.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jamison Lahman <jamison@lahman.dev>

.devcontainer/Dockerfile

@@ -0,0 +1,64 @@
+FROM ubuntu:26.04@sha256:cc925e589b7543b910fea57a240468940003fbfc0515245a495dd0ad8fe7cef1
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  curl \
+  fd-find \
+  fzf \
+  git \
+  jq \
+  less \
+  make \
+  neovim \
+  openssh-client \
+  python3-venv \
+  ripgrep \
+  sudo \
+  ca-certificates \
+  iptables \
+  ipset \
+  iproute2 \
+  dnsutils \
+  unzip \
+  wget \
+  zsh \
+  && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+  && apt-get install -y nodejs \
+  && install -m 0755 -d /etc/apt/keyrings \
+  && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
+  && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list \
+  && curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg -o /etc/apt/keyrings/githubcli-archive-keyring.gpg \
+  && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
+  && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends docker-ce-cli docker-compose-plugin gh \
+  && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# fd-find installs as fdfind on Debian/Ubuntu — symlink to fd
+RUN ln -sf "$(which fdfind)" /usr/local/bin/fd
+
+# Install uv (Python package manager)
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/
+
+# Create non-root dev user with passwordless sudo
+RUN useradd -m -s /bin/zsh dev && \
+  echo "dev ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/dev && \
+  chmod 0440 /etc/sudoers.d/dev
+
+ENV DEVCONTAINER=true
+
+RUN mkdir -p /workspace && \
+  chown -R dev:dev /workspace
+
+WORKDIR /workspace
+
+# Install Claude Code
+ARG CLAUDE_CODE_VERSION=latest
+RUN npm install -g @anthropic-ai/claude-code@${CLAUDE_CODE_VERSION}
+
+# Configure zsh — source the repo-local zshrc so shell customization
+# doesn't require an image rebuild.
+RUN chsh -s /bin/zsh root && \
+  for rc in /root/.zshrc /home/dev/.zshrc; do \
+    echo '[ -f /workspace/.devcontainer/zshrc ] && . /workspace/.devcontainer/zshrc' >> "$rc"; \
+  done && \
+  chown dev:dev /home/dev/.zshrc

.devcontainer/README.md

@@ -0,0 +1,99 @@
+# Onyx Dev Container
+
+A containerized development environment for working on Onyx.
+
+## What's included
+
+- Ubuntu 26.04 base image
+- Node.js 20, uv, Claude Code
+- Docker CLI, GitHub CLI (`gh`)
+- Neovim, ripgrep, fd, fzf, jq, make, wget, unzip
+- Zsh as default shell (sources host `~/.zshrc` if available)
+- Python venv auto-activation
+- Network firewall (default-deny, whitelists npm, GitHub, Anthropic APIs, Sentry, and VS Code update servers)
+
+## Usage
+
+### CLI (`ods dev`)
+
+The [`ods` devtools CLI](../tools/ods/README.md) provides workspace-aware wrappers
+for all devcontainer operations (also available as `ods dc`):
+
+```bash
+# Start the container
+ods dev up
+
+# Open a shell
+ods dev into
+
+# Run a command
+ods dev exec npm test
+
+# Stop the container
+ods dev stop
+```
+
+## Restarting the container
+
+```bash
+# Restart the container
+ods dev restart
+
+# Pull the latest published image and recreate
+ods dev rebuild
+```
+
+## Image
+
+The devcontainer uses a prebuilt image published to `onyxdotapp/onyx-devcontainer`.
+The tag is pinned in `devcontainer.json` — no local build is required.
+
+To build the image locally (e.g. while iterating on the Dockerfile):
+
+```bash
+docker buildx bake devcontainer
+```
+
+The `devcontainer` target is defined in `docker-bake.hcl` at the repo root.
+
+## User & permissions
+
+The container runs as the `dev` user by default (`remoteUser` in devcontainer.json).
+An init script (`init-dev-user.sh`) runs at container start to ensure the active
+user has read/write access to the bind-mounted workspace:
+
+- **Standard Docker** — `dev`'s UID/GID is remapped to match the workspace owner,
+  so file permissions work seamlessly.
+- **Rootless Docker** — The workspace appears as root-owned (UID 0) inside the
+  container due to user-namespace mapping. `ods dev up` auto-detects rootless Docker
+  and sets `DEVCONTAINER_REMOTE_USER=root` so the container runs as root — which
+  maps back to your host user via the user namespace. New files are owned by your
+  host UID and no ACL workarounds are needed.
+
+  To override the auto-detection, set `DEVCONTAINER_REMOTE_USER` before running
+  `ods dev up`.
+
+## Docker socket
+
+The container mounts the host's Docker socket so you can run `docker` commands
+from inside. `ods dev` auto-detects the socket path and sets `DOCKER_SOCK`:
+
+| Environment             | Socket path                    |
+| ----------------------- | ------------------------------ |
+| Linux (rootless Docker) | `$XDG_RUNTIME_DIR/docker.sock` |
+| macOS (Docker Desktop)  | `~/.docker/run/docker.sock`    |
+| Linux (standard Docker) | `/var/run/docker.sock`         |
+
+To override, set `DOCKER_SOCK` before running `ods dev up`.
+
+## Firewall
+
+The container starts with a default-deny firewall (`init-firewall.sh`) that only allows outbound traffic to:
+
+- npm registry
+- GitHub
+- Anthropic API
+- Sentry
+- VS Code update servers
+
+This requires the `NET_ADMIN` and `NET_RAW` capabilities, which are added via `runArgs` in `devcontainer.json`.

.devcontainer/devcontainer.json

@@ -0,0 +1,24 @@
+{
+  "name": "Onyx Dev Sandbox",
+  "image": "onyxdotapp/onyx-devcontainer@sha256:12184169c5bcc9cca0388286d5ffe504b569bc9c37bfa631b76ee8eee2064055",
+  "runArgs": ["--cap-add=NET_ADMIN", "--cap-add=NET_RAW"],
+  "mounts": [
+    "source=${localEnv:DOCKER_SOCK},target=/var/run/docker.sock,type=bind",
+    "source=${localEnv:HOME}/.claude,target=/home/dev/.claude,type=bind",
+    "source=${localEnv:HOME}/.claude.json,target=/home/dev/.claude.json,type=bind",
+    "source=${localEnv:HOME}/.zshrc,target=/home/dev/.zshrc.host,type=bind,readonly",
+    "source=${localEnv:HOME}/.gitconfig,target=/home/dev/.gitconfig,type=bind,readonly",
+    "source=${localEnv:HOME}/.config/nvim,target=/home/dev/.config/nvim,type=bind,readonly",
+    "source=onyx-devcontainer-cache,target=/home/dev/.cache,type=volume",
+    "source=onyx-devcontainer-local,target=/home/dev/.local,type=volume"
+  ],
+  "containerEnv": {
+    "SSH_AUTH_SOCK": "/tmp/ssh-agent.sock"
+  },
+  "remoteUser": "${localEnv:DEVCONTAINER_REMOTE_USER:dev}",
+  "updateRemoteUserUID": false,
+  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
+  "workspaceFolder": "/workspace",
+  "postStartCommand": "sudo bash /workspace/.devcontainer/init-dev-user.sh && sudo bash /workspace/.devcontainer/init-firewall.sh",
+  "waitFor": "postStartCommand"
+}

.devcontainer/init-dev-user.sh

@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Remap the dev user's UID/GID to match the workspace owner so that
+# bind-mounted files are accessible without running as root.
+#
+# Standard Docker:   Workspace is owned by the host user's UID (e.g. 1000).
+#                    We remap dev to that UID -- fast and seamless.
+#
+# Rootless Docker:   Workspace appears as root-owned (UID 0) inside the
+#                    container due to user-namespace mapping.  Requires
+#                    DEVCONTAINER_REMOTE_USER=root (set automatically by
+#                    ods dev up).  Container root IS the host user, so
+#                    bind-mounts and named volumes are symlinked into /root.
+
+WORKSPACE=/workspace
+TARGET_USER=dev
+REMOTE_USER="${SUDO_USER:-$TARGET_USER}"
+
+WS_UID=$(stat -c '%u' "$WORKSPACE")
+WS_GID=$(stat -c '%g' "$WORKSPACE")
+DEV_UID=$(id -u "$TARGET_USER")
+DEV_GID=$(id -g "$TARGET_USER")
+
+# devcontainer.json bind-mounts and named volumes target /home/dev regardless
+# of remoteUser.  When running as root ($HOME=/root), Phase 1 bridges the gap
+# with symlinks from ACTIVE_HOME → MOUNT_HOME.
+MOUNT_HOME=/home/"$TARGET_USER"
+
+if [ "$REMOTE_USER" = "root" ]; then
+    ACTIVE_HOME="/root"
+else
+    ACTIVE_HOME="$MOUNT_HOME"
+fi
+
+# ── Phase 1: home directory setup ───────────────────────────────────
+
+# ~/.local and ~/.cache are named Docker volumes mounted under MOUNT_HOME.
+mkdir -p "$MOUNT_HOME"/.local/state "$MOUNT_HOME"/.local/share
+
+# When running as root, symlink bind-mounts and named volumes into /root
+# so that $HOME-relative tools (Claude Code, git, etc.) find them.
+if [ "$ACTIVE_HOME" != "$MOUNT_HOME" ]; then
+    for item in .claude .cache .local; do
+        [ -d "$MOUNT_HOME/$item" ] || continue
+        if [ -e "$ACTIVE_HOME/$item" ] && [ ! -L "$ACTIVE_HOME/$item" ]; then
+            echo "warning: replacing $ACTIVE_HOME/$item with symlink to $MOUNT_HOME/$item" >&2
+            rm -rf "$ACTIVE_HOME/$item"
+        fi
+        ln -sfn "$MOUNT_HOME/$item" "$ACTIVE_HOME/$item"
+    done
+    # Symlink files (not directories).
+    for file in .claude.json .gitconfig .zshrc.host; do
+        [ -f "$MOUNT_HOME/$file" ] && ln -sf "$MOUNT_HOME/$file" "$ACTIVE_HOME/$file"
+    done
+
+    # Nested mount: .config/nvim
+    if [ -d "$MOUNT_HOME/.config/nvim" ]; then
+        mkdir -p "$ACTIVE_HOME/.config"
+        if [ -e "$ACTIVE_HOME/.config/nvim" ] && [ ! -L "$ACTIVE_HOME/.config/nvim" ]; then
+            echo "warning: replacing $ACTIVE_HOME/.config/nvim with symlink" >&2
+            rm -rf "$ACTIVE_HOME/.config/nvim"
+        fi
+        ln -sfn "$MOUNT_HOME/.config/nvim" "$ACTIVE_HOME/.config/nvim"
+    fi
+fi
+
+# ── Phase 2: workspace access ───────────────────────────────────────
+
+# Root always has workspace access; Phase 1 handled home setup.
+if [ "$REMOTE_USER" = "root" ]; then
+    exit 0
+fi
+
+# Already matching -- nothing to do.
+if [ "$WS_UID" = "$DEV_UID" ] && [ "$WS_GID" = "$DEV_GID" ]; then
+    exit 0
+fi
+
+if [ "$WS_UID" != "0" ]; then
+    # ── Standard Docker ──────────────────────────────────────────────
+    # Workspace is owned by a non-root UID (the host user).
+    # Remap dev's UID/GID to match.
+    if [ "$DEV_GID" != "$WS_GID" ]; then
+        if ! groupmod -g "$WS_GID" "$TARGET_USER" 2>&1; then
+            echo "warning: failed to remap $TARGET_USER GID to $WS_GID" >&2
+        fi
+    fi
+    if [ "$DEV_UID" != "$WS_UID" ]; then
+        if ! usermod -u "$WS_UID" -g "$WS_GID" "$TARGET_USER" 2>&1; then
+            echo "warning: failed to remap $TARGET_USER UID to $WS_UID" >&2
+        fi
+    fi
+    if ! chown -R "$TARGET_USER":"$TARGET_USER" "$MOUNT_HOME" 2>&1; then
+        echo "warning: failed to chown $MOUNT_HOME" >&2
+    fi
+else
+    # ── Rootless Docker ──────────────────────────────────────────────
+    # Workspace is root-owned (UID 0) due to user-namespace mapping.
+    # The supported path is remoteUser=root (set DEVCONTAINER_REMOTE_USER=root),
+    # which is handled above.  If we reach here, the user is running as dev
+    # under rootless Docker without the override.
+    echo "error: rootless Docker detected but remoteUser is not root." >&2
+    echo "       Set DEVCONTAINER_REMOTE_USER=root before starting the container," >&2
+    echo "       or use 'ods dev up' which sets it automatically." >&2
+    exit 1
+fi

.devcontainer/init-firewall.sh

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo "Setting up firewall..."
+
+# Preserve docker dns resolution
+DOCKER_DNS_RULES=$(iptables-save | grep -E "^-A.*-d 127.0.0.11/32" || true)
+
+# Flush all rules
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -F
+iptables -X
+
+# Restore docker dns rules
+if [ -n "$DOCKER_DNS_RULES" ]; then
+    echo "$DOCKER_DNS_RULES" | iptables-restore -n
+fi
+
+# Create ipset for allowed destinations
+ipset create allowed-domains hash:net || true
+ipset flush allowed-domains
+
+# Fetch GitHub IP ranges (IPv4 only -- ipset hash:net and iptables are IPv4)
+GITHUB_IPS=$(curl -s https://api.github.com/meta | jq -r '.api[]' 2>/dev/null | grep -v ':' || echo "")
+for ip in $GITHUB_IPS; do
+    if ! ipset add allowed-domains "$ip" -exist 2>&1; then
+        echo "warning: failed to add GitHub IP $ip to allowlist" >&2
+    fi
+done
+
+# Resolve allowed domains
+ALLOWED_DOMAINS=(
+    "registry.npmjs.org"
+    "api.anthropic.com"
+    "api-staging.anthropic.com"
+    "files.anthropic.com"
+    "sentry.io"
+    "update.code.visualstudio.com"
+    "pypi.org"
+    "files.pythonhosted.org"
+    "go.dev"
+    "storage.googleapis.com"
+    "static.rust-lang.org"
+)
+
+for domain in "${ALLOWED_DOMAINS[@]}"; do
+    IPS=$(getent ahosts "$domain" 2>/dev/null | awk '{print $1}' | grep -v ':' | sort -u || echo "")
+    for ip in $IPS; do
+        if ! ipset add allowed-domains "$ip/32" -exist 2>&1; then
+            echo "warning: failed to add $domain ($ip) to allowlist" >&2
+        fi
+    done
+done
+
+# Detect host network
+if [[ "${DOCKER_HOST:-}" == "unix://"* ]]; then
+    DOCKER_GATEWAY=$(ip -4 route show | grep "^default" | awk '{print $3}')
+    if ! ipset add allowed-domains "$DOCKER_GATEWAY/32" -exist 2>&1; then
+        echo "warning: failed to add Docker gateway $DOCKER_GATEWAY to allowlist" >&2
+    fi
+fi
+
+# Set default policies to DROP
+iptables -P FORWARD DROP
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+
+# Allow established connections
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# Allow loopback
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# Allow DNS
+iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+
+# Allow outbound to allowed destinations
+iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
+
+# Reject unauthorized outbound
+iptables -A OUTPUT -j REJECT --reject-with icmp-host-unreachable
+
+# Validate firewall configuration
+echo "Validating firewall configuration..."
+
+BLOCKED_SITES=("example.com" "google.com" "facebook.com")
+for site in "${BLOCKED_SITES[@]}"; do
+    if timeout 2 ping -c 1 "$site" &>/dev/null; then
+        echo "Warning: $site is still reachable"
+    fi
+done
+
+if ! timeout 5 curl -s https://api.github.com/meta > /dev/null; then
+    echo "Warning: GitHub API is not accessible"
+fi
+
+echo "Firewall setup complete"

.devcontainer/zshrc

@@ -0,0 +1,10 @@
+# Devcontainer zshrc — sourced automatically for both root and dev users.
+# Edit this file to customize the shell without rebuilding the image.
+
+# Auto-activate Python venv
+if [ -f /workspace/.venv/bin/activate ]; then
+  . /workspace/.venv/bin/activate
+fi
+
+# Source host zshrc if bind-mounted
+[ -f ~/.zshrc.host ] && . ~/.zshrc.host

.github/workflows/deployment.yml

@@ -13,7 +13,7 @@ permissions:
   id-token: write # zizmor: ignore[excessive-permissions]
 
 env:
-  EDGE_TAG: ${{ startsWith(github.ref_name, 'nightly-latest') }}
+  EDGE_TAG: ${{ startsWith(github.ref_name, 'nightly-latest') || github.ref_name == 'edge' }}
 
 jobs:
   # Determine which components to build based on the tag
@@ -156,7 +156,7 @@ jobs:
   check-version-tag:
     runs-on: ubuntu-slim
     timeout-minutes: 10
-    if: ${{ !startsWith(github.ref_name, 'nightly-latest') && github.event_name != 'workflow_dispatch' }}
+    if: ${{ !startsWith(github.ref_name, 'nightly-latest') && github.ref_name != 'edge' && github.event_name != 'workflow_dispatch' }}
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6

.pre-commit-config.yaml

@@ -9,7 +9,6 @@ repos:
     rev: d30b4298e4fb63ce8609e29acdbcf4c9018a483c
     hooks:
       - id: uv-sync
-        args: ["--locked", "--all-extras"]
       - id: uv-lock
       - id: uv-export
         name: uv-export default.txt
@@ -18,7 +17,7 @@ repos:
             "--no-emit-project",
             "--no-default-groups",
             "--no-hashes",
-            "--extra",
+            "--group",
             "backend",
             "-o",
             "backend/requirements/default.txt",
@@ -31,7 +30,7 @@ repos:
             "--no-emit-project",
             "--no-default-groups",
             "--no-hashes",
-            "--extra",
+            "--group",
             "dev",
             "-o",
             "backend/requirements/dev.txt",
@@ -44,7 +43,7 @@ repos:
             "--no-emit-project",
             "--no-default-groups",
             "--no-hashes",
-            "--extra",
+            "--group",
             "ee",
             "-o",
             "backend/requirements/ee.txt",
@@ -57,7 +56,7 @@ repos:
             "--no-emit-project",
             "--no-default-groups",
             "--no-hashes",
-            "--extra",
+            "--group",
             "model_server",
             "-o",
             "backend/requirements/model_server.txt",

.vscode/launch.json

@@ -531,8 +531,7 @@
       "request": "launch",
       "runtimeExecutable": "uv",
       "runtimeArgs": [
-        "sync",
-        "--all-extras"
+        "sync"
       ],
       "cwd": "${workspaceFolder}",
       "console": "integratedTerminal",

CONTRIBUTING.md

@@ -117,7 +117,7 @@ If using PowerShell, the command slightly differs:
 Install the required Python dependencies:
 
 ```bash
-uv sync --all-extras
+uv sync
 ```
 
 Install Playwright for Python (headless browser required by the Web Connector):

backend/ee/onyx/db/license.py

@@ -13,6 +13,7 @@ from ee.onyx.server.license.models import LicenseSource
 from onyx.auth.schemas import UserRole
 from onyx.cache.factory import get_cache_backend
 from onyx.configs.constants import ANONYMOUS_USER_EMAIL
+from onyx.db.enums import AccountType
 from onyx.db.models import License
 from onyx.db.models import User
 from onyx.utils.logger import setup_logger
@@ -107,12 +108,13 @@ def get_used_seats(tenant_id: str | None = None) -> int:
     Get current seat usage directly from database.
 
     For multi-tenant: counts users in UserTenantMapping for this tenant.
-    For self-hosted: counts all active users (excludes EXT_PERM_USER role
-    and the anonymous system user).
+    For self-hosted: counts all active users.
 
-    TODO: Exclude API key dummy users from seat counting. API keys create
-    users with emails like `__DANSWER_API_KEY_*` that should not count toward
-    seat limits. See: https://linear.app/onyx-app/issue/ENG-3518
+    Only human accounts count toward seat limits.
+    SERVICE_ACCOUNT (API key dummy users), EXT_PERM_USER, and the
+    anonymous system user are excluded. BOT (Slack users) ARE counted
+    because they represent real humans and get upgraded to STANDARD
+    when they log in via web.
     """
     if MULTI_TENANT:
         from ee.onyx.server.tenants.user_mapping import get_tenant_count
@@ -129,6 +131,7 @@ def get_used_seats(tenant_id: str | None = None) -> int:
                     User.is_active == True,  # type: ignore  # noqa: E712
                     User.role != UserRole.EXT_PERM_USER,
                     User.email != ANONYMOUS_USER_EMAIL,  # type: ignore
+                    User.account_type != AccountType.SERVICE_ACCOUNT,
                 )
             )
             return result.scalar() or 0

backend/ee/onyx/server/scim/api.py

@@ -11,6 +11,8 @@ require a valid SCIM bearer token.
 
 from __future__ import annotations
 
+import hashlib
+import struct
 from uuid import UUID
 
 from fastapi import APIRouter
@@ -22,6 +24,7 @@ from fastapi import Response
 from fastapi.responses import JSONResponse
 from fastapi_users.password import PasswordHelper
 from sqlalchemy import func
+from sqlalchemy import text
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm import Session
 
@@ -65,12 +68,25 @@ from onyx.db.permissions import recompute_user_permissions__no_commit
 from onyx.db.users import assign_user_to_default_groups__no_commit
 from onyx.utils.logger import setup_logger
 from onyx.utils.variable_functionality import fetch_ee_implementation_or_noop
+from shared_configs.contextvars import get_current_tenant_id
 
 logger = setup_logger()
 
 # Group names reserved for system default groups (seeded by migration).
 _RESERVED_GROUP_NAMES = frozenset({"Admin", "Basic"})
 
+# Namespace prefix for the seat-allocation advisory lock. Hashed together
+# with the tenant ID so the lock is scoped per-tenant (unrelated tenants
+# never block each other) and cannot collide with unrelated advisory locks.
+_SEAT_LOCK_NAMESPACE = "onyx_scim_seat_lock"
+
+
+def _seat_lock_id_for_tenant(tenant_id: str) -> int:
+    """Derive a stable 64-bit signed int lock id for this tenant's seat lock."""
+    digest = hashlib.sha256(f"{_SEAT_LOCK_NAMESPACE}:{tenant_id}".encode()).digest()
+    # pg_advisory_xact_lock takes a signed 8-byte int; unpack as such.
+    return struct.unpack("q", digest[:8])[0]
+
 
 class ScimJSONResponse(JSONResponse):
     """JSONResponse with Content-Type: application/scim+json (RFC 7644 §3.1)."""
@@ -209,12 +225,37 @@ def _apply_exclusions(
 
 
 def _check_seat_availability(dal: ScimDAL) -> str | None:
-    """Return an error message if seat limit is reached, else None."""
+    """Return an error message if seat limit is reached, else None.
+
+    Acquires a transaction-scoped advisory lock so that concurrent
+    SCIM requests are serialized.  IdPs like Okta send provisioning
+    requests in parallel batches — without serialization the check is
+    vulnerable to a TOCTOU race where N concurrent requests each see
+    "seats available", all insert, and the tenant ends up over its
+    seat limit.
+
+    The lock is held until the caller's next COMMIT or ROLLBACK, which
+    means the seat count cannot change between the check here and the
+    subsequent INSERT/UPDATE.  Each call site in this module follows
+    the pattern: _check_seat_availability → write → dal.commit()
+    (which releases the lock for the next waiting request).
+    """
     check_fn = fetch_ee_implementation_or_noop(
         "onyx.db.license", "check_seat_availability", None
     )
     if check_fn is None:
         return None
+
+    # Transaction-scoped advisory lock — released on dal.commit() / dal.rollback().
+    # The lock id is derived from the tenant so unrelated tenants never block
+    # each other, and from a namespace string so it cannot collide with
+    # unrelated advisory locks elsewhere in the codebase.
+    lock_id = _seat_lock_id_for_tenant(get_current_tenant_id())
+    dal.session.execute(
+        text("SELECT pg_advisory_xact_lock(:lock_id)"),
+        {"lock_id": lock_id},
+    )
+
     result = check_fn(dal.session, seats_needed=1)
     if not result.available:
         return result.error_message or "Seat limit reached"

backend/onyx/background/celery/celery_utils.py

@@ -1,3 +1,4 @@
+import time
 from collections.abc import Generator
 from collections.abc import Iterator
 from collections.abc import Sequence
@@ -30,6 +31,8 @@ from onyx.connectors.models import HierarchyNode
 from onyx.connectors.models import SlimDocument
 from onyx.httpx.httpx_pool import HttpxPool
 from onyx.indexing.indexing_heartbeat import IndexingHeartbeatInterface
+from onyx.server.metrics.pruning_metrics import inc_pruning_rate_limit_error
+from onyx.server.metrics.pruning_metrics import observe_pruning_enumeration_duration
 from onyx.utils.logger import setup_logger
 
