fix: foreground cloud sync

2026-03-04 22:17:00 +00:00 · 2026-01-22 20:37:44 +05:30
1406 changed files with 20960 additions and 65111 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -2,7 +2,6 @@
  "name": "Immich - Backend, Frontend and ML",
  "service": "immich-server",
  "runServices": [
-    "immich-init",
    "immich-server",
    "redis",
    "database",
@@ -27,59 +26,7 @@
        "vitest.explorer",
        "ms-playwright.playwright",
        "ms-azuretools.vscode-docker"
-      ],
-      "settings": {
-        "tasks": {
-          "version": "2.0.0",
-          "tasks": [
-            {
-              "label": "Immich API Server (Nest)",
-              "type": "shell",
-              "command": "[ -f /immich-devcontainer/container-start-backend.sh ] && /immich-devcontainer/container-start-backend.sh || exit 0",
-              "isBackground": true,
-              "presentation": {
-                "echo": true,
-                "reveal": "always",
-                "focus": false,
-                "panel": "dedicated",
-                "showReuseMessage": true,
-                "clear": false,
-                "group": "Devcontainer tasks",
-                "close": true
-              },
-              "runOptions": {
-                "runOn": "folderOpen"
-              },
-              "problemMatcher": []
-            },
-            {
-              "label": "Immich Web Server (Vite)",
-              "type": "shell",
-              "command": "[ -f /immich-devcontainer/container-start-frontend.sh ] && /immich-devcontainer/container-start-frontend.sh || exit 0",
-              "isBackground": true,
-              "presentation": {
-                "echo": true,
-                "reveal": "always",
-                "focus": false,
-                "panel": "dedicated",
-                "showReuseMessage": true,
-                "clear": false,
-                "group": "Devcontainer tasks",
-                "close": true
-              },
-              "runOptions": {
-                "runOn": "folderOpen"
-              },
-              "problemMatcher": []
-            },
-            {
-              "label": "Build Immich CLI",
-              "type": "shell",
-              "command": "pnpm --filter cli build:dev"
-            }
-          ]
-        }
-      }
+      ]
    }
  },
  "features": {
@@ -109,8 +56,8 @@
    }
  },
  "overrideCommand": true,
-  "workspaceFolder": "/usr/src/app",
-  "remoteUser": "root",
+  "workspaceFolder": "/workspaces/immich",
+  "remoteUser": "node",
  "userEnvProbe": "loginInteractiveShell",
  "remoteEnv": {
    // The location where your uploaded files are stored
--- a/.devcontainer/mobile/container-compose-overrides.yml
+++ b/.devcontainer/mobile/container-compose-overrides.yml
@@ -1,17 +1,23 @@
 services:
-  immich-app-base:
-    image: busybox
  immich-server:
-    extends:
-      service: immich-app-base
-    profiles: !reset []
-    image: immich-server-dev:latest
    build:
      target: dev-container-mobile
    environment:
      - IMMICH_SERVER_URL=http://127.0.0.1:2283/
-    volumes:
+    volumes: !override # bind mount host to /workspaces/immich
+      - ..:/workspaces/immich
      - ${UPLOAD_LOCATION:-upload-devcontainer-volume}${UPLOAD_LOCATION:+/photos}:/data
+      - pnpm-store:/usr/src/app/.pnpm-store
+      - server-node_modules:/usr/src/app/server/node_modules
+      - web-node_modules:/usr/src/app/web/node_modules
+      - github-node_modules:/usr/src/app/.github/node_modules
+      - cli-node_modules:/usr/src/app/cli/node_modules
+      - docs-node_modules:/usr/src/app/docs/node_modules
+      - e2e-node_modules:/usr/src/app/e2e/node_modules
+      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
+      - app-node_modules:/usr/src/app/node_modules
+      - sveltekit:/usr/src/app/web/.svelte-kit
+      - coverage:/usr/src/app/web/coverage
      - /etc/localtime:/etc/localtime:ro
  immich-web:
    env_file: !reset []
--- a/.devcontainer/mobile/devcontainer.json
+++ b/.devcontainer/mobile/devcontainer.json
@@ -2,7 +2,6 @@
  "name": "Immich - Mobile",
  "service": "immich-server",
  "runServices": [
-    "immich-init",
    "immich-server",
    "redis",
    "database",
@@ -36,7 +35,7 @@
  },
  "forwardPorts": [],
  "overrideCommand": true,
-  "workspaceFolder": "/usr/src/app",
+  "workspaceFolder": "/workspaces/immich",
  "remoteUser": "node",
  "userEnvProbe": "loginInteractiveShell",
  "remoteEnv": {
--- a/.devcontainer/server/container-common.sh
+++ b/.devcontainer/server/container-common.sh
@@ -2,6 +2,11 @@
 export IMMICH_PORT="${DEV_SERVER_PORT:-2283}"
 export DEV_PORT="${DEV_PORT:-3000}"

+# search for immich directory inside workspace.
+# /workspaces/immich is the bind mount, but other directories can be mounted if runing
+# Devcontainer: Clone [repository|pull request] in container volumne
+WORKSPACES_DIR="/workspaces"
+IMMICH_DIR="$WORKSPACES_DIR/immich"
 IMMICH_DEVCONTAINER_LOG="$HOME/immich-devcontainer.log"

 log() {
@@ -25,8 +30,52 @@ run_cmd() {
    return "${PIPESTATUS[0]}"
 }

-export IMMICH_WORKSPACE="/usr/src/app"
+# Find directories excluding /workspaces/immich
+mapfile -t other_dirs < <(find "$WORKSPACES_DIR" -mindepth 1 -maxdepth 1 -type d ! -path "$IMMICH_DIR" ! -name ".*")
+
+if [ ${#other_dirs[@]} -gt 1 ]; then
+    log "Error: More than one directory found in $WORKSPACES_DIR other than $IMMICH_DIR."
+    exit 1
+elif [ ${#other_dirs[@]} -eq 1 ]; then
+    export IMMICH_WORKSPACE="${other_dirs[0]}"
+else
+    export IMMICH_WORKSPACE="$IMMICH_DIR"
+fi

 log "Found immich workspace in $IMMICH_WORKSPACE"
 log ""

+fix_permissions() {
+
+    log "Fixing permissions for ${IMMICH_WORKSPACE}"
+
+    # Change ownership for directories that exist
+    for dir in "${IMMICH_WORKSPACE}/.vscode" \
+        "${IMMICH_WORKSPACE}/server/upload" \
+        "${IMMICH_WORKSPACE}/.pnpm-store" \
+        "${IMMICH_WORKSPACE}/.github/node_modules" \
+        "${IMMICH_WORKSPACE}/cli/node_modules" \
+        "${IMMICH_WORKSPACE}/e2e/node_modules" \
+        "${IMMICH_WORKSPACE}/open-api/typescript-sdk/node_modules" \
+        "${IMMICH_WORKSPACE}/server/node_modules" \
+        "${IMMICH_WORKSPACE}/server/dist" \
+        "${IMMICH_WORKSPACE}/web/node_modules" \
+        "${IMMICH_WORKSPACE}/web/dist"; do
+        if [ -d "$dir" ]; then
+            run_cmd sudo chown node -R "$dir"
+        fi
+    done
+
+    log ""
+}
+
+install_dependencies() {
+
+    log "Installing dependencies"
+    (
+        cd "${IMMICH_WORKSPACE}" || exit 1
+        export CI=1 FROZEN=1 OFFLINE=1
+        run_cmd make setup-web-dev setup-server-dev
+    )
+    log ""
+}
--- a/.devcontainer/server/container-compose-overrides.yml
+++ b/.devcontainer/server/container-compose-overrides.yml
@@ -1,21 +1,26 @@
 services:
-  immich-app-base:
-    image: busybox
  immich-server:
-    extends:
-      service: immich-app-base
-    profiles: !reset []
-    image: immich-server-dev:latest
    build:
      target: dev-container-server
    env_file: !reset []
    hostname: immich-dev
    environment:
      - IMMICH_SERVER_URL=http://127.0.0.1:2283/
-    volumes:
+    volumes: !override
+      - ..:/workspaces/immich
      - ${UPLOAD_LOCATION:-upload-devcontainer-volume}${UPLOAD_LOCATION:+/photos}:/data
      - /etc/localtime:/etc/localtime:ro
-      - pnpm_store_server:/buildcache/pnpm-store
+      - pnpm-store:/usr/src/app/.pnpm-store
+      - server-node_modules:/usr/src/app/server/node_modules
+      - web-node_modules:/usr/src/app/web/node_modules
+      - github-node_modules:/usr/src/app/.github/node_modules
+      - cli-node_modules:/usr/src/app/cli/node_modules
+      - docs-node_modules:/usr/src/app/docs/node_modules
+      - e2e-node_modules:/usr/src/app/e2e/node_modules
+      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
+      - app-node_modules:/usr/src/app/node_modules
+      - sveltekit:/usr/src/app/web/.svelte-kit
+      - coverage:/usr/src/app/web/coverage
      - ../plugins:/build/corePlugin
  immich-web:
    env_file: !reset []
--- a/.devcontainer/server/container-start.sh
+++ b/.devcontainer/server/container-start.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# shellcheck source=common.sh
+# shellcheck disable=SC1091
+source /immich-devcontainer/container-common.sh
+
+log "Setting up Immich dev container..."
+fix_permissions
+
+log "Setup complete, please wait while backend and frontend services automatically start"
+log
+log "If necessary, the services may be manually started using"
+log
+log "$ /immich-devcontainer/container-start-backend.sh"
+log "$ /immich-devcontainer/container-start-frontend.sh"
+log
+log "From different terminal windows, as these scripts automatically restart the server"
+log "on error, and will continuously run in a loop"
--- a/.github/.nvmrc
+++ b/.github/.nvmrc
@@ -1 +1 @@
-24.13.1
+24.13.0
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -26,7 +26,6 @@ The `/api/something` endpoint is now `/api/something-else`

 ## Checklist:

- [ ] I have carefully read CONTRIBUTING.md
 - [ ] I have performed a self-review of my own code
 - [ ] I have made corresponding changes to the documentation if applicable
 - [ ] I have no unrelated changes in the PR.
--- a/.github/workflows/build-mobile.yml
+++ b/.github/workflows/build-mobile.yml
@@ -51,14 +51,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -79,12 +79,12 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
@@ -96,14 +96,14 @@ jobs:
        working-directory: ./mobile
        run: printf "%s" $KEY_JKS | base64 -d > android/key.jks

-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
        with:
          distribution: 'zulu'
          java-version: '17'

      - name: Restore Gradle Cache
        id: cache-gradle-restore
-        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ~/.gradle/caches
@@ -160,7 +160,7 @@ jobs:

      - name: Save Gradle Cache
        id: cache-gradle-save
-        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        if: github.ref == 'refs/heads/main'
        with:
          path: |
@@ -178,14 +178,11 @@ jobs:
      contents: read
    # Run on main branch or workflow_dispatch, or on PRs/other branches (build only, no upload)
    if: ${{ !github.event.pull_request.head.repo.fork && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
-    runs-on: macos-15
+    runs-on: macos-latest

    steps:
-      - name: Select Xcode 26
-        run: sudo xcode-select -s /Applications/Xcode_26.2.app/Contents/Developer
-
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
@@ -269,8 +266,6 @@ jobs:
          ENVIRONMENT: ${{ inputs.environment || 'development' }}
          BUNDLE_ID_SUFFIX: ${{ inputs.environment == 'production' && '' || 'development' }}
          GITHUB_REF: ${{ github.ref }}
-          FASTLANE_XCODEBUILD_SETTINGS_TIMEOUT: 120
-          FASTLANE_XCODEBUILD_SETTINGS_RETRIES: 6
        working-directory: ./mobile/ios
        run: |
          # Only upload to TestFlight on main branch
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -19,13 +19,13 @@ jobs:
      actions: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/check-openapi.yml
+++ b/.github/workflows/check-openapi.yml
@@ -1,32 +0,0 @@
-name: Check OpenAPI
-on:
-  workflow_dispatch:
-  pull_request:
-    paths:
-      - 'open-api/**'
-      - '.github/workflows/check-openapi.yml'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  check-openapi:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Check for breaking API changes
-        # sha is pinning to a commit instead of a tag since the action does not tag versions
-        uses: oasdiff/oasdiff-action/breaking@ccb863950ce437a50f8f1a40d2a1112117e06ce4
-        with:
-          base: https://raw.githubusercontent.com/${{ github.repository }}/main/open-api/immich-openapi-specs.json
-          revision: open-api/immich-openapi-specs.json
-          fail-on: ERR
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -24,19 +24,18 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
-      id-token: write
-      packages: write
    defaults:
      run:
        working-directory: ./cli
+
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -45,7 +44,7 @@ jobs:
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './cli/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
@@ -58,8 +57,10 @@ jobs:

      - run: pnpm install --frozen-lockfile
      - run: pnpm build
-      - run: pnpm publish --provenance --no-git-checks
+      - run: pnpm publish --no-git-checks
        if: ${{ github.event_name == 'release' }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  docker:
    name: Docker
@@ -71,13 +72,13 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -89,7 +90,7 @@ jobs:
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          registry: ghcr.io
@@ -115,7 +116,7 @@ jobs:
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}

      - name: Build and push image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: cli/Dockerfile
          platforms: linux/amd64,linux/arm64
--- a/.github/workflows/close-duplicates.yml
+++ b/.github/workflows/close-duplicates.yml
@@ -35,7 +35,7 @@ jobs:
    needs: [get_body, should_run]
    if: ${{ needs.should_run.outputs.should_run == 'true' }}
    container:
-      image: ghcr.io/immich-app/mdq:main@sha256:4f9860d04c88f7f87861f8ee84bfeedaec15ed7ca5ca87bc7db44b036f81645f
+      image: ghcr.io/immich-app/mdq:main@sha256:ab9f163cd5d5cec42704a26ca2769ecf3f10aa8e7bae847f1d527cdf075946e6
    outputs:
      checked: ${{ steps.get_checkbox.outputs.checked }}
    steps:
--- a/.github/workflows/close-llm-pr.yml
+++ b/.github/workflows/close-llm-pr.yml
@@ -1,38 +0,0 @@
-name: Close LLM-generated PRs
-
-on:
-  pull_request_target:
-    types: [labeled]
-
-permissions: {}
-
-jobs:
-  comment_and_close:
-    runs-on: ubuntu-latest
-    if: ${{ github.event.label.name == 'llm-generated' }}
-    permissions:
-      pull-requests: write
-    steps:
-      - name: Comment and close
-        env:
-          GH_TOKEN: ${{ github.token }}
-          NODE_ID: ${{ github.event.pull_request.node_id }}
-        run: |
-          gh api graphql \
-            -f prId="$NODE_ID" \
-            -f body="Thank you for your interest in contributing to Immich! Unfortunately this PR looks like it was generated using an LLM. As noted in our [CONTRIBUTING.md](https://github.com/immich-app/immich/blob/main/CONTRIBUTING.md#use-of-generative-ai), we request that you don't use LLMs to generate PRs as those are not a good use of maintainer time." \
-            -f query='
-              mutation CommentAndClosePR($prId: ID!, $body: String!) {
-                addComment(input: {
-                  subjectId: $prId,
-                  body: $body
-                }) {
-                  __typename
-                }
-
-                closePullRequest(input: {
-                  pullRequestId: $prId
-                }) {
-                  __typename
-                }
-              }'
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -44,20 +44,20 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -83,6 +83,6 @@ jobs:
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{matrix.language}}'
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -23,14 +23,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -60,7 +60,7 @@ jobs:
        suffix: ['', '-cuda', '-rocm', '-openvino', '-armnn', '-rknn']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -90,7 +90,7 @@ jobs:
        suffix: ['']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -131,8 +131,8 @@ jobs:
          - device: rocm
            suffixes: '-rocm'
            platforms: linux/amd64
-            runner-mapping: '{"linux/amd64": "pokedex-giant"}'
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@bd49ed7a5a6022149f79b6564df48177476a822b # multi-runner-build-workflow-v2.2.1
+            runner-mapping: '{"linux/amd64": "mich"}'
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@0477486d82313fba68f7c82c034120a4b8981297 # multi-runner-build-workflow-v2.1.0
    permissions:
      contents: read
      actions: read
@@ -155,7 +155,7 @@ jobs:
    name: Build and Push Server
    needs: pre-job
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).server == true }}
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@bd49ed7a5a6022149f79b6564df48177476a822b # multi-runner-build-workflow-v2.2.1
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@0477486d82313fba68f7c82c034120a4b8981297 # multi-runner-build-workflow-v2.1.0
    permissions:
      contents: read
      actions: read
--- a/.github/workflows/docs-build.yml
+++ b/.github/workflows/docs-build.yml
@@ -21,14 +21,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -54,13 +54,13 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -70,7 +70,7 @@ jobs:
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './docs/.nvmrc'
          cache: 'pnpm'
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -20,7 +20,7 @@ jobs:
      artifact: ${{ steps.get-artifact.outputs.result }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
@@ -119,19 +119,19 @@ jobs:
    if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@dab18118da6476e8237ac94080fd937983fecd42 # use-mise-action-v1.1.2
+        uses: immich-app/devtools/actions/use-mise@b868e6e7c8cc212beec876330b4059e661ee44bb # use-mise-action-v1.1.1

      - name: Load parameters
        id: parameters
@@ -192,13 +192,16 @@ jobs:
          ' >> $GITHUB_OUTPUT

      - name: Publish to Cloudflare Pages
-        working-directory: docs
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          PROJECT_NAME: ${{ steps.docs-output.outputs.projectName }}
-          BRANCH_NAME: ${{ steps.parameters.outputs.name }}
-        run: mise run //docs:deploy
+        # TODO: Action is deprecated
+        uses: cloudflare/pages-action@f0a1cd58cd66095dee69bfa18fa5efd1dde93bca # v1.5.0
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          projectName: ${{ steps.docs-output.outputs.projectName }}
+          workingDirectory: 'docs'
+          directory: 'build'
+          branch: ${{ steps.parameters.outputs.name }}
+          wranglerVersion: '3'

      - name: Deploy Docs Release Domain
        if: ${{ steps.parameters.outputs.event == 'release' }}
--- a/.github/workflows/docs-destroy.yml
+++ b/.github/workflows/docs-destroy.yml
@@ -17,19 +17,19 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@dab18118da6476e8237ac94080fd937983fecd42 # use-mise-action-v1.1.2
+        uses: immich-app/devtools/actions/use-mise@b868e6e7c8cc212beec876330b4059e661ee44bb # use-mise-action-v1.1.1

      - name: Destroy Docs Subdomain
        env:
--- a/.github/workflows/fix-format.yml
+++ b/.github/workflows/fix-format.yml
@@ -22,7 +22,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: 'Checkout'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ steps.generate-token.outputs.token }}
@@ -32,14 +32,14 @@ jobs:
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'

      - name: Fix formatting
-        run: pnpm --recursive install && pnpm run --recursive --if-present --parallel format:fix
+        run: pnpm --recursive install && pnpm run --recursive --parallel fix:format

      - name: Commit and push
        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
--- a/.github/workflows/pr-label-validation.yml
+++ b/.github/workflows/pr-label-validation.yml
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -56,20 +56,20 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          ref: main

      - name: Install uv
-        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -109,6 +109,12 @@ jobs:
      APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
      IOS_CERTIFICATE_P12: ${{ secrets.IOS_CERTIFICATE_P12 }}
      IOS_CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
+      IOS_PROVISIONING_PROFILE: ${{ secrets.IOS_PROVISIONING_PROFILE }}
+      IOS_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_SHARE_EXTENSION }}
+      IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
+      IOS_DEVELOPMENT_PROVISIONING_PROFILE: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE }}
+      IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION }}
+      IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
      FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}

    with:
@@ -130,7 +136,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false
--- a/.github/workflows/preview-label.yaml
+++ b/.github/workflows/preview-label.yaml
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
@@ -32,7 +32,7 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -23,20 +23,20 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          ref: main

      - name: Install uv
-        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -159,7 +159,7 @@ jobs:

      - name: Create PR
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          commit-message: 'chore: release ${{ steps.bump-type.outputs.next }}'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -58,7 +58,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false
@@ -88,7 +88,6 @@ jobs:
          draft: true
          files: |
            docker/docker-compose.yml
-            docker/docker-compose.rootless.yml
            docker/example.env
            docker/hwaccel.ml.yml
            docker/hwaccel.transcoding.yml
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -12,19 +12,17 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
-      id-token: write
-      packages: write
    defaults:
      run:
        working-directory: ./open-api/typescript-sdk
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -33,7 +31,7 @@ jobs:
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './open-api/typescript-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
@@ -44,4 +42,6 @@ jobs:
      - name: Build
        run: pnpm build
      - name: Publish
-        run: pnpm publish --provenance --no-git-checks
+        run: pnpm publish --no-git-checks
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -20,14 +20,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -49,13 +49,13 @@ jobs:
        working-directory: ./mobile
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -69,14 +69,6 @@ jobs:
      - name: Install dependencies
        run: dart pub get

-      - name: Install dependencies for UI package
-        run: dart pub get
-        working-directory: ./mobile/packages/ui
-
-      - name: Install dependencies for UI Showcase
-        run: dart pub get
-        working-directory: ./mobile/packages/ui/showcase
-
      - name: Install DCM
        uses: CQLabs/setup-dcm@8697ae0790c0852e964a6ef1d768d62a6675481a # v2.0.1
        with:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,14 +17,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -63,13 +63,13 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -77,7 +77,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -108,20 +108,20 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './cli/.nvmrc'
          cache: 'pnpm'
@@ -155,20 +155,20 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './cli/.nvmrc'
          cache: 'pnpm'
@@ -197,20 +197,20 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './web/.nvmrc'
          cache: 'pnpm'
@@ -241,20 +241,20 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './web/.nvmrc'
          cache: 'pnpm'
@@ -279,20 +279,20 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './web/.nvmrc'
          cache: 'pnpm'
@@ -327,20 +327,20 @@ jobs:
        working-directory: ./e2e
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
@@ -373,13 +373,13 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -387,7 +387,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -412,13 +412,13 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -426,7 +426,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
@@ -446,29 +446,12 @@ jobs:
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
-      - name: Start Docker Compose
-        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+      - name: Docker build
+        run: docker compose build
        if: ${{ !cancelled() }}
      - name: Run e2e tests (api & cli)
-        env:
-          VITEST_DISABLE_DOCKER_SETUP: true
        run: pnpm test
        if: ${{ !cancelled() }}
-      - name: Run e2e tests (maintenance)
-        env:
-          VITEST_DISABLE_DOCKER_SETUP: true
-        run: pnpm test:maintenance
-        if: ${{ !cancelled() }}
-      - name: Capture Docker logs
-        if: always()
-        run: docker compose logs --no-color > docker-compose-logs.txt
-        working-directory: ./e2e
-      - name: Archive Docker logs
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: always()
-        with:
-          name: e2e-server-docker-logs-${{ matrix.runner }}
-          path: e2e/docker-compose-logs.txt
  e2e-tests-web:
    name: End-to-End Tests (Web)
    needs: pre-job
@@ -484,13 +467,13 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -498,7 +481,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
@@ -511,54 +494,22 @@ jobs:
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
      - name: Install Playwright Browsers
-        run: pnpm exec playwright install chromium --only-shell
+        run: npx playwright install chromium --only-shell
        if: ${{ !cancelled() }}
      - name: Docker build
-        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+        run: docker compose build
        if: ${{ !cancelled() }}
      - name: Run e2e tests (web)
        env:
-          PLAYWRIGHT_DISABLE_WEBSERVER: true
-        run: pnpm test:web
+          CI: true
+        run: npx playwright test
        if: ${{ !cancelled() }}
-      - name: Archive e2e test (web) results
+      - name: Archive test results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: success() || failure()
        with:
          name: e2e-web-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
-      - name: Run ui tests (web)
-        env:
-          PLAYWRIGHT_DISABLE_WEBSERVER: true
-        run: pnpm test:web:ui
-        if: ${{ !cancelled() }}
-      - name: Archive ui test (web) results
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: success() || failure()
-        with:
-          name: e2e-ui-test-results-${{ matrix.runner }}
-          path: e2e/playwright-report/
-      - name: Run maintenance tests
-        env:
-          PLAYWRIGHT_DISABLE_WEBSERVER: true
-        run: pnpm test:web:maintenance
-        if: ${{ !cancelled() }}
-      - name: Archive maintenance tests (web) results
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: success() || failure()
-        with:
-          name: e2e-maintenance-isolated-test-results-${{ matrix.runner }}
-          path: e2e/playwright-report/
-      - name: Capture Docker logs
-        if: always()
-        run: docker compose logs --no-color > docker-compose-logs.txt
-        working-directory: ./e2e
-      - name: Archive Docker logs
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: always()
-        with:
-          name: e2e-web-docker-logs-${{ matrix.runner }}
-          path: e2e/docker-compose-logs.txt
  success-check-e2e:
    name: End-to-End Tests Success
    needs: [e2e-tests-server-cli, e2e-tests-web]
@@ -578,12 +529,12 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -610,17 +561,17 @@ jobs:
        working-directory: ./machine-learning
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Install uv
-        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
        with:
          python-version: 3.11
      - name: Install dependencies
@@ -629,9 +580,9 @@ jobs:
      - name: Lint with ruff
        run: |
          uv run ruff check --output-format=github immich_ml
-      - name: Format with ruff
+      - name: Check black formatting
        run: |
-          uv run ruff format --check immich_ml
+          uv run black --check immich_ml
      - name: Run mypy type checking
        run: |
          uv run mypy --strict immich_ml/
@@ -650,20 +601,20 @@ jobs:
        working-directory: ./.github
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './.github/.nvmrc'
          cache: 'pnpm'
@@ -680,12 +631,12 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -701,20 +652,20 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -763,20 +714,20 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
--- a/.github/workflows/weblate-lock.yml
+++ b/.github/workflows/weblate-lock.yml
@@ -24,19 +24,19 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
+        uses: immich-app/devtools/actions/pre-job@08bac802a312fc89808e0dd589271ca0974087b5 # pre-job-action-v2.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
            i18n:
-              - modified: 'i18n/!(en|package)**\.json'
+              - modified: 'i18n/!(en)**\.json'
          skip-force-logic: 'true'

