fix(be): replace HTTPException with OnyxError in DB layer

Migrate 10 DB layer files from HTTPException to OnyxError for
consistent structured error responses. Also fixes several incorrect
status codes:

- input_prompt: 401 → 403 for authorization errors, 422 → 404 for
  not-found
- connector_credential_pair: 401 → 404 for credential not found
- feedback: 400 → 403 for authorization errors
- chat: 400 → 404 for session not found
- user_group: 400 → 403 for permission errors

Files: onyx/db/{input_prompt,users,connector_credential_pair,feedback,
persona,chat,projects}.py, onyx/db/engine/{sql_engine,async_sql_engine}.py,
ee/onyx/db/user_group.py

.cursor/skills/onyx-cli/SKILL.md

@@ -1,161 +0,0 @@
----
-name: onyx-cli
-description: Query the Onyx knowledge base using the onyx-cli command. Use when the user wants to search company documents, ask questions about internal knowledge, query connected data sources, or look up information stored in Onyx.
----
-
-# Onyx CLI — Agent Tool
-
-Onyx is an enterprise search and Gen-AI platform that connects to company documents, apps, and people. The `onyx-cli` CLI provides non-interactive commands to query the Onyx knowledge base and list available agents.
-
-## Prerequisites
-
-### 1. Check if installed
-
-```bash
-which onyx-cli
-```
-
-### 2. Install (if needed)
-
-**Primary — pip:**
-
-```bash
-pip install onyx-cli
-```
-
-**From source (Go):**
-
-```bash
-cd cli && go build -o onyx-cli . && sudo mv onyx-cli /usr/local/bin/
-```
-
-### 3. Check if configured
-
-```bash
-onyx-cli validate-config
-```
-
-This checks the config file exists, API key is present, and tests the server connection via `/api/me`. Exit code 0 on success, non-zero with a descriptive error on failure.
-
-If unconfigured, you have two options:
-
-**Option A — Interactive setup (requires user input):**
-
-```bash
-onyx-cli configure
-```
-
-This prompts for the Onyx server URL and API key, tests the connection, and saves config.
-
-**Option B — Environment variables (non-interactive, preferred for agents):**
-
-```bash
-export ONYX_SERVER_URL="https://your-onyx-server.com"  # default: https://cloud.onyx.app
-export ONYX_API_KEY="your-api-key"
-```
-
-Environment variables override the config file. If these are set, no config file is needed.
-
-| Variable | Required | Description |
-|----------|----------|-------------|
-| `ONYX_SERVER_URL` | No | Onyx server base URL (default: `https://cloud.onyx.app`) |
-| `ONYX_API_KEY` | Yes | API key for authentication |
-| `ONYX_PERSONA_ID` | No | Default agent/persona ID |
-
-If neither the config file nor environment variables are set, tell the user that `onyx-cli` needs to be configured and ask them to either:
-- Run `onyx-cli configure` interactively, or
-- Set `ONYX_SERVER_URL` and `ONYX_API_KEY` environment variables
-
-## Commands
-
-### Validate configuration
-
-```bash
-onyx-cli validate-config
-```
-
-Checks config file exists, API key is present, and tests the server connection. Use this before `ask` or `agents` to confirm the CLI is properly set up.
-
-### List available agents
-
-```bash
-onyx-cli agents
-```
-
-Prints a table of agent IDs, names, and descriptions. Use `--json` for structured output:
-
-```bash
-onyx-cli agents --json
-```
-
-Use agent IDs with `ask --agent-id` to query a specific agent.
-
-### Basic query (plain text output)
-
-```bash
-onyx-cli ask "What is our company's PTO policy?"
-```
-
-Streams the answer as plain text to stdout. Exit code 0 on success, non-zero on error.
-
-### JSON output (structured events)
-
-```bash
-onyx-cli ask --json "What authentication methods do we support?"
-```
-
-Outputs JSON-encoded parsed stream events (one object per line). Key event objects include message deltas, stop, errors, search-start, and citation payloads.
-
-| Event Type | Description |
-|------------|-------------|
-| `message_delta` | Content token — concatenate all `content` fields for the full answer |
-| `stop` | Stream complete |
-| `error` | Error with `error` message field |
-| `search_tool_start` | Onyx started searching documents |
-| `citation_info` | Source citation with `citation_number` and `document_id` |
-
-### Specify an agent
-
-```bash
-onyx-cli ask --agent-id 5 "Summarize our Q4 roadmap"
-```
-
-Uses a specific Onyx agent/persona instead of the default.
-
-### All flags
-
-| Flag | Type | Description |
-|------|------|-------------|
-| `--agent-id` | int | Agent ID to use (overrides default) |
-| `--json` | bool | Output raw NDJSON events instead of plain text |
-
-## When to Use
-
-Use `onyx-cli ask` when:
-
-- The user asks about company-specific information (policies, docs, processes)
-- You need to search internal knowledge bases or connected data sources
-- The user references Onyx, asks you to "search Onyx", or wants to query their documents
-- You need context from company wikis, Confluence, Google Drive, Slack, or other connected sources
-
-Do NOT use when:
-
-- The question is about general programming knowledge (use your own knowledge)
-- The user is asking about code in the current repository (use grep/read tools)
-- The user hasn't mentioned Onyx and the question doesn't require internal company data
-
-## Examples
-
-```bash
-# Simple question
-onyx-cli ask "What are the steps to deploy to production?"
-
-# Get structured output for parsing
-onyx-cli ask --json "List all active API integrations"
-
-# Use a specialized agent
-onyx-cli ask --agent-id 3 "What were the action items from last week's standup?"
-
-# Pipe the answer into another command
-onyx-cli ask "What is the database schema for users?" | head -20
-```

.github/workflows/deployment.yml

@@ -182,52 +182,8 @@ jobs:
           title: "🚨 Version Tag Check Failed"
           ref-name: ${{ github.ref_name }}
 
-  # Create GitHub release first, before desktop builds start.
-  # This ensures all desktop matrix jobs upload to the same release instead of
-  # racing to create duplicate releases.
-  create-release:
-    needs: determine-builds
-    if: needs.determine-builds.outputs.build-desktop == 'true'
-    runs-on: ubuntu-slim
-    timeout-minutes: 10
-    permissions:
-      contents: write
-    outputs:
-      release-id: ${{ steps.create-release.outputs.id }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-        with:
-          persist-credentials: false
-
-      - name: Determine release tag
-        id: release-tag
-        env:
-          IS_TEST_RUN: ${{ needs.determine-builds.outputs.is-test-run }}
-          SHORT_SHA: ${{ needs.determine-builds.outputs.short-sha }}
-        run: |
-          if [ "${IS_TEST_RUN}" == "true" ]; then
-            echo "tag=v0.0.0-dev+${SHORT_SHA}" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Create GitHub Release
-        id: create-release
-        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # ratchet:softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ steps.release-tag.outputs.tag }}
-          name: ${{ steps.release-tag.outputs.tag }}
-          body: "See the assets to download this version and install."
-          draft: true
-          prerelease: false
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
   build-desktop:
-    needs:
-      - determine-builds
-      - create-release
+    needs: determine-builds
     if: needs.determine-builds.outputs.build-desktop == 'true'
     permissions:
       id-token: write
@@ -252,12 +208,12 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6.0.2
         with:
-          # NOTE: persist-credentials is needed for tauri-action to upload assets to GitHub releases.
+          # NOTE: persist-credentials is needed for tauri-action to create GitHub releases.
           persist-credentials: true # zizmor: ignore[artipacked]
 
       - name: Configure AWS credentials
         if: startsWith(matrix.platform, 'macos-')
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -397,9 +353,11 @@ jobs:
           APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
           APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
         with:
-          # Use the release created by the create-release job to avoid race conditions
-          # when multiple matrix jobs try to create/update the same release simultaneously
-          releaseId: ${{ needs.create-release.outputs.release-id }}
+          tagName: ${{ needs.determine-builds.outputs.is-test-run != 'true' && 'v__VERSION__' || format('v0.0.0-dev+{0}', needs.determine-builds.outputs.short-sha) }}
+          releaseName: ${{ needs.determine-builds.outputs.is-test-run != 'true' && 'v__VERSION__' || format('v0.0.0-dev+{0}', needs.determine-builds.outputs.short-sha) }}
+          releaseBody: "See the assets to download this version and install."
+          releaseDraft: true
+          prerelease: false
           assetNamePattern: "[name]_[arch][ext]"
           args: ${{ matrix.args }}
 
@@ -426,7 +384,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -500,7 +458,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -569,7 +527,7 @@ jobs:
       - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -639,7 +597,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -721,7 +679,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -798,7 +756,7 @@ jobs:
       - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -865,7 +823,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -938,7 +896,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1006,7 +964,7 @@ jobs:
       - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1076,7 +1034,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1149,7 +1107,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1218,7 +1176,7 @@ jobs:
       - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1288,7 +1246,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1368,7 +1326,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1442,7 +1400,7 @@ jobs:
       - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1507,7 +1465,7 @@ jobs:
       - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1562,7 +1520,7 @@ jobs:
       - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1622,7 +1580,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -1679,7 +1637,7 @@ jobs:
       - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2

.github/workflows/nightly-llm-provider-chat.yml

@@ -15,8 +15,7 @@ permissions:
 jobs:
   provider-chat-test:
     uses: ./.github/workflows/reusable-nightly-llm-provider-chat.yml
-    secrets:
-      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+    secrets: inherit
     permissions:
       contents: read
       id-token: write

.github/workflows/post-merge-beta-cherry-pick.yml

@@ -6,13 +6,11 @@ on:
       - main
 
 permissions:
-  contents: read
+  contents: write
+  pull-requests: write
 
 jobs:
   cherry-pick-to-latest-release:
-    permissions:
-      contents: write
-      pull-requests: write
     outputs:
       should_cherrypick: ${{ steps.gate.outputs.should_cherrypick }}
       pr_number: ${{ steps.gate.outputs.pr_number }}

.github/workflows/pr-golang-tests.yml

@@ -1,56 +0,0 @@
-name: Golang Tests
-concurrency:
-  group: Golang-Tests-${{ github.workflow }}-${{ github.head_ref || github.event.workflow_run.head_branch || github.run_id }}
-  cancel-in-progress: true
-
-on:
-  merge_group:
-  pull_request:
-    branches:
-      - main
-      - "release/**"
-  push:
-    tags:
-      - "v*.*.*"
-
-permissions: {}
-
-env:
-  GO_VERSION: "1.26"
-
-jobs:
-  detect-modules:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    outputs:
-      modules: ${{ steps.set-modules.outputs.modules }}
-    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
-        with:
-          persist-credentials: false
-      - id: set-modules
-        run: echo "modules=$(find . -name 'go.mod' -exec dirname {} \; | jq -Rc '[.,inputs]')" >> "$GITHUB_OUTPUT"
-
-  golang:
-    needs: detect-modules
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    strategy:
-      matrix:
-        modules: ${{ fromJSON(needs.detect-modules.outputs.modules) }}
-    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6
-        with:
-          persist-credentials: false
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # zizmor: ignore[cache-poisoning]
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: "**/go.sum"
-
-      - run: go mod tidy
-        working-directory: ${{ matrix.modules }}
-      - run: git diff --exit-code go.mod go.sum
-        working-directory: ${{ matrix.modules }}
-
-      - run: go test ./...
-        working-directory: ${{ matrix.modules }}

.github/workflows/pr-helm-chart-testing.yml

@@ -71,7 +71,7 @@ jobs:
 
       - name: Create kind cluster
         if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # ratchet:helm/kind-action@v1.14.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # ratchet:helm/kind-action@v1.13.0
 
       - name: Pre-install cluster status check
         if: steps.list-changed.outputs.changed == 'true'

.github/workflows/pr-jest-tests.yml

@@ -31,7 +31,7 @@ jobs:
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # ratchet:actions/setup-node@v4
         with:
           node-version: 22
-          cache: "npm" # zizmor: ignore[cache-poisoning] test-only workflow; no deploy artifacts
+          cache: "npm"
           cache-dependency-path: ./web/package-lock.json
 
       - name: Install node dependencies

.github/workflows/pr-playwright-tests.yml

@@ -461,7 +461,7 @@ jobs:
       # --- Visual Regression Diff ---
       - name: Configure AWS credentials
         if: always()
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2

.github/workflows/pr-quality-checks.yml

@@ -38,9 +38,9 @@ jobs:
       - name: Install node dependencies
         working-directory: ./web
         run: npm ci
-      - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # ratchet:j178/prek-action@v1
+      - uses: j178/prek-action@9d6a3097e0c1865ecce00cfb89fe80f2ee91b547 # ratchet:j178/prek-action@v1
         with:
-          prek-version: '0.3.4'
+          prek-version: '0.2.21'
           extra-args: ${{ github.event_name == 'pull_request' && format('--from-ref {0} --to-ref {1}', github.event.pull_request.base.sha, github.event.pull_request.head.sha) || github.event_name == 'merge_group' && format('--from-ref {0} --to-ref {1}', github.event.merge_group.base_sha, github.event.merge_group.head_sha) || github.ref_name == 'main' && '--all-files' || '' }}
       - name: Check Actions
         uses: giner/check-actions@28d366c7cbbe235f9624a88aa31a628167eee28c # ratchet:giner/check-actions@v1.0.1

.github/workflows/reusable-nightly-llm-provider-chat.yml

@@ -48,10 +48,6 @@ on:
         required: false
         default: true
         type: boolean
-    secrets:
-      AWS_OIDC_ROLE_ARN:
-        description: "AWS role ARN for OIDC auth"
-        required: true
 
 permissions:
   contents: read
@@ -77,7 +73,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -120,7 +116,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -162,7 +158,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -268,7 +264,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2

.github/workflows/sandbox-deployment.yml

@@ -110,7 +110,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -180,7 +180,7 @@ jobs:
           persist-credentials: false
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2
@@ -244,7 +244,7 @@ jobs:
       - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: us-east-2

.pre-commit-config.yaml

@@ -119,11 +119,10 @@ repos:
           ]
 
   - repo: https://github.com/golangci/golangci-lint
-    rev: 5d1e709b7be35cb2025444e19de266b056b7b7ee # frozen: v2.10.1
+    rev: 9f61b0f53f80672872fced07b6874397c3ed197b # frozen: v2.7.2
     hooks:
       - id: golangci-lint
-        language_version: "1.26.0"
-        entry: bash -c "find . -name go.mod -not -path './.venv/*' -print0 | xargs -0 -I{} bash -c 'cd \"$(dirname {})\" && golangci-lint run ./...'"
+        entry: bash -c "find tools/ -name go.mod -print0 | xargs -0 -I{} bash -c 'cd \"$(dirname {})\" && golangci-lint run ./...'"
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.

.vscode/launch.json

@@ -485,6 +485,21 @@
         "group": "3"
       }
     },
+    {
+      "name": "Clear and Restart OpenSearch Container",
+      // Generic debugger type, required arg but has no bearing on bash.
+      "type": "node",
+      "request": "launch",
+      "runtimeExecutable": "bash",
+      "runtimeArgs": [
+        "${workspaceFolder}/backend/scripts/restart_opensearch_container.sh"
+      ],
+      "cwd": "${workspaceFolder}",
+      "console": "integratedTerminal",
+      "presentation": {
+        "group": "3"
+      }
+    },
     {
       "name": "Eval CLI",
       "type": "debugpy",

AGENTS.md

@@ -104,10 +104,6 @@ Onyx uses Celery for asynchronous task processing with multiple specialized work
 
 - Always use `@shared_task` rather than `@celery_app`
 - Put tasks under `background/celery/tasks/` or `ee/background/celery/tasks`
-- Never enqueue a task without an expiration. Always supply `expires=` when
-  sending tasks, either from the beat schedule or directly from another task. It
-  should never be acceptable to submit code which enqueues tasks without an
-  expiration, as doing so can lead to unbounded task queue growth.
 
 **Defining APIs**:
 When creating new FastAPI APIs, do NOT use the `response_model` field. Instead, just type the

backend/ee/onyx/db/user_group.py

@@ -2,7 +2,6 @@ from collections.abc import Sequence
 from operator import and_
 from uuid import UUID
 
-from fastapi import HTTPException
 from sqlalchemy import delete
 from sqlalchemy import func
 from sqlalchemy import Select
@@ -37,6 +36,8 @@ from onyx.db.models import UserGroup
 from onyx.db.models import UserGroup__ConnectorCredentialPair
 from onyx.db.models import UserRole
 from onyx.db.users import fetch_user_by_id
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.utils.logger import setup_logger
 
 logger = setup_logger()
@@ -166,18 +167,12 @@ def validate_object_creation_for_user(
     if object_is_public and user.role == UserRole.BASIC:
         detail = "User does not have permission to create public objects"
         logger.error(detail)
-        raise HTTPException(
-            status_code=400,
-            detail=detail,
-        )
+        raise OnyxError(OnyxErrorCode.INSUFFICIENT_PERMISSIONS, detail)
 
     if not target_group_ids:
         detail = "Curators must specify 1+ groups"
         logger.error(detail)
-        raise HTTPException(
-            status_code=400,
-            detail=detail,
-        )
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, detail)
 
     user_curated_groups = fetch_user_groups_for_user(
         db_session=db_session,
@@ -190,10 +185,7 @@ def validate_object_creation_for_user(
     if not target_group_ids_set.issubset(user_curated_group_ids):
         detail = "Curators cannot control groups they don't curate"
         logger.error(detail)
-        raise HTTPException(
-            status_code=400,
-            detail=detail,
-        )
+        raise OnyxError(OnyxErrorCode.INSUFFICIENT_PERMISSIONS, detail)
 
 
 def fetch_user_group(db_session: Session, user_group_id: int) -> UserGroup | None:

backend/ee/onyx/main.py

@@ -4,6 +4,7 @@ from contextlib import asynccontextmanager
 from fastapi import FastAPI
 from httpx_oauth.clients.google import GoogleOAuth2
 
+from ee.onyx.configs.app_configs import LICENSE_ENFORCEMENT_ENABLED
 from ee.onyx.server.analytics.api import router as analytics_router
 from ee.onyx.server.auth_check import check_ee_router_auth
 from ee.onyx.server.billing.api import router as billing_router
@@ -152,9 +153,12 @@ def get_application() -> FastAPI:
     # License management
     include_router_with_global_prefix_prepended(application, license_router)
 
-    # Unified billing API - always registered in EE.
-    # Each endpoint is protected by the `current_admin_user` dependency (admin auth).
-    include_router_with_global_prefix_prepended(application, billing_router)
+    # Unified billing API - available when license system is enabled
+    # Works for both self-hosted and cloud deployments
+    # TODO(ENG-3533): Once frontend migrates to /admin/billing/*, this becomes the
+    # primary billing API and /tenants/* billing endpoints can be removed
+    if LICENSE_ENFORCEMENT_ENABLED:
+        include_router_with_global_prefix_prepended(application, billing_router)
 
     if MULTI_TENANT:
         # Tenant management

backend/ee/onyx/server/billing/api.py

@@ -246,11 +246,7 @@ async def get_billing_information(
         )
     except OnyxError as e:
         # Open circuit breaker on connection failures (self-hosted only)
-        if e.status_code in (
-            OnyxErrorCode.BAD_GATEWAY.status_code,
-            OnyxErrorCode.SERVICE_UNAVAILABLE.status_code,
-            OnyxErrorCode.GATEWAY_TIMEOUT.status_code,
-        ):
+        if e.status_code in (502, 503, 504):
             _open_billing_circuit()
         raise
 

backend/onyx/background/celery/celery_utils.py

@@ -39,13 +39,9 @@ CT = TypeVar("CT", bound=ConnectorCheckpoint)
 
 
 class SlimConnectorExtractionResult(BaseModel):
-    """Result of extracting document IDs and hierarchy nodes from a connector.
+    """Result of extracting document IDs and hierarchy nodes from a connector."""
 
-    raw_id_to_parent maps document ID → parent_hierarchy_raw_node_id (or None).
-    Use raw_id_to_parent.keys() wherever the old set of IDs was needed.
-    """
-
-    raw_id_to_parent: dict[str, str | None]
+    doc_ids: set[str]
     hierarchy_nodes: list[HierarchyNode]
 
 
@@ -97,37 +93,30 @@ def _get_failure_id(failure: ConnectorFailure) -> str | None:
     return None
 
 
-class BatchResult(BaseModel):
-    raw_id_to_parent: dict[str, str | None]
-    hierarchy_nodes: list[HierarchyNode]
-
-
 def _extract_from_batch(
     doc_list: Sequence[Document | SlimDocument | HierarchyNode | ConnectorFailure],
-) -> BatchResult:
-    """Separate a batch into document IDs (with parent mapping) and hierarchy nodes.
+) -> tuple[set[str], list[HierarchyNode]]:
+    """Separate a batch into document IDs and hierarchy nodes.
 
     ConnectorFailure items have their failed document/entity IDs added to the
-    ID dict so that failed-to-retrieve documents are not accidentally pruned.
+    ID set so that failed-to-retrieve documents are not accidentally pruned.
     """
-    ids: dict[str, str | None] = {}
+    ids: set[str] = set()
     hierarchy_nodes: list[HierarchyNode] = []
     for item in doc_list:
         if isinstance(item, HierarchyNode):
             hierarchy_nodes.append(item)
-            if item.raw_node_id not in ids:
-                ids[item.raw_node_id] = None
+            ids.add(item.raw_node_id)
         elif isinstance(item, ConnectorFailure):
             failed_id = _get_failure_id(item)
             if failed_id:
-                ids[failed_id] = None
+                ids.add(failed_id)
             logger.warning(
                 f"Failed to retrieve document {failed_id}: " f"{item.failure_message}"
             )
         else:
-            parent_raw = getattr(item, "parent_hierarchy_raw_node_id", None)
-            ids[item.id] = parent_raw
-    return BatchResult(raw_id_to_parent=ids, hierarchy_nodes=hierarchy_nodes)
+            ids.add(item.id)
+    return ids, hierarchy_nodes
 
 
 def extract_ids_from_runnable_connector(
@@ -143,7 +132,7 @@ def extract_ids_from_runnable_connector(
 
     Optionally, a callback can be passed to handle the length of each document batch.
     """
-    all_raw_id_to_parent: dict[str, str | None] = {}
+    all_connector_doc_ids: set[str] = set()
     all_hierarchy_nodes: list[HierarchyNode] = []
 
     # Sequence (covariant) lets all the specific list[...] iterator types unify here
@@ -188,20 +177,15 @@ def extract_ids_from_runnable_connector(
                 "extract_ids_from_runnable_connector: Stop signal detected"
             )
 
-        batch_result = _extract_from_batch(doc_list)
-        batch_ids = batch_result.raw_id_to_parent
-        batch_nodes = batch_result.hierarchy_nodes
-        doc_batch_processing_func(batch_ids)
-        for k, v in batch_ids.items():
-            if v is not None or k not in all_raw_id_to_parent:
-                all_raw_id_to_parent[k] = v
+        batch_ids, batch_nodes = _extract_from_batch(doc_list)
+        all_connector_doc_ids.update(doc_batch_processing_func(batch_ids))
         all_hierarchy_nodes.extend(batch_nodes)
 
         if callback:
             callback.progress("extract_ids_from_runnable_connector", len(batch_ids))
 
     return SlimConnectorExtractionResult(
-        raw_id_to_parent=all_raw_id_to_parent,
+        doc_ids=all_connector_doc_ids,
         hierarchy_nodes=all_hierarchy_nodes,
     )
 

backend/onyx/background/celery/tasks/pruning/tasks.py

@@ -29,7 +29,6 @@ from onyx.configs.constants import CELERY_GENERIC_BEAT_LOCK_TIMEOUT
 from onyx.configs.constants import CELERY_PRUNING_LOCK_TIMEOUT
 from onyx.configs.constants import CELERY_TASK_WAIT_FOR_FENCE_TIMEOUT
 from onyx.configs.constants import DANSWER_REDIS_FUNCTION_LOCK_PREFIX
-from onyx.configs.constants import DocumentSource
 from onyx.configs.constants import OnyxCeleryPriority
 from onyx.configs.constants import OnyxCeleryQueues
 from onyx.configs.constants import OnyxCeleryTask
@@ -48,8 +47,6 @@ from onyx.db.enums import AccessType
 from onyx.db.enums import ConnectorCredentialPairStatus
 from onyx.db.enums import SyncStatus
 from onyx.db.enums import SyncType
-from onyx.db.hierarchy import link_hierarchy_nodes_to_documents
-from onyx.db.hierarchy import update_document_parent_hierarchy_nodes
 from onyx.db.hierarchy import upsert_hierarchy_nodes_batch
 from onyx.db.models import ConnectorCredentialPair
 from onyx.db.sync_record import insert_sync_record
@@ -60,8 +57,6 @@ from onyx.redis.redis_connector_prune import RedisConnectorPrune
 from onyx.redis.redis_connector_prune import RedisConnectorPrunePayload
 from onyx.redis.redis_hierarchy import cache_hierarchy_nodes_batch
 from onyx.redis.redis_hierarchy import ensure_source_node_exists
-from onyx.redis.redis_hierarchy import get_node_id_from_raw_id
-from onyx.redis.redis_hierarchy import get_source_node_id_from_cache
 from onyx.redis.redis_hierarchy import HierarchyNodeCacheEntry
 from onyx.redis.redis_pool import get_redis_client
 from onyx.redis.redis_pool import get_redis_replica_client
@@ -118,38 +113,6 @@ class PruneCallback(IndexingCallbackBase):
         super().progress(tag, amount)
 
 
-def _resolve_and_update_document_parents(
-    db_session: Session,
-    redis_client: Redis,
-    source: DocumentSource,
-    raw_id_to_parent: dict[str, str | None],
-) -> None:
-    """Resolve parent_hierarchy_raw_node_id → parent_hierarchy_node_id for
-    each document and bulk-update the DB. Mirrors the resolution logic in
-    run_docfetching.py."""
-    source_node_id = get_source_node_id_from_cache(redis_client, db_session, source)
-
-    resolved: dict[str, int | None] = {}
-    for doc_id, raw_parent_id in raw_id_to_parent.items():
-        if raw_parent_id is None:
-            continue
-        node_id, found = get_node_id_from_raw_id(redis_client, source, raw_parent_id)
-        resolved[doc_id] = node_id if found else source_node_id
-
-    if not resolved:
-        return
-
-    update_document_parent_hierarchy_nodes(
-        db_session=db_session,
-        doc_parent_map=resolved,
-        commit=True,
-    )
-    task_logger.info(
-        f"Pruning: resolved and updated parent hierarchy for "
-        f"{len(resolved)} documents (source={source.value})"
-    )
-
-
 """Jobs / utils for kicking off pruning tasks."""
 
 
@@ -572,22 +535,22 @@ def connector_pruning_generator_task(
             extraction_result = extract_ids_from_runnable_connector(
                 runnable_connector, callback
             )
-            all_connector_doc_ids = extraction_result.raw_id_to_parent
+            all_connector_doc_ids = extraction_result.doc_ids
 
             # Process hierarchy nodes (same as docfetching):
             # upsert to Postgres and cache in Redis
-            source = cc_pair.connector.source
-            redis_client = get_redis_client(tenant_id=tenant_id)
-
             if extraction_result.hierarchy_nodes:
                 is_connector_public = cc_pair.access_type == AccessType.PUBLIC
 
-                ensure_source_node_exists(redis_client, db_session, source)
+                redis_client = get_redis_client(tenant_id=tenant_id)
+                ensure_source_node_exists(
+                    redis_client, db_session, cc_pair.connector.source
+                )
 
                 upserted_nodes = upsert_hierarchy_nodes_batch(
                     db_session=db_session,
                     nodes=extraction_result.hierarchy_nodes,
-                    source=source,
+                    source=cc_pair.connector.source,
                     commit=True,
                     is_connector_public=is_connector_public,
                 )
@@ -598,7 +561,7 @@ def connector_pruning_generator_task(
                 ]
                 cache_hierarchy_nodes_batch(
                     redis_client=redis_client,
-                    source=source,
+                    source=cc_pair.connector.source,
                     entries=cache_entries,
                 )
 
@@ -607,26 +570,6 @@ def connector_pruning_generator_task(
                     f"hierarchy nodes for cc_pair={cc_pair_id}"
                 )
 
-            ensure_source_node_exists(redis_client, db_session, source)
-            # Resolve parent_hierarchy_raw_node_id → parent_hierarchy_node_id
-            # and bulk-update documents, mirroring the docfetching resolution
-            _resolve_and_update_document_parents(
-                db_session=db_session,
-                redis_client=redis_client,
-                source=source,
-                raw_id_to_parent=all_connector_doc_ids,
-            )
-
-            # Link hierarchy nodes to documents for sources where pages can be
-            # both hierarchy nodes AND documents (e.g. Notion, Confluence)
-            all_doc_id_list = list(all_connector_doc_ids.keys())
-            link_hierarchy_nodes_to_documents(
-                db_session=db_session,
-                document_ids=all_doc_id_list,
-                source=source,
-                commit=True,
-            )
-
             # a list of docs in our local index
             all_indexed_document_ids = {
                 doc.id
@@ -638,9 +581,7 @@ def connector_pruning_generator_task(
             }
 
             # generate list of docs to remove (no longer in the source)
-            doc_ids_to_remove = list(
-                all_indexed_document_ids - all_connector_doc_ids.keys()
-            )
+            doc_ids_to_remove = list(all_indexed_document_ids - all_connector_doc_ids)
 
             task_logger.info(
                 "Pruning set collected: "

backend/onyx/background/indexing/run_docfetching.py

@@ -58,6 +58,8 @@ from onyx.file_store.document_batch_storage import DocumentBatchStorage
 from onyx.file_store.document_batch_storage import get_document_batch_storage
 from onyx.indexing.indexing_heartbeat import IndexingHeartbeatInterface
 from onyx.indexing.indexing_pipeline import index_doc_batch_prepare
+from onyx.indexing.postgres_sanitization import sanitize_document_for_postgres
+from onyx.indexing.postgres_sanitization import sanitize_hierarchy_nodes_for_postgres
 from onyx.redis.redis_hierarchy import cache_hierarchy_nodes_batch
 from onyx.redis.redis_hierarchy import ensure_source_node_exists
 from onyx.redis.redis_hierarchy import get_node_id_from_raw_id
@@ -69,8 +71,6 @@ from onyx.server.features.build.indexing.persistent_document_writer import (
 )
 from onyx.utils.logger import setup_logger
 from onyx.utils.middleware import make_randomized_onyx_request_id
-from onyx.utils.postgres_sanitization import sanitize_document_for_postgres
-from onyx.utils.postgres_sanitization import sanitize_hierarchy_nodes_for_postgres
 from onyx.utils.variable_functionality import global_version
 from shared_configs.configs import MULTI_TENANT
 from shared_configs.contextvars import INDEX_ATTEMPT_INFO_CONTEXTVAR

backend/onyx/chat/llm_loop.py

@@ -36,6 +36,7 @@ from onyx.db.memory import add_memory
 from onyx.db.memory import update_memory_at_index
 from onyx.db.memory import UserMemoryContext
 from onyx.db.models import Persona
+from onyx.llm.constants import LlmProviderNames
 from onyx.llm.interfaces import LLM
 from onyx.llm.interfaces import LLMUserIdentity
 from onyx.llm.interfaces import ToolChoiceOptions
@@ -83,6 +84,28 @@ def _looks_like_xml_tool_call_payload(text: str | None) -> bool:
     )
 
 
+def _should_keep_bedrock_tool_definitions(
+    llm: object, simple_chat_history: list[ChatMessageSimple]
+) -> bool:
+    """Bedrock requires tool config when history includes toolUse/toolResult blocks."""
+    model_provider = getattr(getattr(llm, "config", None), "model_provider", None)
+    if model_provider not in {
+        LlmProviderNames.BEDROCK,
+        LlmProviderNames.BEDROCK_CONVERSE,
+    }:
+        return False
+
+    return any(
+        (
+            msg.message_type == MessageType.ASSISTANT
+            and msg.tool_calls
+            and len(msg.tool_calls) > 0
+        )
+        or msg.message_type == MessageType.TOOL_CALL_RESPONSE
+        for msg in simple_chat_history
+    )
+
+
 def _try_fallback_tool_extraction(
     llm_step_result: LlmStepResult,
     tool_choice: ToolChoiceOptions,
@@ -663,7 +686,12 @@ def run_llm_loop(
             elif out_of_cycles or ran_image_gen:
                 # Last cycle, no tools allowed, just answer!
                 tool_choice = ToolChoiceOptions.NONE
-                final_tools = []
+                # Bedrock requires tool config in requests that include toolUse/toolResult history.
+                final_tools = (
+                    tools
+                    if _should_keep_bedrock_tool_definitions(llm, simple_chat_history)
+                    else []
+                )
             else:
                 tool_choice = ToolChoiceOptions.AUTO
                 final_tools = tools

backend/onyx/chat/llm_step.py

@@ -55,7 +55,6 @@ from onyx.tools.models import ToolCallKickoff
 from onyx.tracing.framework.create import generation_span
 from onyx.utils.b64 import get_image_type_from_bytes
 from onyx.utils.logger import setup_logger
-from onyx.utils.postgres_sanitization import sanitize_string
 from onyx.utils.text_processing import find_all_json_objects
 
 logger = setup_logger()
@@ -167,6 +166,15 @@ def _find_function_calls_open_marker(text_lower: str) -> int:
         search_from = idx + 1
 
 
+def _sanitize_llm_output(value: str) -> str:
+    """Remove characters that PostgreSQL's text/JSONB types cannot store.
+
+    - NULL bytes (\x00): Not allowed in PostgreSQL text types
+    - UTF-16 surrogates (\ud800-\udfff): Invalid in UTF-8 encoding
+    """
+    return "".join(c for c in value if c != "\x00" and not ("\ud800" <= c <= "\udfff"))
+
+
 def _try_parse_json_string(value: Any) -> Any:
     """Attempt to parse a JSON string value into its Python equivalent.
 