 
@@ -130,6 +133,7 @@ def _extract_from_batch(
 def extract_ids_from_runnable_connector(
     runnable_connector: BaseConnector,
     callback: IndexingHeartbeatInterface | None = None,
+    connector_type: str = "unknown",
 ) -> SlimConnectorExtractionResult:
     """
     Extract document IDs and hierarchy nodes from a runnable connector.
@@ -179,21 +183,38 @@ def extract_ids_from_runnable_connector(
     )
 
     # process raw batches to extract both IDs and hierarchy nodes
-    for doc_list in raw_batch_generator:
-        if callback and callback.should_stop():
-            raise RuntimeError(
-                "extract_ids_from_runnable_connector: Stop signal detected"
-            )
+    enumeration_start = time.monotonic()
+    try:
+        for doc_list in raw_batch_generator:
+            if callback and callback.should_stop():
+                raise RuntimeError(
+                    "extract_ids_from_runnable_connector: Stop signal detected"
+                )
 
-        batch_result = _extract_from_batch(doc_list)
-        batch_ids = batch_result.raw_id_to_parent
-        batch_nodes = batch_result.hierarchy_nodes
-        doc_batch_processing_func(batch_ids)
-        all_raw_id_to_parent.update(batch_ids)
-        all_hierarchy_nodes.extend(batch_nodes)
+            batch_result = _extract_from_batch(doc_list)
+            batch_ids = batch_result.raw_id_to_parent
+            batch_nodes = batch_result.hierarchy_nodes
+            doc_batch_processing_func(batch_ids)
+            all_raw_id_to_parent.update(batch_ids)
+            all_hierarchy_nodes.extend(batch_nodes)
 
-        if callback:
-            callback.progress("extract_ids_from_runnable_connector", len(batch_ids))
+            if callback:
+                callback.progress("extract_ids_from_runnable_connector", len(batch_ids))
+    except Exception as e:
+        # Best-effort rate limit detection via string matching.
+        # Connectors surface rate limits inconsistently — some raise HTTP 429,
+        # some use SDK-specific exceptions (e.g. google.api_core.exceptions.ResourceExhausted)
+        # that may or may not include "rate limit" or "429" in the message.
+        # TODO(Bo): replace with a standard ConnectorRateLimitError exception that all
+        # connectors raise when rate limited, making this check precise.
+        error_str = str(e)
+        if "rate limit" in error_str.lower() or "429" in error_str:
+            inc_pruning_rate_limit_error(connector_type)
+        raise
+    finally:
+        observe_pruning_enumeration_duration(
+            time.monotonic() - enumeration_start, connector_type
+        )
 
     return SlimConnectorExtractionResult(
         raw_id_to_parent=all_raw_id_to_parent,

backend/onyx/background/celery/tasks/pruning/tasks.py

@@ -72,6 +72,7 @@ from onyx.redis.redis_hierarchy import get_source_node_id_from_cache
 from onyx.redis.redis_hierarchy import HierarchyNodeCacheEntry
 from onyx.redis.redis_pool import get_redis_client
 from onyx.redis.redis_pool import get_redis_replica_client
+from onyx.server.metrics.pruning_metrics import observe_pruning_diff_duration
 from onyx.server.runtime.onyx_runtime import OnyxRuntime
 from onyx.server.utils import make_short_id
 from onyx.utils.logger import format_error_for_logging
@@ -570,8 +571,9 @@ def connector_pruning_generator_task(
             )
 
             # Extract docs and hierarchy nodes from the source
+            connector_type = cc_pair.connector.source.value
             extraction_result = extract_ids_from_runnable_connector(
-                runnable_connector, callback
+                runnable_connector, callback, connector_type=connector_type
             )
             all_connector_doc_ids = extraction_result.raw_id_to_parent
 
@@ -636,40 +638,46 @@ def connector_pruning_generator_task(
                 commit=True,
             )
 
-            # a list of docs in our local index
-            all_indexed_document_ids = {
-                doc.id
-                for doc in get_documents_for_connector_credential_pair(
-                    db_session=db_session,
-                    connector_id=connector_id,
-                    credential_id=credential_id,
+            diff_start = time.monotonic()
+            try:
+                # a list of docs in our local index
+                all_indexed_document_ids = {
+                    doc.id
+                    for doc in get_documents_for_connector_credential_pair(
+                        db_session=db_session,
+                        connector_id=connector_id,
+                        credential_id=credential_id,
+                    )
+                }
+
+                # generate list of docs to remove (no longer in the source)
+                doc_ids_to_remove = list(
+                    all_indexed_document_ids - all_connector_doc_ids.keys()
                 )
-            }
 
-            # generate list of docs to remove (no longer in the source)
-            doc_ids_to_remove = list(
-                all_indexed_document_ids - all_connector_doc_ids.keys()
-            )
+                task_logger.info(
+                    "Pruning set collected: "
+                    f"cc_pair={cc_pair_id} "
+                    f"connector_source={cc_pair.connector.source} "
+                    f"docs_to_remove={len(doc_ids_to_remove)}"
+                )
 
-            task_logger.info(
-                "Pruning set collected: "
-                f"cc_pair={cc_pair_id} "
-                f"connector_source={cc_pair.connector.source} "
-                f"docs_to_remove={len(doc_ids_to_remove)}"
-            )
+                task_logger.info(
+                    f"RedisConnector.prune.generate_tasks starting. cc_pair={cc_pair_id}"
+                )
+                tasks_generated = redis_connector.prune.generate_tasks(
+                    set(doc_ids_to_remove), self.app, db_session, None
+                )
+                if tasks_generated is None:
+                    return None
 
-            task_logger.info(
-                f"RedisConnector.prune.generate_tasks starting. cc_pair={cc_pair_id}"
-            )
-            tasks_generated = redis_connector.prune.generate_tasks(
-                set(doc_ids_to_remove), self.app, db_session, None
-            )
-            if tasks_generated is None:
-                return None
-
-            task_logger.info(
-                f"RedisConnector.prune.generate_tasks finished. cc_pair={cc_pair_id} tasks_generated={tasks_generated}"
-            )
+                task_logger.info(
+                    f"RedisConnector.prune.generate_tasks finished. cc_pair={cc_pair_id} tasks_generated={tasks_generated}"
+                )
+            finally:
+                observe_pruning_diff_duration(
+                    time.monotonic() - diff_start, connector_type
+                )
 
             redis_connector.prune.generator_complete = tasks_generated
 

backend/onyx/chat/llm_step.py

@@ -818,7 +818,10 @@ def translate_history_to_llm_format(
                     )
                 ]
 
-                # Add image parts
+                # Add image parts. Each image is preceded by a text tag
+                # carrying its file_id so the LLM can reference the image by
+                # ID when calling tools like generate_image (which expects
+                # reference_image_file_ids to edit a specific image).
                 for img_file in msg.image_files:
                     if img_file.file_type == ChatFileType.IMAGE:
                         try:
@@ -826,6 +829,12 @@ def translate_history_to_llm_format(
                             base64_data = img_file.to_base64()
                             image_url = f"data:{image_type};base64,{base64_data}"
 
+                            content_parts.append(
+                                TextContentPart(
+                                    type="text",
+                                    text=f"[attached image — file_id: {img_file.file_id}]",
+                                )
+                            )
                             image_part = ImageContentPart(
                                 type="image_url",
                                 image_url=ImageUrlDetail(

backend/onyx/connectors/google_drive/connector.py

@@ -42,6 +42,9 @@ from onyx.connectors.google_drive.file_retrieval import (
     get_all_files_in_my_drive_and_shared,
 )
 from onyx.connectors.google_drive.file_retrieval import get_external_access_for_folder
+from onyx.connectors.google_drive.file_retrieval import (
+    get_files_by_web_view_links_batch,
+)
 from onyx.connectors.google_drive.file_retrieval import get_files_in_shared_drive
 from onyx.connectors.google_drive.file_retrieval import get_folder_metadata
 from onyx.connectors.google_drive.file_retrieval import get_root_folder_id
@@ -70,11 +73,13 @@ from onyx.connectors.interfaces import CheckpointedConnectorWithPermSync
 from onyx.connectors.interfaces import CheckpointOutput
 from onyx.connectors.interfaces import GenerateSlimDocumentOutput
 from onyx.connectors.interfaces import NormalizationResult
+from onyx.connectors.interfaces import Resolver
 from onyx.connectors.interfaces import SecondsSinceUnixEpoch
 from onyx.connectors.interfaces import SlimConnectorWithPermSync
 from onyx.connectors.models import ConnectorFailure
 from onyx.connectors.models import ConnectorMissingCredentialError
 from onyx.connectors.models import Document
+from onyx.connectors.models import DocumentFailure
 from onyx.connectors.models import EntityFailure
 from onyx.connectors.models import HierarchyNode
 from onyx.connectors.models import SlimDocument
@@ -202,7 +207,9 @@ class DriveIdStatus(Enum):
 
 
 class GoogleDriveConnector(
-    SlimConnectorWithPermSync, CheckpointedConnectorWithPermSync[GoogleDriveCheckpoint]
+    SlimConnectorWithPermSync,
+    CheckpointedConnectorWithPermSync[GoogleDriveCheckpoint],
+    Resolver,
 ):
     def __init__(
         self,
@@ -1665,6 +1672,82 @@ class GoogleDriveConnector(
             start, end, checkpoint, include_permissions=True
         )
 
+    @override
+    def resolve_errors(
+        self,
+        errors: list[ConnectorFailure],
+        include_permissions: bool = False,
+    ) -> Generator[Document | ConnectorFailure | HierarchyNode, None, None]:
+        if self._creds is None or self._primary_admin_email is None:
+            raise RuntimeError(
+                "Credentials missing, should not call this method before calling load_credentials"
+            )
+
+        logger.info(f"Resolving {len(errors)} errors")
+        doc_ids = [
+            failure.failed_document.document_id
+            for failure in errors
+            if failure.failed_document
+        ]
+        service = get_drive_service(self.creds, self.primary_admin_email)
+        field_type = (
+            DriveFileFieldType.WITH_PERMISSIONS
+            if include_permissions or self.exclude_domain_link_only
+            else DriveFileFieldType.STANDARD
+        )
+        batch_result = get_files_by_web_view_links_batch(service, doc_ids, field_type)
+
+        for doc_id, error in batch_result.errors.items():
+            yield ConnectorFailure(
+                failed_document=DocumentFailure(
+                    document_id=doc_id,
+                    document_link=doc_id,
+                ),
+                failure_message=f"Failed to retrieve file during error resolution: {error}",
+                exception=error,
+            )
+
+        permission_sync_context = (
+            PermissionSyncContext(
+                primary_admin_email=self.primary_admin_email,
+                google_domain=self.google_domain,
+            )
+            if include_permissions
+            else None
+        )
+
+        retrieved_files = [
+            RetrievedDriveFile(
+                drive_file=file,
+                user_email=self.primary_admin_email,
+                completion_stage=DriveRetrievalStage.DONE,
+            )
+            for file in batch_result.files.values()
+        ]
+
+        yield from self._get_new_ancestors_for_files(
+            files=retrieved_files,
+            seen_hierarchy_node_raw_ids=ThreadSafeSet(),
+            fully_walked_hierarchy_node_raw_ids=ThreadSafeSet(),
+            permission_sync_context=permission_sync_context,
+            add_prefix=True,
+        )
+
+        func_with_args = [
+            (
+                self._convert_retrieved_file_to_document,
+                (rf, permission_sync_context),
+            )
+            for rf in retrieved_files
+        ]
+        results = cast(
+            list[Document | ConnectorFailure | None],
+            run_functions_tuples_in_parallel(func_with_args, max_workers=8),
+        )
+        for result in results:
+            if result is not None:
+                yield result
+
     def _extract_slim_docs_from_google_drive(
         self,
         checkpoint: GoogleDriveCheckpoint,

backend/onyx/connectors/google_drive/file_retrieval.py

@@ -9,6 +9,7 @@ from urllib.parse import urlparse
 
 from googleapiclient.discovery import Resource  # type: ignore
 from googleapiclient.errors import HttpError  # type: ignore
+from googleapiclient.http import BatchHttpRequest  # type: ignore
 
 from onyx.access.models import ExternalAccess
 from onyx.connectors.google_drive.constants import DRIVE_FOLDER_TYPE
@@ -60,6 +61,8 @@ SLIM_FILE_FIELDS = (
 )
 FOLDER_FIELDS = "nextPageToken, files(id, name, permissions, modifiedTime, webViewLink, shortcutDetails)"
 
+MAX_BATCH_SIZE = 100
+
 HIERARCHY_FIELDS = "id, name, parents, webViewLink, mimeType, driveId"
 
 HIERARCHY_FIELDS_WITH_PERMISSIONS = (
@@ -216,7 +219,7 @@ def get_external_access_for_folder(
 
 
 def _get_fields_for_file_type(field_type: DriveFileFieldType) -> str:
-    """Get the appropriate fields string based on the field type enum"""
+    """Get the appropriate fields string for files().list() based on the field type enum."""
     if field_type == DriveFileFieldType.SLIM:
         return SLIM_FILE_FIELDS
     elif field_type == DriveFileFieldType.WITH_PERMISSIONS:
@@ -225,6 +228,25 @@ def _get_fields_for_file_type(field_type: DriveFileFieldType) -> str:
         return FILE_FIELDS
 
 
+def _extract_single_file_fields(list_fields: str) -> str:
+    """Convert a files().list() fields string to one suitable for files().get().
+
+    List fields look like "nextPageToken, files(field1, field2, ...)"
+    Single-file fields should be just "field1, field2, ..."
+    """
+    start = list_fields.find("files(")
+    if start == -1:
+        return list_fields
+    inner_start = start + len("files(")
+    inner_end = list_fields.rfind(")")
+    return list_fields[inner_start:inner_end]
+
+
+def _get_single_file_fields(field_type: DriveFileFieldType) -> str:
+    """Get the appropriate fields string for files().get() based on the field type enum."""
+    return _extract_single_file_fields(_get_fields_for_file_type(field_type))
+
+
 def _get_files_in_parent(
     service: Resource,
     parent_id: str,
@@ -536,3 +558,74 @@ def get_file_by_web_view_link(
         )
         .execute()
     )
+
+
+class BatchRetrievalResult:
+    """Result of a batch file retrieval, separating successes from errors."""
+
+    def __init__(self) -> None:
+        self.files: dict[str, GoogleDriveFileType] = {}
+        self.errors: dict[str, Exception] = {}
+
+
+def get_files_by_web_view_links_batch(
+    service: GoogleDriveService,
+    web_view_links: list[str],
+    field_type: DriveFileFieldType,
+) -> BatchRetrievalResult:
+    """Retrieve multiple Google Drive files by webViewLink using the batch API.
+
+    Returns a BatchRetrievalResult containing successful file retrievals
+    and errors for any files that could not be fetched.
+    Automatically splits into chunks of MAX_BATCH_SIZE.
+    """
+    fields = _get_single_file_fields(field_type)
+    if len(web_view_links) <= MAX_BATCH_SIZE:
+        return _get_files_by_web_view_links_batch(service, web_view_links, fields)
+
+    combined = BatchRetrievalResult()
+    for i in range(0, len(web_view_links), MAX_BATCH_SIZE):
+        chunk = web_view_links[i : i + MAX_BATCH_SIZE]
+        chunk_result = _get_files_by_web_view_links_batch(service, chunk, fields)
+        combined.files.update(chunk_result.files)
+        combined.errors.update(chunk_result.errors)
+    return combined
+
+
+def _get_files_by_web_view_links_batch(
+    service: GoogleDriveService,
+    web_view_links: list[str],
+    fields: str,
+) -> BatchRetrievalResult:
+    """Single-batch implementation."""
+
+    result = BatchRetrievalResult()
+
+    def callback(
+        request_id: str,
+        response: GoogleDriveFileType,
+        exception: Exception | None,
+    ) -> None:
+        if exception:
+            logger.warning(f"Error retrieving file {request_id}: {exception}")
+            result.errors[request_id] = exception
+        else:
+            result.files[request_id] = response
+
+    batch = cast(BatchHttpRequest, service.new_batch_http_request(callback=callback))
+
+    for web_view_link in web_view_links:
+        try:
+            file_id = _extract_file_id_from_web_view_link(web_view_link)
+            request = service.files().get(
+                fileId=file_id,
+                supportsAllDrives=True,
+                fields=fields,
+            )
+            batch.add(request, request_id=web_view_link)
+        except ValueError as e:
+            logger.warning(f"Failed to extract file ID from {web_view_link}: {e}")
+            result.errors[web_view_link] = e
+
+    batch.execute()
+    return result

backend/onyx/connectors/interfaces.py

@@ -298,6 +298,22 @@ class CheckpointedConnectorWithPermSync(CheckpointedConnector[CT]):
         raise NotImplementedError
 
 
+class Resolver(BaseConnector):
+    @abc.abstractmethod
+    def resolve_errors(
+        self,
+        errors: list[ConnectorFailure],
+        include_permissions: bool = False,
+    ) -> Generator[Document | ConnectorFailure | HierarchyNode, None, None]:
+        """Attempts to yield back ALL the documents described by the errors, no checkpointing.
+
+        Caller's responsibility is to delete the old ConnectorFailures and replace with the new ones.
+        If include_permissions is True, the documents will have permissions synced.
+        May also yield HierarchyNode objects for ancestor folders of resolved documents.
+        """
+        raise NotImplementedError
+
+
 class HierarchyConnector(BaseConnector):
     @abc.abstractmethod
     def load_hierarchy(

backend/onyx/connectors/jira/connector.py

@@ -60,8 +60,10 @@ logger = setup_logger()
 
 ONE_HOUR = 3600
 
-_MAX_RESULTS_FETCH_IDS = 5000  # 5000
+_MAX_RESULTS_FETCH_IDS = 5000
 _JIRA_FULL_PAGE_SIZE = 50
+# https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/
+_JIRA_BULK_FETCH_LIMIT = 100
 
 # Constants for Jira field names
 _FIELD_REPORTER = "reporter"
@@ -255,15 +257,13 @@ def _bulk_fetch_request(
     return resp.json()["issues"]
 
 
-def bulk_fetch_issues(
-    jira_client: JIRA, issue_ids: list[str], fields: str | None = None
-) -> list[Issue]:
-    # TODO(evan): move away from this jira library if they continue to not support
-    # the endpoints we need. Using private fields is not ideal, but
-    # is likely fine for now since we pin the library version
-
+def _bulk_fetch_batch(
+    jira_client: JIRA, issue_ids: list[str], fields: str | None
+) -> list[dict[str, Any]]:
+    """Fetch a single batch (must be <= _JIRA_BULK_FETCH_LIMIT).
+    On JSONDecodeError, recursively bisects until it succeeds or reaches size 1."""
     try:
-        raw_issues = _bulk_fetch_request(jira_client, issue_ids, fields)
+        return _bulk_fetch_request(jira_client, issue_ids, fields)
     except requests.exceptions.JSONDecodeError:
         if len(issue_ids) <= 1:
             logger.exception(
@@ -277,12 +277,25 @@ def bulk_fetch_issues(
             f"Jira bulk-fetch JSON decode failed for batch of {len(issue_ids)} issues. "
             f"Splitting into sub-batches of {mid} and {len(issue_ids) - mid}."
         )
-        left = bulk_fetch_issues(jira_client, issue_ids[:mid], fields)
-        right = bulk_fetch_issues(jira_client, issue_ids[mid:], fields)
+        left = _bulk_fetch_batch(jira_client, issue_ids[:mid], fields)
+        right = _bulk_fetch_batch(jira_client, issue_ids[mid:], fields)
         return left + right
-    except Exception as e:
-        logger.error(f"Error fetching issues: {e}")
-        raise
+
+
+def bulk_fetch_issues(
+    jira_client: JIRA, issue_ids: list[str], fields: str | None = None
+) -> list[Issue]:
+    # TODO(evan): move away from this jira library if they continue to not support
+    # the endpoints we need. Using private fields is not ideal, but
+    # is likely fine for now since we pin the library version
+
+    raw_issues: list[dict[str, Any]] = []
+    for batch in chunked(issue_ids, _JIRA_BULK_FETCH_LIMIT):
+        try:
+            raw_issues.extend(_bulk_fetch_batch(jira_client, list(batch), fields))
+        except Exception as e:
+            logger.error(f"Error fetching issues: {e}")
+            raise
 
     return [
         Issue(jira_client._options, jira_client._session, raw=issue)

backend/onyx/context/search/federated/models.py

@@ -1,3 +1,4 @@
+from dataclasses import dataclass
 from datetime import datetime
 from typing import TypedDict
 
@@ -6,6 +7,14 @@ from pydantic import BaseModel
 from onyx.onyxbot.slack.models import ChannelType
 
 
+@dataclass(frozen=True)
+class DirectThreadFetch:
+    """Request to fetch a Slack thread directly by channel and timestamp."""
+
+    channel_id: str
+    thread_ts: str
+
+
 class ChannelMetadata(TypedDict):
     """Type definition for cached channel metadata."""
 

backend/onyx/context/search/federated/slack_search.py

@@ -19,6 +19,7 @@ from onyx.configs.chat_configs import DOC_TIME_DECAY
 from onyx.connectors.models import IndexingDocument
 from onyx.connectors.models import TextSection
 from onyx.context.search.federated.models import ChannelMetadata
+from onyx.context.search.federated.models import DirectThreadFetch
 from onyx.context.search.federated.models import SlackMessage
 from onyx.context.search.federated.slack_search_utils import ALL_CHANNEL_TYPES
 from onyx.context.search.federated.slack_search_utils import build_channel_query_filter
@@ -49,7 +50,6 @@ from onyx.server.federated.models import FederatedConnectorDetail
 from onyx.utils.logger import setup_logger
 from onyx.utils.threadpool_concurrency import run_functions_tuples_in_parallel
 from onyx.utils.timing import log_function_time
-from shared_configs.configs import DOC_EMBEDDING_CONTEXT_SIZE
 
 logger = setup_logger()
 
@@ -58,7 +58,6 @@ HIGHLIGHT_END_CHAR = "\ue001"
 
