCanceledException
-import android.text.InputType
-import android.view.ContextThemeWrapper
-import android.view.ViewGroup.LayoutParams.MATCH_PARENT
-import android.view.ViewGroup.LayoutParams.WRAP_CONTENT
-import android.widget.FrameLayout
-import android.widget.LinearLayout
-import androidx.activity.ComponentActivity
-import androidx.activity.result.ActivityResultLauncher
-import androidx.activity.result.contract.ActivityResultContracts
-import com.google.android.material.dialog.MaterialAlertDialogBuilder
-import com.google.android.material.textfield.TextInputEditText
-import com.google.android.material.textfield.TextInputLayout
+import android.security.KeyChain
+import app.alextran.immich.NativeBuffer
 import io.flutter.embedding.engine.plugins.FlutterPlugin
 import io.flutter.embedding.engine.plugins.activity.ActivityAware
 import io.flutter.embedding.engine.plugins.activity.ActivityPluginBinding
@@ -24,7 +13,7 @@ class NetworkApiPlugin : FlutterPlugin, ActivityAware {
  private var networkApi: NetworkApiImpl? = null

  override fun onAttachedToEngine(binding: FlutterPlugin.FlutterPluginBinding) {
-    networkApi = NetworkApiImpl(binding.applicationContext)
+    networkApi = NetworkApiImpl()
    NetworkApi.setUp(binding.binaryMessenger, networkApi)
  }

@@ -34,48 +23,24 @@ class NetworkApiPlugin : FlutterPlugin, ActivityAware {
  }

  override fun onAttachedToActivity(binding: ActivityPluginBinding) {
-    networkApi?.onAttachedToActivity(binding)
+    networkApi?.activity = binding.activity
  }

  override fun onDetachedFromActivityForConfigChanges() {
-    networkApi?.onDetachedFromActivityForConfigChanges()
+    networkApi?.activity = null
  }

  override fun onReattachedToActivityForConfigChanges(binding: ActivityPluginBinding) {
-    networkApi?.onReattachedToActivityForConfigChanges(binding)
+    networkApi?.activity = binding.activity
  }

  override fun onDetachedFromActivity() {
-    networkApi?.onDetachedFromActivity()
+    networkApi?.activity = null
  }
 }

-private class NetworkApiImpl(private val context: Context) : NetworkApi {
-  private var activity: Activity? = null
-  private var pendingCallback: ((Result<ClientCertData>) -> Unit)? = null
-  private var filePicker: ActivityResultLauncher<Array<String>>? = null
-  private var promptText: ClientCertPrompt? = null
-
-  fun onAttachedToActivity(binding: ActivityPluginBinding) {
-    activity = binding.activity
-    (binding.activity as? ComponentActivity)?.let { componentActivity ->
-      filePicker = componentActivity.registerForActivityResult(
-        ActivityResultContracts.OpenDocument()
-      ) { uri -> uri?.let { handlePickedFile(it) } ?: pendingCallback?.invoke(Result.failure(OperationCanceledException())) }
-    }
-  }
-
-  fun onDetachedFromActivityForConfigChanges() {
-    activity = null
-  }
-
-  fun onReattachedToActivityForConfigChanges(binding: ActivityPluginBinding) {
-    activity = binding.activity
-  }
-
-  fun onDetachedFromActivity() {
-    activity = null
-  }
+private class NetworkApiImpl() : NetworkApi {
+  var activity: Activity? = null

  override fun addCertificate(clientData: ClientCertData, callback: (Result<Unit>) -> Unit) {
    try {
@@ -86,11 +51,19 @@ private class NetworkApiImpl(private val context: Context) : NetworkApi {
    }
  }

-  override fun selectCertificate(promptText: ClientCertPrompt, callback: (Result<ClientCertData>) -> Unit) {
-    val picker = filePicker ?: return callback(Result.failure(IllegalStateException("No activity")))
-    pendingCallback = callback
-    this.promptText = promptText
-    picker.launch(arrayOf("application/x-pkcs12", "application/x-pem-file"))
+  override fun selectCertificate(promptText: ClientCertPrompt, callback: (Result<Unit>) -> Unit) {
+    val currentActivity = activity
+      ?: return callback(Result.failure(IllegalStateException("No activity")))
+
+    val onAlias = { alias: String? ->
+      if (alias != null) {
+        HttpClientManager.setKeyChainAlias(alias)
+        callback(Result.success(Unit))
+      } else {
+        callback(Result.failure(OperationCanceledException()))
+      }
+    }
+    KeyChain.choosePrivateKeyAlias(currentActivity, onAlias, null, null, null, null)
  }

  override fun removeCertificate(callback: (Result<Unit>) -> Unit) {
@@ -98,62 +71,15 @@ private class NetworkApiImpl(private val context: Context) : NetworkApi {
    callback(Result.success(Unit))
  }

-  private fun handlePickedFile(uri: Uri) {
-    val callback = pendingCallback ?: return
-    pendingCallback = null
-
-    try {
-      val data = context.contentResolver.openInputStream(uri)?.use { it.readBytes() }
-        ?: throw IllegalStateException("Could not read file")
-
-      val activity = activity ?: throw IllegalStateException("No activity")
-      promptForPassword(activity) { password ->
-        promptText = null
-        if (password == null) {
-          callback(Result.failure(OperationCanceledException()))
-          return@promptForPassword
-        }
-        try {
-          HttpClientManager.setKeyEntry(data, password.toCharArray())
-          callback(Result.success(ClientCertData(data, password)))
-        } catch (e: Exception) {
-          callback(Result.failure(e))
-        }
-      }
-    } catch (e: Exception) {
-      callback(Result.failure(e))
-    }
+  override fun hasCertificate(): Boolean {
+    return HttpClientManager.isMtls
  }

-  private fun promptForPassword(activity: Activity, callback: (String?) -> Unit) {
-    val themedContext = ContextThemeWrapper(activity, com.google.android.material.R.style.Theme_Material3_DayNight_Dialog)
-    val density = activity.resources.displayMetrics.density
-    val horizontalPadding = (24 * density).toInt()
+  override fun getClientPointer(): Long {
+    return HttpClientManager.getClientPointer()
+  }

-    val textInputLayout = TextInputLayout(themedContext).apply {
-      hint = "Password"
-      endIconMode = TextInputLayout.END_ICON_PASSWORD_TOGGLE
-      layoutParams = FrameLayout.LayoutParams(MATCH_PARENT, WRAP_CONTENT).apply {
-        setMargins(horizontalPadding, 0, horizontalPadding, 0)
-      }
-    }
-
-    val editText = TextInputEditText(textInputLayout.context).apply {
-      inputType = InputType.TYPE_CLASS_TEXT or InputType.TYPE_TEXT_VARIATION_PASSWORD
-      layoutParams = LinearLayout.LayoutParams(MATCH_PARENT, WRAP_CONTENT)
-    }
-    textInputLayout.addView(editText)
-
-    val container = FrameLayout(themedContext).apply { addView(textInputLayout) }
-
-    val text = promptText!!
-    MaterialAlertDialogBuilder(themedContext)
-      .setTitle(text.title)
-      .setMessage(text.message)
-      .setView(container)
-      .setPositiveButton(text.confirm) { _, _ -> callback(editText.text.toString()) }
-      .setNegativeButton(text.cancel) { _, _ -> callback(null) }
-      .setOnCancelListener { callback(null) }
-      .show()
+  override fun setRequestHeaders(headers: Map<String, String>, serverUrls: List<String>) {
+    HttpClientManager.setRequestHeaders(headers)
  }
 }
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImages.g.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImages.g.kt
@@ -47,7 +47,7 @@ private open class RemoteImagesPigeonCodec : StandardMessageCodec() {

 /** Generated interface from Pigeon that represents a handler of messages from Flutter. */
 interface RemoteImageApi {
-  fun requestImage(url: String, headers: Map<String, String>, requestId: Long, callback: (Result<Map<String, Long>?>) -> Unit)
+  fun requestImage(url: String, requestId: Long, callback: (Result<Map<String, Long>?>) -> Unit)
  fun cancelRequest(requestId: Long)
  fun clearCache(callback: (Result<Long>) -> Unit)

@@ -66,9 +66,8 @@ interface RemoteImageApi {
          channel.setMessageHandler { message, reply ->
            val args = message as List<Any?>
            val urlArg = args[0] as String
-            val headersArg = args[1] as Map<String, String>
-            val requestIdArg = args[2] as Long
-            api.requestImage(urlArg, headersArg, requestIdArg) { result: Result<Map<String, Long>?> ->
+            val requestIdArg = args[1] as Long
+            api.requestImage(urlArg, requestIdArg) { result: Result<Map<String, Long>?> ->
              val error = result.exceptionOrNull()
              if (error != null) {
                reply.reply(RemoteImagesPigeonUtils.wrapError(error))
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImagesImpl.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImagesImpl.kt
@@ -15,6 +15,8 @@ import okhttp3.Callback
 import okhttp3.OkHttpClient
 import okhttp3.Request
 import okhttp3.Response
+import okhttp3.Credentials
+import okhttp3.HttpUrl.Companion.toHttpUrlOrNull
 import org.chromium.net.CronetEngine
 import org.chromium.net.CronetException
 import org.chromium.net.UrlRequest
@@ -49,7 +51,6 @@ class RemoteImagesImpl(context: Context) : RemoteImageApi {

  override fun requestImage(
    url: String,
-    headers: Map<String, String>,
    requestId: Long,
    callback: (Result<Map<String, Long>?>) -> Unit
  ) {
@@ -58,7 +59,6 @@ class RemoteImagesImpl(context: Context) : RemoteImageApi {

