feat(permissions): update permission checks for creating personal access tokens and enhance UI with permission validation

feat(permissions): update permission identifiers for service accounts and bots management
feat(permissions): update permission checks for query history access
2026-04-14 19:32:53 +00:00 · 2026-04-11 18:15:42 +05:30 · 2026-04-11 17:51:50 +05:30 · 2026-04-11 17:45:41 +05:30 · 2026-04-10 10:35:29 +05:30 · 2026-04-09 17:56:13 +05:30
160 changed files with 5429 additions and 5149 deletions
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -13,7 +13,7 @@ permissions:
  id-token: write # zizmor: ignore[excessive-permissions]

 env:
-  EDGE_TAG: ${{ startsWith(github.ref_name, 'nightly-latest') || github.ref_name == 'edge' }}
+  EDGE_TAG: ${{ startsWith(github.ref_name, 'nightly-latest') }}

 jobs:
  # Determine which components to build based on the tag
@@ -156,7 +156,7 @@ jobs:
  check-version-tag:
    runs-on: ubuntu-slim
    timeout-minutes: 10
-    if: ${{ !startsWith(github.ref_name, 'nightly-latest') && github.ref_name != 'edge' && github.event_name != 'workflow_dispatch' }}
+    if: ${{ !startsWith(github.ref_name, 'nightly-latest') && github.event_name != 'workflow_dispatch' }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
--- a/backend/ee/onyx/db/user_group.py
+++ b/backend/ee/onyx/db/user_group.py
@@ -996,3 +996,72 @@ def set_group_permission__no_commit(

    db_session.flush()
    recompute_permissions_for_group__no_commit(group_id, db_session)
+
+
+def set_group_permissions_bulk__no_commit(
+    group_id: int,
+    desired_permissions: set[Permission],
+    granted_by: UUID,
+    db_session: Session,
+) -> list[Permission]:
+    """Set the full desired permission state for a group in one pass.
+
+    Enables permissions in `desired_permissions`, disables any toggleable
+    permission not in the set. Non-toggleable permissions are ignored.
+    Calls recompute once at the end. Does NOT commit.
+
+    Returns the resulting list of enabled permissions.
+    """
+
+    existing_grants = (
+        db_session.execute(
+            select(PermissionGrant)
+            .where(PermissionGrant.group_id == group_id)
+            .with_for_update()
+        )
+        .scalars()
+        .all()
+    )
+
+    grant_map: dict[Permission, PermissionGrant] = {
+        g.permission: g for g in existing_grants
+    }
+
+    # Enable desired permissions
+    for perm in desired_permissions:
+        existing = grant_map.get(perm)
+        if existing is not None:
+            if existing.is_deleted:
+                existing.is_deleted = False
+                existing.granted_by = granted_by
+                existing.granted_at = func.now()
+        else:
+            db_session.add(
+                PermissionGrant(
+                    group_id=group_id,
+                    permission=perm,
+                    grant_source=GrantSource.USER,
+                    granted_by=granted_by,
+                )
+            )
+
+    # Disable toggleable permissions not in the desired set
+    for perm, grant in grant_map.items():
+        if perm not in desired_permissions and not grant.is_deleted:
+            grant.is_deleted = True
+
+    db_session.flush()
+    recompute_permissions_for_group__no_commit(group_id, db_session)
+
+    # Return the resulting enabled set
+    return [
+        g.permission
+        for g in db_session.execute(
+            select(PermissionGrant).where(
+                PermissionGrant.group_id == group_id,
+                PermissionGrant.is_deleted.is_(False),
+            )
+        )
+        .scalars()
+        .all()
+    ]
--- a/backend/ee/onyx/server/query_history/api.py
+++ b/backend/ee/onyx/server/query_history/api.py
@@ -154,7 +154,7 @@ def snapshot_from_chat_session(
@router.get("/admin/chat-sessions")
 def admin_get_chat_sessions(
    user_id: UUID,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.READ_QUERY_HISTORY)),
    db_session: Session = Depends(get_session),
 ) -> ChatSessionsResponse:
    # we specifically don't allow this endpoint if "anonymized" since
@@ -197,7 +197,7 @@ def get_chat_session_history(
    feedback_type: QAFeedbackType | None = None,
    start_time: datetime | None = None,
    end_time: datetime | None = None,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.READ_QUERY_HISTORY)),
    db_session: Session = Depends(get_session),
 ) -> PaginatedReturn[ChatSessionMinimal]:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
@@ -235,7 +235,7 @@ def get_chat_session_history(
@router.get("/admin/chat-session-history/{chat_session_id}")
 def get_chat_session_admin(
    chat_session_id: UUID,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.READ_QUERY_HISTORY)),
    db_session: Session = Depends(get_session),
 ) -> ChatSessionSnapshot:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
@@ -270,7 +270,7 @@ def get_chat_session_admin(

@router.get("/admin/query-history/list")
 def list_all_query_history_exports(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.READ_QUERY_HISTORY)),
    db_session: Session = Depends(get_session),
 ) -> list[QueryHistoryExport]:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
@@ -298,7 +298,7 @@ def list_all_query_history_exports(

@router.post("/admin/query-history/start-export", tags=PUBLIC_API_TAGS)
 def start_query_history_export(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.READ_QUERY_HISTORY)),
    db_session: Session = Depends(get_session),
    start: datetime | None = None,
    end: datetime | None = None,
@@ -345,7 +345,7 @@ def start_query_history_export(
@router.get("/admin/query-history/export-status", tags=PUBLIC_API_TAGS)
 def get_query_history_export_status(
    request_id: str,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.READ_QUERY_HISTORY)),
    db_session: Session = Depends(get_session),
 ) -> dict[str, str]:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
@@ -379,7 +379,7 @@ def get_query_history_export_status(
@router.get("/admin/query-history/download", tags=PUBLIC_API_TAGS)
 def download_query_history_csv(
    request_id: str,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.READ_QUERY_HISTORY)),
    db_session: Session = Depends(get_session),
 ) -> StreamingResponse:
    ensure_query_history_is_enabled(disallowed=[QueryHistoryType.DISABLED])
--- a/backend/ee/onyx/server/user_group/api.py
+++ b/backend/ee/onyx/server/user_group/api.py
@@ -13,20 +13,21 @@ from ee.onyx.db.user_group import fetch_user_groups_for_user
 from ee.onyx.db.user_group import insert_user_group
 from ee.onyx.db.user_group import prepare_user_group_for_deletion
 from ee.onyx.db.user_group import rename_user_group
-from ee.onyx.db.user_group import set_group_permission__no_commit
+from ee.onyx.db.user_group import set_group_permissions_bulk__no_commit
 from ee.onyx.db.user_group import update_user_curator_relationship
 from ee.onyx.db.user_group import update_user_group
 from ee.onyx.server.user_group.models import AddUsersToUserGroupRequest
+from ee.onyx.server.user_group.models import BulkSetPermissionsRequest
 from ee.onyx.server.user_group.models import MinimalUserGroupSnapshot
 from ee.onyx.server.user_group.models import SetCuratorRequest
-from ee.onyx.server.user_group.models import SetPermissionRequest
-from ee.onyx.server.user_group.models import SetPermissionResponse
 from ee.onyx.server.user_group.models import UpdateGroupAgentsRequest
 from ee.onyx.server.user_group.models import UserGroup
 from ee.onyx.server.user_group.models import UserGroupCreate
 from ee.onyx.server.user_group.models import UserGroupRename
 from ee.onyx.server.user_group.models import UserGroupUpdate
 from onyx.auth.permissions import NON_TOGGLEABLE_PERMISSIONS
+from onyx.auth.permissions import PERMISSION_REGISTRY
+from onyx.auth.permissions import PermissionRegistryEntry
 from onyx.auth.permissions import require_permission
 from onyx.auth.users import current_curator_or_admin_user
 from onyx.configs.app_configs import DISABLE_VECTOR_DB
@@ -48,24 +49,15 @@ router = APIRouter(prefix="/manage", tags=PUBLIC_API_TAGS)
@router.get("/admin/user-group")
 def list_user_groups(
    include_default: bool = False,
-    user: User = Depends(current_curator_or_admin_user),
+    _: User = Depends(require_permission(Permission.READ_USER_GROUPS)),
    db_session: Session = Depends(get_session),
 ) -> list[UserGroup]:
-    if user.role == UserRole.ADMIN:
-        user_groups = fetch_user_groups(
-            db_session,
-            only_up_to_date=False,
-            eager_load_for_snapshot=True,
-            include_default=include_default,
-        )
-    else:
-        user_groups = fetch_user_groups_for_user(
-            db_session=db_session,
-            user_id=user.id,
-            only_curator_groups=user.role == UserRole.CURATOR,
-            eager_load_for_snapshot=True,
-            include_default=include_default,
-        )
+    user_groups = fetch_user_groups(
+        db_session,
+        only_up_to_date=False,
+        eager_load_for_snapshot=True,
+        include_default=include_default,
+    )
    return [UserGroup.from_model(user_group) for user_group in user_groups]


@@ -92,6 +84,13 @@ def list_minimal_user_groups(
    ]


+@router.get("/admin/permissions/registry")
+def get_permission_registry(
+    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+) -> list[PermissionRegistryEntry]:
+    return PERMISSION_REGISTRY
+
+
@router.get("/admin/user-group/{user_group_id}/permissions")
 def get_user_group_permissions(
    user_group_id: int,
@@ -102,37 +101,39 @@ def get_user_group_permissions(
    if group is None:
        raise OnyxError(OnyxErrorCode.NOT_FOUND, "User group not found")
    return [
-        grant.permission for grant in group.permission_grants if not grant.is_deleted
+        grant.permission
+        for grant in group.permission_grants
+        if not grant.is_deleted and grant.permission not in NON_TOGGLEABLE_PERMISSIONS
    ]


@router.put("/admin/user-group/{user_group_id}/permissions")
-def set_user_group_permission(
+def set_user_group_permissions(
    user_group_id: int,
-    request: SetPermissionRequest,
+    request: BulkSetPermissionsRequest,
    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
    db_session: Session = Depends(get_session),
-) -> SetPermissionResponse:
+) -> list[Permission]:
    group = fetch_user_group(db_session, user_group_id)
    if group is None:
        raise OnyxError(OnyxErrorCode.NOT_FOUND, "User group not found")

-    if request.permission in NON_TOGGLEABLE_PERMISSIONS:
+    non_toggleable = [p for p in request.permissions if p in NON_TOGGLEABLE_PERMISSIONS]
+    if non_toggleable:
        raise OnyxError(
            OnyxErrorCode.INVALID_INPUT,
-            f"Permission '{request.permission}' cannot be toggled via this endpoint",
+            f"Permissions {non_toggleable} cannot be toggled via this endpoint",
        )

-    set_group_permission__no_commit(
+    result = set_group_permissions_bulk__no_commit(
        group_id=user_group_id,
-        permission=request.permission,
-        enabled=request.enabled,
+        desired_permissions=set(request.permissions),
        granted_by=user.id,
        db_session=db_session,
    )
    db_session.commit()

-    return SetPermissionResponse(permission=request.permission, enabled=request.enabled)
+    return result


@router.post("/admin/user-group")
--- a/backend/ee/onyx/server/user_group/models.py
+++ b/backend/ee/onyx/server/user_group/models.py
@@ -132,3 +132,7 @@ class SetPermissionRequest(BaseModel):
 class SetPermissionResponse(BaseModel):
    permission: Permission
    enabled: bool
+
+
+class BulkSetPermissionsRequest(BaseModel):
+    permissions: list[Permission]
--- a/backend/onyx/auth/permissions.py
+++ b/backend/onyx/auth/permissions.py
@@ -11,6 +11,8 @@ from collections.abc import Coroutine
 from typing import Any

 from fastapi import Depends
+from pydantic import BaseModel
+from pydantic import field_validator

 from onyx.auth.users import current_user
 from onyx.db.enums import Permission
@@ -29,14 +31,13 @@ IMPLIED_PERMISSIONS: dict[str, set[str]] = {
    Permission.MANAGE_AGENTS.value: {
        Permission.ADD_AGENTS.value,
        Permission.READ_AGENTS.value,
+        Permission.READ_DOCUMENT_SETS.value,
    },
    Permission.MANAGE_DOCUMENT_SETS.value: {
        Permission.READ_DOCUMENT_SETS.value,
        Permission.READ_CONNECTORS.value,
    },
-    Permission.ADD_CONNECTORS.value: {Permission.READ_CONNECTORS.value},
    Permission.MANAGE_CONNECTORS.value: {
-        Permission.ADD_CONNECTORS.value,
        Permission.READ_CONNECTORS.value,
    },
    Permission.MANAGE_USER_GROUPS.value: {
@@ -44,6 +45,11 @@ IMPLIED_PERMISSIONS: dict[str, set[str]] = {
        Permission.READ_DOCUMENT_SETS.value,
        Permission.READ_AGENTS.value,
        Permission.READ_USERS.value,
+        Permission.READ_USER_GROUPS.value,
+    },
+    Permission.MANAGE_LLMS.value: {
+        Permission.READ_USER_GROUPS.value,
+        Permission.READ_AGENTS.value,
    },
 }

@@ -58,10 +64,129 @@ NON_TOGGLEABLE_PERMISSIONS: frozenset[Permission] = frozenset(
        Permission.READ_DOCUMENT_SETS,
        Permission.READ_AGENTS,
        Permission.READ_USERS,
+        Permission.READ_USER_GROUPS,
    }
 )


+class PermissionRegistryEntry(BaseModel):
+    """A UI-facing permission row served by GET /admin/permissions/registry.
+
+    The field_validator ensures non-toggleable permissions (BASIC_ACCESS,
+    FULL_ADMIN_PANEL_ACCESS, READ_*) can never appear in the registry.
+    """
+
+    id: str
+    display_name: str
+    description: str
+    permissions: list[Permission]
+    group: int
+
+    @field_validator("permissions")
+    @classmethod
+    def must_be_toggleable(cls, v: list[Permission]) -> list[Permission]:
+        for p in v:
+            if p in NON_TOGGLEABLE_PERMISSIONS:
+                raise ValueError(
+                    f"Permission '{p.value}' is not toggleable and "
+                    "cannot be included in the permission registry"
+                )
+        return v
+
+
+# Registry of toggleable permissions exposed to the admin UI.
+# Single source of truth for display names, descriptions, grouping,
+# and which backend tokens each UI row controls.
+# The frontend fetches this via GET /admin/permissions/registry
+# and only adds icon mapping locally.
+PERMISSION_REGISTRY: list[PermissionRegistryEntry] = [
+    # Group 0 — System Configuration
+    PermissionRegistryEntry(
+        id="manage_llms",
+        display_name="Manage LLMs",
+        description="Add and update configurations for language models (LLMs).",
+        permissions=[Permission.MANAGE_LLMS],
+        group=0,
+    ),
+    PermissionRegistryEntry(
+        id="manage_connectors_and_document_sets",
+        display_name="Manage Connectors & Document Sets",
+        description="Add and update connectors and document sets.",
+        permissions=[
+            Permission.MANAGE_CONNECTORS,
+            Permission.MANAGE_DOCUMENT_SETS,
+        ],
+        group=0,
+    ),
+    PermissionRegistryEntry(
+        id="manage_actions",
+        display_name="Manage Actions",
+        description="Add and update custom tools and MCP/OpenAPI actions.",
+        permissions=[Permission.MANAGE_ACTIONS],
+        group=0,
+    ),
+    # Group 1 — User & Access Management
+    PermissionRegistryEntry(
+        id="manage_groups",
+        display_name="Manage Groups",
+        description="Add and update user groups.",
+        permissions=[Permission.MANAGE_USER_GROUPS],
+        group=1,
+    ),
+    PermissionRegistryEntry(
+        id="manage_service_accounts",
+        display_name="Manage Service Accounts",
+        description="Add and update service accounts and their API keys.",
+        permissions=[Permission.MANAGE_SERVICE_ACCOUNT_API_KEYS],
+        group=1,
+    ),
+    PermissionRegistryEntry(
+        id="manage_bots",
+        display_name="Manage Slack/Discord Bots",
+        description="Add and update Onyx integrations with Slack or Discord.",
+        permissions=[Permission.MANAGE_BOTS],
+        group=1,
+    ),
+    # Group 2 — Agents
+    PermissionRegistryEntry(
+        id="create_agents",
+        display_name="Create Agents",
+        description="Create and edit the user's own agents.",
+        permissions=[Permission.ADD_AGENTS],
+        group=2,
+    ),
+    PermissionRegistryEntry(
+        id="manage_agents",
+        display_name="Manage Agents",
+        description="View and update all public and shared agents in the organization.",
+        permissions=[Permission.MANAGE_AGENTS],
+        group=2,
+    ),
+    # Group 3 — Monitoring & Tokens
+    PermissionRegistryEntry(
+        id="view_agent_analytics",
+        display_name="View Agent Analytics",
+        description="View analytics for agents the group can manage.",
+        permissions=[Permission.READ_AGENT_ANALYTICS],
+        group=3,
+    ),
+    PermissionRegistryEntry(
+        id="view_query_history",
+        display_name="View Query History",
+        description="View query history of everyone in the organization.",
+        permissions=[Permission.READ_QUERY_HISTORY],
+        group=3,
+    ),
+    PermissionRegistryEntry(
+        id="create_user_access_token",
+        display_name="Create User Access Token",
+        description="Add and update the user's personal access tokens.",
+        permissions=[Permission.CREATE_USER_API_KEYS],
+        group=3,
+    ),
+]
+
+
 def resolve_effective_permissions(granted: set[str]) -> set[str]:
    """Expand granted permissions with their implied permissions.

@@ -83,7 +208,12 @@ def resolve_effective_permissions(granted: set[str]) -> set[str]:


 def get_effective_permissions(user: User) -> set[Permission]:
-    """Read granted permissions from the column and expand implied permissions."""
+    """Read granted permissions from the column and expand implied permissions.
+
+    Admin-role users always receive all permissions regardless of the JSONB
+    column, maintaining backward compatibility with role-based access control.
+    """
+
    granted: set[Permission] = set()
    for p in user.effective_permissions:
        try:
@@ -96,6 +226,11 @@ def get_effective_permissions(user: User) -> set[Permission]:
    return {Permission(p) for p in expanded}


+def has_permission(user: User, permission: Permission) -> bool:
+    """Check whether *user* holds *permission* (directly or via implication/admin override)."""
+    return permission in get_effective_permissions(user)
+
+
 def require_permission(
    required: Permission,
 ) -> Callable[..., Coroutine[Any, Any, User]]:
--- a/backend/onyx/background/celery/celery_utils.py
+++ b/backend/onyx/background/celery/celery_utils.py
@@ -1,4 +1,3 @@
-import time
 from collections.abc import Generator
 from collections.abc import Iterator
 from collections.abc import Sequence
@@ -31,8 +30,6 @@ from onyx.connectors.models import HierarchyNode
 from onyx.connectors.models import SlimDocument
 from onyx.httpx.httpx_pool import HttpxPool
 from onyx.indexing.indexing_heartbeat import IndexingHeartbeatInterface
-from onyx.server.metrics.pruning_metrics import inc_pruning_rate_limit_error
-from onyx.server.metrics.pruning_metrics import observe_pruning_enumeration_duration
 from onyx.utils.logger import setup_logger


@@ -133,7 +130,6 @@ def _extract_from_batch(
 def extract_ids_from_runnable_connector(
    runnable_connector: BaseConnector,
    callback: IndexingHeartbeatInterface | None = None,
-    connector_type: str = "unknown",
 ) -> SlimConnectorExtractionResult:
    """
    Extract document IDs and hierarchy nodes from a runnable connector.
@@ -183,38 +179,21 @@ def extract_ids_from_runnable_connector(
    )

    # process raw batches to extract both IDs and hierarchy nodes
-    enumeration_start = time.monotonic()
-    try:
-        for doc_list in raw_batch_generator:
-            if callback and callback.should_stop():
-                raise RuntimeError(
-                    "extract_ids_from_runnable_connector: Stop signal detected"
-                )
+    for doc_list in raw_batch_generator:
+        if callback and callback.should_stop():
+            raise RuntimeError(
+                "extract_ids_from_runnable_connector: Stop signal detected"
+            )

-            batch_result = _extract_from_batch(doc_list)
-            batch_ids = batch_result.raw_id_to_parent
-            batch_nodes = batch_result.hierarchy_nodes
-            doc_batch_processing_func(batch_ids)
-            all_raw_id_to_parent.update(batch_ids)
-            all_hierarchy_nodes.extend(batch_nodes)
+        batch_result = _extract_from_batch(doc_list)
+        batch_ids = batch_result.raw_id_to_parent
+        batch_nodes = batch_result.hierarchy_nodes
+        doc_batch_processing_func(batch_ids)
+        all_raw_id_to_parent.update(batch_ids)
+        all_hierarchy_nodes.extend(batch_nodes)

-            if callback:
-                callback.progress("extract_ids_from_runnable_connector", len(batch_ids))
-    except Exception as e:
-        # Best-effort rate limit detection via string matching.
-        # Connectors surface rate limits inconsistently — some raise HTTP 429,
-        # some use SDK-specific exceptions (e.g. google.api_core.exceptions.ResourceExhausted)
-        # that may or may not include "rate limit" or "429" in the message.
-        # TODO(Bo): replace with a standard ConnectorRateLimitError exception that all
-        # connectors raise when rate limited, making this check precise.
-        error_str = str(e)
-        if "rate limit" in error_str.lower() or "429" in error_str:
-            inc_pruning_rate_limit_error(connector_type)
-        raise
-    finally:
-        observe_pruning_enumeration_duration(
-            time.monotonic() - enumeration_start, connector_type
-        )
+        if callback:
+            callback.progress("extract_ids_from_runnable_connector", len(batch_ids))

    return SlimConnectorExtractionResult(
        raw_id_to_parent=all_raw_id_to_parent,
--- a/backend/onyx/background/celery/tasks/pruning/tasks.py
+++ b/backend/onyx/background/celery/tasks/pruning/tasks.py
@@ -72,7 +72,6 @@ from onyx.redis.redis_hierarchy import get_source_node_id_from_cache
 from onyx.redis.redis_hierarchy import HierarchyNodeCacheEntry
 from onyx.redis.redis_pool import get_redis_client
 from onyx.redis.redis_pool import get_redis_replica_client
-from onyx.server.metrics.pruning_metrics import observe_pruning_diff_duration
 from onyx.server.runtime.onyx_runtime import OnyxRuntime
 from onyx.server.utils import make_short_id
 from onyx.utils.logger import format_error_for_logging
@@ -571,9 +570,8 @@ def connector_pruning_generator_task(
            )

            # Extract docs and hierarchy nodes from the source
-            connector_type = cc_pair.connector.source.value
            extraction_result = extract_ids_from_runnable_connector(
-                runnable_connector, callback, connector_type=connector_type
+                runnable_connector, callback
            )
            all_connector_doc_ids = extraction_result.raw_id_to_parent

@@ -638,46 +636,40 @@ def connector_pruning_generator_task(
                commit=True,
            )

-            diff_start = time.monotonic()
-            try:
-                # a list of docs in our local index
-                all_indexed_document_ids = {
-                    doc.id
-                    for doc in get_documents_for_connector_credential_pair(
-                        db_session=db_session,
-                        connector_id=connector_id,
-                        credential_id=credential_id,
-                    )
-                }
+            # a list of docs in our local index
+            all_indexed_document_ids = {
+                doc.id
+                for doc in get_documents_for_connector_credential_pair(
+                    db_session=db_session,
+                    connector_id=connector_id,
+                    credential_id=credential_id,
+                )
+            }

-                # generate list of docs to remove (no longer in the source)
-                doc_ids_to_remove = list(
-                    all_indexed_document_ids - all_connector_doc_ids.keys()
-                )
+            # generate list of docs to remove (no longer in the source)
+            doc_ids_to_remove = list(
+                all_indexed_document_ids - all_connector_doc_ids.keys()
+            )

-                task_logger.info(
-                    "Pruning set collected: "
-                    f"cc_pair={cc_pair_id} "
-                    f"connector_source={cc_pair.connector.source} "
-                    f"docs_to_remove={len(doc_ids_to_remove)}"
-                )
+            task_logger.info(
+                "Pruning set collected: "
+                f"cc_pair={cc_pair_id} "
+                f"connector_source={cc_pair.connector.source} "
+                f"docs_to_remove={len(doc_ids_to_remove)}"
+            )

-                task_logger.info(
-                    f"RedisConnector.prune.generate_tasks starting. cc_pair={cc_pair_id}"
-                )
-                tasks_generated = redis_connector.prune.generate_tasks(
-                    set(doc_ids_to_remove), self.app, db_session, None
-                )
-                if tasks_generated is None:
-                    return None
+            task_logger.info(
+                f"RedisConnector.prune.generate_tasks starting. cc_pair={cc_pair_id}"
+            )
+            tasks_generated = redis_connector.prune.generate_tasks(
+                set(doc_ids_to_remove), self.app, db_session, None
+            )
+            if tasks_generated is None:
+                return None

-                task_logger.info(
-                    f"RedisConnector.prune.generate_tasks finished. cc_pair={cc_pair_id} tasks_generated={tasks_generated}"
-                )
-            finally:
-                observe_pruning_diff_duration(
-                    time.monotonic() - diff_start, connector_type
-                )
+            task_logger.info(
+                f"RedisConnector.prune.generate_tasks finished. cc_pair={cc_pair_id} tasks_generated={tasks_generated}"
+            )

            redis_connector.prune.generator_complete = tasks_generated

--- a/backend/onyx/db/document_set.py
+++ b/backend/onyx/db/document_set.py
@@ -4,7 +4,6 @@ from uuid import UUID

 from sqlalchemy import and_
 from sqlalchemy import delete
-from sqlalchemy import exists
 from sqlalchemy import func
 from sqlalchemy import or_
 from sqlalchemy import Select
@@ -13,22 +12,21 @@ from sqlalchemy.orm import aliased
 from sqlalchemy.orm import selectinload
 from sqlalchemy.orm import Session

+from onyx.auth.permissions import has_permission
 from onyx.configs.app_configs import DISABLE_VECTOR_DB
 from onyx.db.connector_credential_pair import get_cc_pair_groups_for_ids
 from onyx.db.connector_credential_pair import get_connector_credential_pairs
 from onyx.db.enums import AccessType
 from onyx.db.enums import ConnectorCredentialPairStatus
+from onyx.db.enums import Permission
 from onyx.db.federated import create_federated_connector_document_set_mapping
 from onyx.db.models import ConnectorCredentialPair
 from onyx.db.models import Document
 from onyx.db.models import DocumentByConnectorCredentialPair
 from onyx.db.models import DocumentSet as DocumentSetDBModel
 from onyx.db.models import DocumentSet__ConnectorCredentialPair
-from onyx.db.models import DocumentSet__UserGroup
 from onyx.db.models import FederatedConnector__DocumentSet
 from onyx.db.models import User
-from onyx.db.models import User__UserGroup
-from onyx.db.models import UserRole
 from onyx.server.features.document_set.models import DocumentSetCreationRequest
 from onyx.server.features.document_set.models import DocumentSetUpdateRequest
 from onyx.utils.logger import setup_logger
@@ -38,54 +36,16 @@ logger = setup_logger()


 def _add_user_filters(stmt: Select, user: User, get_editable: bool = True) -> Select:
-    if user.role == UserRole.ADMIN:
+    # MANAGE → always return all
+    if has_permission(user, Permission.MANAGE_DOCUMENT_SETS):
        return stmt
-
-    stmt = stmt.distinct()
-    DocumentSet__UG = aliased(DocumentSet__UserGroup)
-    User__UG = aliased(User__UserGroup)
-    """
-    Here we select cc_pairs by relation:
-    User -> User__UserGroup -> DocumentSet__UserGroup -> DocumentSet
-    """
-    stmt = stmt.outerjoin(DocumentSet__UG).outerjoin(
-        User__UserGroup,
-        User__UserGroup.user_group_id == DocumentSet__UG.user_group_id,
-    )
-    """
-    Filter DocumentSets by:
-    - if the user is in the user_group that owns the DocumentSet
-    - if the user is not a global_curator, they must also have a curator relationship
-    to the user_group
-    - if editing is being done, we also filter out DocumentSets that are owned by groups
-    that the user isn't a curator for
-    - if we are not editing, we show all DocumentSets in the groups the user is a curator
-    for (as well as public DocumentSets)
-    """
-
-    # Anonymous users only see public DocumentSets
-    if user.is_anonymous:
-        where_clause = DocumentSetDBModel.is_public == True  # noqa: E712
-        return stmt.where(where_clause)
-
-    where_clause = User__UserGroup.user_id == user.id
-    if user.role == UserRole.CURATOR and get_editable:
-        where_clause &= User__UserGroup.is_curator == True  # noqa: E712
-    if get_editable:
-        user_groups = select(User__UG.user_group_id).where(User__UG.user_id == user.id)
-        if user.role == UserRole.CURATOR:
-            user_groups = user_groups.where(User__UG.is_curator == True)  # noqa: E712
-        where_clause &= (
-            ~exists()
-            .where(DocumentSet__UG.document_set_id == DocumentSetDBModel.id)
-            .where(~DocumentSet__UG.user_group_id.in_(user_groups))
-            .correlate(DocumentSetDBModel)
-        )
-        where_clause |= DocumentSetDBModel.user_id == user.id
-    else:
-        where_clause |= DocumentSetDBModel.is_public == True  # noqa: E712
-
-    return stmt.where(where_clause)
+    # READ → return all when reading, nothing when editing
+    if has_permission(user, Permission.READ_DOCUMENT_SETS):
+        if get_editable:
+            return stmt.where(False)
+        return stmt
+    # No permission → return nothing
+    return stmt.where(False)


 def _delete_document_set_cc_pairs__no_commit(
--- a/backend/onyx/db/enums.py
+++ b/backend/onyx/db/enums.py
@@ -366,12 +366,12 @@ class Permission(str, PyEnum):
    READ_DOCUMENT_SETS = "read:document_sets"
    READ_AGENTS = "read:agents"
    READ_USERS = "read:users"
+    READ_USER_GROUPS = "read:user_groups"

    # Add / Manage pairs
    ADD_AGENTS = "add:agents"
    MANAGE_AGENTS = "manage:agents"
    MANAGE_DOCUMENT_SETS = "manage:document_sets"
-    ADD_CONNECTORS = "add:connectors"
    MANAGE_CONNECTORS = "manage:connectors"
    MANAGE_LLMS = "manage:llms"