 CHANNEL_METADATA_CACHE_TTL = 60 * 60 * 24  # 24 hours
 USER_PROFILE_CACHE_TTL = 60 * 60 * 24  # 24 hours
-SLACK_THREAD_CONTEXT_WINDOW = 3  # Number of messages before matched message to include
 CHANNEL_METADATA_MAX_RETRIES = 3  # Maximum retry attempts for channel metadata fetching
 CHANNEL_METADATA_RETRY_DELAY = 1  # Initial retry delay in seconds (exponential backoff)
 
@@ -421,6 +420,94 @@ class SlackQueryResult(BaseModel):
     filtered_channels: list[str]  # Channels filtered out during this query
 
 
+def _fetch_thread_from_url(
+    thread_fetch: DirectThreadFetch,
+    access_token: str,
+    channel_metadata_dict: dict[str, ChannelMetadata] | None = None,
+) -> SlackQueryResult:
+    """Fetch a thread directly from a Slack URL via conversations.replies."""
+    channel_id = thread_fetch.channel_id
+    thread_ts = thread_fetch.thread_ts
+
+    slack_client = WebClient(token=access_token)
+    try:
+        response = slack_client.conversations_replies(
+            channel=channel_id,
+            ts=thread_ts,
+        )
+        response.validate()
+        messages: list[dict[str, Any]] = response.get("messages", [])
+    except SlackApiError as e:
+        logger.warning(
+            f"Failed to fetch thread from URL (channel={channel_id}, ts={thread_ts}): {e}"
+        )
+        return SlackQueryResult(messages=[], filtered_channels=[])
+
+    if not messages:
+        logger.warning(
+            f"No messages found for URL override (channel={channel_id}, ts={thread_ts})"
+        )
+        return SlackQueryResult(messages=[], filtered_channels=[])
+
+    # Build thread text from all messages
+    thread_text = _build_thread_text(messages, access_token, None, slack_client)
+
+    # Get channel name from metadata cache or API
+    channel_name = "unknown"
+    if channel_metadata_dict and channel_id in channel_metadata_dict:
+        channel_name = channel_metadata_dict[channel_id].get("name", "unknown")
+    else:
+        try:
+            ch_response = slack_client.conversations_info(channel=channel_id)
+            ch_response.validate()
+            channel_info: dict[str, Any] = ch_response.get("channel", {})
+            channel_name = channel_info.get("name", "unknown")
+        except SlackApiError:
+            pass
+
+    # Build the SlackMessage
+    parent_msg = messages[0]
+    message_ts = parent_msg.get("ts", thread_ts)
+    username = parent_msg.get("user", "unknown_user")
+    parent_text = parent_msg.get("text", "")
+    snippet = (
+        parent_text[:50].rstrip() + "..." if len(parent_text) > 50 else parent_text
+    ).replace("\n", " ")
+
+    doc_time = datetime.fromtimestamp(float(message_ts))
+    decay_factor = DOC_TIME_DECAY
+    doc_age_years = (datetime.now() - doc_time).total_seconds() / (365 * 24 * 60 * 60)
+    recency_bias = max(1 / (1 + decay_factor * doc_age_years), 0.75)
+
+    permalink = (
+        f"https://slack.com/archives/{channel_id}/p{message_ts.replace('.', '')}"
+    )
+
+    slack_message = SlackMessage(
+        document_id=f"{channel_id}_{message_ts}",
+        channel_id=channel_id,
+        message_id=message_ts,
+        thread_id=None,  # Prevent double-enrichment in thread context fetch
+        link=permalink,
+        metadata={
+            "channel": channel_name,
+            "time": doc_time.isoformat(),
+        },
+        timestamp=doc_time,
+        recency_bias=recency_bias,
+        semantic_identifier=f"{username} in #{channel_name}: {snippet}",
+        text=thread_text,
+        highlighted_texts=set(),
+        slack_score=100000.0,  # High priority — user explicitly asked for this thread
+    )
+
+    logger.info(
+        f"URL override: fetched thread from channel={channel_id}, ts={thread_ts}, {len(messages)} messages"
+    )
+
+    return SlackQueryResult(messages=[slack_message], filtered_channels=[])
+
+
 def query_slack(
     query_string: str,
     access_token: str,
@@ -432,7 +519,6 @@ def query_slack(
     available_channels: list[str] | None = None,
     channel_metadata_dict: dict[str, ChannelMetadata] | None = None,
 ) -> SlackQueryResult:
-
     # Check if query has channel override (user specified channels in query)
     has_channel_override = query_string.startswith("__CHANNEL_OVERRIDE__")
 
@@ -662,7 +748,6 @@ def _fetch_thread_context(
     """
     channel_id = message.channel_id
     thread_id = message.thread_id
-    message_id = message.message_id
 
     # If not a thread, return original text as success
     if thread_id is None:
@@ -695,62 +780,37 @@ def _fetch_thread_context(
     if len(messages) <= 1:
         return ThreadContextResult.success(message.text)
 
-    # Build thread text from thread starter + context window around matched message
-    thread_text = _build_thread_text(
-        messages, message_id, thread_id, access_token, team_id, slack_client
-    )
+    # Build thread text from thread starter + all replies
+    thread_text = _build_thread_text(messages, access_token, team_id, slack_client)
     return ThreadContextResult.success(thread_text)
 
 
 def _build_thread_text(
     messages: list[dict[str, Any]],
-    message_id: str,
-    thread_id: str,
     access_token: str,
     team_id: str | None,
     slack_client: WebClient,
 ) -> str:
-    """Build the thread text from messages."""
+    """Build thread text including all replies.
+
+    Includes the thread parent message followed by all replies in order.
+    """
     msg_text = messages[0].get("text", "")
     msg_sender = messages[0].get("user", "")
     thread_text = f"<@{msg_sender}>: {msg_text}"
 
+    # All messages after index 0 are replies
+    replies = messages[1:]
+    if not replies:
+        return thread_text
+
+    logger.debug(f"Thread {messages[0].get('ts')}: {len(replies)} replies included")
     thread_text += "\n\nReplies:"
-    if thread_id == message_id:
-        message_id_idx = 0
-    else:
-        message_id_idx = next(
-            (i for i, msg in enumerate(messages) if msg.get("ts") == message_id), 0
-        )
-        if not message_id_idx:
-            return thread_text
 
-        start_idx = max(1, message_id_idx - SLACK_THREAD_CONTEXT_WINDOW)
-
-        if start_idx > 1:
-            thread_text += "\n..."
-
-        for i in range(start_idx, message_id_idx):
-            msg_text = messages[i].get("text", "")
-            msg_sender = messages[i].get("user", "")
-            thread_text += f"\n\n<@{msg_sender}>: {msg_text}"
-
-        msg_text = messages[message_id_idx].get("text", "")
-        msg_sender = messages[message_id_idx].get("user", "")
-        thread_text += f"\n\n<@{msg_sender}>: {msg_text}"
-
-    # Add following replies
-    len_replies = 0
-    for msg in messages[message_id_idx + 1 :]:
+    for msg in replies:
         msg_text = msg.get("text", "")
         msg_sender = msg.get("user", "")
-        reply = f"\n\n<@{msg_sender}>: {msg_text}"
-        thread_text += reply
-
-        len_replies += len(reply)
-        if len_replies >= DOC_EMBEDDING_CONTEXT_SIZE * 4:
-            thread_text += "\n..."
-            break
+        thread_text += f"\n\n<@{msg_sender}>: {msg_text}"
 
     # Replace user IDs with names using cached lookups
     userids: set[str] = set(re.findall(r"<@([A-Z0-9]+)>", thread_text))
@@ -976,7 +1036,16 @@ def slack_retrieval(
 
     # Query slack with entity filtering
     llm = get_default_llm()
-    query_strings = build_slack_queries(query, llm, entities, available_channels)
+    query_items = build_slack_queries(query, llm, entities, available_channels)
+
+    # Partition into direct thread fetches and search query strings
+    direct_fetches: list[DirectThreadFetch] = []
+    query_strings: list[str] = []
+    for item in query_items:
+        if isinstance(item, DirectThreadFetch):
+            direct_fetches.append(item)
+        else:
+            query_strings.append(item)
 
     # Determine filtering based on entities OR context (bot)
     include_dm = False
@@ -993,8 +1062,16 @@ def slack_retrieval(
                 f"Private channel context: will only allow messages from {allowed_private_channel} + public channels"
             )
 
-    # Build search tasks
-    search_tasks = [
+    # Build search tasks — direct thread fetches + keyword searches
+    search_tasks: list[tuple] = [
+        (
+            _fetch_thread_from_url,
+            (fetch, access_token, channel_metadata_dict),
+        )
+        for fetch in direct_fetches
+    ]
+
+    search_tasks.extend(
         (
             query_slack,
             (
@@ -1010,7 +1087,7 @@ def slack_retrieval(
             ),
         )
         for query_string in query_strings
-    ]
+    )
 
     # If include_dm is True AND we're not already searching all channels,
     # add additional searches without channel filters.

backend/onyx/context/search/federated/slack_search_utils.py

@@ -10,6 +10,7 @@ from pydantic import ValidationError
 
 from onyx.configs.app_configs import MAX_SLACK_QUERY_EXPANSIONS
 from onyx.context.search.federated.models import ChannelMetadata
+from onyx.context.search.federated.models import DirectThreadFetch
 from onyx.context.search.models import ChunkIndexRequest
 from onyx.federated_connectors.slack.models import SlackEntities
 from onyx.llm.interfaces import LLM
@@ -638,12 +639,38 @@ def expand_query_with_llm(query_text: str, llm: LLM) -> list[str]:
         return [query_text]
 
 
+SLACK_URL_PATTERN = re.compile(
+    r"https?://[a-z0-9-]+\.slack\.com/archives/([A-Z0-9]+)/p(\d{16})"
+)
+
+
+def extract_slack_message_urls(
+    query_text: str,
+) -> list[tuple[str, str]]:
+    """Extract Slack message URLs from query text.
+
+    Parses URLs like:
+      https://onyx-company.slack.com/archives/C097NBWMY8Y/p1775491616524769
+
+    Returns list of (channel_id, thread_ts) tuples.
+    The 16-digit timestamp is converted to Slack ts format (with dot).
+    """
+    results = []
+    for match in SLACK_URL_PATTERN.finditer(query_text):
+        channel_id = match.group(1)
+        raw_ts = match.group(2)
+        # Convert p1775491616524769 -> 1775491616.524769
+        thread_ts = f"{raw_ts[:10]}.{raw_ts[10:]}"
+        results.append((channel_id, thread_ts))
+    return results
+
+
 def build_slack_queries(
     query: ChunkIndexRequest,
     llm: LLM,
     entities: dict[str, Any] | None = None,
     available_channels: list[str] | None = None,
-) -> list[str]:
+) -> list[str | DirectThreadFetch]:
     """Build Slack query strings with date filtering and query expansion."""
     default_search_days = 30
     if entities:
@@ -668,6 +695,15 @@ def build_slack_queries(
             cutoff_date = datetime.now(timezone.utc) - timedelta(days=days_back)
             time_filter = f" after:{cutoff_date.strftime('%Y-%m-%d')}"
 
+    # Check for Slack message URLs — if found, add direct fetch requests
+    url_fetches: list[DirectThreadFetch] = []
+    slack_urls = extract_slack_message_urls(query.query)
+    for channel_id, thread_ts in slack_urls:
+        url_fetches.append(
+            DirectThreadFetch(channel_id=channel_id, thread_ts=thread_ts)
+        )
+        logger.info(f"Detected Slack URL: channel={channel_id}, ts={thread_ts}")
+
     # ALWAYS extract channel references from the query (not just for recency queries)
     channel_references = extract_channel_references_from_query(query.query)
 
@@ -684,7 +720,9 @@ def build_slack_queries(
 
             # If valid channels detected, use ONLY those channels with NO keywords
             # Return query with ONLY time filter + channel filter (no keywords)
-            return [build_channel_override_query(channel_references, time_filter)]
+            return url_fetches + [
+                build_channel_override_query(channel_references, time_filter)
+            ]
         except ValueError as e:
             # If validation fails, log the error and continue with normal flow
             logger.warning(f"Channel reference validation failed: {e}")
@@ -702,7 +740,8 @@ def build_slack_queries(
         rephrased_queries = expand_query_with_llm(query.query, llm)
 
     # Build final query strings with time filters
-    return [
+    search_queries = [
         rephrased_query.strip() + time_filter
         for rephrased_query in rephrased_queries[:MAX_SLACK_QUERY_EXPANSIONS]
     ]
+    return url_fetches + search_queries

backend/onyx/llm/constants.py

@@ -66,7 +66,7 @@ PROVIDER_DISPLAY_NAMES: dict[str, str] = {
     LlmProviderNames.LM_STUDIO: "LM Studio",
     LlmProviderNames.LITELLM_PROXY: "LiteLLM Proxy",
     LlmProviderNames.BIFROST: "Bifrost",
-    LlmProviderNames.OPENAI_COMPATIBLE: "OpenAI Compatible",
+    LlmProviderNames.OPENAI_COMPATIBLE: "OpenAI-Compatible",
     "groq": "Groq",
     "anyscale": "Anyscale",
     "deepseek": "DeepSeek",
@@ -87,6 +87,44 @@ PROVIDER_DISPLAY_NAMES: dict[str, str] = {
     "gemini": "Gemini",
     "stability": "Stability",
     "writer": "Writer",
+    # Custom provider display names (used in the custom provider picker)
+    "aiml": "AI/ML",
+    "assemblyai": "AssemblyAI",
+    "aws_polly": "AWS Polly",
+    "azure_ai": "Azure AI",
+    "chatgpt": "ChatGPT",
+    "cohere_chat": "Cohere Chat",
+    "datarobot": "DataRobot",
+    "deepgram": "Deepgram",
+    "deepinfra": "DeepInfra",
+    "elevenlabs": "ElevenLabs",
+    "fal_ai": "fal.ai",
+    "featherless_ai": "Featherless AI",
+    "fireworks_ai": "Fireworks AI",
+    "friendliai": "FriendliAI",
+    "gigachat": "GigaChat",
+    "github_copilot": "GitHub Copilot",
+    "gradient_ai": "Gradient AI",
+    "huggingface": "HuggingFace",
+    "jina_ai": "Jina AI",
+    "lambda_ai": "Lambda AI",
+    "llamagate": "LlamaGate",
+    "meta_llama": "Meta Llama",
+    "minimax": "MiniMax",
+    "nlp_cloud": "NLP Cloud",
+    "nvidia_nim": "NVIDIA NIM",
+    "oci": "OCI",
+    "ovhcloud": "OVHcloud",
+    "palm": "PaLM",
+    "publicai": "PublicAI",
+    "runwayml": "RunwayML",
+    "sambanova": "SambaNova",
+    "together_ai": "Together AI",
+    "vercel_ai_gateway": "Vercel AI Gateway",
+    "volcengine": "Volcengine",
+    "wandb": "W&B",
+    "watsonx": "IBM watsonx",
+    "zai": "ZAI",
 }
 
 # Map vendors to their brand names (used for provider_display_name generation)

backend/onyx/llm/well_known_providers/llm_provider_options.py

@@ -338,7 +338,7 @@ def get_provider_display_name(provider_name: str) -> str:
         VERTEXAI_PROVIDER_NAME: "Google Vertex AI",
         OPENROUTER_PROVIDER_NAME: "OpenRouter",
         LITELLM_PROXY_PROVIDER_NAME: "LiteLLM Proxy",
-        OPENAI_COMPATIBLE_PROVIDER_NAME: "OpenAI Compatible",
+        OPENAI_COMPATIBLE_PROVIDER_NAME: "OpenAI-Compatible",
     }
 
     if provider_name in _ONYX_PROVIDER_DISPLAY_NAMES:

backend/onyx/prompts/tool_prompts.py

@@ -64,9 +64,20 @@ IMPORTANT: each call to this tool is independent. Variables from previous calls
 
 GENERATE_IMAGE_GUIDANCE = """
 ## generate_image
-NEVER use generate_image unless the user specifically requests an image.
-For edits/variations of a previously generated image, pass `reference_image_file_ids` with
-the `file_id` values returned by earlier `generate_image` tool results.
+NEVER use generate_image unless the user specifically requests an image or asks to
+edit/modify an existing image in the conversation.
+To edit, modify, restyle, or create a variation of an image already in the
+conversation, put that image's file_id in `reference_image_file_ids`. File IDs come
+from two places, and both can be passed the same way:
+  - Images the user attached to a message carry a `[attached image — file_id: <id>]`
+    tag immediately before the image content. Copy the id out of that tag.
+  - Images produced by previous `generate_image` calls have their file_id in that
+    call's tool response JSON.
+Only pass file_ids that actually appear in the conversation — never invent or guess
+one. Leave `reference_image_file_ids` unset for a brand-new generation that doesn't
+edit any existing image (for example when the user attached an image for context but
+asked for a completely unrelated new picture). The first file_id in the list is the
+primary edit source; any later file_ids are additional reference context.
 """.lstrip()
 
 MEMORY_GUIDANCE = """

backend/onyx/server/features/build/sandbox/kubernetes/docker/README.md

@@ -58,7 +58,7 @@ docker buildx build --platform linux/amd64,linux/arm64 \
 
 1. **Build and push** the new image (see above)
 
-2. **Update the ConfigMap** in `cloud-deployment-yamls/danswer/configmap/env-configmap.yaml`:
+2. **Update the ConfigMap** in in the internal repo
    ```yaml
    SANDBOX_CONTAINER_IMAGE: "onyxdotapp/sandbox:v0.1.x"
    ```

backend/onyx/server/features/mcp/api.py

@@ -96,6 +96,32 @@ def _truncate_description(description: str | None, max_length: int = 500) -> str
     return description[: max_length - 3] + "..."
 
 
+# TODO: Replace mask-comparison approach with an explicit Unset sentinel from the
+# frontend indicating whether each credential field was actually modified. The current
+# approach is brittle (e.g. short credentials produce a fixed-length mask that could
+# collide) and mutates request values, which is surprising. The frontend should signal
+# "unchanged" vs "new value" directly rather than relying on masked-string equality.
+def _restore_masked_oauth_credentials(
+    request_client_id: str | None,
+    request_client_secret: str | None,
+    existing_client: OAuthClientInformationFull,
+) -> tuple[str | None, str | None]:
+    """If the frontend sent back masked credentials, restore the real stored values."""
+    if (
+        request_client_id
+        and existing_client.client_id
+        and request_client_id == mask_string(existing_client.client_id)
+    ):
+        request_client_id = existing_client.client_id
+    if (
+        request_client_secret
+        and existing_client.client_secret
+        and request_client_secret == mask_string(existing_client.client_secret)
+    ):
+        request_client_secret = existing_client.client_secret
+    return request_client_id, request_client_secret
+
+
 router = APIRouter(prefix="/mcp")
 admin_router = APIRouter(prefix="/admin/mcp")
 STATE_TTL_SECONDS = 60 * 5  # 5 minutes
@@ -392,6 +418,26 @@ async def _connect_oauth(
             detail=f"Server was configured with authentication type {auth_type_str}",
         )
 
+    # If the frontend sent back masked credentials (unchanged by the user),
+    # restore the real stored values so we don't overwrite them with masks.
+    if mcp_server.admin_connection_config:
+        existing_data = extract_connection_data(
+            mcp_server.admin_connection_config, apply_mask=False
+        )
+        existing_client_raw = existing_data.get(MCPOAuthKeys.CLIENT_INFO.value)
+        if existing_client_raw:
+            existing_client = OAuthClientInformationFull.model_validate(
+                existing_client_raw
+            )
+            (
+                request.oauth_client_id,
+                request.oauth_client_secret,
+            ) = _restore_masked_oauth_credentials(
+                request.oauth_client_id,
+                request.oauth_client_secret,
+                existing_client,
+            )
+
     # Create admin config with client info if provided
     config_data = MCPConnectionData(headers={})
     if request.oauth_client_id and request.oauth_client_secret:
@@ -1356,6 +1402,19 @@ def _upsert_mcp_server(
             if client_info_raw:
                 client_info = OAuthClientInformationFull.model_validate(client_info_raw)
 
+        # If the frontend sent back masked credentials (unchanged by the user),
+        # restore the real stored values so the comparison below sees no change
+        # and the credentials aren't overwritten with masked strings.
+        if client_info and request.auth_type == MCPAuthenticationType.OAUTH:
+            (
+                request.oauth_client_id,
+                request.oauth_client_secret,
+            ) = _restore_masked_oauth_credentials(
+                request.oauth_client_id,
+                request.oauth_client_secret,
+                client_info,
+            )
+
         changing_connection_config = (
             not mcp_server.admin_connection_config
             or (

backend/onyx/server/manage/llm/api.py

@@ -40,6 +40,8 @@ from onyx.db.models import User
 from onyx.db.persona import user_can_access_persona
 from onyx.error_handling.error_codes import OnyxErrorCode
 from onyx.error_handling.exceptions import OnyxError
+from onyx.llm.constants import PROVIDER_DISPLAY_NAMES
+from onyx.llm.constants import WELL_KNOWN_PROVIDER_NAMES
 from onyx.llm.factory import get_default_llm
 from onyx.llm.factory import get_llm
 from onyx.llm.factory import get_max_input_tokens_from_llm_provider
@@ -60,6 +62,7 @@ from onyx.server.manage.llm.models import BedrockFinalModelResponse
 from onyx.server.manage.llm.models import BedrockModelsRequest
 from onyx.server.manage.llm.models import BifrostFinalModelResponse
 from onyx.server.manage.llm.models import BifrostModelsRequest
+from onyx.server.manage.llm.models import CustomProviderOption
 from onyx.server.manage.llm.models import DefaultModel
 from onyx.server.manage.llm.models import LitellmFinalModelResponse
 from onyx.server.manage.llm.models import LitellmModelDetails
@@ -108,6 +111,43 @@ def _mask_string(value: str) -> str:
     return value[:4] + "****" + value[-4:]
 
 
+def _resolve_api_key(
+    api_key: str | None,
+    provider_name: str | None,
+    api_base: str | None,
+    db_session: Session,
+) -> str | None:
+    """Return the real API key for model-fetch endpoints.
+
+    When editing an existing provider the form value is masked (e.g.
+    ``sk-a****b1c2``).  If *provider_name* is supplied we can look up
+    the unmasked key from the database so the external request succeeds.
+
+    The stored key is only returned when the request's *api_base*
+    matches the value stored in the database.
+    """
+    if not provider_name:
+        return api_key
+
+    existing_provider = fetch_existing_llm_provider(
+        name=provider_name, db_session=db_session
+    )
+    if existing_provider and existing_provider.api_key:
+        # Normalise both URLs before comparing so trailing-slash
+        # differences don't cause a false mismatch.
+        stored_base = (existing_provider.api_base or "").strip().rstrip("/")
+        request_base = (api_base or "").strip().rstrip("/")
+        if stored_base != request_base:
+            return api_key
+
+        stored_key = existing_provider.api_key.get_value(apply_mask=False)
+        # Only resolve when the incoming value is the masked form of the
+        # stored key — i.e. the user hasn't typed a new key.
+        if api_key and api_key == _mask_string(stored_key):
+            return stored_key
+    return api_key
+
+
 def _sync_fetched_models(
     db_session: Session,
     provider_name: str,
@@ -250,6 +290,29 @@ def _validate_llm_provider_change(
         )
 