  enforce-lock:
@@ -47,7 +47,7 @@ jobs:
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).i18n == true }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
--- a/.pnpmfile.cjs
+++ b/.pnpmfile.cjs
@@ -4,18 +4,12 @@ module.exports = {
      if (!pkg.name) {
        return pkg;
      }
-      // make exiftool-vendored.pl a regular dependency since Docker prod
-      // images build with --no-optional to reduce image size
      if (pkg.name === "exiftool-vendored") {
-        const binaryPackage =
-          process.platform === "win32"
-            ? "exiftool-vendored.exe"
-            : "exiftool-vendored.pl";
-
-        if (pkg.optionalDependencies[binaryPackage]) {
-          pkg.dependencies[binaryPackage] =
-            pkg.optionalDependencies[binaryPackage];
-          delete pkg.optionalDependencies[binaryPackage];
+        if (pkg.optionalDependencies["exiftool-vendored.pl"]) {
+          // make exiftool-vendored.pl a regular dependency
+          pkg.dependencies["exiftool-vendored.pl"] =
+            pkg.optionalDependencies["exiftool-vendored.pl"];
+          delete pkg.optionalDependencies["exiftool-vendored.pl"];
        }
      }
      return pkg;
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -0,0 +1,80 @@
+{
+  "version": "2.0.0",
+  "tasks": [
+    {
+      "label": "Fix Permissions, Install Dependencies",
+      "type": "shell",
+      "command": "[ -f /immich-devcontainer/container-start.sh ] && /immich-devcontainer/container-start.sh || exit 0",
+      "isBackground": true,
+      "presentation": {
+        "echo": true,
+        "reveal": "always",
+        "focus": false,
+        "panel": "dedicated",
+        "showReuseMessage": true,
+        "clear": false,
+        "group": "Devcontainer tasks",
+        "close": true
+      },
+      "runOptions": {
+        "runOn": "default"
+      },
+      "problemMatcher": []
+    },
+    {
+      "label": "Immich API Server (Nest)",
+      "dependsOn": ["Fix Permissions, Install Dependencies"],
+      "type": "shell",
+      "command": "[ -f /immich-devcontainer/container-start-backend.sh ] && /immich-devcontainer/container-start-backend.sh || exit 0",
+      "isBackground": true,
+      "presentation": {
+        "echo": true,
+        "reveal": "always",
+        "focus": false,
+        "panel": "dedicated",
+        "showReuseMessage": true,
+        "clear": false,
+        "group": "Devcontainer tasks",
+        "close": true
+      },
+      "runOptions": {
+        "runOn": "default"
+      },
+      "problemMatcher": []
+    },
+    {
+      "label": "Immich Web Server (Vite)",
+      "dependsOn": ["Fix Permissions, Install Dependencies"],
+      "type": "shell",
+      "command": "[ -f /immich-devcontainer/container-start-frontend.sh ] && /immich-devcontainer/container-start-frontend.sh || exit 0",
+      "isBackground": true,
+      "presentation": {
+        "echo": true,
+        "reveal": "always",
+        "focus": false,
+        "panel": "dedicated",
+        "showReuseMessage": true,
+        "clear": false,
+        "group": "Devcontainer tasks",
+        "close": true
+      },
+      "runOptions": {
+        "runOn": "default"
+      },
+      "problemMatcher": []
+    },
+    {
+      "label": "Immich Server and Web",
+      "dependsOn": ["Immich Web Server (Vite)", "Immich API Server (Nest)"],
+      "runOptions": {
+        "runOn": "folderOpen"
+      },
+      "problemMatcher": []
+    },
+    {
+      "label": "Build Immich CLI",
+      "type": "shell",
+      "command": "pnpm --filter cli build:dev"
+    }
+  ]
+}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -17,27 +17,15 @@ If you are looking for something to work on, there are discussions and issues wi

 ## Use of generative AI

-We ask you not to open PRs generated with an LLM. We find that code generated like this tends to need a large amount of back-and-forth, which is a very inefficient use of our time. If we want LLM-generated code, it's much faster for us to use an LLM ourselves than to go through an intermediary via a pull request.
+We generally discourage PRs entirely generated by an LLM. For any part generated by an LLM, please put extra effort into your self-review. By using generative AI without proper self-review, the time you save ends up being more work we need to put in for proper reviews and code cleanup. Please keep that in mind when submitting code by an LLM. Clearly state the use of LLMs/(generative) AI in your pull request as requested by the template.

 ## Feature freezes

 From time to time, we put a feature freeze on parts of the codebase. For us, this means we won't accept most PRs that make changes in that area. Exempted from this are simple bug fixes that require only minor changes. We will close feature PRs that target a feature-frozen area, even if that feature is highly requested and you put a lot of work into it. Please keep that in mind, and if you're ever uncertain if a PR would be accepted, reach out to us first (e.g., in the aforementioned `#contributing` channel). We hate to throw away work. Currently, we have feature freezes on:

- Sharing/Asset ownership
- (External) libraries
+* Sharing/Asset ownership
+* (External) libraries

 ## Non-code contributions

-If you want to contribute to Immich but you don't feel comfortable programming in our tech stack, there are other ways you can help the team.
-
-### Translations
-
-All our translations are done through [Weblate](https://hosted.weblate.org/projects/immich). These rely entirely on the community; if you speak a language that isn't fully translated yet, submitting translations there is greatly appreciated!
-
-### Datasets
-
-Help us improve our [Immich Datasets](https://datasets.immich.app) by submitting photos and videos taken from a variety of devices, including smartphones, DSLRs, and action cameras, as well as photos with unique features, such as panoramas, burst photos, and photo spheres. These datasets will be publically available for anyone to use, do not submit private/sensitive photos.
-
-### Community support
-
-If you like helping others, answering Q&A discussions here on GitHub and replying to people on our Discord is also always appreciated.
+If you want to contribute to Immich but you don't feel comfortable programming in our tech stack, there are other ways you can help the team. All our translations are done through [Weblate](https://hosted.weblate.org/projects/immich). These rely entirely on the community; if you speak a language that isn't fully translated yet, submitting translations there is greatly appreciated! If you like helping others, answering Q&A discussions here on GitHub and replying to people on our Discord is also always appreciated.
--- a/2
+++ b/2
@@ -52,7 +52,7 @@ attach-server:
 	docker exec -it docker_immich-server_1 sh

 renovate:
-  LOG_LEVEL=debug pnpm exec renovate --platform=local --repository-cache=reset
+  LOG_LEVEL=debug npx renovate --platform=local --repository-cache=reset

 # Directories that need to be created for volumes or build output
 VOLUME_DIRS = \
--- a/cli/.nvmrc
+++ b/cli/.nvmrc
@@ -1 +1 @@
-24.13.1
+24.13.0
--- a/cli/package.json
+++ b/cli/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@immich/cli",
-  "version": "2.5.6",
+  "version": "2.2.105",
  "description": "Command Line Interface (CLI) for Immich",
  "type": "module",
  "exports": "./dist/index.js",
@@ -14,13 +14,13 @@
  ],
  "devDependencies": {
    "@eslint/js": "^9.8.0",
-    "@immich/sdk": "workspace:*",
+    "@immich/sdk": "file:../open-api/typescript-sdk",
    "@types/byte-size": "^8.1.0",
    "@types/cli-progress": "^3.11.0",
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.10.13",
+    "@types/node": "^24.10.8",
    "@vitest/coverage-v8": "^3.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
@@ -45,8 +45,8 @@
    "build": "vite build",
    "build:dev": "vite build --sourcemap true",
    "lint": "eslint \"src/**/*.ts\" --max-warnings 0",
-    "lint:fix": "pnpm run lint --fix",
-    "prepack": "pnpm run build",
+    "lint:fix": "npm run lint -- --fix",
+    "prepack": "npm run build",
    "test": "vitest",
    "test:cov": "vitest --coverage",
    "format": "prettier --check .",
@@ -69,6 +69,6 @@
    "micromatch": "^4.0.8"
  },
  "volta": {
-    "node": "24.13.1"
+    "node": "24.13.0"
  }
 }
--- a/cli/src/commands/asset.spec.ts
+++ b/cli/src/commands/asset.spec.ts
@@ -7,15 +7,7 @@ import { describe, expect, it, MockedFunction, vi } from 'vitest';
 import { Action, checkBulkUpload, defaults, getSupportedMediaTypes, Reason } from '@immich/sdk';
 import createFetchMock from 'vitest-fetch-mock';

-import {
-  checkForDuplicates,
-  deleteFiles,
-  findSidecar,
-  getAlbumName,
-  startWatch,
-  uploadFiles,
-  UploadOptionsDto,
-} from 'src/commands/asset';
+import { checkForDuplicates, getAlbumName, startWatch, uploadFiles, UploadOptionsDto } from 'src/commands/asset';

 vi.mock('@immich/sdk');