@@ -381,8 +381,8 @@ class Permission(str, PyEnum):
    READ_QUERY_HISTORY = "read:query_history"
    MANAGE_USER_GROUPS = "manage:user_groups"
    CREATE_USER_API_KEYS = "create:user_api_keys"
-    CREATE_SERVICE_ACCOUNT_API_KEYS = "create:service_account_api_keys"
-    CREATE_SLACK_DISCORD_BOTS = "create:slack_discord_bots"
+    MANAGE_SERVICE_ACCOUNT_API_KEYS = "manage:service_account_api_keys"
+    MANAGE_BOTS = "manage:bots"

    # Override — any permission check passes
    FULL_ADMIN_PANEL_ACCESS = "admin"
--- a/backend/onyx/db/persona.py
+++ b/backend/onyx/db/persona.py
@@ -16,12 +16,12 @@ from sqlalchemy.orm import selectinload
 from sqlalchemy.orm import Session

 from onyx.access.hierarchy_access import get_user_external_group_ids
-from onyx.auth.schemas import UserRole
-from onyx.configs.app_configs import CURATORS_CANNOT_VIEW_OR_EDIT_NON_OWNED_ASSISTANTS
+from onyx.auth.permissions import has_permission
 from onyx.configs.constants import DEFAULT_PERSONA_ID
 from onyx.configs.constants import NotificationType
 from onyx.db.constants import SLACK_BOT_PERSONA_PREFIX
 from onyx.db.document_access import get_accessible_documents_by_ids
+from onyx.db.enums import Permission
 from onyx.db.models import ConnectorCredentialPair
 from onyx.db.models import Document
 from onyx.db.models import DocumentSet
@@ -74,7 +74,9 @@ class PersonaLoadType(Enum):
 def _add_user_filters(
    stmt: Select[tuple[Persona]], user: User, get_editable: bool = True
 ) -> Select[tuple[Persona]]:
-    if user.role == UserRole.ADMIN:
+    if has_permission(user, Permission.MANAGE_AGENTS):
+        return stmt
+    if not get_editable and has_permission(user, Permission.READ_AGENTS):
        return stmt

    stmt = stmt.distinct()
@@ -98,12 +100,7 @@ def _add_user_filters(
    """
    Filter Personas by:
    - if the user is in the user_group that owns the Persona
-    - if the user is not a global_curator, they must also have a curator relationship
-    to the user_group
-    - if editing is being done, we also filter out Personas that are owned by groups
-    that the user isn't a curator for
-    - if we are not editing, we show all Personas in the groups the user is a curator
-    for (as well as public Personas)
+    - if we are not editing, we show all public and listed Personas
    - if we are not editing, we return all Personas directly connected to the user
    """

@@ -112,21 +109,9 @@ def _add_user_filters(
        where_clause = Persona.is_public == True  # noqa: E712
        return stmt.where(where_clause)

-    # If curator ownership restriction is enabled, curators can only access their own assistants
-    if CURATORS_CANNOT_VIEW_OR_EDIT_NON_OWNED_ASSISTANTS and user.role in [
-        UserRole.CURATOR,
-        UserRole.GLOBAL_CURATOR,
-    ]:
-        where_clause = (Persona.user_id == user.id) | (Persona.user_id.is_(None))
-        return stmt.where(where_clause)
-
    where_clause = User__UserGroup.user_id == user.id
-    if user.role == UserRole.CURATOR and get_editable:
-        where_clause &= User__UserGroup.is_curator == True  # noqa: E712
    if get_editable:
        user_groups = select(User__UG.user_group_id).where(User__UG.user_id == user.id)
-        if user.role == UserRole.CURATOR:
-            user_groups = user_groups.where(User__UG.is_curator == True)  # noqa: E712
        where_clause &= (
            ~exists()
            .where(Persona__UG.persona_id == Persona.id)
@@ -197,7 +182,7 @@ def _get_persona_by_name(
    - Non-admin users: can only see their own personas
    """
    stmt = select(Persona).where(Persona.name == persona_name)
-    if user and user.role != UserRole.ADMIN:
+    if user and not has_permission(user, Permission.MANAGE_AGENTS):
        stmt = stmt.where(Persona.user_id == user.id)
    result = db_session.execute(stmt).scalar_one_or_none()
    return result
@@ -271,12 +256,10 @@ def create_update_persona(
    try:
        # Featured persona validation
        if create_persona_request.is_featured:
-            # Curators can edit featured personas, but not make them
-            # TODO this will be reworked soon with RBAC permissions feature
-            if user.role == UserRole.CURATOR or user.role == UserRole.GLOBAL_CURATOR:
-                pass
-            elif user.role != UserRole.ADMIN:
-                raise ValueError("Only admins can make a featured persona")
+            if not has_permission(user, Permission.MANAGE_AGENTS):
+                raise ValueError(
+                    "Only users with agent management permissions can make a featured persona"
+                )

        # Convert incoming string UUIDs to UUID objects for DB operations
        converted_user_file_ids = None
@@ -353,7 +336,11 @@ def update_persona_shared(
        db_session=db_session, persona_id=persona_id, user=user, get_editable=True
    )

-    if user and user.role != UserRole.ADMIN and persona.user_id != user.id:
+    if (
+        user
+        and not has_permission(user, Permission.MANAGE_AGENTS)
+        and persona.user_id != user.id
+    ):
        raise PermissionError("You don't have permission to modify this persona")

    versioned_update_persona_access = fetch_versioned_implementation(
@@ -389,7 +376,10 @@ def update_persona_public_status(
    persona = fetch_persona_by_id_for_user(
        db_session=db_session, persona_id=persona_id, user=user, get_editable=True
    )
-    if user.role != UserRole.ADMIN and persona.user_id != user.id:
+    if (
+        not has_permission(user, Permission.MANAGE_AGENTS)
+        and persona.user_id != user.id
+    ):
        raise ValueError("You don't have permission to modify this persona")

    persona.is_public = is_public
@@ -1226,7 +1216,11 @@ def get_persona_by_id(
    if not include_deleted:
        persona_stmt = persona_stmt.where(Persona.deleted.is_(False))

-    if not user or user.role == UserRole.ADMIN:
+    if (
+        not user
+        or has_permission(user, Permission.MANAGE_AGENTS)
+        or (not is_for_edit and has_permission(user, Permission.READ_AGENTS))
+    ):
        result = db_session.execute(persona_stmt)
        persona = result.scalar_one_or_none()
        if persona is None:
@@ -1243,14 +1237,6 @@ def get_persona_by_id(
        # if the user is in the .users of the persona
        or_conditions |= User.id == user.id
        or_conditions |= Persona.is_public == True  # noqa: E712
-    elif user.role == UserRole.GLOBAL_CURATOR:
-        # global curators can edit personas for the groups they are in
-        or_conditions |= User__UserGroup.user_id == user.id
-    elif user.role == UserRole.CURATOR:
-        # curators can edit personas for the groups they are curators of
-        or_conditions |= (User__UserGroup.user_id == user.id) & (
-            User__UserGroup.is_curator == True  # noqa: E712
-        )

    persona_stmt = persona_stmt.where(or_conditions)
    result = db_session.execute(persona_stmt)
--- a/backend/onyx/error_handling/error_codes.py
+++ b/backend/onyx/error_handling/error_codes.py
@@ -56,6 +56,7 @@ class OnyxErrorCode(Enum):
    DOCUMENT_NOT_FOUND = ("DOCUMENT_NOT_FOUND", 404)
    SESSION_NOT_FOUND = ("SESSION_NOT_FOUND", 404)
    USER_NOT_FOUND = ("USER_NOT_FOUND", 404)
+    DOCUMENT_SET_NOT_FOUND = ("DOCUMENT_SET_NOT_FOUND", 404)

    # ------------------------------------------------------------------
    # Conflict (409)
--- a/backend/onyx/llm/constants.py
+++ b/backend/onyx/llm/constants.py
@@ -66,7 +66,7 @@ PROVIDER_DISPLAY_NAMES: dict[str, str] = {
    LlmProviderNames.LM_STUDIO: "LM Studio",
    LlmProviderNames.LITELLM_PROXY: "LiteLLM Proxy",
    LlmProviderNames.BIFROST: "Bifrost",
-    LlmProviderNames.OPENAI_COMPATIBLE: "OpenAI-Compatible",
+    LlmProviderNames.OPENAI_COMPATIBLE: "OpenAI Compatible",
    "groq": "Groq",
    "anyscale": "Anyscale",
    "deepseek": "DeepSeek",
@@ -87,44 +87,6 @@ PROVIDER_DISPLAY_NAMES: dict[str, str] = {
    "gemini": "Gemini",
    "stability": "Stability",
    "writer": "Writer",
-    # Custom provider display names (used in the custom provider picker)
-    "aiml": "AI/ML",
-    "assemblyai": "AssemblyAI",
-    "aws_polly": "AWS Polly",
-    "azure_ai": "Azure AI",
-    "chatgpt": "ChatGPT",
-    "cohere_chat": "Cohere Chat",
-    "datarobot": "DataRobot",
-    "deepgram": "Deepgram",
-    "deepinfra": "DeepInfra",
-    "elevenlabs": "ElevenLabs",
-    "fal_ai": "fal.ai",
-    "featherless_ai": "Featherless AI",
-    "fireworks_ai": "Fireworks AI",
-    "friendliai": "FriendliAI",
-    "gigachat": "GigaChat",
-    "github_copilot": "GitHub Copilot",
-    "gradient_ai": "Gradient AI",
-    "huggingface": "HuggingFace",
-    "jina_ai": "Jina AI",
-    "lambda_ai": "Lambda AI",
-    "llamagate": "LlamaGate",
-    "meta_llama": "Meta Llama",
-    "minimax": "MiniMax",
-    "nlp_cloud": "NLP Cloud",
-    "nvidia_nim": "NVIDIA NIM",
-    "oci": "OCI",
-    "ovhcloud": "OVHcloud",
-    "palm": "PaLM",
-    "publicai": "PublicAI",
-    "runwayml": "RunwayML",
-    "sambanova": "SambaNova",
-    "together_ai": "Together AI",
-    "vercel_ai_gateway": "Vercel AI Gateway",
-    "volcengine": "Volcengine",
-    "wandb": "W&B",
-    "watsonx": "IBM watsonx",
-    "zai": "ZAI",
 }

 # Map vendors to their brand names (used for provider_display_name generation)
--- a/backend/onyx/llm/well_known_providers/llm_provider_options.py
+++ b/backend/onyx/llm/well_known_providers/llm_provider_options.py
@@ -338,7 +338,7 @@ def get_provider_display_name(provider_name: str) -> str:
        VERTEXAI_PROVIDER_NAME: "Google Vertex AI",
        OPENROUTER_PROVIDER_NAME: "OpenRouter",
        LITELLM_PROXY_PROVIDER_NAME: "LiteLLM Proxy",
-        OPENAI_COMPATIBLE_PROVIDER_NAME: "OpenAI-Compatible",
+        OPENAI_COMPATIBLE_PROVIDER_NAME: "OpenAI Compatible",
    }

    if provider_name in _ONYX_PROVIDER_DISPLAY_NAMES:
--- a/backend/onyx/onyxbot/slack/listener.py
+++ b/backend/onyx/onyxbot/slack/listener.py
@@ -90,7 +90,6 @@ from onyx.onyxbot.slack.utils import respond_in_thread_or_channel
 from onyx.onyxbot.slack.utils import TenantSocketModeClient
 from onyx.redis.redis_pool import get_redis_client
 from onyx.server.manage.models import SlackBotTokens
-from onyx.tracing.setup import setup_tracing
 from onyx.utils.logger import setup_logger
 from onyx.utils.variable_functionality import fetch_ee_implementation_or_noop
 from onyx.utils.variable_functionality import set_is_ee_based_on_env_variable
@@ -1207,7 +1206,6 @@ if __name__ == "__main__":
    tenant_handler = SlackbotHandler()

    set_is_ee_based_on_env_variable()
-    setup_tracing()

    try:
        # Keep the main thread alive
--- a/backend/onyx/server/api_key/api.py
+++ b/backend/onyx/server/api_key/api.py
@@ -20,7 +20,7 @@ router = APIRouter(prefix="/admin/api-key")

@router.get("")
 def list_api_keys(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_SERVICE_ACCOUNT_API_KEYS)),
    db_session: Session = Depends(get_session),
 ) -> list[ApiKeyDescriptor]:
    return fetch_api_keys(db_session)
@@ -29,7 +29,9 @@ def list_api_keys(
@router.post("")
 def create_api_key(
    api_key_args: APIKeyArgs,
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(
+        require_permission(Permission.MANAGE_SERVICE_ACCOUNT_API_KEYS)
+    ),
    db_session: Session = Depends(get_session),
 ) -> ApiKeyDescriptor:
    return insert_api_key(db_session, api_key_args, user.id)
@@ -38,7 +40,7 @@ def create_api_key(
@router.post("/{api_key_id}/regenerate")
 def regenerate_existing_api_key(
    api_key_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_SERVICE_ACCOUNT_API_KEYS)),
    db_session: Session = Depends(get_session),
 ) -> ApiKeyDescriptor:
    return regenerate_api_key(db_session, api_key_id)
@@ -48,7 +50,7 @@ def regenerate_existing_api_key(
 def update_existing_api_key(
    api_key_id: int,
    api_key_args: APIKeyArgs,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_SERVICE_ACCOUNT_API_KEYS)),
    db_session: Session = Depends(get_session),
 ) -> ApiKeyDescriptor:
    return update_api_key(db_session, api_key_id, api_key_args)
@@ -57,7 +59,7 @@ def update_existing_api_key(
@router.delete("/{api_key_id}")
 def delete_api_key(
    api_key_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_SERVICE_ACCOUNT_API_KEYS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    remove_api_key(db_session, api_key_id)
--- a/backend/onyx/server/features/build/sandbox/kubernetes/docker/README.md
+++ b/backend/onyx/server/features/build/sandbox/kubernetes/docker/README.md
@@ -58,7 +58,7 @@ docker buildx build --platform linux/amd64,linux/arm64 \

 1. **Build and push** the new image (see above)

-2. **Update the ConfigMap** in in the internal repo
+2. **Update the ConfigMap** in `cloud-deployment-yamls/danswer/configmap/env-configmap.yaml`:
   ```yaml
   SANDBOX_CONTAINER_IMAGE: "onyxdotapp/sandbox:v0.1.x"
   ```
--- a/backend/onyx/server/features/document_set/api.py
+++ b/backend/onyx/server/features/document_set/api.py
@@ -1,11 +1,9 @@
 from fastapi import APIRouter
 from fastapi import Depends
-from fastapi import HTTPException
 from fastapi import Query
 from sqlalchemy.orm import Session

 from onyx.auth.permissions import require_permission
-from onyx.auth.users import current_curator_or_admin_user
 from onyx.background.celery.versioned_apps.client import app as client_app
 from onyx.configs.app_configs import DISABLE_VECTOR_DB
 from onyx.configs.constants import OnyxCeleryPriority
@@ -20,6 +18,8 @@ from onyx.db.document_set import update_document_set
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.enums import Permission
 from onyx.db.models import User
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.server.features.document_set.models import CheckDocSetPublicRequest
 from onyx.server.features.document_set.models import CheckDocSetPublicResponse
 from onyx.server.features.document_set.models import DocumentSetCreationRequest
@@ -35,7 +35,7 @@ router = APIRouter(prefix="/manage")
@router.post("/admin/document-set")
 def create_document_set(
    document_set_creation_request: DocumentSetCreationRequest,
-    user: User = Depends(current_curator_or_admin_user),
+    user: User = Depends(require_permission(Permission.MANAGE_DOCUMENT_SETS)),
    db_session: Session = Depends(get_session),
    tenant_id: str = Depends(get_current_tenant_id),
 ) -> int:
@@ -55,7 +55,7 @@ def create_document_set(
            db_session=db_session,
        )
    except Exception as e:
-        raise HTTPException(status_code=400, detail=str(e))
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, str(e))

    if not DISABLE_VECTOR_DB:
        client_app.send_task(
@@ -70,15 +70,15 @@ def create_document_set(
@router.patch("/admin/document-set")
 def patch_document_set(
    document_set_update_request: DocumentSetUpdateRequest,
-    user: User = Depends(current_curator_or_admin_user),
+    user: User = Depends(require_permission(Permission.MANAGE_DOCUMENT_SETS)),
    db_session: Session = Depends(get_session),
    tenant_id: str = Depends(get_current_tenant_id),
 ) -> None:
    document_set = get_document_set_by_id(db_session, document_set_update_request.id)
    if document_set is None:
-        raise HTTPException(
-            status_code=404,
-            detail=f"Document set {document_set_update_request.id} does not exist",
+        raise OnyxError(
+            OnyxErrorCode.DOCUMENT_SET_NOT_FOUND,
+            f"Document set {document_set_update_request.id} does not exist",
        )

    fetch_ee_implementation_or_noop(
@@ -98,7 +98,7 @@ def patch_document_set(
            user=user,
        )
    except Exception as e:
-        raise HTTPException(status_code=400, detail=str(e))
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, str(e))

    if not DISABLE_VECTOR_DB:
        client_app.send_task(
@@ -111,15 +111,15 @@ def patch_document_set(
@router.delete("/admin/document-set/{document_set_id}")
 def delete_document_set(
    document_set_id: int,
-    user: User = Depends(current_curator_or_admin_user),
+    user: User = Depends(require_permission(Permission.MANAGE_DOCUMENT_SETS)),
    db_session: Session = Depends(get_session),
    tenant_id: str = Depends(get_current_tenant_id),
 ) -> None:
    document_set = get_document_set_by_id(db_session, document_set_id)
    if document_set is None:
-        raise HTTPException(
-            status_code=404,
-            detail=f"Document set {document_set_id} does not exist",
+        raise OnyxError(
+            OnyxErrorCode.DOCUMENT_SET_NOT_FOUND,
+            f"Document set {document_set_id} does not exist",
        )

    # check if the user has "edit" access to the document set.
@@ -142,7 +142,7 @@ def delete_document_set(
            user=user,
        )
    except Exception as e:
-        raise HTTPException(status_code=400, detail=str(e))
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, str(e))

    if DISABLE_VECTOR_DB:
        db_session.refresh(document_set)
--- a/backend/onyx/server/features/persona/api.py
+++ b/backend/onyx/server/features/persona/api.py
@@ -11,7 +11,6 @@ from sqlalchemy.orm import Session

 from onyx.auth.permissions import require_permission
 from onyx.auth.users import current_chat_accessible_user
-from onyx.auth.users import current_curator_or_admin_user
 from onyx.auth.users import current_limited_user
 from onyx.configs.app_configs import DISABLE_VECTOR_DB
 from onyx.configs.constants import FileOrigin
@@ -135,7 +134,7 @@ class IsFeaturedRequest(BaseModel):
 def patch_persona_visibility(
    persona_id: int,
    is_listed_request: IsListedRequest,
-    user: User = Depends(current_curator_or_admin_user),
+    user: User = Depends(require_permission(Permission.MANAGE_AGENTS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    update_persona_visibility(
@@ -150,7 +149,7 @@ def patch_persona_visibility(
 def patch_user_persona_public_status(
    persona_id: int,
    is_public_request: IsPublicRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(require_permission(Permission.ADD_AGENTS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    try:
@@ -169,7 +168,7 @@ def patch_user_persona_public_status(
 def patch_persona_featured_status(
    persona_id: int,
    is_featured_request: IsFeaturedRequest,
-    user: User = Depends(current_curator_or_admin_user),
+    user: User = Depends(require_permission(Permission.MANAGE_AGENTS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    try:
@@ -204,7 +203,7 @@ def patch_agents_display_priorities(

@admin_router.get("", tags=PUBLIC_API_TAGS)
 def list_personas_admin(
-    user: User = Depends(current_curator_or_admin_user),
+    user: User = Depends(require_permission(Permission.READ_AGENTS)),
    db_session: Session = Depends(get_session),
    include_deleted: bool = False,
    get_editable: bool = Query(False, description="If true, return editable personas"),
@@ -221,7 +220,7 @@ def list_personas_admin(
 def get_agents_admin_paginated(
    page_num: int = Query(0, ge=0, description="Page number (0-indexed)."),
    page_size: int = Query(10, ge=1, le=1000, description="Items per page."),
-    user: User = Depends(current_curator_or_admin_user),
+    user: User = Depends(require_permission(Permission.READ_AGENTS)),
    db_session: Session = Depends(get_session),
    include_deleted: bool = Query(
        False, description="If true, includes deleted personas."
@@ -298,7 +297,7 @@ def upload_file(
@basic_router.post("", tags=PUBLIC_API_TAGS)
 def create_persona(
    persona_upsert_request: PersonaUpsertRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(require_permission(Permission.ADD_AGENTS)),
    db_session: Session = Depends(get_session),
 ) -> PersonaSnapshot:
    tenant_id = get_current_tenant_id()
@@ -328,7 +327,7 @@ def create_persona(
 def update_persona(
    persona_id: int,
    persona_upsert_request: PersonaUpsertRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(require_permission(Permission.ADD_AGENTS)),
    db_session: Session = Depends(get_session),
 ) -> PersonaSnapshot:
    _validate_user_knowledge_enabled(persona_upsert_request, "update")
@@ -410,7 +409,7 @@ class PersonaShareRequest(BaseModel):
 def share_persona(
    persona_id: int,
    persona_share_request: PersonaShareRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(require_permission(Permission.ADD_AGENTS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    try:
@@ -434,7 +433,7 @@ def share_persona(
@basic_router.delete("/{persona_id}", tags=PUBLIC_API_TAGS)
 def delete_persona(
    persona_id: int,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(require_permission(Permission.ADD_AGENTS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    mark_persona_as_deleted(
--- a/backend/onyx/server/manage/discord_bot/api.py
+++ b/backend/onyx/server/manage/discord_bot/api.py
@@ -2,8 +2,6 @@

 from fastapi import APIRouter
 from fastapi import Depends
-from fastapi import HTTPException
-from fastapi import status
 from sqlalchemy.orm import Session

 from onyx.auth.permissions import require_permission
@@ -25,6 +23,8 @@ from onyx.db.discord_bot import update_guild_config
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.enums import Permission
 from onyx.db.models import User
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.server.manage.discord_bot.models import DiscordBotConfigCreateRequest
 from onyx.server.manage.discord_bot.models import DiscordBotConfigResponse
 from onyx.server.manage.discord_bot.models import DiscordChannelConfigResponse
@@ -48,14 +48,14 @@ def _check_bot_config_api_access() -> None:
    - When DISCORD_BOT_TOKEN env var is set (managed via env)
    """
    if AUTH_TYPE == AuthType.CLOUD:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Discord bot configuration is managed by Onyx on Cloud.",
+        raise OnyxError(
+            OnyxErrorCode.INSUFFICIENT_PERMISSIONS,
+            "Discord bot configuration is managed by Onyx on Cloud.",
        )
    if DISCORD_BOT_TOKEN:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Discord bot is configured via environment variables. API access disabled.",
+        raise OnyxError(
+            OnyxErrorCode.INSUFFICIENT_PERMISSIONS,
+            "Discord bot is configured via environment variables. API access disabled.",
        )


@@ -65,7 +65,7 @@ def _check_bot_config_api_access() -> None:
@router.get("/config", response_model=DiscordBotConfigResponse)
 def get_bot_config(
    _: None = Depends(_check_bot_config_api_access),
-    __: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    __: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> DiscordBotConfigResponse:
    """Get Discord bot config. Returns 403 on Cloud or if env vars set."""
@@ -83,7 +83,7 @@ def get_bot_config(
 def create_bot_request(
    request: DiscordBotConfigCreateRequest,
    _: None = Depends(_check_bot_config_api_access),
-    __: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    __: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> DiscordBotConfigResponse:
    """Create Discord bot config. Returns 403 on Cloud or if env vars set."""
@@ -93,9 +93,9 @@ def create_bot_request(
            bot_token=request.bot_token,
        )
    except ValueError:
-        raise HTTPException(
-            status_code=status.HTTP_409_CONFLICT,
-            detail="Discord bot config already exists. Delete it first to create a new one.",
+        raise OnyxError(
+            OnyxErrorCode.CONFLICT,
+            "Discord bot config already exists. Delete it first to create a new one.",
        )

    db_session.commit()
@@ -109,7 +109,7 @@ def create_bot_request(
@router.delete("/config")
 def delete_bot_config_endpoint(
    _: None = Depends(_check_bot_config_api_access),
-    __: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    __: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> dict:
    """Delete Discord bot config.
@@ -118,7 +118,7 @@ def delete_bot_config_endpoint(
    """
    deleted = delete_discord_bot_config(db_session)
    if not deleted:
-        raise HTTPException(status_code=404, detail="Bot config not found")
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "Bot config not found")

    # Also delete the service API key used by the Discord bot
    delete_discord_service_api_key(db_session)
@@ -132,7 +132,7 @@ def delete_bot_config_endpoint(

@router.delete("/service-api-key")
 def delete_service_api_key_endpoint(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> dict:
    """Delete the Discord service API key.
@@ -145,7 +145,7 @@ def delete_service_api_key_endpoint(
    """
    deleted = delete_discord_service_api_key(db_session)
    if not deleted:
-        raise HTTPException(status_code=404, detail="Service API key not found")
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "Service API key not found")
    db_session.commit()
    return {"deleted": True}

@@ -155,7 +155,7 @@ def delete_service_api_key_endpoint(

@router.get("/guilds", response_model=list[DiscordGuildConfigResponse])
 def list_guild_configs(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> list[DiscordGuildConfigResponse]:
    """List all guild configs (pending and registered)."""
@@ -165,7 +165,7 @@ def list_guild_configs(

@router.post("/guilds", response_model=DiscordGuildConfigCreateResponse)
 def create_guild_request(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> DiscordGuildConfigCreateResponse:
    """Create new guild config with registration key. Key shown once."""
@@ -184,13 +184,13 @@ def create_guild_request(
@router.get("/guilds/{config_id}", response_model=DiscordGuildConfigResponse)
 def get_guild_config(
    config_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> DiscordGuildConfigResponse:
    """Get specific guild config."""
    config = get_guild_config_by_internal_id(db_session, internal_id=config_id)
    if not config:
-        raise HTTPException(status_code=404, detail="Guild config not found")
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "Guild config not found")
    return DiscordGuildConfigResponse.model_validate(config)


@@ -198,13 +198,13 @@ def get_guild_config(
 def update_guild_request(
    config_id: int,
    request: DiscordGuildConfigUpdateRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> DiscordGuildConfigResponse:
    """Update guild config."""
    config = get_guild_config_by_internal_id(db_session, internal_id=config_id)
    if not config:
-        raise HTTPException(status_code=404, detail="Guild config not found")
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "Guild config not found")

    config = update_guild_config(
        db_session,
@@ -220,7 +220,7 @@ def update_guild_request(
@router.delete("/guilds/{config_id}")
 def delete_guild_request(
    config_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> dict:
    """Delete guild config (invalidates registration key).
@@ -229,7 +229,7 @@ def delete_guild_request(
    """
    deleted = delete_guild_config(db_session, config_id)
    if not deleted:
-        raise HTTPException(status_code=404, detail="Guild config not found")
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "Guild config not found")

    # On Cloud, delete service API key when all guilds are removed
    if AUTH_TYPE == AuthType.CLOUD:
@@ -249,15 +249,15 @@ def delete_guild_request(
 )
 def list_channel_configs(
    config_id: int,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> list[DiscordChannelConfigResponse]:
    """List whitelisted channels for a guild."""
    guild_config = get_guild_config_by_internal_id(db_session, internal_id=config_id)
    if not guild_config:
-        raise HTTPException(status_code=404, detail="Guild config not found")
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "Guild config not found")
    if not guild_config.guild_id:
-        raise HTTPException(status_code=400, detail="Guild not yet registered")
+        raise OnyxError(OnyxErrorCode.INVALID_INPUT, "Guild not yet registered")

    configs = get_channel_configs(db_session, config_id)
    return [DiscordChannelConfigResponse.model_validate(c) for c in configs]
@@ -271,7 +271,7 @@ def update_channel_request(
    guild_config_id: int,
    channel_config_id: int,
    request: DiscordChannelConfigUpdateRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
    db_session: Session = Depends(get_session),
 ) -> DiscordChannelConfigResponse:
    """Update channel config."""
@@ -279,7 +279,7 @@ def update_channel_request(
        db_session, guild_config_id, channel_config_id
    )
    if not config:
-        raise HTTPException(status_code=404, detail="Channel config not found")
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "Channel config not found")

    config = update_discord_channel_config(
        db_session,
--- a/backend/onyx/server/manage/llm/api.py
+++ b/backend/onyx/server/manage/llm/api.py
@@ -15,8 +15,8 @@ from fastapi import Query
 from pydantic import ValidationError
 from sqlalchemy.orm import Session

+from onyx.auth.permissions import has_permission
 from onyx.auth.permissions import require_permission
-from onyx.auth.schemas import UserRole
 from onyx.auth.users import current_chat_accessible_user
 from onyx.db.engine.sql_engine import get_session
 from onyx.db.enums import LLMModelFlowType
@@ -40,15 +40,11 @@ from onyx.db.models import User
 from onyx.db.persona import user_can_access_persona
 from onyx.error_handling.error_codes import OnyxErrorCode
 from onyx.error_handling.exceptions import OnyxError
-from onyx.llm.constants import PROVIDER_DISPLAY_NAMES
-from onyx.llm.constants import WELL_KNOWN_PROVIDER_NAMES
 from onyx.llm.factory import get_default_llm
 from onyx.llm.factory import get_llm
 from onyx.llm.factory import get_max_input_tokens_from_llm_provider
 from onyx.llm.utils import get_bedrock_token_limit
 from onyx.llm.utils import get_llm_contextual_cost
-from onyx.llm.utils import get_max_input_tokens
-from onyx.llm.utils import litellm_thinks_model_supports_image_input
 from onyx.llm.utils import test_llm
 from onyx.llm.well_known_providers.auto_update_service import (
    fetch_llm_recommendations_from_github,
@@ -64,9 +60,6 @@ from onyx.server.manage.llm.models import BedrockFinalModelResponse
 from onyx.server.manage.llm.models import BedrockModelsRequest
 from onyx.server.manage.llm.models import BifrostFinalModelResponse
 from onyx.server.manage.llm.models import BifrostModelsRequest
-from onyx.server.manage.llm.models import CustomProviderModelResponse
-from onyx.server.manage.llm.models import CustomProviderModelsRequest
-from onyx.server.manage.llm.models import CustomProviderOption
 from onyx.server.manage.llm.models import DefaultModel
 from onyx.server.manage.llm.models import LitellmFinalModelResponse
 from onyx.server.manage.llm.models import LitellmModelDetails
@@ -257,184 +250,9 @@ def _validate_llm_provider_change(
        )