    ImageFetcherManager.fetch(
      url,
-      headers,
      signal,
      onSuccess = { buffer ->
        requestMap.remove(requestId)
@@ -119,12 +119,11 @@ private object ImageFetcherManager {

  fun fetch(
    url: String,
-    headers: Map<String, String>,
    signal: CancellationSignal,
    onSuccess: (NativeByteBuffer) -> Unit,
    onFailure: (Exception) -> Unit,
  ) {
-    fetcher.fetch(url, headers, signal, onSuccess, onFailure)
+    fetcher.fetch(url, signal, onSuccess, onFailure)
  }

  fun clearCache(onCleared: (Result<Long>) -> Unit) {
@@ -151,7 +150,6 @@ private object ImageFetcherManager {
 private sealed interface ImageFetcher {
  fun fetch(
    url: String,
-    headers: Map<String, String>,
    signal: CancellationSignal,
    onSuccess: (NativeByteBuffer) -> Unit,
    onFailure: (Exception) -> Unit,
@@ -178,7 +176,6 @@ private class CronetImageFetcher(context: Context, cacheDir: File) : ImageFetche

  override fun fetch(
    url: String,
-    headers: Map<String, String>,
    signal: CancellationSignal,
    onSuccess: (NativeByteBuffer) -> Unit,
    onFailure: (Exception) -> Unit,
@@ -193,7 +190,12 @@ private class CronetImageFetcher(context: Context, cacheDir: File) : ImageFetche

    val callback = FetchCallback(onSuccess, onFailure, ::onComplete)
    val requestBuilder = engine.newUrlRequestBuilder(url, callback, executor)
-    headers.forEach { (key, value) -> requestBuilder.addHeader(key, value) }
+    HttpClientManager.headers.forEach { (key, value) -> requestBuilder.addHeader(key, value) }
+    url.toHttpUrlOrNull()?.let { httpUrl ->
+      if (httpUrl.username.isNotEmpty()) {
+        requestBuilder.addHeader("Authorization", Credentials.basic(httpUrl.username, httpUrl.password))
+      }
+    }
    val request = requestBuilder.build()
    signal.setOnCancelListener(request::cancel)
    request.start()
@@ -390,7 +392,6 @@ private class OkHttpImageFetcher private constructor(

  override fun fetch(
    url: String,
-    headers: Map<String, String>,
    signal: CancellationSignal,
    onSuccess: (NativeByteBuffer) -> Unit,
    onFailure: (Exception) -> Unit,
@@ -403,7 +404,6 @@ private class OkHttpImageFetcher private constructor(
    }

    val requestBuilder = Request.Builder().url(url)
-    headers.forEach { (key, value) -> requestBuilder.addHeader(key, value) }
    val call = client.newCall(requestBuilder.build())
    signal.setOnCancelListener(call::cancel)

--- a/mobile/dcm_global.yaml
+++ b/mobile/dcm_global.yaml
@@ -1 +1 @@
-version: '>=1.29.0 <=1.30.0'
+version: '>=1.29.0 <=1.36.0'
--- a/mobile/ios/Runner/Core/Network.g.swift
+++ b/mobile/ios/Runner/Core/Network.g.swift
@@ -221,8 +221,11 @@ class NetworkPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
 /// Generated protocol from Pigeon that represents a handler of messages from Flutter.
 protocol NetworkApi {
  func addCertificate(clientData: ClientCertData, completion: @escaping (Result<Void, Error>) -> Void)
-  func selectCertificate(promptText: ClientCertPrompt, completion: @escaping (Result<ClientCertData, Error>) -> Void)
+  func selectCertificate(promptText: ClientCertPrompt, completion: @escaping (Result<Void, Error>) -> Void)
  func removeCertificate(completion: @escaping (Result<Void, Error>) -> Void)
+  func hasCertificate() throws -> Bool
+  func getClientPointer() throws -> Int64
+  func setRequestHeaders(headers: [String: String], serverUrls: [String]) throws
 }

 /// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
@@ -255,8 +258,8 @@ class NetworkApiSetup {
        let promptTextArg = args[0] as! ClientCertPrompt
        api.selectCertificate(promptText: promptTextArg) { result in
          switch result {
-          case .success(let res):
-            reply(wrapResult(res))
+          case .success:
+            reply(wrapResult(nil))
          case .failure(let error):
            reply(wrapError(error))
          }
@@ -280,5 +283,47 @@ class NetworkApiSetup {
    } else {
      removeCertificateChannel.setMessageHandler(nil)
    }
+    let hasCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.hasCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      hasCertificateChannel.setMessageHandler { _, reply in
+        do {
+          let result = try api.hasCertificate()
+          reply(wrapResult(result))
+        } catch {
+          reply(wrapError(error))
+        }
+      }
+    } else {
+      hasCertificateChannel.setMessageHandler(nil)
+    }
+    let getClientPointerChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.getClientPointer\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      getClientPointerChannel.setMessageHandler { _, reply in
+        do {
+          let result = try api.getClientPointer()
+          reply(wrapResult(result))
+        } catch {
+          reply(wrapError(error))
+        }
+      }
+    } else {
+      getClientPointerChannel.setMessageHandler(nil)
+    }
+    let setRequestHeadersChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.setRequestHeaders\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      setRequestHeadersChannel.setMessageHandler { message, reply in
+        let args = message as! [Any?]
+        let headersArg = args[0] as! [String: String]
+        let serverUrlsArg = args[1] as! [String]
+        do {
+          try api.setRequestHeaders(headers: headersArg, serverUrls: serverUrlsArg)
+          reply(wrapResult(nil))
+        } catch {
+          reply(wrapError(error))
+        }
+      }
+    } else {
+      setRequestHeadersChannel.setMessageHandler(nil)
+    }
  }
 }
--- a/mobile/ios/Runner/Core/NetworkApiImpl.swift
+++ b/mobile/ios/Runner/Core/NetworkApiImpl.swift
@@ -1,5 +1,6 @@
 import Foundation
 import UniformTypeIdentifiers
+import native_video_player

 enum ImportError: Error {
  case noFile
@@ -16,14 +17,25 @@ class NetworkApiImpl: NetworkApi {
    self.viewController = viewController
  }
  
-  func selectCertificate(promptText: ClientCertPrompt, completion: @escaping (Result<ClientCertData, any Error>) -> Void) {
+  func selectCertificate(promptText: ClientCertPrompt, completion: @escaping (Result<Void, any Error>) -> Void) {
    let importer = CertImporter(promptText: promptText, completion: { [weak self] result in
      self?.activeImporter = nil
-      completion(result.map { ClientCertData(data: FlutterStandardTypedData(bytes: $0.0), password: $0.1) })
+      completion(result)
    }, viewController: viewController)
    activeImporter = importer
    importer.load()
  }
+
+  func hasCertificate() throws -> Bool {
+    let query: [String: Any] = [
+      kSecClass as String: kSecClassIdentity,
+      kSecAttrLabel as String: CLIENT_CERT_LABEL,
+      kSecReturnRef as String: true,
+    ]
+    var item: CFTypeRef?
+    let status = SecItemCopyMatching(query as CFDictionary, &item)
+    return status == errSecSuccess
+  }
  
  func removeCertificate(completion: @escaping (Result<Void, any Error>) -> Void) {
    let status = clearCerts()
@@ -40,14 +52,60 @@ class NetworkApiImpl: NetworkApi {
    }
    completion(.failure(ImportError.keychainError(status)))
  }
+  
+  func getClientPointer() throws -> Int64 {
+    let pointer = URLSessionManager.shared.sessionPointer
+    return Int64(Int(bitPattern: pointer))
+  }
+  
+  func setRequestHeaders(headers: [String : String], serverUrls: [String]) throws {
+    var headers = headers
+    if let token = headers.removeValue(forKey: "x-immich-user-token") {
+      for serverUrl in serverUrls {
+        guard let url = URL(string: serverUrl), let domain = url.host else { continue }
+        let isSecure = serverUrl.hasPrefix("https")
+        let cookies: [(String, String, Bool)] = [
+          ("immich_access_token", token, true),
+          ("immich_is_authenticated", "true", false),
+          ("immich_auth_type", "password", true),
+        ]
+        let expiry = Date().addingTimeInterval(400 * 24 * 60 * 60)
+        for (name, value, httpOnly) in cookies {
+          var properties: [HTTPCookiePropertyKey: Any] = [
+            .name: name,
+            .value: value,
+            .domain: domain,
+            .path: "/",
+            .expires: expiry,
+          ]
+          if isSecure { properties[.secure] = "TRUE" }
+          if httpOnly { properties[.init("HttpOnly")] = "TRUE" }
+          if let cookie = HTTPCookie(properties: properties) {
+            URLSessionManager.cookieStorage.setCookie(cookie)
+          }
+        }
+      }
+    } else {
+      URLSessionManager.cookieStorage.removeCookies(since: .distantPast)
+    }
+
+    if serverUrls.first != UserDefaults.group.string(forKey: SERVER_URL_KEY) {
+      UserDefaults.group.set(serverUrls.first, forKey: SERVER_URL_KEY)
+    }
+
+    if headers != UserDefaults.group.dictionary(forKey: HEADERS_KEY) as? [String: String] {
+      UserDefaults.group.set(headers, forKey: HEADERS_KEY)
+      URLSessionManager.shared.recreateSession() // Recreate session to apply custom headers without app restart
+    }
+  }
 }

 private class CertImporter: NSObject, UIDocumentPickerDelegate {
  private let promptText: ClientCertPrompt
-  private var completion: ((Result<(Data, String), Error>) -> Void)
+  private var completion: ((Result<Void, Error>) -> Void)
  private weak var viewController: UIViewController?
-  
-  init(promptText: ClientCertPrompt, completion: (@escaping (Result<(Data, String), Error>) -> Void), viewController: UIViewController?) {
+
+  init(promptText: ClientCertPrompt, completion: (@escaping (Result<Void, Error>) -> Void), viewController: UIViewController?) {
    self.promptText = promptText
    self.completion = completion
    self.viewController = viewController
@@ -81,7 +139,7 @@ private class CertImporter: NSObject, UIDocumentPickerDelegate {
        }
        
        await URLSessionManager.shared.session.flush()
-        self.completion(.success((data, password)))
+        self.completion(.success(()))
      } catch {
        completion(.failure(error))
      }
--- a/mobile/ios/Runner/Core/URLSessionManager.swift
+++ b/mobile/ios/Runner/Core/URLSessionManager.swift
@@ -1,49 +1,77 @@
 import Foundation
+import native_video_player

 let CLIENT_CERT_LABEL = "app.alextran.immich.client_identity"
+let HEADERS_KEY = "immich.request_headers"
+let SERVER_URL_KEY = "immich.server_url"
+let APP_GROUP = "group.app.immich.share"
+
+extension UserDefaults {
+  static let group = UserDefaults(suiteName: APP_GROUP)!
+}