@@ -317,85 +309,3 @@ describe('startWatch', () => {
    await fs.promises.rm(testFolder, { recursive: true, force: true });
  });
 });
-
-describe('findSidecar', () => {
-  let testDir: string;
-  let testFilePath: string;
-
-  beforeEach(() => {
-    testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test-sidecar-'));
-    testFilePath = path.join(testDir, 'test.jpg');
-    fs.writeFileSync(testFilePath, 'test');
-  });
-
-  afterEach(() => {
-    fs.rmSync(testDir, { recursive: true, force: true });
-  });
-
-  it('should find sidecar file with photo.xmp naming convention', () => {
-    const sidecarPath = path.join(testDir, 'test.xmp');
-    fs.writeFileSync(sidecarPath, 'xmp data');
-
-    const result = findSidecar(testFilePath);
-    expect(result).toBe(sidecarPath);
-  });
-
-  it('should find sidecar file with photo.ext.xmp naming convention', () => {
-    const sidecarPath = path.join(testDir, 'test.jpg.xmp');
-    fs.writeFileSync(sidecarPath, 'xmp data');
-
-    const result = findSidecar(testFilePath);
-    expect(result).toBe(sidecarPath);
-  });
-
-  it('should prefer photo.ext.xmp over photo.xmp when both exist', () => {
-    const sidecarPath1 = path.join(testDir, 'test.xmp');
-    const sidecarPath2 = path.join(testDir, 'test.jpg.xmp');
-    fs.writeFileSync(sidecarPath1, 'xmp data 1');
-    fs.writeFileSync(sidecarPath2, 'xmp data 2');
-
-    const result = findSidecar(testFilePath);
-    // Should return the first one found (photo.xmp) based on the order in the code
-    expect(result).toBe(sidecarPath1);
-  });
-
-  it('should return undefined when no sidecar file exists', () => {
-    const result = findSidecar(testFilePath);
-    expect(result).toBeUndefined();
-  });
-});
-
-describe('deleteFiles', () => {
-  let testDir: string;
-  let testFilePath: string;
-
-  beforeEach(() => {
-    testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test-delete-'));
-    testFilePath = path.join(testDir, 'test.jpg');
-    fs.writeFileSync(testFilePath, 'test');
-  });
-
-  afterEach(() => {
-    fs.rmSync(testDir, { recursive: true, force: true });
-  });
-
-  it('should delete asset and sidecar file when main file is deleted', async () => {
-    const sidecarPath = path.join(testDir, 'test.xmp');
-    fs.writeFileSync(sidecarPath, 'xmp data');
-
-    await deleteFiles([{ id: 'test-id', filepath: testFilePath }], [], { delete: true, concurrency: 1 });
-
-    expect(fs.existsSync(testFilePath)).toBe(false);
-    expect(fs.existsSync(sidecarPath)).toBe(false);
-  });
-
-  it('should not delete sidecar file when delete option is false', async () => {
-    const sidecarPath = path.join(testDir, 'test.xmp');
-    fs.writeFileSync(sidecarPath, 'xmp data');
-
-    await deleteFiles([{ id: 'test-id', filepath: testFilePath }], [], { delete: false, concurrency: 1 });
-
-    expect(fs.existsSync(testFilePath)).toBe(true);
-    expect(fs.existsSync(sidecarPath)).toBe(true);
-  });
-});
--- a/cli/src/commands/asset.ts
+++ b/cli/src/commands/asset.ts
@@ -4,7 +4,6 @@ import {
  AssetBulkUploadCheckResult,
  AssetMediaResponseDto,
  AssetMediaStatus,
-  Permission,
  addAssetsToAlbum,
  checkBulkUpload,
  createAlbum,
@@ -17,15 +16,17 @@ import { Matcher, watch as watchFs } from 'chokidar';
 import { MultiBar, Presets, SingleBar } from 'cli-progress';
 import { chunk } from 'lodash-es';
 import micromatch from 'micromatch';
-import { Stats, createReadStream, existsSync } from 'node:fs';
+import { Stats, createReadStream } from 'node:fs';
 import { stat, unlink } from 'node:fs/promises';
 import path, { basename } from 'node:path';
 import { Queue } from 'src/queue';
-import { BaseOptions, Batcher, authenticate, crawl, requirePermissions, s, sha1 } from 'src/utils';
+import { BaseOptions, Batcher, authenticate, crawl, sha1 } from 'src/utils';

 const UPLOAD_WATCH_BATCH_SIZE = 100;
 const UPLOAD_WATCH_DEBOUNCE_TIME_MS = 10_000;

+const s = (count: number) => (count === 1 ? '' : 's');
+
 // TODO figure out why `id` is missing
 type AssetBulkUploadCheckResults = Array<AssetBulkUploadCheckResult & { id: string }>;
 type Asset = { id: string; filepath: string };
@@ -135,7 +136,6 @@ export const startWatch = async (

 export const upload = async (paths: string[], baseOptions: BaseOptions, options: UploadOptionsDto) => {
  await authenticate(baseOptions);
-  await requirePermissions([Permission.AssetUpload]);

  const scanFiles = await scan(paths, options);

@@ -180,49 +180,18 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
  }

  let multiBar: MultiBar | undefined;
-  let totalSize = 0;
-  const statsMap = new Map<string, Stats>();
-
-  // Calculate total size first
-  for (const filepath of files) {
-    const stats = await stat(filepath);
-    statsMap.set(filepath, stats);
-    totalSize += stats.size;
-  }

  if (progress) {
    multiBar = new MultiBar(
-      {
-        format: '{message} | {bar} | {percentage}% | ETA: {eta_formatted} | {value}/{total}',
-        formatValue: (v: number, options, type) => {
-          // Don't format percentage
-          if (type === 'percentage') {
-            return v.toString();
-          }
-          return byteSize(v).toString();
-        },
-        etaBuffer: 100, // Increase samples for ETA calculation
-      },
+      { format: '{message} | {bar} | {percentage}% | ETA: {eta}s | {value}/{total} assets' },
      Presets.shades_classic,
    );
-
-    // Ensure we restore cursor on interrupt
-    process.on('SIGINT', () => {
-      if (multiBar) {
-        multiBar.stop();
-      }
-      process.exit(0);
-    });
  } else {
-    console.log(`Received ${files.length} files (${byteSize(totalSize)}), hashing...`);
+    console.log(`Received ${files.length} files, hashing...`);
  }

-  const hashProgressBar = multiBar?.create(totalSize, 0, {
-    message: 'Hashing files          ',
-  });
-  const checkProgressBar = multiBar?.create(totalSize, 0, {
-    message: 'Checking for duplicates',
-  });
+  const hashProgressBar = multiBar?.create(files.length, 0, { message: 'Hashing files          ' });
+  const checkProgressBar = multiBar?.create(files.length, 0, { message: 'Checking for duplicates' });

  const newFiles: string[] = [];
  const duplicates: Asset[] = [];
@@ -242,13 +211,7 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
        }
      }

-      // Update progress based on total size of processed files
-      let processedSize = 0;
-      for (const asset of assets) {
-        const stats = statsMap.get(asset.id);
-        processedSize += stats?.size || 0;
-      }
-      checkProgressBar?.increment(processedSize);
+      checkProgressBar?.increment(assets.length);
    },
    { concurrency, retry: 3 },
  );
@@ -258,10 +221,6 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas

  const queue = new Queue<string, AssetBulkUploadCheckItem[]>(
    async (filepath: string): Promise<AssetBulkUploadCheckItem[]> => {
-      const stats = statsMap.get(filepath);
-      if (!stats) {
-        throw new Error(`Stats not found for ${filepath}`);
-      }
      const dto = { id: filepath, checksum: await sha1(filepath) };

      results.push(dto);
@@ -272,7 +231,7 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
        void checkBulkUploadQueue.push(batch);
      }

-      hashProgressBar?.increment(stats.size);
+      hashProgressBar?.increment();
      return results;
    },
    { concurrency, retry: 3 },
@@ -403,6 +362,23 @@ export const uploadFiles = async (
 const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaResponseDto> => {
  const { baseUrl, headers } = defaults;

+  const assetPath = path.parse(input);
+  const noExtension = path.join(assetPath.dir, assetPath.name);
+
+  const sidecarsFiles = await Promise.all(
+    // XMP sidecars can come in two filename formats. For a photo named photo.ext, the filenames are photo.ext.xmp and photo.xmp
+    [`${noExtension}.xmp`, `${input}.xmp`].map(async (sidecarPath) => {
+      try {
+        const stats = await stat(sidecarPath);
+        return new UploadFile(sidecarPath, stats.size);
+      } catch {
+        return false;
+      }
+    }),
+  );
+
+  const sidecarData = sidecarsFiles.find((file): file is UploadFile => file !== false);
+
  const formData = new FormData();
  formData.append('deviceAssetId', `${basename(input)}-${stats.size}`.replaceAll(/\s+/g, ''));
  formData.append('deviceId', 'CLI');
@@ -412,15 +388,8 @@ const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaRespon
  formData.append('isFavorite', 'false');
  formData.append('assetData', new UploadFile(input, stats.size));

-  const sidecarPath = findSidecar(input);
-  if (sidecarPath) {
-    try {
-      const stats = await stat(sidecarPath);
-      const sidecarData = new UploadFile(sidecarPath, stats.size);
-      formData.append('sidecarData', sidecarData);
-    } catch {
-      // noop
-    }
+  if (sidecarData) {
+    formData.append('sidecarData', sidecarData);
  }

  const response = await fetch(`${baseUrl}/assets`, {
@@ -436,19 +405,7 @@ const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaRespon
  return response.json();
 };

-export const findSidecar = (filepath: string): string | undefined => {
-  const assetPath = path.parse(filepath);
-  const noExtension = path.join(assetPath.dir, assetPath.name);
-
-  // XMP sidecars can come in two filename formats. For a photo named photo.ext, the filenames are photo.ext.xmp and photo.xmp
-  for (const sidecarPath of [`${noExtension}.xmp`, `${filepath}.xmp`]) {
-    if (existsSync(sidecarPath)) {
-      return sidecarPath;
-    }
-  }
-};
-
-export const deleteFiles = async (uploaded: Asset[], duplicates: Asset[], options: UploadOptionsDto): Promise<void> => {
+const deleteFiles = async (uploaded: Asset[], duplicates: Asset[], options: UploadOptionsDto): Promise<void> => {
  let fileCount = 0;
  if (options.delete) {
    fileCount += uploaded.length;
@@ -476,15 +433,7 @@ export const deleteFiles = async (uploaded: Asset[], duplicates: Asset[], option

  const chunkDelete = async (files: Asset[]) => {
    for (const assetBatch of chunk(files, options.concurrency)) {
-      await Promise.all(
-        assetBatch.map(async (input: Asset) => {
-          await unlink(input.filepath);
-          const sidecarPath = findSidecar(input.filepath);
-          if (sidecarPath) {
-            await unlink(sidecarPath);
-          }
-        }),
-      );
+      await Promise.all(assetBatch.map((input: Asset) => unlink(input.filepath)));
      deletionProgress.update(assetBatch.length);
    }
  };
--- a/cli/src/commands/auth.ts
+++ b/cli/src/commands/auth.ts
@@ -1,15 +1,7 @@
-import { getMyUser, Permission } from '@immich/sdk';
+import { getMyUser } from '@immich/sdk';
 import { existsSync } from 'node:fs';
 import { mkdir, unlink } from 'node:fs/promises';
-import {
-  BaseOptions,
-  connect,
-  getAuthFilePath,
-  logError,
-  requirePermissions,
-  withError,
-  writeAuthFile,
-} from 'src/utils';
+import { BaseOptions, connect, getAuthFilePath, logError, withError, writeAuthFile } from 'src/utils';

 export const login = async (url: string, key: string, options: BaseOptions) => {
  console.log(`Logging in to ${url}`);
@@ -17,7 +9,6 @@ export const login = async (url: string, key: string, options: BaseOptions) => {
  const { configDirectory: configDir } = options;

  await connect(url, key);
-  await requirePermissions([Permission.UserRead]);

  const [error, user] = await withError(getMyUser());
  if (error) {
--- a/cli/src/commands/server-info.ts
+++ b/cli/src/commands/server-info.ts
@@ -1,9 +1,8 @@
-import { getAssetStatistics, getMyUser, getServerVersion, getSupportedMediaTypes, Permission } from '@immich/sdk';
-import { authenticate, BaseOptions, requirePermissions } from 'src/utils';
+import { getAssetStatistics, getMyUser, getServerVersion, getSupportedMediaTypes } from '@immich/sdk';
+import { BaseOptions, authenticate } from 'src/utils';

 export const serverInfo = async (options: BaseOptions) => {
  const { url } = await authenticate(options);
-  await requirePermissions([Permission.ServerAbout, Permission.AssetStatistics, Permission.UserRead]);

  const [versionInfo, mediaTypes, stats, userInfo] = await Promise.all([
    getServerVersion(),
--- a/cli/src/utils.ts
+++ b/cli/src/utils.ts
@@ -1,4 +1,4 @@
-import { ApiKeyResponseDto, getMyApiKey, getMyUser, init, isHttpError, Permission } from '@immich/sdk';
+import { getMyUser, init, isHttpError } from '@immich/sdk';
 import { convertPathToPattern, glob } from 'fast-glob';
 import { createHash } from 'node:crypto';
 import { createReadStream } from 'node:fs';
@@ -34,36 +34,6 @@ export const authenticate = async (options: BaseOptions): Promise<AuthDto> => {
  return auth;
 };