-@admin_router.get("/custom-provider-names")
-def fetch_custom_provider_names(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
-) -> list[CustomProviderOption]:
-    """Returns the sorted list of LiteLLM provider names that can be used
-    with the custom provider modal (i.e. everything that is not already
-    covered by a well-known provider modal)."""
-    import litellm
-
-    well_known = {p.value for p in WELL_KNOWN_PROVIDER_NAMES}
-    return sorted(
-        (
-            CustomProviderOption(
-                value=name,
-                label=PROVIDER_DISPLAY_NAMES.get(name, name.replace("_", " ").title()),
-            )
-            for name in litellm.models_by_provider.keys()
-            if name not in well_known
-        ),
-        key=lambda o: o.label.lower(),
-    )
-
-
-@admin_router.post("/custom/available-models")
-def fetch_custom_provider_models(
-    request: CustomProviderModelsRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
-) -> list[CustomProviderModelResponse]:
-    """Fetch models for a custom provider.
-
-    When ``api_base`` is provided the endpoint hits the provider's
-    OpenAI-compatible ``/v1/models`` (or ``/{api_version}/models``) to
-    discover live models.  Otherwise it falls back to the static list
-    that LiteLLM ships for the given provider slug.
-
-    In both cases the response is enriched with metadata from LiteLLM
-    (display name, max input tokens, vision support) when available.
-    """
-    if request.api_base:
-        return _fetch_custom_models_from_api(
-            provider=request.provider,
-            api_base=request.api_base,
-            api_key=request.api_key,
-            api_version=request.api_version,
-        )
-
-    return _fetch_custom_models_from_litellm(request.provider)
-
-
-def _enrich_custom_model(
-    name: str,
-    provider: str,
-    *,
-    api_display_name: str | None = None,
-    api_max_input_tokens: int | None = None,
-    api_supports_image_input: bool | None = None,
-) -> CustomProviderModelResponse:
-    """Build a ``CustomProviderModelResponse`` enriched with LiteLLM metadata.
-
-    Values explicitly provided by the source API take precedence; LiteLLM
-    metadata is used as a fallback.
-    """
-    from onyx.llm.model_name_parser import parse_litellm_model_name
-
-    # LiteLLM keys are typically "provider/model"
-    litellm_key = f"{provider}/{name}" if not name.startswith(f"{provider}/") else name
-    parsed = parse_litellm_model_name(litellm_key)
-
-    # display_name: prefer API-provided name, then LiteLLM enrichment, then raw name
-    if api_display_name and api_display_name != name:
-        display_name = api_display_name
-    else:
-        display_name = parsed.display_name or name
-
-    # max_input_tokens: prefer API value, then LiteLLM lookup
-    if api_max_input_tokens is not None:
-        max_input_tokens: int | None = api_max_input_tokens
-    else:
-        try:
-            max_input_tokens = get_max_input_tokens(name, provider)
-        except Exception:
-            max_input_tokens = None
-
-    # supports_image_input: prefer API value, then LiteLLM inference
-    if api_supports_image_input is not None:
-        supports_image = api_supports_image_input
-    else:
-        supports_image = litellm_thinks_model_supports_image_input(name, provider)
-
-    return CustomProviderModelResponse(
-        name=name,
-        display_name=display_name,
-        max_input_tokens=max_input_tokens,
-        supports_image_input=supports_image,
-    )
-
-
-def _fetch_custom_models_from_api(
-    provider: str,
-    api_base: str,
-    api_key: str | None,
-    api_version: str | None,
-) -> list[CustomProviderModelResponse]:
-    """Hit an OpenAI-compatible ``/v1/models`` (or versioned variant)."""
-    cleaned = api_base.strip().rstrip("/")
-    if api_version:
-        url = f"{cleaned}/{api_version.strip().strip('/')}/models"
-    elif cleaned.endswith("/v1"):
-        url = f"{cleaned}/models"
-    else:
-        url = f"{cleaned}/v1/models"
-
-    response_json = _get_openai_compatible_models_response(
-        url=url,
-        source_name="Custom provider",
-        api_key=api_key,
-    )
-
-    models = response_json.get("data", [])
-    if not isinstance(models, list) or len(models) == 0:
-        raise OnyxError(
-            OnyxErrorCode.VALIDATION_ERROR,
-            "No models found from the provider's API.",
-        )
-
-    results: list[CustomProviderModelResponse] = []
-    for model in models:
-        try:
-            model_id = model.get("id", "")
-            if not model_id:
-                continue
-            if is_embedding_model(model_id):
-                continue
-            results.append(
-                _enrich_custom_model(
-                    model_id,
-                    provider,
-                    api_display_name=model.get("name"),
-                    api_max_input_tokens=model.get("context_length"),
-                    api_supports_image_input=infer_vision_support(model_id),
-                )
-            )
-        except Exception as e:
-            logger.warning(
-                "Failed to parse custom provider model entry",
-                extra={"error": str(e), "item": str(model)[:1000]},
-            )
-
-    if not results:
-        raise OnyxError(
-            OnyxErrorCode.VALIDATION_ERROR,
-            "No compatible models found from the provider's API.",
-        )
-
-    return sorted(results, key=lambda m: m.name.lower())
-
-
-def _fetch_custom_models_from_litellm(
-    provider: str,
-) -> list[CustomProviderModelResponse]:
-    """Fall back to litellm's static ``models_by_provider`` mapping."""
-    import litellm
-
-    model_names = litellm.models_by_provider.get(provider)
-    if model_names is None:
-        raise OnyxError(
-            OnyxErrorCode.NOT_FOUND,
-            f"Unknown provider: {provider}",
-        )
-    return sorted(
-        (_enrich_custom_model(name, provider) for name in model_names),
-        key=lambda m: m.name.lower(),
-    )
-
-
@admin_router.get("/built-in/options")
 def fetch_llm_options(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
 ) -> list[WellKnownLLMProviderDescriptor]:
    return fetch_available_well_known_llms()

@@ -442,7 +260,7 @@ def fetch_llm_options(
@admin_router.get("/built-in/options/{provider_name}")
 def fetch_llm_provider_options(
    provider_name: str,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
 ) -> WellKnownLLMProviderDescriptor:
    well_known_llms = fetch_available_well_known_llms()
    for well_known_llm in well_known_llms:
@@ -454,7 +272,7 @@ def fetch_llm_provider_options(
@admin_router.post("/test")
 def test_llm_configuration(
    test_llm_request: TestLLMRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    """Test LLM configuration settings"""
@@ -512,7 +330,7 @@ def test_llm_configuration(

@admin_router.post("/test/default")
 def test_default_provider(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
 ) -> None:
    try:
        llm = get_default_llm()
@@ -528,7 +346,7 @@ def test_default_provider(
@admin_router.get("/provider")
 def list_llm_providers(
    include_image_gen: bool = Query(False),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> LLMProviderResponse[LLMProviderView]:
    start_time = datetime.now(timezone.utc)
@@ -573,7 +391,7 @@ def put_llm_provider(
        False,
        description="True if creating a new one, False if updating an existing provider",
    ),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> LLMProviderView:
    # validate request (e.g. if we're intending to create but the name already exists we should throw an error)
@@ -711,7 +529,7 @@ def put_llm_provider(
 def delete_llm_provider(
    provider_id: int,
    force: bool = Query(False),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    if not force:
@@ -732,7 +550,7 @@ def delete_llm_provider(
@admin_router.post("/default")
 def set_provider_as_default(
    default_model_request: DefaultModel,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    update_default_provider(
@@ -745,7 +563,7 @@ def set_provider_as_default(
@admin_router.post("/default-vision")
 def set_provider_as_default_vision(
    default_model: DefaultModel,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> None:
    update_default_vision_provider(
@@ -757,7 +575,7 @@ def set_provider_as_default_vision(

@admin_router.get("/auto-config")
 def get_auto_config(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
 ) -> dict:
    """Get the current Auto mode configuration from GitHub.

@@ -775,7 +593,7 @@ def get_auto_config(

@admin_router.get("/vision-providers")
 def get_vision_capable_providers(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> LLMProviderResponse[VisionProviderResponse]:
    """Return a list of LLM providers and their models that support image input"""
@@ -837,7 +655,7 @@ def list_llm_provider_basics(

    all_providers = fetch_existing_llm_providers(db_session, [])
    user_group_ids = fetch_user_group_ids(db_session, user)
-    is_admin = user.role == UserRole.ADMIN
+    can_manage_llms = has_permission(user, Permission.MANAGE_LLMS)

    accessible_providers = []

@@ -849,7 +667,7 @@ def list_llm_provider_basics(
        # - Excludes providers with persona restrictions (requires specific persona)
        # - Excludes non-public providers with no restrictions (admin-only)
        if can_user_access_llm_provider(
-            provider, user_group_ids, persona=None, is_admin=is_admin
+            provider, user_group_ids, persona=None, is_admin=can_manage_llms
        ):
            accessible_providers.append(LLMProviderDescriptor.from_model(provider))

@@ -885,17 +703,19 @@ def get_valid_model_names_for_persona(
    if not persona:
        return []

-    is_admin = user.role == UserRole.ADMIN
+    can_manage_llms = has_permission(user, Permission.MANAGE_LLMS)
    all_providers = fetch_existing_llm_providers(
        db_session, [LLMModelFlowType.CHAT, LLMModelFlowType.VISION]
    )
-    user_group_ids = set() if is_admin else fetch_user_group_ids(db_session, user)
+    user_group_ids = (
+        set() if can_manage_llms else fetch_user_group_ids(db_session, user)
+    )

    valid_models = []
    for llm_provider_model in all_providers:
        # Check access with persona context — respects all RBAC restrictions
        if can_user_access_llm_provider(
-            llm_provider_model, user_group_ids, persona, is_admin=is_admin
+            llm_provider_model, user_group_ids, persona, is_admin=can_manage_llms
        ):
            # Collect all model names from this provider
            for model_config in llm_provider_model.model_configurations:
@@ -934,18 +754,20 @@ def list_llm_providers_for_persona(
            "You don't have access to this assistant",
        )

-    is_admin = user.role == UserRole.ADMIN
+    can_manage_llms = has_permission(user, Permission.MANAGE_LLMS)
    all_providers = fetch_existing_llm_providers(
        db_session, [LLMModelFlowType.CHAT, LLMModelFlowType.VISION]
    )
-    user_group_ids = set() if is_admin else fetch_user_group_ids(db_session, user)
+    user_group_ids = (
+        set() if can_manage_llms else fetch_user_group_ids(db_session, user)
+    )

    llm_provider_list: list[LLMProviderDescriptor] = []

    for llm_provider_model in all_providers:
        # Check access with persona context — respects persona restrictions
        if can_user_access_llm_provider(
-            llm_provider_model, user_group_ids, persona, is_admin=is_admin
+            llm_provider_model, user_group_ids, persona, is_admin=can_manage_llms
        ):
            llm_provider_list.append(
                LLMProviderDescriptor.from_model(llm_provider_model)
@@ -973,7 +795,7 @@ def list_llm_providers_for_persona(
    if persona_default_provider:
        provider = fetch_existing_llm_provider(persona_default_provider, db_session)
        if provider and can_user_access_llm_provider(
-            provider, user_group_ids, persona, is_admin=is_admin
+            provider, user_group_ids, persona, is_admin=can_manage_llms
        ):
            if persona_default_model:
                # Persona specifies both provider and model — use them directly
@@ -1006,7 +828,7 @@ def list_llm_providers_for_persona(

@admin_router.get("/provider-contextual-cost")
 def get_provider_contextual_cost(
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> list[LLMCost]:
    """
@@ -1055,7 +877,7 @@ def get_provider_contextual_cost(
@admin_router.post("/bedrock/available-models")
 def get_bedrock_available_models(
    request: BedrockModelsRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> list[BedrockFinalModelResponse]:
    """Fetch available Bedrock models for a specific region and credentials.
@@ -1230,7 +1052,7 @@ def _get_ollama_available_model_names(api_base: str) -> set[str]:
@admin_router.post("/ollama/available-models")
 def get_ollama_available_models(
    request: OllamaModelsRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> list[OllamaFinalModelResponse]:
    """Fetch the list of available models from an Ollama server."""
@@ -1354,7 +1176,7 @@ def _get_openrouter_models_response(api_base: str, api_key: str) -> dict:
@admin_router.post("/openrouter/available-models")
 def get_openrouter_available_models(
    request: OpenRouterModelsRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> list[OpenRouterFinalModelResponse]:
    """Fetch available models from OpenRouter `/models` endpoint.
@@ -1435,7 +1257,7 @@ def get_openrouter_available_models(
@admin_router.post("/lm-studio/available-models")
 def get_lm_studio_available_models(
    request: LMStudioModelsRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> list[LMStudioFinalModelResponse]:
    """Fetch available models from an LM Studio server.
@@ -1542,7 +1364,7 @@ def get_lm_studio_available_models(
@admin_router.post("/litellm/available-models")
 def get_litellm_available_models(
    request: LitellmModelsRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> list[LitellmFinalModelResponse]:
    """Fetch available models from Litellm proxy /v1/models endpoint."""
@@ -1675,7 +1497,7 @@ def _get_openai_compatible_models_response(
@admin_router.post("/bifrost/available-models")
 def get_bifrost_available_models(
    request: BifrostModelsRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> list[BifrostFinalModelResponse]:
    """Fetch available models from Bifrost gateway /v1/models endpoint."""
@@ -1765,7 +1587,7 @@ def _get_bifrost_models_response(api_base: str, api_key: str | None = None) -> d
@admin_router.post("/openai-compatible/available-models")
 def get_openai_compatible_server_available_models(
    request: OpenAICompatibleModelsRequest,
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_LLMS)),
    db_session: Session = Depends(get_session),
 ) -> list[OpenAICompatibleFinalModelResponse]:
    """Fetch available models from a generic OpenAI-compatible /v1/models endpoint."""
@@ -1830,7 +1652,7 @@ def get_openai_compatible_server_available_models(
                )
                for r in sorted_results
            ],
-            source_label="OpenAI-Compatible",
+            source_label="OpenAI Compatible",
        )

    return sorted_results
@@ -1849,6 +1671,6 @@ def _get_openai_compatible_server_response(

    return _get_openai_compatible_models_response(
        url=url,
-        source_name="OpenAI-Compatible",
+        source_name="OpenAI Compatible",
        api_key=api_key,
    )
--- a/backend/onyx/server/manage/llm/models.py
+++ b/backend/onyx/server/manage/llm/models.py
@@ -28,13 +28,6 @@ if TYPE_CHECKING:
 T = TypeVar("T", "LLMProviderDescriptor", "LLMProviderView", "VisionProviderResponse")


-class CustomProviderOption(BaseModel):
-    """A provider slug + human-friendly label for the custom-provider picker."""
-
-    value: str
-    label: str
-
-
 class TestLLMRequest(BaseModel):
    # provider level
    id: int | None = None
@@ -477,21 +470,6 @@ class BifrostFinalModelResponse(BaseModel):
    supports_reasoning: bool


-# Custom provider dynamic models fetch
-class CustomProviderModelsRequest(BaseModel):
-    provider: str  # LiteLLM provider slug (e.g. "deepseek", "fireworks_ai")
-    api_base: str | None = None  # If set, fetches live models via /v1/models
-    api_key: str | None = None
-    api_version: str | None = None  # If set, used to construct the models URL
-
-
-class CustomProviderModelResponse(BaseModel):
-    name: str
-    display_name: str
-    max_input_tokens: int | None
-    supports_image_input: bool
-
-
 # OpenAI Compatible dynamic models fetch
 class OpenAICompatibleModelsRequest(BaseModel):
    api_base: str
--- a/backend/onyx/server/manage/models.py
+++ b/backend/onyx/server/manage/models.py
@@ -135,6 +135,7 @@ class UserInfo(BaseModel):
    is_anonymous_user: bool | None = None
    password_configured: bool | None = None
    tenant_info: TenantInfo | None = None
+    effective_permissions: list[str] = Field(default_factory=list)

    @classmethod
    def from_model(
@@ -148,6 +149,7 @@ class UserInfo(BaseModel):
        tenant_info: TenantInfo | None = None,
        assistant_specific_configs: UserSpecificAssistantPreferences | None = None,
        memories: list[MemoryItem] | None = None,
+        effective_permissions: list[str] | None = None,
    ) -> "UserInfo":
        return cls(
            id=str(user.id),
@@ -187,6 +189,7 @@ class UserInfo(BaseModel):
            is_cloud_superuser=is_cloud_superuser,
            is_anonymous_user=is_anonymous_user,
            tenant_info=tenant_info,
+            effective_permissions=effective_permissions or [],
            personalization=UserPersonalization(
                name=user.personal_name or "",
                role=user.personal_role or "",
--- a/backend/onyx/server/manage/slack_bot.py
+++ b/backend/onyx/server/manage/slack_bot.py
@@ -114,7 +114,7 @@ def _form_channel_config(
 def create_slack_channel_config(
    slack_channel_config_creation_request: SlackChannelConfigCreationRequest,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> SlackChannelConfig:
    channel_config = _form_channel_config(
        db_session=db_session,
@@ -155,7 +155,7 @@ def patch_slack_channel_config(
    slack_channel_config_id: int,
    slack_channel_config_creation_request: SlackChannelConfigCreationRequest,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> SlackChannelConfig:
    channel_config = _form_channel_config(
        db_session=db_session,
@@ -216,7 +216,7 @@ def patch_slack_channel_config(
 def delete_slack_channel_config(
    slack_channel_config_id: int,
    db_session: Session = Depends(get_session),
-    user: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    user: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> None:
    remove_slack_channel_config(
        db_session=db_session,
@@ -228,7 +228,7 @@ def delete_slack_channel_config(
@router.get("/admin/slack-app/channel")
 def list_slack_channel_configs(
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> list[SlackChannelConfig]:
    slack_channel_config_models = fetch_slack_channel_configs(db_session=db_session)
    return [
@@ -241,7 +241,7 @@ def list_slack_channel_configs(
 def create_bot(
    slack_bot_creation_request: SlackBotCreationRequest,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> SlackBot:
    tenant_id = get_current_tenant_id()

@@ -287,7 +287,7 @@ def patch_bot(
    slack_bot_id: int,
    slack_bot_creation_request: SlackBotCreationRequest,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> SlackBot:
    validate_bot_token(slack_bot_creation_request.bot_token)
    validate_app_token(slack_bot_creation_request.app_token)
@@ -308,7 +308,7 @@ def patch_bot(
 def delete_bot(
    slack_bot_id: int,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> None:
    remove_slack_bot(
        db_session=db_session,
@@ -320,7 +320,7 @@ def delete_bot(
 def get_bot_by_id(
    slack_bot_id: int,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> SlackBot:
    slack_bot_model = fetch_slack_bot(
        db_session=db_session,
@@ -332,7 +332,7 @@ def get_bot_by_id(
@router.get("/admin/slack-app/bots")
 def list_bots(
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> list[SlackBot]:
    slack_bot_models = fetch_slack_bots(db_session=db_session)
    return [
@@ -344,7 +344,7 @@ def list_bots(
 def list_bot_configs(
    bot_id: int,
    db_session: Session = Depends(get_session),
-    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+    _: User = Depends(require_permission(Permission.MANAGE_BOTS)),
 ) -> list[SlackChannelConfig]:
    slack_bot_config_models = fetch_slack_channel_configs(
        db_session=db_session, slack_bot_id=bot_id
--- a/backend/onyx/server/manage/users.py
+++ b/backend/onyx/server/manage/users.py
@@ -857,6 +857,7 @@ def verify_user_logged_in(
            invitation=tenant_invitation,
        ),
        memories=memories,
+        effective_permissions=sorted(p.value for p in get_effective_permissions(user)),
    )

    return user_info
--- a/backend/onyx/server/metrics/pruning_metrics.py
+++ b/backend/onyx/server/metrics/pruning_metrics.py
@@ -1,72 +0,0 @@
-"""Pruning-specific Prometheus metrics.
-
-Tracks three pruning pipeline phases for connector_pruning_generator_task:
-  1. Document ID enumeration duration (extract_ids_from_runnable_connector)
-  2. Diff + dispatch duration (DB lookup, set diff, generate_tasks)
-  3. Rate limit errors during enumeration
-
-All metrics are labeled by connector_type to identify which connector sources
-are the most expensive to prune. cc_pair_id is intentionally excluded to avoid
-unbounded cardinality.
-
-Usage:
-    from onyx.server.metrics.pruning_metrics import (
-        observe_pruning_enumeration_duration,
-        observe_pruning_diff_duration,
-        inc_pruning_rate_limit_error,
-    )
-"""
-
-from prometheus_client import Counter
-from prometheus_client import Histogram
-
-from onyx.utils.logger import setup_logger
-
-logger = setup_logger()
-
-PRUNING_ENUMERATION_DURATION = Histogram(
-    "onyx_pruning_enumeration_duration_seconds",
-    "Duration of document ID enumeration from the source connector during pruning",
-    ["connector_type"],
-    buckets=[1, 5, 15, 30, 60, 120, 300, 600, 1800, 3600],
-)
-
-PRUNING_DIFF_DURATION = Histogram(
-    "onyx_pruning_diff_duration_seconds",
-    "Duration of diff computation and subtask dispatch during pruning",
-    ["connector_type"],
-    buckets=[1, 5, 15, 30, 60, 120, 300, 600, 1800, 3600],
-)
-
-PRUNING_RATE_LIMIT_ERRORS = Counter(
-    "onyx_pruning_rate_limit_errors_total",
-    "Total rate limit errors encountered during pruning document ID enumeration",
-    ["connector_type"],
-)
-
-
-def observe_pruning_enumeration_duration(
-    duration_seconds: float, connector_type: str
-) -> None:
-    try:
-        PRUNING_ENUMERATION_DURATION.labels(connector_type=connector_type).observe(
-            duration_seconds
-        )
-    except Exception:
-        logger.debug("Failed to record pruning enumeration duration", exc_info=True)
-
-
-def observe_pruning_diff_duration(duration_seconds: float, connector_type: str) -> None:
-    try:
-        PRUNING_DIFF_DURATION.labels(connector_type=connector_type).observe(
-            duration_seconds
-        )
-    except Exception:
-        logger.debug("Failed to record pruning diff duration", exc_info=True)
-
-
-def inc_pruning_rate_limit_error(connector_type: str) -> None:
-    try:
-        PRUNING_RATE_LIMIT_ERRORS.labels(connector_type=connector_type).inc()
-    except Exception:
-        logger.debug("Failed to record pruning rate limit error", exc_info=True)
--- a/backend/onyx/server/pat/api.py
+++ b/backend/onyx/server/pat/api.py
@@ -2,7 +2,6 @@

 from fastapi import APIRouter
 from fastapi import Depends
-from fastapi import HTTPException
 from sqlalchemy.orm import Session

 from onyx.auth.permissions import require_permission
@@ -12,6 +11,8 @@ from onyx.db.models import User
 from onyx.db.pat import create_pat
 from onyx.db.pat import list_user_pats
 from onyx.db.pat import revoke_pat
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.server.pat.models import CreatedTokenResponse
 from onyx.server.pat.models import CreateTokenRequest
 from onyx.server.pat.models import TokenResponse
@@ -46,7 +47,7 @@ def list_tokens(
@router.post("")
 def create_token(
    request: CreateTokenRequest,
-    user: User = Depends(require_permission(Permission.BASIC_ACCESS)),
+    user: User = Depends(require_permission(Permission.CREATE_USER_API_KEYS)),
    db_session: Session = Depends(get_session),
 ) -> CreatedTokenResponse:
    """Create new personal access token for current user."""
@@ -58,7 +59,7 @@ def create_token(
            expiration_days=request.expiration_days,
        )
    except ValueError as e:
-        raise HTTPException(status_code=400, detail=str(e))
+        raise OnyxError(OnyxErrorCode.BAD_REQUEST, str(e))

    logger.info(f"User {user.email} created PAT '{request.name}'")

@@ -82,9 +83,7 @@ def delete_token(
    """Delete (revoke) personal access token. Only owner can revoke their own tokens."""
    success = revoke_pat(db_session, token_id, user.id)
    if not success:
-        raise HTTPException(
-            status_code=404, detail="Token not found or not owned by user"
-        )
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "Token not found or not owned by user")

    logger.info(f"User {user.email} revoked token {token_id}")
    return {"message": "Token deleted successfully"}
--- a/backend/requirements/dev.txt
+++ b/backend/requirements/dev.txt
@@ -263,7 +263,7 @@ oauthlib==3.2.2
    # via
    #   kubernetes
    #   requests-oauthlib
-onyx-devtools==0.7.3
+onyx-devtools==0.7.2
    # via onyx
 openai==2.14.0
    # via
--- a/backend/tests/integration/common_utils/managers/user_group.py
+++ b/backend/tests/integration/common_utils/managers/user_group.py
@@ -117,15 +117,14 @@ class UserGroupManager:
        return response.json()

    @staticmethod
-    def set_permission(
+    def set_permissions(
        user_group: DATestUserGroup,
-        permission: str,
-        enabled: bool,
+        permissions: list[str],
        user_performing_action: DATestUser,
    ) -> requests.Response:
        response = requests.put(
            f"{API_SERVER_URL}/manage/admin/user-group/{user_group.id}/permissions",
-            json={"permission": permission, "enabled": enabled},
+            json={"permissions": permissions},
            headers=user_performing_action.headers,
        )
        return response
--- a/backend/tests/integration/tests/usergroup/test_group_permission_toggle.py
+++ b/backend/tests/integration/tests/usergroup/test_group_permission_toggle.py
@@ -13,7 +13,7 @@ ENTERPRISE_SKIP = pytest.mark.skipif(


@ENTERPRISE_SKIP
-def test_grant_permission_via_toggle(reset: None) -> None:  # noqa: ARG001
+def test_grant_permission_via_bulk(reset: None) -> None:  # noqa: ARG001
    admin_user: DATestUser = UserManager.create(name="admin_grant")
    basic_user: DATestUser = UserManager.create(name="basic_grant")

@@ -23,10 +23,11 @@ def test_grant_permission_via_toggle(reset: None) -> None:  # noqa: ARG001
        user_performing_action=admin_user,
    )

-    # Grant manage:llms
-    resp = UserGroupManager.set_permission(group, "manage:llms", True, admin_user)
+    # Set desired permissions to [manage:llms]
+    resp = UserGroupManager.set_permissions(group, ["manage:llms"], admin_user)
    resp.raise_for_status()
-    assert resp.json() == {"permission": "manage:llms", "enabled": True}
+    result = resp.json()
+    assert "manage:llms" in result, f"Expected manage:llms in {result}"

    # Verify group permissions
    group_perms = UserGroupManager.get_permissions(group, admin_user)
@@ -38,7 +39,7 @@ def test_grant_permission_via_toggle(reset: None) -> None:  # noqa: ARG001


@ENTERPRISE_SKIP
-def test_revoke_permission_via_toggle(reset: None) -> None:  # noqa: ARG001
+def test_revoke_permission_via_bulk(reset: None) -> None:  # noqa: ARG001
    admin_user: DATestUser = UserManager.create(name="admin_revoke")
    basic_user: DATestUser = UserManager.create(name="basic_revoke")

@@ -48,13 +49,11 @@ def test_revoke_permission_via_toggle(reset: None) -> None:  # noqa: ARG001
        user_performing_action=admin_user,
    )

-    # Grant then revoke
-    UserGroupManager.set_permission(
-        group, "manage:llms", True, admin_user
-    ).raise_for_status()
-    UserGroupManager.set_permission(
-        group, "manage:llms", False, admin_user
+    # Grant then revoke by sending empty list
+    UserGroupManager.set_permissions(
+        group, ["manage:llms"], admin_user
    ).raise_for_status()
+    UserGroupManager.set_permissions(group, [], admin_user).raise_for_status()

    # Verify removed from group
    group_perms = UserGroupManager.get_permissions(group, admin_user)
@@ -68,7 +67,7 @@ def test_revoke_permission_via_toggle(reset: None) -> None:  # noqa: ARG001


@ENTERPRISE_SKIP
-def test_idempotent_grant(reset: None) -> None:  # noqa: ARG001
+def test_idempotent_bulk_set(reset: None) -> None:  # noqa: ARG001
    admin_user: DATestUser = UserManager.create(name="admin_idempotent_grant")

    group = UserGroupManager.create(
@@ -77,12 +76,12 @@ def test_idempotent_grant(reset: None) -> None:  # noqa: ARG001
        user_performing_action=admin_user,
    )

-    # Toggle ON twice
-    UserGroupManager.set_permission(
-        group, "manage:llms", True, admin_user
+    # Set same permissions twice
+    UserGroupManager.set_permissions(
+        group, ["manage:llms"], admin_user
    ).raise_for_status()
-    UserGroupManager.set_permission(
-        group, "manage:llms", True, admin_user
+    UserGroupManager.set_permissions(
+        group, ["manage:llms"], admin_user
    ).raise_for_status()

    group_perms = UserGroupManager.get_permissions(group, admin_user)
@@ -92,22 +91,22 @@ def test_idempotent_grant(reset: None) -> None:  # noqa: ARG001


@ENTERPRISE_SKIP
-def test_idempotent_revoke(reset: None) -> None:  # noqa: ARG001
-    admin_user: DATestUser = UserManager.create(name="admin_idempotent_revoke")
+def test_empty_permissions_is_valid(reset: None) -> None:  # noqa: ARG001
+    admin_user: DATestUser = UserManager.create(name="admin_empty")

    group = UserGroupManager.create(
-        name="idempotent-revoke-group",
+        name="empty-perms-group",
        user_ids=[admin_user.id],
        user_performing_action=admin_user,
    )

-    # Toggle OFF when never granted — should not error
-    resp = UserGroupManager.set_permission(group, "manage:llms", False, admin_user)
+    # Setting empty list should not error
+    resp = UserGroupManager.set_permissions(group, [], admin_user)
    resp.raise_for_status()