 /// Manages a shared URLSession with SSL configuration support.
+/// Old sessions are kept alive by Dart's FFI retain until all isolates release them.
 class URLSessionManager: NSObject {
  static let shared = URLSessionManager()
  
-  let session: URLSession
-  private let configuration = {
-    let config = URLSessionConfiguration.default
-    
-    let cacheDir = FileManager.default.urls(for: .cachesDirectory, in: .userDomainMask)
+  private(set) var session: URLSession
+  let delegate: URLSessionManagerDelegate
+  private static let cacheDir: URL = {
+    let dir = FileManager.default.urls(for: .cachesDirectory, in: .userDomainMask)
      .first!
      .appendingPathComponent("api", isDirectory: true)
-    try! FileManager.default.createDirectory(at: cacheDir, withIntermediateDirectories: true)
-    
-    config.urlCache = URLCache(
-      memoryCapacity: 0,
-      diskCapacity: 1024 * 1024 * 1024,
-      directory: cacheDir
-    )
-    
+    try! FileManager.default.createDirectory(at: dir, withIntermediateDirectories: true)
+    return dir
+  }()
+  private static let urlCache = URLCache(
+    memoryCapacity: 0,
+    diskCapacity: 1024 * 1024 * 1024,
+    directory: cacheDir
+  )
+  private static let userAgent: String = {
+    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
+    return "Immich_iOS_\(version)"
+  }()
+  static let cookieStorage = HTTPCookieStorage.sharedCookieStorage(forGroupContainerIdentifier: APP_GROUP)
+  
+  var sessionPointer: UnsafeMutableRawPointer {
+    Unmanaged.passUnretained(session).toOpaque()
+  }
+  
+  private override init() {
+    delegate = URLSessionManagerDelegate()
+    session = Self.buildSession(delegate: delegate)
+    super.init()
+  }
+
+  func recreateSession() {
+    session = Self.buildSession(delegate: delegate)
+  }
+
+  private static func buildSession(delegate: URLSessionManagerDelegate) -> URLSession {
+    let config = URLSessionConfiguration.default
+    config.urlCache = urlCache
+    config.httpCookieStorage = cookieStorage
    config.httpMaximumConnectionsPerHost = 64
    config.timeoutIntervalForRequest = 60
    config.timeoutIntervalForResource = 300
-    
-    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
-    config.httpAdditionalHeaders = ["User-Agent": "Immich_iOS_\(version)"]
-    
-    return config
-  }()
-  
-  private override init() {
-    session = URLSession(configuration: configuration, delegate: URLSessionManagerDelegate(), delegateQueue: nil)
-    super.init()
+
+    var headers = UserDefaults.group.dictionary(forKey: HEADERS_KEY) as? [String: String] ?? [:]
+    headers["User-Agent"] = headers["User-Agent"] ?? userAgent
+    config.httpAdditionalHeaders = headers
+
+    return URLSession(configuration: config, delegate: delegate, delegateQueue: nil)
  }
 }

-class URLSessionManagerDelegate: NSObject, URLSessionTaskDelegate {
+class URLSessionManagerDelegate: NSObject, URLSessionTaskDelegate, URLSessionWebSocketDelegate {
  func urlSession(
    _ session: URLSession,
    didReceive challenge: URLAuthenticationChallenge,
    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
  ) {
-    handleChallenge(challenge, completionHandler: completionHandler)
+    handleChallenge(session, challenge, completionHandler)
  }
  
  func urlSession(
@@ -52,20 +80,24 @@ class URLSessionManagerDelegate: NSObject, URLSessionTaskDelegate {
    didReceive challenge: URLAuthenticationChallenge,
    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
  ) {
-    handleChallenge(challenge, completionHandler: completionHandler)
+    handleChallenge(session, challenge, completionHandler, task: task)
  }
  
  func handleChallenge(
+    _ session: URLSession,
    _ challenge: URLAuthenticationChallenge,
-    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+    _ completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void,
+    task: URLSessionTask? = nil
  ) {
    switch challenge.protectionSpace.authenticationMethod {
-    case NSURLAuthenticationMethodClientCertificate: handleClientCertificate(completion: completionHandler)
+    case NSURLAuthenticationMethodClientCertificate: handleClientCertificate(session, completion: completionHandler)
+    case NSURLAuthenticationMethodHTTPBasic: handleBasicAuth(session, task: task, completion: completionHandler)
    default: completionHandler(.performDefaultHandling, nil)
    }
  }
  
  private func handleClientCertificate(
+    _ session: URLSession,
    completion: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
  ) {
    let query: [String: Any] = [
@@ -80,8 +112,29 @@ class URLSessionManagerDelegate: NSObject, URLSessionTaskDelegate {
      let credential = URLCredential(identity: identity as! SecIdentity,
                                     certificates: nil,
                                     persistence: .forSession)
+      if #available(iOS 15, *) {
+        VideoProxyServer.shared.session = session
+      }
      return completion(.useCredential, credential)
    }
    completion(.performDefaultHandling, nil)
  }
+  
+  private func handleBasicAuth(
+    _ session: URLSession,
+    task: URLSessionTask?,
+    completion: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+  ) {
+    guard let url = task?.originalRequest?.url,
+      let user = url.user,
+      let password = url.password
+    else {
+      return completion(.performDefaultHandling, nil)
+    }
+    if #available(iOS 15, *) {
+      VideoProxyServer.shared.session = session
+    }
+    let credential = URLCredential(user: user, password: password, persistence: .forSession)
+    completion(.useCredential, credential)
+  }
 }
--- a/mobile/ios/Runner/Images/RemoteImages.g.swift
+++ b/mobile/ios/Runner/Images/RemoteImages.g.swift
@@ -70,7 +70,7 @@ class RemoteImagesPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable

 /// Generated protocol from Pigeon that represents a handler of messages from Flutter.
 protocol RemoteImageApi {
-  func requestImage(url: String, headers: [String: String], requestId: Int64, completion: @escaping (Result<[String: Int64]?, Error>) -> Void)
+  func requestImage(url: String, requestId: Int64, completion: @escaping (Result<[String: Int64]?, Error>) -> Void)
  func cancelRequest(requestId: Int64) throws
  func clearCache(completion: @escaping (Result<Int64, Error>) -> Void)
 }
@@ -86,9 +86,8 @@ class RemoteImageApiSetup {
      requestImageChannel.setMessageHandler { message, reply in
        let args = message as! [Any?]
        let urlArg = args[0] as! String
-        let headersArg = args[1] as! [String: String]
-        let requestIdArg = args[2] as! Int64
-        api.requestImage(url: urlArg, headers: headersArg, requestId: requestIdArg) { result in
+        let requestIdArg = args[1] as! Int64
+        api.requestImage(url: urlArg, requestId: requestIdArg) { result in
          switch result {
          case .success(let res):
            reply(wrapResult(res))
--- a/mobile/ios/Runner/Images/RemoteImagesImpl.swift
+++ b/mobile/ios/Runner/Images/RemoteImagesImpl.swift
@@ -33,12 +33,9 @@ class RemoteImageApiImpl: NSObject, RemoteImageApi {
    kCGImageSourceCreateThumbnailFromImageAlways: true
  ] as CFDictionary
  
-  func requestImage(url: String, headers: [String : String], requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
+  func requestImage(url: String, requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
    var urlRequest = URLRequest(url: URL(string: url)!)
    urlRequest.cachePolicy = .returnCacheDataElseLoad
-    for (key, value) in headers {
-      urlRequest.setValue(value, forHTTPHeaderField: key)
-    }
    
    let task = URLSessionManager.shared.session.dataTask(with: urlRequest) { data, response, error in
      Self.handleCompletion(requestId: requestId, data: data, response: response, error: error)
--- a/mobile/lib/domain/models/events.model.dart
+++ b/mobile/lib/domain/models/events.model.dart
@@ -16,9 +16,8 @@ class ScrollToDateEvent extends Event {
 }

 // Asset Viewer Events
-class ViewerOpenBottomSheetEvent extends Event {
-  final bool activitiesMode;
-  const ViewerOpenBottomSheetEvent({this.activitiesMode = false});
+class ViewerShowDetailsEvent extends Event {
+  const ViewerShowDetailsEvent();
 }

 class ViewerReloadAssetEvent extends Event {
--- a/mobile/lib/domain/models/tag.model.dart
+++ b/mobile/lib/domain/models/tag.model.dart
@@ -0,0 +1,29 @@
+import 'package:openapi/api.dart';
+
+class Tag {
+  final String id;
+  final String value;
+
+  const Tag({required this.id, required this.value});
+
+  @override
+  String toString() {
+    return 'Tag(id: $id, value: $value)';
+  }
+
+  @override
+  bool operator ==(covariant Tag other) {
+    if (identical(this, other)) return true;
+
+    return other.id == id && other.value == value;
+  }
+
+  @override
+  int get hashCode {
+    return id.hashCode ^ value.hashCode;
+  }
+
+  static Tag fromDto(TagResponseDto dto) {
+    return Tag(id: dto.id, value: dto.value);
+  }
+}
--- a/mobile/lib/domain/services/background_worker.service.dart
+++ b/mobile/lib/domain/services/background_worker.service.dart
@@ -3,7 +3,6 @@ import 'dart:io';
 import 'dart:ui';

 import 'package:background_downloader/background_downloader.dart';
-import 'package:cancellation_token_http/http.dart';
 import 'package:flutter/material.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:immich_mobile/constants/constants.dart';
@@ -28,7 +27,6 @@ import 'package:immich_mobile/services/localization.service.dart';
 import 'package:immich_mobile/services/foreground_upload.service.dart';
 import 'package:immich_mobile/utils/bootstrap.dart';
 import 'package:immich_mobile/utils/debug_print.dart';
-import 'package:immich_mobile/utils/http_ssl_options.dart';
 import 'package:immich_mobile/wm_executor.dart';
 import 'package:isar/isar.dart';
 import 'package:logging/logging.dart';
@@ -64,7 +62,7 @@ class BackgroundWorkerBgService extends BackgroundWorkerFlutterApi {
  final Drift _drift;
  final DriftLogger _driftLogger;
  final BackgroundWorkerBgHostApi _backgroundHostApi;
-  final CancellationToken _cancellationToken = CancellationToken();
+  final _cancellationToken = Completer<void>();
  final Logger _logger = Logger('BackgroundWorkerBgService');

  bool _isCleanedUp = false;
@@ -88,8 +86,6 @@ class BackgroundWorkerBgService extends BackgroundWorkerFlutterApi {