@@ -214,7 +222,9 @@ def _parse_tool_args_to_dict(raw_args: Any) -> dict[str, Any]:
     if isinstance(raw_args, dict):
         # Parse any string values that look like JSON arrays/objects
         return {
-            k: _try_parse_json_string(sanitize_string(v) if isinstance(v, str) else v)
+            k: _try_parse_json_string(
+                _sanitize_llm_output(v) if isinstance(v, str) else v
+            )
             for k, v in raw_args.items()
         }
 
@@ -222,7 +232,7 @@ def _parse_tool_args_to_dict(raw_args: Any) -> dict[str, Any]:
         return {}
 
     # Sanitize before parsing to remove NULL bytes and surrogates
-    raw_args = sanitize_string(raw_args)
+    raw_args = _sanitize_llm_output(raw_args)
 
     try:
         parsed1: Any = json.loads(raw_args)
@@ -535,12 +545,12 @@ def _extract_xml_attribute(attrs: str, attr_name: str) -> str | None:
     )
     if not attr_match:
         return None
-    return sanitize_string(unescape(attr_match.group(2).strip()))
+    return _sanitize_llm_output(unescape(attr_match.group(2).strip()))
 
 
 def _parse_xml_parameter_value(raw_value: str, string_attr: str | None) -> Any:
     """Parse a parameter value from XML-style tool call payloads."""
-    value = sanitize_string(unescape(raw_value).strip())
+    value = _sanitize_llm_output(unescape(raw_value).strip())
 
     if string_attr and string_attr.lower() == "true":
         return value
@@ -559,7 +569,6 @@ def _resolve_tool_arguments(obj: dict[str, Any]) -> dict[str, Any] | None:
     """
     arguments = obj.get("arguments", obj.get("parameters", {}))
     if isinstance(arguments, str):
-        arguments = sanitize_string(arguments)
         try:
             arguments = json.loads(arguments)
         except json.JSONDecodeError:

backend/onyx/chat/save_chat.py

@@ -19,7 +19,6 @@ from onyx.natural_language_processing.utils import get_tokenizer
 from onyx.server.query_and_chat.chat_utils import mime_type_to_chat_file_type
 from onyx.tools.models import ToolCallInfo
 from onyx.utils.logger import setup_logger
-from onyx.utils.postgres_sanitization import sanitize_string
 
 logger = setup_logger()
 
@@ -202,13 +201,8 @@ def save_chat_turn(
         pre_answer_processing_time: Duration of processing before answer starts (in seconds)
     """
     # 1. Update ChatMessage with message content, reasoning tokens, and token count
-    sanitized_message_text = (
-        sanitize_string(message_text) if message_text else message_text
-    )
-    assistant_message.message = sanitized_message_text
-    assistant_message.reasoning_tokens = (
-        sanitize_string(reasoning_tokens) if reasoning_tokens else reasoning_tokens
-    )
+    assistant_message.message = message_text
+    assistant_message.reasoning_tokens = reasoning_tokens
     assistant_message.is_clarification = is_clarification
 
     # Use pre-answer processing time (captured when MESSAGE_START was emitted)
@@ -218,10 +212,8 @@ def save_chat_turn(
     # Calculate token count using default tokenizer, when storing, this should not use the LLM
     # specific one so we use a system default tokenizer here.
     default_tokenizer = get_tokenizer(None, None)
-    if sanitized_message_text:
-        assistant_message.token_count = len(
-            default_tokenizer.encode(sanitized_message_text)
-        )
+    if message_text:
+        assistant_message.token_count = len(default_tokenizer.encode(message_text))
     else:
         assistant_message.token_count = 0
 
@@ -336,10 +328,8 @@ def save_chat_turn(
     # 8. Attach code interpreter generated files that the assistant actually
     # referenced in its response, so they are available via load_all_chat_files
     # on subsequent turns. Files not mentioned are intermediate artifacts.
-    if sanitized_message_text:
-        referenced = _extract_referenced_file_descriptors(
-            tool_calls, sanitized_message_text
-        )
+    if message_text:
+        referenced = _extract_referenced_file_descriptors(tool_calls, message_text)
         if referenced:
             existing_files = assistant_message.files or []
             assistant_message.files = existing_files + referenced

backend/onyx/connectors/confluence/connector.py

@@ -943,9 +943,6 @@ class ConfluenceConnector(
                         if include_permissions
                         else None
                     ),
-                    parent_hierarchy_raw_node_id=self._get_parent_hierarchy_raw_id(
-                        page
-                    ),
                 )
             )
 
@@ -995,7 +992,6 @@ class ConfluenceConnector(
                             if include_permissions
                             else None
                         ),
-                        parent_hierarchy_raw_node_id=page_id,
                     )
                 )
 

backend/onyx/connectors/google_drive/doc_conversion.py

@@ -781,5 +781,4 @@ def build_slim_document(
     return SlimDocument(
         id=onyx_document_id_from_drive_file(file),
         external_access=external_access,
-        parent_hierarchy_raw_node_id=(file.get("parents") or [None])[0],
     )

backend/onyx/connectors/jira/connector.py

@@ -902,11 +902,6 @@ class JiraConnector(
                         external_access=self._get_project_permissions(
                             project_key, add_prefix=False
                         ),
-                        parent_hierarchy_raw_node_id=(
-                            self._get_parent_hierarchy_raw_node_id(issue, project_key)
-                            if project_key
-                            else None
-                        ),
                     )
                 )
                 current_offset += 1

backend/onyx/connectors/models.py

@@ -385,7 +385,6 @@ class IndexingDocument(Document):
 class SlimDocument(BaseModel):
     id: str
     external_access: ExternalAccess | None = None
-    parent_hierarchy_raw_node_id: str | None = None
 
 
 class HierarchyNode(BaseModel):

backend/onyx/connectors/sharepoint/connector.py

@@ -772,7 +772,6 @@ def _convert_driveitem_to_slim_document(
     drive_name: str,
     ctx: ClientContext,
     graph_client: GraphClient,
-    parent_hierarchy_raw_node_id: str | None = None,
 ) -> SlimDocument:
     if driveitem.id is None:
         raise ValueError("DriveItem ID is required")
@@ -788,15 +787,11 @@ def _convert_driveitem_to_slim_document(
     return SlimDocument(
         id=driveitem.id,
         external_access=external_access,
-        parent_hierarchy_raw_node_id=parent_hierarchy_raw_node_id,
     )
 
 
 def _convert_sitepage_to_slim_document(
-    site_page: dict[str, Any],
-    ctx: ClientContext | None,
-    graph_client: GraphClient,
-    parent_hierarchy_raw_node_id: str | None = None,
+    site_page: dict[str, Any], ctx: ClientContext | None, graph_client: GraphClient
 ) -> SlimDocument:
     """Convert a SharePoint site page to a SlimDocument object."""
     if site_page.get("id") is None:
@@ -813,7 +808,6 @@ def _convert_sitepage_to_slim_document(
     return SlimDocument(
         id=id,
         external_access=external_access,
-        parent_hierarchy_raw_node_id=parent_hierarchy_raw_node_id,
     )
 
 
@@ -1600,22 +1594,12 @@ class SharepointConnector(
                             )
                         )
 
-                    parent_hierarchy_url: str | None = None
-                    if drive_web_url:
-                        parent_hierarchy_url = self._get_parent_hierarchy_url(
-                            site_url, drive_web_url, drive_name, driveitem
-                        )
-
                     try:
                         logger.debug(f"Processing: {driveitem.web_url}")
                         ctx = self._create_rest_client_context(site_descriptor.url)
                         doc_batch.append(
                             _convert_driveitem_to_slim_document(
-                                driveitem,
-                                drive_name,
-                                ctx,
-                                self.graph_client,
-                                parent_hierarchy_raw_node_id=parent_hierarchy_url,
+                                driveitem, drive_name, ctx, self.graph_client
                             )
                         )
                     except Exception as e:
@@ -1635,10 +1619,7 @@ class SharepointConnector(
                     ctx = self._create_rest_client_context(site_descriptor.url)
                     doc_batch.append(
                         _convert_sitepage_to_slim_document(
-                            site_page,
-                            ctx,
-                            self.graph_client,
-                            parent_hierarchy_raw_node_id=site_descriptor.url,
+                            site_page, ctx, self.graph_client
                         )
                     )
                     if len(doc_batch) >= SLIM_BATCH_SIZE:

backend/onyx/connectors/slack/connector.py

@@ -565,7 +565,6 @@ def _get_all_doc_ids(
                             channel_id=channel_id, thread_ts=message["ts"]
                         ),
                         external_access=external_access,
-                        parent_hierarchy_raw_node_id=channel_id,
                     )
                 )
 

backend/onyx/db/chat.py

@@ -5,7 +5,6 @@ from datetime import timezone
 from typing import Tuple
 from uuid import UUID
 
-from fastapi import HTTPException
 from sqlalchemy import delete
 from sqlalchemy import desc
 from sqlalchemy import exists
@@ -32,13 +31,14 @@ from onyx.db.models import SearchDoc as DBSearchDoc
 from onyx.db.models import ToolCall
 from onyx.db.models import User
 from onyx.db.persona import get_best_persona_id_for_user
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.file_store.file_store import get_default_file_store
 from onyx.file_store.models import FileDescriptor
 from onyx.llm.override_models import LLMOverride
 from onyx.llm.override_models import PromptOverride
 from onyx.server.query_and_chat.models import ChatMessageDetail
 from onyx.utils.logger import setup_logger
-from onyx.utils.postgres_sanitization import sanitize_string
 
 
 logger = setup_logger()
@@ -228,7 +228,9 @@ def duplicate_chat_session_for_user_from_slack(
         db_session=db_session,
     )
     if not chat_session:
-        raise HTTPException(status_code=400, detail="Invalid Chat Session ID provided")
+        raise OnyxError(
+            OnyxErrorCode.SESSION_NOT_FOUND, "Invalid Chat Session ID provided"
+        )
 
     # This enforces permissions and sets a default
     new_persona_id = get_best_persona_id_for_user(
@@ -676,43 +678,58 @@ def set_as_latest_chat_message(
     db_session.commit()
 
 
+def _sanitize_for_postgres(value: str) -> str:
+    """Remove NUL (0x00) characters from strings as PostgreSQL doesn't allow them."""
+    sanitized = value.replace("\x00", "")
+    if value and not sanitized:
+        logger.warning("Sanitization removed all characters from string")
+    return sanitized
+
+
+def _sanitize_list_for_postgres(values: list[str]) -> list[str]:
+    """Remove NUL (0x00) characters from all strings in a list."""
+    return [_sanitize_for_postgres(v) for v in values]
+
+
 def create_db_search_doc(
     server_search_doc: ServerSearchDoc,
     db_session: Session,
     commit: bool = True,
 ) -> DBSearchDoc:
+    # Sanitize string fields to remove NUL characters (PostgreSQL doesn't allow them)
     db_search_doc = DBSearchDoc(
-        document_id=sanitize_string(server_search_doc.document_id),
+        document_id=_sanitize_for_postgres(server_search_doc.document_id),
         chunk_ind=server_search_doc.chunk_ind,
-        semantic_id=sanitize_string(server_search_doc.semantic_identifier),
+        semantic_id=_sanitize_for_postgres(server_search_doc.semantic_identifier),
         link=(
-            sanitize_string(server_search_doc.link)
+            _sanitize_for_postgres(server_search_doc.link)
             if server_search_doc.link is not None
             else None
         ),
-        blurb=sanitize_string(server_search_doc.blurb),
+        blurb=_sanitize_for_postgres(server_search_doc.blurb),
         source_type=server_search_doc.source_type,
         boost=server_search_doc.boost,
         hidden=server_search_doc.hidden,
         doc_metadata=server_search_doc.metadata,
         is_relevant=server_search_doc.is_relevant,
         relevance_explanation=(
-            sanitize_string(server_search_doc.relevance_explanation)
+            _sanitize_for_postgres(server_search_doc.relevance_explanation)
             if server_search_doc.relevance_explanation is not None
             else None
         ),
+        # For docs further down that aren't reranked, we can't use the retrieval score
         score=server_search_doc.score or 0.0,
-        match_highlights=[
-            sanitize_string(h) for h in server_search_doc.match_highlights
-        ],
+        match_highlights=_sanitize_list_for_postgres(
+            server_search_doc.match_highlights
+        ),
         updated_at=server_search_doc.updated_at,
         primary_owners=(
-            [sanitize_string(o) for o in server_search_doc.primary_owners]
+            _sanitize_list_for_postgres(server_search_doc.primary_owners)
             if server_search_doc.primary_owners is not None
             else None
         ),
         secondary_owners=(
-            [sanitize_string(o) for o in server_search_doc.secondary_owners]
+            _sanitize_list_for_postgres(server_search_doc.secondary_owners)
             if server_search_doc.secondary_owners is not None
             else None
         ),

backend/onyx/db/connector_credential_pair.py

@@ -2,7 +2,6 @@ from datetime import datetime
 from enum import Enum
 from typing import TypeVarTuple
 
-from fastapi import HTTPException
 from sqlalchemy import delete
 from sqlalchemy import desc
 from sqlalchemy import exists
@@ -32,6 +31,8 @@ from onyx.db.models import User
 from onyx.db.models import User__UserGroup
 from onyx.db.models import UserGroup__ConnectorCredentialPair
 from onyx.db.models import UserRole
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.server.models import StatusResponse
 from onyx.utils.logger import setup_logger
 from onyx.utils.variable_functionality import fetch_ee_implementation_or_noop
@@ -539,7 +540,7 @@ def add_credential_to_connector(
         )
 
     if connector is None:
-        raise HTTPException(status_code=404, detail="Connector does not exist")
+        raise OnyxError(OnyxErrorCode.CONNECTOR_NOT_FOUND, "Connector does not exist")
 
     if access_type == AccessType.SYNC:
         if not fetch_ee_implementation_or_noop(
@@ -547,9 +548,9 @@ def add_credential_to_connector(
             "check_if_valid_sync_source",
             noop_return_value=True,
         )(connector.source):
-            raise HTTPException(
-                status_code=400,
-                detail=f"Connector of type {connector.source} does not support SYNC access type",
+            raise OnyxError(
+                OnyxErrorCode.VALIDATION_ERROR,
+                f"Connector of type {connector.source} does not support SYNC access type",
             )
 
     if credential is None:
@@ -557,9 +558,9 @@ def add_credential_to_connector(
             f"Credential {credential_id} does not exist or does not belong to user"
         )
         logger.error(error_msg)
-        raise HTTPException(
-            status_code=401,
-            detail=error_msg,
+        raise OnyxError(
+            OnyxErrorCode.CREDENTIAL_NOT_FOUND,
+            error_msg,
         )
 
     existing_association = (
@@ -622,12 +623,12 @@ def remove_credential_from_connector(
     )
 
     if connector is None:
-        raise HTTPException(status_code=404, detail="Connector does not exist")
+        raise OnyxError(OnyxErrorCode.CONNECTOR_NOT_FOUND, "Connector does not exist")
 
     if credential is None:
-        raise HTTPException(
-            status_code=404,
-            detail="Credential does not exist or does not belong to user",
+        raise OnyxError(
+            OnyxErrorCode.CREDENTIAL_NOT_FOUND,
+            "Credential does not exist or does not belong to user",
         )
 
     association = get_connector_credential_pair_for_user(

backend/onyx/db/engine/async_sql_engine.py

@@ -4,7 +4,6 @@ from typing import Any
 from typing import AsyncContextManager
 
 import asyncpg  # type: ignore
-from fastapi import HTTPException
 from sqlalchemy import event
 from sqlalchemy import pool
 from sqlalchemy.ext.asyncio import AsyncEngine
@@ -28,6 +27,8 @@ from onyx.db.engine.sql_engine import build_connection_string
 from onyx.db.engine.sql_engine import is_valid_schema_name
 from onyx.db.engine.sql_engine import SqlEngine
 from onyx.db.engine.sql_engine import USE_IAM_AUTH
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from shared_configs.configs import MULTI_TENANT
 from shared_configs.configs import POSTGRES_DEFAULT_SCHEMA_STANDARD_VALUE
 from shared_configs.contextvars import get_current_tenant_id
@@ -114,7 +115,7 @@ async def get_async_session(
         tenant_id = get_current_tenant_id()
 
     if not is_valid_schema_name(tenant_id):
-        raise HTTPException(status_code=400, detail="Invalid tenant ID")
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, "Invalid tenant ID")
 
     engine = get_sqlalchemy_async_engine()
 

backend/onyx/db/engine/sql_engine.py

@@ -6,7 +6,6 @@ from collections.abc import Generator
 from contextlib import contextmanager
 from typing import Any
 
-from fastapi import HTTPException
 from sqlalchemy import event
 from sqlalchemy import pool
 from sqlalchemy.engine import create_engine
@@ -27,6 +26,8 @@ from onyx.configs.app_configs import POSTGRES_USE_NULL_POOL
 from onyx.configs.app_configs import POSTGRES_USER
 from onyx.configs.constants import POSTGRES_UNKNOWN_APP_NAME
 from onyx.db.engine.iam_auth import provide_iam_token
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.server.utils import BasicAuthenticationError
 from onyx.utils.logger import setup_logger
 from shared_configs.configs import MULTI_TENANT
@@ -344,7 +345,7 @@ def get_session_with_tenant(*, tenant_id: str) -> Generator[Session, None, None]
     engine = get_sqlalchemy_engine()
 
     if not is_valid_schema_name(tenant_id):
-        raise HTTPException(status_code=400, detail="Invalid tenant ID")
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, "Invalid tenant ID")
 
     # no need to use the schema translation map for self-hosted + default schema
     if not MULTI_TENANT and tenant_id == POSTGRES_DEFAULT_SCHEMA_STANDARD_VALUE:
@@ -371,7 +372,7 @@ def get_session() -> Generator[Session, None, None]:
         raise BasicAuthenticationError(detail="User must authenticate")
 
     if not is_valid_schema_name(tenant_id):
-        raise HTTPException(status_code=400, detail="Invalid tenant ID")
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, "Invalid tenant ID")
 
     with get_session_with_current_tenant() as db_session:
         yield db_session
@@ -390,7 +391,7 @@ def get_db_readonly_user_session_with_current_tenant() -> (
     readonly_engine = get_readonly_sqlalchemy_engine()
 
     if not is_valid_schema_name(tenant_id):
-        raise HTTPException(status_code=400, detail="Invalid tenant ID")
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, "Invalid tenant ID")
 
     # no need to use the schema translation map for self-hosted + default schema
     if not MULTI_TENANT and tenant_id == POSTGRES_DEFAULT_SCHEMA_STANDARD_VALUE:

backend/onyx/db/feedback.py

@@ -2,7 +2,6 @@ from datetime import datetime
 from datetime import timezone
 from uuid import UUID
 
-from fastapi import HTTPException
 from sqlalchemy import and_
 from sqlalchemy import asc
 from sqlalchemy import delete
@@ -26,6 +25,8 @@ from onyx.db.models import User
 from onyx.db.models import User__UserGroup
 from onyx.db.models import UserGroup__ConnectorCredentialPair
 from onyx.db.models import UserRole
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.utils.logger import setup_logger
 
 logger = setup_logger()
@@ -134,8 +135,9 @@ def update_document_boost_for_user(
     stmt = _add_user_filters(stmt, user, get_editable=True)
     result: DbDocument | None = db_session.execute(stmt).scalar_one_or_none()
     if result is None:
-        raise HTTPException(
-            status_code=400, detail="Document is not editable by this user"
+        raise OnyxError(
+            OnyxErrorCode.UNAUTHORIZED,
+            "Document is not editable by this user",
         )
 
     result.boost = boost
@@ -156,8 +158,9 @@ def update_document_hidden_for_user(
     stmt = _add_user_filters(stmt, user, get_editable=True)
     result = db_session.execute(stmt).scalar_one_or_none()
     if result is None:
-        raise HTTPException(
-            status_code=400, detail="Document is not editable by this user"
+        raise OnyxError(
+            OnyxErrorCode.UNAUTHORIZED,
+            "Document is not editable by this user",
         )
 
     result.hidden = hidden

backend/onyx/db/hierarchy.py

@@ -1,7 +1,5 @@
 """CRUD operations for HierarchyNode."""
 
-from collections import defaultdict
-
 from sqlalchemy import select
 from sqlalchemy.orm import Session
 
@@ -527,53 +525,6 @@ def get_document_parent_hierarchy_node_ids(
     return {doc_id: parent_id for doc_id, parent_id in results}
 
 
-def update_document_parent_hierarchy_nodes(
-    db_session: Session,
-    doc_parent_map: dict[str, int | None],
-    commit: bool = True,
-) -> int:
-    """Bulk-update Document.parent_hierarchy_node_id for multiple documents.
-
-    Only updates rows whose current value differs from the desired value to
-    avoid unnecessary writes.
-
-    Args:
-        db_session: SQLAlchemy session
-        doc_parent_map: Mapping of document_id → desired parent_hierarchy_node_id
-        commit: Whether to commit the transaction
-
-    Returns:
-        Number of documents actually updated
-    """
-    if not doc_parent_map:
-        return 0
-
-    doc_ids = list(doc_parent_map.keys())
-    existing = get_document_parent_hierarchy_node_ids(db_session, doc_ids)
-
-    by_parent: dict[int | None, list[str]] = defaultdict(list)
-    for doc_id, desired_parent_id in doc_parent_map.items():
-        current = existing.get(doc_id)
-        if current == desired_parent_id or doc_id not in existing:
-            continue
-        by_parent[desired_parent_id].append(doc_id)
-
-    updated = 0
-    for desired_parent_id, ids in by_parent.items():
-        db_session.query(Document).filter(Document.id.in_(ids)).update(
-            {Document.parent_hierarchy_node_id: desired_parent_id},
-            synchronize_session=False,
-        )
-        updated += len(ids)
-
-    if commit:
-        db_session.commit()
-    elif updated:
-        db_session.flush()
-
-    return updated
-
-
 def update_hierarchy_node_permissions(
     db_session: Session,
     raw_node_id: str,

backend/onyx/db/input_prompt.py

@@ -1,6 +1,5 @@
 from uuid import UUID
 
-from fastapi import HTTPException
 from sqlalchemy import or_
 from sqlalchemy import select
 from sqlalchemy.dialects.postgresql import insert as pg_insert
@@ -11,6 +10,8 @@ from sqlalchemy.orm import Session
 from onyx.db.models import InputPrompt
 from onyx.db.models import InputPrompt__User
 from onyx.db.models import User
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.server.features.input_prompt.models import InputPromptSnapshot
 from onyx.server.manage.models import UserInfo
 from onyx.utils.logger import setup_logger
@@ -54,9 +55,9 @@ def insert_input_prompt(
     input_prompt = result.scalar_one_or_none()
 
     if input_prompt is None:
-        raise HTTPException(
-            status_code=409,
-            detail=f"A prompt shortcut with the name '{prompt}' already exists",
+        raise OnyxError(
+            OnyxErrorCode.DUPLICATE_RESOURCE,
+            f"A prompt shortcut with the name '{prompt}' already exists",
         )
 
     db_session.commit()
@@ -78,7 +79,7 @@ def update_input_prompt(
         raise ValueError(f"No input prompt with id {input_prompt_id}")
 
     if not validate_user_prompt_authorization(user, input_prompt):
-        raise HTTPException(status_code=401, detail="You don't own this prompt")
+        raise OnyxError(OnyxErrorCode.UNAUTHORIZED, "You don't own this prompt")
 
     input_prompt.prompt = prompt
     input_prompt.content = content
@@ -88,9 +89,9 @@ def update_input_prompt(
         db_session.commit()
     except IntegrityError:
         db_session.rollback()
-        raise HTTPException(
-            status_code=409,
-            detail=f"A prompt shortcut with the name '{prompt}' already exists",
+        raise OnyxError(
+            OnyxErrorCode.DUPLICATE_RESOURCE,
+            f"A prompt shortcut with the name '{prompt}' already exists",
         )
 
     return input_prompt
@@ -121,7 +122,7 @@ def remove_public_input_prompt(input_prompt_id: int, db_session: Session) -> Non
         raise ValueError(f"No input prompt with id {input_prompt_id}")
 
     if not input_prompt.is_public:
-        raise HTTPException(status_code=400, detail="This prompt is not public")
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, "This prompt is not public")
 
     db_session.delete(input_prompt)
     db_session.commit()
@@ -140,12 +141,13 @@ def remove_input_prompt(
         raise ValueError(f"No input prompt with id {input_prompt_id}")
 
     if input_prompt.is_public and not delete_public:
-        raise HTTPException(
-            status_code=400, detail="Cannot delete public prompts with this method"
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "Cannot delete public prompts with this method",
         )
 
     if not validate_user_prompt_authorization(user, input_prompt):
-        raise HTTPException(status_code=401, detail="You do not own this prompt")
+        raise OnyxError(OnyxErrorCode.UNAUTHORIZED, "You do not own this prompt")
 
     db_session.delete(input_prompt)
     db_session.commit()
@@ -167,7 +169,7 @@ def fetch_input_prompt_by_id(
     result = db_session.scalar(query)
 
     if result is None:
-        raise HTTPException(422, "No input prompt found")
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "No input prompt found")
 
     return result
 

backend/onyx/db/llm.py

@@ -25,11 +25,8 @@ from onyx.server.manage.embedding.models import CloudEmbeddingProvider
 from onyx.server.manage.embedding.models import CloudEmbeddingProviderCreationRequest
 from onyx.server.manage.llm.models import LLMProviderUpsertRequest
 from onyx.server.manage.llm.models import LLMProviderView
-from onyx.utils.logger import setup_logger
 from shared_configs.enums import EmbeddingProvider
 
-logger = setup_logger()
-
 
 def update_group_llm_provider_relationships__no_commit(
     llm_provider_id: int,
@@ -270,34 +267,10 @@ def upsert_llm_provider(
         mc.name for mc in llm_provider_upsert_request.model_configurations
     }
 
-    default_model = fetch_default_llm_model(db_session)
-
-    # Build a lookup of requested visibility by model name
-    requested_visibility = {
-        mc.name: mc.is_visible
-        for mc in llm_provider_upsert_request.model_configurations
-    }
-
     # Delete removed models
     removed_ids = [
         mc.id for name, mc in existing_by_name.items() if name not in models_to_exist
     ]
-
-    # Prevent removing and hiding the default model
-    if default_model:
-        for name, mc in existing_by_name.items():
-            if mc.id == default_model.id:
-                if name not in models_to_exist:
-                    raise ValueError(
-                        f"Cannot remove the default model '{name}'. "
-                        "Please change the default model before removing."
-                    )
-                if not requested_visibility.get(name, True):
-                    raise ValueError(
-                        f"Cannot hide the default model '{name}'. "
-                        "Please change the default model before hiding."
-                    )
-
     if removed_ids:
         db_session.query(ModelConfiguration).filter(
             ModelConfiguration.id.in_(removed_ids)
@@ -562,6 +535,7 @@ def fetch_default_model(
         .options(selectinload(ModelConfiguration.llm_provider))
         .join(LLMModelFlow)
         .where(
+            ModelConfiguration.is_visible == True,  # noqa: E712
             LLMModelFlow.llm_model_flow_type == flow_type,
             LLMModelFlow.is_default == True,  # noqa: E712
         )
@@ -838,43 +812,6 @@ def sync_auto_mode_models(
             changes += 1
 
     db_session.commit()
-
-    # Update the default if this provider currently holds the global CHAT default
-    recommended_default = llm_recommendations.get_default_model(provider.provider)
-    if recommended_default:
-        current_default_name = db_session.scalar(
-            select(ModelConfiguration.name)
-            .join(
-                LLMModelFlow,
-                LLMModelFlow.model_configuration_id == ModelConfiguration.id,
-            )
-            .where(
-                ModelConfiguration.llm_provider_id == provider.id,
-                LLMModelFlow.llm_model_flow_type == LLMModelFlowType.CHAT,
-                LLMModelFlow.is_default == True,  # noqa: E712
-            )
-        )
-
-        if (
-            current_default_name is not None
-            and current_default_name != recommended_default.name
-        ):
-            try:
-                _update_default_model(
-                    db_session=db_session,
-                    provider_id=provider.id,
-                    model=recommended_default.name,
-                    flow_type=LLMModelFlowType.CHAT,
-                )
-                changes += 1
-            except ValueError:
-                logger.warning(
-                    "Recommended default model '%s' not found "
-                    "for provider_id=%s; skipping default update.",
-                    recommended_default.name,
-                    provider.id,
-                )
-
     return changes
 
 

backend/onyx/db/persona.py

@@ -3,7 +3,6 @@ from datetime import datetime
 from enum import Enum
 from uuid import UUID
 
-from fastapi import HTTPException
 from sqlalchemy import exists
 from sqlalchemy import func
 from sqlalchemy import not_
@@ -38,6 +37,8 @@ from onyx.db.models import User__UserGroup
 from onyx.db.models import UserFile
 from onyx.db.models import UserGroup
 from onyx.db.notification import create_notification
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.server.features.persona.models import FullPersonaSnapshot
 from onyx.server.features.persona.models import MinimalPersonaSnapshot
 from onyx.server.features.persona.models import PersonaSharedNotificationData
@@ -144,9 +145,9 @@ def fetch_persona_by_id_for_user(
     stmt = _add_user_filters(stmt=stmt, user=user, get_editable=get_editable)
     persona = db_session.scalars(stmt).one_or_none()
     if not persona:
-        raise HTTPException(
-            status_code=403,
-            detail=f"Persona with ID {persona_id} does not exist or user is not authorized to access it",
+        raise OnyxError(
+            OnyxErrorCode.INSUFFICIENT_PERMISSIONS,
+            f"Persona with ID {persona_id} does not exist or user is not authorized to access it",
         )
     return persona
 
@@ -315,7 +316,7 @@ def create_update_persona(
 
     except ValueError as e:
         logger.exception("Failed to create persona")
-        raise HTTPException(status_code=400, detail=str(e))
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, str(e))
 
     return FullPersonaSnapshot.from_model(persona)
 

backend/onyx/db/projects.py

@@ -3,7 +3,6 @@ import uuid
 from typing import List
 from uuid import UUID
 
-from fastapi import HTTPException
 from fastapi import UploadFile
 from pydantic import BaseModel
 from pydantic import ConfigDict
@@ -20,6 +19,8 @@ from onyx.db.models import Project__UserFile
 from onyx.db.models import User
 from onyx.db.models import UserFile
 from onyx.db.models import UserProject
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.server.documents.connector import upload_files
 from onyx.server.features.projects.projects_file_utils import categorize_uploaded_files
 from onyx.server.features.projects.projects_file_utils import RejectedFile
@@ -110,7 +111,7 @@ def upload_files_to_user_files_with_indexing(
 ) -> CategorizedFilesResult:
     if project_id is not None and user is not None:
         if not check_project_ownership(project_id, user.id, db_session):
-            raise HTTPException(status_code=404, detail="Project not found")
+            raise OnyxError(OnyxErrorCode.NOT_FOUND, "Project not found")
 
     categorized_files_result = create_user_files(
         files,

backend/onyx/db/search_settings.py

@@ -129,7 +129,7 @@ def get_current_search_settings(db_session: Session) -> SearchSettings:
     latest_settings = result.scalars().first()
 
     if not latest_settings:
-        raise RuntimeError("No search settings specified; DB is not in a valid state.")
+        raise RuntimeError("No search settings specified, DB is not in a valid state")
     return latest_settings
 
 

backend/onyx/db/tools.py

@@ -13,15 +13,12 @@ from onyx.db.constants import UNSET
 from onyx.db.constants import UnsetType
 from onyx.db.enums import MCPServerStatus
 from onyx.db.models import MCPServer
-from onyx.db.models import OAuthConfig
 from onyx.db.models import Tool
 from onyx.db.models import ToolCall
 from onyx.server.features.tool.models import Header
 from onyx.tools.built_in_tools import BUILT_IN_TOOL_TYPES
 from onyx.utils.headers import HeaderItemDict
 from onyx.utils.logger import setup_logger
-from onyx.utils.postgres_sanitization import sanitize_json_like
-from onyx.utils.postgres_sanitization import sanitize_string
 
 if TYPE_CHECKING:
     pass
@@ -162,26 +159,10 @@ def update_tool(
         ]
     if passthrough_auth is not None:
         tool.passthrough_auth = passthrough_auth
-    old_oauth_config_id = tool.oauth_config_id
     if not isinstance(oauth_config_id, UnsetType):
         tool.oauth_config_id = oauth_config_id
-        db_session.flush()
-
-    # Clean up orphaned OAuthConfig if the oauth_config_id was changed
-    if (
-        old_oauth_config_id is not None
-        and not isinstance(oauth_config_id, UnsetType)
-        and old_oauth_config_id != oauth_config_id
-    ):
-        other_tools = db_session.scalars(
-            select(Tool).where(Tool.oauth_config_id == old_oauth_config_id)
-        ).all()
-        if not other_tools:
-            oauth_config = db_session.get(OAuthConfig, old_oauth_config_id)
-            if oauth_config:
-                db_session.delete(oauth_config)
-
     db_session.commit()
+
     return tool
 
 
@@ -190,21 +171,8 @@ def delete_tool__no_commit(tool_id: int, db_session: Session) -> None:
     if tool is None:
         raise ValueError(f"Tool with ID {tool_id} does not exist")
 
-    oauth_config_id = tool.oauth_config_id
-
     db_session.delete(tool)
-    db_session.flush()
-
-    # Clean up orphaned OAuthConfig if no other tools reference it
-    if oauth_config_id is not None:
-        other_tools = db_session.scalars(
-            select(Tool).where(Tool.oauth_config_id == oauth_config_id)
-        ).all()
-        if not other_tools:
-            oauth_config = db_session.get(OAuthConfig, oauth_config_id)
-            if oauth_config:
-                db_session.delete(oauth_config)
-                db_session.flush()
+    db_session.flush()  # Don't commit yet, let caller decide when to commit
 
 
 def get_builtin_tool(
@@ -288,13 +256,11 @@ def create_tool_call_no_commit(
         tab_index=tab_index,
         tool_id=tool_id,
         tool_call_id=tool_call_id,
-        reasoning_tokens=(
-            sanitize_string(reasoning_tokens) if reasoning_tokens else reasoning_tokens
-        ),
-        tool_call_arguments=sanitize_json_like(tool_call_arguments),
-        tool_call_response=sanitize_json_like(tool_call_response),
+        reasoning_tokens=reasoning_tokens,
+        tool_call_arguments=tool_call_arguments,
+        tool_call_response=tool_call_response,
         tool_call_tokens=tool_call_tokens,
-        generated_images=sanitize_json_like(generated_images),
+        generated_images=generated_images,
     )
 
     db_session.add(tool_call)

backend/onyx/db/users.py

@@ -2,7 +2,6 @@ from collections.abc import Sequence
 from typing import Any
 from uuid import UUID
 
-from fastapi import HTTPException
 from fastapi_users.password import PasswordHelper
 from sqlalchemy import func
 from sqlalchemy import select
@@ -24,6 +23,8 @@ from onyx.db.models import Persona__User
 from onyx.db.models import SamlAccount
 from onyx.db.models import User
 from onyx.db.models import User__UserGroup
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.utils.variable_functionality import fetch_ee_implementation_or_noop
 
 
@@ -44,22 +45,22 @@ def validate_user_role_update(
     """
 
     if current_role == UserRole.SLACK_USER:
-        raise HTTPException(
-            status_code=400,
-            detail="To change a Slack User's role, they must first login to Onyx via the web app.",
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "To change a Slack User's role, they must first login to Onyx via the web app.",
         )
 
     if current_role == UserRole.EXT_PERM_USER:
         # This shouldn't happen, but just in case
-        raise HTTPException(
-            status_code=400,
-            detail="To change an External Permissioned User's role, they must first login to Onyx via the web app.",
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "To change an External Permissioned User's role, they must first login to Onyx via the web app.",
         )
 
     if current_role == UserRole.LIMITED:
-        raise HTTPException(
-            status_code=400,
-            detail="To change a Limited User's role, they must first login to Onyx via the web app.",
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "To change a Limited User's role, they must first login to Onyx via the web app.",
         )
 
     if explicit_override:
@@ -67,40 +68,34 @@ def validate_user_role_update(
 
     if requested_role == UserRole.CURATOR:
         # This shouldn't happen, but just in case
-        raise HTTPException(
-            status_code=400,
-            detail="Curator role must be set via the User Group Menu",
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "Curator role must be set via the User Group Menu",
         )
 
     if requested_role == UserRole.LIMITED:
         # This shouldn't happen, but just in case
-        raise HTTPException(
-            status_code=400,
-            detail=(
-                "A user cannot be set to a Limited User role. "
-                "This role is automatically assigned to users through certain endpoints in the API."
-            ),
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "A user cannot be set to a Limited User role. "
+            "This role is automatically assigned to users through certain endpoints in the API.",
         )
 
     if requested_role == UserRole.SLACK_USER:
         # This shouldn't happen, but just in case
-        raise HTTPException(
-            status_code=400,
-            detail=(
-                "A user cannot be set to a Slack User role. "
-                "This role is automatically assigned to users who only use Onyx via Slack."
-            ),
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "A user cannot be set to a Slack User role. "
+            "This role is automatically assigned to users who only use Onyx via Slack.",
         )
 
     if requested_role == UserRole.EXT_PERM_USER:
         # This shouldn't happen, but just in case
-        raise HTTPException(
-            status_code=400,
-            detail=(
-                "A user cannot be set to an External Permissioned User role. "
-                "This role is automatically assigned to users who have been "
-                "pulled in to the system via an external permissions system."
-            ),
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "A user cannot be set to an External Permissioned User role. "
+            "This role is automatically assigned to users who have been "
+            "pulled in to the system via an external permissions system.",
         )
 
 

backend/onyx/document_index/document_index_utils.py

@@ -32,6 +32,9 @@ def get_multipass_config(search_settings: SearchSettings) -> MultipassConfig:
     Determines whether to enable multipass and large chunks by examining
     the current search settings and the embedder configuration.
     """
+    if not search_settings:
+        return MultipassConfig(multipass_indexing=False, enable_large_chunks=False)
+
     multipass = should_use_multipass(search_settings)
     enable_large_chunks = SearchSettings.can_use_large_chunks(
         multipass, search_settings.model_name, search_settings.provider_type

backend/onyx/document_index/factory.py

@@ -26,10 +26,11 @@ def get_default_document_index(
     To be used for retrieval only. Indexing should be done through both indices
     until Vespa is deprecated.
 