@ENTERPRISE_SKIP
-def test_cannot_toggle_basic_access(reset: None) -> None:  # noqa: ARG001
+def test_cannot_set_basic_access(reset: None) -> None:  # noqa: ARG001
    admin_user: DATestUser = UserManager.create(name="admin_basic_block")

    group = UserGroupManager.create(
@@ -116,12 +115,12 @@ def test_cannot_toggle_basic_access(reset: None) -> None:  # noqa: ARG001
        user_performing_action=admin_user,
    )

-    resp = UserGroupManager.set_permission(group, "basic", True, admin_user)
+    resp = UserGroupManager.set_permissions(group, ["basic"], admin_user)
    assert resp.status_code == 400, f"Expected 400, got {resp.status_code}"


@ENTERPRISE_SKIP
-def test_cannot_toggle_admin(reset: None) -> None:  # noqa: ARG001
+def test_cannot_set_admin(reset: None) -> None:  # noqa: ARG001
    admin_user: DATestUser = UserManager.create(name="admin_admin_block")

    group = UserGroupManager.create(
@@ -130,7 +129,7 @@ def test_cannot_toggle_admin(reset: None) -> None:  # noqa: ARG001
        user_performing_action=admin_user,
    )

-    resp = UserGroupManager.set_permission(group, "admin", True, admin_user)
+    resp = UserGroupManager.set_permissions(group, ["admin"], admin_user)
    assert resp.status_code == 400, f"Expected 400, got {resp.status_code}"


@@ -146,11 +145,44 @@ def test_implied_permissions_expand(reset: None) -> None:  # noqa: ARG001
    )

    # Grant manage:agents — should imply add:agents and read:agents
-    UserGroupManager.set_permission(
-        group, "manage:agents", True, admin_user
+    UserGroupManager.set_permissions(
+        group, ["manage:agents"], admin_user
    ).raise_for_status()

    user_perms = UserManager.get_permissions(basic_user)
    assert "manage:agents" in user_perms, f"Missing manage:agents: {user_perms}"
    assert "add:agents" in user_perms, f"Missing implied add:agents: {user_perms}"
    assert "read:agents" in user_perms, f"Missing implied read:agents: {user_perms}"
+
+
+@ENTERPRISE_SKIP
+def test_bulk_replaces_previous_state(reset: None) -> None:  # noqa: ARG001
+    """Setting a new permission list should disable ones no longer included."""
+    admin_user: DATestUser = UserManager.create(name="admin_replace")
+
+    group = UserGroupManager.create(
+        name="replace-state-group",
+        user_ids=[admin_user.id],
+        user_performing_action=admin_user,
+    )
+
+    # Set initial permissions
+    UserGroupManager.set_permissions(
+        group, ["manage:llms", "manage:actions"], admin_user
+    ).raise_for_status()
+
+    # Replace with a different set
+    UserGroupManager.set_permissions(
+        group, ["manage:actions", "manage:user_groups"], admin_user
+    ).raise_for_status()
+
+    group_perms = UserGroupManager.get_permissions(group, admin_user)
+    assert (
+        "manage:llms" not in group_perms
+    ), f"manage:llms should be removed: {group_perms}"
+    assert (
+        "manage:actions" in group_perms
+    ), f"manage:actions should remain: {group_perms}"
+    assert (
+        "manage:user_groups" in group_perms
+    ), f"manage:user_groups should be added: {group_perms}"
--- a/backend/tests/unit/background/init.py
+++ b/backend/tests/unit/background/init.py
--- a/backend/tests/unit/background/celery/init.py
+++ b/backend/tests/unit/background/celery/init.py
--- a/backend/tests/unit/background/celery/test_celery_utils.py
+++ b/backend/tests/unit/background/celery/test_celery_utils.py
@@ -1,149 +0,0 @@
-"""Unit tests for extract_ids_from_runnable_connector metrics instrumentation."""
-
-from collections.abc import Iterator
-from unittest.mock import MagicMock
-
-import pytest
-
-from onyx.background.celery.celery_utils import extract_ids_from_runnable_connector
-from onyx.connectors.interfaces import SlimConnector
-from onyx.connectors.models import SlimDocument
-from onyx.server.metrics.pruning_metrics import PRUNING_ENUMERATION_DURATION
-from onyx.server.metrics.pruning_metrics import PRUNING_RATE_LIMIT_ERRORS
-
-
-def _make_slim_connector(doc_ids: list[str]) -> SlimConnector:
-    """Mock SlimConnector that yields the given doc IDs in one batch."""
-    connector = MagicMock(spec=SlimConnector)
-    docs = [
-        MagicMock(spec=SlimDocument, id=doc_id, parent_hierarchy_raw_node_id=None)
-        for doc_id in doc_ids
-    ]
-    connector.retrieve_all_slim_docs.return_value = iter([docs])
-    return connector
-
-
-def _raising_connector(message: str) -> SlimConnector:
-    """Mock SlimConnector whose generator raises with the given message."""
-    connector = MagicMock(spec=SlimConnector)
-
-    def raising_iter() -> Iterator:
-        raise Exception(message)
-        yield
-
-    connector.retrieve_all_slim_docs.return_value = raising_iter()
-    return connector
-
-
-class TestEnumerationDuration:
-    def test_recorded_on_success(self) -> None:
-        connector = _make_slim_connector(["doc1"])
-        before = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="google_drive"
-        )._sum.get()
-
-        extract_ids_from_runnable_connector(connector, connector_type="google_drive")
-
-        after = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="google_drive"
-        )._sum.get()
-        assert after >= before  # duration observed (non-negative)
-
-    def test_recorded_on_exception(self) -> None:
-        connector = _raising_connector("unexpected error")
-        before = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="confluence"
-        )._sum.get()
-
-        with pytest.raises(Exception):
-            extract_ids_from_runnable_connector(connector, connector_type="confluence")
-
-        after = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="confluence"
-        )._sum.get()
-        assert after >= before  # duration observed even on exception
-
-
-class TestRateLimitDetection:
-    def test_increments_on_rate_limit_message(self) -> None:
-        connector = _raising_connector("rate limit exceeded")
-        before = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="google_drive"
-        )._value.get()
-
-        with pytest.raises(Exception, match="rate limit exceeded"):
-            extract_ids_from_runnable_connector(
-                connector, connector_type="google_drive"
-            )
-
-        after = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="google_drive"
-        )._value.get()
-        assert after == before + 1
-
-    def test_increments_on_429_in_message(self) -> None:
-        connector = _raising_connector("HTTP 429 Too Many Requests")
-        before = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="confluence"
-        )._value.get()
-
-        with pytest.raises(Exception, match="429"):
-            extract_ids_from_runnable_connector(connector, connector_type="confluence")
-
-        after = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="confluence"
-        )._value.get()
-        assert after == before + 1
-
-    def test_does_not_increment_on_non_rate_limit_exception(self) -> None:
-        connector = _raising_connector("connection timeout")
-        before = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="slack")._value.get()
-
-        with pytest.raises(Exception, match="connection timeout"):
-            extract_ids_from_runnable_connector(connector, connector_type="slack")
-
-        after = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="slack")._value.get()
-        assert after == before
-
-    def test_rate_limit_detection_is_case_insensitive(self) -> None:
-        connector = _raising_connector("RATE LIMIT exceeded")
-        before = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="jira")._value.get()
-
-        with pytest.raises(Exception):
-            extract_ids_from_runnable_connector(connector, connector_type="jira")
-
-        after = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="jira")._value.get()
-        assert after == before + 1
-
-    def test_connector_type_label_matches_input(self) -> None:
-        connector = _raising_connector("rate limit exceeded")
-        before_gd = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="google_drive"
-        )._value.get()
-        before_jira = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="jira"
-        )._value.get()
-
-        with pytest.raises(Exception):
-            extract_ids_from_runnable_connector(
-                connector, connector_type="google_drive"
-            )
-
-        assert (
-            PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="google_drive")._value.get()
-            == before_gd + 1
-        )
-        assert (
-            PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="jira")._value.get()
-            == before_jira
-        )
-
-    def test_defaults_to_unknown_connector_type(self) -> None:
-        connector = _raising_connector("rate limit exceeded")
-        before = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="unknown")._value.get()
-
-        with pytest.raises(Exception):
-            extract_ids_from_runnable_connector(connector)
-
-        after = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="unknown")._value.get()
-        assert after == before + 1
--- a/backend/tests/unit/server/metrics/test_pruning_metrics.py
+++ b/backend/tests/unit/server/metrics/test_pruning_metrics.py
@@ -1,128 +0,0 @@
-"""Tests for pruning-specific Prometheus metrics."""
-
-import pytest
-
-from onyx.server.metrics.pruning_metrics import inc_pruning_rate_limit_error
-from onyx.server.metrics.pruning_metrics import observe_pruning_diff_duration
-from onyx.server.metrics.pruning_metrics import observe_pruning_enumeration_duration
-from onyx.server.metrics.pruning_metrics import PRUNING_DIFF_DURATION
-from onyx.server.metrics.pruning_metrics import PRUNING_ENUMERATION_DURATION
-from onyx.server.metrics.pruning_metrics import PRUNING_RATE_LIMIT_ERRORS
-
-
-class TestObservePruningEnumerationDuration:
-    def test_observes_duration(self) -> None:
-        before = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="google_drive"
-        )._sum.get()
-
-        observe_pruning_enumeration_duration(10.0, "google_drive")
-
-        after = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="google_drive"
-        )._sum.get()
-        assert after == pytest.approx(before + 10.0)
-
-    def test_labels_by_connector_type(self) -> None:
-        before_gd = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="google_drive"
-        )._sum.get()
-        before_conf = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="confluence"
-        )._sum.get()
-
-        observe_pruning_enumeration_duration(5.0, "google_drive")
-
-        after_gd = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="google_drive"
-        )._sum.get()
-        after_conf = PRUNING_ENUMERATION_DURATION.labels(
-            connector_type="confluence"
-        )._sum.get()
-
-        assert after_gd == pytest.approx(before_gd + 5.0)
-        assert after_conf == pytest.approx(before_conf)
-
-    def test_does_not_raise_on_exception(self, monkeypatch: pytest.MonkeyPatch) -> None:
-        monkeypatch.setattr(
-            PRUNING_ENUMERATION_DURATION,
-            "labels",
-            lambda **_: (_ for _ in ()).throw(RuntimeError("boom")),
-        )
-        observe_pruning_enumeration_duration(1.0, "google_drive")
-
-
-class TestObservePruningDiffDuration:
-    def test_observes_duration(self) -> None:
-        before = PRUNING_DIFF_DURATION.labels(connector_type="confluence")._sum.get()
-
-        observe_pruning_diff_duration(3.0, "confluence")
-
-        after = PRUNING_DIFF_DURATION.labels(connector_type="confluence")._sum.get()
-        assert after == pytest.approx(before + 3.0)
-
-    def test_labels_by_connector_type(self) -> None:
-        before_conf = PRUNING_DIFF_DURATION.labels(
-            connector_type="confluence"
-        )._sum.get()
-        before_slack = PRUNING_DIFF_DURATION.labels(connector_type="slack")._sum.get()
-
-        observe_pruning_diff_duration(2.0, "confluence")
-
-        after_conf = PRUNING_DIFF_DURATION.labels(
-            connector_type="confluence"
-        )._sum.get()
-        after_slack = PRUNING_DIFF_DURATION.labels(connector_type="slack")._sum.get()
-
-        assert after_conf == pytest.approx(before_conf + 2.0)
-        assert after_slack == pytest.approx(before_slack)
-
-    def test_does_not_raise_on_exception(self, monkeypatch: pytest.MonkeyPatch) -> None:
-        monkeypatch.setattr(
-            PRUNING_DIFF_DURATION,
-            "labels",
-            lambda **_: (_ for _ in ()).throw(RuntimeError("boom")),
-        )
-        observe_pruning_diff_duration(1.0, "confluence")
-
-
-class TestIncPruningRateLimitError:
-    def test_increments_counter(self) -> None:
-        before = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="google_drive"
-        )._value.get()
-
-        inc_pruning_rate_limit_error("google_drive")
-
-        after = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="google_drive"
-        )._value.get()
-        assert after == before + 1
-
-    def test_labels_by_connector_type(self) -> None:
-        before_gd = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="google_drive"
-        )._value.get()
-        before_jira = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="jira"
-        )._value.get()
-
-        inc_pruning_rate_limit_error("google_drive")
-
-        after_gd = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="google_drive"
-        )._value.get()
-        after_jira = PRUNING_RATE_LIMIT_ERRORS.labels(
-            connector_type="jira"
-        )._value.get()
-
-        assert after_gd == before_gd + 1
-        assert after_jira == before_jira
-
-    def test_does_not_raise_on_exception(self, monkeypatch: pytest.MonkeyPatch) -> None:
-        monkeypatch.setattr(
-            PRUNING_RATE_LIMIT_ERRORS,
-            "labels",
-            lambda **_: (_ for _ in ()).throw(RuntimeError("boom")),
-        )
-        inc_pruning_rate_limit_error("google_drive")
--- a/deployment/helm/charts/onyx/Chart.lock
+++ b/deployment/helm/charts/onyx/Chart.lock
@@ -19,6 +19,6 @@ dependencies:
  version: 5.4.0
 - name: code-interpreter
  repository: https://onyx-dot-app.github.io/python-sandbox/
-  version: 0.3.3
-digest: sha256:a57f29088b1624a72f6c70e4c3ccc2f2aad675e4624278c4e9be92083d6d5dad
-generated: "2026-04-08T16:47:29.33368-07:00"
+  version: 0.3.2
+digest: sha256:74908ea45ace2b4be913ff762772e6d87e40bab64e92c6662aa51730eaeb9d87
+generated: "2026-04-06T15:34:02.597166-07:00"
--- a/deployment/helm/charts/onyx/Chart.yaml
+++ b/deployment/helm/charts/onyx/Chart.yaml
@@ -45,6 +45,6 @@ dependencies:
    repository: https://charts.min.io/
    condition: minio.enabled
  - name: code-interpreter
-    version: 0.3.3
+    version: 0.3.2
    repository: https://onyx-dot-app.github.io/python-sandbox/
    condition: codeInterpreter.enabled
--- a/deployment/helm/charts/onyx/templates/celery-worker-heavy-metrics-service.yaml
+++ b/deployment/helm/charts/onyx/templates/celery-worker-heavy-metrics-service.yaml
@@ -1,26 +0,0 @@
-{{- /* Metrics port must match the default in metrics_server.py (_DEFAULT_PORTS).
-       Do NOT use PROMETHEUS_METRICS_PORT env var in Helm — each worker needs its own port. */ -}}
-{{- if gt (int .Values.celery_worker_heavy.replicaCount) 0 }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "onyx.fullname" . }}-celery-worker-heavy-metrics
-  labels:
-    {{- include "onyx.labels" . | nindent 4 }}
-    {{- if .Values.celery_worker_heavy.deploymentLabels }}
-    {{- toYaml .Values.celery_worker_heavy.deploymentLabels | nindent 4 }}
-    {{- end }}
-    metrics: "true"
-spec:
-  type: ClusterIP
-  ports:
-    - port: 9094
-      targetPort: metrics
-      protocol: TCP
-      name: metrics
-  selector:
-    {{- include "onyx.selectorLabels" . | nindent 4 }}
-    {{- if .Values.celery_worker_heavy.deploymentLabels }}
-    {{- toYaml .Values.celery_worker_heavy.deploymentLabels | nindent 4 }}
-    {{- end }}
-{{- end }}
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -148,7 +148,7 @@ dev = [
    "matplotlib==3.10.8",
    "mypy-extensions==1.0.0",
    "mypy==1.13.0",
-    "onyx-devtools==0.7.3",
+    "onyx-devtools==0.7.2",
    "openapi-generator-cli==7.17.0",
    "pandas-stubs~=2.3.3",
    "pre-commit==3.2.2",
--- a/tools/ods/cmd/deploy.go
+++ b/tools/ods/cmd/deploy.go
@@ -1,19 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-// NewDeployCommand creates the parent `ods deploy` command. Subcommands hang
-// off it (e.g. `ods deploy edge`) and represent ad-hoc deployment workflows.
-func NewDeployCommand() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:   "deploy",
-		Short: "Trigger ad-hoc deployments",
-		Long:  "Trigger ad-hoc deployments to Onyx-managed environments.",
-	}
-
-	cmd.AddCommand(NewDeployEdgeCommand())
-
-	return cmd
-}
--- a/tools/ods/cmd/deploy_edge.go
+++ b/tools/ods/cmd/deploy_edge.go
@@ -1,353 +0,0 @@
-package cmd
-
-import (
-	"encoding/json"
-	"fmt"
-	"os/exec"
-	"sort"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/onyx-dot-app/onyx/tools/ods/internal/config"
-	"github.com/onyx-dot-app/onyx/tools/ods/internal/git"
-	"github.com/onyx-dot-app/onyx/tools/ods/internal/paths"
-	"github.com/onyx-dot-app/onyx/tools/ods/internal/prompt"
-)
-
-const (
-	onyxRepo               = "onyx-dot-app/onyx"
-	deploymentWorkflowFile = "deployment.yml"
-	edgeTagName            = "edge"
-
-	// Polling configuration. Build runs typically take 20-30 minutes; deploys
-	// are much shorter. The "discover" phase polls fast for a short window
-	// because the run usually appears within seconds of pushing the tag /
-	// dispatching the workflow.
-	runDiscoveryInterval = 5 * time.Second
-	runDiscoveryTimeout  = 2 * time.Minute
-	runProgressInterval  = 30 * time.Second
-	buildPollTimeout     = 60 * time.Minute
-	deployPollTimeout    = 30 * time.Minute
-)
-
-// DeployEdgeOptions holds options for the deploy edge command.
-type DeployEdgeOptions struct {
-	TargetRepo     string
-	TargetWorkflow string
-	DryRun         bool
-	Yes            bool
-	NoWaitDeploy   bool
-}
-
-// NewDeployEdgeCommand creates the `ods deploy edge` command.
-func NewDeployEdgeCommand() *cobra.Command {
-	opts := &DeployEdgeOptions{}
-
-	cmd := &cobra.Command{
-		Use:   "edge",
-		Short: "Build edge images off main and deploy to the configured target",
-		Long: `Build edge images off origin/main and dispatch the configured deploy workflow.
-
-This command will:
-  1. Force-push the 'edge' tag to origin/main, triggering the build
-  2. Wait for the build workflow to finish
-  3. Dispatch the configured deploy workflow with version_tag=edge
-  4. Wait for the deploy workflow to finish
-
-All GitHub operations run through the gh CLI, so authorization is enforced
-by your gh credentials and GitHub's repo/workflow permissions.
-
-On first run, you'll be prompted for the deploy target repo and workflow
-filename. These are saved to the ods config file (~/.config/onyx-dev/config.json
-on Linux/macOS) and reused on subsequent runs. Pass --target-repo or
--target-workflow to override the saved values.
-
-Example usage:
-
-    $ ods deploy edge`,
-		Args: cobra.NoArgs,
-		Run: func(cmd *cobra.Command, args []string) {
-			deployEdge(opts)
-		},
-	}
-
-	cmd.Flags().StringVar(&opts.TargetRepo, "target-repo", "", "GitHub repo (owner/name) hosting the deploy workflow; overrides saved config")
-	cmd.Flags().StringVar(&opts.TargetWorkflow, "target-workflow", "", "Filename of the deploy workflow within the target repo; overrides saved config")
-	cmd.Flags().BoolVar(&opts.DryRun, "dry-run", false, "Perform local operations only; skip pushing the tag and dispatching workflows")
-	cmd.Flags().BoolVar(&opts.Yes, "yes", false, "Skip the confirmation prompt")
-	cmd.Flags().BoolVar(&opts.NoWaitDeploy, "no-wait-deploy", false, "Do not wait for the deploy workflow to finish after dispatching it")
-
-	return cmd
-}
-
-func deployEdge(opts *DeployEdgeOptions) {
-	git.CheckGitHubCLI()
-
-	deployRepo, deployWorkflow := resolveDeployTarget(opts)
-
-	if opts.DryRun {
-		log.Warning("=== DRY RUN MODE: tag push and workflow dispatch will be skipped (read-only gh and git fetch still run) ===")
-	}
-
-	if !opts.Yes {
-		msg := "About to force-push tag 'edge' to origin/main and trigger an ad-hoc deploy. Continue? (Y/n): "
-		if !prompt.Confirm(msg) {
-			log.Info("Exiting...")
-			return
-		}
-	}
-
-	// Capture the most recent existing edge build run id BEFORE pushing, so we
-	// can reliably identify the new run we trigger and not pick up a stale one.
-	priorBuildRunID, err := latestWorkflowRunID(onyxRepo, deploymentWorkflowFile, "push", edgeTagName)
-	if err != nil {
-		log.Fatalf("Failed to query existing deployment runs: %v", err)
-	}
-	log.Debugf("Most recent prior edge build run id: %d", priorBuildRunID)
-
-	log.Info("Fetching origin/main...")
-	if err := git.RunCommand("fetch", "origin", "main"); err != nil {
-		log.Fatalf("Failed to fetch origin/main: %v", err)
-	}
-
-	if opts.DryRun {
-		log.Warnf("[DRY RUN] Would move local '%s' tag to origin/main", edgeTagName)
-		log.Warnf("[DRY RUN] Would force-push tag '%s' to origin", edgeTagName)
-		log.Warn("[DRY RUN] Would wait for build then dispatch the configured deploy workflow")
-		return
-	}
-
-	log.Infof("Moving local '%s' tag to origin/main...", edgeTagName)
-	if err := git.RunCommand("tag", "-f", edgeTagName, "origin/main"); err != nil {
-		log.Fatalf("Failed to move local tag: %v", err)
-	}
-
-	log.Infof("Force-pushing tag '%s' to origin...", edgeTagName)
-	if err := git.RunCommand("push", "-f", "origin", edgeTagName); err != nil {
-		log.Fatalf("Failed to push edge tag: %v", err)
-	}
-
-	// Find the new build run, then poll it to completion.
-	log.Info("Waiting for build workflow to start...")
-	buildRun, err := waitForNewRun(onyxRepo, deploymentWorkflowFile, "push", edgeTagName, priorBuildRunID)
-	if err != nil {
-		log.Fatalf("Failed to find triggered build run: %v", err)
-	}
-	log.Infof("Build run started: %s", buildRun.URL)
-
-	if err := waitForRunCompletion(onyxRepo, buildRun.DatabaseID, buildPollTimeout, "build"); err != nil {
-		log.Fatalf("Build did not complete successfully: %v", err)
-	}
-	log.Info("Build completed successfully.")
-
-	// Dispatch the deploy workflow.
-	priorDeployRunID, err := latestWorkflowRunID(deployRepo, deployWorkflow, "workflow_dispatch", "")
-	if err != nil {
-		log.Fatalf("Failed to query existing deploy runs: %v", err)
-	}
-	log.Debugf("Most recent prior deploy run id: %d", priorDeployRunID)
-
-	log.Info("Dispatching deploy workflow with version_tag=edge...")
-	if err := dispatchWorkflow(deployRepo, deployWorkflow, map[string]string{"version_tag": edgeTagName}); err != nil {
-		log.Fatalf("Failed to dispatch deploy workflow: %v", err)
-	}
-
-	deployRun, err := waitForNewRun(deployRepo, deployWorkflow, "workflow_dispatch", "", priorDeployRunID)
-	if err != nil {
-		log.Fatalf("Failed to find dispatched deploy run: %v", err)
-	}
-	log.Infof("Deploy run started: %s", deployRun.URL)
-	log.Info("A kickoff Slack message will appear in #monitor-deployments.")
-
-	if opts.NoWaitDeploy {
-		log.Info("--no-wait-deploy set; not waiting for deploy completion.")
-		return
-	}
-
-	if err := waitForRunCompletion(deployRepo, deployRun.DatabaseID, deployPollTimeout, "deploy"); err != nil {
-		log.Fatalf("Deploy did not complete successfully: %v", err)
-	}
-	log.Info("Deploy completed successfully.")
-}
-
-// resolveDeployTarget returns the deploy target repo and workflow to use,
-// preferring explicit flags, then saved config, then prompting the user on
-// first-time setup. Any newly-prompted values are persisted back to the
-// config file so subsequent runs are non-interactive.
-func resolveDeployTarget(opts *DeployEdgeOptions) (string, string) {
-	cfg, err := config.Load()
-	if err != nil {
-		log.Fatalf("Failed to load ods config: %v", err)
-	}
-
-	repo := opts.TargetRepo
-	if repo == "" {
-		repo = cfg.DeployEdge.TargetRepo
-	}
-	workflow := opts.TargetWorkflow
-	if workflow == "" {
-		workflow = cfg.DeployEdge.TargetWorkflow
-	}
-
-	prompted := false
-	if repo == "" {
-		log.Infof("First-time setup: ods will save your deploy target to %s", paths.ConfigFilePath())
-		repo = prompt.String("Deploy target repo (owner/name): ")
-		prompted = true
-	}
-	if workflow == "" {
-		workflow = prompt.String("Deploy workflow filename (e.g. some-workflow.yml): ")
-		prompted = true
-	}
-
-	if prompted {
-		cfg.DeployEdge.TargetRepo = repo
-		cfg.DeployEdge.TargetWorkflow = workflow
-		if err := config.Save(cfg); err != nil {
-			log.Fatalf("Failed to save ods config: %v", err)
-		}
-		log.Infof("Saved deploy target to %s", paths.ConfigFilePath())
-	}
-
-	return repo, workflow
-}
-
-// workflowRun is a partial representation of a `gh run list` JSON entry.
-type workflowRun struct {
-	DatabaseID int64  `json:"databaseId"`
-	Status     string `json:"status"`
-	Conclusion string `json:"conclusion"`
-	URL        string `json:"url"`
-	Event      string `json:"event"`
-	HeadBranch string `json:"headBranch"`
-}
-
-// latestWorkflowRunID returns the highest databaseId for runs of the given
-// workflow filtered by event (and optional branch). Returns 0 if no runs
-// exist yet, which is a valid state.
-func latestWorkflowRunID(repo, workflowFile, event, branch string) (int64, error) {
-	runs, err := listWorkflowRuns(repo, workflowFile, event, branch, 10)
-	if err != nil {
-		return 0, err
-	}
-	var maxID int64
-	for _, r := range runs {
-		if r.DatabaseID > maxID {
-			maxID = r.DatabaseID
-		}
-	}
-	return maxID, nil
-}
-
-func listWorkflowRuns(repo, workflowFile, event, branch string, limit int) ([]workflowRun, error) {
-	args := []string{
-		"run", "list",
-		"-R", repo,
-		"--workflow", workflowFile,
-		"--limit", fmt.Sprintf("%d", limit),
-		"--json", "databaseId,status,conclusion,url,event,headBranch",
-	}
-	if event != "" {
-		args = append(args, "--event", event)
-	}
-	if branch != "" {
-		args = append(args, "--branch", branch)
-	}
-	cmd := exec.Command("gh", args...)
-	output, err := cmd.Output()
-	if err != nil {
-		if exitErr, ok := err.(*exec.ExitError); ok {
-			return nil, fmt.Errorf("gh run list failed: %w: %s", err, string(exitErr.Stderr))
-		}
-		return nil, fmt.Errorf("gh run list failed: %w", err)
-	}
-	var runs []workflowRun
-	if err := json.Unmarshal(output, &runs); err != nil {
-		return nil, fmt.Errorf("failed to parse gh run list output: %w", err)
-	}
-	// Sort newest-first by databaseId for predictable iteration.
-	sort.Slice(runs, func(i, j int) bool { return runs[i].DatabaseID > runs[j].DatabaseID })
-	return runs, nil
-}
-
-// waitForNewRun polls until a workflow run with databaseId > priorRunID
-// appears, or the discovery timeout fires.
-func waitForNewRun(repo, workflowFile, event, branch string, priorRunID int64) (*workflowRun, error) {
-	deadline := time.Now().Add(runDiscoveryTimeout)
-	for {
-		runs, err := listWorkflowRuns(repo, workflowFile, event, branch, 5)
-		if err != nil {
-			return nil, err
-		}
-		for _, r := range runs {
-			if r.DatabaseID > priorRunID {
-				return &r, nil
-			}
-		}
-		if time.Now().After(deadline) {
-			return nil, fmt.Errorf("no new run appeared within %s", runDiscoveryTimeout)
-		}
-		time.Sleep(runDiscoveryInterval)
-	}
-}
-
-// waitForRunCompletion polls a specific run until it reaches a terminal
-// status. Returns an error if the run does not conclude with success or the
-// timeout fires.
-func waitForRunCompletion(repo string, runID int64, timeout time.Duration, label string) error {
-	deadline := time.Now().Add(timeout)
-	for {
-		run, err := getRun(repo, runID)
-		if err != nil {
-			return err
-		}
-		log.Infof("[%s] run %d status=%s conclusion=%s", label, runID, run.Status, run.Conclusion)
-		if run.Status == "completed" {
-			if run.Conclusion == "success" {
-				return nil
-			}
-			return fmt.Errorf("%s run %d concluded with status %q (see %s)", label, runID, run.Conclusion, run.URL)
-		}
-		if time.Now().After(deadline) {
-			return fmt.Errorf("%s run %d did not complete within %s (see %s)", label, runID, timeout, run.URL)
-		}
-		time.Sleep(runProgressInterval)
-	}
-}
-
-func getRun(repo string, runID int64) (*workflowRun, error) {
-	cmd := exec.Command(
-		"gh", "run", "view", fmt.Sprintf("%d", runID),
-		"-R", repo,
-		"--json", "databaseId,status,conclusion,url,event,headBranch",
-	)
-	output, err := cmd.Output()
-	if err != nil {
-		if exitErr, ok := err.(*exec.ExitError); ok {
-			return nil, fmt.Errorf("gh run view failed: %w: %s", err, string(exitErr.Stderr))
-		}
-		return nil, fmt.Errorf("gh run view failed: %w", err)
-	}
-	var run workflowRun
-	if err := json.Unmarshal(output, &run); err != nil {
-		return nil, fmt.Errorf("failed to parse gh run view output: %w", err)
-	}
-	return &run, nil
-}
-
-// dispatchWorkflow fires a workflow_dispatch event for the given workflow with
-// the supplied string inputs.
-func dispatchWorkflow(repo, workflowFile string, inputs map[string]string) error {
-	args := []string{"workflow", "run", workflowFile, "-R", repo}
-	for k, v := range inputs {
-		args = append(args, "-f", fmt.Sprintf("%s=%s", k, v))
-	}
-	cmd := exec.Command("gh", args...)
-	output, err := cmd.CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("gh workflow run failed: %w: %s", err, string(output))
-	}
-	return nil
-}
--- a/tools/ods/cmd/root.go
+++ b/tools/ods/cmd/root.go
@@ -45,7 +45,6 @@ func NewRootCommand() *cobra.Command {
 	cmd.AddCommand(NewCheckLazyImportsCommand())
 	cmd.AddCommand(NewCherryPickCommand())
 	cmd.AddCommand(NewDBCommand())
-	cmd.AddCommand(NewDeployCommand())
 	cmd.AddCommand(NewOpenAPICommand())
 	cmd.AddCommand(NewComposeCommand())
 	cmd.AddCommand(NewLogsCommand())
--- a/tools/ods/internal/config/config.go
+++ b/tools/ods/internal/config/config.go
@@ -1,56 +0,0 @@
-package config
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"os"
-
-	"github.com/onyx-dot-app/onyx/tools/ods/internal/paths"
-)
-
-// DeployEdgeConfig holds the persisted settings for `ods deploy edge`.
-type DeployEdgeConfig struct {
-	TargetRepo     string `json:"target_repo,omitempty"`
-	TargetWorkflow string `json:"target_workflow,omitempty"`
-}
-
-// Config is the top-level on-disk schema for ~/.config/onyx-dev/config.json.
-// New per-command sections should be added as additional fields.
-type Config struct {
-	DeployEdge DeployEdgeConfig `json:"deploy_edge,omitempty"`
-}
-
-// Load reads the config file. Returns a zero-valued Config if the file does
-// not exist (a fresh first-run state, not an error).
-func Load() (*Config, error) {
-	path := paths.ConfigFilePath()
-	data, err := os.ReadFile(path)
-	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			return &Config{}, nil
-		}
-		return nil, fmt.Errorf("failed to read config file %s: %w", path, err)
-	}
-	var cfg Config
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return nil, fmt.Errorf("failed to parse config file %s: %w", path, err)
-	}
-	return &cfg, nil
-}
-
-// Save persists the config to disk, creating the parent directory if needed.
-func Save(cfg *Config) error {
-	if err := paths.EnsureConfigDir(); err != nil {
-		return fmt.Errorf("failed to create config directory: %w", err)
-	}
-	data, err := json.MarshalIndent(cfg, "", "  ")
-	if err != nil {
-		return fmt.Errorf("failed to marshal config: %w", err)
-	}
-	path := paths.ConfigFilePath()
-	if err := os.WriteFile(path, data, 0644); err != nil {
-		return fmt.Errorf("failed to write config file %s: %w", path, err)
-	}
-	return nil
-}
--- a/tools/ods/internal/paths/paths.go
+++ b/tools/ods/internal/paths/paths.go
@@ -47,43 +47,6 @@ func DataDir() string {
 	return filepath.Join(base, "onyx-dev")
 }