  Future<void> init() async {
    try {
-      HttpSSLOptions.apply();
-
      await Future.wait(
        [
          loadTranslations(),
@@ -198,7 +194,7 @@ class BackgroundWorkerBgService extends BackgroundWorkerFlutterApi {
      _ref?.dispose();
      _ref = null;

-      _cancellationToken.cancel();
+      _cancellationToken.complete();
      _logger.info("Cleaning up background worker");

      final cleanupFutures = [
--- a/mobile/lib/domain/services/timeline.service.dart
+++ b/mobile/lib/domain/services/timeline.service.dart
@@ -183,8 +183,8 @@ class TimelineService {
    return _buffer.slice(start, start + count);
  }

-  // Pre-cache assets around the given index for asset viewer
-  Future<void> preCacheAssets(int index) => _mutex.run(() => _loadAssets(index, math.min(5, _totalAssets - index)));
+  // Preload assets around the given index for asset viewer
+  Future<void> preloadAssets(int index) => _mutex.run(() => _loadAssets(index, math.min(5, _totalAssets - index)));

  BaseAsset getRandomAsset() => _buffer.elementAt(math.Random().nextInt(_buffer.length));

--- a/mobile/lib/extensions/scroll_extensions.dart
+++ b/mobile/lib/extensions/scroll_extensions.dart
@@ -32,3 +32,125 @@ class FastClampingScrollPhysics extends ClampingScrollPhysics {
    damping: 80,
  );
 }
+
+class SnapScrollPhysics extends ScrollPhysics {
+  static const _minFlingVelocity = 700.0;
+  static const minSnapDistance = 30.0;
+
+  static final _spring = SpringDescription.withDampingRatio(mass: .5, stiffness: 300);
+
+  const SnapScrollPhysics({super.parent});
+
+  @override
+  SnapScrollPhysics applyTo(ScrollPhysics? ancestor) {
+    return SnapScrollPhysics(parent: buildParent(ancestor));
+  }
+
+  @override
+  Simulation? createBallisticSimulation(ScrollMetrics position, double velocity) {
+    assert(
+      position is SnapScrollPosition,
+      'SnapScrollPhysics can only be used with Scrollables that use a '
+      'controller whose createScrollPosition returns a SnapScrollPosition',
+    );
+
+    final snapOffset = (position as SnapScrollPosition).snapOffset;
+    if (snapOffset <= 0) {
+      return super.createBallisticSimulation(position, velocity);
+    }
+
+    if (position.pixels >= snapOffset) {
+      final simulation = super.createBallisticSimulation(position, velocity);
+      if (simulation == null || simulation.x(double.infinity) >= snapOffset) {
+        return simulation;
+      }
+    }
+
+    return ScrollSpringSimulation(
+      _spring,
+      position.pixels,
+      target(position, velocity, snapOffset),
+      velocity,
+      tolerance: toleranceFor(position),
+    );
+  }
+
+  static double target(ScrollMetrics position, double velocity, double snapOffset) {
+    if (velocity > _minFlingVelocity) return snapOffset;
+    if (velocity < -_minFlingVelocity) return position.pixels < snapOffset ? 0.0 : snapOffset;
+    return position.pixels < minSnapDistance ? 0.0 : snapOffset;
+  }
+}
+
+class SnapScrollPosition extends ScrollPositionWithSingleContext {
+  double snapOffset;
+
+  SnapScrollPosition({this.snapOffset = 0.0, required super.physics, required super.context, super.oldPosition});
+}
+
+class ProxyScrollController extends ScrollController {
+  final ScrollController scrollController;
+
+  ProxyScrollController({required this.scrollController});
+
+  SnapScrollPosition get snapPosition => position as SnapScrollPosition;
+
+  @override
+  ScrollPosition createScrollPosition(ScrollPhysics physics, ScrollContext context, ScrollPosition? oldPosition) {
+    return ProxyScrollPosition(
+      scrollController: scrollController,
+      physics: physics,
+      context: context,
+      oldPosition: oldPosition,
+    );
+  }
+
+  @override
+  void dispose() {
+    scrollController.dispose();
+    super.dispose();
+  }
+}
+
+class ProxyScrollPosition extends SnapScrollPosition {
+  final ScrollController scrollController;
+
+  ProxyScrollPosition({
+    required this.scrollController,
+    required super.physics,
+    required super.context,
+    super.oldPosition,
+  });
+
+  @override
+  double setPixels(double newPixels) {
+    final overscroll = super.setPixels(newPixels);
+    if (scrollController.hasClients && scrollController.position.pixels != pixels) {
+      scrollController.position.forcePixels(pixels);
+    }
+    return overscroll;
+  }
+
+  @override
+  void forcePixels(double value) {
+    super.forcePixels(value);
+    if (scrollController.hasClients && scrollController.position.pixels != pixels) {
+      scrollController.position.forcePixels(pixels);
+    }
+  }
+
+  @override
+  double get maxScrollExtent => scrollController.hasClients && scrollController.position.hasContentDimensions
+      ? scrollController.position.maxScrollExtent
+      : super.maxScrollExtent;
+
+  @override
+  double get minScrollExtent => scrollController.hasClients && scrollController.position.hasContentDimensions
+      ? scrollController.position.minScrollExtent
+      : super.minScrollExtent;
+
+  @override
+  double get viewportDimension => scrollController.hasClients && scrollController.position.hasViewportDimension
+      ? scrollController.position.viewportDimension
+      : super.viewportDimension;
+}
--- a/mobile/lib/infrastructure/loaders/remote_image_request.dart
+++ b/mobile/lib/infrastructure/loaders/remote_image_request.dart
@@ -2,9 +2,8 @@ part of 'image_request.dart';

 class RemoteImageRequest extends ImageRequest {
  final String uri;
-  final Map<String, String> headers;

-  RemoteImageRequest({required this.uri, required this.headers});
+  RemoteImageRequest({required this.uri});

  @override
  Future<ImageInfo?> load(ImageDecoderCallback decode, {double scale = 1.0}) async {
@@ -12,7 +11,7 @@ class RemoteImageRequest extends ImageRequest {
      return null;
    }

-    final info = await remoteImageApi.requestImage(uri, headers: headers, requestId: requestId);
+    final info = await remoteImageApi.requestImage(uri, requestId: requestId);
    final frame = switch (info) {
      {'pointer': int pointer, 'length': int length} => await _fromEncodedPlatformImage(pointer, length),
      {'pointer': int pointer, 'width': int width, 'height': int height, 'rowBytes': int rowBytes} =>
--- a/mobile/lib/infrastructure/repositories/network.repository.dart
+++ b/mobile/lib/infrastructure/repositories/network.repository.dart
@@ -1,67 +1,55 @@
+import 'dart:ffi';
 import 'dart:io';

-import 'package:cronet_http/cronet_http.dart';
 import 'package:cupertino_http/cupertino_http.dart';
 import 'package:http/http.dart' as http;
-import 'package:immich_mobile/utils/user_agent.dart';
-import 'package:path_provider/path_provider.dart';
+import 'package:immich_mobile/providers/infrastructure/platform.provider.dart';
+import 'package:ok_http/ok_http.dart';
+import 'package:web_socket/web_socket.dart';

 class NetworkRepository {
-  static late Directory _cachePath;
-  static late String _userAgent;
-  static final _clients = <String, http.Client>{};
+  static http.Client? _client;
+  static Pointer<Void>? _clientPointer;

-  static Future<void> init() {
-    return (
-      getTemporaryDirectory().then((cachePath) => _cachePath = cachePath),
-      getUserAgentString().then((userAgent) => _userAgent = userAgent),
-    ).wait;
+  static Future<void> init() async {
+    final clientPointer = Pointer<Void>.fromAddress(await networkApi.getClientPointer());
+    if (clientPointer == _clientPointer) {
+      return;
+    }
+    _clientPointer = clientPointer;
+    _client?.close();
+    if (Platform.isIOS) {
+      final session = URLSession.fromRawPointer(clientPointer.cast());
+      _client = CupertinoClient.fromSharedSession(session);
+    } else {
+      _client = OkHttpClient.fromJniGlobalRef(clientPointer);
+    }
  }

-  static void reset() {
-    Future.microtask(init);
-    for (final client in _clients.values) {
-      client.close();
+  static Future<void> setHeaders(Map<String, String> headers, List<String> serverUrls) async {
+    await networkApi.setRequestHeaders(headers, serverUrls);
+    if (Platform.isIOS) {
+      await init();
+    }
+  }
+
+  // ignore: avoid-unused-parameters
+  static Future<WebSocket> createWebSocket(Uri uri, {Map<String, String>? headers, Iterable<String>? protocols}) {
+    if (Platform.isIOS) {
+      final session = URLSession.fromRawPointer(_clientPointer!.cast());
+      return CupertinoWebSocket.connectWithSession(session, uri, protocols: protocols);
+    } else {
+      return OkHttpWebSocket.connectFromJniGlobalRef(_clientPointer!, uri, protocols: protocols);
    }
-    _clients.clear();
  }

  const NetworkRepository();