 
+@admin_router.get("/custom-provider-names")
+def fetch_custom_provider_names(
+    _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
+) -> list[CustomProviderOption]:
+    """Returns the sorted list of LiteLLM provider names that can be used
+    with the custom provider modal (i.e. everything that is not already
+    covered by a well-known provider modal)."""
+    import litellm
+
+    well_known = {p.value for p in WELL_KNOWN_PROVIDER_NAMES}
+    return sorted(
+        (
+            CustomProviderOption(
+                value=name,
+                label=PROVIDER_DISPLAY_NAMES.get(name, name.replace("_", " ").title()),
+            )
+            for name in litellm.models_by_provider.keys()
+            if name not in well_known
+        ),
+        key=lambda o: o.label.lower(),
+    )
+
+
 @admin_router.get("/built-in/options")
 def fetch_llm_options(
     _: User = Depends(require_permission(Permission.FULL_ADMIN_PANEL_ACCESS)),
@@ -1148,16 +1211,17 @@ def get_ollama_available_models(
     return sorted_results
 
 
-def _get_openrouter_models_response(api_base: str, api_key: str) -> dict:
+def _get_openrouter_models_response(api_base: str, api_key: str | None) -> dict:
     """Perform GET to OpenRouter /models and return parsed JSON."""
     cleaned_api_base = api_base.strip().rstrip("/")
     url = f"{cleaned_api_base}/models"
-    headers = {
-        "Authorization": f"Bearer {api_key}",
+    headers: dict[str, str] = {
         # Optional headers recommended by OpenRouter for attribution
         "HTTP-Referer": "https://onyx.app",
         "X-Title": "Onyx",
     }
+    if api_key:
+        headers["Authorization"] = f"Bearer {api_key}"
     try:
         response = httpx.get(url, headers=headers, timeout=10.0)
         response.raise_for_status()
@@ -1180,8 +1244,12 @@ def get_openrouter_available_models(
     Parses id, name (display), context_length, and architecture.input_modalities.
     """
 
+    api_key = _resolve_api_key(
+        request.api_key, request.provider_name, request.api_base, db_session
+    )
+
     response_json = _get_openrouter_models_response(
-        api_base=request.api_base, api_key=request.api_key
+        api_base=request.api_base, api_key=api_key
     )
 
     data = response_json.get("data", [])
@@ -1274,13 +1342,18 @@ def get_lm_studio_available_models(
 
     # If provider_name is given and the api_key hasn't been changed by the user,
     # fall back to the stored API key from the database (the form value is masked).
+    # Only do so when the api_base matches what is stored.
     api_key = request.api_key
     if request.provider_name and not request.api_key_changed:
         existing_provider = fetch_existing_llm_provider(
             name=request.provider_name, db_session=db_session
         )
         if existing_provider and existing_provider.custom_config:
-            api_key = existing_provider.custom_config.get(LM_STUDIO_API_KEY_CONFIG_KEY)
+            stored_base = (existing_provider.api_base or "").strip().rstrip("/")
+            if stored_base == cleaned_api_base:
+                api_key = existing_provider.custom_config.get(
+                    LM_STUDIO_API_KEY_CONFIG_KEY
+                )
 
     url = f"{cleaned_api_base}/api/v1/models"
     headers: dict[str, str] = {}
@@ -1364,8 +1437,12 @@ def get_litellm_available_models(
     db_session: Session = Depends(get_session),
 ) -> list[LitellmFinalModelResponse]:
     """Fetch available models from Litellm proxy /v1/models endpoint."""
+    api_key = _resolve_api_key(
+        request.api_key, request.provider_name, request.api_base, db_session
+    )
+
     response_json = _get_litellm_models_response(
-        api_key=request.api_key, api_base=request.api_base
+        api_key=api_key, api_base=request.api_base
     )
 
     models = response_json.get("data", [])
@@ -1422,7 +1499,7 @@ def get_litellm_available_models(
     return sorted_results
 
 
-def _get_litellm_models_response(api_key: str, api_base: str) -> dict:
+def _get_litellm_models_response(api_key: str | None, api_base: str) -> dict:
     """Perform GET to Litellm proxy /api/v1/models and return parsed JSON."""
     cleaned_api_base = api_base.strip().rstrip("/")
     url = f"{cleaned_api_base}/v1/models"
@@ -1497,8 +1574,12 @@ def get_bifrost_available_models(
     db_session: Session = Depends(get_session),
 ) -> list[BifrostFinalModelResponse]:
     """Fetch available models from Bifrost gateway /v1/models endpoint."""
+    api_key = _resolve_api_key(
+        request.api_key, request.provider_name, request.api_base, db_session
+    )
+
     response_json = _get_bifrost_models_response(
-        api_base=request.api_base, api_key=request.api_key
+        api_base=request.api_base, api_key=api_key
     )
 
     models = response_json.get("data", [])
@@ -1587,8 +1668,12 @@ def get_openai_compatible_server_available_models(
     db_session: Session = Depends(get_session),
 ) -> list[OpenAICompatibleFinalModelResponse]:
     """Fetch available models from a generic OpenAI-compatible /v1/models endpoint."""
+    api_key = _resolve_api_key(
+        request.api_key, request.provider_name, request.api_base, db_session
+    )
+
     response_json = _get_openai_compatible_server_response(
-        api_base=request.api_base, api_key=request.api_key
+        api_base=request.api_base, api_key=api_key
     )
 
     models = response_json.get("data", [])
@@ -1648,7 +1733,7 @@ def get_openai_compatible_server_available_models(
                 )
                 for r in sorted_results
             ],
-            source_label="OpenAI Compatible",
+            source_label="OpenAI-Compatible",
         )
 
     return sorted_results
@@ -1667,6 +1752,6 @@ def _get_openai_compatible_server_response(
 
     return _get_openai_compatible_models_response(
         url=url,
-        source_name="OpenAI Compatible",
+        source_name="OpenAI-Compatible",
         api_key=api_key,
     )

backend/onyx/server/manage/llm/models.py

@@ -28,6 +28,13 @@ if TYPE_CHECKING:
 T = TypeVar("T", "LLMProviderDescriptor", "LLMProviderView", "VisionProviderResponse")
 
 
+class CustomProviderOption(BaseModel):
+    """A provider slug + human-friendly label for the custom-provider picker."""
+
+    value: str
+    label: str
+
+
 class TestLLMRequest(BaseModel):
     # provider level
     id: int | None = None

backend/onyx/server/metrics/pruning_metrics.py

@@ -0,0 +1,72 @@
+"""Pruning-specific Prometheus metrics.
+
+Tracks three pruning pipeline phases for connector_pruning_generator_task:
+  1. Document ID enumeration duration (extract_ids_from_runnable_connector)
+  2. Diff + dispatch duration (DB lookup, set diff, generate_tasks)
+  3. Rate limit errors during enumeration
+
+All metrics are labeled by connector_type to identify which connector sources
+are the most expensive to prune. cc_pair_id is intentionally excluded to avoid
+unbounded cardinality.
+
+Usage:
+    from onyx.server.metrics.pruning_metrics import (
+        observe_pruning_enumeration_duration,
+        observe_pruning_diff_duration,
+        inc_pruning_rate_limit_error,
+    )
+"""
+
+from prometheus_client import Counter
+from prometheus_client import Histogram
+
+from onyx.utils.logger import setup_logger
+
+logger = setup_logger()
+
+PRUNING_ENUMERATION_DURATION = Histogram(
+    "onyx_pruning_enumeration_duration_seconds",
+    "Duration of document ID enumeration from the source connector during pruning",
+    ["connector_type"],
+    buckets=[1, 5, 15, 30, 60, 120, 300, 600, 1800, 3600],
+)
+
+PRUNING_DIFF_DURATION = Histogram(
+    "onyx_pruning_diff_duration_seconds",
+    "Duration of diff computation and subtask dispatch during pruning",
+    ["connector_type"],
+    buckets=[1, 5, 15, 30, 60, 120, 300, 600, 1800, 3600],
+)
+
+PRUNING_RATE_LIMIT_ERRORS = Counter(
+    "onyx_pruning_rate_limit_errors_total",
+    "Total rate limit errors encountered during pruning document ID enumeration",
+    ["connector_type"],
+)
+
+
+def observe_pruning_enumeration_duration(
+    duration_seconds: float, connector_type: str
+) -> None:
+    try:
+        PRUNING_ENUMERATION_DURATION.labels(connector_type=connector_type).observe(
+            duration_seconds
+        )
+    except Exception:
+        logger.debug("Failed to record pruning enumeration duration", exc_info=True)
+
+
+def observe_pruning_diff_duration(duration_seconds: float, connector_type: str) -> None:
+    try:
+        PRUNING_DIFF_DURATION.labels(connector_type=connector_type).observe(
+            duration_seconds
+        )
+    except Exception:
+        logger.debug("Failed to record pruning diff duration", exc_info=True)
+
+
+def inc_pruning_rate_limit_error(connector_type: str) -> None:
+    try:
+        PRUNING_RATE_LIMIT_ERRORS.labels(connector_type=connector_type).inc()
+    except Exception:
+        logger.debug("Failed to record pruning rate limit error", exc_info=True)

backend/onyx/tools/models.py

@@ -208,12 +208,6 @@ class PythonToolOverrideKwargs(BaseModel):
     chat_files: list[ChatFile] = []
 
 
-class ImageGenerationToolOverrideKwargs(BaseModel):
-    """Override kwargs for image generation tool calls."""
-
-    recent_generated_image_file_ids: list[str] = []
-
-
 class SearchToolRunContext(BaseModel):
     emitter: Emitter
 

backend/onyx/tools/tool_implementations/images/image_generation_tool.py

@@ -26,7 +26,6 @@ from onyx.server.query_and_chat.streaming_models import ImageGenerationToolHeart
 from onyx.server.query_and_chat.streaming_models import ImageGenerationToolStart
 from onyx.server.query_and_chat.streaming_models import Packet
 from onyx.tools.interface import Tool
-from onyx.tools.models import ImageGenerationToolOverrideKwargs
 from onyx.tools.models import ToolCallException
 from onyx.tools.models import ToolExecutionException
 from onyx.tools.models import ToolResponse
@@ -48,9 +47,16 @@ PROMPT_FIELD = "prompt"
 REFERENCE_IMAGE_FILE_IDS_FIELD = "reference_image_file_ids"
 
 
-class ImageGenerationTool(Tool[ImageGenerationToolOverrideKwargs | None]):
+class ImageGenerationTool(Tool[None]):
     NAME = "generate_image"
-    DESCRIPTION = "Generate an image based on a prompt. Do not use unless the user specifically requests an image."
+    DESCRIPTION = (
+        "Generate a new image from a prompt, or edit/modify existing images"
+        " from this conversation. To edit existing images — whether the user"
+        " attached them or they were produced by a previous generate_image"
+        " call — pass their file_id values in `reference_image_file_ids`."
+        " Do not use unless the user specifically requests an image or asks"
+        " to edit an image."
+    )
     DISPLAY_NAME = "Image Generation"
 
     def __init__(
@@ -142,8 +148,14 @@ class ImageGenerationTool(Tool[ImageGenerationToolOverrideKwargs | None]):
                         REFERENCE_IMAGE_FILE_IDS_FIELD: {
                             "type": "array",
                             "description": (
-                                "Optional image file IDs to use as reference context for edits/variations. "
-                                "Use the file_id values returned by previous generate_image calls."
+                                "Optional list of image file_id values to edit/modify/use as reference."
+                                " Accepts file_ids from two sources, with the same mechanics for both:"
+                                " (1) images the user attached to a user message — their file_id appears"
+                                " in the tag `[attached image — file_id: <id>]` right before the image"
+                                " in that message; (2) images returned by previous generate_image tool"
+                                " calls — their file_id appears in that call's response JSON. Leave"
+                                " unset/empty for a brand-new generation unrelated to any existing image."
+                                " The first file_id in the list is treated as the primary edit source."
                             ),
                             "items": {
                                 "type": "string",
@@ -254,41 +266,31 @@ class ImageGenerationTool(Tool[ImageGenerationToolOverrideKwargs | None]):
     def _resolve_reference_image_file_ids(
         self,
         llm_kwargs: dict[str, Any],
-        override_kwargs: ImageGenerationToolOverrideKwargs | None,
     ) -> list[str]:
         raw_reference_ids = llm_kwargs.get(REFERENCE_IMAGE_FILE_IDS_FIELD)
-        if raw_reference_ids is not None:
-            if not isinstance(raw_reference_ids, list) or not all(
-                isinstance(file_id, str) for file_id in raw_reference_ids
-            ):
-                raise ToolCallException(
-                    message=(
-                        f"Invalid {REFERENCE_IMAGE_FILE_IDS_FIELD}: expected array of strings, got {type(raw_reference_ids)}"
-                    ),
-                    llm_facing_message=(
-                        f"The '{REFERENCE_IMAGE_FILE_IDS_FIELD}' field must be an array of file_id strings."
-                    ),
-                )
-            reference_image_file_ids = [
-                file_id.strip() for file_id in raw_reference_ids if file_id.strip()
-            ]
-        elif (
-            override_kwargs
-            and override_kwargs.recent_generated_image_file_ids
-            and self.img_provider.supports_reference_images
-        ):
-            # If no explicit reference was provided, default to the most recently generated image.
-            reference_image_file_ids = [
-                override_kwargs.recent_generated_image_file_ids[-1]
-            ]
-        else:
-            reference_image_file_ids = []
+        if raw_reference_ids is None:
+            # No references requested — plain generation.
+            return []
 
-        # Deduplicate while preserving order.
+        if not isinstance(raw_reference_ids, list) or not all(
+            isinstance(file_id, str) for file_id in raw_reference_ids
+        ):
+            raise ToolCallException(
+                message=(
+                    f"Invalid {REFERENCE_IMAGE_FILE_IDS_FIELD}: expected array of strings, got {type(raw_reference_ids)}"
+                ),
+                llm_facing_message=(
+                    f"The '{REFERENCE_IMAGE_FILE_IDS_FIELD}' field must be an array of file_id strings."
+                ),
+            )
+
+        # Deduplicate while preserving order (first occurrence wins, so the
+        # LLM's intended "primary edit source" stays at index 0).
         deduped_reference_image_ids: list[str] = []
         seen_ids: set[str] = set()
-        for file_id in reference_image_file_ids:
-            if file_id in seen_ids:
+        for file_id in raw_reference_ids:
+            file_id = file_id.strip()
+            if not file_id or file_id in seen_ids:
                 continue
             seen_ids.add(file_id)
             deduped_reference_image_ids.append(file_id)
@@ -302,14 +304,14 @@ class ImageGenerationTool(Tool[ImageGenerationToolOverrideKwargs | None]):
                     f"Reference images requested but provider '{self.provider}' does not support image-editing context."
                 ),
                 llm_facing_message=(
-                    "This image provider does not support editing from previous image context. "
+                    "This image provider does not support editing from existing images. "
                     "Try text-only generation, or switch to a provider/model that supports image edits."
                 ),
             )
 
         max_reference_images = self.img_provider.max_reference_images
         if max_reference_images > 0:
-            return deduped_reference_image_ids[-max_reference_images:]
+            return deduped_reference_image_ids[:max_reference_images]
         return deduped_reference_image_ids
 
     def _load_reference_images(
@@ -358,7 +360,7 @@ class ImageGenerationTool(Tool[ImageGenerationToolOverrideKwargs | None]):
     def run(
         self,
         placement: Placement,
-        override_kwargs: ImageGenerationToolOverrideKwargs | None = None,
+        override_kwargs: None = None,  # noqa: ARG002
         **llm_kwargs: Any,
     ) -> ToolResponse:
         if PROMPT_FIELD not in llm_kwargs:
@@ -373,7 +375,6 @@ class ImageGenerationTool(Tool[ImageGenerationToolOverrideKwargs | None]):
         shape = ImageShape(llm_kwargs.get("shape", ImageShape.SQUARE.value))
         reference_image_file_ids = self._resolve_reference_image_file_ids(
             llm_kwargs=llm_kwargs,
-            override_kwargs=override_kwargs,
         )
         reference_images = self._load_reference_images(reference_image_file_ids)
 

backend/onyx/tools/tool_runner.py

@@ -1,4 +1,3 @@
-import json
 import traceback
 from collections import defaultdict
 from typing import Any
@@ -14,7 +13,6 @@ from onyx.server.query_and_chat.streaming_models import SectionEnd
 from onyx.tools.interface import Tool
 from onyx.tools.models import ChatFile
 from onyx.tools.models import ChatMinimalTextMessage
-from onyx.tools.models import ImageGenerationToolOverrideKwargs
 from onyx.tools.models import OpenURLToolOverrideKwargs
 from onyx.tools.models import ParallelToolCallResponse
 from onyx.tools.models import PythonToolOverrideKwargs
@@ -24,9 +22,6 @@ from onyx.tools.models import ToolCallKickoff
 from onyx.tools.models import ToolExecutionException
 from onyx.tools.models import ToolResponse
 from onyx.tools.models import WebSearchToolOverrideKwargs
-from onyx.tools.tool_implementations.images.image_generation_tool import (
-    ImageGenerationTool,
-)
 from onyx.tools.tool_implementations.memory.memory_tool import MemoryTool
 from onyx.tools.tool_implementations.memory.memory_tool import MemoryToolOverrideKwargs
 from onyx.tools.tool_implementations.open_url.open_url_tool import OpenURLTool
@@ -110,63 +105,6 @@ def _merge_tool_calls(tool_calls: list[ToolCallKickoff]) -> list[ToolCallKickoff
     return merged_calls
 
 
-def _extract_image_file_ids_from_tool_response_message(
-    message: str,
-) -> list[str]:
-    try:
-        parsed_message = json.loads(message)
-    except json.JSONDecodeError:
-        return []
-
-    parsed_items: list[Any] = (
-        parsed_message if isinstance(parsed_message, list) else [parsed_message]
-    )
-    file_ids: list[str] = []
-    for item in parsed_items:
-        if not isinstance(item, dict):
-            continue
-
-        file_id = item.get("file_id")
-        if isinstance(file_id, str):
-            file_ids.append(file_id)
-
-    return file_ids
-
-
-def _extract_recent_generated_image_file_ids(
-    message_history: list[ChatMessageSimple],
-) -> list[str]:
-    tool_name_by_tool_call_id: dict[str, str] = {}
-    recent_image_file_ids: list[str] = []
-    seen_file_ids: set[str] = set()
-
-    for message in message_history:
-        if message.message_type == MessageType.ASSISTANT and message.tool_calls:
-            for tool_call in message.tool_calls:
-                tool_name_by_tool_call_id[tool_call.tool_call_id] = tool_call.tool_name
-            continue
-
-        if (
-            message.message_type != MessageType.TOOL_CALL_RESPONSE
-            or not message.tool_call_id
-        ):
-            continue
-
-        tool_name = tool_name_by_tool_call_id.get(message.tool_call_id)
-        if tool_name != ImageGenerationTool.NAME:
-            continue
-
-        for file_id in _extract_image_file_ids_from_tool_response_message(
-            message.message
-        ):
-            if file_id in seen_file_ids:
-                continue
-            seen_file_ids.add(file_id)
-            recent_image_file_ids.append(file_id)
-
-    return recent_image_file_ids
-
-
 def _safe_run_single_tool(
     tool: Tool,
     tool_call: ToolCallKickoff,
@@ -386,9 +324,6 @@ def run_tool_calls(
     url_to_citation: dict[str, int] = {
         url: citation_num for citation_num, url in citation_mapping.items()
     }
-    recent_generated_image_file_ids = _extract_recent_generated_image_file_ids(
-        message_history
-    )
 
     # Prepare all tool calls with their override_kwargs
     # Each tool gets a unique starting citation number to avoid conflicts when running in parallel
@@ -405,7 +340,6 @@ def run_tool_calls(
             | WebSearchToolOverrideKwargs
             | OpenURLToolOverrideKwargs
             | PythonToolOverrideKwargs
-            | ImageGenerationToolOverrideKwargs
             | MemoryToolOverrideKwargs
             | None
         ) = None
@@ -454,10 +388,6 @@ def run_tool_calls(
             override_kwargs = PythonToolOverrideKwargs(
                 chat_files=chat_files or [],
             )
-        elif isinstance(tool, ImageGenerationTool):
-            override_kwargs = ImageGenerationToolOverrideKwargs(
-                recent_generated_image_file_ids=recent_generated_image_file_ids
-            )
         elif isinstance(tool, MemoryTool):
             override_kwargs = MemoryToolOverrideKwargs(
                 user_name=(

backend/pyproject.toml

@@ -1,10 +0,0 @@
-[project]
-name = "onyx-backend"
-version = "0.0.0"
-requires-python = ">=3.11"
-dependencies = [
-    "onyx[backend,dev,ee]",
-]
-
-[tool.uv.sources]
-onyx = { workspace = true }

backend/requirements/README.md

@@ -46,11 +46,11 @@ curl -LsSf https://astral.py/uv/install.sh | sh
 
 1. Edit `pyproject.toml`
 2. Add/update/remove dependencies in the appropriate section:
-   - `[dependency-groups]` for dev tools
    - `[project.dependencies]` for **shared** dependencies (used by both backend and model_server)
-   - `[project.optional-dependencies.backend]` for backend-only dependencies
-   - `[project.optional-dependencies.model_server]` for model_server-only dependencies (ML packages)
-   - `[project.optional-dependencies.ee]` for EE features
+   - `[dependency-groups.backend]` for backend-only dependencies
+   - `[dependency-groups.dev]` for dev tools
+   - `[dependency-groups.ee]` for EE features
+   - `[dependency-groups.model_server]` for model_server-only dependencies (ML packages)
 3. Commit your changes - pre-commit hooks will automatically regenerate the lock file and requirements
 
 ### 3. Generating Lock File and Requirements
@@ -64,10 +64,10 @@ To manually regenerate:
 
 ```bash
 uv lock
-uv export --no-emit-project --no-default-groups --no-hashes --extra backend -o backend/requirements/default.txt
+uv export --no-emit-project --no-default-groups --no-hashes --group backend -o backend/requirements/default.txt
 uv export --no-emit-project --no-default-groups --no-hashes --group dev -o backend/requirements/dev.txt
-uv export --no-emit-project --no-default-groups --no-hashes --extra ee -o backend/requirements/ee.txt
-uv export --no-emit-project --no-default-groups --no-hashes --extra model_server -o backend/requirements/model_server.txt
+uv export --no-emit-project --no-default-groups --no-hashes --group ee -o backend/requirements/ee.txt
+uv export --no-emit-project --no-default-groups --no-hashes --group model_server -o backend/requirements/model_server.txt
 ```
 
 ### 4. Installing Dependencies
@@ -76,30 +76,14 @@ If enabled, all packages are installed automatically by the `uv-sync` pre-commit
 branches or pulling new changes.
 
 ```bash
-# For everything (most common)
-uv sync --all-extras
+# For development (most common) — installs shared + backend + dev + ee
+uv sync
 
-# For backend production (shared + backend dependencies)
-uv sync --extra backend
-
-# For backend development (shared + backend + dev tools)
-uv sync --extra backend --extra dev
-
-# For backend with EE (shared + backend + ee)
-uv sync --extra backend --extra ee
+# For backend production only (shared + backend dependencies)
+uv sync --no-default-groups --group backend
 
 # For model server (shared + model_server, NO backend deps!)
-uv sync --extra model_server
-```
-
-`uv` aggressively [ignores active virtual environments](https://docs.astral.sh/uv/concepts/projects/config/#project-environment-path) and prefers the root virtual environment.
-When working in workspace packages, be sure to pass `--active` when syncing the virtual environment:
-
-```bash
-cd backend/
-source .venv/bin/activate
-uv sync --active
-uv run --active ...
+uv sync --no-default-groups --group model_server
 ```
 