-// ConfigDir returns the per-user config directory for onyx-dev tools.
-// On Linux/macOS: ~/.config/onyx-dev/ (respects XDG_CONFIG_HOME)
-// On Windows:    %APPDATA%/onyx-dev/
-func ConfigDir() string {
-	var base string
-	if runtime.GOOS == "windows" {
-		base = os.Getenv("APPDATA")
-		if base == "" {
-			base = os.Getenv("USERPROFILE")
-			if base == "" {
-				log.Fatalf("Cannot determine config directory: APPDATA and USERPROFILE are not set")
-			}
-			base = filepath.Join(base, "AppData", "Roaming")
-		}
-	} else {
-		base = os.Getenv("XDG_CONFIG_HOME")
-		if base == "" {
-			home, err := os.UserHomeDir()
-			if err != nil || home == "" {
-				log.Fatalf("Cannot determine config directory: XDG_CONFIG_HOME not set and home directory unknown: %v", err)
-			}
-			base = filepath.Join(home, ".config")
-		}
-	}
-	return filepath.Join(base, "onyx-dev")
-}
-
-// ConfigFilePath returns the path to the ods config file.
-func ConfigFilePath() string {
-	return filepath.Join(ConfigDir(), "config.json")
-}
-
-// EnsureConfigDir creates the config directory if it doesn't exist.
-func EnsureConfigDir() error {
-	return os.MkdirAll(ConfigDir(), 0755)
-}
-
 // SnapshotsDir returns the directory for database snapshots.
 func SnapshotsDir() string {
 	return filepath.Join(DataDir(), "snapshots")
--- a/tools/ods/internal/prompt/prompt.go
+++ b/tools/ods/internal/prompt/prompt.go
@@ -12,23 +12,6 @@ import (
 // reader is the input reader, can be replaced for testing
 var reader = bufio.NewReader(os.Stdin)

-// String prompts the user for a free-form line of input. Re-prompts until a
-// non-empty value is entered.
-func String(prompt string) string {
-	for {
-		fmt.Print(prompt)
-		response, err := reader.ReadString('\n')
-		if err != nil {
-			log.Fatalf("Failed to read input: %v", err)
-		}
-		response = strings.TrimSpace(response)
-		if response != "" {
-			return response
-		}
-		fmt.Println("Value cannot be empty.")
-	}
-}
-
 // Confirm prompts the user with a yes/no question and returns true for yes, false for no.
 // It will keep prompting until a valid response is given.
 // Empty input (just pressing Enter) defaults to yes.
--- a/uv.lock
+++ b/uv.lock
@@ -4459,7 +4459,7 @@ requires-dist = [
    { name = "numpy", marker = "extra == 'model-server'", specifier = "==2.4.1" },
    { name = "oauthlib", marker = "extra == 'backend'", specifier = "==3.2.2" },
    { name = "office365-rest-python-client", marker = "extra == 'backend'", specifier = "==2.6.2" },
-    { name = "onyx-devtools", marker = "extra == 'dev'", specifier = "==0.7.3" },
+    { name = "onyx-devtools", marker = "extra == 'dev'", specifier = "==0.7.2" },
    { name = "openai", specifier = "==2.14.0" },
    { name = "openapi-generator-cli", marker = "extra == 'dev'", specifier = "==7.17.0" },
    { name = "openinference-instrumentation", marker = "extra == 'backend'", specifier = "==0.1.42" },
@@ -4564,19 +4564,19 @@ requires-dist = [{ name = "onyx", extras = ["backend", "dev", "ee"], editable =

 [[package]]
 name = "onyx-devtools"
-version = "0.7.3"
+version = "0.7.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "fastapi" },
    { name = "openapi-generator-cli" },
 ]
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/72/64/c75be8ab325896cc64bccd0e1e139a03ce305bf05598967922d380fc4694/onyx_devtools-0.7.3-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:675e2fdbd8d291fba4b8a6dfcf2bc94c56d22d11f395a9f0d0c3c0e5b39d7f9b", size = 4220613, upload-time = "2026-04-09T00:04:36.624Z" },
-    { url = "https://files.pythonhosted.org/packages/ae/1f/589ff6bd446c4498f5bcdfd2a315709e91fc15edf5440c91ff64cbf0800f/onyx_devtools-0.7.3-py3-none-macosx_11_0_arm64.whl", hash = "sha256:bf3993de8ba02d6c2f1ab12b5b9b965e005040b37502f97db8a7d88d9b0cde4b", size = 3897867, upload-time = "2026-04-09T00:04:40.781Z" },
-    { url = "https://files.pythonhosted.org/packages/10/c0/53c9173eefc13218707282c5b99753960d039684994c3b3caf90ce286094/onyx_devtools-0.7.3-py3-none-manylinux_2_17_aarch64.whl", hash = "sha256:6138a94084bed05c674ad210a0bc4006c43bc4384e8eb54d469233de85c72bd7", size = 3762408, upload-time = "2026-04-09T00:04:41.592Z" },
-    { url = "https://files.pythonhosted.org/packages/d2/37/69fadb65112854a596d200f704da94b837817d4dd0f46cb4482dc0309c94/onyx_devtools-0.7.3-py3-none-manylinux_2_17_x86_64.whl", hash = "sha256:90dac91b0cdc32eb8861f6e83545009a34c439fd3c41fc7dd499acd0105b660e", size = 4184427, upload-time = "2026-04-09T00:04:41.525Z" },
-    { url = "https://files.pythonhosted.org/packages/bd/45/91c829ccb45f1a15e7c9641eccc6dd154adb540e03c7dee2a8f28cea24d0/onyx_devtools-0.7.3-py3-none-win_amd64.whl", hash = "sha256:abc68d70bec06e349481beec4b212de28a1a8b7ed6ef3b41daf7093ee10b44f3", size = 4299935, upload-time = "2026-04-09T00:04:40.262Z" },
-    { url = "https://files.pythonhosted.org/packages/cc/30/c5adcb8e3b46b71d8d92c3f9ee0c1d0bc5e2adc9f46e93931f21b36a3ee4/onyx_devtools-0.7.3-py3-none-win_arm64.whl", hash = "sha256:9e4411cadc5e81fabc9ed991402e3b4b40f02800681299c277b2142e5af0dcee", size = 3840228, upload-time = "2026-04-09T00:04:39.708Z" },
+    { url = "https://files.pythonhosted.org/packages/22/b0/765ed49157470e8ccc8ab89e6a896ade50cde3aa2a494662ad4db92a48c4/onyx_devtools-0.7.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:553a2b5e61b29b7913c991c8d5aed78f930f0f81a0f42229c6a8de2b1e8ff57e", size = 4203859, upload-time = "2026-03-27T15:09:49.63Z" },
+    { url = "https://files.pythonhosted.org/packages/f7/9d/bba0a44a16d2fc27e5441aaf10727e10514e7a49bce70eca02bced566eb9/onyx_devtools-0.7.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:5cf0782dca8b3d861de9e18e65e990cfce5161cd559df44d8fabd3fefd54fdcd", size = 3879750, upload-time = "2026-03-27T15:09:42.413Z" },
+    { url = "https://files.pythonhosted.org/packages/4d/d8/c5725e8af14c74fe0aeed29e4746400bb3c0a078fd1240df729dc6432b84/onyx_devtools-0.7.2-py3-none-manylinux_2_17_aarch64.whl", hash = "sha256:9a0d67373e16b4fbb38a5290c0d9dfd4cfa837e5da0c165b32841b9d37f7455b", size = 3743529, upload-time = "2026-03-27T15:09:44.546Z" },
+    { url = "https://files.pythonhosted.org/packages/1a/82/b7c398a21dbc3e14fd7a29e49caa86b1bc0f8d7c75c051514785441ab779/onyx_devtools-0.7.2-py3-none-manylinux_2_17_x86_64.whl", hash = "sha256:794af14b2de575d0ae41b94551399eca8f8ba9b950c5db7acb7612767fd228f9", size = 4166562, upload-time = "2026-03-27T15:09:49.471Z" },
+    { url = "https://files.pythonhosted.org/packages/26/76/be129e2baafc91fe792d919b1f4d73fc943ba9c2b728a60f1fb98e0c115a/onyx_devtools-0.7.2-py3-none-win_amd64.whl", hash = "sha256:83b3eb84df58d865e4f714222a5fab3ea464836e2c8690569454a940bbb651ff", size = 4282270, upload-time = "2026-03-27T15:09:44.676Z" },
+    { url = "https://files.pythonhosted.org/packages/3b/72/29b8c8dbcf069c56475f00511f04c4aaa5ba3faba1dfc8276107d4b3ef7f/onyx_devtools-0.7.2-py3-none-win_arm64.whl", hash = "sha256:62f0836624ee6a5b31e64fd93162e7fce142ac8a4f959607e411824bc2b88174", size = 3823053, upload-time = "2026-03-27T15:09:43.546Z" },
 ]

 [[package]]
--- a/web/lib/opal/scripts/README.md
+++ b/web/lib/opal/scripts/README.md
@@ -14,23 +14,21 @@ All scripts in this directory should be run from the **opal package root** (`web
 web/lib/opal/
 ├── scripts/                          # SVG conversion tooling (this directory)
 │   ├── convert-svg.sh                # Converts SVGs into React components
-│   └── icon-template.js              # Shared SVGR template (used for icons, logos, and illustrations)
+│   └── icon-template.js              # Shared SVGR template (used for both icons and illustrations)
 ├── src/
 │   ├── icons/                        # Small, single-colour icons (stroke = currentColor)
-│   ├── logos/                        # Brand/vendor logos (original colours preserved)
 │   └── illustrations/                # Larger, multi-colour illustrations (colours preserved)
 └── package.json
 ```

-## Icons vs Logos vs Illustrations
+## Icons vs Illustrations

-| | Icons | Logos | Illustrations |
-|---|---|---|---|
-| **Import path** | `@opal/icons` | `@opal/logos` | `@opal/illustrations` |
-| **Location** | `src/icons/` | `src/logos/` | `src/illustrations/` |
-| **Colour** | Overridable via `currentColor` | Fixed — original brand colours preserved | Fixed — original SVG colours preserved |
-| **Script flag** | (none) | `--logo` | `--illustration` |
-| **Use case** | UI elements, actions, navigation | Provider logos, platform logos, brand marks | Empty states, error pages, placeholders |
+| | Icons | Illustrations |
+|---|---|---|
+| **Import path** | `@opal/icons` | `@opal/illustrations` |
+| **Location** | `src/icons/` | `src/illustrations/` |
+| **Colour** | Overridable via `currentColor` | Fixed — original SVG colours preserved |
+| **Script flag** | (none) | `--illustration` |

 ## Files in This Directory

@@ -51,19 +49,12 @@ Converts an SVG into a React component. Behaviour depends on the mode:
 - Adds `width={size}`, `height={size}`, and `stroke="currentColor"`
 - Result is colour-overridable via CSS `color` property

-**Logo mode** (`--logo`):
- Strips only `width` and `height` attributes (all colours preserved)
- Adds `width={size}` and `height={size}`
- Does **not** add `stroke="currentColor"` — logos keep their original brand colours
-
 **Illustration mode** (`--illustration`):
 - Strips only `width` and `height` attributes (all colours preserved)
 - Adds `width={size}` and `height={size}`
 - Does **not** add `stroke="currentColor"` — illustrations keep their original colours

-Both `--logo` and `--illustration` produce the same output — the distinction is purely organizational (different directories, different barrel exports).
-
-All modes automatically delete the source SVG file after successful conversion.
+Both modes automatically delete the source SVG file after successful conversion.

 ## Adding New SVGs

@@ -79,18 +70,6 @@ Then add the export to `src/icons/index.ts`:
 export { default as SvgMyIcon } from "@opal/icons/my-icon";
 ```

-### Logos
-
-```sh
-# From web/lib/opal/
-./scripts/convert-svg.sh --logo src/logos/my-logo.svg
-```
-
-Then add the export to `src/logos/index.ts`:
-```ts
-export { default as SvgMyLogo } from "@opal/logos/my-logo";
-```
-
 ### Illustrations

 ```sh
@@ -112,7 +91,7 @@ If you prefer to run the SVGR command directly:
 bunx @svgr/cli <file>.svg --typescript --svgo-config '{"plugins":[{"name":"removeAttrs","params":{"attrs":["stroke","stroke-opacity","width","height"]}}]}' --template scripts/icon-template.js > <file>.tsx
 ```

-**For logos and illustrations** (preserves colours):
+**For illustrations** (preserves colours):
 ```sh
 bunx @svgr/cli <file>.svg --typescript --svgo-config '{"plugins":[{"name":"removeAttrs","params":{"attrs":["width","height"]}}]}' --template scripts/icon-template.js > <file>.tsx
 ```
--- a/web/lib/opal/scripts/convert-svg.sh
+++ b/web/lib/opal/scripts/convert-svg.sh
@@ -4,36 +4,30 @@
 #
 # By default, converts to a colour-overridable icon (stroke colours stripped, replaced with currentColor).
 # With --illustration, converts to a fixed-colour illustration (all original colours preserved).
-# With --logo, converts to a fixed-colour logo (all original colours preserved, same as illustration).
 #
 # Usage (from the opal package root — web/lib/opal/):
 #   ./scripts/convert-svg.sh src/icons/<filename.svg>
 #   ./scripts/convert-svg.sh --illustration src/illustrations/<filename.svg>
-#   ./scripts/convert-svg.sh --logo src/logos/<filename.svg>

-MODE="icon"
+ILLUSTRATION=false

 # Parse flags
 while [[ "$1" == --* ]]; do
  case "$1" in
    --illustration)
-      MODE="illustration"
-      shift
-      ;;
-    --logo)
-      MODE="logo"
+      ILLUSTRATION=true
      shift
      ;;
    *)
      echo "Unknown flag: $1" >&2
-      echo "Usage: ./scripts/convert-svg.sh [--illustration | --logo] <filename.svg>" >&2
+      echo "Usage: ./scripts/convert-svg.sh [--illustration] <filename.svg>" >&2
      exit 1
      ;;
  esac
 done

 if [ -z "$1" ]; then
-  echo "Usage: ./scripts/convert-svg.sh [--illustration | --logo] <filename.svg>" >&2
+  echo "Usage: ./scripts/convert-svg.sh [--illustration] <filename.svg>" >&2
  exit 1
 fi

@@ -55,12 +49,12 @@ fi
 BASE_NAME="${SVG_FILE%.svg}"

 # Build the SVGO config based on mode
-if [ "$MODE" = "icon" ]; then
+if [ "$ILLUSTRATION" = true ]; then
+  # Illustrations: only strip width and height (preserve all colours)
+  SVGO_CONFIG='{"plugins":[{"name":"removeAttrs","params":{"attrs":["width","height"]}}]}'
+else
  # Icons: strip stroke, stroke-opacity, width, and height
  SVGO_CONFIG='{"plugins":[{"name":"removeAttrs","params":{"attrs":["stroke","stroke-opacity","width","height"]}}]}'
-else
-  # Illustrations and logos: only strip width and height (preserve all colours)
-  SVGO_CONFIG='{"plugins":[{"name":"removeAttrs","params":{"attrs":["width","height"]}}]}'
 fi

 # Resolve the template path relative to this script (not the caller's CWD)
@@ -91,7 +85,7 @@ if [ $? -eq 0 ]; then
  fi

  # Icons additionally get stroke="currentColor"
-  if [ "$MODE" = "icon" ]; then
+  if [ "$ILLUSTRATION" = false ]; then
    perl -i -pe 's/\{\.\.\.props\}/stroke="currentColor" {...props}/g' "${BASE_NAME}.tsx"
    if [ $? -ne 0 ]; then
      echo "Error: Failed to add stroke attribute" >&2
@@ -112,7 +106,7 @@ if [ $? -eq 0 ]; then
  fi

  # For icons, also verify stroke="currentColor" was added
-  if [ "$MODE" = "icon" ]; then
+  if [ "$ILLUSTRATION" = false ]; then
    if ! grep -q 'stroke="currentColor"' "${BASE_NAME}.tsx"; then
      echo "Error: Post-processing did not add stroke=\"currentColor\"" >&2
      exit 1
--- a/web/lib/opal/src/icons/DiscordMono.tsx
+++ b/web/lib/opal/src/icons/DiscordMono.tsx
@@ -0,0 +1,15 @@
+import type { IconProps } from "@opal/types";
+const SvgDiscordMono = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 52 52"
+    fill="currentColor"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    <path d="M32.7571 7.80005C32.288 8.63286 31.8668 9.4944 31.4839 10.3751C27.8463 9.82945 24.1417 9.82945 20.4946 10.3751C20.1213 9.4944 19.6905 8.63286 19.2214 7.80005C15.804 8.384 12.4727 9.40825 9.31379 10.8537C3.05329 20.1296 1.35894 29.1661 2.20134 38.0782C5.86763 40.7872 9.97429 42.8549 14.349 44.1759C15.3349 42.8549 16.2061 41.4477 16.9527 39.9831C15.536 39.4566 14.1671 38.7961 12.8556 38.0303C13.2002 37.7814 13.5353 37.523 13.8608 37.2741C21.5476 40.8925 30.4501 40.8925 38.1465 37.2741C38.4719 37.5421 38.807 37.8006 39.1516 38.0303C37.8401 38.8057 36.4713 39.4566 35.0449 39.9927C35.7916 41.4573 36.6627 42.8645 37.6487 44.1855C42.0233 42.8645 46.1299 40.8064 49.7965 38.0973C50.7918 27.7589 48.0924 18.799 42.6646 10.8633C39.5154 9.41784 36.1841 8.39355 32.7666 7.81919L32.7571 7.80005ZM18.0248 32.5931C15.6604 32.5931 13.698 30.4488 13.698 27.7972C13.698 25.1456 15.5838 22.9918 18.0153 22.9918C20.4468 22.9918 22.3804 25.1552 22.3421 27.7972C22.3038 30.4393 20.4372 32.5931 18.0248 32.5931ZM33.9728 32.5931C31.5988 32.5931 29.6556 30.4488 29.6556 27.7972C29.6556 25.1456 31.5414 22.9918 33.9728 22.9918C36.4043 22.9918 38.3284 25.1552 38.29 27.7972C38.2518 30.4393 36.3851 32.5931 33.9728 32.5931Z" />
+  </svg>
+);
+export default SvgDiscordMono;
--- a/web/lib/opal/src/icons/aws.tsx
+++ b/web/lib/opal/src/icons/aws.tsx
--- a/web/lib/opal/src/icons/azure.tsx
+++ b/web/lib/opal/src/icons/azure.tsx
--- a/web/lib/opal/src/icons/bifrost.tsx
+++ b/web/lib/opal/src/icons/bifrost.tsx
--- a/web/lib/opal/src/icons/claude.tsx
+++ b/web/lib/opal/src/icons/claude.tsx
--- a/web/lib/opal/src/icons/create-agent.tsx
+++ b/web/lib/opal/src/icons/create-agent.tsx
@@ -0,0 +1,27 @@
+import type { IconProps } from "@opal/types";
+
+const SvgCreateAgent = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    <path
+      d="M4.5 2.5L8 1L11.5 2.5M13.5 4.5L15 8L13.5 11.5M11.5 13.5L8 15L4.5 13.5M2.5 11.5L1 7.99999L2.5 4.5"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+    <path
+      d="M5 8L8 8.00001M8 8.00001L11 8.00001M8 8.00001L8 5M8 8.00001L8 11"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+  </svg>
+);
+export default SvgCreateAgent;
--- a/web/lib/opal/src/icons/discord.tsx
+++ b/web/lib/opal/src/icons/discord.tsx
@@ -1,19 +0,0 @@
-import type { IconProps } from "@opal/types";
-
-const SvgDiscord = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 16 16"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    stroke="currentColor"
-    strokeWidth={1.5}
-    strokeLinecap="round"
-    strokeLinejoin="round"
-    {...props}
-  >
-    <path d="M5.5 12.5C5.5 12.5 4.88936 13.6396 4.60178 13.9974C3.32584 13.6396 2.12806 13.0796 1.05872 12.3459C0.813023 9.93224 1.30721 6.33924 3.13319 3.82703C4.05454 3.43555 5.00325 3.15815 6 3C6.1368 3.22555 6.39111 3.76148 6.5 4C7.56375 3.85223 8.43903 3.85223 9.5 4C9.61167 3.76148 9.86319 3.22555 10 3C10.9968 3.15556 11.942 3.43815 12.8605 3.82963C14.4436 5.97887 15.2309 9.55113 14.9406 12.3511C13.8712 13.0848 12.6735 13.6422 11.3975 14C11.11 13.6422 10.5 12.5 10.5 12.5M5.5 12.5C5.14663 12.3965 4.25 12 4.25 12M5.5 12.5C7.12611 12.9761 8.87249 12.9759 10.5 12.5M10.5 12.5C10.854 12.3965 11.75 12 11.75 12M5.66002 10C5.02612 10 4.5 9.44167 4.5 8.75125C4.5 8.06083 5.00558 7.5 5.65746 7.5C6.30934 7.5 6.82775 8.06331 6.81749 8.75125C6.80722 9.43918 6.30677 10 5.66002 10ZM10.3424 10C9.70591 10 9.18493 9.44167 9.18493 8.75125C9.18493 8.06083 9.69052 7.5 10.3424 7.5C10.9943 7.5 11.5101 8.06331 11.4998 8.75125C11.4896 9.43918 10.9891 10 10.3424 10Z" />
-  </svg>
-);
-export default SvgDiscord;
--- a/web/lib/opal/src/icons/gemini.tsx
+++ b/web/lib/opal/src/icons/gemini.tsx
--- a/web/lib/opal/src/icons/icons.stories.tsx
+++ b/web/lib/opal/src/icons/icons.stories.tsx
@@ -1,44 +0,0 @@
-import React from "react";
-import type { Meta, StoryObj } from "@storybook/react";
-import * as Icons from "@opal/icons";
-
-const icons = Object.entries(Icons).map(([name, Component]) => ({
-  name: name.replace(/^Svg/, ""),
-  Component,
-}));
-
-const meta: Meta = {
-  title: "opal/icons/All Icons",
-  tags: ["autodocs"],
-};
-
-export default meta;
-type Story = StoryObj;
-
-export const AllIcons: Story = {
-  render: () => (
-    <div
-      style={{
-        display: "grid",
-        gridTemplateColumns: "repeat(auto-fill, 100px)",
-        gap: 16,
-      }}
-    >
-      {icons.map(({ name, Component }) => (
-        <div
-          key={name}
-          style={{
-            display: "flex",
-            flexDirection: "column",
-            alignItems: "center",
-            gap: 8,
-            padding: 8,
-          }}
-        >
-          <Component size={24} />
-          <span style={{ fontSize: 11, textAlign: "center" }}>{name}</span>
-        </div>
-      ))}
-    </div>
-  ),
-};
--- a/web/lib/opal/src/icons/index.ts
+++ b/web/lib/opal/src/icons/index.ts
@@ -19,9 +19,12 @@ export { default as SvgArrowUpRight } from "@opal/icons/arrow-up-right";
 export { default as SvgArrowWallRight } from "@opal/icons/arrow-wall-right";
 export { default as SvgAudio } from "@opal/icons/audio";
 export { default as SvgAudioEqSmall } from "@opal/icons/audio-eq-small";
+export { default as SvgAws } from "@opal/icons/aws";
+export { default as SvgAzure } from "@opal/icons/azure";
 export { default as SvgBarChart } from "@opal/icons/bar-chart";
 export { default as SvgBarChartSmall } from "@opal/icons/bar-chart-small";
 export { default as SvgBell } from "@opal/icons/bell";
+export { default as SvgBifrost } from "@opal/icons/bifrost";
 export { default as SvgBlocks } from "@opal/icons/blocks";
 export { default as SvgBookOpen } from "@opal/icons/book-open";
 export { default as SvgBookmark } from "@opal/icons/bookmark";
@@ -42,6 +45,7 @@ export { default as SvgChevronRight } from "@opal/icons/chevron-right";
 export { default as SvgChevronUp } from "@opal/icons/chevron-up";
 export { default as SvgChevronUpSmall } from "@opal/icons/chevron-up-small";
 export { default as SvgCircle } from "@opal/icons/circle";
+export { default as SvgClaude } from "@opal/icons/claude";
 export { default as SvgClipboard } from "@opal/icons/clipboard";
 export { default as SvgClock } from "@opal/icons/clock";
 export { default as SvgClockHandsSmall } from "@opal/icons/clock-hands-small";
@@ -51,12 +55,13 @@ export { default as SvgColumn } from "@opal/icons/column";
 export { default as SvgCopy } from "@opal/icons/copy";
 export { default as SvgCornerRightUpDot } from "@opal/icons/corner-right-up-dot";
 export { default as SvgCpu } from "@opal/icons/cpu";
+export { default as SvgCreateAgent } from "@opal/icons/create-agent";
 export { default as SvgCurate } from "@opal/icons/curate";
 export { default as SvgCreditCard } from "@opal/icons/credit-card";
 export { default as SvgDashboard } from "@opal/icons/dashboard";
 export { default as SvgDevKit } from "@opal/icons/dev-kit";
-export { default as SvgDiscord } from "@opal/icons/discord";
 export { default as SvgDownload } from "@opal/icons/download";
+export { default as SvgDiscordMono } from "@opal/icons/DiscordMono";
 export { default as SvgDownloadCloud } from "@opal/icons/download-cloud";
 export { default as SvgEdit } from "@opal/icons/edit";
 export { default as SvgEditBig } from "@opal/icons/edit-big";
@@ -80,6 +85,7 @@ export { default as SvgFolderIn } from "@opal/icons/folder-in";
 export { default as SvgFolderOpen } from "@opal/icons/folder-open";
 export { default as SvgFolderPartialOpen } from "@opal/icons/folder-partial-open";
 export { default as SvgFolderPlus } from "@opal/icons/folder-plus";
+export { default as SvgGemini } from "@opal/icons/gemini";
 export { default as SvgGlobe } from "@opal/icons/globe";
 export { default as SvgHandle } from "@opal/icons/handle";
 export { default as SvgHardDrive } from "@opal/icons/hard-drive";
@@ -100,9 +106,12 @@ export { default as SvgLightbulbSimple } from "@opal/icons/lightbulb-simple";
 export { default as SvgLineChartUp } from "@opal/icons/line-chart-up";
 export { default as SvgLink } from "@opal/icons/link";
 export { default as SvgLinkedDots } from "@opal/icons/linked-dots";
+export { default as SvgLitellm } from "@opal/icons/litellm";
+export { default as SvgLmStudio } from "@opal/icons/lm-studio";
 export { default as SvgLoader } from "@opal/icons/loader";
 export { default as SvgLock } from "@opal/icons/lock";
 export { default as SvgLogOut } from "@opal/icons/log-out";
+export { default as SvgManageAgent } from "@opal/icons/manage-agent";
 export { default as SvgMaximize2 } from "@opal/icons/maximize-2";
 export { default as SvgMcp } from "@opal/icons/mcp";
 export { default as SvgMenu } from "@opal/icons/menu";
@@ -115,7 +124,13 @@ export { default as SvgMoreHorizontal } from "@opal/icons/more-horizontal";
 export { default as SvgMusicSmall } from "@opal/icons/music-small";
 export { default as SvgNetworkGraph } from "@opal/icons/network-graph";
 export { default as SvgNotificationBubble } from "@opal/icons/notification-bubble";
+export { default as SvgOllama } from "@opal/icons/ollama";
+export { default as SvgOnyxLogo } from "@opal/icons/onyx-logo";
+export { default as SvgOnyxLogoTyped } from "@opal/icons/onyx-logo-typed";
 export { default as SvgOnyxOctagon } from "@opal/icons/onyx-octagon";
+export { default as SvgOnyxTyped } from "@opal/icons/onyx-typed";
+export { default as SvgOpenai } from "@opal/icons/openai";
+export { default as SvgOpenrouter } from "@opal/icons/openrouter";
 export { default as SvgOrganization } from "@opal/icons/organization";
 export { default as SvgPaintBrush } from "@opal/icons/paint-brush";
 export { default as SvgPaperclip } from "@opal/icons/paperclip";
@@ -171,7 +186,6 @@ export { default as SvgTrash } from "@opal/icons/trash";
 export { default as SvgTwoLineSmall } from "@opal/icons/two-line-small";
 export { default as SvgUnplug } from "@opal/icons/unplug";
 export { default as SvgUploadCloud } from "@opal/icons/upload-cloud";
-export { default as SvgUploadSquare } from "@opal/icons/upload-square";
 export { default as SvgUser } from "@opal/icons/user";
 export { default as SvgUserCheck } from "@opal/icons/user-check";
 export { default as SvgUserEdit } from "@opal/icons/user-edit";
--- a/web/lib/opal/src/icons/litellm.tsx
+++ b/web/lib/opal/src/icons/litellm.tsx
--- a/web/lib/opal/src/icons/lm-studio.tsx
+++ b/web/lib/opal/src/icons/lm-studio.tsx
--- a/web/lib/opal/src/icons/manage-agent.tsx
+++ b/web/lib/opal/src/icons/manage-agent.tsx
@@ -0,0 +1,27 @@
+import type { IconProps } from "@opal/types";
+
+const SvgManageAgent = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    <path
+      d="M4.5 2.5L8 1L11.5 2.5M13.5 4.5L15 8L13.5 11.5M11.5 13.5L8 15L4.5 13.5M2.5 11.5L1 7.99999L2.5 4.5"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+    <path
+      d="M6 11V8.75M6 6.75V5M6 6.75H4.75M6 6.75H7.25M10 11V9.25M10 9.25H8.75M10 9.25H11.25M10 7.25V5"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+  </svg>
+);
+export default SvgManageAgent;
--- a/web/lib/opal/src/icons/ollama.tsx
+++ b/web/lib/opal/src/icons/ollama.tsx
--- a/web/lib/opal/src/icons/onyx-logo-typed.tsx
+++ b/web/lib/opal/src/icons/onyx-logo-typed.tsx
@@ -1,5 +1,5 @@
-import SvgOnyxLogo from "@opal/logos/onyx-logo";
-import SvgOnyxTyped from "@opal/logos/onyx-typed";
+import SvgOnyxLogo from "@opal/icons/onyx-logo";
+import SvgOnyxTyped from "@opal/icons/onyx-typed";
 import { cn } from "@opal/utils";