-  /// Note: when disk caching is enabled, only one client may use a given directory at a time.
-  /// Different isolates or engines must use different directories.
-  http.Client getHttpClient(
-    String directoryName, {
-    CacheMode cacheMode = CacheMode.memory,
-    int diskCapacity = 0,
-    int maxConnections = 6,
-    int memoryCapacity = 10 << 20,
-  }) {
-    final cachedClient = _clients[directoryName];
-    if (cachedClient != null) {
-      return cachedClient;
-    }
-
-    final directory = Directory('${_cachePath.path}/$directoryName');
-    directory.createSync(recursive: true);
-    if (Platform.isAndroid) {
-      final engine = CronetEngine.build(
-        cacheMode: cacheMode,
-        cacheMaxSize: diskCapacity,
-        storagePath: directory.path,
-        userAgent: _userAgent,
-      );
-      return _clients[directoryName] = CronetClient.fromCronetEngine(engine, closeEngine: true);
-    }
-
-    final config = URLSessionConfiguration.defaultSessionConfiguration()
-      ..httpMaximumConnectionsPerHost = maxConnections
-      ..cache = URLCache.withCapacity(
-        diskCapacity: diskCapacity,
-        memoryCapacity: memoryCapacity,
-        directory: directory.uri,
-      )
-      ..httpAdditionalHeaders = {'User-Agent': _userAgent};
-    return _clients[directoryName] = CupertinoClient.fromSessionConfiguration(config);
-  }
+  /// Returns a shared HTTP client that uses native SSL configuration.
+  ///
+  /// On iOS: Uses SharedURLSessionManager's URLSession.
+  /// On Android: Uses SharedHttpClientManager's OkHttpClient.
+  ///
+  /// Must call [init] before using this method.
+  static http.Client get client => _client!;
 }
--- a/mobile/lib/infrastructure/repositories/search_api.repository.dart
+++ b/mobile/lib/infrastructure/repositories/search_api.repository.dart
@@ -35,6 +35,7 @@ class SearchApiRepository extends ApiRepository {
          isFavorite: filter.display.isFavorite ? true : null,
          isNotInAlbum: filter.display.isNotInAlbum ? true : null,
          personIds: filter.people.map((e) => e.id).toList(),
+          tagIds: filter.tagIds,
          type: type,
          page: page,
          size: 100,
@@ -59,6 +60,7 @@ class SearchApiRepository extends ApiRepository {
        isFavorite: filter.display.isFavorite ? true : null,
        isNotInAlbum: filter.display.isNotInAlbum ? true : null,
        personIds: filter.people.map((e) => e.id).toList(),
+        tagIds: filter.tagIds,
        type: type,
        page: page,
        size: 1000,
--- a/mobile/lib/infrastructure/repositories/sync_api.repository.dart
+++ b/mobile/lib/infrastructure/repositories/sync_api.repository.dart
@@ -6,6 +6,7 @@ import 'package:immich_mobile/constants/constants.dart';
 import 'package:immich_mobile/domain/models/store.model.dart';
 import 'package:immich_mobile/domain/models/sync_event.model.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
+import 'package:immich_mobile/infrastructure/repositories/network.repository.dart';
 import 'package:immich_mobile/services/api.service.dart';
 import 'package:logging/logging.dart';
 import 'package:openapi/api.dart';
@@ -30,15 +31,11 @@ class SyncApiRepository {
    http.Client? httpClient,
  }) async {
    final stopwatch = Stopwatch()..start();
-    final client = httpClient ?? http.Client();
+    final client = httpClient ?? NetworkRepository.client;
    final endpoint = "${_api.apiClient.basePath}/sync/stream";

    final headers = {'Content-Type': 'application/json', 'Accept': 'application/jsonlines+json'};

-    final headerParams = <String, String>{};
-    await _api.applyToParams([], headerParams);
-    headers.addAll(headerParams);
-
    final shouldReset = Store.get(StoreKey.shouldResetSync, false);
    final request = http.Request('POST', Uri.parse(endpoint));
    request.headers.addAll(headers);
@@ -116,8 +113,6 @@ class SyncApiRepository {
      }
    } catch (error, stack) {
      return Future.error(error, stack);
-    } finally {
-      client.close();
    }
    stopwatch.stop();
    _logger.info("Remote Sync completed in ${stopwatch.elapsed.inMilliseconds}ms");
--- a/mobile/lib/infrastructure/repositories/tags_api.repository.dart
+++ b/mobile/lib/infrastructure/repositories/tags_api.repository.dart
@@ -0,0 +1,17 @@
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+import 'package:immich_mobile/infrastructure/repositories/api.repository.dart';
+import 'package:immich_mobile/providers/api.provider.dart';
+import 'package:openapi/api.dart';
+
+final tagsApiRepositoryProvider = Provider<TagsApiRepository>(
+  (ref) => TagsApiRepository(ref.read(apiServiceProvider).tagsApi),
+);
+
+class TagsApiRepository extends ApiRepository {
+  final TagsApi _api;
+  const TagsApiRepository(this._api);
+
+  Future<List<TagResponseDto>?> getAllTags() async {
+    return await _api.getAllTags();
+  }
+}
--- a/mobile/lib/main.dart
+++ b/mobile/lib/main.dart
@@ -39,7 +39,6 @@ import 'package:immich_mobile/theme/theme_data.dart';
 import 'package:immich_mobile/utils/bootstrap.dart';
 import 'package:immich_mobile/utils/cache/widgets_binding.dart';
 import 'package:immich_mobile/utils/debug_print.dart';
-import 'package:immich_mobile/utils/http_ssl_options.dart';
 import 'package:immich_mobile/utils/licenses.dart';
 import 'package:immich_mobile/utils/migration.dart';
 import 'package:immich_mobile/wm_executor.dart';
@@ -57,7 +56,6 @@ void main() async {
  // Warm-up isolate pool for worker manager
  await workerManagerPatch.init(dynamicSpawning: true, isolatesCount: max(Platform.numberOfProcessors - 1, 5));
  await migrateDatabaseIfNeeded(isar, drift);
-  HttpSSLOptions.apply();

  runApp(
    ProviderScope(
@@ -241,7 +239,7 @@ class ImmichAppState extends ConsumerState<ImmichApp> with WidgetsBindingObserve
  @override
  void reassemble() {
    if (kDebugMode) {
-      NetworkRepository.reset();
+      NetworkRepository.init();
    }
    super.reassemble();
  }
--- a/mobile/lib/models/backup/backup_state.model.dart
+++ b/mobile/lib/models/backup/backup_state.model.dart
@@ -1,6 +1,5 @@
 // ignore_for_file: public_member_api_docs, sort_constructors_first

-import 'package:cancellation_token_http/http.dart';
 import 'package:collection/collection.dart';
 import 'package:immich_mobile/models/backup/backup_candidate.model.dart';

@@ -21,7 +20,6 @@ class BackUpState {
  final DateTime progressInFileSpeedUpdateTime;
  final int progressInFileSpeedUpdateSentBytes;
  final double iCloudDownloadProgress;
-  final CancellationToken cancelToken;
  final ServerDiskInfo serverInfo;
  final bool autoBackup;
  final bool backgroundBackup;
@@ -53,7 +51,6 @@ class BackUpState {
    required this.progressInFileSpeedUpdateTime,
    required this.progressInFileSpeedUpdateSentBytes,
    required this.iCloudDownloadProgress,
-    required this.cancelToken,
    required this.serverInfo,
    required this.autoBackup,
    required this.backgroundBackup,
@@ -78,7 +75,6 @@ class BackUpState {
    DateTime? progressInFileSpeedUpdateTime,
    int? progressInFileSpeedUpdateSentBytes,
    double? iCloudDownloadProgress,
-    CancellationToken? cancelToken,
    ServerDiskInfo? serverInfo,
    bool? autoBackup,
    bool? backgroundBackup,
@@ -102,7 +98,6 @@ class BackUpState {
      progressInFileSpeedUpdateTime: progressInFileSpeedUpdateTime ?? this.progressInFileSpeedUpdateTime,
      progressInFileSpeedUpdateSentBytes: progressInFileSpeedUpdateSentBytes ?? this.progressInFileSpeedUpdateSentBytes,
      iCloudDownloadProgress: iCloudDownloadProgress ?? this.iCloudDownloadProgress,
-      cancelToken: cancelToken ?? this.cancelToken,
      serverInfo: serverInfo ?? this.serverInfo,
      autoBackup: autoBackup ?? this.autoBackup,
      backgroundBackup: backgroundBackup ?? this.backgroundBackup,
@@ -120,7 +115,7 @@ class BackUpState {