+    Pre-existing docstring for this function, although secondary indices are not
+    currently supported:
     Primary index is the index that is used for querying/updating etc. Secondary
     index is for when both the currently used index and the upcoming index both
-    need to be updated. Updates are applied to both indices.
-    WARNING: In that case, get_all_document_indices should be used.
+    need to be updated, updates are applied to both indices.
     """
     if DISABLE_VECTOR_DB:
         return DisabledDocumentIndex(
@@ -50,26 +51,11 @@ def get_default_document_index(
     opensearch_retrieval_enabled = get_opensearch_retrieval_state(db_session)
     if opensearch_retrieval_enabled:
         indexing_setting = IndexingSetting.from_db_model(search_settings)
-        secondary_indexing_setting = (
-            IndexingSetting.from_db_model(secondary_search_settings)
-            if secondary_search_settings
-            else None
-        )
         return OpenSearchOldDocumentIndex(
             index_name=search_settings.index_name,
             embedding_dim=indexing_setting.final_embedding_dim,
             embedding_precision=indexing_setting.embedding_precision,
             secondary_index_name=secondary_index_name,
-            secondary_embedding_dim=(
-                secondary_indexing_setting.final_embedding_dim
-                if secondary_indexing_setting
-                else None
-            ),
-            secondary_embedding_precision=(
-                secondary_indexing_setting.embedding_precision
-                if secondary_indexing_setting
-                else None
-            ),
             large_chunks_enabled=search_settings.large_chunks_enabled,
             secondary_large_chunks_enabled=secondary_large_chunks_enabled,
             multitenant=MULTI_TENANT,
@@ -100,7 +86,8 @@ def get_all_document_indices(
     Used for indexing only. Until Vespa is deprecated we will index into both
     document indices. Retrieval is done through only one index however.
 
-    Large chunks are not currently supported so we hardcode appropriate values.
+    Large chunks and secondary indices are not currently supported so we
+    hardcode appropriate values.
 
     NOTE: Make sure the Vespa index object is returned first. In the rare event
     that there is some conflict between indexing and the migration task, it is
@@ -136,36 +123,13 @@ def get_all_document_indices(
     opensearch_document_index: OpenSearchOldDocumentIndex | None = None
     if ENABLE_OPENSEARCH_INDEXING_FOR_ONYX:
         indexing_setting = IndexingSetting.from_db_model(search_settings)
-        secondary_indexing_setting = (
-            IndexingSetting.from_db_model(secondary_search_settings)
-            if secondary_search_settings
-            else None
-        )
         opensearch_document_index = OpenSearchOldDocumentIndex(
             index_name=search_settings.index_name,
             embedding_dim=indexing_setting.final_embedding_dim,
             embedding_precision=indexing_setting.embedding_precision,
-            secondary_index_name=(
-                secondary_search_settings.index_name
-                if secondary_search_settings
-                else None
-            ),
-            secondary_embedding_dim=(
-                secondary_indexing_setting.final_embedding_dim
-                if secondary_indexing_setting
-                else None
-            ),
-            secondary_embedding_precision=(
-                secondary_indexing_setting.embedding_precision
-                if secondary_indexing_setting
-                else None
-            ),
-            large_chunks_enabled=search_settings.large_chunks_enabled,
-            secondary_large_chunks_enabled=(
-                secondary_search_settings.large_chunks_enabled
-                if secondary_search_settings
-                else None
-            ),
+            secondary_index_name=None,
+            large_chunks_enabled=False,
+            secondary_large_chunks_enabled=None,
             multitenant=MULTI_TENANT,
             httpx_client=httpx_client,
         )

backend/onyx/document_index/opensearch/client.py

@@ -61,25 +61,6 @@ class SearchHit(BaseModel, Generic[SchemaDocumentModel]):
     explanation: dict[str, Any] | None = None
 
 
-class IndexInfo(BaseModel):
-    """
-    Represents information about an OpenSearch index.
-    """
-
-    model_config = {"frozen": True}
-
-    name: str
-    health: str
-    status: str
-    num_primary_shards: str
-    num_replica_shards: str
-    docs_count: str
-    docs_deleted: str
-    created_at: str
-    total_size: str
-    primary_shards_size: str
-
-
 def get_new_body_without_vectors(body: dict[str, Any]) -> dict[str, Any]:
     """Recursively replaces vectors in the body with their length.
 
@@ -178,8 +159,8 @@ class OpenSearchClient(AbstractContextManager):
         Raises:
             Exception: There was an error creating the search pipeline.
         """
-        response = self._client.search_pipeline.put(id=pipeline_id, body=pipeline_body)
-        if not response.get("acknowledged", False):
+        result = self._client.search_pipeline.put(id=pipeline_id, body=pipeline_body)
+        if not result.get("acknowledged", False):
             raise RuntimeError(f"Failed to create search pipeline {pipeline_id}.")
 
     @log_function_time(print_only=True, debug_only=True, include_args=True)
@@ -192,8 +173,8 @@ class OpenSearchClient(AbstractContextManager):
         Raises:
             Exception: There was an error deleting the search pipeline.
         """
-        response = self._client.search_pipeline.delete(id=pipeline_id)
-        if not response.get("acknowledged", False):
+        result = self._client.search_pipeline.delete(id=pipeline_id)
+        if not result.get("acknowledged", False):
             raise RuntimeError(f"Failed to delete search pipeline {pipeline_id}.")
 
     @log_function_time(print_only=True, debug_only=True, include_args=True)
@@ -217,34 +198,6 @@ class OpenSearchClient(AbstractContextManager):
             logger.error(f"Failed to put cluster settings: {response}.")
             return False
 
-    @log_function_time(print_only=True, debug_only=True)
-    def list_indices_with_info(self) -> list[IndexInfo]:
-        """
-        Lists the indices in the OpenSearch cluster with information about each
-        index.
-
-        Returns:
-            A list of IndexInfo objects for each index.
-        """
-        response = self._client.cat.indices(format="json")
-        indices: list[IndexInfo] = []
-        for raw_index_info in response:
-            indices.append(
-                IndexInfo(
-                    name=raw_index_info.get("index", ""),
-                    health=raw_index_info.get("health", ""),
-                    status=raw_index_info.get("status", ""),
-                    num_primary_shards=raw_index_info.get("pri", ""),
-                    num_replica_shards=raw_index_info.get("rep", ""),
-                    docs_count=raw_index_info.get("docs.count", ""),
-                    docs_deleted=raw_index_info.get("docs.deleted", ""),
-                    created_at=raw_index_info.get("creation.date.string", ""),
-                    total_size=raw_index_info.get("store.size", ""),
-                    primary_shards_size=raw_index_info.get("pri.store.size", ""),
-                )
-            )
-        return indices
-
     @log_function_time(print_only=True, debug_only=True)
     def ping(self) -> bool:
         """Pings the OpenSearch cluster.

backend/onyx/document_index/opensearch/opensearch_document_index.py

@@ -271,9 +271,6 @@ class OpenSearchOldDocumentIndex(OldDocumentIndex):
         embedding_dim: int,
         embedding_precision: EmbeddingPrecision,
         secondary_index_name: str | None,
-        secondary_embedding_dim: int | None,
-        secondary_embedding_precision: EmbeddingPrecision | None,
-        # NOTE: We do not support large chunks right now.
         large_chunks_enabled: bool,  # noqa: ARG002
         secondary_large_chunks_enabled: bool | None,  # noqa: ARG002
         multitenant: bool = False,
@@ -289,25 +286,12 @@ class OpenSearchOldDocumentIndex(OldDocumentIndex):
                 f"Expected {MULTI_TENANT}, got {multitenant}."
             )
         tenant_id = get_current_tenant_id()
-        tenant_state = TenantState(tenant_id=tenant_id, multitenant=multitenant)
         self._real_index = OpenSearchDocumentIndex(
-            tenant_state=tenant_state,
+            tenant_state=TenantState(tenant_id=tenant_id, multitenant=multitenant),
             index_name=index_name,
             embedding_dim=embedding_dim,
             embedding_precision=embedding_precision,
         )
-        self._secondary_real_index: OpenSearchDocumentIndex | None = None
-        if self.secondary_index_name:
-            if secondary_embedding_dim is None or secondary_embedding_precision is None:
-                raise ValueError(
-                    "Bug: Secondary index embedding dimension and precision are not set."
-                )
-            self._secondary_real_index = OpenSearchDocumentIndex(
-                tenant_state=tenant_state,
-                index_name=self.secondary_index_name,
-                embedding_dim=secondary_embedding_dim,
-                embedding_precision=secondary_embedding_precision,
-            )
 
     @staticmethod
     def register_multitenant_indices(
@@ -323,38 +307,19 @@ class OpenSearchOldDocumentIndex(OldDocumentIndex):
         self,
         primary_embedding_dim: int,
         primary_embedding_precision: EmbeddingPrecision,
-        secondary_index_embedding_dim: int | None,
-        secondary_index_embedding_precision: EmbeddingPrecision | None,
+        secondary_index_embedding_dim: int | None,  # noqa: ARG002
+        secondary_index_embedding_precision: EmbeddingPrecision | None,  # noqa: ARG002
     ) -> None:
-        self._real_index.verify_and_create_index_if_necessary(
+        # Only handle primary index for now, ignore secondary.
+        return self._real_index.verify_and_create_index_if_necessary(
             primary_embedding_dim, primary_embedding_precision
         )
-        if self.secondary_index_name:
-            if (
-                secondary_index_embedding_dim is None
-                or secondary_index_embedding_precision is None
-            ):
-                raise ValueError(
-                    "Bug: Secondary index embedding dimension and precision are not set."
-                )
-            assert (
-                self._secondary_real_index is not None
-            ), "Bug: Secondary index is not initialized."
-            self._secondary_real_index.verify_and_create_index_if_necessary(
-                secondary_index_embedding_dim, secondary_index_embedding_precision
-            )
 
     def index(
         self,
         chunks: list[DocMetadataAwareIndexChunk],
         index_batch_params: IndexBatchParams,
     ) -> set[OldDocumentInsertionRecord]:
-        """
-        NOTE: Do NOT consider the secondary index here. A separate indexing
-        pipeline will be responsible for indexing to the secondary index. This
-        design is not ideal and we should reconsider this when revamping index
-        swapping.
-        """
         # Convert IndexBatchParams to IndexingMetadata.
         chunk_counts: dict[str, IndexingMetadata.ChunkCounts] = {}
         for doc_id in index_batch_params.doc_id_to_new_chunk_cnt:
@@ -386,20 +351,7 @@ class OpenSearchOldDocumentIndex(OldDocumentIndex):
         tenant_id: str,  # noqa: ARG002
         chunk_count: int | None,
     ) -> int:
-        """
-        NOTE: Remember to handle the secondary index here. There is no separate
-        pipeline for deleting chunks in the secondary index. This design is not
-        ideal and we should reconsider this when revamping index swapping.
-        """
-        total_chunks_deleted = self._real_index.delete(doc_id, chunk_count)
-        if self.secondary_index_name:
-            assert (
-                self._secondary_real_index is not None
-            ), "Bug: Secondary index is not initialized."
-            total_chunks_deleted += self._secondary_real_index.delete(
-                doc_id, chunk_count
-            )
-        return total_chunks_deleted
+        return self._real_index.delete(doc_id, chunk_count)
 
     def update_single(
         self,
@@ -410,11 +362,6 @@ class OpenSearchOldDocumentIndex(OldDocumentIndex):
         fields: VespaDocumentFields | None,
         user_fields: VespaDocumentUserFields | None,
     ) -> None:
-        """
-        NOTE: Remember to handle the secondary index here. There is no separate
-        pipeline for updating chunks in the secondary index. This design is not
-        ideal and we should reconsider this when revamping index swapping.
-        """
         if fields is None and user_fields is None:
             logger.warning(
                 f"Tried to update document {doc_id} with no updated fields or user fields."
@@ -445,11 +392,6 @@ class OpenSearchOldDocumentIndex(OldDocumentIndex):
 
         try:
             self._real_index.update([update_request])
-            if self.secondary_index_name:
-                assert (
-                    self._secondary_real_index is not None
-                ), "Bug: Secondary index is not initialized."
-                self._secondary_real_index.update([update_request])
         except NotFoundError:
             logger.exception(
                 f"Tried to update document {doc_id} but at least one of its chunks was not found in OpenSearch. "
@@ -739,8 +681,7 @@ class OpenSearchDocumentIndex(DocumentIndex):
             The number of chunks successfully deleted.
         """
         logger.debug(
-            f"[OpenSearchDocumentIndex] Deleting document {document_id} from index "
-            f"{self._index_name}."
+            f"[OpenSearchDocumentIndex] Deleting document {document_id} from index {self._index_name}."
         )
         query_body = DocumentQuery.delete_from_document_id_query(
             document_id=document_id,
@@ -776,8 +717,7 @@ class OpenSearchDocumentIndex(DocumentIndex):
                 specified documents.
         """
         logger.debug(
-            f"[OpenSearchDocumentIndex] Updating {len(update_requests)} chunks for index "
-            f"{self._index_name}."
+            f"[OpenSearchDocumentIndex] Updating {len(update_requests)} chunks for index {self._index_name}."
         )
         for update_request in update_requests:
             properties_to_update: dict[str, Any] = dict()
@@ -833,11 +773,9 @@ class OpenSearchDocumentIndex(DocumentIndex):
                     # here.
                     # TODO(andrei): Fix the aforementioned race condition.
                     raise ChunkCountNotFoundError(
-                        f"Tried to update document {doc_id} but its chunk count is not known. "
-                        "Older versions of the application used to permit this but is not a "
-                        "supported state for a document when using OpenSearch. The document was "
-                        "likely just added to the indexing pipeline and the chunk count will be "
-                        "updated shortly."
+                        f"Tried to update document {doc_id} but its chunk count is not known. Older versions of the "
+                        "application used to permit this but is not a supported state for a document when using OpenSearch. "
+                        "The document was likely just added to the indexing pipeline and the chunk count will be updated shortly."
                     )
                 if doc_chunk_count == 0:
                     raise ValueError(
@@ -869,8 +807,7 @@ class OpenSearchDocumentIndex(DocumentIndex):
         chunk IDs vs querying for matching document chunks.
         """
         logger.debug(
-            f"[OpenSearchDocumentIndex] Retrieving {len(chunk_requests)} chunks for index "
-            f"{self._index_name}."
+            f"[OpenSearchDocumentIndex] Retrieving {len(chunk_requests)} chunks for index {self._index_name}."
         )
         results: list[InferenceChunk] = []
         for chunk_request in chunk_requests:
@@ -917,8 +854,7 @@ class OpenSearchDocumentIndex(DocumentIndex):
         num_to_retrieve: int,
     ) -> list[InferenceChunk]:
         logger.debug(
-            f"[OpenSearchDocumentIndex] Hybrid retrieving {num_to_retrieve} chunks for index "
-            f"{self._index_name}."
+            f"[OpenSearchDocumentIndex] Hybrid retrieving {num_to_retrieve} chunks for index {self._index_name}."
         )
         # TODO(andrei): This could be better, the caller should just make this
         # decision when passing in the query param. See the above comment in the
@@ -938,10 +874,8 @@ class OpenSearchDocumentIndex(DocumentIndex):
             index_filters=filters,
             include_hidden=False,
         )
-        # NOTE: Using z-score normalization here because it's better for hybrid
-        # search from a theoretical standpoint. Empirically on a small dataset
-        # of up to 10K docs, it's not very different. Likely more impactful at
-        # scale.
+        # NOTE: Using z-score normalization here because it's better for hybrid search from a theoretical standpoint.
+        # Empirically on a small dataset of up to 10K docs, it's not very different. Likely more impactful at scale.
         # https://opensearch.org/blog/introducing-the-z-score-normalization-technique-for-hybrid-search/
         search_hits: list[SearchHit[DocumentChunk]] = self._client.search(
             body=query_body,
@@ -968,8 +902,7 @@ class OpenSearchDocumentIndex(DocumentIndex):
         dirty: bool | None = None,  # noqa: ARG002
     ) -> list[InferenceChunk]:
         logger.debug(
-            f"[OpenSearchDocumentIndex] Randomly retrieving {num_to_retrieve} chunks for index "
-            f"{self._index_name}."
+            f"[OpenSearchDocumentIndex] Randomly retrieving {num_to_retrieve} chunks for index {self._index_name}."
         )
         query_body = DocumentQuery.get_random_search_query(
             tenant_state=self._tenant_state,
@@ -999,8 +932,7 @@ class OpenSearchDocumentIndex(DocumentIndex):
         complete.
         """
         logger.debug(
-            f"[OpenSearchDocumentIndex] Indexing {len(chunks)} raw chunks for index "
-            f"{self._index_name}."
+            f"[OpenSearchDocumentIndex] Indexing {len(chunks)} raw chunks for index {self._index_name}."
         )
         # Do not raise if the document already exists, just update. This is
         # because the document may already have been indexed during the

backend/onyx/document_index/opensearch/schema.py

@@ -243,8 +243,7 @@ class DocumentChunk(BaseModel):
             return value
         if not isinstance(value, int):
             raise ValueError(
-                f"Bug: Expected an int for the last_updated property from OpenSearch, got "
-                f"{type(value)} instead."
+                f"Bug: Expected an int for the last_updated property from OpenSearch, got {type(value)} instead."
             )
         return datetime.fromtimestamp(value, tz=timezone.utc)
 
@@ -285,22 +284,19 @@ class DocumentChunk(BaseModel):
         elif isinstance(value, TenantState):
             if MULTI_TENANT != value.multitenant:
                 raise ValueError(
-                    f"Bug: An existing TenantState object was supplied to the DocumentChunk model "
-                    f"but its multi-tenant mode ({value.multitenant}) does not match the program's "
-                    "current global tenancy state."
+                    f"Bug: An existing TenantState object was supplied to the DocumentChunk model but its multi-tenant mode "
+                    f"({value.multitenant}) does not match the program's current global tenancy state."
                 )
             return value
         elif not isinstance(value, str):
             raise ValueError(
-                f"Bug: Expected a str for the tenant_id property from OpenSearch, got "
-                f"{type(value)} instead."
+                f"Bug: Expected a str for the tenant_id property from OpenSearch, got {type(value)} instead."
             )
         else:
             if not MULTI_TENANT:
                 raise ValueError(
-                    "Bug: Got a non-null str for the tenant_id property from OpenSearch but "
-                    "multi-tenant mode is not enabled. This is unexpected because in single-tenant "
-                    "mode we don't expect to see a tenant_id."
+                    "Bug: Got a non-null str for the tenant_id property from OpenSearch but multi-tenant mode is not enabled. "
+                    "This is unexpected because in single-tenant mode we don't expect to see a tenant_id."
                 )
             return TenantState(tenant_id=value, multitenant=MULTI_TENANT)
 
@@ -356,10 +352,8 @@ class DocumentSchema:
             "properties": {
                 TITLE_FIELD_NAME: {
                     "type": "text",
-                    # Language analyzer (e.g. english) stems at index and search
-                    # time for variant matching. Configure via
-                    # OPENSEARCH_TEXT_ANALYZER. Existing indices need reindexing
-                    # after a change.
+                    # Language analyzer (e.g. english) stems at index and search time for variant matching.
+                    # Configure via OPENSEARCH_TEXT_ANALYZER. Existing indices need reindexing after a change.
                     "analyzer": OPENSEARCH_TEXT_ANALYZER,
                     "fields": {
                         # Subfield accessed as title.keyword. Not indexed for

backend/onyx/document_index/vespa/index.py

@@ -465,12 +465,6 @@ class VespaIndex(DocumentIndex):
         chunks: list[DocMetadataAwareIndexChunk],
         index_batch_params: IndexBatchParams,
     ) -> set[OldDocumentInsertionRecord]:
-        """
-        NOTE: Do NOT consider the secondary index here. A separate indexing
-        pipeline will be responsible for indexing to the secondary index. This
-        design is not ideal and we should reconsider this when revamping index
-        swapping.
-        """
         if len(index_batch_params.doc_id_to_previous_chunk_cnt) != len(
             index_batch_params.doc_id_to_new_chunk_cnt
         ):
@@ -665,10 +659,6 @@ class VespaIndex(DocumentIndex):
         """Note: if the document id does not exist, the update will be a no-op and the
         function will complete with no errors or exceptions.
         Handle other exceptions if you wish to implement retry behavior
-
-        NOTE: Remember to handle the secondary index here. There is no separate
-        pipeline for updating chunks in the secondary index. This design is not
-        ideal and we should reconsider this when revamping index swapping.
         """
         if fields is None and user_fields is None:
             logger.warning(
@@ -689,6 +679,13 @@ class VespaIndex(DocumentIndex):
                 f"Bug: Tenant ID mismatch. Expected {tenant_state.tenant_id}, got {tenant_id}."
             )
 
+        vespa_document_index = VespaDocumentIndex(
+            index_name=self.index_name,
+            tenant_state=tenant_state,
+            large_chunks_enabled=self.large_chunks_enabled,
+            httpx_client=self.httpx_client,
+        )
+
         project_ids: set[int] | None = None
         if user_fields is not None and user_fields.user_projects is not None:
             project_ids = set(user_fields.user_projects)
@@ -708,20 +705,7 @@ class VespaIndex(DocumentIndex):
             persona_ids=persona_ids,
         )
 
-        indices = [self.index_name]
-        if self.secondary_index_name:
-            indices.append(self.secondary_index_name)
-
-        for index_name in indices:
-            vespa_document_index = VespaDocumentIndex(
-                index_name=index_name,
-                tenant_state=tenant_state,
-                large_chunks_enabled=self.index_to_large_chunks_enabled.get(
-                    index_name, False
-                ),
-                httpx_client=self.httpx_client,
-            )
-            vespa_document_index.update([update_request])
+        vespa_document_index.update([update_request])
 
     def delete_single(
         self,
@@ -730,11 +714,6 @@ class VespaIndex(DocumentIndex):
         tenant_id: str,
         chunk_count: int | None,
     ) -> int:
-        """
-        NOTE: Remember to handle the secondary index here. There is no separate
-        pipeline for deleting chunks in the secondary index. This design is not
-        ideal and we should reconsider this when revamping index swapping.
-        """
         tenant_state = TenantState(
             tenant_id=get_current_tenant_id(),
             multitenant=MULTI_TENANT,
@@ -747,25 +726,13 @@ class VespaIndex(DocumentIndex):
             raise ValueError(
                 f"Bug: Tenant ID mismatch. Expected {tenant_state.tenant_id}, got {tenant_id}."
             )
-        indices = [self.index_name]
-        if self.secondary_index_name:
-            indices.append(self.secondary_index_name)
-
-        total_chunks_deleted = 0
-        for index_name in indices:
-            vespa_document_index = VespaDocumentIndex(
-                index_name=index_name,
-                tenant_state=tenant_state,
-                large_chunks_enabled=self.index_to_large_chunks_enabled.get(
-                    index_name, False
-                ),
-                httpx_client=self.httpx_client,
-            )
-            total_chunks_deleted += vespa_document_index.delete(
-                document_id=doc_id, chunk_count=chunk_count
-            )
-
-        return total_chunks_deleted
+        vespa_document_index = VespaDocumentIndex(
+            index_name=self.index_name,
+            tenant_state=tenant_state,
+            large_chunks_enabled=self.large_chunks_enabled,
+            httpx_client=self.httpx_client,
+        )
+        return vespa_document_index.delete(document_id=doc_id, chunk_count=chunk_count)
 
     def id_based_retrieval(
         self,

backend/onyx/error_handling/exceptions.py

@@ -48,11 +48,10 @@ class OnyxError(Exception):
         *,
         status_code_override: int | None = None,
     ) -> None:
-        resolved_message = message or error_code.code
-        super().__init__(resolved_message)
         self.error_code = error_code
-        self.message = resolved_message
+        self.message = message or error_code.code
         self._status_code_override = status_code_override
+        super().__init__(self.message)
 
     @property
     def status_code(self) -> int:

backend/onyx/indexing/indexing_pipeline.py

@@ -49,6 +49,7 @@ from onyx.indexing.embedder import IndexingEmbedder
 from onyx.indexing.models import DocAwareChunk
 from onyx.indexing.models import IndexingBatchAdapter
 from onyx.indexing.models import UpdatableChunkData
+from onyx.indexing.postgres_sanitization import sanitize_documents_for_postgres
 from onyx.indexing.vector_db_insertion import write_chunks_to_vector_db_with_backoff
 from onyx.llm.factory import get_default_llm_with_vision
 from onyx.llm.factory import get_llm_for_contextual_rag
@@ -64,7 +65,6 @@ from onyx.prompts.contextual_retrieval import CONTEXTUAL_RAG_PROMPT1
 from onyx.prompts.contextual_retrieval import CONTEXTUAL_RAG_PROMPT2
 from onyx.prompts.contextual_retrieval import DOCUMENT_SUMMARY_PROMPT
 from onyx.utils.logger import setup_logger
-from onyx.utils.postgres_sanitization import sanitize_documents_for_postgres
 from onyx.utils.threadpool_concurrency import run_functions_tuples_in_parallel
 from onyx.utils.timing import log_function_time
 

backend/onyx/indexing/postgres_sanitization.py

@@ -1,49 +1,30 @@
-import re
 from typing import Any
 
 from onyx.access.models import ExternalAccess
 from onyx.connectors.models import BasicExpertInfo
 from onyx.connectors.models import Document
 from onyx.connectors.models import HierarchyNode
-from onyx.utils.logger import setup_logger
-
-logger = setup_logger()
-
-_SURROGATE_RE = re.compile(r"[\ud800-\udfff]")
 
 
-def sanitize_string(value: str) -> str:
-    """Strip characters that PostgreSQL text/JSONB columns cannot store.
-
-    Removes:
-    - NUL bytes (\\x00)
-    - UTF-16 surrogates (\\ud800-\\udfff), which are invalid in UTF-8
-    """
-    sanitized = value.replace("\x00", "")
-    sanitized = _SURROGATE_RE.sub("", sanitized)
-    if value and not sanitized:
-        logger.warning(
-            "sanitize_string: all characters were removed from a non-empty string"
-        )
-    return sanitized
+def _sanitize_string(value: str) -> str:
+    return value.replace("\x00", "")
 
 
-def sanitize_json_like(value: Any) -> Any:
-    """Recursively sanitize all strings in a JSON-like structure (dict/list/tuple)."""
+def _sanitize_json_like(value: Any) -> Any:
     if isinstance(value, str):
-        return sanitize_string(value)
+        return _sanitize_string(value)
 
     if isinstance(value, list):
-        return [sanitize_json_like(item) for item in value]
+        return [_sanitize_json_like(item) for item in value]
 
     if isinstance(value, tuple):
-        return tuple(sanitize_json_like(item) for item in value)
+        return tuple(_sanitize_json_like(item) for item in value)
 
     if isinstance(value, dict):
         sanitized: dict[Any, Any] = {}
         for key, nested_value in value.items():
-            cleaned_key = sanitize_string(key) if isinstance(key, str) else key
-            sanitized[cleaned_key] = sanitize_json_like(nested_value)
+            cleaned_key = _sanitize_string(key) if isinstance(key, str) else key
+            sanitized[cleaned_key] = _sanitize_json_like(nested_value)
         return sanitized
 
     return value
@@ -53,27 +34,27 @@ def _sanitize_expert_info(expert: BasicExpertInfo) -> BasicExpertInfo:
     return expert.model_copy(
         update={
             "display_name": (
-                sanitize_string(expert.display_name)
+                _sanitize_string(expert.display_name)
                 if expert.display_name is not None
                 else None
             ),
             "first_name": (
-                sanitize_string(expert.first_name)
+                _sanitize_string(expert.first_name)
                 if expert.first_name is not None
                 else None
             ),
             "middle_initial": (
-                sanitize_string(expert.middle_initial)
+                _sanitize_string(expert.middle_initial)
                 if expert.middle_initial is not None
                 else None
             ),
             "last_name": (
-                sanitize_string(expert.last_name)
+                _sanitize_string(expert.last_name)
                 if expert.last_name is not None
                 else None
             ),
             "email": (
-                sanitize_string(expert.email) if expert.email is not None else None
+                _sanitize_string(expert.email) if expert.email is not None else None
             ),
         }
     )
@@ -82,10 +63,10 @@ def _sanitize_expert_info(expert: BasicExpertInfo) -> BasicExpertInfo:
 def _sanitize_external_access(external_access: ExternalAccess) -> ExternalAccess:
     return ExternalAccess(
         external_user_emails={
-            sanitize_string(email) for email in external_access.external_user_emails
+            _sanitize_string(email) for email in external_access.external_user_emails
         },
         external_user_group_ids={
-            sanitize_string(group_id)
+            _sanitize_string(group_id)
             for group_id in external_access.external_user_group_ids
         },
         is_public=external_access.is_public,
@@ -95,26 +76,26 @@ def _sanitize_external_access(external_access: ExternalAccess) -> ExternalAccess
 def sanitize_document_for_postgres(document: Document) -> Document:
     cleaned_doc = document.model_copy(deep=True)
 