 interface OnyxLogoTypedProps {
--- a/web/lib/opal/src/icons/onyx-logo.tsx
+++ b/web/lib/opal/src/icons/onyx-logo.tsx
--- a/web/lib/opal/src/icons/onyx-typed.tsx
+++ b/web/lib/opal/src/icons/onyx-typed.tsx
--- a/web/lib/opal/src/icons/openai.tsx
+++ b/web/lib/opal/src/icons/openai.tsx
--- a/web/lib/opal/src/icons/openrouter.tsx
+++ b/web/lib/opal/src/icons/openrouter.tsx
--- a/web/lib/opal/src/icons/slack.tsx
+++ b/web/lib/opal/src/icons/slack.tsx
@@ -8,19 +8,63 @@ const SvgSlack = ({ size, ...props }: IconProps) => (
    fill="none"
    xmlns="http://www.w3.org/2000/svg"
    stroke="currentColor"
-    strokeWidth={1.5}
-    strokeLinecap="round"
-    strokeLinejoin="round"
    {...props}
  >
-    <path d="M9.66668 6.66671C9.11334 6.66671 8.66668 6.22004 8.66668 5.66671V2.33337C8.66668 1.78004 9.11334 1.33337 9.66668 1.33337C10.22 1.33337 10.6667 1.78004 10.6667 2.33337V5.66671C10.6667 6.22004 10.22 6.66671 9.66668 6.66671Z" />
-    <path d="M13.6667 6.66671H12.6667V5.66671C12.6667 5.11337 13.1133 4.66671 13.6667 4.66671C14.22 4.66671 14.6667 5.11337 14.6667 5.66671C14.6667 6.22004 14.22 6.66671 13.6667 6.66671Z" />
-    <path d="M6.33334 9.33337C6.88668 9.33337 7.33334 9.78004 7.33334 10.3334V13.6667C7.33334 14.22 6.88668 14.6667 6.33334 14.6667C5.78001 14.6667 5.33334 14.22 5.33334 13.6667V10.3334C5.33334 9.78004 5.78001 9.33337 6.33334 9.33337Z" />
-    <path d="M2.33334 9.33337H3.33334V10.3334C3.33334 10.8867 2.88668 11.3334 2.33334 11.3334C1.78001 11.3334 1.33334 10.8867 1.33334 10.3334C1.33334 9.78004 1.78001 9.33337 2.33334 9.33337Z" />
-    <path d="M9.33334 9.66671C9.33334 9.11337 9.78001 8.66671 10.3333 8.66671H13.6667C14.22 8.66671 14.6667 9.11337 14.6667 9.66671C14.6667 10.22 14.22 10.6667 13.6667 10.6667H10.3333C9.78001 10.6667 9.33334 10.22 9.33334 9.66671Z" />
-    <path d="M10.3333 12.6667H9.33334V13.6667C9.33334 14.22 9.78001 14.6667 10.3333 14.6667C10.8867 14.6667 11.3333 14.22 11.3333 13.6667C11.3333 13.1134 10.8867 12.6667 10.3333 12.6667Z" />
-    <path d="M6.66668 6.33337C6.66668 5.78004 6.22001 5.33337 5.66668 5.33337H2.33334C1.78001 5.33337 1.33334 5.78004 1.33334 6.33337C1.33334 6.88671 1.78001 7.33337 2.33334 7.33337H5.66668C6.22001 7.33337 6.66668 6.88671 6.66668 6.33337Z" />
-    <path d="M5.66668 3.33337H6.66668V2.33337C6.66668 1.78004 6.22001 1.33337 5.66668 1.33337C5.11334 1.33337 4.66668 1.78004 4.66668 2.33337C4.66668 2.88671 5.11334 3.33337 5.66668 3.33337Z" />
+    <g clipPath="url(#clip0_259_269)">
+      <path
+        d="M9.66666 6.66665C9.11333 6.66665 8.66666 6.21998 8.66666 5.66665V2.33331C8.66666 1.77998 9.11333 1.33331 9.66666 1.33331C10.22 1.33331 10.6667 1.77998 10.6667 2.33331V5.66665C10.6667 6.21998 10.22 6.66665 9.66666 6.66665Z"
+        strokeWidth={1.5}
+        strokeLinecap="round"
+        strokeLinejoin="round"
+      />
+      <path
+        d="M13.6667 6.66665H12.6667V5.66665C12.6667 5.11331 13.1133 4.66665 13.6667 4.66665C14.22 4.66665 14.6667 5.11331 14.6667 5.66665C14.6667 6.21998 14.22 6.66665 13.6667 6.66665Z"
+        strokeWidth={1.5}
+        strokeLinecap="round"
+        strokeLinejoin="round"
+      />
+      <path
+        d="M6.33333 9.33331C6.88666 9.33331 7.33333 9.77998 7.33333 10.3333V13.6666C7.33333 14.22 6.88666 14.6666 6.33333 14.6666C5.78 14.6666 5.33333 14.22 5.33333 13.6666V10.3333C5.33333 9.77998 5.78 9.33331 6.33333 9.33331Z"
+        strokeWidth={1.5}
+        strokeLinecap="round"
+        strokeLinejoin="round"
+      />
+      <path
+        d="M2.33333 9.33331H3.33333V10.3333C3.33333 10.8866 2.88666 11.3333 2.33333 11.3333C1.77999 11.3333 1.33333 10.8866 1.33333 10.3333C1.33333 9.77998 1.77999 9.33331 2.33333 9.33331Z"
+        strokeWidth={1.5}
+        strokeLinecap="round"
+        strokeLinejoin="round"
+      />
+      <path
+        d="M9.33333 9.66665C9.33333 9.11331 9.78 8.66665 10.3333 8.66665H13.6667C14.22 8.66665 14.6667 9.11331 14.6667 9.66665C14.6667 10.22 14.22 10.6666 13.6667 10.6666H10.3333C9.78 10.6666 9.33333 10.22 9.33333 9.66665Z"
+        strokeWidth={1.5}
+        strokeLinecap="round"
+        strokeLinejoin="round"
+      />
+      <path
+        d="M10.3333 12.6666H9.33333V13.6666C9.33333 14.22 9.78 14.6666 10.3333 14.6666C10.8867 14.6666 11.3333 14.22 11.3333 13.6666C11.3333 13.1133 10.8867 12.6666 10.3333 12.6666Z"
+        strokeWidth={1.5}
+        strokeLinecap="round"
+        strokeLinejoin="round"
+      />
+      <path
+        d="M6.66666 6.33331C6.66666 5.77998 6.22 5.33331 5.66666 5.33331H2.33333C1.77999 5.33331 1.33333 5.77998 1.33333 6.33331C1.33333 6.88665 1.77999 7.33331 2.33333 7.33331H5.66666C6.22 7.33331 6.66666 6.88665 6.66666 6.33331Z"
+        strokeWidth={1.5}
+        strokeLinecap="round"
+        strokeLinejoin="round"
+      />
+      <path
+        d="M5.66666 3.33331H6.66666V2.33331C6.66666 1.77998 6.22 1.33331 5.66666 1.33331C5.11333 1.33331 4.66666 1.77998 4.66666 2.33331C4.66666 2.88665 5.11333 3.33331 5.66666 3.33331Z"
+        strokeWidth={1.5}
+        strokeLinecap="round"
+        strokeLinejoin="round"
+      />
+    </g>
+    <defs>
+      <clipPath id="clip0_259_269">
+        <rect width={16} height={16} fill="white" />
+      </clipPath>
+    </defs>
  </svg>
 );
 export default SvgSlack;
--- a/web/lib/opal/src/icons/upload-square.tsx
+++ b/web/lib/opal/src/icons/upload-square.tsx
@@ -1,22 +0,0 @@
-import type { IconProps } from "@opal/types";
-
-const SvgUploadSquare = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 16 16"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    stroke="currentColor"
-    {...props}
-  >
-    <path
-      d="M11 14H12.6667C13.3929 14 14 13.3929 14 12.6667V3.33333C14 2.60711 13.3929 2 12.6667 2H3.33333C2.60711 2 2 2.60711 2 3.33333V12.6667C2 13.3929 2.60711 14 3.33333 14H5M10.6666 8.16667L7.99998 5.5M7.99998 5.5L5.33331 8.16667M7.99998 5.5V14"
-      strokeWidth={1.5}
-      strokeLinecap="round"
-      strokeLinejoin="round"
-    />
-  </svg>
-);
-
-export default SvgUploadSquare;
--- a/web/lib/opal/src/illustrations/illustrations.stories.tsx
+++ b/web/lib/opal/src/illustrations/illustrations.stories.tsx
@@ -1,46 +0,0 @@
-import React from "react";
-import type { Meta, StoryObj } from "@storybook/react";
-import * as Illustrations from "@opal/illustrations";
-
-const illustrations = Object.entries(Illustrations).map(
-  ([name, Component]) => ({
-    name: name.replace(/^Svg/, ""),
-    Component,
-  })
-);
-
-const meta: Meta = {
-  title: "opal/illustrations/All Illustrations",
-  tags: ["autodocs"],
-};
-
-export default meta;
-type Story = StoryObj;
-
-export const AllIllustrations: Story = {
-  render: () => (
-    <div
-      style={{
-        display: "grid",
-        gridTemplateColumns: "repeat(auto-fill, 140px)",
-        gap: 24,
-      }}
-    >
-      {illustrations.map(({ name, Component }) => (
-        <div
-          key={name}
-          style={{
-            display: "flex",
-            flexDirection: "column",
-            alignItems: "center",
-            gap: 8,
-            padding: 8,
-          }}
-        >
-          <Component size={80} />
-          <span style={{ fontSize: 11, textAlign: "center" }}>{name}</span>
-        </div>
-      ))}
-    </div>
-  ),
-};
--- a/web/lib/opal/src/logos/anthropic.tsx
+++ b/web/lib/opal/src/logos/anthropic.tsx
@@ -1,17 +0,0 @@
-import type { IconProps } from "@opal/types";
-const SvgAnthropic = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 52 52"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    {...props}
-  >
-    <path
-      d="M36.1779 9.78003H29.1432L41.9653 42.2095H49L36.1779 9.78003ZM15.8221 9.78003L3 42.2095H10.1844L12.8286 35.4243H26.2495L28.8438 42.2095H36.0282L23.2061 9.78003H15.8221ZM15.1236 29.3874L19.5141 18.0121L23.9046 29.3874H15.1236Z"
-      fill="currentColor"
-    />
-  </svg>
-);
-export default SvgAnthropic;
--- a/web/lib/opal/src/logos/deepseek.tsx
+++ b/web/lib/opal/src/logos/deepseek.tsx
@@ -1,17 +0,0 @@
-import type { IconProps } from "@opal/types";
-const SvgDeepseek = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 52 52"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    {...props}
-  >
-    <path
-      d="M50.4754 11.5882C49.9458 11.3287 49.7177 11.8233 49.408 12.0745C49.3021 12.1556 49.2125 12.2609 49.1228 12.3581C48.3487 13.1848 47.4443 13.728 46.2628 13.6631C44.5354 13.5657 43.0605 14.1089 41.7568 15.4302C41.4797 13.801 40.559 12.8281 39.1575 12.2041C38.4243 11.8799 37.6828 11.5556 37.1693 10.8504C36.8108 10.348 36.713 9.78867 36.5338 9.23745C36.4196 8.90517 36.3056 8.56462 35.9226 8.50786C35.507 8.44309 35.3441 8.79147 35.1811 9.08346C34.5292 10.275 34.2767 11.5882 34.301 12.9175C34.3581 15.9085 35.6211 18.2914 38.1307 19.9856C38.4159 20.1801 38.4892 20.3745 38.3996 20.6584C38.2285 21.242 38.0247 21.8093 37.8456 22.3929C37.7314 22.7659 37.5602 22.8469 37.1611 22.6846C35.784 22.1093 34.5943 21.2581 33.5432 20.2288C31.7587 18.5023 30.1454 16.5975 28.1328 15.106C27.6602 14.7574 27.1876 14.4333 26.6986 14.1251C24.6452 12.1313 26.9676 10.4938 27.5053 10.2994C28.0675 10.0968 27.7009 9.39954 25.8838 9.40782C24.0667 9.41582 22.4045 10.0238 20.286 10.8344C19.9764 10.956 19.6503 11.045 19.3163 11.118C17.3933 10.7533 15.397 10.6721 13.311 10.9073C9.38354 11.3449 6.24657 13.2012 3.94062 16.3705C1.17028 20.1801 0.518441 24.5084 1.31698 29.0233C2.15627 33.7812 4.58437 37.7206 8.31632 40.8008C12.1868 43.9943 16.6439 45.5587 21.7284 45.2588C24.8166 45.0806 28.2551 44.6672 32.1337 41.3845C33.1114 41.8708 34.1382 42.0652 35.8412 42.2111C37.1531 42.3327 38.4161 42.1463 39.3938 41.9438C40.9257 41.6195 40.8198 40.201 40.2657 39.9416C35.7761 37.8504 36.7619 38.7015 35.8657 38.0124C38.1471 35.3134 41.5858 32.5087 42.9302 23.4222C43.0361 22.7009 42.9465 22.2469 42.9302 21.6633C42.922 21.3068 43.0035 21.1691 43.411 21.1284C44.5354 20.9987 45.6272 20.6908 46.6295 20.1396C49.5385 18.5509 50.7117 15.9409 50.9888 12.8121C51.0296 12.3338 50.9807 11.8393 50.4754 11.5882ZM25.1262 39.747C20.775 36.3266 18.6647 35.1998 17.7928 35.2484C16.978 35.2971 17.1247 36.2292 17.3038 36.8372C17.4913 37.4369 17.7358 37.8504 18.0779 38.3772C18.3142 38.7258 18.4773 39.2444 17.8417 39.6336C16.4402 40.501 14.0038 39.3418 13.8897 39.2851C11.0542 37.6152 8.68303 35.4104 7.01255 32.3953C5.39919 29.4933 4.46222 26.3809 4.30733 23.0576C4.26659 22.2552 4.50288 21.9713 5.30142 21.8256C6.35253 21.631 7.43629 21.5904 8.4874 21.7444C12.9283 22.3929 16.709 24.3788 19.8786 27.5238C21.6875 29.315 23.0564 31.4551 24.4662 33.5463C25.9654 35.7671 27.5787 37.8828 29.6321 39.6174C30.3573 40.2253 30.9358 40.6872 31.4899 41.0278C29.8196 41.2142 27.0329 41.2548 25.1262 39.747ZM27.2121 26.3323C27.2121 25.9756 27.4973 25.692 27.856 25.692C27.9374 25.692 28.0108 25.708 28.076 25.7323C28.1656 25.7648 28.2471 25.8135 28.3123 25.8863C28.4264 25.9999 28.4915 26.1619 28.4915 26.3322C28.4915 26.6888 28.2064 26.9724 27.8479 26.9724C27.4895 26.9724 27.2121 26.6889 27.2121 26.3323ZM33.69 29.6556C33.2745 29.8259 32.8589 29.9716 32.4597 29.9879C31.8404 30.0203 31.1641 29.7689 30.7975 29.461C30.2271 28.9827 29.8197 28.7153 29.6486 27.8804C29.5752 27.5238 29.6159 26.9725 29.6812 26.6565C29.8278 25.9756 29.6649 25.538 29.1842 25.1407C28.793 24.8164 28.296 24.7273 27.75 24.7273C27.5463 24.7273 27.359 24.6381 27.2204 24.5652C26.9922 24.4517 26.8049 24.168 26.9841 23.8195C27.0411 23.7061 27.3183 23.4304 27.3835 23.3819C28.125 22.9603 28.9805 23.0981 29.7709 23.4142C30.5043 23.7141 31.0584 24.2654 31.8568 25.0434C32.6717 25.9836 32.8183 26.2432 33.2828 26.9482C33.6496 27.4995 33.9836 28.0668 34.2117 28.7153C34.3502 29.1207 34.1708 29.4529 33.69 29.6556Z"
-      fill="#4D6BFE"
-    />
-  </svg>
-);
-export default SvgDeepseek;
--- a/web/lib/opal/src/logos/discord.tsx
+++ b/web/lib/opal/src/logos/discord.tsx
@@ -1,17 +0,0 @@
-import type { IconProps } from "@opal/types";
-const SvgDiscordMono = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 52 52"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    {...props}
-  >
-    <path
-      d="M32.7571 7.80005C32.288 8.63286 31.8668 9.4944 31.4839 10.3751C27.8463 9.82945 24.1417 9.82945 20.4946 10.3751C20.1213 9.4944 19.6905 8.63286 19.2214 7.80005C15.804 8.384 12.4727 9.40825 9.31379 10.8537C3.05329 20.1296 1.35894 29.1661 2.20134 38.0782C5.86763 40.7872 9.97429 42.8549 14.349 44.1759C15.3349 42.8549 16.2061 41.4477 16.9527 39.9831C15.536 39.4566 14.1671 38.7961 12.8556 38.0303C13.2002 37.7814 13.5353 37.523 13.8608 37.2741C21.5476 40.8925 30.4501 40.8925 38.1465 37.2741C38.4719 37.5421 38.807 37.8006 39.1516 38.0303C37.8401 38.8057 36.4713 39.4566 35.0449 39.9927C35.7916 41.4573 36.6627 42.8645 37.6487 44.1855C42.0233 42.8645 46.1299 40.8064 49.7965 38.0973C50.7918 27.7589 48.0924 18.799 42.6646 10.8633C39.5154 9.41784 36.1841 8.39355 32.7666 7.81919L32.7571 7.80005ZM18.0248 32.5931C15.6604 32.5931 13.698 30.4488 13.698 27.7972C13.698 25.1456 15.5838 22.9918 18.0153 22.9918C20.4468 22.9918 22.3804 25.1552 22.3421 27.7972C22.3038 30.4393 20.4372 32.5931 18.0248 32.5931ZM33.9728 32.5931C31.5988 32.5931 29.6556 30.4488 29.6556 27.7972C29.6556 25.1456 31.5414 22.9918 33.9728 22.9918C36.4043 22.9918 38.3284 25.1552 38.29 27.7972C38.2518 30.4393 36.3851 32.5931 33.9728 32.5931Z"
-      fill="#5865F2"
-    />
-  </svg>
-);
-export default SvgDiscordMono;
--- a/web/lib/opal/src/logos/google.tsx
+++ b/web/lib/opal/src/logos/google.tsx
@@ -1,33 +0,0 @@
-import type { IconProps } from "@opal/types";
-const SvgGoogle = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 52 52"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    {...props}
-  >
-    <path
-      d="M26.4758 21.5474H48.9506C49.2333 23.1186 49.4 24.8471 49.4 26.5493C49.4 33.5757 47.0924 39.5382 42.3041 44.2244C38.0758 48.3709 32.7153 50 26.4758 50C19.4411 50 13.3274 47.1642 8.85118 42.6473C4.41266 38.1688 2.6 32.1174 2.6 26C2.6 19.8826 4.41266 13.8312 8.85118 9.35266C13.3274 4.83583 19.4411 2 26.4758 2C32.9333 2 38.3468 4.36633 42.4994 8.27151L35.6726 15.1286C33.0902 12.6396 29.9845 11.5201 26.4871 11.5201C20.2689 11.5201 14.9692 15.7628 13.0825 21.4432C12.6042 22.8835 12.3419 24.4084 12.3419 26.0015C12.3419 27.5946 12.6042 29.1195 13.0825 30.5598C14.9692 36.2402 20.2689 40.4829 26.4871 40.4829C29.6527 40.4829 32.3416 39.7368 34.4897 38.4527C37.0882 36.8883 38.8266 34.4622 39.3995 31.5747H26.4758V21.5474Z"
-      fill="#4285F4"
-    />
-    <path
-      d="M26.4758 21.5474V31.5747H39.3995C38.8266 34.4622 37.0882 36.8883 34.4897 38.4527L34.49 38.4525L42.3041 44.2244C47.0924 39.5382 49.4 33.5757 49.4 26.5493C49.4 24.8471 49.2333 23.1186 48.9506 21.5474H26.4758Z"
-      fill="#4285F4"
-    />
-    <path
-      d="M13.0825 30.5598C12.6042 29.1195 12.3419 27.5946 12.3419 26.0015C12.3419 24.4084 12.6042 22.8835 13.0825 21.4432L5.12352 15.2415C3.49286 18.5013 2.6 22.1138 2.6 26C2.6 29.8862 3.49286 33.4987 5.12352 36.7585L13.0825 30.5598Z"
-      fill="#FBBC05"
-    />
-    <path
-      d="M26.4758 11.5201C29.9845 11.5201 33.0902 12.6396 35.6726 15.1286L42.4994 8.27151C38.3468 4.36633 32.9333 2 26.4758 2C19.4411 2 13.3274 4.83583 8.85118 9.35266C4.41266 13.8312 2.6 19.8826 2.6 26C2.6 22.1138 3.49286 18.5013 5.12352 15.2415L13.0825 21.4432C14.9692 15.7628 20.2689 11.5201 26.4871 11.5201H26.4758Z"
-      fill="#EA4335"
-    />
-    <path
-      d="M13.0825 30.5598L5.12352 36.7585C6.87664 40.2742 9.47433 43.3014 12.6417 45.5624C16.5474 48.3504 21.3134 50 26.4758 50C32.7153 50 38.0758 48.3709 42.3041 44.2244L34.49 38.4525C32.3416 39.7368 29.6527 40.4829 26.4871 40.4829C20.2689 40.4829 14.9692 36.2402 13.0825 30.5598Z"
-      fill="#34A853"
-    />
-  </svg>
-);
-export default SvgGoogle;
--- a/web/lib/opal/src/logos/index.ts
+++ b/web/lib/opal/src/logos/index.ts
@@ -1,21 +0,0 @@
-export { default as SvgAnthropic } from "@opal/logos/anthropic";
-export { default as SvgAws } from "@opal/logos/aws";
-export { default as SvgAzure } from "@opal/logos/azure";
-export { default as SvgBifrost } from "@opal/logos/bifrost";
-export { default as SvgClaude } from "@opal/logos/claude";
-export { default as SvgDeepseek } from "@opal/logos/deepseek";
-export { default as SvgDiscord } from "@opal/logos/discord";
-export { default as SvgGemini } from "@opal/logos/gemini";
-export { default as SvgGoogle } from "@opal/logos/google";
-export { default as SvgLitellm } from "@opal/logos/litellm";
-export { default as SvgLmStudio } from "@opal/logos/lm-studio";
-export { default as SvgMicrosoft } from "@opal/logos/microsoft";
-export { default as SvgMistral } from "@opal/logos/mistral";
-export { default as SvgOllama } from "@opal/logos/ollama";
-export { default as SvgOnyxLogo } from "@opal/logos/onyx-logo";
-export { default as SvgOnyxLogoTyped } from "@opal/logos/onyx-logo-typed";
-export { default as SvgOnyxTyped } from "@opal/logos/onyx-typed";
-export { default as SvgOpenai } from "@opal/logos/openai";
-export { default as SvgOpenrouter } from "@opal/logos/openrouter";
-export { default as SvgQwen } from "@opal/logos/qwen";
-export { default as SvgSlack } from "@opal/logos/slack";
--- a/web/lib/opal/src/logos/logos.stories.tsx
+++ b/web/lib/opal/src/logos/logos.stories.tsx
@@ -1,44 +0,0 @@
-import React from "react";
-import type { Meta, StoryObj } from "@storybook/react";
-import * as Logos from "@opal/logos";
-
-const logos = Object.entries(Logos).map(([name, Component]) => ({
-  name: name.replace(/^Svg/, ""),
-  Component,
-}));
-
-const meta: Meta = {
-  title: "opal/logos/All Logos",
-  tags: ["autodocs"],
-};
-
-export default meta;
-type Story = StoryObj;
-
-export const AllLogos: Story = {
-  render: () => (
-    <div
-      style={{
-        display: "grid",
-        gridTemplateColumns: "repeat(auto-fill, 120px)",
-        gap: 16,
-      }}
-    >
-      {logos.map(({ name, Component }) => (
-        <div
-          key={name}
-          style={{
-            display: "flex",
-            flexDirection: "column",
-            alignItems: "center",
-            gap: 8,
-            padding: 8,
-          }}
-        >
-          <Component size={32} />
-          <span style={{ fontSize: 11, textAlign: "center" }}>{name}</span>
-        </div>
-      ))}
-    </div>
-  ),
-};
--- a/web/lib/opal/src/logos/microsoft.tsx
+++ b/web/lib/opal/src/logos/microsoft.tsx
@@ -1,17 +0,0 @@
-import type { IconProps } from "@opal/types";
-const SvgMicrosoft = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 52 52"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    {...props}
-  >
-    <path d="M5 5H25V25H5V5Z" fill="#F35325" />
-    <path d="M27 5H47V25H27V5Z" fill="#81BC06" />
-    <path d="M5 27H25V47H5V27Z" fill="#05A6F0" />
-    <path d="M27 27H47V47H27V27Z" fill="#FFBA08" />
-  </svg>
-);
-export default SvgMicrosoft;
--- a/web/lib/opal/src/logos/mistral.tsx
+++ b/web/lib/opal/src/logos/mistral.tsx
@@ -1,29 +0,0 @@
-import type { IconProps } from "@opal/types";
-const SvgMistral = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 52 52"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    {...props}
-  >
-    <path d="M15.5004 8H8.50043V15H15.5004V8Z" fill="#FFD800" />
-    <path d="M43.5004 8H36.5004L36.5001 15H43.5004V8Z" fill="#FFD800" />
-    <path d="M22.5004 15H15.5004H8.50043V22H22.5004V15Z" fill="#FFAF00" />
-    <path d="M43.5004 15H36.5001H29.4998V22H43.5004V15Z" fill="#FFAF00" />
-    <path
-      d="M43.5004 22H29.4998H22.5004H8.50043V29H15.5004H22.5004H29.4998H36.5001H43.5004V22Z"
-      fill="#FF8205"
-    />
-    <path d="M15.5004 29H8.50043L8.50021 36H15.5004V29Z" fill="#FA500F" />
-    <path d="M29.4998 29H22.5004V36H29.4998V29Z" fill="#FA500F" />
-    <path
-      d="M43.5004 29H36.5001L36.5004 36H43.5002L43.5004 29Z"
-      fill="#FA500F"
-    />
-    <path d="M22.5004 36H15.5004H8.50021H1.5V43H22.5004V36Z" fill="#E10500" />
-    <path d="M50.5 36H43.5002H36.5004H29.4998V43H50.5V36Z" fill="#E10500" />
-  </svg>
-);
-export default SvgMistral;
--- a/web/lib/opal/src/logos/qwen.tsx
+++ b/web/lib/opal/src/logos/qwen.tsx
@@ -1,36 +0,0 @@
-import type { IconProps } from "@opal/types";
-const SvgQwen = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 52 52"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    {...props}
-  >
-    <path
-      d="M27.3186 2.74182C28.176 4.24727 29.0291 5.75708 29.88 7.26908C29.9488 7.39001 30.0834 7.46804 30.2225 7.46763H42.3358C42.7155 7.46763 43.0384 7.70762 43.3089 8.18108L46.4812 13.7883C46.8958 14.5236 47.0049 14.8312 46.5336 15.6145C45.9663 16.5527 45.4143 17.4996 44.8754 18.4509L44.0747 19.8865C43.8434 20.3141 43.5882 20.4974 43.9874 21.0036L49.7735 31.1207C50.1488 31.7774 50.0157 32.1985 49.6797 32.8007C48.7263 34.5134 47.7554 36.213 46.767 37.9061C46.4201 38.4996 45.999 38.7243 45.2834 38.7134C43.5882 38.6785 41.8973 38.6916 40.2064 38.7483C40.1339 38.752 40.0655 38.7942 40.0297 38.8574C38.0788 42.314 36.1115 45.7613 34.1279 49.1992C33.7592 49.8385 33.2988 49.9912 32.5461 49.9934C30.3709 49.9999 28.1782 50.0021 25.9637 49.9977C25.5513 49.9966 25.1534 49.7647 24.9491 49.4065L22.0364 44.3381C22.0026 44.2718 21.9298 44.2288 21.8554 44.2312H10.689C10.0671 44.2967 9.48242 44.229 8.93261 44.0305L5.4352 37.9868C5.22833 37.629 5.22663 37.1681 5.43084 36.8087L8.06426 32.1832C8.13928 32.0524 8.13928 31.8842 8.06426 31.7534C6.10931 28.3688 4.17585 24.972 2.24979 21.5709C1.9007 20.8945 1.87234 20.4887 2.45706 19.4654C3.47159 17.6916 4.47958 15.92 5.4832 14.1505C5.7712 13.64 6.14647 13.4218 6.75737 13.4196C8.64024 13.4117 10.5231 13.411 12.406 13.4174C12.5011 13.4167 12.5927 13.3628 12.6395 13.28L18.8008 2.53205C18.9864 2.20711 19.3474 2.00139 19.7216 2.00003L25.3549 2C26.0989 1.99996 26.9346 2.06982 27.3186 2.74182ZM19.7172 3.68654L13.4642 14.6283C13.4041 14.7315 13.289 14.798 13.1696 14.7985H6.91664C6.79446 14.7985 6.76391 14.8531 6.82718 14.96L19.5034 37.1185C19.5579 37.2101 19.5317 37.2538 19.4292 37.2559L13.3311 37.2887C13.1528 37.2827 12.9781 37.384 12.8947 37.5418L10.0148 42.5817C9.91878 42.7519 9.96896 42.8392 10.1631 42.8392L22.6343 42.8567C22.7346 42.8567 22.8088 42.9003 22.8612 42.9897L25.9222 48.3439C26.0226 48.5206 26.1229 48.5228 26.2255 48.3439L37.1475 29.2312L38.8559 26.216C38.9007 26.1358 39.0205 26.1358 39.0653 26.216L42.1722 31.7359C42.2188 31.8186 42.3108 31.8718 42.4056 31.8712L48.4339 31.8276C48.4954 31.8281 48.5403 31.7503 48.5103 31.6967L42.1831 20.6C42.1376 20.5258 42.1376 20.4276 42.1831 20.3534L42.8224 19.2472L45.266 14.9338C45.3183 14.8443 45.2921 14.7985 45.1896 14.7985H19.8917C19.763 14.7985 19.7325 14.7418 19.7979 14.6305L22.9266 9.16508C22.9501 9.12783 22.9625 9.08472 22.9625 9.04071C22.9625 8.99671 22.9501 8.95359 22.9266 8.91635L19.9463 3.68872C19.898 3.60117 19.7672 3.60001 19.7172 3.68654ZM33.5564 21.1192C33.6549 21.1199 33.6803 21.1635 33.6283 21.2501L26.112 34.4501C26.1013 34.4696 26.0855 34.4858 26.0663 34.4969C26.0471 34.5081 26.0252 34.5138 26.0029 34.5134C25.9808 34.5133 25.9591 34.5074 25.94 34.4963C25.9208 34.4852 25.9049 34.4693 25.8939 34.4501L18.3601 21.2894C18.3165 21.2152 18.3383 21.176 18.4212 21.1716L33.5564 21.1192Z"
-      fill="url(#paint0_linear_3448_616)"
-    />
-    <path
-      fillRule="evenodd"
-      clipRule="evenodd"
-      d="M19.7172 3.68654L13.4642 14.6283C13.4041 14.7315 13.289 14.798 13.1696 14.7985H6.91664C6.79446 14.7985 6.76391 14.8531 6.82718 14.96L19.5034 37.1185C19.5579 37.2101 19.5317 37.2538 19.4292 37.2559L13.3311 37.2887C13.1528 37.2827 12.9781 37.384 12.8947 37.5418L10.0148 42.5817C9.91878 42.7519 9.96896 42.8392 10.1631 42.8392L22.6343 42.8567C22.7346 42.8567 22.8088 42.9003 22.8612 42.9897L25.9222 48.3439C26.0226 48.5206 26.1229 48.5228 26.2255 48.3439L37.1475 29.2312L38.8559 26.216C38.9007 26.1358 39.0205 26.1358 39.0653 26.216L42.1722 31.7359C42.2188 31.8186 42.3108 31.8718 42.4056 31.8712L48.4339 31.8276C48.4954 31.8281 48.5403 31.7503 48.5103 31.6967L42.1831 20.6C42.1376 20.5258 42.1376 20.4276 42.1831 20.3534L42.8224 19.2472L45.266 14.9338C45.3183 14.8443 45.2921 14.7985 45.1896 14.7985H19.8917C19.763 14.7985 19.7325 14.7418 19.7979 14.6305L22.9266 9.16508C22.9501 9.12783 22.9625 9.08472 22.9625 9.04071C22.9625 8.99671 22.9501 8.95359 22.9266 8.91635L19.9463 3.68872C19.898 3.60117 19.7672 3.60001 19.7172 3.68654ZM33.5564 21.1192C33.5556 21.1192 33.5549 21.1192 33.5541 21.1192L18.4212 21.1716C18.3383 21.176 18.3165 21.2152 18.3601 21.2894L25.8939 34.4501C25.9049 34.4693 25.9208 34.4852 25.94 34.4963C25.9591 34.5074 25.9808 34.5133 26.0029 34.5134C26.0252 34.5138 26.0471 34.5081 26.0663 34.4969C26.0855 34.4858 26.1013 34.4696 26.112 34.4501L33.6283 21.2501C33.6803 21.1635 33.6549 21.1199 33.5564 21.1192Z"
-      fill="white"
-    />
-    <defs>
-      <linearGradient
-        id="paint0_linear_3448_616"
-        x1={2}
-        y1={1.99971}
-        x2={4802}
-        y2={1.99971}
-        gradientUnits="userSpaceOnUse"
-      >
-        <stop stopColor="#6336E7" stopOpacity={0.84} />
-        <stop offset={1} stopColor="#6F69F7" stopOpacity={0.84} />
-      </linearGradient>
-    </defs>
-  </svg>
-);
-export default SvgQwen;
--- a/web/lib/opal/src/logos/slack.tsx
+++ b/web/lib/opal/src/logos/slack.tsx
@@ -1,29 +0,0 @@
-import type { IconProps } from "@opal/types";
-const SvgSlack = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 52 52"
-    fill="none"
-    xmlns="http://www.w3.org/2000/svg"
-    {...props}
-  >
-    <path
-      d="M12.6977 32.0796C12.6977 34.7532 10.5386 36.914 7.86714 36.914C5.1957 36.914 3.0366 34.7532 3.0366 32.0796C3.0366 29.406 5.1957 27.2452 7.86714 27.2452H12.6977V32.0796ZM15.113 32.0796C15.113 29.406 17.2721 27.2452 19.9435 27.2452C22.615 27.2452 24.7741 29.406 24.7741 32.0796V44.1656C24.7741 46.8392 22.615 49 19.9435 49C17.2721 49 15.113 46.8392 15.113 44.1656V32.0796Z"
-      fill="#E01E5A"
-    />
-    <path
-      d="M19.9435 12.6688C17.2721 12.6688 15.113 10.508 15.113 7.83439C15.113 5.16083 17.2721 3 19.9435 3C22.615 3 24.7741 5.16083 24.7741 7.83439V12.6688H19.9435ZM19.9435 15.1226C22.615 15.1226 24.7741 17.2834 24.7741 19.957C24.7741 22.6306 22.615 24.7914 19.9435 24.7914H7.83055C5.15911 24.7914 3 22.6306 3 19.957C3 17.2834 5.15911 15.1226 7.83055 15.1226H19.9435Z"
-      fill="#36C5F0"
-    />
-    <path
-      d="M39.3023 19.957C39.3023 17.2834 41.4614 15.1226 44.1329 15.1226C46.8043 15.1226 48.9634 17.2834 48.9634 19.957C48.9634 22.6306 46.8043 24.7914 44.1329 24.7914H39.3023V19.957ZM36.887 19.957C36.887 22.6306 34.7279 24.7914 32.0565 24.7914C29.385 24.7914 27.2259 22.6306 27.2259 19.957V7.83439C27.2259 5.16083 29.385 3 32.0565 3C34.7279 3 36.887 5.16083 36.887 7.83439V19.957Z"
-      fill="#2EB67D"
-    />
-    <path
-      d="M32.0565 39.3312C34.7279 39.3312 36.887 41.492 36.887 44.1656C36.887 46.8392 34.7279 49 32.0565 49C29.385 49 27.2259 46.8392 27.2259 44.1656V39.3312H32.0565ZM32.0565 36.914C29.385 36.914 27.2259 34.7532 27.2259 32.0796C27.2259 29.406 29.385 27.2452 32.0565 27.2452H44.1694C46.8409 27.2452 49 29.406 49 32.0796C49 34.7532 46.8409 36.914 44.1694 36.914H32.0565Z"
-      fill="#ECB22E"
-    />
-  </svg>
-);
-export default SvgSlack;
--- a/web/src/app/admin/bots/SlackBotCreationForm.tsx
+++ b/web/src/app/admin/bots/SlackBotCreationForm.tsx
@@ -5,7 +5,7 @@ import { useRouter } from "next/navigation";
 import { useState } from "react";
 import { SlackTokensForm } from "./SlackTokensForm";
 import * as SettingsLayouts from "@/layouts/settings-layouts";
-import { SvgSlack } from "@opal/logos";
+import { SvgSlack } from "@opal/icons";