  @override
  String toString() {
-    return 'BackUpState(backupProgress: $backupProgress, allAssetsInDatabase: $allAssetsInDatabase, progressInPercentage: $progressInPercentage, progressInFileSize: $progressInFileSize, progressInFileSpeed: $progressInFileSpeed, progressInFileSpeeds: $progressInFileSpeeds, progressInFileSpeedUpdateTime: $progressInFileSpeedUpdateTime, progressInFileSpeedUpdateSentBytes: $progressInFileSpeedUpdateSentBytes, iCloudDownloadProgress: $iCloudDownloadProgress, cancelToken: $cancelToken, serverInfo: $serverInfo, autoBackup: $autoBackup, backgroundBackup: $backgroundBackup, backupRequireWifi: $backupRequireWifi, backupRequireCharging: $backupRequireCharging, backupTriggerDelay: $backupTriggerDelay, availableAlbums: $availableAlbums, selectedBackupAlbums: $selectedBackupAlbums, excludedBackupAlbums: $excludedBackupAlbums, allUniqueAssets: $allUniqueAssets, selectedAlbumsBackupAssetsIds: $selectedAlbumsBackupAssetsIds, currentUploadAsset: $currentUploadAsset)';
+    return 'BackUpState(backupProgress: $backupProgress, allAssetsInDatabase: $allAssetsInDatabase, progressInPercentage: $progressInPercentage, progressInFileSize: $progressInFileSize, progressInFileSpeed: $progressInFileSpeed, progressInFileSpeeds: $progressInFileSpeeds, progressInFileSpeedUpdateTime: $progressInFileSpeedUpdateTime, progressInFileSpeedUpdateSentBytes: $progressInFileSpeedUpdateSentBytes, iCloudDownloadProgress: $iCloudDownloadProgress, serverInfo: $serverInfo, autoBackup: $autoBackup, backgroundBackup: $backgroundBackup, backupRequireWifi: $backupRequireWifi, backupRequireCharging: $backupRequireCharging, backupTriggerDelay: $backupTriggerDelay, availableAlbums: $availableAlbums, selectedBackupAlbums: $selectedBackupAlbums, excludedBackupAlbums: $excludedBackupAlbums, allUniqueAssets: $allUniqueAssets, selectedAlbumsBackupAssetsIds: $selectedAlbumsBackupAssetsIds, currentUploadAsset: $currentUploadAsset)';
  }

  @override
@@ -137,7 +132,6 @@ class BackUpState {
        other.progressInFileSpeedUpdateTime == progressInFileSpeedUpdateTime &&
        other.progressInFileSpeedUpdateSentBytes == progressInFileSpeedUpdateSentBytes &&
        other.iCloudDownloadProgress == iCloudDownloadProgress &&
-        other.cancelToken == cancelToken &&
        other.serverInfo == serverInfo &&
        other.autoBackup == autoBackup &&
        other.backgroundBackup == backgroundBackup &&
@@ -163,7 +157,6 @@ class BackUpState {
        progressInFileSpeedUpdateTime.hashCode ^
        progressInFileSpeedUpdateSentBytes.hashCode ^
        iCloudDownloadProgress.hashCode ^
-        cancelToken.hashCode ^
        serverInfo.hashCode ^
        autoBackup.hashCode ^
        backgroundBackup.hashCode ^
--- a/mobile/lib/models/backup/manual_upload_state.model.dart
+++ b/mobile/lib/models/backup/manual_upload_state.model.dart
@@ -1,11 +1,8 @@
-import 'package:cancellation_token_http/http.dart';
 import 'package:collection/collection.dart';

 import 'package:immich_mobile/models/backup/current_upload_asset.model.dart';

 class ManualUploadState {
-  final CancellationToken cancelToken;
-
  // Current Backup Asset
  final CurrentUploadAsset currentUploadAsset;
  final int currentAssetIndex;
@@ -29,7 +26,6 @@ class ManualUploadState {
    required this.progressInFileSpeeds,
    required this.progressInFileSpeedUpdateTime,
    required this.progressInFileSpeedUpdateSentBytes,
-    required this.cancelToken,
    required this.currentUploadAsset,
    required this.totalAssetsToUpload,
    required this.currentAssetIndex,
@@ -44,7 +40,6 @@ class ManualUploadState {
    List<double>? progressInFileSpeeds,
    DateTime? progressInFileSpeedUpdateTime,
    int? progressInFileSpeedUpdateSentBytes,
-    CancellationToken? cancelToken,
    CurrentUploadAsset? currentUploadAsset,
    int? totalAssetsToUpload,
    int? successfulUploads,
@@ -58,7 +53,6 @@ class ManualUploadState {
      progressInFileSpeeds: progressInFileSpeeds ?? this.progressInFileSpeeds,
      progressInFileSpeedUpdateTime: progressInFileSpeedUpdateTime ?? this.progressInFileSpeedUpdateTime,
      progressInFileSpeedUpdateSentBytes: progressInFileSpeedUpdateSentBytes ?? this.progressInFileSpeedUpdateSentBytes,
-      cancelToken: cancelToken ?? this.cancelToken,
      currentUploadAsset: currentUploadAsset ?? this.currentUploadAsset,
      totalAssetsToUpload: totalAssetsToUpload ?? this.totalAssetsToUpload,
      currentAssetIndex: currentAssetIndex ?? this.currentAssetIndex,
@@ -69,7 +63,7 @@ class ManualUploadState {

  @override
  String toString() {
-    return 'ManualUploadState(progressInPercentage: $progressInPercentage, progressInFileSize: $progressInFileSize, progressInFileSpeed: $progressInFileSpeed, progressInFileSpeeds: $progressInFileSpeeds, progressInFileSpeedUpdateTime: $progressInFileSpeedUpdateTime, progressInFileSpeedUpdateSentBytes: $progressInFileSpeedUpdateSentBytes, cancelToken: $cancelToken, currentUploadAsset: $currentUploadAsset, totalAssetsToUpload: $totalAssetsToUpload, successfulUploads: $successfulUploads, currentAssetIndex: $currentAssetIndex, showDetailedNotification: $showDetailedNotification)';
+    return 'ManualUploadState(progressInPercentage: $progressInPercentage, progressInFileSize: $progressInFileSize, progressInFileSpeed: $progressInFileSpeed, progressInFileSpeeds: $progressInFileSpeeds, progressInFileSpeedUpdateTime: $progressInFileSpeedUpdateTime, progressInFileSpeedUpdateSentBytes: $progressInFileSpeedUpdateSentBytes, currentUploadAsset: $currentUploadAsset, totalAssetsToUpload: $totalAssetsToUpload, successfulUploads: $successfulUploads, currentAssetIndex: $currentAssetIndex, showDetailedNotification: $showDetailedNotification)';
  }

  @override
@@ -84,7 +78,6 @@ class ManualUploadState {
        collectionEquals(other.progressInFileSpeeds, progressInFileSpeeds) &&
        other.progressInFileSpeedUpdateTime == progressInFileSpeedUpdateTime &&
        other.progressInFileSpeedUpdateSentBytes == progressInFileSpeedUpdateSentBytes &&
-        other.cancelToken == cancelToken &&
        other.currentUploadAsset == currentUploadAsset &&
        other.totalAssetsToUpload == totalAssetsToUpload &&
        other.currentAssetIndex == currentAssetIndex &&
@@ -100,7 +93,6 @@ class ManualUploadState {
        progressInFileSpeeds.hashCode ^
        progressInFileSpeedUpdateTime.hashCode ^
        progressInFileSpeedUpdateSentBytes.hashCode ^
-        cancelToken.hashCode ^
        currentUploadAsset.hashCode ^
        totalAssetsToUpload.hashCode ^
        currentAssetIndex.hashCode ^
--- a/mobile/lib/models/search/search_filter.model.dart
+++ b/mobile/lib/models/search/search_filter.model.dart
@@ -214,6 +214,7 @@ class SearchFilter {
  String? ocr;
  String? language;
  String? assetId;
+  List<String>? tagIds;
  Set<PersonDto> people;
  SearchLocationFilter location;
  SearchCameraFilter camera;
@@ -231,6 +232,7 @@ class SearchFilter {
    this.ocr,
    this.language,
    this.assetId,
+    this.tagIds,
    required this.people,
    required this.location,
    required this.camera,
@@ -246,6 +248,7 @@ class SearchFilter {
        (description == null || (description!.isEmpty)) &&
        (assetId == null || (assetId!.isEmpty)) &&
        (ocr == null || (ocr!.isEmpty)) &&
+        (tagIds ?? []).isEmpty &&
        people.isEmpty &&
        location.country == null &&
        location.state == null &&
@@ -269,6 +272,7 @@ class SearchFilter {
    String? ocr,
    String? assetId,
    Set<PersonDto>? people,
+    List<String>? tagIds,
    SearchLocationFilter? location,
    SearchCameraFilter? camera,
    SearchDateFilter? date,
@@ -290,12 +294,13 @@ class SearchFilter {
      display: display ?? this.display,
      rating: rating ?? this.rating,
      mediaType: mediaType ?? this.mediaType,
+      tagIds: tagIds ?? this.tagIds,
    );
  }

  @override
  String toString() {
-    return 'SearchFilter(context: $context, filename: $filename, description: $description, language: $language, ocr: $ocr, people: $people, location: $location, camera: $camera, date: $date, display: $display, rating: $rating, mediaType: $mediaType, assetId: $assetId)';
+    return 'SearchFilter(context: $context, filename: $filename, description: $description, language: $language, ocr: $ocr, people: $people, location: $location, tagIds: $tagIds, camera: $camera, date: $date, display: $display, rating: $rating, mediaType: $mediaType, assetId: $assetId)';
  }

  @override
@@ -309,6 +314,7 @@ class SearchFilter {
        other.ocr == ocr &&
        other.assetId == assetId &&
        other.people == people &&
+        other.tagIds == tagIds &&
        other.location == location &&
        other.camera == camera &&
        other.date == date &&
@@ -326,6 +332,7 @@ class SearchFilter {
        ocr.hashCode ^
        assetId.hashCode ^
        people.hashCode ^
+        tagIds.hashCode ^
        location.hashCode ^
        camera.hashCode ^
        date.hashCode ^
--- a/mobile/lib/models/server_info/server_features.model.dart
+++ b/mobile/lib/models/server_info/server_features.model.dart
@@ -6,6 +6,7 @@ class ServerFeatures {
  final bool oauthEnabled;
  final bool passwordLogin;
  final bool ocr;
+  final bool smartSearch;

  const ServerFeatures({
    required this.trash,
@@ -13,21 +14,30 @@ class ServerFeatures {
    required this.oauthEnabled,
    required this.passwordLogin,
    this.ocr = false,
+    this.smartSearch = false,
  });