-    cleaned_doc.id = sanitize_string(cleaned_doc.id)
-    cleaned_doc.semantic_identifier = sanitize_string(cleaned_doc.semantic_identifier)
+    cleaned_doc.id = _sanitize_string(cleaned_doc.id)
+    cleaned_doc.semantic_identifier = _sanitize_string(cleaned_doc.semantic_identifier)
     if cleaned_doc.title is not None:
-        cleaned_doc.title = sanitize_string(cleaned_doc.title)
+        cleaned_doc.title = _sanitize_string(cleaned_doc.title)
     if cleaned_doc.parent_hierarchy_raw_node_id is not None:
-        cleaned_doc.parent_hierarchy_raw_node_id = sanitize_string(
+        cleaned_doc.parent_hierarchy_raw_node_id = _sanitize_string(
             cleaned_doc.parent_hierarchy_raw_node_id
         )
 
     cleaned_doc.metadata = {
-        sanitize_string(key): (
-            [sanitize_string(item) for item in value]
+        _sanitize_string(key): (
+            [_sanitize_string(item) for item in value]
             if isinstance(value, list)
-            else sanitize_string(value)
+            else _sanitize_string(value)
         )
         for key, value in cleaned_doc.metadata.items()
     }
 
     if cleaned_doc.doc_metadata is not None:
-        cleaned_doc.doc_metadata = sanitize_json_like(cleaned_doc.doc_metadata)
+        cleaned_doc.doc_metadata = _sanitize_json_like(cleaned_doc.doc_metadata)
 
     if cleaned_doc.primary_owners is not None:
         cleaned_doc.primary_owners = [
@@ -132,11 +113,11 @@ def sanitize_document_for_postgres(document: Document) -> Document:
 
     for section in cleaned_doc.sections:
         if section.link is not None:
-            section.link = sanitize_string(section.link)
+            section.link = _sanitize_string(section.link)
         if section.text is not None:
-            section.text = sanitize_string(section.text)
+            section.text = _sanitize_string(section.text)
         if section.image_file_id is not None:
-            section.image_file_id = sanitize_string(section.image_file_id)
+            section.image_file_id = _sanitize_string(section.image_file_id)
 
     return cleaned_doc
 
@@ -148,12 +129,12 @@ def sanitize_documents_for_postgres(documents: list[Document]) -> list[Document]
 def sanitize_hierarchy_node_for_postgres(node: HierarchyNode) -> HierarchyNode:
     cleaned_node = node.model_copy(deep=True)
 
-    cleaned_node.raw_node_id = sanitize_string(cleaned_node.raw_node_id)
-    cleaned_node.display_name = sanitize_string(cleaned_node.display_name)
+    cleaned_node.raw_node_id = _sanitize_string(cleaned_node.raw_node_id)
+    cleaned_node.display_name = _sanitize_string(cleaned_node.display_name)
     if cleaned_node.raw_parent_id is not None:
-        cleaned_node.raw_parent_id = sanitize_string(cleaned_node.raw_parent_id)
+        cleaned_node.raw_parent_id = _sanitize_string(cleaned_node.raw_parent_id)
     if cleaned_node.link is not None:
-        cleaned_node.link = sanitize_string(cleaned_node.link)
+        cleaned_node.link = _sanitize_string(cleaned_node.link)
 
     if cleaned_node.external_access is not None:
         cleaned_node.external_access = _sanitize_external_access(

backend/onyx/llm/constants.py

@@ -22,7 +22,6 @@ class LlmProviderNames(str, Enum):
     OPENROUTER = "openrouter"
     AZURE = "azure"
     OLLAMA_CHAT = "ollama_chat"
-    LM_STUDIO = "lm_studio"
     MISTRAL = "mistral"
     LITELLM_PROXY = "litellm_proxy"
 
@@ -42,7 +41,6 @@ WELL_KNOWN_PROVIDER_NAMES = [
     LlmProviderNames.OPENROUTER,
     LlmProviderNames.AZURE,
     LlmProviderNames.OLLAMA_CHAT,
-    LlmProviderNames.LM_STUDIO,
 ]
 
 
@@ -58,7 +56,6 @@ PROVIDER_DISPLAY_NAMES: dict[str, str] = {
     LlmProviderNames.AZURE: "Azure",
     "ollama": "Ollama",
     LlmProviderNames.OLLAMA_CHAT: "Ollama",
-    LlmProviderNames.LM_STUDIO: "LM Studio",
     "groq": "Groq",
     "anyscale": "Anyscale",
     "deepseek": "DeepSeek",
@@ -106,7 +103,6 @@ AGGREGATOR_PROVIDERS: set[str] = {
     LlmProviderNames.BEDROCK_CONVERSE,
     LlmProviderNames.OPENROUTER,
     LlmProviderNames.OLLAMA_CHAT,
-    LlmProviderNames.LM_STUDIO,
     LlmProviderNames.VERTEX_AI,
     LlmProviderNames.AZURE,
 }

backend/onyx/llm/factory.py

@@ -20,9 +20,7 @@ from onyx.llm.multi_llm import LitellmLLM
 from onyx.llm.override_models import LLMOverride
 from onyx.llm.utils import get_max_input_tokens_from_llm_provider
 from onyx.llm.utils import model_supports_image_input
-from onyx.llm.well_known_providers.constants import (
-    PROVIDERS_WITH_SPECIAL_API_KEY_HANDLING,
-)
+from onyx.llm.well_known_providers.constants import OLLAMA_API_KEY_CONFIG_KEY
 from onyx.natural_language_processing.utils import get_tokenizer
 from onyx.server.manage.llm.models import LLMProviderView
 from onyx.utils.headers import build_llm_extra_headers
@@ -34,18 +32,14 @@ logger = setup_logger()
 def _build_provider_extra_headers(
     provider: str, custom_config: dict[str, str] | None
 ) -> dict[str, str]:
-    if provider in PROVIDERS_WITH_SPECIAL_API_KEY_HANDLING and custom_config:
-        raw = custom_config.get(PROVIDERS_WITH_SPECIAL_API_KEY_HANDLING[provider])
-        api_key = raw.strip() if raw else None
+    if provider == LlmProviderNames.OLLAMA_CHAT and custom_config:
+        raw_api_key = custom_config.get(OLLAMA_API_KEY_CONFIG_KEY)
+        api_key = raw_api_key.strip() if raw_api_key else None
         if not api_key:
             return {}
-        return {
-            "Authorization": (
-                api_key
-                if api_key.lower().startswith("bearer ")
-                else f"Bearer {api_key}"
-            )
-        }
+        if not api_key.lower().startswith("bearer "):
+            api_key = f"Bearer {api_key}"
+        return {"Authorization": api_key}
 
     # Passing these will put Onyx on the OpenRouter leaderboard
     elif provider == LlmProviderNames.OPENROUTER:

backend/onyx/llm/model_metadata_enrichments.json

@@ -2516,10 +2516,6 @@
     "model_vendor": "openai",
     "model_version": "2025-10-06"
   },
-  "gpt-5.4": {
-    "display_name": "GPT-5.4",
-    "model_vendor": "openai"
-  },
   "gpt-5.2-pro-2025-12-11": {
     "display_name": "GPT-5.2 Pro",
     "model_vendor": "openai",

backend/onyx/llm/multi_llm.py

@@ -42,7 +42,6 @@ from onyx.llm.well_known_providers.constants import AWS_SECRET_ACCESS_KEY_KWARG
 from onyx.llm.well_known_providers.constants import (
     AWS_SECRET_ACCESS_KEY_KWARG_ENV_VAR_FORMAT,
 )
-from onyx.llm.well_known_providers.constants import LM_STUDIO_API_KEY_CONFIG_KEY
 from onyx.llm.well_known_providers.constants import OLLAMA_API_KEY_CONFIG_KEY
 from onyx.llm.well_known_providers.constants import VERTEX_CREDENTIALS_FILE_KWARG
 from onyx.llm.well_known_providers.constants import (
@@ -93,98 +92,6 @@ def _prompt_to_dicts(prompt: LanguageModelInput) -> list[dict[str, Any]]:
     return [prompt.model_dump(exclude_none=True)]
 
 
-def _normalize_content(raw: Any) -> str:
-    """Normalize a message content field to a plain string.
-
-    Content can be a string, None, or a list of content-block dicts
-    (e.g. [{"type": "text", "text": "..."}]).
-    """
-    if raw is None:
-        return ""
-    if isinstance(raw, str):
-        return raw
-    if isinstance(raw, list):
-        return "\n".join(
-            block.get("text", "") if isinstance(block, dict) else str(block)
-            for block in raw
-        )
-    return str(raw)
-
-
-def _strip_tool_content_from_messages(
-    messages: list[dict[str, Any]],
-) -> list[dict[str, Any]]:
-    """Convert tool-related messages to plain text.
-
-    Bedrock's Converse API requires toolConfig when messages contain
-    toolUse/toolResult content blocks. When no tools are provided for the
-    current request, we must convert any tool-related history into plain text
-    to avoid the "toolConfig field must be defined" error.
-
-    This is the same approach used by _OllamaHistoryMessageFormatter.
-    """
-    result: list[dict[str, Any]] = []
-    for msg in messages:
-        role = msg.get("role")
-        tool_calls = msg.get("tool_calls")
-
-        if role == "assistant" and tool_calls:
-            # Convert structured tool calls to text representation
-            tool_call_lines = []
-            for tc in tool_calls:
-                func = tc.get("function", {})
-                name = func.get("name", "unknown")
-                args = func.get("arguments", "{}")
-                tc_id = tc.get("id", "")
-                tool_call_lines.append(
-                    f"[Tool Call] name={name} id={tc_id} args={args}"
-                )
-
-            existing_content = _normalize_content(msg.get("content"))
-            parts = (
-                [existing_content] + tool_call_lines
-                if existing_content
-                else tool_call_lines
-            )
-            new_msg = {
-                "role": "assistant",
-                "content": "\n".join(parts),
-            }
-            result.append(new_msg)
-
-        elif role == "tool":
-            # Convert tool response to user message with text content
-            tool_call_id = msg.get("tool_call_id", "")
-            content = _normalize_content(msg.get("content"))
-            tool_result_text = f"[Tool Result] id={tool_call_id}\n{content}"
-            # Merge into previous user message if it is also a converted
-            # tool result to avoid consecutive user messages (Bedrock requires
-            # strict user/assistant alternation).
-            if (
-                result
-                and result[-1]["role"] == "user"
-                and "[Tool Result]" in result[-1].get("content", "")
-            ):
-                result[-1]["content"] += "\n\n" + tool_result_text
-            else:
-                result.append({"role": "user", "content": tool_result_text})
-
-        else:
-            result.append(msg)
-
-    return result
-
-
-def _messages_contain_tool_content(messages: list[dict[str, Any]]) -> bool:
-    """Check if any messages contain tool-related content blocks."""
-    for msg in messages:
-        if msg.get("role") == "tool":
-            return True
-        if msg.get("role") == "assistant" and msg.get("tool_calls"):
-            return True
-    return False
-
-
 def _is_vertex_model_rejecting_output_config(model_name: str) -> bool:
     normalized_model_name = model_name.lower()
     return any(
@@ -250,9 +157,6 @@ class LitellmLLM(LLM):
                 elif model_provider == LlmProviderNames.OLLAMA_CHAT:
                     if k == OLLAMA_API_KEY_CONFIG_KEY:
                         model_kwargs["api_key"] = v
-                elif model_provider == LlmProviderNames.LM_STUDIO:
-                    if k == LM_STUDIO_API_KEY_CONFIG_KEY:
-                        model_kwargs["api_key"] = v
                 elif model_provider == LlmProviderNames.BEDROCK:
                     if k == AWS_REGION_NAME_KWARG:
                         model_kwargs[k] = v
@@ -269,19 +173,6 @@ class LitellmLLM(LLM):
                     elif k == AWS_SECRET_ACCESS_KEY_KWARG_ENV_VAR_FORMAT:
                         model_kwargs[AWS_SECRET_ACCESS_KEY_KWARG] = v
 
-        # LM Studio: LiteLLM defaults to "fake-api-key" when no key is provided,
-        # which LM Studio rejects. Ensure we always pass an explicit key (or empty
-        # string) to prevent LiteLLM from injecting its fake default.
-        if model_provider == LlmProviderNames.LM_STUDIO:
-            model_kwargs.setdefault("api_key", "")
-
-            # Users provide the server root (e.g. http://localhost:1234) but LiteLLM
-            # needs /v1 for OpenAI-compatible calls.
-            if self._api_base is not None:
-                base = self._api_base.rstrip("/")
-                self._api_base = base if base.endswith("/v1") else f"{base}/v1"
-                model_kwargs["api_base"] = self._api_base
-
         # Default vertex_location to "global" if not provided for Vertex AI
         # Latest gemini models are only available through the global region
         if (
@@ -513,30 +404,13 @@ class LitellmLLM(LLM):
                 else nullcontext()
             )
             with env_ctx:
-                messages = _prompt_to_dicts(prompt)
-
-                # Bedrock's Converse API requires toolConfig when messages
-                # contain toolUse/toolResult content blocks. When no tools are
-                # provided for this request but the history contains tool
-                # content from previous turns, strip it to plain text.
-                is_bedrock = self._model_provider in {
-                    LlmProviderNames.BEDROCK,
-                    LlmProviderNames.BEDROCK_CONVERSE,
-                }
-                if (
-                    is_bedrock
-                    and not tools
-                    and _messages_contain_tool_content(messages)
-                ):
-                    messages = _strip_tool_content_from_messages(messages)
-
                 response = litellm.completion(
                     mock_response=get_llm_mock_response() or MOCK_LLM_RESPONSE,
                     model=model,
                     base_url=self._api_base or None,
                     api_version=self._api_version or None,
                     custom_llm_provider=self._custom_llm_provider or None,
-                    messages=messages,
+                    messages=_prompt_to_dicts(prompt),
                     tools=tools,
                     tool_choice=tool_choice,
                     stream=stream,

backend/onyx/llm/utils.py

@@ -322,7 +322,7 @@ def test_llm(llm: LLM) -> str | None:
     error_msg = None
     for _ in range(2):
         try:
-            llm.invoke(UserMessage(content="Do not respond"), max_tokens=50)
+            llm.invoke(UserMessage(content="Do not respond"))
             return None
         except Exception as e:
             error_msg = str(e)

backend/onyx/llm/well_known_providers/constants.py

@@ -1,5 +1,3 @@
-from onyx.llm.constants import LlmProviderNames
-
 OPENAI_PROVIDER_NAME = "openai"
 # Curated list of OpenAI models to show by default in the UI
 OPENAI_VISIBLE_MODEL_NAMES = {
@@ -37,15 +35,6 @@ def _fallback_bedrock_regions() -> list[str]:
 OLLAMA_PROVIDER_NAME = "ollama_chat"
 OLLAMA_API_KEY_CONFIG_KEY = "OLLAMA_API_KEY"
 
-LM_STUDIO_PROVIDER_NAME = "lm_studio"
-LM_STUDIO_API_KEY_CONFIG_KEY = "LM_STUDIO_API_KEY"
-
-# Providers that use optional Bearer auth from custom_config
-PROVIDERS_WITH_SPECIAL_API_KEY_HANDLING: dict[str, str] = {
-    LlmProviderNames.OLLAMA_CHAT: OLLAMA_API_KEY_CONFIG_KEY,
-    LlmProviderNames.LM_STUDIO: LM_STUDIO_API_KEY_CONFIG_KEY,
-}
-
 # OpenRouter
 OPENROUTER_PROVIDER_NAME = "openrouter"
 

backend/onyx/llm/well_known_providers/llm_provider_options.py

@@ -15,7 +15,6 @@ from onyx.llm.well_known_providers.auto_update_service import (
 from onyx.llm.well_known_providers.constants import ANTHROPIC_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import AZURE_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import BEDROCK_PROVIDER_NAME
-from onyx.llm.well_known_providers.constants import LM_STUDIO_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import OLLAMA_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import OPENAI_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import OPENROUTER_PROVIDER_NAME
@@ -45,7 +44,6 @@ def _get_provider_to_models_map() -> dict[str, list[str]]:
         ANTHROPIC_PROVIDER_NAME: get_anthropic_model_names(),
         VERTEXAI_PROVIDER_NAME: get_vertexai_model_names(),
         OLLAMA_PROVIDER_NAME: [],  # Dynamic - fetched from Ollama API
-        LM_STUDIO_PROVIDER_NAME: [],  # Dynamic - fetched from LM Studio API
         OPENROUTER_PROVIDER_NAME: [],  # Dynamic - fetched from OpenRouter API
     }
 
@@ -325,7 +323,6 @@ def get_provider_display_name(provider_name: str) -> str:
     _ONYX_PROVIDER_DISPLAY_NAMES: dict[str, str] = {
         OPENAI_PROVIDER_NAME: "ChatGPT (OpenAI)",
         OLLAMA_PROVIDER_NAME: "Ollama",
-        LM_STUDIO_PROVIDER_NAME: "LM Studio",
         ANTHROPIC_PROVIDER_NAME: "Claude (Anthropic)",
         AZURE_PROVIDER_NAME: "Azure OpenAI",
         BEDROCK_PROVIDER_NAME: "Amazon Bedrock",

backend/onyx/llm/well_known_providers/recommended-models.json

@@ -1,12 +1,12 @@
 {
   "version": "1.1",
-  "updated_at": "2026-03-05T00:00:00Z",
+  "updated_at": "2026-02-05T00:00:00Z",
   "providers": {
     "openai": {
-      "default_model": { "name": "gpt-5.4" },
+      "default_model": { "name": "gpt-5.2" },
       "additional_visible_models": [
-        { "name": "gpt-5.4" },
-        { "name": "gpt-5.2" }
+        { "name": "gpt-5-mini" },
+        { "name": "gpt-4.1" }
       ]
     },
     "anthropic": {

backend/onyx/server/features/build/sandbox/kubernetes/docker/templates/outputs/web/package-lock.json

@@ -961,9 +961,9 @@
       "license": "MIT"
     },
     "node_modules/@hono/node-server": {
-      "version": "1.19.10",
-      "resolved": "https://registry.npmjs.org/@hono/node-server/-/node-server-1.19.10.tgz",
-      "integrity": "sha512-hZ7nOssGqRgyV3FVVQdfi+U4q02uB23bpnYpdvNXkYTRRyWx84b7yf1ans+dnJ/7h41sGL3CeQTfO+ZGxuO+Iw==",
+      "version": "1.19.9",
+      "resolved": "https://registry.npmjs.org/@hono/node-server/-/node-server-1.19.9.tgz",
+      "integrity": "sha512-vHL6w3ecZsky+8P5MD+eFfaGTyCeOHUIFYMGpQGbrBTSmNNoxv0if69rEZ5giu36weC5saFuznL411gRX7bJDw==",
       "license": "MIT",
       "engines": {
         "node": ">=18.14.1"
@@ -1573,6 +1573,27 @@
         }
       }
     },
+    "node_modules/@isaacs/balanced-match": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@isaacs/balanced-match/-/balanced-match-4.0.1.tgz",
+      "integrity": "sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==",
+      "license": "MIT",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
+    "node_modules/@isaacs/brace-expansion": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.1.tgz",
+      "integrity": "sha512-WMz71T1JS624nWj2n2fnYAuPovhv7EUhk69R6i9dsVyzxt5eM3bjwvgk9L+APE1TRscGysAVMANkB0jh0LQZrQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@isaacs/balanced-match": "^4.0.1"
+      },
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
     "node_modules/@jridgewell/gen-mapping": {
       "version": "0.3.13",
       "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
@@ -1659,9 +1680,9 @@
       }
     },
     "node_modules/@modelcontextprotocol/sdk/node_modules/ajv": {
-      "version": "8.18.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
-      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "version": "8.17.1",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
+      "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==",
       "license": "MIT",
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
@@ -3834,27 +3855,6 @@
         "path-browserify": "^1.0.1"
       }
     },
-    "node_modules/@ts-morph/common/node_modules/balanced-match": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
-      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
-      "license": "MIT",
-      "engines": {
-        "node": "18 || 20 || >=22"
-      }
-    },
-    "node_modules/@ts-morph/common/node_modules/brace-expansion": {
-      "version": "5.0.3",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.3.tgz",
-      "integrity": "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^4.0.2"
-      },
-      "engines": {
-        "node": "18 || 20 || >=22"
-      }
-    },
     "node_modules/@ts-morph/common/node_modules/fast-glob": {
       "version": "3.3.3",
       "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz",
@@ -3884,15 +3884,15 @@
       }
     },
     "node_modules/@ts-morph/common/node_modules/minimatch": {
-      "version": "10.2.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
-      "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz",
+      "integrity": "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ==",
       "license": "BlueOak-1.0.0",
       "dependencies": {
-        "brace-expansion": "^5.0.2"
+        "@isaacs/brace-expansion": "^5.0.0"
       },
       "engines": {
-        "node": "18 || 20 || >=22"
+        "node": "20 || >=22"
       },
       "funding": {
         "url": "https://github.com/sponsors/isaacs"
@@ -4234,13 +4234,13 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-      "version": "9.0.9",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
-      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^2.0.2"
+        "brace-expansion": "^2.0.1"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -4619,9 +4619,9 @@
       }
     },
     "node_modules/ajv": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
-      "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
+      "version": "6.12.6",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
+      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4653,9 +4653,9 @@
       }
     },
     "node_modules/ajv-formats/node_modules/ajv": {
-      "version": "8.18.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
-      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "version": "8.17.1",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
+      "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==",
       "license": "MIT",
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
@@ -8831,9 +8831,9 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "3.1.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
-      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -9699,9 +9699,9 @@
       }
     },
     "node_modules/qs": {
-      "version": "6.14.2",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
-      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
+      "version": "6.14.1",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+      "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
       "license": "BSD-3-Clause",
       "dependencies": {
         "side-channel": "^1.1.0"

backend/onyx/server/manage/llm/api.py

@@ -48,7 +48,6 @@ from onyx.llm.utils import test_llm
 from onyx.llm.well_known_providers.auto_update_service import (
     fetch_llm_recommendations_from_github,
 )
-from onyx.llm.well_known_providers.constants import LM_STUDIO_API_KEY_CONFIG_KEY
 from onyx.llm.well_known_providers.llm_provider_options import (
     fetch_available_well_known_llms,
 )
@@ -63,9 +62,6 @@ from onyx.server.manage.llm.models import LLMProviderDescriptor
 from onyx.server.manage.llm.models import LLMProviderResponse
 from onyx.server.manage.llm.models import LLMProviderUpsertRequest
 from onyx.server.manage.llm.models import LLMProviderView
-from onyx.server.manage.llm.models import LMStudioFinalModelResponse
-from onyx.server.manage.llm.models import LMStudioModelsRequest
-from onyx.server.manage.llm.models import ModelConfigurationUpsertRequest
 from onyx.server.manage.llm.models import OllamaFinalModelResponse
 from onyx.server.manage.llm.models import OllamaModelDetails
 from onyx.server.manage.llm.models import OllamaModelsRequest
@@ -77,7 +73,6 @@ from onyx.server.manage.llm.models import VisionProviderResponse
 from onyx.server.manage.llm.utils import generate_bedrock_display_name
 from onyx.server.manage.llm.utils import generate_ollama_display_name
 from onyx.server.manage.llm.utils import infer_vision_support
-from onyx.server.manage.llm.utils import is_reasoning_model
 from onyx.server.manage.llm.utils import is_valid_bedrock_model
 from onyx.server.manage.llm.utils import ModelMetadata
 from onyx.server.manage.llm.utils import strip_openrouter_vendor_prefix
@@ -446,18 +441,6 @@ def put_llm_provider(
         not existing_provider or not existing_provider.is_auto_mode
     )
 
-    # When transitioning to auto mode, preserve existing model configurations
-    # so the upsert doesn't try to delete them (which would trip the default
-    # model protection guard). sync_auto_mode_models will handle the model
-    # lifecycle afterward — adding new models, hiding removed ones, and
-    # updating the default. This is safe even if sync fails: the provider
-    # keeps its old models and default rather than losing them.
-    if transitioning_to_auto_mode and existing_provider:
-        llm_provider_upsert_request.model_configurations = [
-            ModelConfigurationUpsertRequest.from_model(mc)
-            for mc in existing_provider.model_configurations
-        ]
-
     try:
         result = upsert_llm_provider(
             llm_provider_upsert_request=llm_provider_upsert_request,
@@ -470,6 +453,7 @@ def put_llm_provider(
 
             config = fetch_llm_recommendations_from_github()
             if config and llm_provider_upsert_request.provider in config.providers:
+                # Refetch the provider to get the updated model
                 updated_provider = fetch_existing_llm_provider_by_id(
                     id=result.id, db_session=db_session
                 )
@@ -1233,117 +1217,3 @@ def get_openrouter_available_models(
             logger.warning(f"Failed to sync OpenRouter models to DB: {e}")
 
     return sorted_results
-
-
-@admin_router.post("/lm-studio/available-models")
-def get_lm_studio_available_models(
-    request: LMStudioModelsRequest,
-    _: User = Depends(current_admin_user),
-    db_session: Session = Depends(get_session),
-) -> list[LMStudioFinalModelResponse]:
-    """Fetch available models from an LM Studio server.
-
-    Uses the LM Studio-native /api/v1/models endpoint which exposes
-    rich metadata including capabilities (vision, reasoning),
-    display names, and context lengths.
-    """
-    cleaned_api_base = request.api_base.strip().rstrip("/")
-    # Strip /v1 suffix that users may copy from OpenAI-compatible tool configs;
-    # the native metadata endpoint lives at /api/v1/models, not /v1/api/v1/models.
-    cleaned_api_base = cleaned_api_base.removesuffix("/v1")
-    if not cleaned_api_base:
-        raise OnyxError(
-            OnyxErrorCode.VALIDATION_ERROR,
-            "API base URL is required to fetch LM Studio models.",
-        )
-
-    # If provider_name is given and the api_key hasn't been changed by the user,
-    # fall back to the stored API key from the database (the form value is masked).
-    api_key = request.api_key
-    if request.provider_name and not request.api_key_changed:
-        existing_provider = fetch_existing_llm_provider(
-            name=request.provider_name, db_session=db_session
-        )
-        if existing_provider and existing_provider.custom_config:
-            api_key = existing_provider.custom_config.get(LM_STUDIO_API_KEY_CONFIG_KEY)
-
-    url = f"{cleaned_api_base}/api/v1/models"
-    headers: dict[str, str] = {}
-    if api_key:
-        headers["Authorization"] = f"Bearer {api_key}"
-
-    try:
-        response = httpx.get(url, headers=headers, timeout=10.0)
-        response.raise_for_status()
-        response_json = response.json()
-    except Exception as e:
-        raise OnyxError(
-            OnyxErrorCode.BAD_GATEWAY,
-            f"Failed to fetch LM Studio models: {e}",
-        )
-
-    models = response_json.get("models", [])
-    if not isinstance(models, list) or len(models) == 0:
-        raise OnyxError(
-            OnyxErrorCode.VALIDATION_ERROR,
-            "No models found from your LM Studio server.",
-        )
-
-    results: list[LMStudioFinalModelResponse] = []
-    for item in models:
-        # Filter to LLM-type models only (skip embeddings, etc.)
-        if item.get("type") != "llm":
-            continue
-
-        model_key = item.get("key")
-        if not model_key:
-            continue
-
-        display_name = item.get("display_name") or model_key
-        max_context_length = item.get("max_context_length")
-        capabilities = item.get("capabilities") or {}
-
-        results.append(
-            LMStudioFinalModelResponse(
-                name=model_key,
-                display_name=display_name,
-                max_input_tokens=max_context_length,
-                supports_image_input=capabilities.get("vision", False),
-                supports_reasoning=capabilities.get("reasoning", False)
-                or is_reasoning_model(model_key, display_name),
-            )
-        )
-
-    if not results:
-        raise OnyxError(
-            OnyxErrorCode.VALIDATION_ERROR,
-            "No compatible models found from LM Studio server.",
-        )
-
-    sorted_results = sorted(results, key=lambda m: m.name.lower())
-
-    # Sync new models to DB if provider_name is specified
-    if request.provider_name:
-        try:
-            models_to_sync = [
-                {
-                    "name": r.name,
-                    "display_name": r.display_name,
-                    "max_input_tokens": r.max_input_tokens,
-                    "supports_image_input": r.supports_image_input,
-                }
-                for r in sorted_results
-            ]
-            new_count = sync_model_configurations(
-                db_session=db_session,
-                provider_name=request.provider_name,
-                models=models_to_sync,
-            )
-            if new_count > 0:
-                logger.info(
-                    f"Added {new_count} new LM Studio models to provider '{request.provider_name}'"
-                )
-        except ValueError as e:
-            logger.warning(f"Failed to sync LM Studio models to DB: {e}")
-
-    return sorted_results

backend/onyx/server/manage/llm/models.py

@@ -371,22 +371,6 @@ class OpenRouterFinalModelResponse(BaseModel):
     supports_image_input: bool
 
 
-# LM Studio dynamic models fetch
-class LMStudioModelsRequest(BaseModel):
-    api_base: str
-    api_key: str | None = None
-    api_key_changed: bool = False
-    provider_name: str | None = None  # Optional: to save models to existing provider
-
-
-class LMStudioFinalModelResponse(BaseModel):
-    name: str  # Model ID from LM Studio (e.g., "lmstudio-community/Meta-Llama-3-8B")
-    display_name: str  # Human-readable name
-    max_input_tokens: int | None  # From LM Studio API or None if unavailable
-    supports_image_input: bool
-    supports_reasoning: bool
-
-
 class DefaultModel(BaseModel):
     provider_id: int
     model_name: str

backend/onyx/server/manage/llm/utils.py

@@ -12,7 +12,6 @@ from typing import TypedDict
 
 from onyx.llm.constants import BEDROCK_MODEL_NAME_MAPPINGS
 from onyx.llm.constants import LlmProviderNames
-from onyx.llm.constants import MODEL_PREFIX_TO_VENDOR
 from onyx.llm.constants import OLLAMA_MODEL_NAME_MAPPINGS
 from onyx.llm.constants import OLLAMA_MODEL_TO_VENDOR
 from onyx.llm.constants import PROVIDER_DISPLAY_NAMES
@@ -24,7 +23,6 @@ DYNAMIC_LLM_PROVIDERS = frozenset(
         LlmProviderNames.OPENROUTER,
         LlmProviderNames.BEDROCK,
         LlmProviderNames.OLLAMA_CHAT,
-        LlmProviderNames.LM_STUDIO,
     }
 )
 
@@ -350,19 +348,4 @@ def extract_vendor_from_model_name(model_name: str, provider: str) -> str | None
         # Fallback: capitalize the base name as vendor
         return base_name.split("-")[0].title()
 
-    elif provider == LlmProviderNames.LM_STUDIO:
-        # LM Studio model IDs can be paths like "publisher/model-name"
-        # or simple names. Use MODEL_PREFIX_TO_VENDOR for matching.
-
-        model_lower = model_name.lower()
-        # Check for slash-separated vendor prefix first
-        if "/" in model_lower:
-            vendor_key = model_lower.split("/")[0]
-            return PROVIDER_DISPLAY_NAMES.get(vendor_key, vendor_key.title())
-        # Fallback to model prefix matching
-        for prefix, vendor in MODEL_PREFIX_TO_VENDOR.items():
-            if model_lower.startswith(prefix):
-                return PROVIDER_DISPLAY_NAMES.get(vendor, vendor.title())
-        return None
-
     return None

backend/onyx/server/manage/search_settings.py

@@ -6,11 +6,8 @@ from sqlalchemy.orm import Session
 
 from onyx.auth.users import current_admin_user
 from onyx.auth.users import current_user
-from onyx.configs.app_configs import DISABLE_INDEX_UPDATE_ON_SWAP
 from onyx.context.search.models import SavedSearchSettings
 from onyx.context.search.models import SearchSettingsCreationRequest
-from onyx.db.connector_credential_pair import get_connector_credential_pairs
-from onyx.db.connector_credential_pair import resync_cc_pair
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.index_attempt import expire_index_attempts
 from onyx.db.llm import fetch_existing_llm_provider
@@ -18,25 +15,20 @@ from onyx.db.llm import update_default_contextual_model
 from onyx.db.llm import update_no_default_contextual_rag_provider
 from onyx.db.models import IndexModelStatus
 from onyx.db.models import User
-from onyx.db.search_settings import create_search_settings
 from onyx.db.search_settings import delete_search_settings
 from onyx.db.search_settings import get_current_search_settings
-from onyx.db.search_settings import get_embedding_provider_from_provider_type
 from onyx.db.search_settings import get_secondary_search_settings
 from onyx.db.search_settings import update_current_search_settings
 from onyx.db.search_settings import update_search_settings_status
-from onyx.document_index.factory import get_all_document_indices
 from onyx.document_index.factory import get_default_document_index
 from onyx.file_processing.unstructured import delete_unstructured_api_key
 from onyx.file_processing.unstructured import get_unstructured_api_key
 from onyx.file_processing.unstructured import update_unstructured_api_key
-from onyx.natural_language_processing.search_nlp_models import clean_model_name
 from onyx.server.manage.embedding.models import SearchSettingsDeleteRequest
 from onyx.server.manage.models import FullModelVersionResponse
 from onyx.server.models import IdReturn
 from onyx.server.utils_vector_db import require_vector_db
 from onyx.utils.logger import setup_logger
-from shared_configs.configs import ALT_INDEX_SUFFIX
 from shared_configs.configs import MULTI_TENANT
 
 router = APIRouter(prefix="/search-settings")
@@ -49,99 +41,110 @@ def set_new_search_settings(
     _: User = Depends(current_admin_user),
     db_session: Session = Depends(get_session),  # noqa: ARG001
 ) -> IdReturn:
+    """Creates a new EmbeddingModel row and cancels the previous secondary indexing if any
+    Gives an error if the same model name is used as the current or secondary index
     """
-    Creates a new SearchSettings row and cancels the previous secondary indexing
-    if any exists.
-    """
-    if search_settings_new.index_name:
-        logger.warning("Index name was specified by request, this is not suggested")
-
-    # Disallow contextual RAG for cloud deployments.
-    if MULTI_TENANT and search_settings_new.enable_contextual_rag:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail="Contextual RAG disabled in Onyx Cloud",
-        )
-
-    # Validate cloud provider exists or create new LiteLLM provider.
-    if search_settings_new.provider_type is not None:
-        cloud_provider = get_embedding_provider_from_provider_type(
-            db_session, provider_type=search_settings_new.provider_type
-        )
-
-        if cloud_provider is None:
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=f"No embedding provider exists for cloud embedding type {search_settings_new.provider_type}",
-            )
-
-    validate_contextual_rag_model(
-        provider_name=search_settings_new.contextual_rag_llm_provider,
-        model_name=search_settings_new.contextual_rag_llm_name,
-        db_session=db_session,
+    # TODO(andrei): Re-enable.
+    # NOTE Enable integration external dependency tests in test_search_settings.py
+    # when this is reenabled. They are currently skipped
+    logger.error("Setting new search settings is temporarily disabled.")
+    raise HTTPException(
+        status_code=status.HTTP_501_NOT_IMPLEMENTED,
+        detail="Setting new search settings is temporarily disabled.",
     )
+    # if search_settings_new.index_name:
+    #     logger.warning("Index name was specified by request, this is not suggested")
 