 ### 5. Upgrading Dependencies

backend/requirements/default.txt

@@ -1,5 +1,5 @@
 # This file was autogenerated by uv via the following command:
-#    uv export --no-emit-project --no-default-groups --no-hashes --extra backend -o backend/requirements/default.txt
+#    uv export --no-emit-project --no-default-groups --no-hashes --group backend -o backend/requirements/default.txt
 agent-client-protocol==0.7.1
     # via onyx
 aioboto3==15.1.0
@@ -19,7 +19,6 @@ aiohttp==3.13.4
     #   aiobotocore
     #   discord-py
     #   litellm
-    #   onyx
     #   voyageai
 aioitertools==0.13.0
     # via aiobotocore
@@ -28,7 +27,6 @@ aiolimiter==1.2.1
 aiosignal==1.4.0
     # via aiohttp
 alembic==1.10.4
-    # via onyx
 amqp==5.3.1
     # via kombu
 annotated-doc==0.0.4
@@ -51,13 +49,10 @@ argon2-cffi==23.1.0
 argon2-cffi-bindings==25.1.0
     # via argon2-cffi
 asana==5.0.8
-    # via onyx
 async-timeout==5.0.1 ; python_full_version < '3.11.3'
     # via redis
 asyncpg==0.30.0
-    # via onyx
 atlassian-python-api==3.41.16
-    # via onyx
 attrs==25.4.0
     # via
     #   aiohttp
@@ -68,7 +63,6 @@ attrs==25.4.0
 authlib==1.6.9
     # via fastmcp
 azure-cognitiveservices-speech==1.38.0
-    # via onyx
 babel==2.17.0
     # via courlan
 backoff==2.2.1
@@ -86,7 +80,6 @@ beautifulsoup4==4.12.3
     #   atlassian-python-api
     #   markdownify
     #   markitdown
-    #   onyx
     #   unstructured
 billiard==4.2.3
     # via celery
@@ -94,9 +87,7 @@ boto3==1.39.11
     # via
     #   aiobotocore
     #   cohere
-    #   onyx
 boto3-stubs==1.39.11
-    # via onyx
 botocore==1.39.11
     # via
     #   aiobotocore
@@ -105,7 +96,6 @@ botocore==1.39.11
 botocore-stubs==1.40.74
     # via boto3-stubs
 braintrust==0.3.9
-    # via onyx
 brotli==1.2.0
     # via onyx
 bytecode==0.17.0
@@ -115,7 +105,6 @@ cachetools==6.2.2
 caio==0.9.25
     # via aiofile
 celery==5.5.1
-    # via onyx
 certifi==2025.11.12
     # via
     #   asana
@@ -134,7 +123,6 @@ cffi==2.0.0
     #   pynacl
     #   zstandard
 chardet==5.2.0
-    # via onyx
 charset-normalizer==3.4.4
     # via
     #   htmldate
@@ -146,7 +134,6 @@ charset-normalizer==3.4.4
 chevron==0.14.0
     # via braintrust
 chonkie==1.0.10
-    # via onyx
 claude-agent-sdk==0.1.19
     # via onyx
 click==8.3.1
@@ -201,15 +188,12 @@ cryptography==46.0.6
 cyclopts==4.2.4
     # via fastmcp
 dask==2026.1.1
-    # via
-    #   distributed
-    #   onyx
+    # via distributed
 dataclasses-json==0.6.7
     # via unstructured
 dateparser==1.2.2
     # via htmldate
 ddtrace==3.10.0
-    # via onyx
 decorator==5.2.1
     # via retry
 defusedxml==0.7.1
@@ -223,7 +207,6 @@ deprecated==1.3.1
 discord-py==2.4.0
     # via onyx
 distributed==2026.1.1
-    # via onyx
 distro==1.9.0
     # via
     #   openai
@@ -235,7 +218,6 @@ docstring-parser==0.17.0
 docutils==0.22.3
     # via rich-rst
 dropbox==12.0.2
-    # via onyx
 durationpy==0.10
     # via kubernetes
 email-validator==2.2.0
@@ -251,7 +233,6 @@ et-xmlfile==2.0.0
 events==0.5
     # via opensearch-py
 exa-py==1.15.4
-    # via onyx
 exceptiongroup==1.3.0
     # via
     #   braintrust
@@ -262,23 +243,16 @@ fastapi==0.133.1
     #   fastapi-users
     #   onyx
 fastapi-limiter==0.1.6
-    # via onyx
 fastapi-users==15.0.4
-    # via
-    #   fastapi-users-db-sqlalchemy
-    #   onyx
+    # via fastapi-users-db-sqlalchemy
 fastapi-users-db-sqlalchemy==7.0.0
-    # via onyx
 fastavro==1.12.1
     # via cohere
 fastmcp==3.2.0
-    # via onyx
 fastuuid==0.14.0
     # via litellm
 filelock==3.20.3
-    # via
-    #   huggingface-hub
-    #   onyx
+    # via huggingface-hub
 filetype==1.2.0
     # via unstructured
 flatbuffers==25.9.23
@@ -298,7 +272,6 @@ gitpython==3.1.45
 google-api-core==2.28.1
     # via google-api-python-client
 google-api-python-client==2.86.0
-    # via onyx
 google-auth==2.48.0
     # via
     #   google-api-core
@@ -308,11 +281,8 @@ google-auth==2.48.0
     #   google-genai
     #   kubernetes
 google-auth-httplib2==0.1.0
-    # via
-    #   google-api-python-client
-    #   onyx
+    # via google-api-python-client
 google-auth-oauthlib==1.0.0
-    # via onyx
 google-genai==1.52.0
     # via onyx
 googleapis-common-protos==1.72.0
@@ -340,7 +310,6 @@ htmldate==1.9.1
 httpcore==1.0.9
     # via
     #   httpx
-    #   onyx
     #   unstructured-client
 httplib2==0.31.0
     # via
@@ -357,21 +326,16 @@ httpx==0.28.1
     #   langsmith
     #   litellm
     #   mcp
-    #   onyx
     #   openai
     #   unstructured-client
 httpx-oauth==0.15.1
-    # via onyx
 httpx-sse==0.4.3
     # via
     #   cohere
     #   mcp
 hubspot-api-client==11.1.0
-    # via onyx
 huggingface-hub==0.35.3
-    # via
-    #   onyx
-    #   tokenizers
+    # via tokenizers
 humanfriendly==10.0
     # via coloredlogs
 hyperframe==6.1.0
@@ -390,9 +354,7 @@ importlib-metadata==8.7.0
     #   litellm
     #   opentelemetry-api
 inflection==0.5.1
-    # via
-    #   onyx
-    #   pyairtable
+    # via pyairtable
 iniconfig==2.3.0
     # via pytest
 isodate==0.7.2
@@ -414,7 +376,6 @@ jinja2==3.1.6
     #   distributed
     #   litellm
 jira==3.10.5
-    # via onyx
 jiter==0.12.0
     # via openai
 jmespath==1.0.1
@@ -430,9 +391,7 @@ jsonpatch==1.33
 jsonpointer==3.0.0
     # via jsonpatch
 jsonref==1.1.0
-    # via
-    #   fastmcp
-    #   onyx
+    # via fastmcp
 jsonschema==4.25.1
     # via
     #   litellm
@@ -450,15 +409,12 @@ kombu==5.5.4
 kubernetes==31.0.0
     # via onyx
 langchain-core==1.2.22
-    # via onyx
 langdetect==1.0.9
     # via unstructured
 langfuse==3.10.0
-    # via onyx
 langsmith==0.3.45
     # via langchain-core
 lazy-imports==1.0.1
-    # via onyx
 legacy-cgi==2.6.4 ; python_full_version >= '3.13'
     # via ddtrace
 litellm==1.81.6
@@ -473,7 +429,6 @@ lxml==5.3.0
     #   justext
     #   lxml-html-clean
     #   markitdown
-    #   onyx
     #   python-docx
     #   python-pptx
     #   python3-saml
@@ -488,9 +443,7 @@ magika==0.6.3
 makefun==1.16.0
     # via fastapi-users
 mako==1.2.4
-    # via
-    #   alembic
-    #   onyx
+    # via alembic
 mammoth==1.11.0
     # via markitdown
 markdown-it-py==4.0.0
@@ -498,7 +451,6 @@ markdown-it-py==4.0.0
 markdownify==1.2.2
     # via markitdown
 markitdown==0.1.2
-    # via onyx
 markupsafe==3.0.3
     # via
     #   jinja2
@@ -512,11 +464,9 @@ mcp==1.26.0
     # via
     #   claude-agent-sdk
     #   fastmcp
-    #   onyx
 mdurl==0.1.2
     # via markdown-it-py
 mistune==3.2.0
-    # via onyx
 more-itertools==10.8.0
     # via
     #   jaraco-classes
@@ -525,13 +475,10 @@ more-itertools==10.8.0
 mpmath==1.3.0
     # via sympy
 msal==1.34.0
-    # via
-    #   office365-rest-python-client
-    #   onyx
+    # via office365-rest-python-client
 msgpack==1.1.2
     # via distributed
 msoffcrypto-tool==5.4.2
-    # via onyx
 multidict==6.7.0
     # via
     #   aiobotocore
@@ -548,7 +495,6 @@ mypy-extensions==1.0.0
     #   mypy
     #   typing-inspect
 nest-asyncio==1.6.0
-    # via onyx
 nltk==3.9.4
     # via unstructured
 numpy==2.4.1
@@ -563,10 +509,8 @@ oauthlib==3.2.2
     # via
     #   atlassian-python-api
     #   kubernetes
-    #   onyx
     #   requests-oauthlib
 office365-rest-python-client==2.6.2
-    # via onyx
 olefile==0.47
     # via
     #   msoffcrypto-tool
@@ -582,15 +526,11 @@ openai==2.14.0
 openapi-pydantic==0.5.1
     # via fastmcp
 openinference-instrumentation==0.1.42
-    # via onyx
 openinference-semantic-conventions==0.1.25
     # via openinference-instrumentation
 openpyxl==3.0.10
-    # via
-    #   markitdown
-    #   onyx
+    # via markitdown
 opensearch-py==3.0.0
-    # via onyx
 opentelemetry-api==1.39.1
     # via
     #   ddtrace
@@ -606,7 +546,6 @@ opentelemetry-exporter-otlp-proto-http==1.39.1
     # via langfuse
 opentelemetry-proto==1.39.1
     # via
-    #   onyx
     #   opentelemetry-exporter-otlp-proto-common
     #   opentelemetry-exporter-otlp-proto-http
 opentelemetry-sdk==1.39.1
@@ -640,7 +579,6 @@ parameterized==0.9.0
 partd==1.4.2
     # via dask
 passlib==1.7.4
-    # via onyx
 pathable==0.4.4
     # via jsonschema-path
 pdfminer-six==20251107
@@ -652,9 +590,7 @@ platformdirs==4.5.0
     #   fastmcp
     #   zeep
 playwright==1.55.0
-    # via
-    #   onyx
-    #   pytest-playwright
+    # via pytest-playwright
 pluggy==1.6.0
     # via pytest
 ply==3.11
@@ -684,12 +620,9 @@ protobuf==6.33.5
 psutil==7.1.3
     # via
     #   distributed
-    #   onyx
     #   unstructured
 psycopg2-binary==2.9.9
-    # via onyx
 puremagic==1.28
-    # via onyx
 pwdlib==0.3.0
     # via fastapi-users
 py==1.11.0
@@ -697,7 +630,6 @@ py==1.11.0
 py-key-value-aio==0.4.4
     # via fastmcp
 pyairtable==3.0.1
-    # via onyx
 pyasn1==0.6.3
     # via
     #   pyasn1-modules
@@ -707,7 +639,6 @@ pyasn1-modules==0.4.2
 pycparser==2.23 ; implementation_name != 'PyPy'
     # via cffi
 pycryptodome==3.19.1
-    # via onyx
 pydantic==2.11.7
     # via
     #   agent-client-protocol
@@ -734,7 +665,6 @@ pydantic-settings==2.12.0
 pyee==13.0.0
     # via playwright
 pygithub==2.5.0
-    # via onyx
 pygments==2.20.0
     # via rich
 pyjwt==2.12.0
@@ -745,17 +675,13 @@ pyjwt==2.12.0
     #   pygithub
     #   simple-salesforce
 pympler==1.1
-    # via onyx
 pynacl==1.6.2
     # via pygithub
 pypandoc-binary==1.16.2
-    # via onyx
 pyparsing==3.2.5
     # via httplib2
 pypdf==6.9.2
-    # via
-    #   onyx
-    #   unstructured-client
+    # via unstructured-client
 pyperclip==1.11.0
     # via fastmcp
 pyreadline3==3.5.4 ; sys_platform == 'win32'
@@ -768,9 +694,7 @@ pytest==8.3.5
 pytest-base-url==2.1.0
     # via pytest-playwright
 pytest-mock==3.12.0
-    # via onyx
 pytest-playwright==0.7.0
-    # via onyx
 python-dateutil==2.8.2
     # via
     #   aiobotocore
@@ -781,11 +705,9 @@ python-dateutil==2.8.2
     #   htmldate
     #   hubspot-api-client
     #   kubernetes
-    #   onyx
     #   opensearch-py
     #   pandas
 python-docx==1.1.2
-    # via onyx
 python-dotenv==1.1.1
     # via
     #   braintrust
@@ -793,10 +715,8 @@ python-dotenv==1.1.1
     #   litellm
     #   magika
     #   mcp
-    #   onyx
     #   pydantic-settings
 python-gitlab==5.6.0
-    # via onyx
 python-http-client==3.3.7
     # via sendgrid
 python-iso639==2025.11.16
@@ -807,19 +727,15 @@ python-multipart==0.0.22
     # via
     #   fastapi-users
     #   mcp
-    #   onyx
 python-oxmsg==0.0.2
     # via unstructured
 python-pptx==0.6.23
-    # via
-    #   markitdown
-    #   onyx
+    # via markitdown
 python-slugify==8.0.4
     # via
     #   braintrust
     #   pytest-playwright
 python3-saml==1.15.0
-    # via onyx
 pytz==2025.2
     # via
     #   dateparser
@@ -827,7 +743,6 @@ pytz==2025.2
     #   pandas
     #   zeep
 pywikibot==9.0.0
-    # via onyx
 pywin32==311 ; sys_platform == 'win32'
     # via
     #   mcp
@@ -844,13 +759,9 @@ pyyaml==6.0.3
     #   kubernetes
     #   langchain-core
 rapidfuzz==3.13.0
-    # via
-    #   onyx
-    #   unstructured
+    # via unstructured
 redis==5.0.8
-    # via
-    #   fastapi-limiter
-    #   onyx
+    # via fastapi-limiter
 referencing==0.36.2
     # via
     #   jsonschema
@@ -881,7 +792,6 @@ requests==2.33.0
     #   matrix-client
     #   msal
     #   office365-rest-python-client
-    #   onyx
     #   opensearch-py
     #   opentelemetry-exporter-otlp-proto-http
     #   pyairtable
@@ -907,7 +817,6 @@ requests-oauthlib==1.3.1
     #   google-auth-oauthlib
     #   jira
     #   kubernetes
-    #   onyx
 requests-toolbelt==1.0.0
     # via
     #   jira
@@ -918,7 +827,6 @@ requests-toolbelt==1.0.0
 retry==0.9.2
     # via onyx
 rfc3986==1.5.0
-    # via onyx
 rich==14.2.0
     # via
     #   cyclopts
@@ -938,15 +846,12 @@ s3transfer==0.13.1
 secretstorage==3.5.0 ; sys_platform == 'linux'
     # via keyring
 sendgrid==6.12.5
-    # via onyx
 sentry-sdk==2.14.0
     # via onyx
 shapely==2.0.6
-    # via onyx
 shellingham==1.5.4
     # via typer
 simple-salesforce==1.12.6
-    # via onyx
 six==1.17.0
     # via
     #   asana
@@ -961,7 +866,6 @@ six==1.17.0
     #   python-dateutil
     #   stone
 slack-sdk==3.20.2
-    # via onyx
 smmap==5.0.2
     # via gitdb
 sniffio==1.3.1
@@ -976,7 +880,6 @@ sqlalchemy==2.0.15
     # via
     #   alembic
     #   fastapi-users-db-sqlalchemy
-    #   onyx
 sse-starlette==3.0.3
     # via mcp
 sseclient-py==1.8.0
@@ -985,14 +888,11 @@ starlette==0.49.3
     # via
     #   fastapi
     #   mcp
-    #   onyx
     #   prometheus-fastapi-instrumentator
 stone==3.3.1
     # via dropbox
 stripe==10.12.0
-    # via onyx
 supervisor==4.3.0
-    # via onyx
 sympy==1.14.0
     # via onnxruntime
 tblib==3.2.2
@@ -1005,11 +905,8 @@ tenacity==9.1.2
 text-unidecode==1.3
     # via python-slugify
 tiktoken==0.7.0
-    # via
-    #   litellm
-    #   onyx
+    # via litellm
 timeago==1.0.16
-    # via onyx
 tld==0.13.1
     # via courlan
 tokenizers==0.21.4
@@ -1033,13 +930,11 @@ tqdm==4.67.1
     #   openai
     #   unstructured
 trafilatura==1.12.2
-    # via onyx
 typer==0.20.0
     # via mcp
 types-awscrt==0.28.4
     # via botocore-stubs
 types-openpyxl==3.0.4.7
-    # via onyx
 types-requests==2.32.0.20250328
     # via cohere
 types-s3transfer==0.14.0
@@ -1105,11 +1000,8 @@ tzlocal==5.3.1
 uncalled-for==0.2.0
     # via fastmcp
 unstructured==0.18.27
-    # via onyx
 unstructured-client==0.42.6
-    # via
-    #   onyx
-    #   unstructured
+    # via unstructured
 uritemplate==4.2.0
     # via google-api-python-client
 urllib3==2.6.3
@@ -1121,7 +1013,6 @@ urllib3==2.6.3
     #   htmldate
     #   hubspot-api-client
     #   kubernetes
-    #   onyx
     #   opensearch-py
     #   pyairtable
     #   pygithub
@@ -1171,9 +1062,7 @@ xlrd==2.0.2
 xlsxwriter==3.2.9
     # via python-pptx
 xmlsec==1.3.14
-    # via
-    #   onyx
-    #   python3-saml
+    # via python3-saml
 xmltodict==1.0.2
     # via ddtrace
 yarl==1.22.0
@@ -1187,4 +1076,3 @@ zipp==3.23.0
 zstandard==0.23.0
     # via langsmith
 zulip==0.8.2
-    # via onyx

backend/requirements/dev.txt

@@ -1,5 +1,5 @@
 # This file was autogenerated by uv via the following command:
-#    uv export --no-emit-project --no-default-groups --no-hashes --extra dev -o backend/requirements/dev.txt
+#    uv export --no-emit-project --no-default-groups --no-hashes --group dev -o backend/requirements/dev.txt
 agent-client-protocol==0.7.1
     # via onyx
 aioboto3==15.1.0
@@ -47,7 +47,6 @@ attrs==25.4.0
     #   jsonschema
     #   referencing
 black==25.1.0
-    # via onyx
 boto3==1.39.11
     # via
     #   aiobotocore
@@ -60,7 +59,6 @@ botocore==1.39.11
 brotli==1.2.0
     # via onyx
 celery-types==0.19.0
-    # via onyx
 certifi==2025.11.12
     # via
     #   httpcore
@@ -122,7 +120,6 @@ execnet==2.1.2
 executing==2.2.1
     # via stack-data
 faker==40.1.2
-    # via onyx
 fastapi==0.133.1
     # via
     #   onyx
@@ -156,7 +153,6 @@ h11==0.16.0
     #   httpcore
     #   uvicorn
 hatchling==1.28.0
-    # via onyx
 hf-xet==1.2.0 ; platform_machine == 'aarch64' or platform_machine == 'amd64' or platform_machine == 'arm64' or platform_machine == 'x86_64'
     # via huggingface-hub
 httpcore==1.0.9
@@ -187,7 +183,6 @@ importlib-metadata==8.7.0
 iniconfig==2.3.0
     # via pytest
 ipykernel==6.29.5
-    # via onyx
 ipython==9.7.0
     # via ipykernel
 ipython-pygments-lexers==1.1.1
@@ -224,13 +219,11 @@ litellm==1.81.6
 mako==1.2.4
     # via alembic
 manygo==0.2.0
-    # via onyx
 markupsafe==3.0.3
     # via
     #   jinja2
     #   mako
 matplotlib==3.10.8
-    # via onyx
 matplotlib-inline==0.2.1
     # via
     #   ipykernel
@@ -243,12 +236,10 @@ multidict==6.7.0
     #   aiohttp
     #   yarl
 mypy==1.13.0
-    # via onyx
 mypy-extensions==1.0.0
     # via
     #   black
     #   mypy
-    #   onyx
 nest-asyncio==1.6.0
     # via ipykernel
 nodeenv==1.9.1
@@ -263,16 +254,13 @@ oauthlib==3.2.2
     # via
     #   kubernetes
     #   requests-oauthlib
-onyx-devtools==0.7.2
-    # via onyx
+onyx-devtools==0.7.5
 openai==2.14.0
     # via
     #   litellm
     #   onyx
 openapi-generator-cli==7.17.0
-    # via
-    #   onyx
-    #   onyx-devtools
+    # via onyx-devtools
 packaging==24.2
     # via
     #   black
@@ -282,7 +270,6 @@ packaging==24.2
     #   matplotlib
     #   pytest
 pandas-stubs==2.3.3.251201
-    # via onyx
 parameterized==0.9.0
     # via cohere
 parso==0.8.5
@@ -305,7 +292,6 @@ pluggy==1.6.0
     #   hatchling
     #   pytest
 pre-commit==3.2.2
-    # via onyx
 prometheus-client==0.23.1
     # via
     #   onyx
@@ -359,22 +345,16 @@ pyparsing==3.2.5
     # via matplotlib
 pytest==8.3.5
     # via
-    #   onyx
     #   pytest-alembic
     #   pytest-asyncio
     #   pytest-dotenv
     #   pytest-repeat
     #   pytest-xdist
 pytest-alembic==0.12.1
-    # via onyx
 pytest-asyncio==1.3.0
-    # via onyx
 pytest-dotenv==0.5.2
-    # via onyx
 pytest-repeat==0.9.4
-    # via onyx
 pytest-xdist==3.8.0
-    # via onyx
 python-dateutil==2.8.2
     # via
     #   aiobotocore
@@ -407,9 +387,7 @@ referencing==0.36.2
 regex==2025.11.3
     # via tiktoken
 release-tag==0.5.2
-    # via onyx
 reorder-python-imports-black==3.14.0
-    # via onyx
 requests==2.33.0
     # via
     #   cohere
@@ -430,7 +408,6 @@ rpds-py==0.29.0
 rsa==4.9.1
     # via google-auth
 ruff==0.12.0
-    # via onyx
 s3transfer==0.13.1
     # via boto3
 sentry-sdk==2.14.0
@@ -484,39 +461,22 @@ traitlets==5.14.3
 trove-classifiers==2025.12.1.14
     # via hatchling
 types-beautifulsoup4==4.12.0.3
-    # via onyx
 types-html5lib==1.1.11.13
-    # via
-    #   onyx
-    #   types-beautifulsoup4
+    # via types-beautifulsoup4
 types-oauthlib==3.2.0.9
-    # via onyx
 types-passlib==1.7.7.20240106
-    # via onyx
 types-pillow==10.2.0.20240822
-    # via onyx
 types-psutil==7.1.3.20251125
-    # via onyx
 types-psycopg2==2.9.21.10
-    # via onyx
 types-python-dateutil==2.8.19.13
-    # via onyx
 types-pytz==2023.3.1.1
-    # via
-    #   onyx
-    #   pandas-stubs
+    # via pandas-stubs
 types-pyyaml==6.0.12.11
-    # via onyx
 types-regex==2023.3.23.1
-    # via onyx
 types-requests==2.32.0.20250328
-    # via
-    #   cohere
-    #   onyx
+    # via cohere
 types-retry==0.9.9.3
-    # via onyx
 types-setuptools==68.0.0.3
-    # via onyx
 typing-extensions==4.15.0
     # via
     #   aiosignal
@@ -574,4 +534,3 @@ yarl==1.22.0
 zipp==3.23.0
     # via importlib-metadata
 zizmor==1.18.0
-    # via onyx