-  ServerFeatures copyWith({bool? trash, bool? map, bool? oauthEnabled, bool? passwordLogin, bool? ocr}) {
+  ServerFeatures copyWith({
+    bool? trash,
+    bool? map,
+    bool? oauthEnabled,
+    bool? passwordLogin,
+    bool? ocr,
+    bool? smartSearch,
+  }) {
    return ServerFeatures(
      trash: trash ?? this.trash,
      map: map ?? this.map,
      oauthEnabled: oauthEnabled ?? this.oauthEnabled,
      passwordLogin: passwordLogin ?? this.passwordLogin,
      ocr: ocr ?? this.ocr,
+      smartSearch: smartSearch ?? this.smartSearch,
    );
  }

  @override
  String toString() {
-    return 'ServerFeatures(trash: $trash, map: $map, oauthEnabled: $oauthEnabled, passwordLogin: $passwordLogin, ocr: $ocr)';
+    return 'ServerFeatures(trash: $trash, map: $map, oauthEnabled: $oauthEnabled, passwordLogin: $passwordLogin, ocr: $ocr, smartSearch: $smartSearch)';
  }

  ServerFeatures.fromDto(ServerFeaturesDto dto)
@@ -35,7 +45,8 @@ class ServerFeatures {
      map = dto.map,
      oauthEnabled = dto.oauth,
      passwordLogin = dto.passwordLogin,
-      ocr = dto.ocr;
+      ocr = dto.ocr,
+      smartSearch = dto.smartSearch;

  @override
  bool operator ==(covariant ServerFeatures other) {
@@ -45,11 +56,17 @@ class ServerFeatures {
        other.map == map &&
        other.oauthEnabled == oauthEnabled &&
        other.passwordLogin == passwordLogin &&
-        other.ocr == ocr;
+        other.ocr == ocr &&
+        other.smartSearch == smartSearch;
  }

  @override
  int get hashCode {
-    return trash.hashCode ^ map.hashCode ^ oauthEnabled.hashCode ^ passwordLogin.hashCode ^ ocr.hashCode;
+    return trash.hashCode ^
+        map.hashCode ^
+        oauthEnabled.hashCode ^
+        passwordLogin.hashCode ^
+        ocr.hashCode ^
+        smartSearch.hashCode;
  }
 }
--- a/mobile/lib/pages/album/album_options.page.dart
+++ b/mobile/lib/pages/album/album_options.page.dart
@@ -134,7 +134,7 @@ class AlbumOptionsPage extends HookConsumerWidget {
        itemBuilder: (context, index) {
          final user = sharedUsers.value[index];
          return ListTile(
-            leading: UserCircleAvatar(user: user, radius: 22),
+            leading: UserCircleAvatar(user: user),
            title: Text(user.name, style: const TextStyle(fontWeight: FontWeight.w500)),
            subtitle: Text(user.email, style: TextStyle(color: context.colorScheme.onSurfaceSecondary)),
            trailing: userId == user.id || isOwner ? const Icon(Icons.more_horiz_rounded) : const SizedBox(),
--- a/mobile/lib/pages/album/album_shared_user_icons.dart
+++ b/mobile/lib/pages/album/album_shared_user_icons.dart
@@ -41,7 +41,7 @@ class AlbumSharedUserIcons extends HookConsumerWidget {
          itemBuilder: ((context, index) {
            return Padding(
              padding: const EdgeInsets.only(right: 8.0),
-              child: UserCircleAvatar(user: sharedUsers.value[index], radius: 18, size: 36),
+              child: UserCircleAvatar(user: sharedUsers.value[index], size: 36),
            );
          }),
          itemCount: sharedUsers.value.length,
--- a/mobile/lib/pages/backup/drift_backup.page.dart
+++ b/mobile/lib/pages/backup/drift_backup.page.dart
@@ -96,10 +96,6 @@ class _DriftBackupPageState extends ConsumerState<DriftBackupPage> {
      await backupNotifier.startForegroundBackup(currentUser.id);
    }

-    Future<void> stopBackup() async {
-      await backupNotifier.stopForegroundBackup();
-    }
-
    return Scaffold(
      appBar: AppBar(
        elevation: 0,
@@ -136,9 +132,9 @@ class _DriftBackupPageState extends ConsumerState<DriftBackupPage> {
                  const Divider(),
                  BackupToggleButton(
                    onStart: () async => await startBackup(),
-                    onStop: () async {
+                    onStop: () {
                      syncSuccess = null;
-                      await stopBackup();
+                      backupNotifier.stopForegroundBackup();
                    },
                  ),
                  switch (error) {
--- a/mobile/lib/pages/backup/drift_backup_album_selection.page.dart
+++ b/mobile/lib/pages/backup/drift_backup_album_selection.page.dart
@@ -112,16 +112,15 @@ class _DriftBackupAlbumSelectionPageState extends ConsumerState<DriftBackupAlbum
            // Waits for hashing to be cancelled before starting a new one
            unawaited(nativeSync.cancelHashing().whenComplete(() => backgroundSync.hashAssets()));
            if (isBackupEnabled) {
+              backupNotifier.stopForegroundBackup();
              unawaited(
-                backupNotifier.stopForegroundBackup().whenComplete(
-                  () => backgroundSync.syncRemote().then((success) {
-                    if (success) {
-                      return backupNotifier.startForegroundBackup(user.id);
-                    } else {
-                      Logger('DriftBackupAlbumSelectionPage').warning('Background sync failed, not starting backup');
-                    }
-                  }),
-                ),
+                backgroundSync.syncRemote().then((success) {
+                  if (success) {
+                    return backupNotifier.startForegroundBackup(user.id);
+                  } else {
+                    Logger('DriftBackupAlbumSelectionPage').warning('Background sync failed, not starting backup');
+                  }
+                }),
              );
            }
          }
--- a/mobile/lib/pages/backup/drift_backup_options.page.dart
+++ b/mobile/lib/pages/backup/drift_backup_options.page.dart
@@ -59,16 +59,15 @@ class DriftBackupOptionsPage extends ConsumerWidget {

          final backupNotifier = ref.read(driftBackupProvider.notifier);
          final backgroundSync = ref.read(backgroundSyncProvider);
+          backupNotifier.stopForegroundBackup();
          unawaited(
-            backupNotifier.stopForegroundBackup().whenComplete(
-              () => backgroundSync.syncRemote().then((success) {
-                if (success) {
-                  return backupNotifier.startForegroundBackup(currentUser.id);
-                } else {
-                  Logger('DriftBackupOptionsPage').warning('Background sync failed, not starting backup');
-                }
-              }),
-            ),
+            backgroundSync.syncRemote().then((success) {
+              if (success) {
+                return backupNotifier.startForegroundBackup(currentUser.id);
+              } else {
+                Logger('DriftBackupOptionsPage').warning('Background sync failed, not starting backup');
+              }
+            }),
          );
        }
      },
--- a/mobile/lib/pages/common/headers_settings.page.dart
+++ b/mobile/lib/pages/common/headers_settings.page.dart
@@ -8,6 +8,7 @@ import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:immich_mobile/domain/models/store.model.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/generated/translations.g.dart';
+import 'package:immich_mobile/providers/api.provider.dart';

 class SettingsHeader {
  String key = "";
@@ -20,7 +21,6 @@ class HeaderSettingsPage extends HookConsumerWidget {

  @override
  Widget build(BuildContext context, WidgetRef ref) {
-    // final apiService = ref.watch(apiServiceProvider);
    final headers = useState<List<SettingsHeader>>([]);
    final setInitialHeaders = useState(false);

@@ -75,7 +75,7 @@ class HeaderSettingsPage extends HookConsumerWidget {
        ],
      ),
      body: PopScope(
-        onPopInvokedWithResult: (didPop, _) => saveHeaders(headers.value),
+        onPopInvokedWithResult: (didPop, _) => saveHeaders(ref, headers.value),
        child: ListView.separated(
          padding: const EdgeInsets.symmetric(horizontal: 8.0, vertical: 16.0),
          itemCount: list.length,
@@ -87,7 +87,7 @@ class HeaderSettingsPage extends HookConsumerWidget {
    );
  }

-  saveHeaders(List<SettingsHeader> headers) {
+  saveHeaders(WidgetRef ref, List<SettingsHeader> headers) async {
    final headersMap = {};
    for (var header in headers) {
      final key = header.key.trim();
@@ -98,7 +98,8 @@ class HeaderSettingsPage extends HookConsumerWidget {
    }

    var encoded = jsonEncode(headersMap);
-    Store.put(StoreKey.customHeaders, encoded);
+    await Store.put(StoreKey.customHeaders, encoded);
+    await ref.read(apiServiceProvider).updateHeaders();
  }
 }

--- a/mobile/lib/pages/search/map/map.page.dart
+++ b/mobile/lib/pages/search/map/map.page.dart
@@ -118,7 +118,7 @@ class MapPage extends HookConsumerWidget {
    }

    // finds the nearest asset marker from the tap point and store it as the selectedMarker
-    Future<void> onMarkerClicked(Point<double> point, LatLng coords) async {
+    Future<void> onMarkerClicked(Point<double> point, LatLng _) async {
      // Guard map not created
      if (mapController.value == null) {
        return;
--- a/mobile/lib/pages/search/map/map_location_picker.page.dart
+++ b/mobile/lib/pages/search/map/map_location_picker.page.dart
@@ -28,7 +28,7 @@ class MapLocationPickerPage extends HookConsumerWidget {
      marker.value = await controller.value?.addMarkerAtLatLng(initialLatLng);
    }

-    Future<void> onMapClick(Point<num> point, LatLng centre) async {
+    Future<void> onMapClick(Point<num> _, LatLng centre) async {
      selectedLatLng.value = centre;
      await controller.value?.animateCamera(CameraUpdate.newLatLng(centre));
      if (marker.value != null) {
--- a/mobile/lib/platform/network_api.g.dart
+++ b/mobile/lib/platform/network_api.g.dart
@@ -179,7 +179,7 @@ class NetworkApi {
    }
  }