-export const s = (count: number) => (count === 1 ? '' : 's');
-
-let _apiKey: ApiKeyResponseDto;
-export const requirePermissions = async (permissions: Permission[]) => {
-  if (!_apiKey) {
-    _apiKey = await getMyApiKey();
-  }
-
-  if (_apiKey.permissions.includes(Permission.All)) {
-    return;
-  }
-
-  const missing: Permission[] = [];
-
-  for (const permission of permissions) {
-    if (!_apiKey.permissions.includes(permission)) {
-      missing.push(permission);
-    }
-  }
-
-  if (missing.length > 0) {
-    const combined = missing.map((permission) => `"${permission}"`).join(', ');
-    console.log(
-      `Missing required permission${s(missing.length)}: ${combined}.
-Please make sure your API key has the correct permissions.`,
-    );
-    process.exit(1);
-  }
-};
-
 export const connect = async (url: string, key: string) => {
  const wellKnownUrl = new URL('.well-known/immich', url);
  try {
--- a/deployment/mise.toml
+++ b/deployment/mise.toml
@@ -1,6 +1,6 @@
 [tools]
-terragrunt = "0.98.0"
-opentofu = "1.11.4"
+terragrunt = "0.93.10"
+opentofu = "1.10.7"

 [tasks."tg:fmt"]
 run = "terragrunt hclfmt"
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -14,65 +14,33 @@
 name: immich-dev

 services:
-  immich-app-base:
-    profiles: ['_base']
-    tmpfs:
-      - /tmp
-    volumes:
-      - ..:/usr/src/app
-      - pnpm_cache:/buildcache/pnpm_cache
-      - server_node_modules:/usr/src/app/server/node_modules
-      - web_node_modules:/usr/src/app/web/node_modules
-      - github_node_modules:/usr/src/app/.github/node_modules
-      - cli_node_modules:/usr/src/app/cli/node_modules
-      - docs_node_modules:/usr/src/app/docs/node_modules
-      - e2e_node_modules:/usr/src/app/e2e/node_modules
-      - sdk_node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
-      - app_node_modules:/usr/src/app/node_modules
-      - sveltekit:/usr/src/app/web/.svelte-kit
-      - coverage:/usr/src/app/web/coverage
-
-  immich-init:
-    extends:
-      service: immich-app-base
-    profiles: !reset []
-    container_name: immich_init
-    image: immich-server-dev:latest
-    build:
-      context: ../
-      dockerfile: server/Dockerfile.dev
-      target: dev
-    command:
-      - |
-        pnpm install
-        touch /tmp/init-complete
-        exec tail -f /dev/null
-    volumes:
-      - pnpm_store_server:/buildcache/pnpm-store
-    restart: 'no'
-    healthcheck:
-      test: ['CMD', 'test', '-f', '/tmp/init-complete']
-      interval: 2s
-      timeout: 3s
-      retries: 300
-      start_period: 300s
-
  immich-server:
-    extends:
-      service: immich-app-base
-    profiles: !reset []
    container_name: immich_server
    command: ['immich-dev']
    image: immich-server-dev:latest
+    # extends:
+    #   file: hwaccel.transcoding.yml
+    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    build:
      context: ../
      dockerfile: server/Dockerfile.dev
      target: dev
    restart: unless-stopped
    volumes:
+      - ..:/usr/src/app
      - ${UPLOAD_LOCATION}/photos:/data
      - /etc/localtime:/etc/localtime:ro
-      - pnpm_store_server:/buildcache/pnpm-store
+      - pnpm-store:/usr/src/app/.pnpm-store
+      - server-node_modules:/usr/src/app/server/node_modules
+      - web-node_modules:/usr/src/app/web/node_modules
+      - github-node_modules:/usr/src/app/.github/node_modules
+      - cli-node_modules:/usr/src/app/cli/node_modules
+      - docs-node_modules:/usr/src/app/docs/node_modules
+      - e2e-node_modules:/usr/src/app/e2e/node_modules
+      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
+      - app-node_modules:/usr/src/app/node_modules
+      - sveltekit:/usr/src/app/web/.svelte-kit
+      - coverage:/usr/src/app/web/coverage
      - ../plugins:/build/corePlugin
    env_file:
      - .env
@@ -95,8 +63,6 @@ services:
      - 9231:9231
      - 2283:2283
    depends_on:
-      immich-init:
-        condition: service_healthy
      redis:
        condition: service_started
      database:
@@ -105,9 +71,6 @@ services:
      disable: false

  immich-web:
-    extends:
-      service: immich-app-base
-    profiles: !reset []
    container_name: immich_web
    image: immich-web-dev:latest
    build:
@@ -121,11 +84,20 @@ services:
      - 3000:3000
      - 24678:24678
    volumes:
-      - pnpm_store_web:/buildcache/pnpm-store
+      - ..:/usr/src/app
+      - pnpm-store:/usr/src/app/.pnpm-store
+      - server-node_modules:/usr/src/app/server/node_modules
+      - web-node_modules:/usr/src/app/web/node_modules
+      - github-node_modules:/usr/src/app/.github/node_modules
+      - cli-node_modules:/usr/src/app/cli/node_modules
+      - docs-node_modules:/usr/src/app/docs/node_modules
+      - e2e-node_modules:/usr/src/app/e2e/node_modules
+      - sdk-node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
+      - app-node_modules:/usr/src/app/node_modules
+      - sveltekit:/usr/src/app/web/.svelte-kit
+      - coverage:/usr/src/app/web/coverage
    restart: unless-stopped
    depends_on:
-      immich-init:
-        condition: service_healthy
      immich-server:
        condition: service_started

@@ -144,7 +116,7 @@ services:
      - 3003:3003
    volumes:
      - ../machine-learning/immich_ml:/usr/src/immich_ml
-      - model_cache:/cache
+      - model-cache:/cache
    env_file:
      - .env
    depends_on:
@@ -155,7 +127,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:930b41430fb727f533c5982fe509b6f04233e26d0f7354e04de4b0d5c706e44e
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
    healthcheck:
      test: redis-cli ping || exit 1

@@ -184,7 +156,7 @@ services:
  #   image: prom/prometheus
  #   volumes:
  #     - ./prometheus.yml:/etc/prometheus/prometheus.yml
-  #     - prometheus_data:/prometheus
+  #     - prometheus-data:/prometheus

  # first login uses admin/admin
  # add data source for http://immich-prometheus:9090 to get started
@@ -195,22 +167,20 @@ services:
  #     - 3000:3000
  #   image: grafana/grafana:10.3.3-ubuntu
  #   volumes:
-  #     - grafana_data:/var/lib/grafana
+  #     - grafana-data:/var/lib/grafana

 volumes:
-  model_cache:
-  prometheus_data:
-  grafana_data:
-  pnpm_cache:
-  pnpm_store_server:
-  pnpm_store_web:
-  server_node_modules:
-  web_node_modules:
-  github_node_modules:
-  cli_node_modules:
-  docs_node_modules:
-  e2e_node_modules:
-  sdk_node_modules:
-  app_node_modules:
+  model-cache:
+  prometheus-data:
+  grafana-data:
+  pnpm-store:
+  server-node_modules:
+  web-node_modules:
+  github-node_modules:
+  cli-node_modules:
+  docs-node_modules:
+  e2e-node_modules:
+  sdk-node_modules:
+  app-node_modules:
  sveltekit:
  coverage:
--- a/docker/docker-compose.prod.yml
+++ b/docker/docker-compose.prod.yml
@@ -56,7 +56,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:930b41430fb727f533c5982fe509b6f04233e26d0f7354e04de4b0d5c706e44e
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
@@ -97,7 +97,7 @@ services:
    command: ['./run.sh', '-disable-reporting']
    ports:
      - 3000:3000
-    image: grafana/grafana:12.3.2-ubuntu@sha256:6cca4b429a1dc0d37d401dee54825c12d40056c3c6f3f56e3f0d6318ce77749b
+    image: grafana/grafana:12.3.1-ubuntu@sha256:d57f1365197aec34c4d80869d8ca45bb7787c7663904950dab214dfb40c1c2fd
    volumes:
      - grafana-data:/var/lib/grafana

--- a/docker/docker-compose.rootless.yml
+++ b/docker/docker-compose.rootless.yml
@@ -1,100 +0,0 @@
-#
-# WARNING: To install Immich, follow our guide: https://docs.immich.app/install/docker-compose
-#
-# Make sure to use the docker-compose.yml of the current release:
-#
-# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
-#
-# The compose file on main may not be compatible with the latest release.
-
-name: immich
-
-services:
-  immich-server:
-    container_name: immich_server
-    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
-    # extends:
-    #   file: hwaccel.transcoding.yml
-    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
-    user: '1000:1000'
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - NET_RAW
-    volumes:
-      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
-      - ${UPLOAD_LOCATION}:/data
-      - /etc/localtime:/etc/localtime:ro
-    env_file:
-      - .env
-    ports:
-      - '2283:2283'
-    depends_on:
-      - redis
-      - database
-    restart: always
-    healthcheck:
-      disable: false
-
-  immich-machine-learning:
-    container_name: immich_machine_learning
-    # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
-    # Example tag: ${IMMICH_VERSION:-release}-cuda
-    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
-    # extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
-    #   file: hwaccel.ml.yml
-    #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
-    user: '1000:1000'
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - NET_RAW
-    volumes:
-      - ./ml-model-cache:/cache
-      - ./ml-dotcache:/.cache
-      - ./ml-config:/.config
-    env_file:
-      - .env
-    restart: always
-    healthcheck:
-      disable: false
-
-  redis:
-    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:930b41430fb727f533c5982fe509b6f04233e26d0f7354e04de4b0d5c706e44e
-    user: '1000:1000'
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - NET_RAW
-    volumes:
-      - ./redis:/data
-    healthcheck:
-      test: redis-cli ping || exit 1
-    restart: always
-
-  database:
-    container_name: immich_postgres
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
-    user: '1000:1000'
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - NET_RAW
-    environment:
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      POSTGRES_USER: ${DB_USERNAME}
-      POSTGRES_DB: ${DB_DATABASE_NAME}
-      POSTGRES_INITDB_ARGS: '--data-checksums'
-      # Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
-      # DB_STORAGE_TYPE: 'HDD'
-    volumes:
-      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
-      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
-    shm_size: 128mb
-    restart: always
-    healthcheck:
-      disable: false
-
-volumes:
-  model-cache:
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -49,7 +49,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:930b41430fb727f533c5982fe509b6f04233e26d0f7354e04de4b0d5c706e44e
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
--- a/docs/.nvmrc
+++ b/docs/.nvmrc
@@ -1 +1 @@
-24.13.1
+24.13.0
--- a/docs/docs/FAQ.mdx
+++ b/docs/docs/FAQ.mdx
@@ -402,9 +402,6 @@ To decrease Redis logs, you can add the following line to the `redis:` section o
 ### How can I run Immich as a non-root user?