backend/requirements/ee.txt

@@ -1,5 +1,5 @@
 # This file was autogenerated by uv via the following command:
-#    uv export --no-emit-project --no-default-groups --no-hashes --extra ee -o backend/requirements/ee.txt
+#    uv export --no-emit-project --no-default-groups --no-hashes --group ee -o backend/requirements/ee.txt
 agent-client-protocol==0.7.1
     # via onyx
 aioboto3==15.1.0
@@ -182,7 +182,6 @@ packaging==24.2
 parameterized==0.9.0
     # via cohere
 posthog==3.7.4
-    # via onyx
 prometheus-client==0.23.1
     # via
     #   onyx

backend/requirements/model_server.txt

@@ -1,7 +1,6 @@
 # This file was autogenerated by uv via the following command:
-#    uv export --no-emit-project --no-default-groups --no-hashes --extra model_server -o backend/requirements/model_server.txt
+#    uv export --no-emit-project --no-default-groups --no-hashes --group model_server -o backend/requirements/model_server.txt
 accelerate==1.6.0
-    # via onyx
 agent-client-protocol==0.7.1
     # via onyx
 aioboto3==15.1.0
@@ -105,7 +104,6 @@ distro==1.9.0
 durationpy==0.10
     # via kubernetes
 einops==0.8.1
-    # via onyx
 fastapi==0.133.1
     # via
     #   onyx
@@ -207,7 +205,6 @@ networkx==3.5
 numpy==2.4.1
     # via
     #   accelerate
-    #   onyx
     #   scikit-learn
     #   scipy
     #   transformers
@@ -363,7 +360,6 @@ s3transfer==0.13.1
 safetensors==0.5.3
     # via
     #   accelerate
-    #   onyx
     #   transformers
 scikit-learn==1.7.2
     # via sentence-transformers
@@ -372,7 +368,6 @@ scipy==1.16.3
     #   scikit-learn
     #   sentence-transformers
 sentence-transformers==4.0.2
-    # via onyx
 sentry-sdk==2.14.0
     # via onyx
 setuptools==80.9.0 ; python_full_version >= '3.12'
@@ -411,7 +406,6 @@ tokenizers==0.21.4
 torch==2.9.1
     # via
     #   accelerate
-    #   onyx
     #   sentence-transformers
 tqdm==4.67.1
     # via
@@ -420,9 +414,7 @@ tqdm==4.67.1
     #   sentence-transformers
     #   transformers
 transformers==4.53.0
-    # via
-    #   onyx
-    #   sentence-transformers
+    # via sentence-transformers
 triton==3.5.1 ; platform_machine == 'x86_64' and sys_platform == 'linux'
     # via torch
 types-requests==2.32.0.20250328

backend/tests/daily/connectors/google_drive/test_resolver.py

@@ -0,0 +1,239 @@
+"""Tests for GoogleDriveConnector.resolve_errors against real Google Drive."""
+
+import json
+import os
+from collections.abc import Callable
+from unittest.mock import patch
+
+from onyx.connectors.google_drive.connector import GoogleDriveConnector
+from onyx.connectors.models import ConnectorFailure
+from onyx.connectors.models import Document
+from onyx.connectors.models import DocumentFailure
+from onyx.connectors.models import HierarchyNode
+from tests.daily.connectors.google_drive.consts_and_utils import ADMIN_EMAIL
+from tests.daily.connectors.google_drive.consts_and_utils import (
+    ALL_EXPECTED_HIERARCHY_NODES,
+)
+from tests.daily.connectors.google_drive.consts_and_utils import FOLDER_1_ID
+from tests.daily.connectors.google_drive.consts_and_utils import SHARED_DRIVE_1_ID
+
+_DRIVE_ID_MAPPING_PATH = os.path.join(
+    os.path.dirname(__file__), "drive_id_mapping.json"
+)
+
+
+def _load_web_view_links(file_ids: list[int]) -> list[str]:
+    with open(_DRIVE_ID_MAPPING_PATH) as f:
+        mapping: dict[str, str] = json.load(f)
+    return [mapping[str(fid)] for fid in file_ids]
+
+
+def _build_failures(web_view_links: list[str]) -> list[ConnectorFailure]:
+    return [
+        ConnectorFailure(
+            failed_document=DocumentFailure(
+                document_id=link,
+                document_link=link,
+            ),
+            failure_message=f"Synthetic failure for {link}",
+        )
+        for link in web_view_links
+    ]
+
+
+@patch("onyx.file_processing.extract_file_text.get_unstructured_api_key")
+def test_resolve_single_file(
+    mock_api_key: None,  # noqa: ARG001
+    google_drive_service_acct_connector_factory: Callable[..., GoogleDriveConnector],
+) -> None:
+    """Resolve a single known file and verify we get back exactly one Document."""
+    connector = google_drive_service_acct_connector_factory(
+        primary_admin_email=ADMIN_EMAIL,
+        include_shared_drives=True,
+        shared_drive_urls=None,
+        include_my_drives=True,
+        my_drive_emails=None,
+        shared_folder_urls=None,
+        include_files_shared_with_me=False,
+    )
+
+    web_view_links = _load_web_view_links([0])
+    failures = _build_failures(web_view_links)
+
+    results = list(connector.resolve_errors(failures))
+
+    docs = [r for r in results if isinstance(r, Document)]
+    new_failures = [r for r in results if isinstance(r, ConnectorFailure)]
+    hierarchy_nodes = [r for r in results if isinstance(r, HierarchyNode)]
+
+    assert len(docs) == 1
+    assert len(new_failures) == 0
+    assert docs[0].semantic_identifier == "file_0.txt"
+
+    # Should yield at least one hierarchy node (the file's parent folder chain)
+    assert len(hierarchy_nodes) > 0
+
+
+@patch("onyx.file_processing.extract_file_text.get_unstructured_api_key")
+def test_resolve_multiple_files(
+    mock_api_key: None,  # noqa: ARG001
+    google_drive_service_acct_connector_factory: Callable[..., GoogleDriveConnector],
+) -> None:
+    """Resolve multiple files across different folders via batch API."""
+    connector = google_drive_service_acct_connector_factory(
+        primary_admin_email=ADMIN_EMAIL,
+        include_shared_drives=True,
+        shared_drive_urls=None,
+        include_my_drives=True,
+        my_drive_emails=None,
+        shared_folder_urls=None,
+        include_files_shared_with_me=False,
+    )
+
+    # Pick files from different folders: admin files (0-4), shared drive 1 (20-24), folder_2 (45-49)
+    file_ids = [0, 1, 20, 21, 45]
+    web_view_links = _load_web_view_links(file_ids)
+    failures = _build_failures(web_view_links)
+
+    results = list(connector.resolve_errors(failures))
+
+    docs = [r for r in results if isinstance(r, Document)]
+    new_failures = [r for r in results if isinstance(r, ConnectorFailure)]
+    hierarchy_nodes = [r for r in results if isinstance(r, HierarchyNode)]
+
+    assert len(new_failures) == 0
+    retrieved_names = {doc.semantic_identifier for doc in docs}
+    expected_names = {f"file_{fid}.txt" for fid in file_ids}
+    assert expected_names == retrieved_names
+
+    # Files span multiple folders, so we should get hierarchy nodes
+    assert len(hierarchy_nodes) > 0
+
+
+@patch("onyx.file_processing.extract_file_text.get_unstructured_api_key")
+def test_resolve_hierarchy_nodes_are_valid(
+    mock_api_key: None,  # noqa: ARG001
+    google_drive_service_acct_connector_factory: Callable[..., GoogleDriveConnector],
+) -> None:
+    """Verify that hierarchy nodes from resolve_errors match expected structure."""
+    connector = google_drive_service_acct_connector_factory(
+        primary_admin_email=ADMIN_EMAIL,
+        include_shared_drives=True,
+        shared_drive_urls=None,
+        include_my_drives=True,
+        my_drive_emails=None,
+        shared_folder_urls=None,
+        include_files_shared_with_me=False,
+    )
+
+    # File in folder_1 (inside shared_drive_1) — should walk up to shared_drive_1 root
+    web_view_links = _load_web_view_links([25])
+    failures = _build_failures(web_view_links)
+
+    results = list(connector.resolve_errors(failures))
+
+    hierarchy_nodes = [r for r in results if isinstance(r, HierarchyNode)]
+    node_ids = {node.raw_node_id for node in hierarchy_nodes}
+
+    # File 25 is in folder_1 which is inside shared_drive_1.
+    # The parent walk must yield at least these two ancestors.
+    assert (
+        FOLDER_1_ID in node_ids
+    ), f"Expected folder_1 ({FOLDER_1_ID}) in hierarchy nodes, got: {node_ids}"
+    assert (
+        SHARED_DRIVE_1_ID in node_ids
+    ), f"Expected shared_drive_1 ({SHARED_DRIVE_1_ID}) in hierarchy nodes, got: {node_ids}"
+
+    for node in hierarchy_nodes:
+        if node.raw_node_id not in ALL_EXPECTED_HIERARCHY_NODES:
+            continue
+        expected = ALL_EXPECTED_HIERARCHY_NODES[node.raw_node_id]
+        assert node.display_name == expected.display_name, (
+            f"Display name mismatch for {node.raw_node_id}: "
+            f"expected '{expected.display_name}', got '{node.display_name}'"
+        )
+        assert node.node_type == expected.node_type, (
+            f"Node type mismatch for {node.raw_node_id}: "
+            f"expected '{expected.node_type}', got '{node.node_type}'"
+        )
+
+
+@patch("onyx.file_processing.extract_file_text.get_unstructured_api_key")
+def test_resolve_with_invalid_link(
+    mock_api_key: None,  # noqa: ARG001
+    google_drive_service_acct_connector_factory: Callable[..., GoogleDriveConnector],
+) -> None:
+    """Resolve with a mix of valid and invalid links — invalid ones yield ConnectorFailure."""
+    connector = google_drive_service_acct_connector_factory(
+        primary_admin_email=ADMIN_EMAIL,
+        include_shared_drives=True,
+        shared_drive_urls=None,
+        include_my_drives=True,
+        my_drive_emails=None,
+        shared_folder_urls=None,
+        include_files_shared_with_me=False,
+    )
+
+    valid_links = _load_web_view_links([0])
+    invalid_link = "https://drive.google.com/file/d/NONEXISTENT_FILE_ID_12345"
+    failures = _build_failures(valid_links + [invalid_link])
+
+    results = list(connector.resolve_errors(failures))
+
+    docs = [r for r in results if isinstance(r, Document)]
+    new_failures = [r for r in results if isinstance(r, ConnectorFailure)]
+
+    assert len(docs) == 1
+    assert docs[0].semantic_identifier == "file_0.txt"
+    assert len(new_failures) == 1
+    assert new_failures[0].failed_document is not None
+    assert new_failures[0].failed_document.document_id == invalid_link
+
+
+@patch("onyx.file_processing.extract_file_text.get_unstructured_api_key")
+def test_resolve_empty_errors(
+    mock_api_key: None,  # noqa: ARG001
+    google_drive_service_acct_connector_factory: Callable[..., GoogleDriveConnector],
+) -> None:
+    """Resolving an empty error list should yield nothing."""
+    connector = google_drive_service_acct_connector_factory(
+        primary_admin_email=ADMIN_EMAIL,
+        include_shared_drives=True,
+        shared_drive_urls=None,
+        include_my_drives=True,
+        my_drive_emails=None,
+        shared_folder_urls=None,
+        include_files_shared_with_me=False,
+    )
+
+    results = list(connector.resolve_errors([]))
+
+    assert len(results) == 0
+
+
+@patch("onyx.file_processing.extract_file_text.get_unstructured_api_key")
+def test_resolve_entity_failures_are_skipped(
+    mock_api_key: None,  # noqa: ARG001
+    google_drive_service_acct_connector_factory: Callable[..., GoogleDriveConnector],
+) -> None:
+    """Entity failures (not document failures) should be skipped by resolve_errors."""
+    from onyx.connectors.models import EntityFailure
+
+    connector = google_drive_service_acct_connector_factory(
+        primary_admin_email=ADMIN_EMAIL,
+        include_shared_drives=True,
+        shared_drive_urls=None,
+        include_my_drives=True,
+        my_drive_emails=None,
+        shared_folder_urls=None,
+        include_files_shared_with_me=False,
+    )
+
+    entity_failure = ConnectorFailure(
+        failed_entity=EntityFailure(entity_id="some_stage"),
+        failure_message="retrieval failure",
+    )
+
+    results = list(connector.resolve_errors([entity_failure]))
+
+    assert len(results) == 0

backend/tests/unit/background/celery/test_celery_utils.py

@@ -0,0 +1,149 @@
+"""Unit tests for extract_ids_from_runnable_connector metrics instrumentation."""
+
+from collections.abc import Iterator
+from unittest.mock import MagicMock
+
+import pytest
+
+from onyx.background.celery.celery_utils import extract_ids_from_runnable_connector
+from onyx.connectors.interfaces import SlimConnector
+from onyx.connectors.models import SlimDocument
+from onyx.server.metrics.pruning_metrics import PRUNING_ENUMERATION_DURATION
+from onyx.server.metrics.pruning_metrics import PRUNING_RATE_LIMIT_ERRORS
+
+
+def _make_slim_connector(doc_ids: list[str]) -> SlimConnector:
+    """Mock SlimConnector that yields the given doc IDs in one batch."""
+    connector = MagicMock(spec=SlimConnector)
+    docs = [
+        MagicMock(spec=SlimDocument, id=doc_id, parent_hierarchy_raw_node_id=None)
+        for doc_id in doc_ids
+    ]
+    connector.retrieve_all_slim_docs.return_value = iter([docs])
+    return connector
+
+
+def _raising_connector(message: str) -> SlimConnector:
+    """Mock SlimConnector whose generator raises with the given message."""
+    connector = MagicMock(spec=SlimConnector)
+
+    def raising_iter() -> Iterator:
+        raise Exception(message)
+        yield
+
+    connector.retrieve_all_slim_docs.return_value = raising_iter()
+    return connector
+
+
+class TestEnumerationDuration:
+    def test_recorded_on_success(self) -> None:
+        connector = _make_slim_connector(["doc1"])
+        before = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="google_drive"
+        )._sum.get()
+
+        extract_ids_from_runnable_connector(connector, connector_type="google_drive")
+
+        after = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="google_drive"
+        )._sum.get()
+        assert after >= before  # duration observed (non-negative)
+
+    def test_recorded_on_exception(self) -> None:
+        connector = _raising_connector("unexpected error")
+        before = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="confluence"
+        )._sum.get()
+
+        with pytest.raises(Exception):
+            extract_ids_from_runnable_connector(connector, connector_type="confluence")
+
+        after = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="confluence"
+        )._sum.get()
+        assert after >= before  # duration observed even on exception
+
+
+class TestRateLimitDetection:
+    def test_increments_on_rate_limit_message(self) -> None:
+        connector = _raising_connector("rate limit exceeded")
+        before = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="google_drive"
+        )._value.get()
+
+        with pytest.raises(Exception, match="rate limit exceeded"):
+            extract_ids_from_runnable_connector(
+                connector, connector_type="google_drive"
+            )
+
+        after = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="google_drive"
+        )._value.get()
+        assert after == before + 1
+
+    def test_increments_on_429_in_message(self) -> None:
+        connector = _raising_connector("HTTP 429 Too Many Requests")
+        before = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="confluence"
+        )._value.get()
+
+        with pytest.raises(Exception, match="429"):
+            extract_ids_from_runnable_connector(connector, connector_type="confluence")
+
+        after = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="confluence"
+        )._value.get()
+        assert after == before + 1
+
+    def test_does_not_increment_on_non_rate_limit_exception(self) -> None:
+        connector = _raising_connector("connection timeout")
+        before = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="slack")._value.get()
+
+        with pytest.raises(Exception, match="connection timeout"):
+            extract_ids_from_runnable_connector(connector, connector_type="slack")
+
+        after = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="slack")._value.get()
+        assert after == before
+
+    def test_rate_limit_detection_is_case_insensitive(self) -> None:
+        connector = _raising_connector("RATE LIMIT exceeded")
+        before = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="jira")._value.get()
+
+        with pytest.raises(Exception):
+            extract_ids_from_runnable_connector(connector, connector_type="jira")
+
+        after = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="jira")._value.get()
+        assert after == before + 1
+
+    def test_connector_type_label_matches_input(self) -> None:
+        connector = _raising_connector("rate limit exceeded")
+        before_gd = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="google_drive"
+        )._value.get()
+        before_jira = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="jira"
+        )._value.get()
+
+        with pytest.raises(Exception):
+            extract_ids_from_runnable_connector(
+                connector, connector_type="google_drive"
+            )
+
+        assert (
+            PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="google_drive")._value.get()
+            == before_gd + 1
+        )
+        assert (
+            PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="jira")._value.get()
+            == before_jira
+        )
+
+    def test_defaults_to_unknown_connector_type(self) -> None:
+        connector = _raising_connector("rate limit exceeded")
+        before = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="unknown")._value.get()
+
+        with pytest.raises(Exception):
+            extract_ids_from_runnable_connector(connector)
+
+        after = PRUNING_RATE_LIMIT_ERRORS.labels(connector_type="unknown")._value.get()
+        assert after == before + 1

backend/tests/unit/ee/onyx/db/test_license.py

@@ -9,6 +9,7 @@ from unittest.mock import patch
 from ee.onyx.db.license import check_seat_availability
 from ee.onyx.db.license import delete_license
 from ee.onyx.db.license import get_license
+from ee.onyx.db.license import get_used_seats
 from ee.onyx.db.license import upsert_license
 from ee.onyx.server.license.models import LicenseMetadata
 from ee.onyx.server.license.models import LicenseSource
@@ -214,3 +215,43 @@ class TestCheckSeatAvailabilityMultiTenant:
         assert result.available is False
         assert result.error_message is not None
         mock_tenant_count.assert_called_once_with("tenant-abc")
+
+
+class TestGetUsedSeatsAccountTypeFiltering:
+    """Verify get_used_seats query excludes SERVICE_ACCOUNT but includes BOT."""
+
+    @patch("ee.onyx.db.license.MULTI_TENANT", False)
+    @patch("onyx.db.engine.sql_engine.get_session_with_current_tenant")
+    def test_excludes_service_accounts(self, mock_get_session: MagicMock) -> None:
+        """SERVICE_ACCOUNT users should not count toward seats."""
+        mock_session = MagicMock()
+        mock_get_session.return_value.__enter__ = MagicMock(return_value=mock_session)
+        mock_get_session.return_value.__exit__ = MagicMock(return_value=False)
+        mock_session.execute.return_value.scalar.return_value = 5
+
+        result = get_used_seats()
+
+        assert result == 5
+        # Inspect the compiled query to verify account_type filter
+        call_args = mock_session.execute.call_args
+        query = call_args[0][0]
+        compiled = str(query.compile(compile_kwargs={"literal_binds": True}))
+        assert "SERVICE_ACCOUNT" in compiled
+        # BOT should NOT be excluded
+        assert "BOT" not in compiled
+
+    @patch("ee.onyx.db.license.MULTI_TENANT", False)
+    @patch("onyx.db.engine.sql_engine.get_session_with_current_tenant")
+    def test_still_excludes_ext_perm_user(self, mock_get_session: MagicMock) -> None:
+        """EXT_PERM_USER exclusion should still be present."""
+        mock_session = MagicMock()
+        mock_get_session.return_value.__enter__ = MagicMock(return_value=mock_session)
+        mock_get_session.return_value.__exit__ = MagicMock(return_value=False)
+        mock_session.execute.return_value.scalar.return_value = 3
+
+        get_used_seats()
+
+        call_args = mock_session.execute.call_args
+        query = call_args[0][0]
+        compiled = str(query.compile(compile_kwargs={"literal_binds": True}))
+        assert "EXT_PERM_USER" in compiled

backend/tests/unit/onyx/connectors/jira/test_jira_bulk_fetch.py

@@ -6,6 +6,7 @@ import requests
 from jira import JIRA
 from jira.resources import Issue
 
+from onyx.connectors.jira.connector import _JIRA_BULK_FETCH_LIMIT
 from onyx.connectors.jira.connector import bulk_fetch_issues
 