-    search_settings = get_current_search_settings(db_session)
+    # # Disallow contextual RAG for cloud deployments
+    # if MULTI_TENANT and search_settings_new.enable_contextual_rag:
+    #     raise HTTPException(
+    #         status_code=status.HTTP_400_BAD_REQUEST,
+    #         detail="Contextual RAG disabled in Onyx Cloud",
+    #     )
 
-    if search_settings_new.index_name is None:
-        # We define index name here.
-        index_name = f"danswer_chunk_{clean_model_name(search_settings_new.model_name)}"
-        if (
-            search_settings_new.model_name == search_settings.model_name
-            and not search_settings.index_name.endswith(ALT_INDEX_SUFFIX)
-        ):
-            index_name += ALT_INDEX_SUFFIX
-        search_values = search_settings_new.model_dump()
-        search_values["index_name"] = index_name
-        new_search_settings_request = SavedSearchSettings(**search_values)
-    else:
-        new_search_settings_request = SavedSearchSettings(
-            **search_settings_new.model_dump()
-        )
+    # # Validate cloud provider exists or create new LiteLLM provider
+    # if search_settings_new.provider_type is not None:
+    #     cloud_provider = get_embedding_provider_from_provider_type(
+    #         db_session, provider_type=search_settings_new.provider_type
+    #     )
 
-    secondary_search_settings = get_secondary_search_settings(db_session)
+    #     if cloud_provider is None:
+    #         raise HTTPException(
+    #             status_code=status.HTTP_400_BAD_REQUEST,
+    #             detail=f"No embedding provider exists for cloud embedding type {search_settings_new.provider_type}",
+    #         )
 
-    if secondary_search_settings:
-        # Cancel any background indexing jobs.
-        expire_index_attempts(
-            search_settings_id=secondary_search_settings.id, db_session=db_session
-        )
+    # validate_contextual_rag_model(
+    #     provider_name=search_settings_new.contextual_rag_llm_provider,
+    #     model_name=search_settings_new.contextual_rag_llm_name,
+    #     db_session=db_session,
+    # )
 
-        # Mark previous model as a past model directly.
-        update_search_settings_status(
-            search_settings=secondary_search_settings,
-            new_status=IndexModelStatus.PAST,
-            db_session=db_session,
-        )
+    # search_settings = get_current_search_settings(db_session)
 
-    new_search_settings = create_search_settings(
-        search_settings=new_search_settings_request, db_session=db_session
-    )
+    # if search_settings_new.index_name is None:
+    #     # We define index name here
+    #     index_name = f"danswer_chunk_{clean_model_name(search_settings_new.model_name)}"
+    #     if (
+    #         search_settings_new.model_name == search_settings.model_name
+    #         and not search_settings.index_name.endswith(ALT_INDEX_SUFFIX)
+    #     ):
+    #         index_name += ALT_INDEX_SUFFIX
+    #     search_values = search_settings_new.model_dump()
+    #     search_values["index_name"] = index_name
+    #     new_search_settings_request = SavedSearchSettings(**search_values)
+    # else:
+    #     new_search_settings_request = SavedSearchSettings(
+    #         **search_settings_new.model_dump()
+    #     )
 
-    # Ensure the document indices have the new index immediately.
-    document_indices = get_all_document_indices(search_settings, new_search_settings)
-    for document_index in document_indices:
-        document_index.ensure_indices_exist(
-            primary_embedding_dim=search_settings.final_embedding_dim,
-            primary_embedding_precision=search_settings.embedding_precision,
-            secondary_index_embedding_dim=new_search_settings.final_embedding_dim,
-            secondary_index_embedding_precision=new_search_settings.embedding_precision,
-        )
+    # secondary_search_settings = get_secondary_search_settings(db_session)
 
-    # Pause index attempts for the currently in-use index to preserve resources.
-    if DISABLE_INDEX_UPDATE_ON_SWAP:
-        expire_index_attempts(
-            search_settings_id=search_settings.id, db_session=db_session
-        )
-        for cc_pair in get_connector_credential_pairs(db_session):
-            resync_cc_pair(
-                cc_pair=cc_pair,
-                search_settings_id=new_search_settings.id,
-                db_session=db_session,
-            )
+    # if secondary_search_settings:
+    #     # Cancel any background indexing jobs
+    #     expire_index_attempts(
+    #         search_settings_id=secondary_search_settings.id, db_session=db_session
+    #     )
 
-    db_session.commit()
-    return IdReturn(id=new_search_settings.id)
+    #     # Mark previous model as a past model directly
+    #     update_search_settings_status(
+    #         search_settings=secondary_search_settings,
+    #         new_status=IndexModelStatus.PAST,
+    #         db_session=db_session,
+    #     )
+
+    # new_search_settings = create_search_settings(
+    #     search_settings=new_search_settings_request, db_session=db_session
+    # )
+
+    # # Ensure Vespa has the new index immediately
+    # get_multipass_config(search_settings)
+    # get_multipass_config(new_search_settings)
+    # document_index = get_default_document_index(
+    #     search_settings, new_search_settings, db_session
+    # )
+
+    # document_index.ensure_indices_exist(
+    #     primary_embedding_dim=search_settings.final_embedding_dim,
+    #     primary_embedding_precision=search_settings.embedding_precision,
+    #     secondary_index_embedding_dim=new_search_settings.final_embedding_dim,
+    #     secondary_index_embedding_precision=new_search_settings.embedding_precision,
+    # )
+
+    # # Pause index attempts for the currently in use index to preserve resources
+    # if DISABLE_INDEX_UPDATE_ON_SWAP:
+    #     expire_index_attempts(
+    #         search_settings_id=search_settings.id, db_session=db_session
+    #     )
+    #     for cc_pair in get_connector_credential_pairs(db_session):
+    #         resync_cc_pair(
+    #             cc_pair=cc_pair,
+    #             search_settings_id=new_search_settings.id,
+    #             db_session=db_session,
+    #         )
+
+    # db_session.commit()
+    # return IdReturn(id=new_search_settings.id)
 
 
 @router.post("/cancel-new-embedding", dependencies=[Depends(require_vector_db)])

backend/onyx/server/query_and_chat/chat_backend.py

@@ -1,5 +1,6 @@
 import datetime
 import json
+import os
 from collections.abc import Generator
 from datetime import timedelta
 from uuid import UUID
@@ -60,6 +61,7 @@ from onyx.db.persona import get_persona_by_id
 from onyx.db.usage import increment_usage
 from onyx.db.usage import UsageType
 from onyx.db.user_file import get_file_id_by_user_file_id
+from onyx.file_processing.extract_file_text import docx_to_txt_filename
 from onyx.file_store.file_store import get_default_file_store
 from onyx.llm.constants import LlmProviderNames
 from onyx.llm.factory import get_default_llm
@@ -810,6 +812,18 @@ def fetch_chat_file(
     if not file_record:
         raise HTTPException(status_code=404, detail="File not found")
 
+    original_file_name = file_record.display_name
+    if file_record.file_type.startswith(
+        "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
+    ):
+        # Check if a converted text file exists for .docx files
+        txt_file_name = docx_to_txt_filename(original_file_name)
+        txt_file_id = os.path.join(os.path.dirname(file_id), txt_file_name)
+        txt_file_record = file_store.read_file_record(txt_file_id)
+        if txt_file_record:
+            file_record = txt_file_record
+            file_id = txt_file_id
+
     media_type = file_record.file_type
     file_io = file_store.read_file(file_id, mode="b")
 

backend/onyx/server/settings/models.py

@@ -60,11 +60,9 @@ class Settings(BaseModel):
     deep_research_enabled: bool | None = None
     search_ui_enabled: bool | None = None
 
-    # Whether EE features are unlocked for use.
-    # Depends on license status: True when the user has a valid license
-    # (ACTIVE, GRACE_PERIOD, PAYMENT_REMINDER), False when there's no license
-    # or the license is expired (GATED_ACCESS).
-    # This controls UI visibility of EE features (user groups, analytics, RBAC, etc.).
+    # Enterprise features flag - set by license enforcement at runtime
+    # When LICENSE_ENFORCEMENT_ENABLED=true, this reflects license status
+    # When LICENSE_ENFORCEMENT_ENABLED=false, defaults to False
     ee_features_enabled: bool = False
 
     temperature_override_enabled: bool | None = False

backend/onyx/tools/tool_implementations/open_url/snippet_matcher.py

@@ -111,26 +111,19 @@ def _normalize_text_with_mapping(text: str) -> tuple[str, list[int]]:
     # Step 1: NFC normalization with position mapping
     nfc_text = unicodedata.normalize("NFC", text)
 
-    # Map NFD positions → original positions.
-    # NFD only decomposes, so each original char produces 1+ NFD chars.
-    nfd_to_orig: list[int] = []
-    for orig_idx, orig_char in enumerate(original_text):
-        nfd_of_char = unicodedata.normalize("NFD", orig_char)
-        for _ in nfd_of_char:
-            nfd_to_orig.append(orig_idx)
-
-    # Map NFC positions → NFD positions.
-    # Each NFC char, when decomposed, tells us exactly how many NFD
-    # chars it was composed from.
+    # Build mapping from NFC positions to original start positions
     nfc_to_orig: list[int] = []
-    nfd_idx = 0
+    orig_idx = 0
     for nfc_char in nfc_text:
-        if nfd_idx < len(nfd_to_orig):
-            nfc_to_orig.append(nfd_to_orig[nfd_idx])
+        nfc_to_orig.append(orig_idx)
+        # Find how many original chars contributed to this NFC char
+        for length in range(1, len(original_text) - orig_idx + 1):
+            substr = original_text[orig_idx : orig_idx + length]
+            if unicodedata.normalize("NFC", substr) == nfc_char:
+                orig_idx += length
+                break
         else:
-            nfc_to_orig.append(len(original_text) - 1)
-        nfd_of_nfc = unicodedata.normalize("NFD", nfc_char)
-        nfd_idx += len(nfd_of_nfc)
+            orig_idx += 1  # Fallback
 
     # Work with NFC text from here
     text = nfc_text

backend/requirements/default.txt

@@ -65,7 +65,7 @@ attrs==25.4.0
     #   jsonschema
     #   referencing
     #   zeep
-authlib==1.6.7
+authlib==1.6.6
     # via fastmcp
 babel==2.17.0
     # via courlan
@@ -109,7 +109,9 @@ brotli==1.2.0
 bytecode==0.17.0
     # via ddtrace
 cachetools==6.2.2
-    # via py-key-value-aio
+    # via
+    #   google-auth
+    #   py-key-value-aio
 caio==0.9.25
     # via aiofile
 celery==5.5.1
@@ -188,7 +190,6 @@ courlan==1.3.2
 cryptography==46.0.5
     # via
     #   authlib
-    #   google-auth
     #   msal
     #   msoffcrypto-tool
     #   pdfminer-six
@@ -229,7 +230,9 @@ distro==1.9.0
 dnspython==2.8.0
     # via email-validator
 docstring-parser==0.17.0
-    # via cyclopts
+    # via
+    #   cyclopts
+    #   google-cloud-aiplatform
 docutils==0.22.3
     # via rich-rst
 dropbox==12.0.2
@@ -294,15 +297,26 @@ gitdb==4.0.12
 gitpython==3.1.45
     # via braintrust
 google-api-core==2.28.1
-    # via google-api-python-client
+    # via
+    #   google-api-python-client
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
+    #   google-cloud-core
+    #   google-cloud-resource-manager
+    #   google-cloud-storage
 google-api-python-client==2.86.0
     # via onyx
-google-auth==2.48.0
+google-auth==2.43.0
     # via
     #   google-api-core
     #   google-api-python-client
     #   google-auth-httplib2
     #   google-auth-oauthlib
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
+    #   google-cloud-core
+    #   google-cloud-resource-manager
+    #   google-cloud-storage
     #   google-genai
     #   kubernetes
 google-auth-httplib2==0.1.0
@@ -311,16 +325,51 @@ google-auth-httplib2==0.1.0
     #   onyx
 google-auth-oauthlib==1.0.0
     # via onyx
-google-genai==1.52.0
+google-cloud-aiplatform==1.121.0
     # via onyx
+google-cloud-bigquery==3.38.0
+    # via google-cloud-aiplatform
+google-cloud-core==2.5.0
+    # via
+    #   google-cloud-bigquery
+    #   google-cloud-storage
+google-cloud-resource-manager==1.15.0
+    # via google-cloud-aiplatform
+google-cloud-storage==2.19.0
+    # via google-cloud-aiplatform
+google-crc32c==1.7.1
+    # via
+    #   google-cloud-storage
+    #   google-resumable-media
+google-genai==1.52.0
+    # via
+    #   google-cloud-aiplatform
+    #   onyx
+google-resumable-media==2.7.2
+    # via
+    #   google-cloud-bigquery
+    #   google-cloud-storage
 googleapis-common-protos==1.72.0
     # via
     #   google-api-core
+    #   grpc-google-iam-v1
+    #   grpcio-status
     #   opentelemetry-exporter-otlp-proto-http
 greenlet==3.2.4
     # via
     #   playwright
     #   sqlalchemy
+grpc-google-iam-v1==0.14.3
+    # via google-cloud-resource-manager
+grpcio==1.76.0
+    # via
+    #   google-api-core
+    #   google-cloud-resource-manager
+    #   googleapis-common-protos
+    #   grpc-google-iam-v1
+    #   grpcio-status
+grpcio-status==1.76.0
+    # via google-api-core
 h11==0.16.0
     # via
     #   httpcore
@@ -621,6 +670,8 @@ packaging==24.2
     #   dask
     #   distributed
     #   fastmcp
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
     #   huggingface-hub
     #   jira
     #   kombu
@@ -670,12 +721,19 @@ propcache==0.4.1
     #   aiohttp
     #   yarl
 proto-plus==1.26.1
-    # via google-api-core
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-resource-manager
 protobuf==6.33.5
     # via
     #   ddtrace
     #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-resource-manager
     #   googleapis-common-protos
+    #   grpc-google-iam-v1
+    #   grpcio-status
     #   onnxruntime
     #   opentelemetry-proto
     #   proto-plus
@@ -713,6 +771,7 @@ pydantic==2.11.7
     #   exa-py
     #   fastapi
     #   fastmcp
+    #   google-cloud-aiplatform
     #   google-genai
     #   langchain-core
     #   langfuse
@@ -776,6 +835,7 @@ python-dateutil==2.8.2
     #   botocore
     #   celery
     #   dateparser
+    #   google-cloud-bigquery
     #   htmldate
     #   hubspot-api-client
     #   kubernetes
@@ -867,6 +927,8 @@ requests==2.32.5
     #   dropbox
     #   exa-py
     #   google-api-core
+    #   google-cloud-bigquery
+    #   google-cloud-storage
     #   google-genai
     #   hubspot-api-client
     #   huggingface-hub
@@ -940,7 +1002,9 @@ sendgrid==6.12.5
 sentry-sdk==2.14.0
     # via onyx
 shapely==2.0.6
-    # via onyx
+    # via
+    #   google-cloud-aiplatform
+    #   onyx
 shellingham==1.5.4
     # via typer
 simple-salesforce==1.12.6
@@ -1054,7 +1118,9 @@ typing-extensions==4.15.0
     #   exa-py
     #   exceptiongroup
     #   fastapi
+    #   google-cloud-aiplatform
     #   google-genai
+    #   grpcio
     #   huggingface-hub
     #   jira
     #   langchain-core

backend/requirements/dev.txt

@@ -59,6 +59,8 @@ botocore==1.39.11
     #   s3transfer
 brotli==1.2.0
     # via onyx
+cachetools==6.2.2
+    # via google-auth
 celery-types==0.19.0
     # via onyx
 certifi==2025.11.12
@@ -98,9 +100,7 @@ comm==0.2.3
 contourpy==1.3.3
     # via matplotlib
 cryptography==46.0.5
-    # via
-    #   google-auth
-    #   pyjwt
+    # via pyjwt
 cycler==0.12.1
     # via matplotlib
 debugpy==1.8.17
@@ -115,6 +115,8 @@ distlib==0.4.0
     # via virtualenv
 distro==1.9.0
     # via openai
+docstring-parser==0.17.0
+    # via google-cloud-aiplatform
 durationpy==0.10
     # via kubernetes
 execnet==2.1.2
@@ -143,14 +145,65 @@ frozenlist==1.8.0
     #   aiosignal
 fsspec==2025.10.0
     # via huggingface-hub
-google-auth==2.48.0
+google-api-core==2.28.1
     # via
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
+    #   google-cloud-core
+    #   google-cloud-resource-manager
+    #   google-cloud-storage
+google-auth==2.43.0
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
+    #   google-cloud-core
+    #   google-cloud-resource-manager
+    #   google-cloud-storage
     #   google-genai
     #   kubernetes
-google-genai==1.52.0
+google-cloud-aiplatform==1.121.0
     # via onyx
+google-cloud-bigquery==3.38.0
+    # via google-cloud-aiplatform
+google-cloud-core==2.5.0
+    # via
+    #   google-cloud-bigquery
+    #   google-cloud-storage
+google-cloud-resource-manager==1.15.0
+    # via google-cloud-aiplatform
+google-cloud-storage==2.19.0
+    # via google-cloud-aiplatform
+google-crc32c==1.7.1
+    # via
+    #   google-cloud-storage
+    #   google-resumable-media
+google-genai==1.52.0
+    # via
+    #   google-cloud-aiplatform
+    #   onyx
+google-resumable-media==2.7.2
+    # via
+    #   google-cloud-bigquery
+    #   google-cloud-storage
+googleapis-common-protos==1.72.0
+    # via
+    #   google-api-core
+    #   grpc-google-iam-v1
+    #   grpcio-status
 greenlet==3.2.4 ; platform_machine == 'AMD64' or platform_machine == 'WIN32' or platform_machine == 'aarch64' or platform_machine == 'amd64' or platform_machine == 'ppc64le' or platform_machine == 'win32' or platform_machine == 'x86_64'
     # via sqlalchemy
+grpc-google-iam-v1==0.14.3
+    # via google-cloud-resource-manager
+grpcio==1.76.0
+    # via
+    #   google-api-core
+    #   google-cloud-resource-manager
+    #   googleapis-common-protos
+    #   grpc-google-iam-v1
+    #   grpcio-status
+grpcio-status==1.76.0
+    # via google-api-core
 h11==0.16.0
     # via
     #   httpcore
@@ -258,12 +311,13 @@ numpy==2.4.1
     #   contourpy
     #   matplotlib
     #   pandas-stubs
+    #   shapely
     #   voyageai
 oauthlib==3.2.2
     # via
     #   kubernetes
     #   requests-oauthlib
-onyx-devtools==0.6.3
+onyx-devtools==0.6.2
     # via onyx
 openai==2.14.0
     # via
@@ -276,6 +330,8 @@ openapi-generator-cli==7.17.0
 packaging==24.2
     # via
     #   black
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
     #   hatchling
     #   huggingface-hub
     #   ipykernel
@@ -318,6 +374,20 @@ propcache==0.4.1
     # via
     #   aiohttp
     #   yarl
+proto-plus==1.26.1
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-resource-manager
+protobuf==6.33.5
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-resource-manager
+    #   googleapis-common-protos
+    #   grpc-google-iam-v1
+    #   grpcio-status
+    #   proto-plus
 psutil==7.1.3
     # via ipykernel
 ptyprocess==0.7.0 ; sys_platform != 'emscripten' and sys_platform != 'win32'
@@ -339,6 +409,7 @@ pydantic==2.11.7
     #   agent-client-protocol
     #   cohere
     #   fastapi
+    #   google-cloud-aiplatform
     #   google-genai
     #   litellm
     #   mcp
@@ -379,6 +450,7 @@ python-dateutil==2.8.2
     # via
     #   aiobotocore
     #   botocore
+    #   google-cloud-bigquery
     #   jupyter-client
     #   kubernetes
     #   matplotlib
@@ -413,6 +485,9 @@ reorder-python-imports-black==3.14.0
 requests==2.32.5
     # via
     #   cohere
+    #   google-api-core
+    #   google-cloud-bigquery
+    #   google-cloud-storage
     #   google-genai
     #   huggingface-hub
     #   kubernetes
@@ -435,6 +510,8 @@ s3transfer==0.13.1
     # via boto3
 sentry-sdk==2.14.0
     # via onyx
+shapely==2.0.6
+    # via google-cloud-aiplatform
 six==1.17.0
     # via
     #   kubernetes
@@ -525,7 +602,9 @@ typing-extensions==4.15.0
     #   celery-types
     #   cohere
     #   fastapi
+    #   google-cloud-aiplatform
     #   google-genai
+    #   grpcio
     #   huggingface-hub
     #   ipython
     #   mcp

backend/requirements/ee.txt

@@ -53,6 +53,8 @@ botocore==1.39.11
     #   s3transfer
 brotli==1.2.0
     # via onyx
+cachetools==6.2.2
+    # via google-auth
 certifi==2025.11.12
     # via
     #   httpcore
@@ -77,15 +79,15 @@ colorama==0.4.6 ; sys_platform == 'win32'
     #   click
     #   tqdm
 cryptography==46.0.5
-    # via
-    #   google-auth
-    #   pyjwt
+    # via pyjwt
 decorator==5.2.1
     # via retry
 discord-py==2.4.0
     # via onyx
 distro==1.9.0
     # via openai
+docstring-parser==0.17.0
+    # via google-cloud-aiplatform
 durationpy==0.10
     # via kubernetes
 fastapi==0.133.1
@@ -102,12 +104,63 @@ frozenlist==1.8.0
     #   aiosignal
 fsspec==2025.10.0
     # via huggingface-hub
-google-auth==2.48.0
+google-api-core==2.28.1
     # via
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
+    #   google-cloud-core
+    #   google-cloud-resource-manager
+    #   google-cloud-storage
+google-auth==2.43.0
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
+    #   google-cloud-core
+    #   google-cloud-resource-manager
+    #   google-cloud-storage
     #   google-genai
     #   kubernetes
-google-genai==1.52.0
+google-cloud-aiplatform==1.121.0
     # via onyx
+google-cloud-bigquery==3.38.0
+    # via google-cloud-aiplatform
+google-cloud-core==2.5.0
+    # via
+    #   google-cloud-bigquery
+    #   google-cloud-storage
+google-cloud-resource-manager==1.15.0
+    # via google-cloud-aiplatform
+google-cloud-storage==2.19.0
+    # via google-cloud-aiplatform
+google-crc32c==1.7.1
+    # via
+    #   google-cloud-storage
+    #   google-resumable-media
+google-genai==1.52.0
+    # via
+    #   google-cloud-aiplatform
+    #   onyx
+google-resumable-media==2.7.2
+    # via
+    #   google-cloud-bigquery
+    #   google-cloud-storage
+googleapis-common-protos==1.72.0
+    # via
+    #   google-api-core
+    #   grpc-google-iam-v1
+    #   grpcio-status
+grpc-google-iam-v1==0.14.3
+    # via google-cloud-resource-manager
+grpcio==1.76.0
+    # via
+    #   google-api-core
+    #   google-cloud-resource-manager
+    #   googleapis-common-protos
+    #   grpc-google-iam-v1
+    #   grpcio-status
+grpcio-status==1.76.0
+    # via google-api-core
 h11==0.16.0
     # via
     #   httpcore
@@ -168,7 +221,9 @@ multidict==6.7.0
     #   aiohttp
     #   yarl
 numpy==2.4.1
-    # via voyageai
+    # via
+    #   shapely
+    #   voyageai
 oauthlib==3.2.2
     # via
     #   kubernetes
@@ -178,7 +233,10 @@ openai==2.14.0
     #   litellm
     #   onyx
 packaging==24.2
-    # via huggingface-hub
+    # via
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
+    #   huggingface-hub
 parameterized==0.9.0
     # via cohere
 posthog==3.7.4
@@ -193,6 +251,20 @@ propcache==0.4.1
     # via
     #   aiohttp
     #   yarl
+proto-plus==1.26.1
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-resource-manager
+protobuf==6.33.5
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-resource-manager
+    #   googleapis-common-protos
+    #   grpc-google-iam-v1
+    #   grpcio-status
+    #   proto-plus
 py==1.11.0
     # via retry
 pyasn1==0.6.2
@@ -208,6 +280,7 @@ pydantic==2.11.7
     #   agent-client-protocol
     #   cohere
     #   fastapi
+    #   google-cloud-aiplatform
     #   google-genai
     #   litellm
     #   mcp
@@ -224,6 +297,7 @@ python-dateutil==2.8.2
     # via
     #   aiobotocore
     #   botocore
+    #   google-cloud-bigquery
     #   kubernetes
     #   posthog
 python-dotenv==1.1.1
@@ -247,6 +321,9 @@ regex==2025.11.3
 requests==2.32.5
     # via
     #   cohere
+    #   google-api-core
+    #   google-cloud-bigquery
+    #   google-cloud-storage
     #   google-genai
     #   huggingface-hub
     #   kubernetes
@@ -268,6 +345,8 @@ s3transfer==0.13.1
     # via boto3
 sentry-sdk==2.14.0
     # via onyx
+shapely==2.0.6
+    # via google-cloud-aiplatform
 six==1.17.0
     # via
     #   kubernetes
@@ -306,7 +385,9 @@ typing-extensions==4.15.0
     #   anyio
     #   cohere
     #   fastapi
+    #   google-cloud-aiplatform
     #   google-genai
+    #   grpcio
     #   huggingface-hub
     #   mcp
     #   openai

backend/requirements/model_server.txt

@@ -57,6 +57,8 @@ botocore==1.39.11
     #   s3transfer
 brotli==1.2.0
     # via onyx
+cachetools==6.2.2
+    # via google-auth
 celery==5.5.1
     # via sentry-sdk
 certifi==2025.11.12
@@ -93,15 +95,15 @@ colorama==0.4.6 ; sys_platform == 'win32'
     #   click
     #   tqdm
 cryptography==46.0.5
-    # via
-    #   google-auth
-    #   pyjwt
+    # via pyjwt
 decorator==5.2.1
     # via retry
 discord-py==2.4.0
     # via onyx
 distro==1.9.0
     # via openai
+docstring-parser==0.17.0
+    # via google-cloud-aiplatform
 durationpy==0.10
     # via kubernetes
 einops==0.8.1
@@ -127,12 +129,63 @@ fsspec==2025.10.0
     # via
     #   huggingface-hub
     #   torch
-google-auth==2.48.0
+google-api-core==2.28.1
     # via
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
+    #   google-cloud-core
+    #   google-cloud-resource-manager
+    #   google-cloud-storage
+google-auth==2.43.0
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
+    #   google-cloud-core
+    #   google-cloud-resource-manager
+    #   google-cloud-storage
     #   google-genai
     #   kubernetes
-google-genai==1.52.0
+google-cloud-aiplatform==1.121.0
     # via onyx
+google-cloud-bigquery==3.38.0
+    # via google-cloud-aiplatform
+google-cloud-core==2.5.0
+    # via
+    #   google-cloud-bigquery
+    #   google-cloud-storage
+google-cloud-resource-manager==1.15.0
+    # via google-cloud-aiplatform
+google-cloud-storage==2.19.0
+    # via google-cloud-aiplatform
+google-crc32c==1.7.1
+    # via
+    #   google-cloud-storage
+    #   google-resumable-media
+google-genai==1.52.0
+    # via
+    #   google-cloud-aiplatform
+    #   onyx
+google-resumable-media==2.7.2
+    # via
+    #   google-cloud-bigquery
+    #   google-cloud-storage
+googleapis-common-protos==1.72.0
+    # via
+    #   google-api-core
+    #   grpc-google-iam-v1
+    #   grpcio-status
+grpc-google-iam-v1==0.14.3
+    # via google-cloud-resource-manager
+grpcio==1.76.0
+    # via
+    #   google-api-core
+    #   google-cloud-resource-manager
+    #   googleapis-common-protos
+    #   grpc-google-iam-v1
+    #   grpcio-status
+grpcio-status==1.76.0
+    # via google-api-core
 h11==0.16.0
     # via
     #   httpcore
@@ -210,6 +263,7 @@ numpy==2.4.1
     #   onyx
     #   scikit-learn
     #   scipy
+    #   shapely
     #   transformers
     #   voyageai
 nvidia-cublas-cu12==12.8.4.1 ; platform_machine == 'x86_64' and sys_platform == 'linux'
@@ -262,6 +316,8 @@ openai==2.14.0
 packaging==24.2
     # via
     #   accelerate
+    #   google-cloud-aiplatform
+    #   google-cloud-bigquery
     #   huggingface-hub
     #   kombu
     #   transformers
@@ -281,6 +337,20 @@ propcache==0.4.1
     # via
     #   aiohttp
     #   yarl
+proto-plus==1.26.1
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-resource-manager
+protobuf==6.33.5
+    # via
+    #   google-api-core
+    #   google-cloud-aiplatform
+    #   google-cloud-resource-manager
+    #   googleapis-common-protos
+    #   grpc-google-iam-v1
+    #   grpcio-status
+    #   proto-plus
 psutil==7.1.3
     # via accelerate
 py==1.11.0
@@ -298,6 +368,7 @@ pydantic==2.11.7
     #   agent-client-protocol
     #   cohere
     #   fastapi
+    #   google-cloud-aiplatform
     #   google-genai
     #   litellm
     #   mcp
@@ -315,6 +386,7 @@ python-dateutil==2.8.2
     #   aiobotocore
     #   botocore
     #   celery
+    #   google-cloud-bigquery
     #   kubernetes
 python-dotenv==1.1.1
     # via
@@ -341,6 +413,9 @@ regex==2025.11.3
 requests==2.32.5
     # via
     #   cohere
+    #   google-api-core
+    #   google-cloud-bigquery
+    #   google-cloud-storage
     #   google-genai
     #   huggingface-hub
     #   kubernetes
@@ -377,6 +452,8 @@ sentry-sdk==2.14.0
     # via onyx
 setuptools==80.9.0 ; python_full_version >= '3.12'
     # via torch
+shapely==2.0.6
+    # via google-cloud-aiplatform
 six==1.17.0
     # via
     #   kubernetes
@@ -433,7 +510,9 @@ typing-extensions==4.15.0
     #   anyio
     #   cohere
     #   fastapi
+    #   google-cloud-aiplatform
     #   google-genai
+    #   grpcio
     #   huggingface-hub
     #   mcp
     #   openai