 You can change the user in the container by setting the `user` argument in `docker-compose.yml` for each service.
-
-[Example docker-compose.yml file](https://github.com/immich-app/immich/blob/main/docker/docker-compose.rootless.yml)
-
 You may need to add mount points or docker volumes for the following internal container paths:

 - `immich-machine-learning:/.config`
--- a/docs/docs/administration/backup-and-restore.md
+++ b/docs/docs/administration/backup-and-restore.md
@@ -2,8 +2,6 @@

 import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
-import { mdiAlertCircle, mdiCheckCircle } from '@mdi/js';
-import Icon from '@mdi/react';

 A [3-2-1 backup strategy](https://www.backblaze.com/blog/the-3-2-1-backup-strategy/) is recommended to protect your data. You should keep copies of your uploaded photos/videos as well as the Immich database for a comprehensive backup solution. This page provides an overview on how to backup the database and the location of user-uploaded pictures and videos. A template bash script that can be run as a cron job is provided [here](/guides/template-backup-script.md)

@@ -13,135 +11,54 @@ The instructions on this page show you how to prepare your Immich instance to be

 ## Database

-Immich stores [file paths](https://github.com/immich-app/immich/discussions/3299) and user metadata in the database. It does not scan the library folder, so database backups are essential.
-
-### Automatic Database Backups
-
-Immich automatically creates database backups for disaster-recovery purposes. These backups are stored in `UPLOAD_LOCATION/backups` and can be managed through the web interface.
-
-You can adjust the backup schedule and retention settings in **Administration > Settings > Backup** (default: keep last 14 backups, create daily at 2:00 AM).
-
 :::caution
-Database backups do **not** contain photos or videos — only metadata. They must be used together with a copy of the files in `UPLOAD_LOCATION` as outlined below.
+Immich saves [file paths in the database](https://github.com/immich-app/immich/discussions/3299), it does not scan the library folder to update the database so backups are crucial.
 :::

-#### Creating a Backup
-
-You can trigger a database backup manually:
-
-1. Go to **Administration > Job Queues**
-2. Click **Create job** in the top right
-3. Select **Create Database Backup** and click **Confirm**
-
-The backup will appear in `UPLOAD_LOCATION/backups` and counts toward your retention limit.
-
-### Restoring a Database Backup
-
-Immich provides two ways to restore a database backup: through the web interface or via the command line. The web interface is the recommended method for most users.
-
-#### Restore from Settings {#restore-from-settings}
-
-If you have an existing Immich installation:
-
-<img
-src={require('./img/restore-from-settings.webp').default}
-title="Restore from settings"
-/>
-
-1. Go to **Administration > Maintenance**
-2. Expand the **Restore database backup** section
-3. You'll see a list of available backups with their version and creation date
-4. Click **Restore** next to the backup you want to restore
-5. Confirm the restore operation
-
 :::info
-Restoring a backup will wipe the current database and replace it with the backup. A restore point is automatically created before the operation begins, allowing rollback if the restore fails.
+Refer to the official [postgres documentation](https://www.postgresql.org/docs/current/backup.html) for details about backing up and restoring a postgres database.
 :::

-#### Restore from Onboarding {#restore-from-onboarding}
-
-If you're setting up Immich on a fresh installation and want to restore from an existing backup:
-
-1. Download and populate `.env` and `docker-compose.yml` as per the [installation instructions](/install/docker-compose).
-2. Move the previous's instance data directories containing `backups`, `encoded-video`, `library`, `profile`, `thumbs` and `upload` into the new `UPLOAD_LOCATION`
-3. **(For external libraries)** If you used external library feature in your previous instance, make sure that the mount settings in your new `docker-compose.yml` reflect the same structure. You may need to move files accordingly.
-
-:::info Example
-
-Assuming your previous `UPLOAD_LOCATION` was `UPLOAD_LOCATION=/my-broken-instance/media` and your new one is `UPLOAD_LOCATION=/a-brand-new-instance/data`, you will need to perform the following file moves:
-
-```
-/my-broken-instance/media/backups          ->    /a-brand-new-instance/data/backups
-/my-broken-instance/media/encoded-video    ->    /a-brand-new-instance/data/encoded-video
-/my-broken-instance/media/library          ->    /a-brand-new-instance/data/library
-/my-broken-instance/media/profile          ->    /a-brand-new-instance/data/profile
-/my-broken-instance/media/thumbs           ->    /a-brand-new-instance/data/thumbs
-/my-broken-instance/media/upload           ->    /a-brand-new-instance/data/upload
-```
-
+:::caution
+It is not recommended to directly backup the `DB_DATA_LOCATION` folder. Doing so while the database is running can lead to a corrupted backup that cannot be restored.
 :::

-4. Start the Immich services with `docker compose up -d`
-
-<img
-src={require('./img/restore-from-onboarding.webp').default}
-title="Restore from onboarding"
-/>
-
-5. On the welcome screen, click **Restore from backup**
-6. Immich will enter maintenance mode and display integrity checks for your storage folders
-7. Review the folder status to ensure your library files are accessible
-8. Click **Next** to proceed to backup selection
-9. Select a backup from the list or upload a backup file (`.sql.gz`)
-10. Click **Restore** to begin the restoration process
-
-:::tip
-Before restoring, ensure your `UPLOAD_LOCATION` folders contain the same files that existed when the backup was created. The integrity check will show you which folders are readable/writable and how many files they contain.
-:::
-
-### Uploading a Backup File {#uploading-backup}
-
-You can upload a database backup file directly:
-
-1. In the **Restore database backup** section, click **Select from computer**
-2. Choose a `.sql.gz` file
-3. The uploaded backup will appear in the list with an `uploaded-` prefix
-4. Click **Restore** to restore from the uploaded file
-
-### Backup Version Compatibility {#backup-compatibility}
-
-When viewing backups, Immich displays compatibility indicators based on the current version and the information from the filename:
-
- <Icon path={mdiCheckCircle} size={1} color="green"/> Backup version matches current Immich version
- <Icon path={mdiAlertCircle} size={1} color="#feb001"/> Backup was created with a different Immich version
- <Icon path={mdiAlertCircle} size={1} color="red"/> Could not determine backup version
+### Automatic Database Dumps

 :::warning
-Restoring a backup from a different Immich version may require database migrations. The restore process will attempt to run migrations automatically, but you should ensure you're restoring to a compatible version when possible.
+The automatic database dumps can be used to restore the database in the event of damage to the Postgres database files.
+There is no monitoring for these dumps and you will not be notified if they are unsuccessful.
 :::

-### Restore Process {#restore-process}
+:::caution
+The database dumps do **NOT** contain any pictures or videos, only metadata. They are only usable with a copy of the other files in `UPLOAD_LOCATION` as outlined below.
+:::

-During restoration, Immich will:
+For disaster-recovery purposes, Immich will automatically create database dumps. The dumps are stored in `UPLOAD_LOCATION/backups`.
+Please be sure to make your own, independent backup of the database together with the asset folders as noted below.
+You can adjust the schedule and amount of kept database dumps in the [admin settings](http://my.immich.app/admin/system-settings?isOpen=backup).
+By default, Immich will keep the last 14 database dumps and create a new dump every day at 2:00 AM.

-1. Create a backup of the current database (restore point)
-2. Restore the selected backup
-3. Run database migrations if needed
-4. Perform a health check to verify the restore succeeded
+#### Trigger Dump

-If the restore fails (e.g., corrupted backup or missing admin user), Immich will automatically roll back to the restore point.
+You are able to trigger a database dump in the [admin job status page](http://my.immich.app/admin/queues).
+Visit the page, open the "Create job" modal from the top right, select "Create Database Dump" and click "Confirm".
+A job will run and trigger a dump, you can verify this worked correctly by checking the logs or the `backups/` folder.
+This dumps will count towards the last `X` dumps that will be kept based on your settings.

-### Restore via Command Line {#restore-cli}
+#### Restoring

-For advanced users or automated recovery scenarios, you can restore a database backup using the command line.
+We hope to make restoring simpler in future versions, for now you can find the database dumps in the `UPLOAD_LOCATION/backups` folder on your host.
+Then please follow the steps in the following section for restoring the database.
+
+### Manual Backup and Restore

 <Tabs>
  <TabItem value="Linux system" label="Linux system" default>

 ```bash title='Backup'
 # Replace <DB_USERNAME> with the database username - usually postgres unless you have changed it.
-# Replace <DB_DATABASE_NAME> with the database name - usually immich unless you have changed it.
-docker exec -t immich_postgres pg_dump --clean --if-exists --dbname=<DB_DATABASE_NAME> --username=<DB_USERNAME> | gzip > "/path/to/backup/dump.sql.gz"
+docker exec -t immich_postgres pg_dumpall --clean --if-exists --username=<DB_USERNAME> | gzip > "/path/to/backup/dump.sql.gz"
 ```

 ```bash title='Restore'
@@ -154,10 +71,9 @@ docker start immich_postgres    # Start Postgres server
 sleep 10                        # Wait for Postgres server to start up
 # Check the database user if you deviated from the default
 # Replace <DB_USERNAME> with the database username - usually postgres unless you have changed it.
-# Replace <DB_DATABASE_NAME> with the database name - usually immich unless you have changed it.
 gunzip --stdout "/path/to/backup/dump.sql.gz" \
 | sed "s/SELECT pg_catalog.set_config('search_path', '', false);/SELECT pg_catalog.set_config('search_path', 'public, pg_catalog', true);/g" \
-| docker exec -i immich_postgres psql --dbname=<DB_DATABASE_NAME> --username=<DB_USERNAME> --single-transaction --set ON_ERROR_STOP=on  # Restore Backup
+| docker exec -i immich_postgres psql --dbname=postgres --username=<DB_USERNAME>  # Restore Backup
 docker compose up -d            # Start remainder of Immich apps
 ```

@@ -166,8 +82,7 @@ docker compose up -d            # Start remainder of Immich apps

 ```powershell title='Backup'
 # Replace <DB_USERNAME> with the database username - usually postgres unless you have changed it.
-# Replace <DB_DATABASE_NAME> with the database name - usually immich unless you have changed it.
-[System.IO.File]::WriteAllLines("C:\absolute\path\to\backup\dump.sql", (docker exec -t immich_postgres pg_dump --clean --if-exists --dbname=<DB_DATABASE_NAME> --username=<DB_USERNAME>))
+[System.IO.File]::WriteAllLines("C:\absolute\path\to\backup\dump.sql", (docker exec -t immich_postgres pg_dumpall --clean --if-exists --username=<DB_USERNAME>))
 ```

 ```powershell title='Restore'
@@ -182,9 +97,8 @@ sleep 10                                          # Wait for Postgres server to
 docker exec -it immich_postgres bash              # Enter the Docker shell and run the following command
 # If your backup ends in `.gz`, replace `cat` with `gunzip --stdout`
 # Replace <DB_USERNAME> with the database username - usually postgres unless you have changed it.
-# Replace <DB_DATABASE_NAME> with the database name - usually immich unless you have changed it.

-cat "/dump.sql" | sed "s/SELECT pg_catalog.set_config('search_path', '', false);/SELECT pg_catalog.set_config('search_path', 'public, pg_catalog', true);/g" | psql --dbname=<DB_DATABASE_NAME> --username=<DB_USERNAME>  --single-transaction --set ON_ERROR_STOP=on
+cat "/dump.sql" | sed "s/SELECT pg_catalog.set_config('search_path', '', false);/SELECT pg_catalog.set_config('search_path', 'public, pg_catalog', true);/g" | psql --dbname=postgres --username=<DB_USERNAME>
 exit                                              # Exit the Docker shell
 docker compose up -d                              # Start remainder of Immich apps
 ```
@@ -192,20 +106,10 @@ docker compose up -d                              # Start remainder of Immich ap
  </TabItem>
 </Tabs>

-:::warning
-The backup and restore process changed in v2.5.0, if you have a backup created with an older version of Immich, use the documentation version selector to find manual restore instructions for your backup.
-:::
-
-:::note
-For the database restore to proceed properly, it requires a completely fresh install (i.e., the Immich server has never run since creating the Docker containers). If the Immich app has run, you may encounter Postgres conflicts (relation already exists, violated foreign key constraints, etc.). In this case, delete the `DB_DATA_LOCATION` folder to reset the database.
-:::
+Note that for the database restore to proceed properly, it requires a completely fresh install (i.e. the Immich server has never run since creating the Docker containers). If the Immich app has run, Postgres conflicts may be encountered upon database restoration (relation already exists, violated foreign key constraints, multiple primary keys, etc.), in which case you need to delete the `DB_DATA_LOCATION` folder to reset the database.