-  Future<ClientCertData> selectCertificate(ClientCertPrompt promptText) async {
+  Future<void> selectCertificate(ClientCertPrompt promptText) async {
    final String pigeonVar_channelName =
        'dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate$pigeonVar_messageChannelSuffix';
    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
@@ -197,13 +197,8 @@ class NetworkApi {
        message: pigeonVar_replyList[1] as String?,
        details: pigeonVar_replyList[2],
      );
-    } else if (pigeonVar_replyList[0] == null) {
-      throw PlatformException(
-        code: 'null-error',
-        message: 'Host platform returned null value for non-null return value.',
-      );
    } else {
-      return (pigeonVar_replyList[0] as ClientCertData?)!;
+      return;
    }
  }

@@ -229,4 +224,83 @@ class NetworkApi {
      return;
    }
  }
+
+  Future<bool> hasCertificate() async {
+    final String pigeonVar_channelName =
+        'dev.flutter.pigeon.immich_mobile.NetworkApi.hasCertificate$pigeonVar_messageChannelSuffix';
+    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
+      pigeonVar_channelName,
+      pigeonChannelCodec,
+      binaryMessenger: pigeonVar_binaryMessenger,
+    );
+    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(null);
+    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
+    if (pigeonVar_replyList == null) {
+      throw _createConnectionError(pigeonVar_channelName);
+    } else if (pigeonVar_replyList.length > 1) {
+      throw PlatformException(
+        code: pigeonVar_replyList[0]! as String,
+        message: pigeonVar_replyList[1] as String?,
+        details: pigeonVar_replyList[2],
+      );
+    } else if (pigeonVar_replyList[0] == null) {
+      throw PlatformException(
+        code: 'null-error',
+        message: 'Host platform returned null value for non-null return value.',
+      );
+    } else {
+      return (pigeonVar_replyList[0] as bool?)!;
+    }
+  }
+
+  Future<int> getClientPointer() async {
+    final String pigeonVar_channelName =
+        'dev.flutter.pigeon.immich_mobile.NetworkApi.getClientPointer$pigeonVar_messageChannelSuffix';
+    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
+      pigeonVar_channelName,
+      pigeonChannelCodec,
+      binaryMessenger: pigeonVar_binaryMessenger,
+    );
+    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(null);
+    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
+    if (pigeonVar_replyList == null) {
+      throw _createConnectionError(pigeonVar_channelName);
+    } else if (pigeonVar_replyList.length > 1) {
+      throw PlatformException(
+        code: pigeonVar_replyList[0]! as String,
+        message: pigeonVar_replyList[1] as String?,
+        details: pigeonVar_replyList[2],
+      );
+    } else if (pigeonVar_replyList[0] == null) {
+      throw PlatformException(
+        code: 'null-error',
+        message: 'Host platform returned null value for non-null return value.',
+      );
+    } else {
+      return (pigeonVar_replyList[0] as int?)!;
+    }
+  }
+
+  Future<void> setRequestHeaders(Map<String, String> headers, List<String> serverUrls) async {
+    final String pigeonVar_channelName =
+        'dev.flutter.pigeon.immich_mobile.NetworkApi.setRequestHeaders$pigeonVar_messageChannelSuffix';
+    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
+      pigeonVar_channelName,
+      pigeonChannelCodec,
+      binaryMessenger: pigeonVar_binaryMessenger,
+    );
+    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(<Object?>[headers, serverUrls]);
+    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
+    if (pigeonVar_replyList == null) {
+      throw _createConnectionError(pigeonVar_channelName);
+    } else if (pigeonVar_replyList.length > 1) {
+      throw PlatformException(
+        code: pigeonVar_replyList[0]! as String,
+        message: pigeonVar_replyList[1] as String?,
+        details: pigeonVar_replyList[2],
+      );
+    } else {
+      return;
+    }
+  }
 }
--- a/mobile/lib/platform/remote_image_api.g.dart
+++ b/mobile/lib/platform/remote_image_api.g.dart
@@ -49,11 +49,7 @@ class RemoteImageApi {

  final String pigeonVar_messageChannelSuffix;

-  Future<Map<String, int>?> requestImage(
-    String url, {
-    required Map<String, String> headers,
-    required int requestId,
-  }) async {
+  Future<Map<String, int>?> requestImage(String url, {required int requestId}) async {
    final String pigeonVar_channelName =
        'dev.flutter.pigeon.immich_mobile.RemoteImageApi.requestImage$pigeonVar_messageChannelSuffix';
    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
@@ -61,7 +57,7 @@ class RemoteImageApi {
      pigeonChannelCodec,
      binaryMessenger: pigeonVar_binaryMessenger,
    );
-    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(<Object?>[url, headers, requestId]);
+    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(<Object?>[url, requestId]);
    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
    if (pigeonVar_replyList == null) {
      throw _createConnectionError(pigeonVar_channelName);
--- a/mobile/lib/presentation/pages/dev/ui_showcase.page.dart
+++ b/mobile/lib/presentation/pages/dev/ui_showcase.page.dart
@@ -1,100 +0,0 @@
-import 'package:auto_route/auto_route.dart';
-import 'package:flutter/material.dart';
-import 'package:immich_mobile/extensions/build_context_extensions.dart';
-import 'package:immich_ui/immich_ui.dart';
-
-List<Widget> _showcaseBuilder(Function(ImmichVariant variant, ImmichColor color) builder) {
-  final children = <Widget>[];
-
-  final items = [
-    (variant: ImmichVariant.filled, title: "Filled Variant"),
-    (variant: ImmichVariant.ghost, title: "Ghost Variant"),
-  ];
-
-  for (final (:variant, :title) in items) {
-    children.add(Text(title));
-    children.add(Row(spacing: 10, children: [for (var color in ImmichColor.values) builder(variant, color)]));
-  }
-
-  return children;
-}
-
-class _ComponentTitle extends StatelessWidget {
-  final String title;
-
-  const _ComponentTitle(this.title);
-
-  @override
-  Widget build(BuildContext context) {
-    return Text(title, style: context.textTheme.titleLarge);
-  }
-}
-
-@RoutePage()
-class ImmichUIShowcasePage extends StatelessWidget {
-  const ImmichUIShowcasePage({super.key});
-
-  @override
-  Widget build(BuildContext context) {
-    return Scaffold(
-      appBar: AppBar(title: const Text('Immich UI Showcase')),
-      body: Padding(
-        padding: const EdgeInsets.all(20),
-        child: SingleChildScrollView(
-          child: Column(
-            spacing: 10,
-            mainAxisAlignment: MainAxisAlignment.start,
-            crossAxisAlignment: CrossAxisAlignment.start,
-            children: [
-              const _ComponentTitle("IconButton"),
-              ..._showcaseBuilder(
-                (variant, color) =>
-                    ImmichIconButton(icon: Icons.favorite, color: color, variant: variant, onPressed: () {}),
-              ),
-              const _ComponentTitle("CloseButton"),
-              ..._showcaseBuilder(
-                (variant, color) => ImmichCloseButton(color: color, variant: variant, onPressed: () {}),
-              ),
-              const _ComponentTitle("TextButton"),
-
-              ImmichTextButton(
-                labelText: "Text Button",
-                onPressed: () {},
-                variant: ImmichVariant.filled,
-                color: ImmichColor.primary,
-              ),
-              ImmichTextButton(
-                labelText: "Text Button",
-                onPressed: () {},
-                variant: ImmichVariant.filled,
-                color: ImmichColor.primary,
-                loading: true,
-              ),
-              ImmichTextButton(
-                labelText: "Text Button",
-                onPressed: () {},
-                variant: ImmichVariant.ghost,
-                color: ImmichColor.primary,
-              ),
-              ImmichTextButton(
-                labelText: "Text Button",
-                onPressed: () {},
-                variant: ImmichVariant.ghost,
-                color: ImmichColor.primary,
-                loading: true,
-              ),
-              const _ComponentTitle("Form"),
-              ImmichForm(
-                onSubmit: () {},
-                child: const Column(
-                  spacing: 10,
-                  children: [ImmichTextInput(label: "Title", hintText: "Enter a title")],
-                ),
-              ),
-            ],
-          ),
-        ),
-      ),
-    );
-  }
-}
--- a/mobile/lib/presentation/pages/drift_activities.page.dart
+++ b/mobile/lib/presentation/pages/drift_activities.page.dart
@@ -14,13 +14,15 @@ import 'package:immich_mobile/providers/infrastructure/current_album.provider.da
@RoutePage()
 class DriftActivitiesPage extends HookConsumerWidget {
  final RemoteAlbum album;
+  final String? assetId;
+  final String? assetName;

-  const DriftActivitiesPage({super.key, required this.album});
+  const DriftActivitiesPage({super.key, required this.album, this.assetId, this.assetName});

  @override
  Widget build(BuildContext context, WidgetRef ref) {
-    final activityNotifier = ref.read(albumActivityProvider(album.id).notifier);
-    final activities = ref.watch(albumActivityProvider(album.id));
+    final activityNotifier = ref.read(albumActivityProvider(album.id, assetId).notifier);
+    final activities = ref.watch(albumActivityProvider(album.id, assetId));
    final listViewScrollController = useScrollController();

    void scrollToBottom() {
@@ -36,7 +38,13 @@ class DriftActivitiesPage extends HookConsumerWidget {
      overrides: [currentRemoteAlbumScopedProvider.overrideWithValue(album)],
      child: Scaffold(
        appBar: AppBar(
-          title: Text(album.name),
+          title: Column(
+            crossAxisAlignment: CrossAxisAlignment.start,
+            children: [
+              Text(album.name),
+              if (assetName != null) Text(assetName!, style: context.textTheme.bodySmall),
+            ],
+          ),
          actions: [const LikeActivityActionButton(iconOnly: true)],
          actionsPadding: const EdgeInsets.only(right: 8),
        ),
@@ -47,7 +55,7 @@ class DriftActivitiesPage extends HookConsumerWidget {
              activityWidgets.add(
                Padding(
                  padding: const EdgeInsets.symmetric(horizontal: 8, vertical: 6),
-                  child: CommentBubble(activity: activity),
+                  child: CommentBubble(activity: activity, isAssetActivity: assetId != null),
                ),
              );
            }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .13.0
 .13.1