backend/scripts/debugging/opensearch/opensearch_debug.py

@@ -1,171 +0,0 @@
-#!/usr/bin/env python3
-"""A utility to interact with OpenSearch.
-
-Usage:
-    python3 opensearch_debug.py --help
-    python3 opensearch_debug.py list
-    python3 opensearch_debug.py delete <index_name>
-
-Environment Variables:
-    OPENSEARCH_HOST: OpenSearch host
-    OPENSEARCH_REST_API_PORT: OpenSearch port
-    OPENSEARCH_ADMIN_USERNAME: Admin username
-    OPENSEARCH_ADMIN_PASSWORD: Admin password
-
-Dependencies:
-    backend/shared_configs/configs.py
-    backend/onyx/document_index/opensearch/client.py
-"""
-
-import argparse
-import os
-import sys
-
-from onyx.document_index.opensearch.client import OpenSearchClient
-from onyx.document_index.opensearch.client import OpenSearchIndexClient
-from shared_configs.configs import MULTI_TENANT
-
-
-def list_indices(client: OpenSearchClient) -> None:
-    indices = client.list_indices_with_info()
-    print(f"Found {len(indices)} indices.")
-    print("-" * 80)
-    for index in sorted(indices, key=lambda x: x.name):
-        print(f"Index: {index.name}")
-        print(f"Health: {index.health}")
-        print(f"Status: {index.status}")
-        print(f"Num Primary Shards: {index.num_primary_shards}")
-        print(f"Num Replica Shards: {index.num_replica_shards}")
-        print(f"Docs Count: {index.docs_count}")
-        print(f"Docs Deleted: {index.docs_deleted}")
-        print(f"Created At: {index.created_at}")
-        print(f"Total Size: {index.total_size}")
-        print(f"Primary Shards Size: {index.primary_shards_size}")
-        print("-" * 80)
-
-
-def delete_index(client: OpenSearchIndexClient) -> None:
-    if not client.index_exists():
-        print(f"Index '{client._index_name}' does not exist.")
-        return
-
-    confirm = input(f"Delete index '{client._index_name}'? (yes/no): ")
-    if confirm.lower() != "yes":
-        print("Aborted.")
-        return
-
-    if client.delete_index():
-        print(f"Deleted index '{client._index_name}'.")
-    else:
-        print(f"Failed to delete index '{client._index_name}' for an unknown reason.")
-
-
-def main() -> None:
-    def add_standard_arguments(parser: argparse.ArgumentParser) -> None:
-        parser.add_argument(
-            "--host",
-            help="OpenSearch host. If not provided, will fall back to OPENSEARCH_HOST, then prompt "
-            "for input.",
-            type=str,
-            default=os.environ.get("OPENSEARCH_HOST", ""),
-        )
-        parser.add_argument(
-            "--port",
-            help="OpenSearch port. If not provided, will fall back to OPENSEARCH_REST_API_PORT, "
-            "then prompt for input.",
-            type=int,
-            default=int(os.environ.get("OPENSEARCH_REST_API_PORT", 0)),
-        )
-        parser.add_argument(
-            "--username",
-            help="OpenSearch username. If not provided, will fall back to OPENSEARCH_ADMIN_USERNAME, "
-            "then prompt for input.",
-            type=str,
-            default=os.environ.get("OPENSEARCH_ADMIN_USERNAME", ""),
-        )
-        parser.add_argument(
-            "--password",
-            help="OpenSearch password. If not provided, will fall back to OPENSEARCH_ADMIN_PASSWORD, "
-            "then prompt for input.",
-            type=str,
-            default=os.environ.get("OPENSEARCH_ADMIN_PASSWORD", ""),
-        )
-        parser.add_argument(
-            "--no-ssl", help="Disable SSL.", action="store_true", default=False
-        )
-        parser.add_argument(
-            "--no-verify-certs",
-            help="Disable certificate verification (for self-signed certs).",
-            action="store_true",
-            default=False,
-        )
-        parser.add_argument(
-            "--use-aws-managed-opensearch",
-            help="Whether to use AWS-managed OpenSearch. If not provided, will fall back to checking "
-            "USING_AWS_MANAGED_OPENSEARCH=='true', then default to False.",
-            action=argparse.BooleanOptionalAction,
-            default=os.environ.get("USING_AWS_MANAGED_OPENSEARCH", "").lower()
-            == "true",
-        )
-
-    parser = argparse.ArgumentParser(
-        description="A utility to interact with OpenSearch."
-    )
-    subparsers = parser.add_subparsers(
-        dest="command", help="Command to execute.", required=True
-    )
-
-    list_parser = subparsers.add_parser("list", help="List all indices with info.")
-    add_standard_arguments(list_parser)
-
-    delete_parser = subparsers.add_parser("delete", help="Delete an index.")
-    delete_parser.add_argument("index", help="Index name.", type=str)
-    add_standard_arguments(delete_parser)
-
-    args = parser.parse_args()
-
-    if not (host := args.host or input("Enter the OpenSearch host: ")):
-        print("Error: OpenSearch host is required.")
-        sys.exit(1)
-    if not (port := args.port or int(input("Enter the OpenSearch port: "))):
-        print("Error: OpenSearch port is required.")
-        sys.exit(1)
-    if not (username := args.username or input("Enter the OpenSearch username: ")):
-        print("Error: OpenSearch username is required.")
-        sys.exit(1)
-    if not (password := args.password or input("Enter the OpenSearch password: ")):
-        print("Error: OpenSearch password is required.")
-        sys.exit(1)
-    print("Using AWS-managed OpenSearch: ", args.use_aws_managed_opensearch)
-    print(f"MULTI_TENANT: {MULTI_TENANT}")
-
-    with (
-        OpenSearchIndexClient(
-            index_name=args.index,
-            host=host,
-            port=port,
-            auth=(username, password),
-            use_ssl=not args.no_ssl,
-            verify_certs=not args.no_verify_certs,
-        )
-        if args.command == "delete"
-        else OpenSearchClient(
-            host=host,
-            port=port,
-            auth=(username, password),
-            use_ssl=not args.no_ssl,
-            verify_certs=not args.no_verify_certs,
-        )
-    ) as client:
-        if not client.ping():
-            print("Error: Could not connect to OpenSearch.")
-            sys.exit(1)
-
-        if args.command == "list":
-            list_indices(client)
-        elif args.command == "delete":
-            delete_index(client)
-
-
-if __name__ == "__main__":
-    main()

backend/scripts/restart_containers.sh

@@ -1,20 +1,10 @@
 #!/bin/bash
 set -e
 
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-COMPOSE_FILE="$SCRIPT_DIR/../../deployment/docker_compose/docker-compose.yml"
-COMPOSE_DEV_FILE="$SCRIPT_DIR/../../deployment/docker_compose/docker-compose.dev.yml"
-
-stop_and_remove_containers() {
-  docker stop onyx_postgres onyx_vespa onyx_redis onyx_minio onyx_code_interpreter 2>/dev/null || true
-  docker rm onyx_postgres onyx_vespa onyx_redis onyx_minio onyx_code_interpreter 2>/dev/null || true
-  docker compose -f "$COMPOSE_FILE" -f "$COMPOSE_DEV_FILE" --profile opensearch-enabled stop opensearch 2>/dev/null || true
-  docker compose -f "$COMPOSE_FILE" -f "$COMPOSE_DEV_FILE" --profile opensearch-enabled rm -f opensearch 2>/dev/null || true
-}
-
 cleanup() {
   echo "Error occurred. Cleaning up..."
-  stop_and_remove_containers
+  docker stop onyx_postgres onyx_vespa onyx_redis onyx_minio onyx_code_interpreter 2>/dev/null || true
+  docker rm onyx_postgres onyx_vespa onyx_redis onyx_minio onyx_code_interpreter 2>/dev/null || true
 }
 
 # Trap errors and output a message, then cleanup
@@ -22,26 +12,16 @@ trap 'echo "Error occurred on line $LINENO. Exiting script." >&2; cleanup' ERR
 
 # Usage of the script with optional volume arguments
 # ./restart_containers.sh [vespa_volume] [postgres_volume] [redis_volume]
-# [minio_volume] [--keep-opensearch-data]
 
-KEEP_OPENSEARCH_DATA=false
-POSITIONAL_ARGS=()
-for arg in "$@"; do
-    if [[ "$arg" == "--keep-opensearch-data" ]]; then
-        KEEP_OPENSEARCH_DATA=true
-    else
-        POSITIONAL_ARGS+=("$arg")
-    fi
-done
-
-VESPA_VOLUME=${POSITIONAL_ARGS[0]:-""}
-POSTGRES_VOLUME=${POSITIONAL_ARGS[1]:-""}
-REDIS_VOLUME=${POSITIONAL_ARGS[2]:-""}
-MINIO_VOLUME=${POSITIONAL_ARGS[3]:-""}
+VESPA_VOLUME=${1:-""}  # Default is empty if not provided
+POSTGRES_VOLUME=${2:-""}  # Default is empty if not provided
+REDIS_VOLUME=${3:-""}  # Default is empty if not provided
+MINIO_VOLUME=${4:-""}  # Default is empty if not provided
 
 # Stop and remove the existing containers
 echo "Stopping and removing existing containers..."
-stop_and_remove_containers
+docker stop onyx_postgres onyx_vespa onyx_redis onyx_minio onyx_code_interpreter 2>/dev/null || true
+docker rm onyx_postgres onyx_vespa onyx_redis onyx_minio onyx_code_interpreter 2>/dev/null || true
 
 # Start the PostgreSQL container with optional volume
 echo "Starting PostgreSQL container..."
@@ -59,29 +39,6 @@ else
     docker run --detach --name onyx_vespa --hostname vespa-container --publish 8081:8081 --publish 19071:19071 vespaengine/vespa:8
 fi
 
-# If OPENSEARCH_ADMIN_PASSWORD is not already set, try loading it from
-# .vscode/.env so existing dev setups that stored it there aren't silently
-# broken.
-VSCODE_ENV="$SCRIPT_DIR/../../.vscode/.env"
-if [[ -z "${OPENSEARCH_ADMIN_PASSWORD:-}" && -f "$VSCODE_ENV" ]]; then
-    set -a
-    # shellcheck source=/dev/null
-    source "$VSCODE_ENV"
-    set +a
-fi
-
-# Start the OpenSearch container using the same service from docker-compose that
-# our users use, setting OPENSEARCH_INITIAL_ADMIN_PASSWORD from the env's
-# OPENSEARCH_ADMIN_PASSWORD if it exists, else defaulting to StrongPassword123!.
-# Pass --keep-opensearch-data to preserve the opensearch-data volume across
-# restarts, else the volume is deleted so the container starts fresh.
-if [[ "$KEEP_OPENSEARCH_DATA" == "false" ]]; then
-    echo "Deleting opensearch-data volume..."
-    docker volume rm onyx_opensearch-data 2>/dev/null || true
-fi
-echo "Starting OpenSearch container..."
-docker compose -f "$COMPOSE_FILE" -f "$COMPOSE_DEV_FILE" --profile opensearch-enabled up --force-recreate -d opensearch
-
 # Start the Redis container with optional volume
 echo "Starting Redis container..."
 if [[ -n "$REDIS_VOLUME" ]]; then
@@ -103,6 +60,7 @@ echo "Starting Code Interpreter container..."
 docker run --detach --name onyx_code_interpreter --publish 8000:8000 --user root -v /var/run/docker.sock:/var/run/docker.sock onyxdotapp/code-interpreter:latest bash ./entrypoint.sh code-interpreter-api
 
 # Ensure alembic runs in the correct directory (backend/)
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 PARENT_DIR="$(dirname "$SCRIPT_DIR")"
 cd "$PARENT_DIR"
 

backend/scripts/restart_opensearch_container.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# We get OPENSEARCH_ADMIN_PASSWORD from the repo .env file.
+source "$(dirname "$0")/../../.vscode/.env"
+
+cd "$(dirname "$0")/../../deployment/docker_compose"
+
+# Start OpenSearch.
+echo "Forcefully starting fresh OpenSearch container..."
+docker compose -f docker-compose.opensearch.yml up --force-recreate -d opensearch

backend/tests/external_dependency_unit/celery/test_docprocessing_priority.py

@@ -145,10 +145,6 @@ class TestDocprocessingPriorityInDocumentExtraction:
     @patch("onyx.background.indexing.run_docfetching.get_document_batch_storage")
     @patch("onyx.background.indexing.run_docfetching.MemoryTracer")
     @patch("onyx.background.indexing.run_docfetching._get_connector_runner")
-    @patch(
-        "onyx.background.indexing.run_docfetching.strip_null_characters",
-        side_effect=lambda batch: batch,
-    )
     @patch(
         "onyx.background.indexing.run_docfetching.get_recent_completed_attempts_for_cc_pair"
     )
@@ -173,7 +169,6 @@ class TestDocprocessingPriorityInDocumentExtraction:
         mock_save_checkpoint: MagicMock,  # noqa: ARG002
         mock_get_last_successful_attempt_poll_range_end: MagicMock,
         mock_get_recent_completed_attempts: MagicMock,
-        mock_strip_null_characters: MagicMock,  # noqa: ARG002
         mock_get_connector_runner: MagicMock,
         mock_memory_tracer_class: MagicMock,
         mock_get_batch_storage: MagicMock,

backend/tests/external_dependency_unit/celery/test_pruning_hierarchy_nodes.py

@@ -5,8 +5,6 @@ Verifies that:
 1. extract_ids_from_runnable_connector correctly separates hierarchy nodes from doc IDs
 2. Extracted hierarchy nodes are correctly upserted to Postgres via upsert_hierarchy_nodes_batch
 3. Upserting is idempotent (running twice doesn't duplicate nodes)
-4. Document-to-hierarchy-node linkage is updated during pruning
-5. link_hierarchy_nodes_to_documents links nodes that are also documents
 
 Uses a mock SlimConnectorWithPermSync that yields known hierarchy nodes and slim documents,
 combined with a real PostgreSQL database for verifying persistence.
@@ -29,13 +27,9 @@ from onyx.db.enums import HierarchyNodeType
 from onyx.db.hierarchy import ensure_source_node_exists
 from onyx.db.hierarchy import get_all_hierarchy_nodes_for_source
 from onyx.db.hierarchy import get_hierarchy_node_by_raw_id
-from onyx.db.hierarchy import link_hierarchy_nodes_to_documents
-from onyx.db.hierarchy import update_document_parent_hierarchy_nodes
 from onyx.db.hierarchy import upsert_hierarchy_nodes_batch
-from onyx.db.models import Document as DbDocument
 from onyx.db.models import HierarchyNode as DBHierarchyNode
 from onyx.indexing.indexing_heartbeat import IndexingHeartbeatInterface
-from onyx.kg.models import KGStage
 
 # ---------------------------------------------------------------------------
 # Constants
@@ -95,18 +89,8 @@ def _make_hierarchy_nodes() -> list[PydanticHierarchyNode]:
     ]
 
 
-DOC_PARENT_MAP = {
-    "msg-001": CHANNEL_A_ID,
-    "msg-002": CHANNEL_A_ID,
-    "msg-003": CHANNEL_B_ID,
-}
-
-
 def _make_slim_docs() -> list[SlimDocument | PydanticHierarchyNode]:
-    return [
-        SlimDocument(id=doc_id, parent_hierarchy_raw_node_id=DOC_PARENT_MAP.get(doc_id))
-        for doc_id in SLIM_DOC_IDS
-    ]
+    return [SlimDocument(id=doc_id) for doc_id in SLIM_DOC_IDS]
 
 
 class MockSlimConnectorWithPermSync(SlimConnectorWithPermSync):
@@ -142,31 +126,14 @@ class MockSlimConnectorWithPermSync(SlimConnectorWithPermSync):
 # ---------------------------------------------------------------------------
 
 
-def _cleanup_test_data(db_session: Session) -> None:
-    """Remove all test hierarchy nodes and documents to isolate tests."""
-    for doc_id in SLIM_DOC_IDS:
-        db_session.query(DbDocument).filter(DbDocument.id == doc_id).delete()
+def _cleanup_test_hierarchy_nodes(db_session: Session) -> None:
+    """Remove all hierarchy nodes for TEST_SOURCE to isolate tests."""
     db_session.query(DBHierarchyNode).filter(
         DBHierarchyNode.source == TEST_SOURCE
     ).delete()
     db_session.commit()
 
 
-def _create_test_documents(db_session: Session) -> list[DbDocument]:
-    """Insert minimal Document rows for our test doc IDs."""
-    docs = []
-    for doc_id in SLIM_DOC_IDS:
-        doc = DbDocument(
-            id=doc_id,
-            semantic_id=doc_id,
-            kg_stage=KGStage.NOT_STARTED,
-        )
-        db_session.add(doc)
-        docs.append(doc)
-    db_session.commit()
-    return docs
-
-
 # ---------------------------------------------------------------------------
 # Tests
 # ---------------------------------------------------------------------------
@@ -180,14 +147,14 @@ def test_pruning_extracts_hierarchy_nodes(db_session: Session) -> None:  # noqa:
     result = extract_ids_from_runnable_connector(connector, callback=None)
 
     # Doc IDs should include both slim doc IDs and hierarchy node raw_node_ids
-    # (hierarchy node IDs are added to raw_id_to_parent so they aren't pruned)
+    # (hierarchy node IDs are added to doc_ids so they aren't pruned)
     expected_ids = {
         CHANNEL_A_ID,
         CHANNEL_B_ID,
         CHANNEL_C_ID,
         *SLIM_DOC_IDS,
     }
-    assert result.raw_id_to_parent.keys() == expected_ids
+    assert result.doc_ids == expected_ids
 
     # Hierarchy nodes should be the 3 channels
     assert len(result.hierarchy_nodes) == 3
@@ -198,7 +165,7 @@ def test_pruning_extracts_hierarchy_nodes(db_session: Session) -> None:  # noqa:
 def test_pruning_upserts_hierarchy_nodes_to_db(db_session: Session) -> None:
     """Full flow: extract hierarchy nodes from mock connector, upsert to Postgres,
     then verify the DB state (node count, parent relationships, permissions)."""
-    _cleanup_test_data(db_session)
+    _cleanup_test_hierarchy_nodes(db_session)
 
     # Step 1: ensure the SOURCE node exists (mirrors what the pruning task does)
     source_node = ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
@@ -263,7 +230,7 @@ def test_pruning_upserts_hierarchy_nodes_public_connector(
 ) -> None:
     """When the connector's access type is PUBLIC, all hierarchy nodes must be
     marked is_public=True regardless of their external_access settings."""
-    _cleanup_test_data(db_session)
+    _cleanup_test_hierarchy_nodes(db_session)
 
     ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
 
@@ -290,7 +257,7 @@ def test_pruning_upserts_hierarchy_nodes_public_connector(
 def test_pruning_hierarchy_node_upsert_idempotency(db_session: Session) -> None:
     """Upserting the same hierarchy nodes twice must not create duplicates.
     The second call should update existing rows in place."""
-    _cleanup_test_data(db_session)
+    _cleanup_test_hierarchy_nodes(db_session)
 
     ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
 
@@ -328,7 +295,7 @@ def test_pruning_hierarchy_node_upsert_idempotency(db_session: Session) -> None:
 
 def test_pruning_hierarchy_node_upsert_updates_fields(db_session: Session) -> None:
     """Upserting a hierarchy node with changed fields should update the existing row."""
-    _cleanup_test_data(db_session)
+    _cleanup_test_hierarchy_nodes(db_session)
 
     ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
 
@@ -375,193 +342,3 @@ def test_pruning_hierarchy_node_upsert_updates_fields(db_session: Session) -> No
     assert db_node.is_public is True
     assert db_node.external_user_emails is not None
     assert set(db_node.external_user_emails) == {"new_user@example.com"}
-
-
-# ---------------------------------------------------------------------------
-# Document-to-hierarchy-node linkage tests
-# ---------------------------------------------------------------------------
-
-
-def test_extraction_preserves_parent_hierarchy_raw_node_id(
-    db_session: Session,  # noqa: ARG001
-) -> None:
-    """extract_ids_from_runnable_connector should carry the
-    parent_hierarchy_raw_node_id from SlimDocument into the raw_id_to_parent dict."""
-    connector = MockSlimConnectorWithPermSync()
-    result = extract_ids_from_runnable_connector(connector, callback=None)
-
-    for doc_id, expected_parent in DOC_PARENT_MAP.items():
-        assert (
-            result.raw_id_to_parent[doc_id] == expected_parent
-        ), f"raw_id_to_parent[{doc_id}] should be {expected_parent}"
-
-    # Hierarchy node entries have None parent (they aren't documents)
-    for channel_id in [CHANNEL_A_ID, CHANNEL_B_ID, CHANNEL_C_ID]:
-        assert result.raw_id_to_parent[channel_id] is None
-
-
-def test_update_document_parent_hierarchy_nodes(db_session: Session) -> None:
-    """update_document_parent_hierarchy_nodes should set
-    Document.parent_hierarchy_node_id for each document in the mapping."""
-    _cleanup_test_data(db_session)
-
-    source_node = ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
-    upserted = upsert_hierarchy_nodes_batch(
-        db_session=db_session,
-        nodes=_make_hierarchy_nodes(),
-        source=TEST_SOURCE,
-        commit=True,
-        is_connector_public=False,
-    )
-    node_id_by_raw = {n.raw_node_id: n.id for n in upserted}
-
-    # Create documents with no parent set
-    docs = _create_test_documents(db_session)
-    for doc in docs:
-        assert doc.parent_hierarchy_node_id is None
-
-    # Build resolved map (same logic as _resolve_and_update_document_parents)
-    resolved: dict[str, int | None] = {}
-    for doc_id, raw_parent in DOC_PARENT_MAP.items():
-        resolved[doc_id] = node_id_by_raw.get(raw_parent, source_node.id)
-
-    updated = update_document_parent_hierarchy_nodes(
-        db_session=db_session,
-        doc_parent_map=resolved,
-        commit=True,
-    )
-    assert updated == len(SLIM_DOC_IDS)
-
-    # Verify each document now points to the correct hierarchy node
-    db_session.expire_all()
-    for doc_id, raw_parent in DOC_PARENT_MAP.items():
-        tmp_doc = db_session.get(DbDocument, doc_id)
-        assert tmp_doc is not None
-        doc = tmp_doc
-        expected_node_id = node_id_by_raw[raw_parent]
-        assert (
-            doc.parent_hierarchy_node_id == expected_node_id
-        ), f"Document {doc_id} should point to node for {raw_parent}"
-
-
-def test_update_document_parent_is_idempotent(db_session: Session) -> None:
-    """Running update_document_parent_hierarchy_nodes a second time with the
-    same mapping should update zero rows."""
-    _cleanup_test_data(db_session)
-
-    ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
-    upserted = upsert_hierarchy_nodes_batch(
-        db_session=db_session,
-        nodes=_make_hierarchy_nodes(),
-        source=TEST_SOURCE,
-        commit=True,
-        is_connector_public=False,
-    )
-    node_id_by_raw = {n.raw_node_id: n.id for n in upserted}
-    _create_test_documents(db_session)
-
-    resolved: dict[str, int | None] = {
-        doc_id: node_id_by_raw[raw_parent]
-        for doc_id, raw_parent in DOC_PARENT_MAP.items()
-    }
-
-    first_updated = update_document_parent_hierarchy_nodes(
-        db_session=db_session,
-        doc_parent_map=resolved,
-        commit=True,
-    )
-    assert first_updated == len(SLIM_DOC_IDS)
-
-    second_updated = update_document_parent_hierarchy_nodes(
-        db_session=db_session,
-        doc_parent_map=resolved,
-        commit=True,
-    )
-    assert second_updated == 0
-
-
-def test_link_hierarchy_nodes_to_documents_for_confluence(
-    db_session: Session,
-) -> None:
-    """For sources in SOURCES_WITH_HIERARCHY_NODE_DOCUMENTS (e.g. Confluence),
-    link_hierarchy_nodes_to_documents should set HierarchyNode.document_id
-    when a hierarchy node's raw_node_id matches a document ID."""
-    _cleanup_test_data(db_session)
-    confluence_source = DocumentSource.CONFLUENCE
-
-    # Clean up any existing Confluence hierarchy nodes
-    db_session.query(DBHierarchyNode).filter(
-        DBHierarchyNode.source == confluence_source
-    ).delete()
-    db_session.commit()
-
-    ensure_source_node_exists(db_session, confluence_source, commit=True)
-
-    # Create a hierarchy node whose raw_node_id matches a document ID
-    page_node_id = "confluence-page-123"
-    nodes = [
-        PydanticHierarchyNode(
-            raw_node_id=page_node_id,
-            raw_parent_id=None,
-            display_name="Test Page",
-            link="https://wiki.example.com/page/123",
-            node_type=HierarchyNodeType.PAGE,
-        ),
-    ]
-    upsert_hierarchy_nodes_batch(
-        db_session=db_session,
-        nodes=nodes,
-        source=confluence_source,
-        commit=True,
-        is_connector_public=False,
-    )
-
-    # Verify the node exists but has no document_id yet
-    db_node = get_hierarchy_node_by_raw_id(db_session, page_node_id, confluence_source)
-    assert db_node is not None
-    assert db_node.document_id is None
-
-    # Create a document with the same ID as the hierarchy node
-    doc = DbDocument(
-        id=page_node_id,
-        semantic_id="Test Page",
-        kg_stage=KGStage.NOT_STARTED,
-    )
-    db_session.add(doc)
-    db_session.commit()
-
-    # Link nodes to documents
-    linked = link_hierarchy_nodes_to_documents(
-        db_session=db_session,
-        document_ids=[page_node_id],
-        source=confluence_source,
-        commit=True,
-    )
-    assert linked == 1
-
-    # Verify the hierarchy node now has document_id set
-    db_session.expire_all()
-    db_node = get_hierarchy_node_by_raw_id(db_session, page_node_id, confluence_source)
-    assert db_node is not None
-    assert db_node.document_id == page_node_id
-
-    # Cleanup
-    db_session.query(DbDocument).filter(DbDocument.id == page_node_id).delete()
-    db_session.query(DBHierarchyNode).filter(
-        DBHierarchyNode.source == confluence_source
-    ).delete()
-    db_session.commit()
-
-
-def test_link_hierarchy_nodes_skips_non_hierarchy_sources(
-    db_session: Session,
-) -> None:
-    """link_hierarchy_nodes_to_documents should return 0 for sources that
-    don't support hierarchy-node-as-document (e.g. Slack, Google Drive)."""
-    linked = link_hierarchy_nodes_to_documents(
-        db_session=db_session,
-        document_ids=SLIM_DOC_IDS,
-        source=TEST_SOURCE,  # Slack — not in SOURCES_WITH_HIERARCHY_NODE_DOCUMENTS
-        commit=False,
-    )
-    assert linked == 0

backend/tests/external_dependency_unit/llm/test_llm_provider_auto_mode.py

@@ -698,99 +698,6 @@ class TestAutoModeMissingFlows:
 class TestAutoModeTransitionsAndResync:
     """Tests for auto/manual transitions, config evolution, and sync idempotency."""
 
-    def test_transition_to_auto_mode_preserves_default(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """When the default provider transitions from manual to auto mode,
-        the global default should be preserved (set to the recommended model).
-
-        Steps:
-        1. Create a manual-mode provider with models, set it as global default.
-        2. Transition to auto mode (model_configurations=[] triggers cascade
-           delete of old ModelConfigurations and their LLMModelFlow rows).
-        3. Verify the provider is still the global default, now using the
-           recommended default model from the GitHub config.
-        """
-        initial_models = [
-            ModelConfigurationUpsertRequest(name="gpt-4o", is_visible=True),
-            ModelConfigurationUpsertRequest(name="gpt-4o-mini", is_visible=True),
-        ]
-
-        auto_config = _create_mock_llm_recommendations(
-            provider=LlmProviderNames.OPENAI,
-            default_model_name="gpt-4o-mini",
-            additional_models=["gpt-4o"],
-        )
-
-        try:
-            # Step 1: Create manual-mode provider and set as default
-            put_llm_provider(
-                llm_provider_upsert_request=LLMProviderUpsertRequest(
-                    name=provider_name,
-                    provider=LlmProviderNames.OPENAI,
-                    api_key="sk-test-key-00000000000000000000000000000000000",
-                    api_key_changed=True,
-                    is_auto_mode=False,
-                    model_configurations=initial_models,
-                ),
-                is_creation=True,
-                _=_create_mock_admin(),
-                db_session=db_session,
-            )
-
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            update_default_provider(provider.id, "gpt-4o", db_session)
-
-            default_before = fetch_default_llm_model(db_session)
-            assert default_before is not None
-            assert default_before.name == "gpt-4o"
-            assert default_before.llm_provider_id == provider.id
-
-            # Step 2: Transition to auto mode
-            with patch(
-                "onyx.server.manage.llm.api.fetch_llm_recommendations_from_github",
-                return_value=auto_config,
-            ):
-                put_llm_provider(
-                    llm_provider_upsert_request=LLMProviderUpsertRequest(
-                        id=provider.id,
-                        name=provider_name,
-                        provider=LlmProviderNames.OPENAI,
-                        api_key=None,
-                        api_key_changed=False,
-                        is_auto_mode=True,
-                        model_configurations=[],
-                    ),
-                    is_creation=False,
-                    _=_create_mock_admin(),
-                    db_session=db_session,
-                )
-
-            # Step 3: Default should be preserved on this provider
-            db_session.expire_all()
-            default_after = fetch_default_llm_model(db_session)
-            assert default_after is not None, (
-                "Default model should not be None after transitioning to auto mode — "
-                "the provider was the default before and should remain so"
-            )
-            assert (
-                default_after.llm_provider_id == provider.id
-            ), "Default should still belong to the same provider after transition"
-            assert default_after.name == "gpt-4o-mini", (
-                f"Default should be updated to the recommended model 'gpt-4o-mini', "
-                f"got '{default_after.name}'"
-            )
-
-        finally:
-            db_session.rollback()
-            _cleanup_provider(db_session, provider_name)
-
     def test_auto_to_manual_mode_preserves_models_and_stops_syncing(
         self,
         db_session: Session,
@@ -1135,195 +1042,14 @@ class TestAutoModeTransitionsAndResync:
             assert visibility["gpt-4o"] is False, "Removed default should be hidden"
             assert visibility["gpt-4o-mini"] is True, "New default should be visible"
 
-            # The old default (gpt-4o) is now hidden. sync_auto_mode_models
-            # should update the global default to the new recommended default
-            # (gpt-4o-mini) so that it is not silently lost.
+            # The LLMModelFlow row for gpt-4o still exists (is_default=True),
+            # but the model is hidden. fetch_default_llm_model filters on
+            # is_visible=True, so it should NOT return gpt-4o.
             db_session.expire_all()
             default_after = fetch_default_llm_model(db_session)
-            assert default_after is not None, (
-                "Default model should not be None — sync should set the new "
-                "recommended default when the old one is hidden"
-            )
-            assert default_after.name == "gpt-4o-mini", (
-                f"Default should be updated to the new recommended model "
-                f"'gpt-4o-mini', but got '{default_after.name}'"
-            )
-
-        finally:
-            db_session.rollback()
-            _cleanup_provider(db_session, provider_name)
-
-    def test_sync_updates_default_when_recommended_default_changes(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """When the provider owns the CHAT default and a sync arrives with a
-        different recommended default model (both models still in config),
-        the global default should be updated to the new recommendation.
-
-        Steps:
-        1. Create auto-mode provider with config v1: default=gpt-4o.
-        2. Set gpt-4o as the global CHAT default.
-        3. Re-sync with config v2: default=gpt-4o-mini (gpt-4o still present).
-        4. Verify the CHAT default switched to gpt-4o-mini and both models
-           remain visible.
-        """
-        config_v1 = _create_mock_llm_recommendations(
-            provider=LlmProviderNames.OPENAI,
-            default_model_name="gpt-4o",
-            additional_models=["gpt-4o-mini"],
-        )
-        config_v2 = _create_mock_llm_recommendations(
-            provider=LlmProviderNames.OPENAI,
-            default_model_name="gpt-4o-mini",
-            additional_models=["gpt-4o"],
-        )
-
-        try:
-            with patch(
-                "onyx.server.manage.llm.api.fetch_llm_recommendations_from_github",
-                return_value=config_v1,
-            ):
-                put_llm_provider(
-                    llm_provider_upsert_request=LLMProviderUpsertRequest(
-                        name=provider_name,
-                        provider=LlmProviderNames.OPENAI,
-                        api_key="sk-test-key-00000000000000000000000000000000000",
-                        api_key_changed=True,
-                        is_auto_mode=True,
-                        model_configurations=[],
-                    ),
-                    is_creation=True,
-                    _=_create_mock_admin(),
-                    db_session=db_session,
-                )
-
-            # Set gpt-4o as the global CHAT default
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            update_default_provider(provider.id, "gpt-4o", db_session)
-
-            default_before = fetch_default_llm_model(db_session)
-            assert default_before is not None
-            assert default_before.name == "gpt-4o"
-
-            # Re-sync with config v2 (recommended default changed)
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-
-            changes = sync_auto_mode_models(
-                db_session=db_session,
-                provider=provider,
-                llm_recommendations=config_v2,
-            )
-            assert changes > 0, "Sync should report changes when default switches"
-
-            # Both models should remain visible
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            visibility = {
-                mc.name: mc.is_visible for mc in provider.model_configurations
-            }
-            assert visibility["gpt-4o"] is True
-            assert visibility["gpt-4o-mini"] is True
-
-            # The CHAT default should now be gpt-4o-mini
-            default_after = fetch_default_llm_model(db_session)
-            assert default_after is not None
             assert (
-                default_after.name == "gpt-4o-mini"
-            ), f"Default should be updated to 'gpt-4o-mini', got '{default_after.name}'"
-
-        finally:
-            db_session.rollback()
-            _cleanup_provider(db_session, provider_name)
-
-    def test_sync_idempotent_when_default_already_matches(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """When the provider owns the CHAT default and it already matches the
-        recommended default, re-syncing should report zero changes.
-
-        This is a regression test for the bug where changes was unconditionally
-        incremented even when the default was already correct.
-        """
-        config = _create_mock_llm_recommendations(
-            provider=LlmProviderNames.OPENAI,
-            default_model_name="gpt-4o",
-            additional_models=["gpt-4o-mini"],
-        )
-
-        try:
-            with patch(
-                "onyx.server.manage.llm.api.fetch_llm_recommendations_from_github",
-                return_value=config,
-            ):
-                put_llm_provider(
-                    llm_provider_upsert_request=LLMProviderUpsertRequest(
-                        name=provider_name,
-                        provider=LlmProviderNames.OPENAI,
-                        api_key="sk-test-key-00000000000000000000000000000000000",
-                        api_key_changed=True,
-                        is_auto_mode=True,
-                        model_configurations=[],
-                    ),
-                    is_creation=True,
-                    _=_create_mock_admin(),
-                    db_session=db_session,
-                )
-
-            # Set gpt-4o (the recommended default) as global CHAT default
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            update_default_provider(provider.id, "gpt-4o", db_session)
-
-            # First sync to stabilize state
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            sync_auto_mode_models(
-                db_session=db_session,
-                provider=provider,
-                llm_recommendations=config,
-            )
-
-            # Second sync — default already matches, should be a no-op
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            changes = sync_auto_mode_models(
-                db_session=db_session,
-                provider=provider,
-                llm_recommendations=config,
-            )
-            assert changes == 0, (
-                f"Expected 0 changes when default already matches recommended, "
-                f"got {changes}"
-            )
-
-            # Default should still be gpt-4o
-            default_model = fetch_default_llm_model(db_session)
-            assert default_model is not None
-            assert default_model.name == "gpt-4o"
+                default_after is None or default_after.name != "gpt-4o"
+            ), "Hidden model should not be returned as the default"
 
         finally:
             db_session.rollback()

backend/tests/external_dependency_unit/llm/test_llm_provider_default_model_protection.py