 export function NewSlackBotForm() {
  const [formValues] = useState({
--- a/web/src/app/admin/bots/[bot-id]/channels/[id]/page.tsx
+++ b/web/src/app/admin/bots/[bot-id]/channels/[id]/page.tsx
@@ -5,7 +5,7 @@ import { SlackChannelConfigCreationForm } from "@/app/admin/bots/[bot-id]/channe
 import { ErrorCallout } from "@/components/ErrorCallout";
 import SimpleLoader from "@/refresh-components/loaders/SimpleLoader";
 import * as SettingsLayouts from "@/layouts/settings-layouts";
-import { SvgSlack } from "@opal/logos";
+import { SvgSlack } from "@opal/icons";
 import { useSlackChannelConfigs } from "@/app/admin/bots/[bot-id]/hooks";
 import { useDocumentSets } from "@/app/admin/documents/sets/hooks";
 import { useAgents } from "@/hooks/useAgents";
--- a/web/src/app/admin/bots/[bot-id]/channels/new/page.tsx
+++ b/web/src/app/admin/bots/[bot-id]/channels/new/page.tsx
@@ -5,7 +5,7 @@ import { SlackChannelConfigCreationForm } from "@/app/admin/bots/[bot-id]/channe
 import { ErrorCallout } from "@/components/ErrorCallout";
 import SimpleLoader from "@/refresh-components/loaders/SimpleLoader";
 import * as SettingsLayouts from "@/layouts/settings-layouts";
-import { SvgSlack } from "@opal/logos";
+import { SvgSlack } from "@opal/icons";
 import { useDocumentSets } from "@/app/admin/documents/sets/hooks";
 import { useAgents } from "@/hooks/useAgents";
 import { useStandardAnswerCategories } from "@/app/ee/admin/standard-answer/hooks";
--- a/web/src/app/admin/bots/[bot-id]/page.tsx
+++ b/web/src/app/admin/bots/[bot-id]/page.tsx
@@ -7,7 +7,7 @@ import SlackChannelConfigsTable from "./SlackChannelConfigsTable";
 import { useSlackBot, useSlackChannelConfigsByBot } from "./hooks";
 import { ExistingSlackBotForm } from "../SlackBotUpdateForm";
 import * as SettingsLayouts from "@/layouts/settings-layouts";
-import { SvgSlack } from "@opal/logos";
+import { SvgSlack } from "@opal/icons";
 import { getErrorMsg } from "@/lib/error";

 function SlackBotEditContent({ botId }: { botId: string }) {
--- a/web/src/app/admin/configuration/llm/ModelConfigurationField.tsx
+++ b/web/src/app/admin/configuration/llm/ModelConfigurationField.tsx
@@ -0,0 +1,163 @@
+"use client";
+
+import { ArrayHelpers, FieldArray, FormikProps, useField } from "formik";
+import { ModelConfiguration } from "@/interfaces/llm";
+import { ManualErrorMessage, TextFormField } from "@/components/Field";
+import { useEffect, useState } from "react";
+import CreateButton from "@/refresh-components/buttons/CreateButton";
+import { Button } from "@opal/components";
+import { SvgX } from "@opal/icons";
+import Text from "@/refresh-components/texts/Text";
+
+function ModelConfigurationRow({
+  name,
+  index,
+  arrayHelpers,
+  formikProps,
+  setError,
+}: {
+  name: string;
+  index: number;
+  arrayHelpers: ArrayHelpers;
+  formikProps: FormikProps<{ model_configurations: ModelConfiguration[] }>;
+  setError: (value: string | null) => void;
+}) {
+  const [, input] = useField(`${name}[${index}]`);
+  useEffect(() => {
+    if (!input.touched) return;
+    setError((input.error as { name: string } | undefined)?.name ?? null);
+  }, [input.touched, input.error]);
+
+  return (
+    <div key={index} className="flex flex-row w-full gap-4">
+      <div
+        className={`flex flex-[2] ${
+          input.touched && input.error ? "border-2 border-error rounded-lg" : ""
+        }`}
+      >
+        <TextFormField
+          name={`${name}[${index}].name`}
+          label=""
+          placeholder={`model-name-${index + 1}`}
+          removeLabel
+          hideError
+        />
+      </div>
+      <div className="flex flex-[1]">
+        <TextFormField
+          name={`${name}[${index}].max_input_tokens`}
+          label=""
+          placeholder="Default"
+          removeLabel
+          hideError
+          type="number"
+          min={1}
+        />
+      </div>
+      <div className="flex flex-col justify-center">
+        <Button
+          disabled={formikProps.values.model_configurations.length <= 1}
+          onClick={() => {
+            if (formikProps.values.model_configurations.length > 1) {
+              setError(null);
+              arrayHelpers.remove(index);
+            }
+          }}
+          icon={SvgX}
+          prominence="secondary"
+        />
+      </div>
+    </div>
+  );
+}
+
+export function ModelConfigurationField({
+  name,
+  formikProps,
+}: {
+  name: string;
+  formikProps: FormikProps<{ model_configurations: ModelConfiguration[] }>;
+}) {
+  const [errorMap, setErrorMap] = useState<{ [index: number]: string }>({});
+  const [finalError, setFinalError] = useState<string | undefined>();
+
+  return (
+    <div className="pb-5 flex flex-col w-full">
+      <div className="flex flex-col">
+        <Text as="p" mainUiAction>
+          Model Configurations
+        </Text>
+        <Text as="p" secondaryBody text03>
+          Add models and customize the number of input tokens that they accept.
+        </Text>
+      </div>
+      <FieldArray
+        name={name}
+        render={(arrayHelpers: ArrayHelpers) => (
+          <div className="flex flex-col">
+            <div className="flex flex-col gap-4 py-4">
+              <div className="flex">
+                <Text as="p" secondaryBody className="flex flex-[2]">
+                  Model Name
+                </Text>
+                <Text as="p" secondaryBody className="flex flex-[1]">
+                  Max Input Tokens
+                </Text>
+                <div className="w-10" />
+              </div>
+              {formikProps.values.model_configurations.map((_, index) => (
+                <ModelConfigurationRow
+                  key={index}
+                  name={name}
+                  formikProps={formikProps}
+                  arrayHelpers={arrayHelpers}
+                  index={index}
+                  setError={(message: string | null) => {
+                    const newErrors = { ...errorMap };
+                    if (message) {
+                      newErrors[index] = message;
+                    } else {
+                      delete newErrors[index];
+                      for (const key in newErrors) {
+                        const numKey = Number(key);
+                        if (numKey > index) {
+                          const errorValue = newErrors[key];
+                          if (errorValue !== undefined) {
+                            // Ensure the value is not undefined
+                            newErrors[numKey - 1] = errorValue;
+                            delete newErrors[numKey];
+                          }
+                        }
+                      }
+                    }
+                    setErrorMap(newErrors);
+                    setFinalError(
+                      Object.values(newErrors).filter((item) => item)[0]
+                    );
+                  }}
+                />
+              ))}
+            </div>
+            {finalError && (
+              <ManualErrorMessage>{finalError}</ManualErrorMessage>
+            )}
+            <div className="mt-3">
+              <CreateButton
+                onClick={() => {
+                  arrayHelpers.push({
+                    name: "",
+                    is_visible: true,
+                    // Use null so Yup.number().nullable() accepts empty inputs
+                    max_input_tokens: null,
+                  });
+                }}
+              >
+                Add New
+              </CreateButton>
+            </div>
+          </div>
+        )}
+      />
+    </div>
+  );
+}
--- a/web/src/app/admin/configuration/llm/ModelIcon.tsx
+++ b/web/src/app/admin/configuration/llm/ModelIcon.tsx
@@ -1,18 +0,0 @@
-import { defaultTailwindCSS } from "@/components/icons/icons";
-import { getModelIcon } from "@/lib/llmConfig/providers";
-import { IconProps } from "@opal/types";
-
-export interface ModelIconProps extends IconProps {
-  provider: string;
-  modelName?: string;
-}
-
-export default function ModelIcon({
-  provider,
-  modelName,
-  size = 16,
-  className = defaultTailwindCSS,
-}: ModelIconProps) {
-  const Icon = getModelIcon(provider, modelName);
-  return <Icon size={size} className={className} />;
-}
--- a/web/src/app/admin/configuration/llm/ProviderIcon.tsx
+++ b/web/src/app/admin/configuration/llm/ProviderIcon.tsx
@@ -0,0 +1,17 @@
+import { defaultTailwindCSS, IconProps } from "@/components/icons/icons";
+import { getProviderIcon } from "@/app/admin/configuration/llm/utils";
+
+export interface ProviderIconProps extends IconProps {
+  provider: string;
+  modelName?: string;
+}
+
+export const ProviderIcon = ({
+  provider,
+  modelName,
+  size = 16,
+  className = defaultTailwindCSS,
+}: ProviderIconProps) => {
+  const Icon = getProviderIcon(provider, modelName);
+  return <Icon size={size} className={className} />;
+};
--- a/web/src/app/admin/configuration/llm/page.tsx
+++ b/web/src/app/admin/configuration/llm/page.tsx
@@ -1 +1 @@
-export { default } from "@/refresh-pages/admin/LLMProviderConfigurationPage";
+export { default } from "@/refresh-pages/admin/LLMConfigurationPage";
--- a/web/src/app/admin/configuration/llm/utils.ts
+++ b/web/src/app/admin/configuration/llm/utils.ts
@@ -0,0 +1,622 @@
+import { JSX } from "react";
+import {
+  AnthropicIcon,
+  AmazonIcon,
+  AzureIcon,
+  CPUIcon,
+  MicrosoftIconSVG,
+  MistralIcon,
+  MetaIcon,
+  GeminiIcon,
+  IconProps,
+  DeepseekIcon,
+  OpenAISVG,
+  QwenIcon,
+  OllamaIcon,
+  LMStudioIcon,
+  LiteLLMIcon,
+  ZAIIcon,
+} from "@/components/icons/icons";
+import {
+  OllamaModelResponse,
+  OpenRouterModelResponse,
+  BedrockModelResponse,
+  LMStudioModelResponse,
+  LiteLLMProxyModelResponse,
+  BifrostModelResponse,
+  ModelConfiguration,
+  LLMProviderName,
+  BedrockFetchParams,
+  OllamaFetchParams,
+  LMStudioFetchParams,
+  OpenRouterFetchParams,
+  LiteLLMProxyFetchParams,
+  BifrostFetchParams,
+  OpenAICompatibleFetchParams,
+  OpenAICompatibleModelResponse,
+} from "@/interfaces/llm";
+import { SvgAws, SvgBifrost, SvgOpenrouter, SvgPlug } from "@opal/icons";
+
+// Aggregator providers that host models from multiple vendors
+export const AGGREGATOR_PROVIDERS = new Set([
+  "bedrock",
+  "bedrock_converse",
+  "openrouter",
+  "ollama_chat",
+  "lm_studio",
+  "litellm_proxy",
+  "bifrost",
+  "openai_compatible",
+  "vertex_ai",
+]);
+
+export const getProviderIcon = (
+  providerName: string,
+  modelName?: string
+): (({ size, className }: IconProps) => JSX.Element) => {
+  const iconMap: Record<
+    string,
+    ({ size, className }: IconProps) => JSX.Element
+  > = {
+    amazon: AmazonIcon,
+    phi: MicrosoftIconSVG,
+    mistral: MistralIcon,
+    ministral: MistralIcon,
+    llama: MetaIcon,
+    ollama_chat: OllamaIcon,
+    ollama: OllamaIcon,
+    lm_studio: LMStudioIcon,
+    gemini: GeminiIcon,
+    deepseek: DeepseekIcon,
+    claude: AnthropicIcon,
+    anthropic: AnthropicIcon,
+    openai: OpenAISVG,
+    // Azure OpenAI should display the Azure logo
+    azure: AzureIcon,
+    microsoft: MicrosoftIconSVG,
+    meta: MetaIcon,
+    google: GeminiIcon,
+    qwen: QwenIcon,
+    qwq: QwenIcon,
+    zai: ZAIIcon,
+    // Cloud providers - use AWS icon for Bedrock
+    bedrock: SvgAws,
+    bedrock_converse: SvgAws,
+    openrouter: SvgOpenrouter,
+    litellm_proxy: LiteLLMIcon,
+    bifrost: SvgBifrost,
+    openai_compatible: SvgPlug,
+    vertex_ai: GeminiIcon,
+  };
+
+  const lowerProviderName = providerName.toLowerCase();
+
+  // For aggregator providers (bedrock, openrouter, vertex_ai), prioritize showing
+  // the vendor icon based on model name (e.g., show Claude icon for Bedrock Claude models)
+  if (AGGREGATOR_PROVIDERS.has(lowerProviderName) && modelName) {
+    const lowerModelName = modelName.toLowerCase();
+    for (const [key, icon] of Object.entries(iconMap)) {
+      if (lowerModelName.includes(key)) {
+        return icon;
+      }
+    }
+  }
+
+  // Check if provider name directly matches an icon
+  if (lowerProviderName in iconMap) {
+    const icon = iconMap[lowerProviderName];
+    if (icon) {
+      return icon;
+    }
+  }
+
+  // For non-aggregator providers, check if model name contains any of the keys
+  if (modelName) {
+    const lowerModelName = modelName.toLowerCase();
+    for (const [key, icon] of Object.entries(iconMap)) {
+      if (lowerModelName.includes(key)) {
+        return icon;
+      }
+    }
+  }
+
+  // Fallback to CPU icon if no matches
+  return CPUIcon;
+};
+
+export const isAnthropic = (provider: string, modelName?: string) =>
+  provider === LLMProviderName.ANTHROPIC ||
+  !!modelName?.toLowerCase().includes("claude");
+
+/**
+ * Fetches Bedrock models directly without any form state dependencies.
+ * Uses snake_case params to match API structure.
+ */
+export const fetchBedrockModels = async (
+  params: BedrockFetchParams
+): Promise<{ models: ModelConfiguration[]; error?: string }> => {
+  if (!params.aws_region_name) {
+    return { models: [], error: "AWS region is required" };
+  }
+
+  try {
+    const response = await fetch("/api/admin/llm/bedrock/available-models", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        aws_region_name: params.aws_region_name,
+        aws_access_key_id: params.aws_access_key_id,
+        aws_secret_access_key: params.aws_secret_access_key,
+        aws_bearer_token_bedrock: params.aws_bearer_token_bedrock,
+        provider_name: params.provider_name,
+      }),
+    });
+
+    if (!response.ok) {
+      let errorMessage = "Failed to fetch models";
+      try {
+        const errorData = await response.json();
+        errorMessage = errorData.detail || errorData.message || errorMessage;
+      } catch {
+        // ignore JSON parsing errors
+      }
+      return { models: [], error: errorMessage };
+    }
+
+    const data: BedrockModelResponse[] = await response.json();
+    const models: ModelConfiguration[] = data.map((modelData) => ({
+      name: modelData.name,
+      display_name: modelData.display_name,
+      is_visible: false,
+      max_input_tokens: modelData.max_input_tokens,
+      supports_image_input: modelData.supports_image_input,
+      supports_reasoning: false,
+    }));
+
+    return { models };
+  } catch (error) {
+    const errorMessage =
+      error instanceof Error ? error.message : "Unknown error";
+    return { models: [], error: errorMessage };
+  }
+};
+
+/**
+ * Fetches Ollama models directly without any form state dependencies.
+ * Uses snake_case params to match API structure.
+ */
+export const fetchOllamaModels = async (
+  params: OllamaFetchParams
+): Promise<{ models: ModelConfiguration[]; error?: string }> => {
+  const apiBase = params.api_base;
+  if (!apiBase) {
+    return { models: [], error: "API Base is required" };
+  }
+
+  try {
+    const response = await fetch("/api/admin/llm/ollama/available-models", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        api_base: apiBase,
+        provider_name: params.provider_name,
+      }),
+      signal: params.signal,
+    });
+
+    if (!response.ok) {
+      let errorMessage = "Failed to fetch models";
+      try {
+        const errorData = await response.json();
+        errorMessage = errorData.detail || errorData.message || errorMessage;
+      } catch {
+        // ignore JSON parsing errors
+      }
+      return { models: [], error: errorMessage };
+    }
+
+    const data: OllamaModelResponse[] = await response.json();
+    const models: ModelConfiguration[] = data.map((modelData) => ({
+      name: modelData.name,
+      display_name: modelData.display_name,
+      is_visible: true,
+      max_input_tokens: modelData.max_input_tokens,
+      supports_image_input: modelData.supports_image_input,
+      supports_reasoning: false,
+    }));
+
+    return { models };
+  } catch (error) {
+    const errorMessage =
+      error instanceof Error ? error.message : "Unknown error";
+    return { models: [], error: errorMessage };
+  }
+};
+
+/**
+ * Fetches OpenRouter models directly without any form state dependencies.
+ * Uses snake_case params to match API structure.
+ */
+export const fetchOpenRouterModels = async (
+  params: OpenRouterFetchParams
+): Promise<{ models: ModelConfiguration[]; error?: string }> => {
+  const apiBase = params.api_base;
+  const apiKey = params.api_key;
+  if (!apiBase) {
+    return { models: [], error: "API Base is required" };
+  }
+  if (!apiKey) {
+    return { models: [], error: "API Key is required" };
+  }
+
+  try {
+    const response = await fetch("/api/admin/llm/openrouter/available-models", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        api_base: apiBase,
+        api_key: apiKey,
+        provider_name: params.provider_name,
+      }),
+    });
+
+    if (!response.ok) {
+      let errorMessage = "Failed to fetch models";
+      try {
+        const errorData = await response.json();
+        errorMessage = errorData.detail || errorData.message || errorMessage;
+      } catch (jsonError) {
+        console.warn(
+          "Failed to parse OpenRouter model fetch error response",
+          jsonError
+        );
+      }
+      return { models: [], error: errorMessage };
+    }
+
+    const data: OpenRouterModelResponse[] = await response.json();
+    const models: ModelConfiguration[] = data.map((modelData) => ({
+      name: modelData.name,
+      display_name: modelData.display_name,
+      is_visible: true,
+      max_input_tokens: modelData.max_input_tokens,
+      supports_image_input: modelData.supports_image_input,
+      supports_reasoning: false,
+    }));
+
+    return { models };
+  } catch (error) {
+    const errorMessage =
+      error instanceof Error ? error.message : "Unknown error";
+    return { models: [], error: errorMessage };
+  }
+};
+
+/**
+ * Fetches LM Studio models directly without any form state dependencies.
+ * Uses snake_case params to match API structure.
+ */
+export const fetchLMStudioModels = async (
+  params: LMStudioFetchParams
+): Promise<{ models: ModelConfiguration[]; error?: string }> => {
+  const apiBase = params.api_base;
+  if (!apiBase) {
+    return { models: [], error: "API Base is required" };
+  }
+
+  try {
+    const response = await fetch("/api/admin/llm/lm-studio/available-models", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        api_base: apiBase,
+        api_key: params.api_key,
+        api_key_changed: params.api_key_changed ?? false,
+        provider_name: params.provider_name,
+      }),
+      signal: params.signal,
+    });
+
+    if (!response.ok) {
+      let errorMessage = "Failed to fetch models";
+      try {
+        const errorData = await response.json();
+        errorMessage = errorData.detail || errorData.message || errorMessage;
+      } catch (jsonError) {
+        console.warn(
+          "Failed to parse LM Studio model fetch error response",
+          jsonError
+        );
+      }
+      return { models: [], error: errorMessage };
+    }
+
+    const data: LMStudioModelResponse[] = await response.json();
+    const models: ModelConfiguration[] = data.map((modelData) => ({
+      name: modelData.name,
+      display_name: modelData.display_name,
+      is_visible: true,
+      max_input_tokens: modelData.max_input_tokens,
+      supports_image_input: modelData.supports_image_input,
+      supports_reasoning: modelData.supports_reasoning,
+    }));
+
+    return { models };
+  } catch (error) {
+    const errorMessage =
+      error instanceof Error ? error.message : "Unknown error";
+    return { models: [], error: errorMessage };
+  }
+};
+
+/**
+ * Fetches Bifrost models directly without any form state dependencies.
+ * Uses snake_case params to match API structure.
+ */
+export const fetchBifrostModels = async (
+  params: BifrostFetchParams
+): Promise<{ models: ModelConfiguration[]; error?: string }> => {
+  const apiBase = params.api_base;
+  if (!apiBase) {
+    return { models: [], error: "API Base is required" };
+  }
+
+  try {
+    const response = await fetch("/api/admin/llm/bifrost/available-models", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        api_base: apiBase,
+        api_key: params.api_key,
+        provider_name: params.provider_name,
+      }),
+      signal: params.signal,
+    });
+
+    if (!response.ok) {
+      let errorMessage = "Failed to fetch models";
+      try {
+        const errorData = await response.json();
+        errorMessage = errorData.detail || errorData.message || errorMessage;
+      } catch (jsonError) {
+        console.warn(
+          "Failed to parse Bifrost model fetch error response",
+          jsonError
+        );
+      }
+      return { models: [], error: errorMessage };
+    }
+
+    const data: BifrostModelResponse[] = await response.json();
+    const models: ModelConfiguration[] = data.map((modelData) => ({
+      name: modelData.name,
+      display_name: modelData.display_name,
+      is_visible: true,
+      max_input_tokens: modelData.max_input_tokens,
+      supports_image_input: modelData.supports_image_input,
+      supports_reasoning: modelData.supports_reasoning,
+    }));
+
+    return { models };
+  } catch (error) {
+    const errorMessage =
+      error instanceof Error ? error.message : "Unknown error";
+    return { models: [], error: errorMessage };
+  }
+};
+
+/**
+ * Fetches models from a generic OpenAI-compatible server.
+ * Uses snake_case params to match API structure.
+ */
+export const fetchOpenAICompatibleModels = async (
+  params: OpenAICompatibleFetchParams
+): Promise<{ models: ModelConfiguration[]; error?: string }> => {
+  const apiBase = params.api_base;
+  if (!apiBase) {
+    return { models: [], error: "API Base is required" };
+  }
+
+  try {
+    const response = await fetch(
+      "/api/admin/llm/openai-compatible/available-models",
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          api_base: apiBase,
+          api_key: params.api_key,
+          provider_name: params.provider_name,
+        }),
+        signal: params.signal,
+      }
+    );
+
+    if (!response.ok) {
+      let errorMessage = "Failed to fetch models";
+      try {
+        const errorData = await response.json();
+        errorMessage = errorData.detail || errorData.message || errorMessage;
+      } catch {
+        // ignore JSON parsing errors
+      }
+      return { models: [], error: errorMessage };
+    }
+
+    const data: OpenAICompatibleModelResponse[] = await response.json();
+    const models: ModelConfiguration[] = data.map((modelData) => ({
+      name: modelData.name,
+      display_name: modelData.display_name,
+      is_visible: true,
+      max_input_tokens: modelData.max_input_tokens,
+      supports_image_input: modelData.supports_image_input,
+      supports_reasoning: modelData.supports_reasoning,
+    }));
+
+    return { models };
+  } catch (error) {
+    const errorMessage =
+      error instanceof Error ? error.message : "Unknown error";
+    return { models: [], error: errorMessage };
+  }
+};
+
+/**
+ * Fetches LiteLLM Proxy models directly without any form state dependencies.
+ * Uses snake_case params to match API structure.
+ */
+export const fetchLiteLLMProxyModels = async (
+  params: LiteLLMProxyFetchParams
+): Promise<{ models: ModelConfiguration[]; error?: string }> => {
+  const apiBase = params.api_base;
+  const apiKey = params.api_key;
+  if (!apiBase) {
+    return { models: [], error: "API Base is required" };
+  }
+  if (!apiKey) {
+    return { models: [], error: "API Key is required" };
+  }
+
+  try {
+    const response = await fetch("/api/admin/llm/litellm/available-models", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        api_base: apiBase,
+        api_key: apiKey,
+        provider_name: params.provider_name,
+      }),
+      signal: params.signal,
+    });
+
+    if (!response.ok) {
+      let errorMessage = "Failed to fetch models";
+      try {
+        const errorData = await response.json();
+        errorMessage = errorData.detail || errorData.message || errorMessage;
+      } catch {
+        // ignore JSON parsing errors
+      }
+      return { models: [], error: errorMessage };
+    }
+
+    const data: LiteLLMProxyModelResponse[] = await response.json();
+    const models: ModelConfiguration[] = data.map((modelData) => ({
+      name: modelData.model_name,
+      display_name: modelData.model_name,
+      is_visible: true,
+      max_input_tokens: null,
+      supports_image_input: false,
+      supports_reasoning: false,
+    }));
+
+    return { models };
+  } catch (error) {
+    const errorMessage =
+      error instanceof Error ? error.message : "Unknown error";
+    return { models: [], error: errorMessage };
+  }
+};
+
+/**
+ * Fetches models for a provider. Accepts form values directly and maps them
+ * to the expected fetch params format internally.
+ */
+export const fetchModels = async (
+  providerName: string,
+  formValues: {
+    api_base?: string;
+    api_key?: string;
+    api_key_changed?: boolean;
+    name?: string;
+    custom_config?: Record<string, string>;
+    model_configurations?: ModelConfiguration[];
+  },
+  signal?: AbortSignal
+) => {
+  const customConfig = formValues.custom_config || {};
+
+  switch (providerName) {
+    case LLMProviderName.BEDROCK:
+      return fetchBedrockModels({
+        aws_region_name: customConfig.AWS_REGION_NAME || "",
+        aws_access_key_id: customConfig.AWS_ACCESS_KEY_ID,
+        aws_secret_access_key: customConfig.AWS_SECRET_ACCESS_KEY,
+        aws_bearer_token_bedrock: customConfig.AWS_BEARER_TOKEN_BEDROCK,
+        provider_name: formValues.name,
+      });
+    case LLMProviderName.OLLAMA_CHAT:
+      return fetchOllamaModels({
+        api_base: formValues.api_base,
+        provider_name: formValues.name,
+        signal,
+      });
+    case LLMProviderName.LM_STUDIO:
+      return fetchLMStudioModels({
+        api_base: formValues.api_base,
+        api_key: formValues.custom_config?.LM_STUDIO_API_KEY,
+        api_key_changed: formValues.api_key_changed ?? false,
+        provider_name: formValues.name,
+        signal,
+      });
+    case LLMProviderName.OPENROUTER:
+      return fetchOpenRouterModels({
+        api_base: formValues.api_base,
+        api_key: formValues.api_key,
+        provider_name: formValues.name,
+      });
+    case LLMProviderName.LITELLM_PROXY:
+      return fetchLiteLLMProxyModels({
+        api_base: formValues.api_base,
+        api_key: formValues.api_key,
+        provider_name: formValues.name,
+        signal,
+      });
+    case LLMProviderName.BIFROST:
+      return fetchBifrostModels({
+        api_base: formValues.api_base,
+        api_key: formValues.api_key,
+        provider_name: formValues.name,
+        signal,
+      });
+    case LLMProviderName.OPENAI_COMPATIBLE:
+      return fetchOpenAICompatibleModels({
+        api_base: formValues.api_base,
+        api_key: formValues.api_key,
+        provider_name: formValues.name,
+        signal,
+      });
+    default:
+      return { models: [], error: `Unknown provider: ${providerName}` };
+  }
+};
+
+export function canProviderFetchModels(providerName?: string) {
+  if (!providerName) return false;
+  switch (providerName) {
+    case LLMProviderName.BEDROCK:
+    case LLMProviderName.OLLAMA_CHAT:
+    case LLMProviderName.LM_STUDIO:
+    case LLMProviderName.OPENROUTER:
+    case LLMProviderName.LITELLM_PROXY:
+    case LLMProviderName.BIFROST:
+    case LLMProviderName.OPENAI_COMPATIBLE:
+      return true;
+    default:
+      return false;
+  }
+}
--- a/web/src/app/admin/configuration/voice/VoiceProviderSetupModal.tsx
+++ b/web/src/app/admin/configuration/voice/VoiceProviderSetupModal.tsx
@@ -17,8 +17,7 @@ import InputComboBox from "@/refresh-components/inputs/InputComboBox";
 import { FormField } from "@/refresh-components/form/FormField";
 import { Vertical, Horizontal } from "@/layouts/input-layouts";
 import { Section } from "@/layouts/general-layouts";
-import { SvgArrowExchange } from "@opal/icons";
-import { SvgOnyxLogo } from "@opal/logos";
+import { SvgArrowExchange, SvgOnyxLogo } from "@opal/icons";
 import { Disabled } from "@opal/core";
 import type { IconProps } from "@opal/types";
 import { VoiceProviderView } from "@/hooks/useVoiceProviders";
@@ -402,7 +401,7 @@ export default function VoiceProviderSetupModal({
                    options={existingApiKeyOptions}
                    separatorLabel="Reuse OpenAI API Keys"
                    strict={false}
-                    createPrefix="Add"
+                    showAddPrefix
                  />
                ) : (
                  <PasswordInputTypeIn
--- a/web/src/app/app/message/MultiModelPanel.tsx
+++ b/web/src/app/app/message/MultiModelPanel.tsx
@@ -5,7 +5,7 @@ import { Button } from "@opal/components";
 import { Text } from "@opal/components";
 import { ContentAction } from "@opal/layouts";
 import { SvgEyeOff, SvgX } from "@opal/icons";
-import { getModelIcon } from "@/lib/llmConfig/providers";
+import { getProviderIcon } from "@/app/admin/configuration/llm/utils";
 import AgentMessage, {
  AgentMessageProps,
 } from "@/app/app/message/messageComponents/AgentMessage";
@@ -71,7 +71,7 @@ export default function MultiModelPanel({
  errorStackTrace,
  errorDetails,
 }: MultiModelPanelProps) {
-  const ModelIcon = getModelIcon(provider, modelName);
+  const ProviderIcon = getProviderIcon(provider, modelName);