 :::tip
-Some deployment methods make it difficult to start the database without also starting the server. In these cases, set the environment variable `DB_SKIP_MIGRATIONS=true` before starting the services. This prevents the server from running migrations that interfere with the restore process. Remove this variable and restart services after the database is restored.
-:::
-
-:::tip
-The provided restore process ensures your database is never in a broken state by committing all changes in one transaction. This may be undesirable behaviour in some circumstances, you can disable it by removing `--single-transaction --set ON_ERROR_STOP=on` from the command.
+Some deployment methods make it difficult to start the database without also starting the server. In these cases, you may set the environment variable `DB_SKIP_MIGRATIONS=true` before starting the services. This will prevent the server from running migrations that interfere with the restore process. Be sure to remove this variable and restart the services after the database is restored.
 :::

 ## Filesystem
@@ -253,14 +157,17 @@ for more info read the [release notes](https://github.com/immich-app/immich/rele
 - **Encoded Assets:**
  - Videos that have been re-encoded from the original for wider compatibility. The original is not removed.
  - Stored in `UPLOAD_LOCATION/encoded-video/<userID>`.
- **Database Dump Backups:**
-  - Automatic database backups created by Immich for disaster recovery.
-  - Stored in `UPLOAD_LOCATION/backups/`.
+
 - **Postgres**
  - The Immich database containing all the information to allow the system to function properly.  
    **Note:** This folder will only appear to users who have made the changes mentioned in [v1.102.0](https://github.com/immich-app/immich/discussions/8930) (an optional, non-mandatory change) or who started with this version.
  - Stored in `DB_DATA_LOCATION`.

+  :::danger
+  A backup of this folder does not constitute a backup of your database!
+  Follow the instructions listed [here](/administration/backup-and-restore#database) to learn how to perform a proper backup.
+  :::
+
 </TabItem>
  <TabItem value="Storage Template On" label="Storage Template On">

@@ -296,14 +203,16 @@ When you turn off the storage template engine, it will leave the assets in `UPLO
  - Files uploaded through mobile apps.
  - Temporarily located in `UPLOAD_LOCATION/upload/<userID>`.
  - Transferred to `UPLOAD_LOCATION/library/<userID>` upon successful upload.
- **Database Dump Backups:**
-  - Automatic database backups created by Immich for disaster recovery.
-  - Stored in `UPLOAD_LOCATION/backups/`.
 - **Postgres**
  - The Immich database containing all the information to allow the system to function properly.  
    **Note:** This folder will only appear to users who have made the changes mentioned in [v1.102.0](https://github.com/immich-app/immich/discussions/8930) (an optional, non-mandatory change) or who started with this version.
  - Stored in `DB_DATA_LOCATION`.

+  :::danger
+  A backup of this folder does not constitute a backup of your database!
+  Follow the instructions listed [here](/administration/backup-and-restore#database) to learn how to perform a proper backup.
+  :::
+
 </TabItem>

 </Tabs>
--- a/docs/docs/administration/img/admin-jobs.webp
+++ b/docs/docs/administration/img/admin-jobs.webp
--- a/docs/docs/administration/img/admin-nightly-tasks.webp
+++ b/docs/docs/administration/img/admin-nightly-tasks.webp
--- a/docs/docs/administration/img/customize-delete-user.webp
+++ b/docs/docs/administration/img/customize-delete-user.webp
--- a/docs/docs/administration/img/immediately-remove-user.webp
+++ b/docs/docs/administration/img/immediately-remove-user.webp
--- a/docs/docs/administration/img/restore-from-onboarding.webp
+++ b/docs/docs/administration/img/restore-from-onboarding.webp
--- a/docs/docs/administration/img/restore-from-settings.webp
+++ b/docs/docs/administration/img/restore-from-settings.webp
--- a/docs/docs/administration/img/server-stats.webp
+++ b/docs/docs/administration/img/server-stats.webp
--- a/docs/docs/administration/img/user-edit-menu.webp
+++ b/docs/docs/administration/img/user-edit-menu.webp
--- a/docs/docs/administration/img/user-notifications-settings.webp
+++ b/docs/docs/administration/img/user-notifications-settings.webp
--- a/docs/docs/administration/img/user-notifications-templates.webp
+++ b/docs/docs/administration/img/user-notifications-templates.webp
--- a/docs/docs/administration/img/user-quota-size.webp
+++ b/docs/docs/administration/img/user-quota-size.webp
--- a/docs/docs/administration/img/user-storage-label.webp
+++ b/docs/docs/administration/img/user-storage-label.webp
--- a/docs/docs/administration/jobs-workers.md
+++ b/docs/docs/administration/jobs-workers.md
@@ -50,7 +50,7 @@ When a new asset is uploaded it kicks off a series of jobs, which include metada

 Additionally, some jobs (such as memories generation) run on a schedule, which is every night at midnight by default. To change when they run or enable/disable a job navigate to System Settings -> [Nightly Tasks Settings](https://my.immich.app/admin/system-settings?isOpen=nightly-tasks).

-<img src={require('./img/admin-nightly-tasks.webp').default} width="80%" title="Admin nightly tasks" />
+<img src={require('./img/admin-nightly-tasks.webp').default} width="60%" title="Admin nightly tasks" />

 :::note
 Some jobs ([External Libraries](/features/libraries) scanning, Database Dump) are configured in their own sections in System Settings.
--- a/docs/docs/administration/maintenance-mode.md
+++ b/docs/docs/administration/maintenance-mode.md
@@ -4,7 +4,7 @@ Maintenance mode is used to perform administrative tasks such as restoring backu

 You can enter maintenance mode by either:

- Selecting "Switch to maintenance mode" in `Maintenance` tab in administration.
+- Selecting "enable maintenance mode" in system settings in administration.
 - Running the enable maintenance mode [administration command](./server-commands.md).

 ## Logging in during maintenance
--- a/docs/docs/administration/oauth.md
+++ b/docs/docs/administration/oauth.md
@@ -56,13 +56,11 @@ Once you have a new OAuth client application configured, Immich can be configure
 | Setting                                              | Type    | Default              | Description                                                                         |
 | ---------------------------------------------------- | ------- | -------------------- | ----------------------------------------------------------------------------------- |
 | Enabled                                              | boolean | false                | Enable/disable OAuth                                                                |
-| `issuer_url`                                         | URL     | (required)           | Required. Self-discovery URL for client (from previous step)                        |
-| `client_id`                                          | string  | (required)           | Required. Client ID (from previous step)                                            |
-| `client_secret`                                      | string  | (required)           | Required. Client Secret (previous step)                                             |
-| `scope`                                              | string  | openid email profile | Full list of scopes to send with the request (space delimited)                      |
-| `id_token_signed_response_alg`                       | string  | RS256                | The algorithm used to sign the id token (examples: RS256, HS256)                    |
-| `userinfo_signed_response_alg`                       | string  | none                 | The algorithm used to sign the userinfo response (examples: RS256, HS256)           |
-| Request timeout                                      | string  | 30,000 (30 seconds)  | Number of milliseconds to wait for http requests to complete before giving up       |
+| Issuer URL                                           | URL     | (required)           | Required. Self-discovery URL for client (from previous step)                        |
+| Client ID                                            | string  | (required)           | Required. Client ID (from previous step)                                            |
+| Client Secret                                        | string  | (required)           | Required. Client Secret (previous step)                                             |
+| Scope                                                | string  | openid email profile | Full list of scopes to send with the request (space delimited)                      |
+| Signing Algorithm                                    | string  | RS256                | The algorithm used to sign the id token (examples: RS256, HS256)                    |
 | Storage Label Claim                                  | string  | preferred_username   | Claim mapping for the user's storage label**¹**                                     |
 | Role Claim                                           | string  | immich_role          | Claim mapping for the user's role. (should return "user" or "admin")**¹**           |
 | Storage Quota Claim                                  | string  | immich_quota         | Claim mapping for the user's storage**¹**                                           |
--- a/docs/docs/administration/postgres-standalone.md
+++ b/docs/docs/administration/postgres-standalone.md
@@ -88,7 +88,7 @@ The easiest option is to have both extensions installed during the migration:
 <details>
 <summary>Migration steps (automatic)</summary>
 1. Ensure you still have pgvecto.rs installed
-2. Install `pgvector` (`>= 0.7, < 0.9`). The easiest way to do this is on Debian/Ubuntu by adding the [PostgreSQL Apt repository][pg-apt] and then running `apt install postgresql-NN-pgvector`, where `NN` is your Postgres version (e.g., `16`)
+2. Install `pgvector` (`>= 0.7.0, < 1.0.0`). The easiest way to do this is on Debian/Ubuntu by adding the [PostgreSQL Apt repository][pg-apt] and then running `apt install postgresql-NN-pgvector`, where `NN` is your Postgres version (e.g., `16`)
 3. [Install VectorChord][vchord-install]
 4. Add `shared_preload_libraries= 'vchord.so, vectors.so'` to your `postgresql.conf`, making sure to include _both_ `vchord.so` and `vectors.so`. You may include other libraries here as well if needed
 5. Restart the Postgres database
--- a/docs/docs/administration/reverse-proxy.md
+++ b/docs/docs/administration/reverse-proxy.md
@@ -98,6 +98,7 @@ entryPoints:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
+        writeTimeout: 600s
 ```

 The second part is in the `docker-compose.yml` file where immich is in. Add the Traefik specific labels like in the example.
--- a/docs/docs/administration/user-management.mdx
+++ b/docs/docs/administration/user-management.mdx
@@ -31,7 +31,7 @@ Admin can send a welcome email if the Email option is set, you can learn here ho

 Admin can specify the storage quota for the user as the instance's admin; once the limit is reached, the user won't be able to upload to the instance anymore.

-In order to select a storage quota, click on the edit user icon and enter the storage quota in GiB. You can choose an unlimited quota by leaving it empty (default).
+In order to select a storage quota, click on the pencil icon and enter the storage quota in GiB. You can choose an unlimited quota by leaving it empty (default).

 :::tip
 The system administrator can see the usage quota percentage of all users in Server Stats page.
@@ -41,12 +41,12 @@ The system administrator can see the usage quota percentage of all users in Serv
 External libraries don't take up space from the storage quota.
 :::

-<img src={require('./img/user-quota-size.webp').default} width="80%" title="Set Quota Size" />
+<img src={require('./img/user-quota-size.webp').default} width="40%" title="Set Quota Size" />

 ## Set Storage Label For User

 The admin can add a custom label for each user, so instead of `upload/{userId}/your-template` it will be `upload/{custom_user_label}/your-template`.  
-To apply a storage template, go to the `Administration > Users`, then click on the context menu button next to the user.
+To apply a storage template, go to the Administration page -> click on the pencil button next to the user.
 :::note
 To apply the Storage Label to previously uploaded assets, run the Storage Migration Job.
 :::
@@ -55,21 +55,25 @@ To apply the Storage Label to previously uploaded assets, run the Storage Migrat

 ## Password Reset

-<img src={require('./img/user-edit-menu.webp').default} width="80%" title="Customize Delete User" />
+To reset a user's password, click the pencil icon to edit a user, then click "Reset Password". The user's password will be reset to random password and they have to change it next time the sign in.

-To reset a user's password, go to `Administration > Users`, then click on the context menu button next to the user, then click "Reset Password". The user's password will be reset to a random password and they have to change it next time they sign in.
+<img src={require('./img/user-management-update.webp').default} width="40%" title="Reset Password" />

 ## Delete a User

-If you need to remove a user from Immich, go to `Administration > Users`, then click on the context menu button next to the user. The user account will immediately become disabled and their library and all associated data will be removed after 7 days by default.
+If you need to remove a user from Immich, head to "Administration", where users can be scheduled for deletion. The user account will immediately become disabled and their library and all associated data will be removed after 7 days by default.
+
+<img src={require('./img/delete-user.webp').default} width="40%" title="Delete User" />

 ### Delete Delay

-You can customize the time of the deletion of the users from `Administration -> Settings -> User Settings`.
+You can customize the time of the deletion of the users from the Administration -> Settings -> User Settings.
 :::info user deletion job
 The user deletion job runs at midnight to check for users that are ready for deletion. Changes to this setting will be evaluated at the next execution.
 :::

+<img src={require('./img/customize-delete-user.webp').default} width="80%" title="Customize Delete User" />
+
 ### Immediately Remove User

 You can choose to delete a user immediately by checking the box
--- a/docs/docs/developer/devcontainers.md
+++ b/docs/docs/developer/devcontainers.md
@@ -44,7 +44,7 @@ While this guide focuses on VS Code, you have many options for Dev Container dev
 **Self-Hostable Options:**

 - [Coder](https://coder.com) - Enterprise-focused, requires Terraform knowledge, self-managed
- [DevPod](https://devpod.sh) - Client-only tool with excellent devcontainer.json support, works with any provider (local, cloud, or on-premise). Check [quick-start guide](#quick-start-guide-for-devpod-with-docker)
+- [DevPod](https://devpod.sh) - Client-only tool with excellent devcontainer.json support, works with any provider (local, cloud, or on-premise)
  :::

 ## Dev Container Services
@@ -408,27 +408,7 @@ If you encounter issues:
 1. Check container logs: View → Output → Select "Dev Containers"
 2. Rebuild without cache: "Dev Containers: Rebuild Container Without Cache"
 3. Review [common Docker issues](https://docs.docker.com/desktop/troubleshoot/)
-4. Ask in [Discord](https://discord.immich.app) `#contributing` channel
-
-### Quick-start guide for DevPod with docker
-
-You will need DevPod CLI (check [DevPod CLI installation guide](https://devpod.sh/docs/getting-started/install)) and Docker Desktop.
-
-```sh
-# Step 1: Clone the Repository
-git clone https://github.com/immich-app/immich.git
-cd immich
-
-# Step 2: Prepare DevPod (if you haven't already)
-devpod provider add docker
-devpod provider use docker
-
-# Step 3: Build 'immich-server-dev' docker image first manually
-docker build -f server/Dockerfile.dev -t immich-server-dev .
-
-# Step 4: Now you can start devcontainer
-devpod up .
-```
+4. Ask in [Discord](https://discord.immich.app) `#help-desk-support` channel

 ## Mobile Development

--- a/docs/docs/developer/setup.md
+++ b/docs/docs/developer/setup.md
@@ -37,8 +37,7 @@ All the services are packaged to run as with single Docker Compose command.
 1. Clone the project repo.
 2. Run `cp docker/example.env docker/.env`.
 3. Edit `docker/.env` to provide values for the required variable `UPLOAD_LOCATION`.
-4. Install dependencies - `pnpm i`
-5. From the root directory, run:
+4. From the root directory, run:

 ```bash title="Start development server"
 make dev # required Makefile installed on the system.
@@ -90,13 +89,10 @@ To see local changes to `@immich/ui` in Immich, do the following:

 #### Setup

-1. [Install mise](https://mise.jdx.dev/installing-mise.html).
-2. Change to the immich (root) directory and trust the mise config with `mise trust`.
-3. Install tools with mise: `mise install`.
-4. Change to the `mobile/` directory.
-5. Run `flutter pub get` to install the dependencies.
-6. Run `make translation` to generate the translation file.
-7. Run `flutter run` to start the app.
+1. Setup Flutter toolchain using FVM.
+2. Run `flutter pub get` to install the dependencies.
+3. Run `make translation` to generate the translation file.
+4. Run `fvm flutter run` to start the app.

 #### Translation

--- a/docs/docs/features/automatic-backup.md
+++ b/docs/docs/features/automatic-backup.md
@@ -0,0 +1,42 @@
+# Automatic Backup
+
+Immich supports uploading photos and videos from your mobile device to the server automatically.
+
+---
+
+You can enable the settings by accessing the upload options from the upload page
+
+<img src={require('./img/backup-settings-access.webp').default} width="50%" title="Backup option selection" />
+
+<img src={require('./img/background-foreground-backup.webp').default} width="50%" title="Foreground&Background Backup" />
+
+## Foreground backup
+
+If foreground backup is enabled: whenever the app is opened or resumed, it will check if any photos or videos in the selected album(s) have yet to be uploaded to the cloud (the remainder count). If there are any, they will be uploaded.
+
+## Background backup
+
+This feature is intended for everyday use. For initial bulk uploading, please use the foreground upload feature. For more information on why background upload is not working as expected, please refer to the [FAQ](/FAQ#why-does-foreground-backup-stop-when-i-navigate-away-from-the-app-shouldnt-it-transfer-the-job-to-background-backup).
+
+If background backup is enabled. The app will periodically check if there are any new photos or videos in the selected album(s) to be uploaded to the server. If there are, it will upload them to the cloud in the background.
+
+:::info Note
+
+#### General
+
+- The app must be in the background for the backup worker to start running.
+- If you reopen the app and the first page you see is the backup page, the counts will not reflect the background uploaded result. You have to navigate out of the page and come back to see the updated counts.
+
+#### Android
+
+- It is a well-known problem that some Android models are very strict with battery optimization settings, which can cause a problem with the background worker. Please visit [Don't kill my app](https://dontkillmyapp.com/) for a guide on disabling this setting on your phone.
+
+#### iOS
+
+- You must enable **Background App Refresh** for the app to work in the background. You can enable it in the Settings app under General > Background App Refresh.
+
+<div style={{textAlign: 'center'}}>
+<img src={require('./img/background-app-refresh.webp').default} width="30%" title="background-app-refresh" />
+</div>
+
+:::
--- a/docs/docs/features/command-line-interface.md
+++ b/docs/docs/features/command-line-interface.md
@@ -183,13 +183,11 @@ For example to get a list of files that would be uploaded for further
 processing:

 ```bash
-immich upload --dry-run --json-output . | tail -n +6 | jq .newFiles[]
+immich upload --dry-run . | tail -n +6 | jq .newFiles[]
 ```

 ### Obtain the API Key

-The API key can be obtained in the user setting panel on the web interface. You can also specify permissions for the key to limit its access.
+The API key can be obtained in the user setting panel on the web interface.

 ![Obtain Api Key](./img/obtain-api-key.webp)
-
-![Specify permissions for the key](./img/obtain-api-key-2.webp)
--- a/docs/docs/features/editing.mdx
+++ b/docs/docs/features/editing.mdx
@@ -1,19 +0,0 @@
-# Editing
-
-Immich supports non-destructive editing of photos. This means that any edits you make to an asset do not modify the original file, but instead create a new version of the asset with the edits applied. You can always revert back to the original asset if needed.
-
-## Supported Edits
-
-Currently, Immich supports the following types of edits:
-
- Cropping
- Rotation
- Mirroring
-
-<img src={require('./img/web-edit-interface.webp').default} title="Web edit interface" />
-
-## Download
-
-When you download an edited asset, Immich provides the edited version of the asset by default. However, you can choose to download the original version if needed.
-
-<img src={require('./img/web-edit-download.webp').default} title="Web edit download" />
--- a/docs/docs/features/facial-recognition.md
+++ b/docs/docs/features/facial-recognition.md
@@ -21,14 +21,14 @@ The asset detail view will also show the faces that are recognized in the asset.
 Additional actions you can do include:

 - Changing the feature photo of the person
+- Setting a person's date of birth
+- Merging two or more detected faces into one person
 - Hiding the faces of a person from the Explore page and detail view
- Setting a person's date of birth, so that the age of the person can be shown at the time the photo was taken
- Merging two or more detected people into one person
- Favoriting a person to pin them to the top of the list
+- Assigning an unrecognized face to a person

 It can be found from the app bar when you access the detail view of a person.

-<img src={require('./img/facial-recognition-4.webp').default} title='Facial Recognition 4' />
+<img src={require('./img/facial-recognition-4.webp').default} title='Facial Recognition 4' width="70%"/>

 ## How Face Detection Works

--- a/docs/docs/features/img/advanced-search-filters.webp
+++ b/docs/docs/features/img/advanced-search-filters.webp
--- a/docs/docs/features/img/android-backup-options.webp
+++ b/docs/docs/features/img/android-backup-options.webp
--- a/docs/docs/features/img/background-foreground-backup.webp
+++ b/docs/docs/features/img/background-foreground-backup.webp
--- a/docs/docs/features/img/backup-album-selection.webp
+++ b/docs/docs/features/img/backup-album-selection.webp
--- a/docs/docs/features/img/backup-album-sync.webp
+++ b/docs/docs/features/img/backup-album-sync.webp
--- a/docs/docs/features/img/backup-options.webp
+++ b/docs/docs/features/img/backup-options.webp
--- a/docs/docs/features/img/enable-backup-button.webp
+++ b/docs/docs/features/img/enable-backup-button.webp
--- a/docs/docs/features/img/facial-recognition-1.webp
+++ b/docs/docs/features/img/facial-recognition-1.webp
--- a/docs/docs/features/img/facial-recognition-2.webp
+++ b/docs/docs/features/img/facial-recognition-2.webp
--- a/docs/docs/features/img/facial-recognition-3.webp
+++ b/docs/docs/features/img/facial-recognition-3.webp
--- a/docs/docs/features/img/facial-recognition-4.webp
+++ b/docs/docs/features/img/facial-recognition-4.webp
--- a/docs/docs/features/img/folder-view-enable.webp
+++ b/docs/docs/features/img/folder-view-enable.webp
--- a/docs/docs/features/img/free-up-space.webp
+++ b/docs/docs/features/img/free-up-space.webp
--- a/docs/docs/features/img/gcast-enable.webp
+++ b/docs/docs/features/img/gcast-enable.webp
--- a/docs/docs/features/img/library-custom-scan-interval.webp
+++ b/docs/docs/features/img/library-custom-scan-interval.webp
--- a/docs/docs/features/img/mobile-smart-search.webp
+++ b/docs/docs/features/img/mobile-smart-search.webp
--- a/docs/docs/features/img/mobile-upload-selected-photos.webp
+++ b/docs/docs/features/img/mobile-upload-selected-photos.webp
--- a/docs/docs/features/img/my-wife.webp
+++ b/docs/docs/features/img/my-wife.webp
--- a/docs/docs/features/img/obtain-api-key-2.webp
+++ b/docs/docs/features/img/obtain-api-key-2.webp
--- a/docs/docs/features/img/obtain-api-key.webp
+++ b/docs/docs/features/img/obtain-api-key.webp
--- a/docs/docs/features/img/partner-sharing-1.webp
+++ b/docs/docs/features/img/partner-sharing-1.webp
--- a/docs/docs/features/img/partner-sharing-2.webp
+++ b/docs/docs/features/img/partner-sharing-2.webp
--- a/docs/docs/features/img/partner-sharing-3.webp
+++ b/docs/docs/features/img/partner-sharing-3.webp
--- a/docs/docs/features/img/partner-sharing-4.webp
+++ b/docs/docs/features/img/partner-sharing-4.webp
--- a/docs/docs/features/img/partner-sharing-5.webp
+++ b/docs/docs/features/img/partner-sharing-5.webp
--- a/docs/docs/features/img/partner-sharing-7.webp
+++ b/docs/docs/features/img/partner-sharing-7.webp
--- a/docs/docs/features/img/public-shared-link-album.webp
+++ b/docs/docs/features/img/public-shared-link-album.webp
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .13.1
 .13.0