@@ -1,220 +0,0 @@
-"""
-This should act as the main point of reference for testing that default model
-logic is consisten.
-
- -
-"""
-
-from collections.abc import Generator
-from uuid import uuid4
-
-import pytest
-from sqlalchemy.orm import Session
-
-from onyx.db.llm import fetch_existing_llm_provider
-from onyx.db.llm import remove_llm_provider
-from onyx.db.llm import update_default_provider
-from onyx.db.llm import update_default_vision_provider
-from onyx.db.llm import upsert_llm_provider
-from onyx.llm.constants import LlmProviderNames
-from onyx.server.manage.llm.models import LLMProviderUpsertRequest
-from onyx.server.manage.llm.models import LLMProviderView
-from onyx.server.manage.llm.models import ModelConfigurationUpsertRequest
-
-
-def _create_test_provider(
-    db_session: Session,
-    name: str,
-    models: list[ModelConfigurationUpsertRequest] | None = None,
-) -> LLMProviderView:
-    """Helper to create a test LLM provider with multiple models."""
-    if models is None:
-        models = [
-            ModelConfigurationUpsertRequest(
-                name="gpt-4o", is_visible=True, supports_image_input=True
-            ),
-            ModelConfigurationUpsertRequest(
-                name="gpt-4o-mini", is_visible=True, supports_image_input=False
-            ),
-        ]
-    return upsert_llm_provider(
-        LLMProviderUpsertRequest(
-            name=name,
-            provider=LlmProviderNames.OPENAI,
-            api_key="sk-test-key-00000000000000000000000000000000000",
-            api_key_changed=True,
-            model_configurations=models,
-        ),
-        db_session=db_session,
-    )
-
-
-def _cleanup_provider(db_session: Session, name: str) -> None:
-    """Helper to clean up a test provider by name."""
-    provider = fetch_existing_llm_provider(name=name, db_session=db_session)
-    if provider:
-        remove_llm_provider(db_session, provider.id)
-
-
-@pytest.fixture
-def provider_name(db_session: Session) -> Generator[str, None, None]:
-    """Generate a unique provider name for each test, with automatic cleanup."""
-    name = f"test-provider-{uuid4().hex[:8]}"
-    yield name
-    db_session.rollback()
-    _cleanup_provider(db_session, name)
-
-
-class TestDefaultModelProtection:
-    """Tests that the default model cannot be removed or hidden."""
-
-    def test_cannot_remove_default_text_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Removing the default text model from a provider should raise ValueError."""
-        provider = _create_test_provider(db_session, provider_name)
-        update_default_provider(provider.id, "gpt-4o", db_session)
-
-        # Try to update the provider without the default model
-        with pytest.raises(ValueError, match="Cannot remove the default model"):
-            upsert_llm_provider(
-                LLMProviderUpsertRequest(
-                    id=provider.id,
-                    name=provider_name,
-                    provider=LlmProviderNames.OPENAI,
-                    api_key="sk-test-key-00000000000000000000000000000000000",
-                    api_key_changed=True,
-                    model_configurations=[
-                        ModelConfigurationUpsertRequest(
-                            name="gpt-4o-mini", is_visible=True
-                        ),
-                    ],
-                ),
-                db_session=db_session,
-            )
-
-    def test_cannot_hide_default_text_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Setting is_visible=False on the default text model should raise ValueError."""
-        provider = _create_test_provider(db_session, provider_name)
-        update_default_provider(provider.id, "gpt-4o", db_session)
-
-        # Try to hide the default model
-        with pytest.raises(ValueError, match="Cannot hide the default model"):
-            upsert_llm_provider(
-                LLMProviderUpsertRequest(
-                    id=provider.id,
-                    name=provider_name,
-                    provider=LlmProviderNames.OPENAI,
-                    api_key="sk-test-key-00000000000000000000000000000000000",
-                    api_key_changed=True,
-                    model_configurations=[
-                        ModelConfigurationUpsertRequest(
-                            name="gpt-4o", is_visible=False
-                        ),
-                        ModelConfigurationUpsertRequest(
-                            name="gpt-4o-mini", is_visible=True
-                        ),
-                    ],
-                ),
-                db_session=db_session,
-            )
-
-    def test_cannot_remove_default_vision_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Removing the default vision model from a provider should raise ValueError."""
-        provider = _create_test_provider(db_session, provider_name)
-        # Set gpt-4o as both the text and vision default
-        update_default_provider(provider.id, "gpt-4o", db_session)
-        update_default_vision_provider(provider.id, "gpt-4o", db_session)
-
-        # Try to remove the default vision model
-        with pytest.raises(ValueError, match="Cannot remove the default model"):
-            upsert_llm_provider(
-                LLMProviderUpsertRequest(
-                    id=provider.id,
-                    name=provider_name,
-                    provider=LlmProviderNames.OPENAI,
-                    api_key="sk-test-key-00000000000000000000000000000000000",
-                    api_key_changed=True,
-                    model_configurations=[
-                        ModelConfigurationUpsertRequest(
-                            name="gpt-4o-mini", is_visible=True
-                        ),
-                    ],
-                ),
-                db_session=db_session,
-            )
-
-    def test_can_remove_non_default_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Removing a non-default model should succeed."""
-        provider = _create_test_provider(db_session, provider_name)
-        update_default_provider(provider.id, "gpt-4o", db_session)
-
-        # Remove gpt-4o-mini (not default) — should succeed
-        updated = upsert_llm_provider(
-            LLMProviderUpsertRequest(
-                id=provider.id,
-                name=provider_name,
-                provider=LlmProviderNames.OPENAI,
-                api_key="sk-test-key-00000000000000000000000000000000000",
-                api_key_changed=True,
-                model_configurations=[
-                    ModelConfigurationUpsertRequest(
-                        name="gpt-4o", is_visible=True, supports_image_input=True
-                    ),
-                ],
-            ),
-            db_session=db_session,
-        )
-
-        model_names = {mc.name for mc in updated.model_configurations}
-        assert "gpt-4o" in model_names
-        assert "gpt-4o-mini" not in model_names
-
-    def test_can_hide_non_default_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Hiding a non-default model should succeed."""
-        provider = _create_test_provider(db_session, provider_name)
-        update_default_provider(provider.id, "gpt-4o", db_session)
-
-        # Hide gpt-4o-mini (not default) — should succeed
-        updated = upsert_llm_provider(
-            LLMProviderUpsertRequest(
-                id=provider.id,
-                name=provider_name,
-                provider=LlmProviderNames.OPENAI,
-                api_key="sk-test-key-00000000000000000000000000000000000",
-                api_key_changed=True,
-                model_configurations=[
-                    ModelConfigurationUpsertRequest(
-                        name="gpt-4o", is_visible=True, supports_image_input=True
-                    ),
-                    ModelConfigurationUpsertRequest(
-                        name="gpt-4o-mini", is_visible=False
-                    ),
-                ],
-            ),
-            db_session=db_session,
-        )
-
-        model_visibility = {
-            mc.name: mc.is_visible for mc in updated.model_configurations
-        }
-        assert model_visibility["gpt-4o"] is True
-        assert model_visibility["gpt-4o-mini"] is False

backend/tests/external_dependency_unit/search_settings/test_search_settings.py

@@ -11,7 +11,6 @@ from onyx.context.search.models import SavedSearchSettings
 from onyx.context.search.models import SearchSettingsCreationRequest
 from onyx.db.enums import EmbeddingPrecision
 from onyx.db.llm import fetch_default_contextual_rag_model
-from onyx.db.llm import fetch_existing_llm_provider
 from onyx.db.llm import update_default_contextual_model
 from onyx.db.llm import upsert_llm_provider
 from onyx.db.models import IndexModelStatus
@@ -38,8 +37,6 @@ def _create_llm_provider_and_model(
     model_name: str,
 ) -> None:
     """Insert an LLM provider with a single visible model configuration."""
-    if fetch_existing_llm_provider(name=provider_name, db_session=db_session):
-        return
     upsert_llm_provider(
         LLMProviderUpsertRequest(
             name=provider_name,
@@ -149,8 +146,8 @@ def baseline_search_settings(
     )
 
 
+@pytest.mark.skip(reason="Set new search settings is temporarily disabled.")
 @patch("onyx.db.swap_index.get_all_document_indices")
-@patch("onyx.server.manage.search_settings.get_all_document_indices")
 @patch("onyx.server.manage.search_settings.get_default_document_index")
 @patch("onyx.indexing.indexing_pipeline.get_llm_for_contextual_rag")
 @patch("onyx.indexing.indexing_pipeline.index_doc_batch_with_handler")
@@ -158,7 +155,6 @@ def test_indexing_pipeline_uses_contextual_rag_settings_from_create(
     mock_index_handler: MagicMock,
     mock_get_llm: MagicMock,
     mock_get_doc_index: MagicMock,  # noqa: ARG001
-    mock_get_all_doc_indices_search_settings: MagicMock,  # noqa: ARG001
     mock_get_all_doc_indices: MagicMock,
     baseline_search_settings: None,  # noqa: ARG001
     db_session: Session,
@@ -200,8 +196,8 @@ def test_indexing_pipeline_uses_contextual_rag_settings_from_create(
     )
 
 
+@pytest.mark.skip(reason="Set new search settings is temporarily disabled.")
 @patch("onyx.db.swap_index.get_all_document_indices")
-@patch("onyx.server.manage.search_settings.get_all_document_indices")
 @patch("onyx.server.manage.search_settings.get_default_document_index")
 @patch("onyx.indexing.indexing_pipeline.get_llm_for_contextual_rag")
 @patch("onyx.indexing.indexing_pipeline.index_doc_batch_with_handler")
@@ -209,7 +205,6 @@ def test_indexing_pipeline_uses_updated_contextual_rag_settings(
     mock_index_handler: MagicMock,
     mock_get_llm: MagicMock,
     mock_get_doc_index: MagicMock,  # noqa: ARG001
-    mock_get_all_doc_indices_search_settings: MagicMock,  # noqa: ARG001
     mock_get_all_doc_indices: MagicMock,
     baseline_search_settings: None,  # noqa: ARG001
     db_session: Session,
@@ -271,7 +266,7 @@ def test_indexing_pipeline_uses_updated_contextual_rag_settings(
     )
 
 
-@patch("onyx.server.manage.search_settings.get_all_document_indices")
+@pytest.mark.skip(reason="Set new search settings is temporarily disabled.")
 @patch("onyx.server.manage.search_settings.get_default_document_index")
 @patch("onyx.indexing.indexing_pipeline.get_llm_for_contextual_rag")
 @patch("onyx.indexing.indexing_pipeline.index_doc_batch_with_handler")
@@ -279,7 +274,6 @@ def test_indexing_pipeline_skips_llm_when_contextual_rag_disabled(
     mock_index_handler: MagicMock,
     mock_get_llm: MagicMock,
     mock_get_doc_index: MagicMock,  # noqa: ARG001
-    mock_get_all_doc_indices_search_settings: MagicMock,  # noqa: ARG001
     baseline_search_settings: None,  # noqa: ARG001
     db_session: Session,
 ) -> None:

backend/tests/external_dependency_unit/tools/test_oauth_config_crud.py

@@ -21,8 +21,6 @@ from onyx.db.oauth_config import get_tools_by_oauth_config
 from onyx.db.oauth_config import get_user_oauth_token
 from onyx.db.oauth_config import update_oauth_config
 from onyx.db.oauth_config import upsert_user_oauth_token
-from onyx.db.tools import delete_tool__no_commit
-from onyx.db.tools import update_tool
 from tests.external_dependency_unit.conftest import create_test_user
 
 
@@ -314,85 +312,6 @@ class TestOAuthConfigCRUD:
         # Tool should still exist but oauth_config_id should be NULL
         assert tool.oauth_config_id is None
 
-    def test_update_tool_cleans_up_orphaned_oauth_config(
-        self, db_session: Session
-    ) -> None:
-        """Test that changing a tool's oauth_config_id deletes the old config if no other tool uses it."""
-        old_config = _create_test_oauth_config(db_session)
-        new_config = _create_test_oauth_config(db_session)
-        tool = _create_test_tool_with_oauth(db_session, old_config)
-        old_config_id = old_config.id
-
-        update_tool(
-            tool_id=tool.id,
-            name=None,
-            description=None,
-            openapi_schema=None,
-            custom_headers=None,
-            user_id=None,
-            db_session=db_session,
-            passthrough_auth=None,
-            oauth_config_id=new_config.id,
-        )
-
-        assert tool.oauth_config_id == new_config.id
-        assert get_oauth_config(old_config_id, db_session) is None
-
-    def test_delete_tool_cleans_up_orphaned_oauth_config(
-        self, db_session: Session
-    ) -> None:
-        """Test that deleting the last tool referencing an OAuthConfig also deletes the config."""
-        config = _create_test_oauth_config(db_session)
-        tool = _create_test_tool_with_oauth(db_session, config)
-        config_id = config.id
-
-        delete_tool__no_commit(tool.id, db_session)
-        db_session.commit()
-
-        assert get_oauth_config(config_id, db_session) is None
-
-    def test_update_tool_preserves_shared_oauth_config(
-        self, db_session: Session
-    ) -> None:
-        """Test that updating one tool's oauth_config_id preserves the config when another tool still uses it."""
-        shared_config = _create_test_oauth_config(db_session)
-        new_config = _create_test_oauth_config(db_session)
-        tool_a = _create_test_tool_with_oauth(db_session, shared_config)
-        tool_b = _create_test_tool_with_oauth(db_session, shared_config)
-        shared_config_id = shared_config.id
-
-        # Move tool_a to a new config; tool_b still references shared_config
-        update_tool(
-            tool_id=tool_a.id,
-            name=None,
-            description=None,
-            openapi_schema=None,
-            custom_headers=None,
-            user_id=None,
-            db_session=db_session,
-            passthrough_auth=None,
-            oauth_config_id=new_config.id,
-        )
-
-        assert tool_a.oauth_config_id == new_config.id
-        assert tool_b.oauth_config_id == shared_config_id
-        assert get_oauth_config(shared_config_id, db_session) is not None
-
-    def test_delete_tool_preserves_shared_oauth_config(
-        self, db_session: Session
-    ) -> None:
-        """Test that deleting one tool preserves the config when another tool still uses it."""
-        shared_config = _create_test_oauth_config(db_session)
-        tool_a = _create_test_tool_with_oauth(db_session, shared_config)
-        tool_b = _create_test_tool_with_oauth(db_session, shared_config)
-        shared_config_id = shared_config.id
-
-        delete_tool__no_commit(tool_a.id, db_session)
-        db_session.commit()
-
-        assert tool_b.oauth_config_id == shared_config_id
-        assert get_oauth_config(shared_config_id, db_session) is not None
-
 
 class TestOAuthUserTokenCRUD:
     """Tests for OAuth user token CRUD operations"""

backend/tests/integration/tests/search_settings/test_search_settings.py

@@ -1,3 +1,4 @@
+import pytest
 import requests
 
 from tests.integration.common_utils.constants import API_SERVER_URL
@@ -364,6 +365,7 @@ def test_update_contextual_rag_missing_model_name(
     assert "Provider name and model name are required" in response.json()["detail"]
 
 
+@pytest.mark.skip(reason="Set new search settings is temporarily disabled.")
 def test_set_new_search_settings_with_contextual_rag(
     reset: None,  # noqa: ARG001
     admin_user: DATestUser,
@@ -392,6 +394,7 @@ def test_set_new_search_settings_with_contextual_rag(
     _cancel_new_embedding(admin_user)
 
 
+@pytest.mark.skip(reason="Set new search settings is temporarily disabled.")
 def test_set_new_search_settings_without_contextual_rag(
     reset: None,  # noqa: ARG001
     admin_user: DATestUser,
@@ -416,6 +419,7 @@ def test_set_new_search_settings_without_contextual_rag(
     _cancel_new_embedding(admin_user)
 
 
+@pytest.mark.skip(reason="Set new search settings is temporarily disabled.")
 def test_set_new_then_update_inference_settings(
     reset: None,  # noqa: ARG001
     admin_user: DATestUser,
@@ -453,6 +457,7 @@ def test_set_new_then_update_inference_settings(
     _cancel_new_embedding(admin_user)
 
 
+@pytest.mark.skip(reason="Set new search settings is temporarily disabled.")
 def test_set_new_search_settings_replaces_previous_secondary(
     reset: None,  # noqa: ARG001
     admin_user: DATestUser,

backend/tests/unit/ee/onyx/server/settings/test_license_enforcement_settings.py

@@ -281,10 +281,9 @@ class TestApplyLicenseStatusToSettings:
         }
 
 
-class TestSettingsDefaults:
-    """Verify Settings model defaults for CE deployments."""
+class TestSettingsDefaultEEDisabled:
+    """Verify the Settings model defaults ee_features_enabled to False."""
 
     def test_default_ee_features_disabled(self) -> None:
-        """CE default: ee_features_enabled is False."""
         settings = Settings()
         assert settings.ee_features_enabled is False

backend/tests/unit/onyx/chat/test_llm_loop.py

@@ -2,6 +2,7 @@
 
 import pytest
 
+from onyx.chat.llm_loop import _should_keep_bedrock_tool_definitions
 from onyx.chat.llm_loop import _try_fallback_tool_extraction
 from onyx.chat.llm_loop import construct_message_history
 from onyx.chat.models import ChatLoadedFile
@@ -13,11 +14,22 @@ from onyx.chat.models import LlmStepResult
 from onyx.chat.models import ToolCallSimple
 from onyx.configs.constants import MessageType
 from onyx.file_store.models import ChatFileType
+from onyx.llm.constants import LlmProviderNames
 from onyx.llm.interfaces import ToolChoiceOptions
 from onyx.server.query_and_chat.placement import Placement
 from onyx.tools.models import ToolCallKickoff
 
 
+class _StubConfig:
+    def __init__(self, model_provider: str) -> None:
+        self.model_provider = model_provider
+
+
+class _StubLLM:
+    def __init__(self, model_provider: str) -> None:
+        self.config = _StubConfig(model_provider=model_provider)
+
+
 def create_message(
     content: str, message_type: MessageType, token_count: int | None = None
 ) -> ChatMessageSimple:
@@ -934,6 +946,37 @@ class TestForgottenFileMetadata:
             assert "moby_dick.txt" in forgotten.message
 
 
+class TestBedrockToolConfigGuard:
+    def test_bedrock_with_tool_history_keeps_tool_definitions(self) -> None:
+        llm = _StubLLM(LlmProviderNames.BEDROCK)
+        history = [
+            create_message("Question", MessageType.USER, 5),
+            create_assistant_with_tool_call("tc_1", "search", 5),
+            create_tool_response("tc_1", "Tool output", 5),
+        ]
+
+        assert _should_keep_bedrock_tool_definitions(llm, history) is True
+
+    def test_bedrock_without_tool_history_does_not_keep_tool_definitions(self) -> None:
+        llm = _StubLLM(LlmProviderNames.BEDROCK)
+        history = [
+            create_message("Question", MessageType.USER, 5),
+            create_message("Answer", MessageType.ASSISTANT, 5),
+        ]
+
+        assert _should_keep_bedrock_tool_definitions(llm, history) is False
+
+    def test_non_bedrock_with_tool_history_does_not_keep_tool_definitions(self) -> None:
+        llm = _StubLLM(LlmProviderNames.OPENAI)
+        history = [
+            create_message("Question", MessageType.USER, 5),
+            create_assistant_with_tool_call("tc_1", "search", 5),
+            create_tool_response("tc_1", "Tool output", 5),
+        ]
+
+        assert _should_keep_bedrock_tool_definitions(llm, history) is False
+
+
 class TestFallbackToolExtraction:
     def _tool_defs(self) -> list[dict]:
         return [

backend/tests/unit/onyx/chat/test_llm_step.py

@@ -8,6 +8,7 @@ from onyx.chat.llm_step import _extract_tool_call_kickoffs
 from onyx.chat.llm_step import _increment_turns
 from onyx.chat.llm_step import _parse_tool_args_to_dict
 from onyx.chat.llm_step import _resolve_tool_arguments
+from onyx.chat.llm_step import _sanitize_llm_output
 from onyx.chat.llm_step import _XmlToolCallContentFilter
 from onyx.chat.llm_step import extract_tool_calls_from_response_text
 from onyx.chat.llm_step import translate_history_to_llm_format
@@ -20,49 +21,48 @@ from onyx.llm.models import AssistantMessage
 from onyx.llm.models import ToolMessage
 from onyx.llm.models import UserMessage
 from onyx.server.query_and_chat.placement import Placement
-from onyx.utils.postgres_sanitization import sanitize_string
 
 
 class TestSanitizeLlmOutput:
-    """Tests for the sanitize_string function."""
+    """Tests for the _sanitize_llm_output function."""
 
     def test_removes_null_bytes(self) -> None:
         """Test that NULL bytes are removed from strings."""
-        assert sanitize_string("hello\x00world") == "helloworld"
-        assert sanitize_string("\x00start") == "start"
-        assert sanitize_string("end\x00") == "end"
-        assert sanitize_string("\x00\x00\x00") == ""
+        assert _sanitize_llm_output("hello\x00world") == "helloworld"
+        assert _sanitize_llm_output("\x00start") == "start"
+        assert _sanitize_llm_output("end\x00") == "end"
+        assert _sanitize_llm_output("\x00\x00\x00") == ""
 
     def test_removes_surrogates(self) -> None:
         """Test that UTF-16 surrogates are removed from strings."""
         # Low surrogate
-        assert sanitize_string("hello\ud800world") == "helloworld"
+        assert _sanitize_llm_output("hello\ud800world") == "helloworld"
         # High surrogate
-        assert sanitize_string("hello\udfffworld") == "helloworld"
+        assert _sanitize_llm_output("hello\udfffworld") == "helloworld"
         # Middle of surrogate range
-        assert sanitize_string("test\uda00value") == "testvalue"
+        assert _sanitize_llm_output("test\uda00value") == "testvalue"
 
     def test_removes_mixed_bad_characters(self) -> None:
         """Test removal of both NULL bytes and surrogates together."""
-        assert sanitize_string("a\x00b\ud800c\udfffd") == "abcd"
+        assert _sanitize_llm_output("a\x00b\ud800c\udfffd") == "abcd"
 
     def test_preserves_valid_unicode(self) -> None:
         """Test that valid Unicode characters are preserved."""
         # Emojis
-        assert sanitize_string("hello 👋 world") == "hello 👋 world"
+        assert _sanitize_llm_output("hello 👋 world") == "hello 👋 world"
         # Chinese characters
-        assert sanitize_string("你好世界") == "你好世界"
+        assert _sanitize_llm_output("你好世界") == "你好世界"
         # Mixed scripts
-        assert sanitize_string("Hello мир 世界") == "Hello мир 世界"
+        assert _sanitize_llm_output("Hello мир 世界") == "Hello мир 世界"
 
     def test_empty_string(self) -> None:
         """Test that empty strings are handled correctly."""
-        assert sanitize_string("") == ""
+        assert _sanitize_llm_output("") == ""
 
     def test_normal_ascii(self) -> None:
         """Test that normal ASCII strings pass through unchanged."""
-        assert sanitize_string("hello world") == "hello world"
-        assert sanitize_string('{"key": "value"}') == '{"key": "value"}'
+        assert _sanitize_llm_output("hello world") == "hello world"
+        assert _sanitize_llm_output('{"key": "value"}') == '{"key": "value"}'
 
 
 class TestParseToolArgsToDict:

backend/tests/unit/onyx/chat/test_save_chat_files.py

@@ -1,13 +1,10 @@
-"""Tests for save_chat.py.
+"""Tests for _extract_referenced_file_descriptors in save_chat.py.
 
-Covers _extract_referenced_file_descriptors and sanitization in save_chat_turn.
+Verifies that only code interpreter generated files actually referenced
+in the assistant's message text are extracted as FileDescriptors for
+cross-turn persistence.
 """
 
-from unittest.mock import MagicMock
-
-from pytest import MonkeyPatch
-
-from onyx.chat import save_chat
 from onyx.chat.save_chat import _extract_referenced_file_descriptors
 from onyx.file_store.models import ChatFileType
 from onyx.tools.models import PythonExecutionFile
@@ -32,9 +29,6 @@ def _make_tool_call_info(
     )
 
 
-# ---- _extract_referenced_file_descriptors tests ----
-
-
 def test_returns_empty_when_no_generated_files() -> None:
     tool_call = _make_tool_call_info(generated_files=None)
     result = _extract_referenced_file_descriptors([tool_call], "some message")
@@ -182,34 +176,3 @@ def test_skips_tool_calls_without_generated_files() -> None:
 
     assert len(result) == 1
     assert result[0]["id"] == file_id
-
-
-# ---- save_chat_turn sanitization test ----
-
-
-def test_save_chat_turn_sanitizes_message_and_reasoning(
-    monkeypatch: MonkeyPatch,
-) -> None:
-    mock_tokenizer = MagicMock()
-    mock_tokenizer.encode.return_value = [1, 2, 3]
-    monkeypatch.setattr(save_chat, "get_tokenizer", lambda *_a, **_kw: mock_tokenizer)
-
-    mock_msg = MagicMock()
-    mock_msg.id = 1
-    mock_msg.chat_session_id = "test"
-    mock_msg.files = None
-
-    mock_session = MagicMock()
-
-    save_chat.save_chat_turn(
-        message_text="hello\x00world\ud800",
-        reasoning_tokens="think\x00ing\udfff",
-        tool_calls=[],
-        citation_to_doc={},
-        all_search_docs={},
-        db_session=mock_session,
-        assistant_message=mock_msg,
-    )
-
-    assert mock_msg.message == "helloworld"
-    assert mock_msg.reasoning_tokens == "thinking"

backend/tests/unit/onyx/db/test_tools.py

@@ -1,27 +0,0 @@
-from unittest.mock import MagicMock
-from uuid import uuid4
-
-from onyx.db import tools as tools_mod
-
-
-def test_create_tool_call_no_commit_sanitizes_fields() -> None:
-    mock_session = MagicMock()
-
-    tool_call = tools_mod.create_tool_call_no_commit(
-        chat_session_id=uuid4(),
-        parent_chat_message_id=1,
-        turn_number=0,
-        tool_id=1,
-        tool_call_id="tc-1",
-        tool_call_arguments={"task\x00": "research\ud800 topic"},
-        tool_call_response="report\x00 text\udfff here",
-        tool_call_tokens=10,
-        db_session=mock_session,
-        reasoning_tokens="reason\x00ing\ud800",
-        generated_images=[{"url": "img\x00.png\udfff"}],
-    )
-
-    assert tool_call.tool_call_response == "report text here"
-    assert tool_call.reasoning_tokens == "reasoning"
-    assert tool_call.tool_call_arguments == {"task": "research topic"}
-    assert tool_call.generated_images == [{"url": "img.png"}]

backend/tests/unit/onyx/indexing/test_postgres_sanitization.py

@@ -9,79 +9,8 @@ from onyx.connectors.models import IndexAttemptMetadata
 from onyx.connectors.models import TextSection
 from onyx.db.enums import HierarchyNodeType
 from onyx.indexing import indexing_pipeline
-from onyx.utils.postgres_sanitization import sanitize_document_for_postgres
-from onyx.utils.postgres_sanitization import sanitize_hierarchy_node_for_postgres
-from onyx.utils.postgres_sanitization import sanitize_json_like
-from onyx.utils.postgres_sanitization import sanitize_string
-
-
-# ---- sanitize_string tests ----
-
-
-def test_sanitize_string_strips_nul_bytes() -> None:
-    assert sanitize_string("hello\x00world") == "helloworld"
-    assert sanitize_string("\x00\x00\x00") == ""
-    assert sanitize_string("clean") == "clean"
-
-
-def test_sanitize_string_strips_high_surrogates() -> None:
-    assert sanitize_string("before\ud800after") == "beforeafter"
-    assert sanitize_string("a\udbffb") == "ab"
-
-
-def test_sanitize_string_strips_low_surrogates() -> None:
-    assert sanitize_string("before\udc00after") == "beforeafter"
-    assert sanitize_string("a\udfffb") == "ab"
-
-
-def test_sanitize_string_strips_nul_and_surrogates_together() -> None:
-    assert sanitize_string("he\x00llo\ud800 wo\udfffrld\x00") == "hello world"
-
-
-def test_sanitize_string_preserves_valid_unicode() -> None:
-    assert sanitize_string("café ☕ 日本語 😀") == "café ☕ 日本語 😀"
-
-
-def test_sanitize_string_empty_input() -> None:
-    assert sanitize_string("") == ""
-
-
-# ---- sanitize_json_like tests ----
-
-
-def test_sanitize_json_like_handles_plain_string() -> None:
-    assert sanitize_json_like("he\x00llo\ud800") == "hello"
-
-
-def test_sanitize_json_like_handles_nested_dict() -> None:
-    dirty = {
-        "ke\x00y": "va\ud800lue",
-        "nested": {"inne\x00r": "de\udfffep"},
-    }
-    assert sanitize_json_like(dirty) == {
-        "key": "value",
-        "nested": {"inner": "deep"},
-    }
-
-
-def test_sanitize_json_like_handles_list_with_surrogates() -> None:
-    dirty = ["a\x00", "b\ud800", {"c\udc00": "d\udfff"}]
-    assert sanitize_json_like(dirty) == ["a", "b", {"c": "d"}]
-
-
-def test_sanitize_json_like_handles_tuple() -> None:
-    dirty = ("a\x00", "b\ud800")
-    assert sanitize_json_like(dirty) == ("a", "b")
-
-
-def test_sanitize_json_like_passes_through_non_strings() -> None:
-    assert sanitize_json_like(42) == 42
-    assert sanitize_json_like(3.14) == 3.14
-    assert sanitize_json_like(True) is True
-    assert sanitize_json_like(None) is None
-
-
-# ---- sanitize_document_for_postgres tests ----
+from onyx.indexing.postgres_sanitization import sanitize_document_for_postgres
+from onyx.indexing.postgres_sanitization import sanitize_hierarchy_node_for_postgres
 
 
 def test_sanitize_document_for_postgres_removes_nul_bytes() -> None:

backend/tests/unit/onyx/llm/test_multi_llm.py

@@ -1214,218 +1214,3 @@ def test_multithreaded_invoke_without_custom_config_skips_env_lock() -> None:
 