  const handlePanelClick = useCallback(() => {
    if (!isHidden && !isPreferred) onSelect();
@@ -88,7 +88,7 @@ export default function MultiModelPanel({
        sizePreset="main-ui"
        variant="body"
        paddingVariant="lg"
-        icon={ModelIcon}
+        icon={ProviderIcon}
        title={isHidden ? markdown(`~~${displayName}~~`) : displayName}
        rightChildren={
          <div className="flex items-center gap-1 px-2">
--- a/web/src/app/craft/components/BuildLLMPopover.tsx
+++ b/web/src/app/craft/components/BuildLLMPopover.tsx
@@ -18,7 +18,7 @@ import {
  isRecommendedModel,
 } from "@/app/craft/onboarding/constants";
 import { ToggleWarningModal } from "./ToggleWarningModal";
-import { getModelIcon } from "@/lib/llmConfig/providers";
+import { getProviderIcon } from "@/app/admin/configuration/llm/utils";
 import { Section } from "@/layouts/general-layouts";
 import {
  Accordion,
@@ -365,7 +365,9 @@ export function BuildLLMPopover({
                            const isExpanded = expandedGroups.includes(
                              group.providerKey
                            );
-                            const ModelIcon = getModelIcon(group.providerKey);
+                            const ProviderIcon = getProviderIcon(
+                              group.providerKey
+                            );

                            return (
                              <AccordionItem
@@ -377,7 +379,7 @@ export function BuildLLMPopover({
                                <AccordionTrigger className="flex items-center rounded-08 hover:no-underline hover:bg-background-tint-02 group [&>svg]:hidden w-full py-1">
                                  <div className="flex items-center gap-1 shrink-0">
                                    <div className="flex items-center justify-center size-5 shrink-0">
-                                      <ModelIcon size={16} />
+                                      <ProviderIcon size={16} />
                                    </div>
                                    <Text
                                      secondaryBody
--- a/web/src/app/craft/onboarding/components/BuildOnboardingModal.tsx
+++ b/web/src/app/craft/onboarding/components/BuildOnboardingModal.tsx
@@ -24,6 +24,7 @@ import {
 } from "@/app/craft/onboarding/constants";
 import { LLMProviderDescriptor } from "@/interfaces/llm";
 import { LLM_PROVIDERS_ADMIN_URL } from "@/lib/llmConfig/constants";
+import { buildOnboardingInitialValues as buildInitialValues } from "@/sections/modals/llmConfig/utils";
 import { testApiKeyHelper } from "@/sections/modals/llmConfig/svc";
 import OnboardingInfoPages from "@/app/craft/onboarding/components/OnboardingInfoPages";
 import OnboardingUserInfo from "@/app/craft/onboarding/components/OnboardingUserInfo";
@@ -220,8 +221,10 @@ export default function BuildOnboardingModal({
    setConnectionStatus("testing");
    setErrorMessage("");

+    const baseValues = buildInitialValues();
    const providerName = `build-mode-${currentProviderConfig.providerName}`;
    const payload = {
+      ...baseValues,
      name: providerName,
      provider: currentProviderConfig.providerName,
      api_key: apiKey,
--- a/web/src/app/craft/v1/configure/page.tsx
+++ b/web/src/app/craft/v1/configure/page.tsx
@@ -48,7 +48,7 @@ import NotAllowedModal from "@/app/craft/onboarding/components/NotAllowedModal";
 import { useOnboarding } from "@/app/craft/onboarding/BuildOnboardingProvider";
 import { useLLMProviders } from "@/hooks/useLLMProviders";
 import { useUser } from "@/providers/UserProvider";
-import { getModelIcon } from "@/lib/llmConfig/providers";
+import { getProviderIcon } from "@/app/admin/configuration/llm/utils";
 import {
  getBuildUserPersona,
  getPersonaInfo,
@@ -475,10 +475,10 @@ export default function BuildConfigPage() {
                        >
                          {pendingLlmSelection?.provider &&
                            (() => {
-                              const ModelIcon = getModelIcon(
+                              const ProviderIcon = getProviderIcon(
                                pendingLlmSelection.provider
                              );
-                              return <ModelIcon className="w-4 h-4" />;
+                              return <ProviderIcon className="w-4 h-4" />;
                            })()}
                          <Text mainUiAction>{pendingLlmDisplayName}</Text>
                          <SvgChevronDown className="w-4 h-4 text-text-03" />
--- a/web/src/components/admin/ClientLayout.tsx
+++ b/web/src/components/admin/ClientLayout.tsx
@@ -1,15 +1,19 @@
 "use client";

+import type { Route } from "next";
 import AdminSidebar from "@/sections/sidebar/AdminSidebar";
-import { usePathname } from "next/navigation";
+import { usePathname, useRouter } from "next/navigation";
 import { useSettingsContext } from "@/providers/SettingsProvider";
+import { useUser } from "@/providers/UserProvider";
 import { ApplicationStatus } from "@/interfaces/settings";
 import { Button } from "@opal/components";
 import { cn } from "@/lib/utils";
-import { ADMIN_ROUTES } from "@/lib/admin-routes";
+import { ADMIN_ROUTES, AdminRouteEntry } from "@/lib/admin-routes";
+import { hasPermission, getFirstPermittedAdminRoute } from "@/lib/permissions";
 import useScreenSize from "@/hooks/useScreenSize";
 import { SvgSidebar } from "@opal/icons";
 import { useSidebarState } from "@/layouts/sidebar-layouts";
+import { useEffect } from "react";

 export interface ClientLayoutProps {
  children: React.ReactNode;
@@ -56,7 +60,35 @@ export function ClientLayout({ children, enableCloud }: ClientLayoutProps) {
    useSidebarState();
  const { isMobile } = useScreenSize();
  const pathname = usePathname();
+  const router = useRouter();
  const settings = useSettingsContext();
+  const { user, permissions } = useUser();
+
+  // Enforce per-page permission: find the route that matches the current
+  // pathname and verify the user holds its requiredPermission.
+  useEffect(() => {
+    // Wait for user data to load before checking permissions —
+    // permissions default to [] while loading, which would cause a
+    // spurious redirect on every admin page.
+    if (!user) return;
+
+    const matchedRoute = Object.values(ADMIN_ROUTES).find(
+      (route: AdminRouteEntry) =>
+        route.sidebarLabel && pathname.startsWith(route.path)
+    );
+    if (
+      matchedRoute &&
+      !hasPermission(permissions, matchedRoute.requiredPermission)
+    ) {
+      const fallback = getFirstPermittedAdminRoute(permissions);
+      // Avoid redirect loop: if the fallback is the same page, go to /app
+      if (pathname.startsWith(fallback)) {
+        router.replace("/app" as Route);
+      } else {
+        router.replace(fallback as Route);
+      }
+    }
+  }, [user, pathname, permissions, router]);

  // Certain admin panels have their own custom sidebar.
  // For those pages, we skip rendering the default `AdminSidebar` and let those individual pages render their own.
--- a/web/src/components/icons/icons.test.tsx
+++ b/web/src/components/icons/icons.test.tsx
@@ -4,7 +4,7 @@
 * Tests logo icons to ensure they render correctly with proper accessibility
 * and support various display sizes.
 */
-import { SvgBifrost } from "@opal/logos";
+import { SvgBifrost } from "@opal/icons";
 import { render } from "@tests/setup/test-utils";
 import { GithubIcon, GitbookIcon, ConfluenceIcon } from "./icons";

--- a/web/src/components/llm/LLMSelector.tsx
+++ b/web/src/components/llm/LLMSelector.tsx
@@ -3,14 +3,14 @@
 import { useMemo } from "react";
 import { parseLlmDescriptor, structureValue } from "@/lib/llmConfig/utils";
 import { DefaultModel, LLMProviderDescriptor } from "@/interfaces/llm";
-import { getModelIcon } from "@/lib/llmConfig/providers";
+import { getProviderIcon } from "@/app/admin/configuration/llm/utils";
 import InputSelect from "@/refresh-components/inputs/InputSelect";
 import { createIcon } from "@/components/icons/icons";

 interface LLMOption {
  name: string;
  value: string;
-  icon: ReturnType<typeof getModelIcon>;
+  icon: ReturnType<typeof getProviderIcon>;
  modelName: string;
  providerName: string;
  provider: string;
@@ -85,7 +85,7 @@ export default function LLMSelector({
            provider.provider,
            modelConfiguration.name
          ),
-          icon: getModelIcon(provider.provider, modelConfiguration.name),
+          icon: getProviderIcon(provider.provider, modelConfiguration.name),
          modelName: modelConfiguration.name,
          providerName: provider.name,
          provider: provider.provider,
--- a/web/src/hooks/useLLMProviders.ts
+++ b/web/src/hooks/useLLMProviders.ts
@@ -5,7 +5,6 @@ import { errorHandlingFetcher } from "@/lib/fetcher";
 import { SWR_KEYS } from "@/lib/swr-keys";
 import {
  LLMProviderDescriptor,
-  LLMProviderName,
  LLMProviderResponse,
  LLMProviderView,
  WellKnownLLMProviderDescriptor,
@@ -139,14 +138,12 @@ export function useAdminLLMProviders() {
 * Used inside individual provider modals to pre-populate model lists
 * before the user has entered credentials.
 *
- * @param providerName - The provider's API endpoint name (e.g. "openai", "anthropic").
+ * @param providerEndpoint - The provider's API endpoint name (e.g. "openai", "anthropic").
 *   Pass `null` to suppress the request.
 */
-export function useWellKnownLLMProvider(providerName: LLMProviderName) {
+export function useWellKnownLLMProvider(providerEndpoint: string | null) {
  const { data, error, isLoading } = useSWR<WellKnownLLMProviderDescriptor>(
-    providerName && providerName !== LLMProviderName.CUSTOM
-      ? SWR_KEYS.wellKnownLlmProvider(providerName)
-      : null,
+    providerEndpoint ? SWR_KEYS.wellKnownLlmProvider(providerEndpoint) : null,
    errorHandlingFetcher,
    {
      revalidateOnFocus: false,
@@ -162,35 +159,6 @@ export function useWellKnownLLMProvider(providerName: LLMProviderName) {
  };
 }

-export interface CustomProviderOption {
-  value: string;
-  label: string;
-}
-
-/**
- * Fetches the list of LiteLLM provider names available for custom provider
- * configuration (i.e. providers that don't have a dedicated well-known modal).
- *
- * Hits `GET /api/admin/llm/custom-provider-names`.
- */
-export function useCustomProviderNames() {
-  const { data, error, isLoading } = useSWR<CustomProviderOption[]>(
-    SWR_KEYS.customProviderNames,
-    errorHandlingFetcher,
-    {
-      revalidateOnFocus: false,
-      revalidateIfStale: false,
-      dedupingInterval: 60000,
-    }
-  );
-
-  return {
-    customProviderNames: data ?? null,
-    isLoading,
-    error,
-  };
-}
-
 export function useWellKnownLLMProviders() {
  const {
    data: wellKnownLLMProviders,
--- a/web/src/hooks/useMultiModelChat.ts
+++ b/web/src/hooks/useMultiModelChat.ts
@@ -1,6 +1,6 @@
 "use client";

-import { useState, useCallback, useMemo } from "react";
+import { useState, useCallback, useEffect, useMemo, useRef } from "react";
 import {
  MAX_MODELS,
  SelectedModel,
@@ -40,6 +40,7 @@ export default function useMultiModelChat(
  llmManager: LlmManager
 ): UseMultiModelChatReturn {
  const [selectedModels, setSelectedModels] = useState<SelectedModel[]>([]);
+  const [defaultInitialized, setDefaultInitialized] = useState(false);

  // Initialize with the default model from llmManager once providers load
  const llmOptions = useMemo(
@@ -48,99 +49,89 @@ export default function useMultiModelChat(
    [llmManager.llmProviders]
  );

-  // In single-model mode, derive the displayed model directly from
-  // llmManager.currentLlm so it always stays in sync (no stale state).
-  // Only use the selectedModels state array when the user has manually
-  // added multiple models (multi-model mode).
-  const currentLlmModel = useMemo((): SelectedModel | null => {
-    if (llmOptions.length === 0) return null;
+  // Sync selectedModels[0] with llmManager.currentLlm when in single-model
+  // mode. This handles both initial load and session override changes (e.g.
+  // page reload restores the persisted model after providers load).
+  // Skip when user has manually added multiple models (multi-model mode).
+  const selectedModelsRef = useRef(selectedModels);
+  selectedModelsRef.current = selectedModels;
+
+  useEffect(() => {
+    if (llmOptions.length === 0) return;
    const { currentLlm } = llmManager;
-    if (!currentLlm.modelName) return null;
+    if (!currentLlm.modelName) return;
+
+    const current = selectedModelsRef.current;
+
+    // Don't override multi-model selections
+    if (current.length > 1) return;
+
+    // Skip if already showing the correct model
+    if (
+      current.length === 1 &&
+      current[0]!.provider === currentLlm.provider &&
+      current[0]!.modelName === currentLlm.modelName
+    ) {
+      return;
+    }
+
    const match = llmOptions.find(
      (opt) =>
        opt.provider === currentLlm.provider &&
        opt.modelName === currentLlm.modelName
    );
-    if (!match) return null;
-    return {
-      name: match.name,
-      provider: match.provider,
-      modelName: match.modelName,
-      displayName: match.displayName,
-    };
+    if (match) {
+      setSelectedModels([
+        {
+          name: match.name,
+          provider: match.provider,
+          modelName: match.modelName,
+          displayName: match.displayName,
+        },
+      ]);
+      setDefaultInitialized(true);
+    }
  }, [llmOptions, llmManager.currentLlm]);

  const isMultiModelActive = selectedModels.length > 1;

-  // Expose the effective selection: multi-model state when active,
-  // otherwise the single model derived from llmManager.
-  const effectiveSelectedModels = useMemo(
-    () =>
-      isMultiModelActive
-        ? selectedModels
-        : currentLlmModel
-          ? [currentLlmModel]
-          : [],
-    [isMultiModelActive, selectedModels, currentLlmModel]
-  );
-
-  const addModel = useCallback(
-    (model: SelectedModel) => {
-      setSelectedModels((prev) => {
-        // When in effective single-model mode (prev <= 1), always re-seed from
-        // the current derived model so stale state from a prior remove doesn't persist.
-        const base =
-          prev.length <= 1 && currentLlmModel ? [currentLlmModel] : prev;
-        if (base.length >= MAX_MODELS) return base;
-        if (
-          base.some(
-            (m) =>
-              m.provider === model.provider && m.modelName === model.modelName
-          )
-        ) {
-          return base;
-        }
-        return [...base, model];
-      });
-    },
-    [currentLlmModel]
-  );
+  const addModel = useCallback((model: SelectedModel) => {
+    setSelectedModels((prev) => {
+      if (prev.length >= MAX_MODELS) return prev;
+      if (
+        prev.some(
+          (m) =>
+            m.provider === model.provider && m.modelName === model.modelName
+        )
+      ) {
+        return prev;
+      }
+      return [...prev, model];
+    });
+  }, []);

  const removeModel = useCallback((index: number) => {
    setSelectedModels((prev) => prev.filter((_, i) => i !== index));
  }, []);

-  const replaceModel = useCallback(
-    (index: number, model: SelectedModel) => {
-      // In single-model mode, update llmManager directly so currentLlm
-      // (and thus effectiveSelectedModels) reflects the change immediately.
-      if (!isMultiModelActive) {
-        llmManager.updateCurrentLlm({
-          name: model.name,
-          provider: model.provider,
-          modelName: model.modelName,
-        });
-        return;
+  const replaceModel = useCallback((index: number, model: SelectedModel) => {
+    setSelectedModels((prev) => {
+      // Don't replace with a model that's already selected elsewhere
+      if (
+        prev.some(
+          (m, i) =>
+            i !== index &&
+            m.provider === model.provider &&
+            m.modelName === model.modelName
+        )
+      ) {
+        return prev;
      }
-      setSelectedModels((prev) => {
-        // Don't replace with a model that's already selected elsewhere
-        if (
-          prev.some(
-            (m, i) =>
-              i !== index &&
-              m.provider === model.provider &&
-              m.modelName === model.modelName
-          )
-        ) {
-          return prev;
-        }
-        const next = [...prev];
-        next[index] = model;
-        return next;
-      });
-    },
-    [isMultiModelActive, llmManager]
-  );
+      const next = [...prev];
+      next[index] = model;
+      return next;
+    });
+  }, []);

  const clearModels = useCallback(() => {
    setSelectedModels([]);
@@ -170,6 +161,7 @@ export default function useMultiModelChat(
      }
      if (restored.length >= 2) {
        setSelectedModels(restored.slice(0, MAX_MODELS));
+        setDefaultInitialized(true);
      }
    },
    [llmOptions]
@@ -199,15 +191,15 @@ export default function useMultiModelChat(
  );

  const buildLlmOverrides = useCallback((): LLMOverride[] => {
-    return effectiveSelectedModels.map((m) => ({
+    return selectedModels.map((m) => ({
      model_provider: m.name,
      model_version: m.modelName,
      display_name: m.displayName,
    }));
-  }, [effectiveSelectedModels]);
+  }, [selectedModels]);

  return {
-    selectedModels: effectiveSelectedModels,
+    selectedModels,
    isMultiModelActive,
    addModel,
    removeModel,
--- a/web/src/interfaces/llm.ts
+++ b/web/src/interfaces/llm.ts
@@ -1,4 +1,7 @@
-import type { OnboardingActions } from "@/interfaces/onboarding";
+import type {
+  OnboardingState,
+  OnboardingActions,
+} from "@/interfaces/onboarding";

 export enum LLMProviderName {
  OPENAI = "openai",
@@ -121,11 +124,14 @@ export interface LLMProviderFormProps {
  existingLlmProvider?: LLMProviderView;
  shouldMarkAsDefault?: boolean;
  onOpenChange?: (open: boolean) => void;
-  /** Called after successful provider creation/update. */
-  onSuccess?: () => void | Promise<void>;
+
+  /** The current default model name for this provider (from the global default). */
+  defaultModelName?: string;

  // Onboarding-specific (only when variant === "onboarding")
+  onboardingState?: OnboardingState;
  onboardingActions?: OnboardingActions;
+  llmDescriptor?: WellKnownLLMProviderDescriptor;
 }

 // Param types for model fetching functions - use snake_case to match API structure
--- a/web/src/layouts/input-layouts.tsx
+++ b/web/src/layouts/input-layouts.tsx
@@ -1,9 +1,8 @@
 "use client";

-import type { RichStr, WithoutStyles } from "@opal/types";
+import type { RichStr } from "@opal/types";
 import { resolveStr } from "@opal/components/text/InlineMarkdown";
 import Text from "@/refresh-components/texts/Text";
-import Separator from "@/refresh-components/Separator";
 import { SvgXOctagon, SvgAlertCircle } from "@opal/icons";
 import { useField, useFormikContext } from "formik";
 import { Section } from "@/layouts/general-layouts";
@@ -230,27 +229,9 @@ function ErrorTextLayout({ children, type = "error" }: ErrorTextLayoutProps) {
  );
 }

-/**
- * FieldSeparator - A horizontal rule with inline padding, used to visually separate field groups.
- */
-function FieldSeparator() {
-  return <Separator noPadding className="p-2" />;
-}
-
-/**
- * FieldPadder -  Wraps a field in standard horizontal + vertical padding (`p-2 w-full`).
- */
-type FieldPadderProps = WithoutStyles<React.HTMLAttributes<HTMLDivElement>>;
-function FieldPadder(props: FieldPadderProps) {
-  return <div {...props} className="p-2 w-full" />;
-}
-
 export {
  VerticalInputLayout as Vertical,
  HorizontalInputLayout as Horizontal,
  ErrorLayout as Error,
  ErrorTextLayout,
-  FieldSeparator,
-  FieldPadder,
-  type FieldPadderProps,
 };
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
SubashMohan	acfa30f865	feat(permissions): update permission checks for creating personal access tokens and enhance UI with permission validation	2026-04-11 18:15:42 +05:30
SubashMohan	606ab55d73	feat(permissions): update permission identifiers for service accounts and bots management	2026-04-11 17:51:50 +05:30
SubashMohan	6223ba531b	feat(permissions): update permission checks for query history access	2026-04-11 17:45:41 +05:30
SubashMohan	6f6e64ad63	feat(permissions): enhance document set management with refined error handling and permission checks	2026-04-10 10:35:29 +05:30
SubashMohan	a05f09faa2	feat(permissions): update permission checks to use ADD_AGENTS for user actions and enhance agent creation button with permission validation	2026-04-09 17:56:13 +05:30
SubashMohan	5912f632a3	feat(permissions): add READ_DOCUMENT_SETS permission and update permission checks for document sets and personas	2026-04-09 17:15:32 +05:30
SubashMohan	3e5cfa66d1	refactor(permissions): remove admin role check from effective permissions function	2026-04-09 15:25:09 +05:30
SubashMohan	b2f5eb3ec7	feat(permissions): add READ_USER_GROUPS permission and update user group access checks	2026-04-09 15:19:57 +05:30
SubashMohan	0ab2b8065d	feat(permissions): enhance permission handling with effective permissions and admin checks	2026-04-09 13:16:22 +05:30
SubashMohan	4c304bf393	feat(permissions): add has_permission function and update permission checks to use MANAGE_LLMS	2026-04-09 11:56:27 +05:30
SubashMohan	cef5caa8b1	feat(icons): add SvgCreateAgent and SvgManageAgent components and update icon mapping	2026-04-08 18:16:47 +05:30
SubashMohan	f7b8650d5c	feat(permissions): implement permission registry endpoint and update related models	2026-04-08 17:58:00 +05:30
SubashMohan	df532aa87d	feat(user-group): implement bulk permission setting for user groups	2026-04-08 17:38:09 +05:30