 
@@ -145,3 +146,29 @@ def test_bulk_fetch_recursive_splitting_raises_on_bad_issue() -> None:
 
     with pytest.raises(requests.exceptions.JSONDecodeError):
         bulk_fetch_issues(client, ["1", "2", bad_id, "3", "4", "5"])
+
+
+def test_bulk_fetch_respects_api_batch_limit() -> None:
+    """Requests to the bulkfetch endpoint never exceed _JIRA_BULK_FETCH_LIMIT IDs."""
+    client = _mock_jira_client()
+    total_issues = _JIRA_BULK_FETCH_LIMIT * 3 + 7
+    all_ids = [str(i) for i in range(total_issues)]
+
+    batch_sizes: list[int] = []
+
+    def _post_side_effect(url: str, json: dict[str, Any]) -> MagicMock:  # noqa: ARG001
+        ids = json["issueIdsOrKeys"]
+        batch_sizes.append(len(ids))
+        resp = MagicMock()
+        resp.json.return_value = {"issues": [_make_raw_issue(i) for i in ids]}
+        return resp
+
+    client._session.post.side_effect = _post_side_effect
+
+    result = bulk_fetch_issues(client, all_ids)
+
+    assert len(result) == total_issues
+    # keeping this hardcoded because it's the documented limit
+    # https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/
+    assert all(size <= 100 for size in batch_sizes)
+    assert len(batch_sizes) == 4

backend/tests/unit/onyx/context/search/federated/test_build_thread_text.py

@@ -0,0 +1,67 @@
+"""Tests for _build_thread_text function."""
+
+from unittest.mock import MagicMock
+from unittest.mock import patch
+
+from onyx.context.search.federated.slack_search import _build_thread_text
+
+
+def _make_msg(user: str, text: str, ts: str) -> dict[str, str]:
+    return {"user": user, "text": text, "ts": ts}
+
+
+class TestBuildThreadText:
+    """Verify _build_thread_text includes full thread replies up to cap."""
+
+    @patch("onyx.context.search.federated.slack_search.batch_get_user_profiles")
+    def test_includes_all_replies(self, mock_profiles: MagicMock) -> None:
+        """All replies within cap are included in output."""
+        mock_profiles.return_value = {}
+        messages = [
+            _make_msg("U1", "parent msg", "1000.0"),
+            _make_msg("U2", "reply 1", "1001.0"),
+            _make_msg("U3", "reply 2", "1002.0"),
+            _make_msg("U4", "reply 3", "1003.0"),
+        ]
+        result = _build_thread_text(messages, "token", "T123", MagicMock())
+        assert "parent msg" in result
+        assert "reply 1" in result
+        assert "reply 2" in result
+        assert "reply 3" in result
+        assert "..." not in result
+
+    @patch("onyx.context.search.federated.slack_search.batch_get_user_profiles")
+    def test_non_thread_returns_parent_only(self, mock_profiles: MagicMock) -> None:
+        """Single message (no replies) returns just the parent text."""
+        mock_profiles.return_value = {}
+        messages = [_make_msg("U1", "just a message", "1000.0")]
+        result = _build_thread_text(messages, "token", "T123", MagicMock())
+        assert "just a message" in result
+        assert "Replies:" not in result
+
+    @patch("onyx.context.search.federated.slack_search.batch_get_user_profiles")
+    def test_parent_always_first(self, mock_profiles: MagicMock) -> None:
+        """Thread parent message is always the first line of output."""
+        mock_profiles.return_value = {}
+        messages = [
+            _make_msg("U1", "I am the parent", "1000.0"),
+            _make_msg("U2", "I am a reply", "1001.0"),
+        ]
+        result = _build_thread_text(messages, "token", "T123", MagicMock())
+        parent_pos = result.index("I am the parent")
+        reply_pos = result.index("I am a reply")
+        assert parent_pos < reply_pos
+
+    @patch("onyx.context.search.federated.slack_search.batch_get_user_profiles")
+    def test_user_profiles_resolved(self, mock_profiles: MagicMock) -> None:
+        """User IDs in thread text are replaced with display names."""
+        mock_profiles.return_value = {"U1": "Alice", "U2": "Bob"}
+        messages = [
+            _make_msg("U1", "hello", "1000.0"),
+            _make_msg("U2", "world", "1001.0"),
+        ]
+        result = _build_thread_text(messages, "token", "T123", MagicMock())
+        assert "Alice" in result
+        assert "Bob" in result
+        assert "<@U1>" not in result
+        assert "<@U2>" not in result

backend/tests/unit/onyx/context/search/federated/test_url_override.py

@@ -0,0 +1,108 @@
+"""Tests for Slack URL parsing and direct thread fetch via URL override."""
+
+from unittest.mock import MagicMock
+from unittest.mock import patch
+
+from onyx.context.search.federated.models import DirectThreadFetch
+from onyx.context.search.federated.slack_search import _fetch_thread_from_url
+from onyx.context.search.federated.slack_search_utils import extract_slack_message_urls
+
+
+class TestExtractSlackMessageUrls:
+    """Verify URL parsing extracts channel_id and timestamp correctly."""
+
+    def test_standard_url(self) -> None:
+        query = "summarize https://mycompany.slack.com/archives/C097NBWMY8Y/p1775491616524769"
+        results = extract_slack_message_urls(query)
+        assert len(results) == 1
+        assert results[0] == ("C097NBWMY8Y", "1775491616.524769")
+
+    def test_multiple_urls(self) -> None:
+        query = (
+            "compare https://co.slack.com/archives/C111/p1234567890123456 "
+            "and https://co.slack.com/archives/C222/p9876543210987654"
+        )
+        results = extract_slack_message_urls(query)
+        assert len(results) == 2
+        assert results[0] == ("C111", "1234567890.123456")
+        assert results[1] == ("C222", "9876543210.987654")
+
+    def test_no_urls(self) -> None:
+        query = "what happened in #general last week?"
+        results = extract_slack_message_urls(query)
+        assert len(results) == 0
+
+    def test_non_slack_url_ignored(self) -> None:
+        query = "check https://google.com/archives/C111/p1234567890123456"
+        results = extract_slack_message_urls(query)
+        assert len(results) == 0
+
+    def test_timestamp_conversion(self) -> None:
+        """p prefix removed, dot inserted after 10th digit."""
+        query = "https://x.slack.com/archives/CABC123/p1775491616524769"
+        results = extract_slack_message_urls(query)
+        channel_id, ts = results[0]
+        assert channel_id == "CABC123"
+        assert ts == "1775491616.524769"
+        assert not ts.startswith("p")
+        assert "." in ts
+
+
+class TestFetchThreadFromUrl:
+    """Verify _fetch_thread_from_url calls conversations.replies and returns SlackMessage."""
+
+    @patch("onyx.context.search.federated.slack_search._build_thread_text")
+    @patch("onyx.context.search.federated.slack_search.WebClient")
+    def test_successful_fetch(
+        self, mock_webclient_cls: MagicMock, mock_build_thread: MagicMock
+    ) -> None:
+        mock_client = MagicMock()
+        mock_webclient_cls.return_value = mock_client
+
+        # Mock conversations_replies
+        mock_response = MagicMock()
+        mock_response.get.return_value = [
+            {"user": "U1", "text": "parent", "ts": "1775491616.524769"},
+            {"user": "U2", "text": "reply 1", "ts": "1775491617.000000"},
+            {"user": "U3", "text": "reply 2", "ts": "1775491618.000000"},
+        ]
+        mock_client.conversations_replies.return_value = mock_response
+
+        # Mock channel info
+        mock_ch_response = MagicMock()
+        mock_ch_response.get.return_value = {"name": "general"}
+        mock_client.conversations_info.return_value = mock_ch_response
+
+        mock_build_thread.return_value = (
+            "U1: parent\n\nReplies:\n\nU2: reply 1\n\nU3: reply 2"
+        )
+
+        fetch = DirectThreadFetch(
+            channel_id="C097NBWMY8Y", thread_ts="1775491616.524769"
+        )
+        result = _fetch_thread_from_url(fetch, "xoxp-token")
+
+        assert len(result.messages) == 1
+        msg = result.messages[0]
+        assert msg.channel_id == "C097NBWMY8Y"
+        assert msg.thread_id is None  # Prevents double-enrichment
+        assert msg.slack_score == 100000.0
+        assert "parent" in msg.text
+        mock_client.conversations_replies.assert_called_once_with(
+            channel="C097NBWMY8Y", ts="1775491616.524769"
+        )
+
+    @patch("onyx.context.search.federated.slack_search.WebClient")
+    def test_api_error_returns_empty(self, mock_webclient_cls: MagicMock) -> None:
+        from slack_sdk.errors import SlackApiError
+
+        mock_client = MagicMock()
+        mock_webclient_cls.return_value = mock_client
+        mock_client.conversations_replies.side_effect = SlackApiError(
+            message="channel_not_found",
+            response=MagicMock(status_code=404),
+        )
+
+        fetch = DirectThreadFetch(channel_id="CBAD", thread_ts="1234567890.123456")
+        result = _fetch_thread_from_url(fetch, "xoxp-token")
+        assert len(result.messages) == 0

backend/tests/unit/onyx/server/manage/llm/test_fetch_models_api.py

@@ -505,6 +505,7 @@ class TestGetLMStudioAvailableModels:
 
         mock_session = MagicMock()
         mock_provider = MagicMock()
+        mock_provider.api_base = "http://localhost:1234"
         mock_provider.custom_config = {"LM_STUDIO_API_KEY": "stored-secret"}
 
         response = {

backend/tests/unit/onyx/server/scim/test_user_endpoints.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+from typing import Any
 from unittest.mock import MagicMock
 from unittest.mock import patch
 from uuid import uuid4
@@ -9,7 +10,9 @@ from uuid import uuid4
 from fastapi import Response
 from sqlalchemy.exc import IntegrityError
 
+from ee.onyx.server.scim.api import _check_seat_availability
 from ee.onyx.server.scim.api import _scim_name_to_str
+from ee.onyx.server.scim.api import _seat_lock_id_for_tenant
 from ee.onyx.server.scim.api import create_user
 from ee.onyx.server.scim.api import delete_user
 from ee.onyx.server.scim.api import get_user
@@ -741,3 +744,80 @@ class TestEmailCasePreservation:
         resource = parse_scim_user(result)
         assert resource.userName == "Alice@Example.COM"
         assert resource.emails[0].value == "Alice@Example.COM"
+
+
+class TestSeatLock:
+    """Tests for the advisory lock in _check_seat_availability."""
+
+    @patch("ee.onyx.server.scim.api.get_current_tenant_id", return_value="tenant_abc")
+    def test_acquires_advisory_lock_before_checking(
+        self,
+        _mock_tenant: MagicMock,
+        mock_dal: MagicMock,
+    ) -> None:
+        """The advisory lock must be acquired before the seat check runs."""
+        call_order: list[str] = []
+
+        def track_execute(stmt: Any, _params: Any = None) -> None:
+            if "pg_advisory_xact_lock" in str(stmt):
+                call_order.append("lock")
+
+        mock_dal.session.execute.side_effect = track_execute
+
+        with patch(
+            "ee.onyx.server.scim.api.fetch_ee_implementation_or_noop"
+        ) as mock_fetch:
+            mock_result = MagicMock()
+            mock_result.available = True
+            mock_fn = MagicMock(return_value=mock_result)
+            mock_fetch.return_value = mock_fn
+
+            def track_check(*_args: Any, **_kwargs: Any) -> Any:
+                call_order.append("check")
+                return mock_result
+
+            mock_fn.side_effect = track_check
+
+            _check_seat_availability(mock_dal)
+
+        assert call_order == ["lock", "check"]
+
+    @patch("ee.onyx.server.scim.api.get_current_tenant_id", return_value="tenant_xyz")
+    def test_lock_uses_tenant_scoped_key(
+        self,
+        _mock_tenant: MagicMock,
+        mock_dal: MagicMock,
+    ) -> None:
+        """The lock id must be derived from the tenant via _seat_lock_id_for_tenant."""
+        mock_result = MagicMock()
+        mock_result.available = True
+        mock_check = MagicMock(return_value=mock_result)
+
+        with patch(
+            "ee.onyx.server.scim.api.fetch_ee_implementation_or_noop",
+            return_value=mock_check,
+        ):
+            _check_seat_availability(mock_dal)
+
+        mock_dal.session.execute.assert_called_once()
+        params = mock_dal.session.execute.call_args[0][1]
+        assert params["lock_id"] == _seat_lock_id_for_tenant("tenant_xyz")
+
+    def test_seat_lock_id_is_stable_and_tenant_scoped(self) -> None:
+        """Lock id must be deterministic and differ across tenants."""
+        assert _seat_lock_id_for_tenant("t1") == _seat_lock_id_for_tenant("t1")
+        assert _seat_lock_id_for_tenant("t1") != _seat_lock_id_for_tenant("t2")
+
+    def test_no_lock_when_ee_absent(
+        self,
+        mock_dal: MagicMock,
+    ) -> None:
+        """No advisory lock should be acquired when the EE check is absent."""
+        with patch(
+            "ee.onyx.server.scim.api.fetch_ee_implementation_or_noop",
+            return_value=None,
+        ):
+            result = _check_seat_availability(mock_dal)
+
+        assert result is None
+        mock_dal.session.execute.assert_not_called()

backend/tests/unit/onyx/tools/test_image_generation_reference_resolution.py

@@ -0,0 +1,115 @@
+"""Tests for ``ImageGenerationTool._resolve_reference_image_file_ids``.
+
+The resolver turns the LLM's ``reference_image_file_ids`` argument into a
+cleaned list of file IDs to hand to ``_load_reference_images``. It trusts
+the LLM's picks — the LLM can only see file IDs that actually appear in
+the conversation (via ``[attached image — file_id: <id>]`` tags on user
+messages and the JSON returned by prior generate_image calls), so we
+don't re-validate against an allow-list in the tool itself.
+"""
+from unittest.mock import MagicMock
+from unittest.mock import patch
+
+import pytest
+
+from onyx.tools.models import ToolCallException
+from onyx.tools.tool_implementations.images.image_generation_tool import (
+    ImageGenerationTool,
+)
+from onyx.tools.tool_implementations.images.image_generation_tool import (
+    REFERENCE_IMAGE_FILE_IDS_FIELD,
+)
+
+
+def _make_tool(
+    supports_reference_images: bool = True,
+    max_reference_images: int = 16,
+) -> ImageGenerationTool:
+    """Construct a tool with a mock provider so no credentials/network are needed."""
+    with patch(
+        "onyx.tools.tool_implementations.images.image_generation_tool.get_image_generation_provider"
+    ) as mock_get_provider:
+        mock_provider = MagicMock()
+        mock_provider.supports_reference_images = supports_reference_images
+        mock_provider.max_reference_images = max_reference_images
+        mock_get_provider.return_value = mock_provider
+
+        return ImageGenerationTool(
+            image_generation_credentials=MagicMock(),
+            tool_id=1,
+            emitter=MagicMock(),
+            model="gpt-image-1",
+            provider="openai",
+        )
+
+
+class TestResolveReferenceImageFileIds:
+    def test_unset_returns_empty_plain_generation(self) -> None:
+        tool = _make_tool()
+        assert tool._resolve_reference_image_file_ids(llm_kwargs={}) == []
+
+    def test_empty_list_is_treated_like_unset(self) -> None:
+        tool = _make_tool()
+        result = tool._resolve_reference_image_file_ids(
+            llm_kwargs={REFERENCE_IMAGE_FILE_IDS_FIELD: []},
+        )
+        assert result == []
+
+    def test_passes_llm_supplied_ids_through(self) -> None:
+        tool = _make_tool()
+        result = tool._resolve_reference_image_file_ids(
+            llm_kwargs={REFERENCE_IMAGE_FILE_IDS_FIELD: ["upload-1", "gen-1"]},
+        )
+        # Order preserved — first entry is the primary edit source.
+        assert result == ["upload-1", "gen-1"]
+
+    def test_invalid_shape_raises(self) -> None:
+        tool = _make_tool()
+        with pytest.raises(ToolCallException):
+            tool._resolve_reference_image_file_ids(
+                llm_kwargs={REFERENCE_IMAGE_FILE_IDS_FIELD: "not-a-list"},
+            )
+
+    def test_non_string_element_raises(self) -> None:
+        tool = _make_tool()
+        with pytest.raises(ToolCallException):
+            tool._resolve_reference_image_file_ids(
+                llm_kwargs={REFERENCE_IMAGE_FILE_IDS_FIELD: ["ok", 123]},
+            )
+
+    def test_deduplicates_preserving_first_occurrence(self) -> None:
+        tool = _make_tool()
+        result = tool._resolve_reference_image_file_ids(
+            llm_kwargs={
+                REFERENCE_IMAGE_FILE_IDS_FIELD: ["gen-1", "gen-2", "gen-1"]
+            },
+        )
+        assert result == ["gen-1", "gen-2"]
+
+    def test_strips_whitespace_and_skips_empty_strings(self) -> None:
+        tool = _make_tool()
+        result = tool._resolve_reference_image_file_ids(
+            llm_kwargs={
+                REFERENCE_IMAGE_FILE_IDS_FIELD: ["  gen-1  ", "", "   "]
+            },
+        )
+        assert result == ["gen-1"]
+
+    def test_provider_without_reference_support_raises(self) -> None:
+        tool = _make_tool(supports_reference_images=False)
+        with pytest.raises(ToolCallException):
+            tool._resolve_reference_image_file_ids(
+                llm_kwargs={REFERENCE_IMAGE_FILE_IDS_FIELD: ["gen-1"]},
+            )
+
+    def test_truncates_to_provider_max_preserving_head(self) -> None:
+        """When the LLM lists more images than the provider allows, keep the
+        HEAD of the list (the primary edit source + earliest extras) rather
+        than the tail, since the LLM put the most important one first."""
+        tool = _make_tool(max_reference_images=2)
+        result = tool._resolve_reference_image_file_ids(
+            llm_kwargs={
+                REFERENCE_IMAGE_FILE_IDS_FIELD: ["a", "b", "c", "d"]
+            },
+        )
+        assert result == ["a", "b"]

backend/tests/unit/onyx/tools/test_tool_runner.py

@@ -1,10 +1,5 @@
-from onyx.chat.models import ChatMessageSimple
-from onyx.chat.models import ToolCallSimple
-from onyx.configs.constants import MessageType
 from onyx.server.query_and_chat.placement import Placement
 from onyx.tools.models import ToolCallKickoff
-from onyx.tools.tool_runner import _extract_image_file_ids_from_tool_response_message
-from onyx.tools.tool_runner import _extract_recent_generated_image_file_ids
 from onyx.tools.tool_runner import _merge_tool_calls
 
 
@@ -313,61 +308,3 @@ class TestMergeToolCalls:
         # String should be converted to list item
         assert result[0].tool_args["queries"] == ["single_query", "q2"]
 
-
-class TestImageHistoryExtraction:
-    def test_extracts_image_file_ids_from_json_response(self) -> None:
-        msg = '[{"file_id":"img-1","revised_prompt":"v1"},{"file_id":"img-2","revised_prompt":"v2"}]'
-        assert _extract_image_file_ids_from_tool_response_message(msg) == [
-            "img-1",
-            "img-2",
-        ]
-
-    def test_extracts_recent_generated_image_ids_from_history(self) -> None:
-        history = [
-            ChatMessageSimple(
-                message="",
-                token_count=1,
-                message_type=MessageType.ASSISTANT,
-                tool_calls=[
-                    ToolCallSimple(
-                        tool_call_id="call_1",
-                        tool_name="generate_image",
-                        tool_arguments={"prompt": "test"},
-                        token_count=1,
-                    )
-                ],
-            ),
-            ChatMessageSimple(
-                message='[{"file_id":"img-1","revised_prompt":"r1"}]',
-                token_count=1,
-                message_type=MessageType.TOOL_CALL_RESPONSE,
-                tool_call_id="call_1",
-            ),
-        ]
-
-        assert _extract_recent_generated_image_file_ids(history) == ["img-1"]
-
-    def test_ignores_non_image_tool_responses(self) -> None:
-        history = [
-            ChatMessageSimple(
-                message="",
-                token_count=1,
-                message_type=MessageType.ASSISTANT,
-                tool_calls=[
-                    ToolCallSimple(
-                        tool_call_id="call_1",
-                        tool_name="web_search",
-                        tool_arguments={"queries": ["q"]},
-                        token_count=1,
-                    )
-                ],
-            ),
-            ChatMessageSimple(
-                message='[{"file_id":"img-1","revised_prompt":"r1"}]',
-                token_count=1,
-                message_type=MessageType.TOOL_CALL_RESPONSE,
-                tool_call_id="call_1",
-            ),
-        ]
-
-        assert _extract_recent_generated_image_file_ids(history) == []

backend/tests/unit/server/metrics/test_pruning_metrics.py

@@ -0,0 +1,128 @@
+"""Tests for pruning-specific Prometheus metrics."""
+
+import pytest
+
+from onyx.server.metrics.pruning_metrics import inc_pruning_rate_limit_error
+from onyx.server.metrics.pruning_metrics import observe_pruning_diff_duration
+from onyx.server.metrics.pruning_metrics import observe_pruning_enumeration_duration
+from onyx.server.metrics.pruning_metrics import PRUNING_DIFF_DURATION
+from onyx.server.metrics.pruning_metrics import PRUNING_ENUMERATION_DURATION
+from onyx.server.metrics.pruning_metrics import PRUNING_RATE_LIMIT_ERRORS
+
+
+class TestObservePruningEnumerationDuration:
+    def test_observes_duration(self) -> None:
+        before = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="google_drive"
+        )._sum.get()
+
+        observe_pruning_enumeration_duration(10.0, "google_drive")
+
+        after = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="google_drive"
+        )._sum.get()
+        assert after == pytest.approx(before + 10.0)
+
+    def test_labels_by_connector_type(self) -> None:
+        before_gd = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="google_drive"
+        )._sum.get()
+        before_conf = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="confluence"
+        )._sum.get()
+
+        observe_pruning_enumeration_duration(5.0, "google_drive")
+
+        after_gd = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="google_drive"
+        )._sum.get()
+        after_conf = PRUNING_ENUMERATION_DURATION.labels(
+            connector_type="confluence"
+        )._sum.get()
+
+        assert after_gd == pytest.approx(before_gd + 5.0)
+        assert after_conf == pytest.approx(before_conf)
+
+    def test_does_not_raise_on_exception(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        monkeypatch.setattr(
+            PRUNING_ENUMERATION_DURATION,
+            "labels",
+            lambda **_: (_ for _ in ()).throw(RuntimeError("boom")),
+        )
+        observe_pruning_enumeration_duration(1.0, "google_drive")
+
+
+class TestObservePruningDiffDuration:
+    def test_observes_duration(self) -> None:
+        before = PRUNING_DIFF_DURATION.labels(connector_type="confluence")._sum.get()
+
+        observe_pruning_diff_duration(3.0, "confluence")
+
+        after = PRUNING_DIFF_DURATION.labels(connector_type="confluence")._sum.get()
+        assert after == pytest.approx(before + 3.0)
+
+    def test_labels_by_connector_type(self) -> None:
+        before_conf = PRUNING_DIFF_DURATION.labels(
+            connector_type="confluence"
+        )._sum.get()
+        before_slack = PRUNING_DIFF_DURATION.labels(connector_type="slack")._sum.get()
+
+        observe_pruning_diff_duration(2.0, "confluence")
+
+        after_conf = PRUNING_DIFF_DURATION.labels(
+            connector_type="confluence"
+        )._sum.get()
+        after_slack = PRUNING_DIFF_DURATION.labels(connector_type="slack")._sum.get()
+
+        assert after_conf == pytest.approx(before_conf + 2.0)
+        assert after_slack == pytest.approx(before_slack)
+
+    def test_does_not_raise_on_exception(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        monkeypatch.setattr(
+            PRUNING_DIFF_DURATION,
+            "labels",
+            lambda **_: (_ for _ in ()).throw(RuntimeError("boom")),
+        )
+        observe_pruning_diff_duration(1.0, "confluence")
+
+
+class TestIncPruningRateLimitError:
+    def test_increments_counter(self) -> None:
+        before = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="google_drive"
+        )._value.get()
+
+        inc_pruning_rate_limit_error("google_drive")
+
+        after = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="google_drive"
+        )._value.get()
+        assert after == before + 1
+
+    def test_labels_by_connector_type(self) -> None:
+        before_gd = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="google_drive"
+        )._value.get()
+        before_jira = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="jira"
+        )._value.get()
+
+        inc_pruning_rate_limit_error("google_drive")
+
+        after_gd = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="google_drive"
+        )._value.get()
+        after_jira = PRUNING_RATE_LIMIT_ERRORS.labels(
+            connector_type="jira"
+        )._value.get()
+
+        assert after_gd == before_gd + 1
+        assert after_jira == before_jira
+
+    def test_does_not_raise_on_exception(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        monkeypatch.setattr(
+            PRUNING_RATE_LIMIT_ERRORS,
+            "labels",
+            lambda **_: (_ for _ in ()).throw(RuntimeError("boom")),
+        )
+        inc_pruning_rate_limit_error("google_drive")

deployment/data/nginx/mcp.conf.inc.template

@@ -1,3 +1,17 @@
+# OAuth callback page must be served by the web server (Next.js),
+# not the MCP server. Exact match takes priority over the regex below.
+location = /mcp/oauth/callback {
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Port $server_port;
+    proxy_set_header Host $host;
+    proxy_http_version 1.1;
+    proxy_redirect off;
+    proxy_pass http://web_server;
+}
+
 # MCP Server - Model Context Protocol for LLM integrations
 # Match /mcp, /mcp/, or /mcp/* but NOT /mcpserver, /mcpapi, etc.
 location ~ ^/mcp(/.*)?$ {

deployment/helm/charts/onyx/Chart.lock

@@ -19,6 +19,6 @@ dependencies:
   version: 5.4.0
 - name: code-interpreter
   repository: https://onyx-dot-app.github.io/python-sandbox/
-  version: 0.3.2
-digest: sha256:74908ea45ace2b4be913ff762772e6d87e40bab64e92c6662aa51730eaeb9d87
-generated: "2026-04-06T15:34:02.597166-07:00"
+  version: 0.3.3
+digest: sha256:a57f29088b1624a72f6c70e4c3ccc2f2aad675e4624278c4e9be92083d6d5dad
+generated: "2026-04-08T16:47:29.33368-07:00"