     # The env lock context manager should never have been called
     mock_env_lock.assert_not_called()
-
-
-# ---- Tests for Bedrock tool content stripping ----
-
-
-def test_messages_contain_tool_content_with_tool_role() -> None:
-    from onyx.llm.multi_llm import _messages_contain_tool_content
-
-    messages: list[dict[str, Any]] = [
-        {"role": "user", "content": "Hello"},
-        {"role": "assistant", "content": "I'll search for that."},
-        {"role": "tool", "content": "search results", "tool_call_id": "tc_1"},
-    ]
-    assert _messages_contain_tool_content(messages) is True
-
-
-def test_messages_contain_tool_content_with_tool_calls() -> None:
-    from onyx.llm.multi_llm import _messages_contain_tool_content
-
-    messages: list[dict[str, Any]] = [
-        {"role": "user", "content": "Hello"},
-        {
-            "role": "assistant",
-            "content": None,
-            "tool_calls": [
-                {
-                    "id": "tc_1",
-                    "type": "function",
-                    "function": {"name": "search", "arguments": "{}"},
-                }
-            ],
-        },
-    ]
-    assert _messages_contain_tool_content(messages) is True
-
-
-def test_messages_contain_tool_content_without_tools() -> None:
-    from onyx.llm.multi_llm import _messages_contain_tool_content
-
-    messages: list[dict[str, Any]] = [
-        {"role": "user", "content": "Hello"},
-        {"role": "assistant", "content": "Hi there!"},
-    ]
-    assert _messages_contain_tool_content(messages) is False
-
-
-def test_strip_tool_content_converts_assistant_tool_calls_to_text() -> None:
-    from onyx.llm.multi_llm import _strip_tool_content_from_messages
-
-    messages: list[dict[str, Any]] = [
-        {"role": "user", "content": "Search for cats"},
-        {
-            "role": "assistant",
-            "content": "Let me search.",
-            "tool_calls": [
-                {
-                    "id": "tc_1",
-                    "type": "function",
-                    "function": {
-                        "name": "search",
-                        "arguments": '{"query": "cats"}',
-                    },
-                }
-            ],
-        },
-        {
-            "role": "tool",
-            "content": "Found 3 results about cats.",
-            "tool_call_id": "tc_1",
-        },
-        {"role": "assistant", "content": "Here are the results."},
-    ]
-
-    result = _strip_tool_content_from_messages(messages)
-
-    assert len(result) == 4
-
-    # First message unchanged
-    assert result[0] == {"role": "user", "content": "Search for cats"}
-
-    # Assistant with tool calls → plain text
-    assert result[1]["role"] == "assistant"
-    assert "tool_calls" not in result[1]
-    assert "Let me search." in result[1]["content"]
-    assert "[Tool Call]" in result[1]["content"]
-    assert "search" in result[1]["content"]
-    assert "tc_1" in result[1]["content"]
-
-    # Tool response → user message
-    assert result[2]["role"] == "user"
-    assert "[Tool Result]" in result[2]["content"]
-    assert "tc_1" in result[2]["content"]
-    assert "Found 3 results about cats." in result[2]["content"]
-
-    # Final assistant message unchanged
-    assert result[3] == {"role": "assistant", "content": "Here are the results."}
-
-
-def test_strip_tool_content_handles_assistant_with_no_text_content() -> None:
-    from onyx.llm.multi_llm import _strip_tool_content_from_messages
-
-    messages: list[dict[str, Any]] = [
-        {
-            "role": "assistant",
-            "content": None,
-            "tool_calls": [
-                {
-                    "id": "tc_1",
-                    "type": "function",
-                    "function": {"name": "search", "arguments": "{}"},
-                }
-            ],
-        },
-    ]
-
-    result = _strip_tool_content_from_messages(messages)
-    assert result[0]["role"] == "assistant"
-    assert "[Tool Call]" in result[0]["content"]
-    assert "tool_calls" not in result[0]
-
-
-def test_strip_tool_content_passes_through_non_tool_messages() -> None:
-    from onyx.llm.multi_llm import _strip_tool_content_from_messages
-
-    messages: list[dict[str, Any]] = [
-        {"role": "system", "content": "You are helpful."},
-        {"role": "user", "content": "Hello"},
-        {"role": "assistant", "content": "Hi!"},
-    ]
-
-    result = _strip_tool_content_from_messages(messages)
-    assert result == messages
-
-
-def test_strip_tool_content_handles_list_content_blocks() -> None:
-    from onyx.llm.multi_llm import _strip_tool_content_from_messages
-
-    messages: list[dict[str, Any]] = [
-        {
-            "role": "assistant",
-            "content": [{"type": "text", "text": "Searching now."}],
-            "tool_calls": [
-                {
-                    "id": "tc_1",
-                    "type": "function",
-                    "function": {"name": "search", "arguments": "{}"},
-                }
-            ],
-        },
-        {
-            "role": "tool",
-            "content": [
-                {"type": "text", "text": "result A"},
-                {"type": "text", "text": "result B"},
-            ],
-            "tool_call_id": "tc_1",
-        },
-    ]
-
-    result = _strip_tool_content_from_messages(messages)
-
-    # Assistant: list content flattened + tool call appended
-    assert result[0]["role"] == "assistant"
-    assert "Searching now." in result[0]["content"]
-    assert "[Tool Call]" in result[0]["content"]
-    assert isinstance(result[0]["content"], str)
-
-    # Tool: list content flattened into user message
-    assert result[1]["role"] == "user"
-    assert "result A" in result[1]["content"]
-    assert "result B" in result[1]["content"]
-    assert isinstance(result[1]["content"], str)
-
-
-def test_strip_tool_content_merges_consecutive_tool_results() -> None:
-    """Bedrock requires strict user/assistant alternation. Multiple parallel
-    tool results must be merged into a single user message."""
-    from onyx.llm.multi_llm import _strip_tool_content_from_messages
-
-    messages: list[dict[str, Any]] = [
-        {"role": "user", "content": "weather and news?"},
-        {
-            "role": "assistant",
-            "content": None,
-            "tool_calls": [
-                {
-                    "id": "tc_1",
-                    "type": "function",
-                    "function": {"name": "search_weather", "arguments": "{}"},
-                },
-                {
-                    "id": "tc_2",
-                    "type": "function",
-                    "function": {"name": "search_news", "arguments": "{}"},
-                },
-            ],
-        },
-        {"role": "tool", "content": "sunny 72F", "tool_call_id": "tc_1"},
-        {"role": "tool", "content": "headline news", "tool_call_id": "tc_2"},
-        {"role": "assistant", "content": "Here are the results."},
-    ]
-
-    result = _strip_tool_content_from_messages(messages)
-
-    # user, assistant (flattened), user (merged tool results), assistant
-    assert len(result) == 4
-    roles = [m["role"] for m in result]
-    assert roles == ["user", "assistant", "user", "assistant"]
-
-    # Both tool results merged into one user message
-    merged = result[2]["content"]
-    assert "tc_1" in merged
-    assert "sunny 72F" in merged
-    assert "tc_2" in merged
-    assert "headline news" in merged

backend/tests/unit/onyx/server/manage/llm/test_fetch_models_api.py

@@ -10,8 +10,6 @@ from unittest.mock import patch
 
 import pytest
 
-from onyx.server.manage.llm.models import LMStudioFinalModelResponse
-from onyx.server.manage.llm.models import LMStudioModelsRequest
 from onyx.server.manage.llm.models import OllamaFinalModelResponse
 from onyx.server.manage.llm.models import OllamaModelsRequest
 from onyx.server.manage.llm.models import OpenRouterFinalModelResponse
@@ -319,298 +317,3 @@ class TestGetOpenRouterAvailableModels:
             # No DB operations should happen
             mock_session.execute.assert_not_called()
             mock_session.commit.assert_not_called()
-
-
-class TestGetLMStudioAvailableModels:
-    """Tests for the LM Studio model fetch endpoint."""
-
-    @pytest.fixture
-    def mock_lm_studio_response(self) -> dict:
-        """Mock response from LM Studio /api/v1/models endpoint."""
-        return {
-            "models": [
-                {
-                    "key": "lmstudio-community/Meta-Llama-3-8B",
-                    "type": "llm",
-                    "display_name": "Meta Llama 3 8B",
-                    "max_context_length": 8192,
-                    "capabilities": {"vision": False},
-                },
-                {
-                    "key": "lmstudio-community/Qwen2.5-VL-7B",
-                    "type": "llm",
-                    "display_name": "Qwen 2.5 VL 7B",
-                    "max_context_length": 32768,
-                    "capabilities": {"vision": True},
-                },
-                {
-                    "key": "text-embedding-nomic-embed-text-v1.5",
-                    "type": "embedding",
-                    "display_name": "Nomic Embed Text v1.5",
-                    "max_context_length": 2048,
-                    "capabilities": {},
-                },
-                {
-                    "key": "lmstudio-community/DeepSeek-R1-8B",
-                    "type": "llm",
-                    "display_name": "DeepSeek R1 8B",
-                    "max_context_length": 65536,
-                    "capabilities": {"vision": False},
-                },
-            ]
-        }
-
-    def test_returns_model_list(self, mock_lm_studio_response: dict) -> None:
-        """Test that endpoint returns properly formatted LLM-only model list."""
-        from onyx.server.manage.llm.api import get_lm_studio_available_models
-
-        mock_session = MagicMock()
-
-        with patch("onyx.server.manage.llm.api.httpx") as mock_httpx:
-            mock_response = MagicMock()
-            mock_response.json.return_value = mock_lm_studio_response
-            mock_response.raise_for_status = MagicMock()
-            mock_httpx.get.return_value = mock_response
-
-            request = LMStudioModelsRequest(api_base="http://localhost:1234")
-            results = get_lm_studio_available_models(request, MagicMock(), mock_session)
-
-            # Only LLM-type models should be returned (embedding filtered out)
-            assert len(results) == 3
-            assert all(isinstance(r, LMStudioFinalModelResponse) for r in results)
-            names = [r.name for r in results]
-            assert "text-embedding-nomic-embed-text-v1.5" not in names
-            # Results should be alphabetically sorted by model name
-            assert names == sorted(names, key=str.lower)
-
-    def test_infers_vision_support(self, mock_lm_studio_response: dict) -> None:
-        """Test that vision support is correctly read from capabilities."""
-        from onyx.server.manage.llm.api import get_lm_studio_available_models
-
-        mock_session = MagicMock()
-
-        with patch("onyx.server.manage.llm.api.httpx") as mock_httpx:
-            mock_response = MagicMock()
-            mock_response.json.return_value = mock_lm_studio_response
-            mock_response.raise_for_status = MagicMock()
-            mock_httpx.get.return_value = mock_response
-
-            request = LMStudioModelsRequest(api_base="http://localhost:1234")
-            results = get_lm_studio_available_models(request, MagicMock(), mock_session)
-
-            qwen = next(r for r in results if "Qwen" in r.display_name)
-            llama = next(r for r in results if "Llama" in r.display_name)
-
-            assert qwen.supports_image_input is True
-            assert llama.supports_image_input is False
-
-    def test_infers_reasoning_from_model_name(self) -> None:
-        """Test that reasoning is inferred from model name when not in capabilities."""
-        from onyx.server.manage.llm.api import get_lm_studio_available_models
-
-        mock_session = MagicMock()
-        response = {
-            "models": [
-                {
-                    "key": "lmstudio-community/DeepSeek-R1-8B",
-                    "type": "llm",
-                    "display_name": "DeepSeek R1 8B",
-                    "max_context_length": 65536,
-                    "capabilities": {},
-                },
-                {
-                    "key": "lmstudio-community/Meta-Llama-3-8B",
-                    "type": "llm",
-                    "display_name": "Meta Llama 3 8B",
-                    "max_context_length": 8192,
-                    "capabilities": {},
-                },
-            ]
-        }
-
-        with patch("onyx.server.manage.llm.api.httpx") as mock_httpx:
-            mock_response = MagicMock()
-            mock_response.json.return_value = response
-            mock_response.raise_for_status = MagicMock()
-            mock_httpx.get.return_value = mock_response
-
-            request = LMStudioModelsRequest(api_base="http://localhost:1234")
-            results = get_lm_studio_available_models(request, MagicMock(), mock_session)
-
-            deepseek = next(r for r in results if "DeepSeek" in r.display_name)
-            llama = next(r for r in results if "Llama" in r.display_name)
-
-            assert deepseek.supports_reasoning is True
-            assert llama.supports_reasoning is False
-
-    def test_uses_display_name_from_api(self, mock_lm_studio_response: dict) -> None:
-        """Test that display_name from the API is used directly."""
-        from onyx.server.manage.llm.api import get_lm_studio_available_models
-
-        mock_session = MagicMock()
-
-        with patch("onyx.server.manage.llm.api.httpx") as mock_httpx:
-            mock_response = MagicMock()
-            mock_response.json.return_value = mock_lm_studio_response
-            mock_response.raise_for_status = MagicMock()
-            mock_httpx.get.return_value = mock_response
-
-            request = LMStudioModelsRequest(api_base="http://localhost:1234")
-            results = get_lm_studio_available_models(request, MagicMock(), mock_session)
-
-            llama = next(r for r in results if "Llama" in r.name)
-            assert llama.display_name == "Meta Llama 3 8B"
-            assert llama.max_input_tokens == 8192
-
-    def test_strips_trailing_v1_from_api_base(self) -> None:
-        """Test that /v1 suffix is stripped before building the native API URL."""
-        from onyx.server.manage.llm.api import get_lm_studio_available_models
-
-        mock_session = MagicMock()
-        response = {
-            "models": [
-                {
-                    "key": "test-model",
-                    "type": "llm",
-                    "display_name": "Test",
-                    "max_context_length": 4096,
-                    "capabilities": {},
-                },
-            ]
-        }
-
-        with patch("onyx.server.manage.llm.api.httpx") as mock_httpx:
-            mock_response = MagicMock()
-            mock_response.json.return_value = response
-            mock_response.raise_for_status = MagicMock()
-            mock_httpx.get.return_value = mock_response
-
-            request = LMStudioModelsRequest(api_base="http://localhost:1234/v1")
-            get_lm_studio_available_models(request, MagicMock(), mock_session)
-
-            # Should hit /api/v1/models, not /v1/api/v1/models
-            mock_httpx.get.assert_called_once()
-            called_url = mock_httpx.get.call_args[0][0]
-            assert called_url == "http://localhost:1234/api/v1/models"
-
-    def test_falls_back_to_stored_api_key(self) -> None:
-        """Test that stored API key is used when api_key_changed is False."""
-        from onyx.server.manage.llm.api import get_lm_studio_available_models
-
-        mock_session = MagicMock()
-        mock_provider = MagicMock()
-        mock_provider.custom_config = {"LM_STUDIO_API_KEY": "stored-secret"}
-
-        response = {
-            "models": [
-                {
-                    "key": "test-model",
-                    "type": "llm",
-                    "display_name": "Test",
-                    "max_context_length": 4096,
-                    "capabilities": {},
-                },
-            ]
-        }
-
-        with (
-            patch("onyx.server.manage.llm.api.httpx") as mock_httpx,
-            patch(
-                "onyx.server.manage.llm.api.fetch_existing_llm_provider",
-                return_value=mock_provider,
-            ),
-        ):
-            mock_response = MagicMock()
-            mock_response.json.return_value = response
-            mock_response.raise_for_status = MagicMock()
-            mock_httpx.get.return_value = mock_response
-
-            request = LMStudioModelsRequest(
-                api_base="http://localhost:1234",
-                api_key="masked-value",
-                api_key_changed=False,
-                provider_name="my-lm-studio",
-            )
-            get_lm_studio_available_models(request, MagicMock(), mock_session)
-
-            headers = mock_httpx.get.call_args[1]["headers"]
-            assert headers["Authorization"] == "Bearer stored-secret"
-
-    def test_uses_submitted_api_key_when_changed(self) -> None:
-        """Test that submitted API key is used when api_key_changed is True."""
-        from onyx.server.manage.llm.api import get_lm_studio_available_models
-
-        mock_session = MagicMock()
-        response = {
-            "models": [
-                {
-                    "key": "test-model",
-                    "type": "llm",
-                    "display_name": "Test",
-                    "max_context_length": 4096,
-                    "capabilities": {},
-                },
-            ]
-        }
-
-        with patch("onyx.server.manage.llm.api.httpx") as mock_httpx:
-            mock_response = MagicMock()
-            mock_response.json.return_value = response
-            mock_response.raise_for_status = MagicMock()
-            mock_httpx.get.return_value = mock_response
-
-            request = LMStudioModelsRequest(
-                api_base="http://localhost:1234",
-                api_key="new-secret",
-                api_key_changed=True,
-                provider_name="my-lm-studio",
-            )
-            get_lm_studio_available_models(request, MagicMock(), mock_session)
-
-            headers = mock_httpx.get.call_args[1]["headers"]
-            assert headers["Authorization"] == "Bearer new-secret"
-
-    def test_raises_on_empty_models(self) -> None:
-        """Test that an error is raised when no models are returned."""
-        from onyx.error_handling.exceptions import OnyxError
-        from onyx.server.manage.llm.api import get_lm_studio_available_models
-
-        mock_session = MagicMock()
-
-        with patch("onyx.server.manage.llm.api.httpx") as mock_httpx:
-            mock_response = MagicMock()
-            mock_response.json.return_value = {"models": []}
-            mock_response.raise_for_status = MagicMock()
-            mock_httpx.get.return_value = mock_response
-
-            request = LMStudioModelsRequest(api_base="http://localhost:1234")
-            with pytest.raises(OnyxError):
-                get_lm_studio_available_models(request, MagicMock(), mock_session)
-
-    def test_raises_on_only_non_llm_models(self) -> None:
-        """Test that an error is raised when all models are non-LLM type."""
-        from onyx.error_handling.exceptions import OnyxError
-        from onyx.server.manage.llm.api import get_lm_studio_available_models
-
-        mock_session = MagicMock()
-        response = {
-            "models": [
-                {
-                    "key": "embedding-model",
-                    "type": "embedding",
-                    "display_name": "Embedding",
-                    "max_context_length": 2048,
-                    "capabilities": {},
-                },
-            ]
-        }
-
-        with patch("onyx.server.manage.llm.api.httpx") as mock_httpx:
-            mock_response = MagicMock()
-            mock_response.json.return_value = response
-            mock_response.raise_for_status = MagicMock()
-            mock_httpx.get.return_value = mock_response
-
-            request = LMStudioModelsRequest(api_base="http://localhost:1234")
-            with pytest.raises(OnyxError):
-                get_lm_studio_available_models(request, MagicMock(), mock_session)

backend/tests/unit/onyx/tools/tool_implementations/open_url/test_snippet_finding.py

@@ -1,7 +1,6 @@
 from __future__ import annotations
 
 import json
-import unicodedata  # used to verify NFC expansion test preconditions
 from pathlib import Path
 
 import pytest
@@ -159,47 +158,3 @@ def test_snippet_finding(test_data: TestSchema) -> None:
         f"end_idx mismatch: expected {test_data.expected_result.expected_end_idx}, "
         f"got {result.end_idx}"
     )
-
-
-# Characters confirmed to expand from 1 → 2 codepoints under NFC
-NFC_EXPANDING_CHARS = [
-    ("\u0958", "Devanagari letter qa"),
-    ("\u0959", "Devanagari letter khha"),
-    ("\u095a", "Devanagari letter ghha"),
-]
-
-
-@pytest.mark.parametrize(
-    "char,description",
-    NFC_EXPANDING_CHARS,
-)
-def test_nfc_expanding_char_snippet_match(char: str, description: str) -> None:
-    """Snippet matching should produce valid indices for content
-    containing characters that expand under NFC normalization."""
-    nfc = unicodedata.normalize("NFC", char)
-    if len(nfc) <= 1:
-        pytest.skip(f"{description} does not expand under NFC on this platform")
-
-    content = f"before {char} after"
-    snippet = f"{char} after"
-
-    result = find_snippet_in_content(content, snippet)
-
-    assert result.snippet_located, f"[{description}] Snippet should be found in content"
-    assert (
-        0 <= result.start_idx < len(content)
-    ), f"[{description}] start_idx {result.start_idx} out of bounds"
-    assert (
-        0 <= result.end_idx < len(content)
-    ), f"[{description}] end_idx {result.end_idx} out of bounds"
-    assert (
-        result.start_idx <= result.end_idx
-    ), f"[{description}] start_idx {result.start_idx} > end_idx {result.end_idx}"
-
-    matched = content[result.start_idx : result.end_idx + 1]
-    matched_nfc = unicodedata.normalize("NFC", matched)
-    snippet_nfc = unicodedata.normalize("NFC", snippet)
-    assert snippet_nfc in matched_nfc or matched_nfc in snippet_nfc, (
-        f"[{description}] Matched span '{matched}' does not overlap "
-        f"with expected snippet '{snippet}'"
-    )

cli/.gitignore

@@ -1,3 +0,0 @@
-onyx-cli
-cli
-onyx.cli

cli/README.md

@@ -1,118 +0,0 @@
-# Onyx CLI
-
-A terminal interface for chatting with your [Onyx](https://github.com/onyx-dot-app/onyx) agent. Built with Go using [Bubble Tea](https://github.com/charmbracelet/bubbletea) for the TUI framework.
-
-## Installation
-
-```shell
-pip install onyx-cli
-```
-
-Or with uv:
-
-```shell
-uv pip install onyx-cli
-```
-
-## Setup
-
-Run the interactive setup:
-
-```shell
-onyx-cli configure
-```
-
-This prompts for your Onyx server URL and API key, tests the connection, and saves config to `~/.config/onyx-cli/config.json`.
-
-Environment variables override config file values:
-
-| Variable | Required | Description |
-|----------|----------|-------------|
-| `ONYX_SERVER_URL` | No | Server base URL (default: `http://localhost:3000`) |
-| `ONYX_API_KEY` | Yes | API key for authentication |
-| `ONYX_PERSONA_ID` | No | Default agent/persona ID |
-
-## Usage
-
-### Interactive chat (default)
-
-```shell
-onyx-cli
-```
-
-### One-shot question
-
-```shell
-onyx-cli ask "What is our company's PTO policy?"
-onyx-cli ask --agent-id 5 "Summarize this topic"
-onyx-cli ask --json "Hello"
-```
-
-| Flag | Description |
-|------|-------------|
-| `--agent-id <int>` | Agent ID to use (overrides default) |
-| `--json` | Output raw NDJSON events instead of plain text |
-
-### List agents
-
-```shell
-onyx-cli agents
-onyx-cli agents --json
-```
-
-## Commands
-
-| Command | Description |
-|---------|-------------|
-| `chat` | Launch the interactive chat TUI (default) |
-| `ask` | Ask a one-shot question (non-interactive) |
-| `agents` | List available agents |
-| `configure` | Configure server URL and API key |
-
-## Slash Commands (in TUI)
-
-| Command | Description |
-|---------|-------------|
-| `/help` | Show help message |
-| `/new` | Start a new chat session |
-| `/agent` | List and switch agents |
-| `/attach <path>` | Attach a file to next message |
-| `/sessions` | List recent chat sessions |
-| `/clear` | Clear the chat display |
-| `/configure` | Re-run connection setup |
-| `/connectors` | Open connectors in browser |
-| `/settings` | Open settings in browser |
-| `/quit` | Exit Onyx CLI |
-
-## Keyboard Shortcuts
-
-| Key | Action |
-|-----|--------|
-| `Enter` | Send message |
-| `Escape` | Cancel current generation |
-| `Ctrl+O` | Toggle source citations |
-| `Ctrl+D` | Quit (press twice) |
-| `Scroll` / `Shift+Up/Down` | Scroll chat history |
-| `Page Up` / `Page Down` | Scroll half page |
-
-## Building from Source
-
-Requires [Go 1.24+](https://go.dev/dl/).
-
-```shell
-cd cli
-go build -o onyx-cli .
-```
-
-## Development
-
-```shell
-# Run tests
-go test ./...
-
-# Build
-go build -o onyx-cli .
-
-# Lint
-staticcheck ./...
-```

cli/cmd/agents.go

@@ -1,63 +0,0 @@
-package cmd
-
-import (
-	"encoding/json"
-	"fmt"
-	"text/tabwriter"
-
-	"github.com/onyx-dot-app/onyx/cli/internal/api"
-	"github.com/onyx-dot-app/onyx/cli/internal/config"
-	"github.com/spf13/cobra"
-)
-
-func newAgentsCmd() *cobra.Command {
-	var agentsJSON bool
-
-	cmd := &cobra.Command{
-		Use:   "agents",
-		Short: "List available agents",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			cfg := config.Load()
-			if !cfg.IsConfigured() {
-				return fmt.Errorf("onyx CLI is not configured — run 'onyx-cli configure' first")
-			}
-
-			client := api.NewClient(cfg)
-			agents, err := client.ListAgents(cmd.Context())
-			if err != nil {
-				return fmt.Errorf("failed to list agents: %w", err)
-			}
-
-			if agentsJSON {
-				data, err := json.MarshalIndent(agents, "", "  ")
-				if err != nil {
-					return fmt.Errorf("failed to marshal agents: %w", err)
-				}
-				fmt.Println(string(data))
-				return nil
-			}
-
-			if len(agents) == 0 {
-				fmt.Println("No agents available.")
-				return nil
-			}
-
-			w := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 4, 2, ' ', 0)
-			_, _ = fmt.Fprintln(w, "ID\tNAME\tDESCRIPTION")
-			for _, a := range agents {
-				desc := a.Description
-				if len(desc) > 60 {
-					desc = desc[:57] + "..."
-				}
-				_, _ = fmt.Fprintf(w, "%d\t%s\t%s\n", a.ID, a.Name, desc)
-			}
-			_ = w.Flush()
-
-			return nil
-		},
-	}
-
-	cmd.Flags().BoolVar(&agentsJSON, "json", false, "Output agents as JSON")
-
-	return cmd
-}

cli/cmd/ask.go

@@ -1,124 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-	"os/signal"
-	"syscall"
-
-	"github.com/onyx-dot-app/onyx/cli/internal/api"
-	"github.com/onyx-dot-app/onyx/cli/internal/config"
-	"github.com/onyx-dot-app/onyx/cli/internal/models"
-	"github.com/spf13/cobra"
-)
-
-func newAskCmd() *cobra.Command {
-	var (
-		askAgentID int
-		askJSON    bool
-	)
-
-	cmd := &cobra.Command{
-		Use:   "ask [question]",
-		Short: "Ask a one-shot question (non-interactive)",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			cfg := config.Load()
-			if !cfg.IsConfigured() {
-				return fmt.Errorf("onyx CLI is not configured — run 'onyx-cli configure' first")
-			}
-
-			question := args[0]
-			agentID := cfg.DefaultAgentID
-			if cmd.Flags().Changed("agent-id") {
-				agentID = askAgentID
-			}
-
-			ctx, stop := signal.NotifyContext(cmd.Context(), os.Interrupt, syscall.SIGTERM)
-			defer stop()
-
-			client := api.NewClient(cfg)
-			parentID := -1
-			ch := client.SendMessageStream(
-				ctx,
-				question,
-				nil,
-				agentID,
-				&parentID,
-				nil,
-			)
-
-			var sessionID string
-			var lastErr error
-			gotStop := false
-			for event := range ch {
-				if e, ok := event.(models.SessionCreatedEvent); ok {
-					sessionID = e.ChatSessionID
-				}
-
-				if askJSON {
-					wrapped := struct {
-						Type  string             `json:"type"`
-						Event models.StreamEvent `json:"event"`
-					}{
-						Type:  event.EventType(),
-						Event: event,
-					}
-					data, err := json.Marshal(wrapped)
-					if err != nil {
-						return fmt.Errorf("error marshaling event: %w", err)
-					}
-					fmt.Println(string(data))
-					if _, ok := event.(models.ErrorEvent); ok {
-						lastErr = fmt.Errorf("%s", event.(models.ErrorEvent).Error)
-					}
-					if _, ok := event.(models.StopEvent); ok {
-						gotStop = true
-					}
-					continue
-				}
-
-				switch e := event.(type) {
-				case models.MessageDeltaEvent:
-					fmt.Print(e.Content)
-				case models.ErrorEvent:
-					return fmt.Errorf("%s", e.Error)
-				case models.StopEvent:
-					fmt.Println()
-					return nil
-				}
-			}
-
-			if ctx.Err() != nil {
-				if sessionID != "" {
-					client.StopChatSession(context.Background(), sessionID)
-				}
-				if !askJSON {
-					fmt.Println()
-				}
-				return nil
-			}
-
-			if lastErr != nil {
-				return lastErr
-			}
-			if !gotStop {
-				if !askJSON {
-					fmt.Println()
-				}
-				return fmt.Errorf("stream ended unexpectedly")
-			}
-			if !askJSON {
-				fmt.Println()
-			}
-			return nil
-		},
-	}
-
-	cmd.Flags().IntVar(&askAgentID, "agent-id", 0, "Agent ID to use")
-	cmd.Flags().BoolVar(&askJSON, "json", false, "Output raw JSON events")
-	// Suppress cobra's default error/usage on RunE errors
-	return cmd
-}

cli/cmd/chat.go

@@ -1,33 +0,0 @@
-package cmd
-
-import (
-	tea "github.com/charmbracelet/bubbletea"
-	"github.com/onyx-dot-app/onyx/cli/internal/config"
-	"github.com/onyx-dot-app/onyx/cli/internal/onboarding"
-	"github.com/onyx-dot-app/onyx/cli/internal/tui"
-	"github.com/spf13/cobra"
-)
-
-func newChatCmd() *cobra.Command {
-	return &cobra.Command{
-		Use:   "chat",
-		Short: "Launch the interactive chat TUI (default)",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			cfg := config.Load()
-
-			// First-run: onboarding
-			if !config.ConfigExists() || !cfg.IsConfigured() {
-				result := onboarding.Run(&cfg)
-				if result == nil {
-					return nil
-				}
-				cfg = *result
-			}
-
-			m := tui.NewModel(cfg)
-			p := tea.NewProgram(m, tea.WithAltScreen(), tea.WithMouseCellMotion())
-			_, err := p.Run()
-			return err
-		},
-	}
-}

cli/cmd/configure.go

@@ -1,19 +0,0 @@
-package cmd
-
-import (
-	"github.com/onyx-dot-app/onyx/cli/internal/config"
-	"github.com/onyx-dot-app/onyx/cli/internal/onboarding"
-	"github.com/spf13/cobra"
-)
-
-func newConfigureCmd() *cobra.Command {
-	return &cobra.Command{
-		Use:   "configure",
-		Short: "Configure server URL and API key",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			cfg := config.Load()
-			onboarding.Run(&cfg)
-			return nil
-		},
-	}
-}

cli/cmd/root.go

@@ -1,40 +0,0 @@
-// Package cmd implements Cobra CLI commands for the Onyx CLI.
-package cmd
-
-import "github.com/spf13/cobra"
-
-// Version and Commit are set via ldflags at build time.
-var (
-	Version string
-	Commit  string
-)
-
-func fullVersion() string {
-	if Commit != "" && Commit != "none" && len(Commit) > 7 {
-		return Version + " (" + Commit[:7] + ")"
-	}
-	return Version
-}
-
-// Execute creates and runs the root command.
-func Execute() error {
-	rootCmd := &cobra.Command{
-		Use:     "onyx-cli",
-		Short:   "Terminal UI for chatting with Onyx",
-		Long:    "Onyx CLI — a terminal interface for chatting with your Onyx agent.",
-		Version: fullVersion(),
-	}
-
-	// Register subcommands
-	chatCmd := newChatCmd()
-	rootCmd.AddCommand(chatCmd)
-	rootCmd.AddCommand(newAskCmd())
-	rootCmd.AddCommand(newAgentsCmd())
-	rootCmd.AddCommand(newConfigureCmd())
-	rootCmd.AddCommand(newValidateConfigCmd())
-
-	// Default command is chat
-	rootCmd.RunE = chatCmd.RunE
-
-	return rootCmd.Execute()
-}

cli/cmd/validate.go

@@ -1,41 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-
-	"github.com/onyx-dot-app/onyx/cli/internal/api"
-	"github.com/onyx-dot-app/onyx/cli/internal/config"
-	"github.com/spf13/cobra"
-)
-
-func newValidateConfigCmd() *cobra.Command {
-	return &cobra.Command{
-		Use:   "validate-config",
-		Short: "Validate configuration and test server connection",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			// Check config file
-			if !config.ConfigExists() {
-				return fmt.Errorf("config file not found at %s\n  Run 'onyx-cli configure' to set up", config.ConfigFilePath())
-			}
-
-			cfg := config.Load()
-
-			// Check API key
-			if !cfg.IsConfigured() {
-				return fmt.Errorf("API key is missing\n  Run 'onyx-cli configure' to set up")
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Config:  %s\n", config.ConfigFilePath())
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Server:  %s\n", cfg.ServerURL)
-
-			// Test connection
-			client := api.NewClient(cfg)
-			if err := client.TestConnection(cmd.Context()); err != nil {
-				return fmt.Errorf("connection failed: %w", err)
-			}
-
-			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Status:  connected and authenticated")
-			return nil
-		},
-	}
-}

cli/go.mod

@@ -1,45 +0,0 @@
-module github.com/onyx-dot-app/onyx/cli
-
-go 1.26.0
-
-require (
-	github.com/charmbracelet/bubbles v0.20.0
-	github.com/charmbracelet/bubbletea v1.3.4
-	github.com/charmbracelet/glamour v0.8.0
-	github.com/charmbracelet/lipgloss v1.1.0
-	github.com/spf13/cobra v1.9.1
-	golang.org/x/term v0.30.0
-	golang.org/x/text v0.34.0
-)
-
-require (
-	github.com/alecthomas/chroma/v2 v2.14.0 // indirect
-	github.com/atotto/clipboard v0.1.4 // indirect
-	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
-	github.com/aymerick/douceur v0.2.0 // indirect
-	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
-	github.com/charmbracelet/x/ansi v0.8.0 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
-	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/dlclark/regexp2 v1.11.0 // indirect
-	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
-	github.com/gorilla/css v1.0.1 // indirect
-	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-localereader v0.0.1 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/microcosm-cc/bluemonday v1.0.27 // indirect
-	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
-	github.com/muesli/cancelreader v0.2.2 // indirect
-	github.com/muesli/reflow v0.3.0 // indirect
-	github.com/muesli/termenv v0.16.0 // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/yuin/goldmark v1.7.4 // indirect
-	github.com/yuin/goldmark-emoji v1.0.3 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-)

cli/go.sum

@@ -1,94 +0,0 @@
-github.com/alecthomas/assert/v2 v2.7.0 h1:QtqSACNS3tF7oasA8CU6A6sXZSBDqnm7RfpLl9bZqbE=
-github.com/alecthomas/assert/v2 v2.7.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
-github.com/alecthomas/chroma/v2 v2.14.0 h1:R3+wzpnUArGcQz7fCETQBzO5n9IMNi13iIs46aU4V9E=
-github.com/alecthomas/chroma/v2 v2.14.0/go.mod h1:QolEbTfmUHIMVpBqxeDnNBj2uoeI4EbYP4i6n68SG4I=
-github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=
-github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
-github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
-github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
-github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
-github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
-github.com/aymanbagabas/go-udiff v0.2.0 h1:TK0fH4MteXUDspT88n8CKzvK0X9O2xu9yQjWpi6yML8=
-github.com/aymanbagabas/go-udiff v0.2.0/go.mod h1:RE4Ex0qsGkTAJoQdQQCA0uG+nAzJO/pI/QwceO5fgrA=
-github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
-github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
-github.com/charmbracelet/bubbles v0.20.0 h1:jSZu6qD8cRQ6k9OMfR1WlM+ruM8fkPWkHvQWD9LIutE=
-github.com/charmbracelet/bubbles v0.20.0/go.mod h1:39slydyswPy+uVOHZ5x/GjwVAFkCsV8IIVy+4MhzwwU=
-github.com/charmbracelet/bubbletea v1.3.4 h1:kCg7B+jSCFPLYRA52SDZjr51kG/fMUEoPoZrkaDHyoI=
-github.com/charmbracelet/bubbletea v1.3.4/go.mod h1:dtcUCyCGEX3g9tosuYiut3MXgY/Jsv9nKVdibKKRRXo=
-github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
-github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
-github.com/charmbracelet/glamour v0.8.0 h1:tPrjL3aRcQbn++7t18wOpgLyl8wrOHUEDS7IZ68QtZs=
-github.com/charmbracelet/glamour v0.8.0/go.mod h1:ViRgmKkf3u5S7uakt2czJ272WSg2ZenlYEZXT2x7Bjw=
-github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
-github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
-github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
-github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
-github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd h1:vy0GVL4jeHEwG5YOXDmi86oYw2yuYUGqz6a8sLwg0X8=
-github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
-github.com/charmbracelet/x/exp/golden v0.0.0-20240815200342-61de596daa2b h1:MnAMdlwSltxJyULnrYbkZpp4k58Co7Tah3ciKhSNo0Q=
-github.com/charmbracelet/x/exp/golden v0.0.0-20240815200342-61de596daa2b/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
-github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
-github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
-github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
-github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
-github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
-github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
-github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
-github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
-github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
-github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
-github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
-github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
-github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
-github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
-github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
-github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
-github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
-github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
-github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
-github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
-github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8=
-github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
-github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
-github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
-github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
-github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
-github.com/yuin/goldmark v1.7.1/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
-github.com/yuin/goldmark v1.7.4 h1:BDXOHExt+A7gwPCJgPIIq7ENvceR7we7rOS9TNoLZeg=
-github.com/yuin/goldmark v1.7.4/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
-github.com/yuin/goldmark-emoji v1.0.3 h1:aLRkLHOuBR2czCY4R8olwMjID+tENfhyFDMCRhbIQY4=
-github.com/yuin/goldmark-emoji v1.0.3/go.mod h1:tTkZEbwu5wkPmgTcitqddVxY9osFZiavD+r4AzQrh1U=
-golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
-golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=