deployment/helm/charts/onyx/Chart.yaml

@@ -5,7 +5,7 @@ home: https://www.onyx.app/
 sources:
   - "https://github.com/onyx-dot-app/onyx"
 type: application
-version: 0.4.40
+version: 0.4.43
 appVersion: latest
 annotations:
   category: Productivity
@@ -45,6 +45,6 @@ dependencies:
     repository: https://charts.min.io/
     condition: minio.enabled
   - name: code-interpreter
-    version: 0.3.2
+    version: 0.3.3
     repository: https://onyx-dot-app.github.io/python-sandbox/
     condition: codeInterpreter.enabled

deployment/helm/charts/onyx/dashboards/opensearch-search-latency.json

@@ -0,0 +1,349 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": { "type": "grafana", "uid": "-- Grafana --" },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 1,
+  "id": null,
+  "links": [],
+  "liveNow": true,
+  "panels": [
+    {
+      "title": "Client-Side Search Latency (P50 / P95 / P99)",
+      "description": "End-to-end latency as measured by the Python client, including network round-trip and serialization overhead.",
+      "type": "timeseries",
+      "gridPos": { "h": 10, "w": 12, "x": 0, "y": 0 },
+      "id": 1,
+      "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+      "fieldConfig": {
+        "defaults": {
+          "color": { "mode": "palette-classic" },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisLabel": "seconds",
+            "axisPlacement": "auto",
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "lineInterpolation": "smooth",
+            "lineWidth": 2,
+            "pointSize": 5,
+            "scaleDistribution": { "type": "linear" },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": { "group": "A", "mode": "none" },
+            "thresholdsStyle": { "mode": "dashed" }
+          },
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              { "color": "green", "value": null },
+              { "color": "yellow", "value": 0.5 },
+              { "color": "red", "value": 2.0 }
+            ]
+          },
+          "unit": "s",
+          "min": 0
+        },
+        "overrides": []
+      },
+      "targets": [
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.5, sum by (le) (rate(onyx_opensearch_search_client_duration_seconds_bucket[5m])))",
+          "legendFormat": "P50",
+          "refId": "A"
+        },
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.95, sum by (le) (rate(onyx_opensearch_search_client_duration_seconds_bucket[5m])))",
+          "legendFormat": "P95",
+          "refId": "B"
+        },
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.99, sum by (le) (rate(onyx_opensearch_search_client_duration_seconds_bucket[5m])))",
+          "legendFormat": "P99",
+          "refId": "C"
+        }
+      ]
+    },
+    {
+      "title": "Server-Side Search Latency (P50 / P95 / P99)",
+      "description": "OpenSearch server-side execution time from the 'took' field in the response. Does not include network or client-side overhead.",
+      "type": "timeseries",
+      "gridPos": { "h": 10, "w": 12, "x": 12, "y": 0 },
+      "id": 2,
+      "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+      "fieldConfig": {
+        "defaults": {
+          "color": { "mode": "palette-classic" },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisLabel": "seconds",
+            "axisPlacement": "auto",
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "lineInterpolation": "smooth",
+            "lineWidth": 2,
+            "pointSize": 5,
+            "scaleDistribution": { "type": "linear" },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": { "group": "A", "mode": "none" },
+            "thresholdsStyle": { "mode": "dashed" }
+          },
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              { "color": "green", "value": null },
+              { "color": "yellow", "value": 0.5 },
+              { "color": "red", "value": 2.0 }
+            ]
+          },
+          "unit": "s",
+          "min": 0
+        },
+        "overrides": []
+      },
+      "targets": [
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.5, sum by (le) (rate(onyx_opensearch_search_server_duration_seconds_bucket[5m])))",
+          "legendFormat": "P50",
+          "refId": "A"
+        },
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.95, sum by (le) (rate(onyx_opensearch_search_server_duration_seconds_bucket[5m])))",
+          "legendFormat": "P95",
+          "refId": "B"
+        },
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.99, sum by (le) (rate(onyx_opensearch_search_server_duration_seconds_bucket[5m])))",
+          "legendFormat": "P99",
+          "refId": "C"
+        }
+      ]
+    },
+    {
+      "title": "Client-Side Latency by Search Type (P95)",
+      "description": "P95 client-side latency broken down by search type (hybrid, keyword, semantic, random, doc_id_retrieval).",
+      "type": "timeseries",
+      "gridPos": { "h": 10, "w": 12, "x": 0, "y": 10 },
+      "id": 3,
+      "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+      "fieldConfig": {
+        "defaults": {
+          "color": { "mode": "palette-classic" },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisLabel": "seconds",
+            "axisPlacement": "auto",
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "lineInterpolation": "smooth",
+            "lineWidth": 2,
+            "pointSize": 5,
+            "scaleDistribution": { "type": "linear" },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": { "group": "A", "mode": "none" },
+            "thresholdsStyle": { "mode": "off" }
+          },
+          "unit": "s",
+          "min": 0
+        },
+        "overrides": []
+      },
+      "targets": [
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.95, sum by (search_type, le) (rate(onyx_opensearch_search_client_duration_seconds_bucket[5m])))",
+          "legendFormat": "{{ search_type }}",
+          "refId": "A"
+        }
+      ]
+    },
+    {
+      "title": "Search Throughput by Type",
+      "description": "Searches per second broken down by search type.",
+      "type": "timeseries",
+      "gridPos": { "h": 10, "w": 12, "x": 12, "y": 10 },
+      "id": 4,
+      "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+      "fieldConfig": {
+        "defaults": {
+          "color": { "mode": "palette-classic" },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisLabel": "searches/s",
+            "axisPlacement": "auto",
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "lineInterpolation": "smooth",
+            "lineWidth": 2,
+            "pointSize": 5,
+            "scaleDistribution": { "type": "linear" },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": { "group": "A", "mode": "normal" },
+            "thresholdsStyle": { "mode": "off" }
+          },
+          "unit": "ops",
+          "min": 0
+        },
+        "overrides": []
+      },
+      "targets": [
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "sum by (search_type) (rate(onyx_opensearch_search_total[5m]))",
+          "legendFormat": "{{ search_type }}",
+          "refId": "A"
+        }
+      ]
+    },
+    {
+      "title": "Concurrent Searches In Progress",
+      "description": "Number of OpenSearch searches currently in flight, broken down by search type. Summed across all instances.",
+      "type": "timeseries",
+      "gridPos": { "h": 10, "w": 12, "x": 0, "y": 20 },
+      "id": 5,
+      "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+      "fieldConfig": {
+        "defaults": {
+          "color": { "mode": "palette-classic" },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisLabel": "searches",
+            "axisPlacement": "auto",
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "lineInterpolation": "smooth",
+            "lineWidth": 2,
+            "pointSize": 5,
+            "scaleDistribution": { "type": "linear" },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": { "group": "A", "mode": "normal" },
+            "thresholdsStyle": { "mode": "off" }
+          },
+          "min": 0
+        },
+        "overrides": []
+      },
+      "targets": [
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "sum by (search_type) (onyx_opensearch_searches_in_progress)",
+          "legendFormat": "{{ search_type }}",
+          "refId": "A"
+        }
+      ]
+    },
+    {
+      "title": "Client vs Server Latency Overhead (P50)",
+      "description": "Difference between client-side and server-side P50 latency. Reveals network, serialization, and untracked OpenSearch overhead.",
+      "type": "timeseries",
+      "gridPos": { "h": 10, "w": 12, "x": 12, "y": 20 },
+      "id": 6,
+      "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+      "fieldConfig": {
+        "defaults": {
+          "color": { "mode": "palette-classic" },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisLabel": "seconds",
+            "axisPlacement": "auto",
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "lineInterpolation": "smooth",
+            "lineWidth": 2,
+            "pointSize": 5,
+            "scaleDistribution": { "type": "linear" },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": { "group": "A", "mode": "none" },
+            "thresholdsStyle": { "mode": "off" }
+          },
+          "unit": "s",
+          "min": 0
+        },
+        "overrides": []
+      },
+      "targets": [
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.5, sum by (le) (rate(onyx_opensearch_search_client_duration_seconds_bucket[5m]))) - histogram_quantile(0.5, sum by (le) (rate(onyx_opensearch_search_server_duration_seconds_bucket[5m])))",
+          "legendFormat": "Client - Server overhead (P50)",
+          "refId": "A"
+        },
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.5, sum by (le) (rate(onyx_opensearch_search_client_duration_seconds_bucket[5m])))",
+          "legendFormat": "Client P50",
+          "refId": "B"
+        },
+        {
+          "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" },
+          "expr": "histogram_quantile(0.5, sum by (le) (rate(onyx_opensearch_search_server_duration_seconds_bucket[5m])))",
+          "legendFormat": "Server P50",
+          "refId": "C"
+        }
+      ]
+    }
+  ],
+  "refresh": "5s",
+  "schemaVersion": 37,
+  "style": "dark",
+  "tags": ["onyx", "opensearch", "search", "latency"],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "text": "Prometheus",
+          "value": "prometheus"
+        },
+        "includeAll": false,
+        "name": "DS_PROMETHEUS",
+        "options": [],
+        "query": "prometheus",
+        "refresh": 1,
+        "type": "datasource"
+      }
+    ]
+  },
+  "time": { "from": "now-60m", "to": "now" },
+  "timepicker": {
+    "refresh_intervals": ["5s", "10s", "30s", "1m"]
+  },
+  "timezone": "",
+  "title": "Onyx OpenSearch Search Latency",
+  "uid": "onyx-opensearch-search-latency",
+  "version": 0,
+  "weekStart": ""
+}

deployment/helm/charts/onyx/dashboards/redis-queues.json

@@ -0,0 +1,606 @@
+{
+  "id": null,
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 18,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 2,
+            "pointSize": 4,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "orange",
+                "value": 10
+              },
+              {
+                "color": "red",
+                "value": 50
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "calcs": ["lastNotNull", "max"],
+          "displayMode": "table",
+          "placement": "right",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "onyx_celery_queue_depth{queue=~\"$queue\"}",
+          "legendFormat": "{{queue}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Queue Depth by Queue",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "orange",
+                "value": 20
+              },
+              {
+                "color": "red",
+                "value": 100
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 0,
+        "y": 10
+      },
+      "id": 2,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "sum(onyx_celery_queue_depth)",
+          "refId": "A"
+        }
+      ],
+      "title": "Total Queued Tasks",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "orange",
+                "value": 20
+              },
+              {
+                "color": "red",
+                "value": 100
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 6,
+        "y": 10
+      },
+      "id": 3,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "onyx_celery_unacked_tasks",
+          "refId": "A"
+        }
+      ],
+      "title": "Unacked Tasks",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "orange",
+                "value": 10
+              },
+              {
+                "color": "red",
+                "value": 50
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 12,
+        "y": 10
+      },
+      "id": 4,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "none",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "onyx_celery_queue_depth{queue=\"docprocessing\"}",
+          "refId": "A"
+        }
+      ],
+      "title": "Docprocessing Queue",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "orange",
+                "value": 10
+              },
+              {
+                "color": "red",
+                "value": 50
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 18,
+        "y": 10
+      },
+      "id": 5,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "none",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "onyx_celery_queue_depth{queue=\"connector_doc_fetching\"}",
+          "refId": "A"
+        }
+      ],
+      "title": "Docfetching Queue",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "bars",
+            "fillOpacity": 80,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "lineWidth": 1,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "orange",
+                "value": 10
+              },
+              {
+                "color": "red",
+                "value": 50
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 14
+      },
+      "id": 6,
+      "options": {
+        "legend": {
+          "calcs": ["lastNotNull"],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": false
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "topk(10, onyx_celery_queue_depth)",
+          "legendFormat": "{{queue}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Top 10 Queue Backlogs",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "align": "auto",
+            "cellOptions": {
+              "type": "auto"
+            },
+            "inspect": false
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "orange",
+                "value": 10
+              },
+              {
+                "color": "red",
+                "value": 50
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 14
+      },
+      "id": 7,
+      "options": {
+        "cellHeight": "sm",
+        "footer": {
+          "countRows": false,
+          "fields": "",
+          "reducer": ["sum"],
+          "show": false
+        },
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "expr": "sort_desc(onyx_celery_queue_depth)",
+          "format": "table",
+          "instant": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Current Queue Depth",
+      "transformations": [
+        {
+          "id": "labelsToFields",
+          "options": {
+            "mode": "columns"
+          }
+        }
+      ],
+      "type": "table"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 39,
+  "style": "dark",
+  "tags": ["onyx", "redis", "celery"],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "selected": true,
+          "text": "Prometheus",
+          "value": "Prometheus"
+        },
+        "hide": 0,
+        "includeAll": false,
+        "label": "Datasource",
+        "name": "DS_PROMETHEUS",
+        "options": [],
+        "query": "prometheus",
+        "refresh": 1,
+        "regex": "",
+        "type": "datasource"
+      },
+      {
+        "allValue": ".*",
+        "current": {
+          "selected": true,
+          "text": "All",
+          "value": ".*"
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_PROMETHEUS}"
+        },
+        "definition": "label_values(onyx_celery_queue_depth, queue)",
+        "hide": 0,
+        "includeAll": true,
+        "label": "Queue",
+        "multi": true,
+        "name": "queue",
+        "options": [],
+        "query": {
+          "query": "label_values(onyx_celery_queue_depth, queue)",
+          "refId": "StandardVariableQuery"
+        },
+        "refresh": 2,
+        "regex": "",
+        "sort": 1,
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-6h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Onyx Redis Queues",
+  "uid": "onyx-redis-queues",
+  "version": 1,
+  "weekStart": ""
+}

deployment/helm/charts/onyx/templates/api-servicemonitor.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.monitoring.serviceMonitors.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "onyx.fullname" . }}-api
+  labels:
+    {{- include "onyx.labels" . | nindent 4 }}
+    {{- with .Values.monitoring.serviceMonitors.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app: {{ .Values.api.deploymentLabels.app }}
+  endpoints:
+    - port: api-server-port
+      path: /metrics
+      interval: 30s
+      scrapeTimeout: 10s
+{{- end }}

deployment/helm/charts/onyx/templates/celery-worker-heavy-metrics-service.yaml

@@ -0,0 +1,26 @@
+{{- /* Metrics port must match the default in metrics_server.py (_DEFAULT_PORTS).
+       Do NOT use PROMETHEUS_METRICS_PORT env var in Helm — each worker needs its own port. */ -}}
+{{- if gt (int .Values.celery_worker_heavy.replicaCount) 0 }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "onyx.fullname" . }}-celery-worker-heavy-metrics
+  labels:
+    {{- include "onyx.labels" . | nindent 4 }}
+    {{- if .Values.celery_worker_heavy.deploymentLabels }}
+    {{- toYaml .Values.celery_worker_heavy.deploymentLabels | nindent 4 }}
+    {{- end }}
+    metrics: "true"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 9094
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector:
+    {{- include "onyx.selectorLabels" . | nindent 4 }}
+    {{- if .Values.celery_worker_heavy.deploymentLabels }}
+    {{- toYaml .Values.celery_worker_heavy.deploymentLabels | nindent 4 }}
+    {{- end }}
+{{- end }}

deployment/helm/charts/onyx/templates/celery-worker-heavy.yaml

@@ -70,6 +70,10 @@ spec:
               "-Q",
               "connector_pruning,connector_doc_permissions_sync,connector_external_group_sync,csv_generation,sandbox",
             ]
+          ports:
+            - name: metrics
+              containerPort: 9094
+              protocol: TCP
           resources:
             {{- toYaml .Values.celery_worker_heavy.resources | nindent 12 }}
           envFrom:

deployment/helm/charts/onyx/templates/celery-worker-servicemonitors.yaml

@@ -74,4 +74,29 @@ spec:
       interval: 30s
       scrapeTimeout: 10s
 {{- end }}
+{{- if gt (int .Values.celery_worker_heavy.replicaCount) 0 }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "onyx.fullname" . }}-celery-worker-heavy
+  labels:
+    {{- include "onyx.labels" . | nindent 4 }}
+    {{- with .Values.monitoring.serviceMonitors.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app: {{ .Values.celery_worker_heavy.deploymentLabels.app }}
+      metrics: "true"
+  endpoints:
+    - port: metrics
+      path: /metrics
+      interval: 30s
+      scrapeTimeout: 10s
+{{- end }}
 {{- end }}

deployment/helm/charts/onyx/templates/grafana-dashboards.yaml

@@ -12,4 +12,30 @@ metadata:
 data:
   onyx-indexing-pipeline.json: |
     {{- .Files.Get "dashboards/indexing-pipeline.json" | nindent 4 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "onyx.fullname" . }}-opensearch-search-latency-dashboard
+  labels:
+    {{- include "onyx.labels" . | nindent 4 }}
+    grafana_dashboard: "1"
+  annotations:
+    grafana_folder: "Onyx"
+data:
+  onyx-opensearch-search-latency.json: |
+    {{- .Files.Get "dashboards/opensearch-search-latency.json" | nindent 4 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "onyx.fullname" . }}-redis-queues-dashboard
+  labels:
+    {{- include "onyx.labels" . | nindent 4 }}
+    grafana_dashboard: "1"
+  annotations:
+    grafana_folder: "Onyx"
+data:
+  onyx-redis-queues.json: |
+    {{- .Files.Get "dashboards/redis-queues.json" | nindent 4 }}
 {{- end }}

deployment/helm/charts/onyx/templates/nginx-conf.yaml

@@ -42,6 +42,22 @@ data:
         client_max_body_size 5G;
         {{- if .Values.mcpServer.enabled }}
 
+        # OAuth callback page must be served by the web server (Next.js),
+        # not the MCP server. Exact match takes priority over the regex below.
+        location = /mcp/oauth/callback {
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header Host $host;
+            proxy_http_version 1.1;
+            proxy_redirect off;
+            proxy_connect_timeout {{ .Values.nginx.timeouts.connect }}s;
+            proxy_send_timeout {{ .Values.nginx.timeouts.send }}s;
+            proxy_read_timeout {{ .Values.nginx.timeouts.read }}s;
+            proxy_pass http://web_server;
+        }
+
         # MCP Server - Model Context Protocol for LLM integrations
         # Match /mcp, /mcp/, or /mcp/* but NOT /mcpserver, /mcpapi, etc.
         location ~ ^/mcp(/.*)?$ {

deployment/helm/charts/onyx/values.yaml

@@ -264,7 +264,7 @@ monitoring:
       # The sidecar must be configured with label selector: grafana_dashboard=1
       enabled: false
   serviceMonitors:
-    # -- Set to true to deploy ServiceMonitor resources for Celery worker metrics endpoints.
+    # -- Set to true to deploy ServiceMonitor resources for API server and Celery worker metrics endpoints.
     # Requires the Prometheus Operator CRDs (included in kube-prometheus-stack).
     # Use `labels` to match your Prometheus CR's serviceMonitorSelector (e.g. release: onyx-monitoring).
     enabled: false
@@ -296,7 +296,7 @@ nginx:
     # The ingress-nginx subchart doesn't auto-detect our custom ConfigMap changes.
     # Workaround: Helm upgrade will restart if the following annotation value changes.
     podAnnotations:
-      onyx.app/nginx-config-version: "3"
+      onyx.app/nginx-config-version: "4"
 
     # Propagate DOMAIN into nginx so server_name continues to use the same env var
     extraEnvs:

docker-bake.hcl

@@ -22,6 +22,10 @@ variable "CLI_REPOSITORY" {
   default = "onyxdotapp/onyx-cli"
 }
 
+variable "DEVCONTAINER_REPOSITORY" {
+  default = "onyxdotapp/onyx-devcontainer"
+}
+
 variable "TAG" {
   default = "latest"
 }
@@ -90,3 +94,16 @@ target "cli" {
 
   tags      = ["${CLI_REPOSITORY}:${TAG}"]
 }
+
+target "devcontainer" {
+  context    = ".devcontainer"
+  dockerfile = "Dockerfile"
+
+  cache-from = [
+    "type=registry,ref=${DEVCONTAINER_REPOSITORY}:latest",
+    "type=registry,ref=${DEVCONTAINER_REPOSITORY}:edge",
+  ]
+  cache-to   = ["type=inline"]
+
+  tags      = ["${DEVCONTAINER_REPOSITORY}:${TAG}"]
+}

pyproject.toml

@@ -28,7 +28,7 @@ dependencies = [
     "kubernetes>=31.0.0",
 ]
 
-[project.optional-dependencies]
+[dependency-groups]
 # Main backend application dependencies
 backend = [
     "aiohttp==3.13.4",
@@ -148,7 +148,7 @@ dev = [
     "matplotlib==3.10.8",
     "mypy-extensions==1.0.0",
     "mypy==1.13.0",
-    "onyx-devtools==0.7.2",
+    "onyx-devtools==0.7.5",
     "openapi-generator-cli==7.17.0",
     "pandas-stubs~=2.3.3",
     "pre-commit==3.2.2",
@@ -195,6 +195,9 @@ model_server = [
     "sentry-sdk[fastapi,celery,starlette]==2.14.0",
 ]
 
+[tool.uv]
+default-groups = ["backend", "dev", "ee", "model_server"]
+
 [tool.mypy]
 plugins = "sqlalchemy.ext.mypy.plugin"
 mypy_path = "backend"
@@ -230,7 +233,7 @@ follow_imports = "skip"
 ignore_errors = true
 
 [tool.uv.workspace]
-members = ["backend", "tools/ods"]
+members = ["tools/ods"]
 
 [tool.basedpyright]
 include = ["backend"]

tools/ods/README.md

@@ -244,6 +244,54 @@ ods web lint
 ods web test --watch
 ```
 
+### `dev` - Devcontainer Management
+
+Manage the Onyx devcontainer. Also available as `ods dc`.
+
+Requires the [devcontainer CLI](https://github.com/devcontainers/cli) (`npm install -g @devcontainers/cli`).
+
+```shell
+ods dev <subcommand>
+```
+
+**Subcommands:**
+
+- `up` - Start the devcontainer (pulls the image if needed)
+- `into` - Open a zsh shell inside the running devcontainer
+- `exec` - Run an arbitrary command inside the devcontainer
+- `restart` - Remove and recreate the devcontainer
+- `rebuild` - Pull the latest published image and recreate
+- `stop` - Stop the running devcontainer
+
+The devcontainer image is published to `onyxdotapp/onyx-devcontainer` and
+referenced by tag in `.devcontainer/devcontainer.json` — no local build needed.
+
+**Examples:**
+
+```shell
+# Start the devcontainer
+ods dev up
+
+# Open a shell
+ods dev into
+
+# Run a command
+ods dev exec -- npm test
+
+# Restart the container
+ods dev restart
+
+# Pull latest image and recreate
+ods dev rebuild
+
+# Stop the container
+ods dev stop
+
+# Same commands work with the dc alias
+ods dc up
+ods dc into
+```
+
 ### `db` - Database Administration
 
 Manage PostgreSQL database dumps, restores, and migrations.

tools/ods/cmd/deploy.go

@@ -0,0 +1,19 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// NewDeployCommand creates the parent `ods deploy` command. Subcommands hang
+// off it (e.g. `ods deploy edge`) and represent ad-hoc deployment workflows.
+func NewDeployCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "deploy",
+		Short: "Trigger ad-hoc deployments",
+		Long:  "Trigger ad-hoc deployments to Onyx-managed environments.",
+	}
+
+	cmd.AddCommand(NewDeployEdgeCommand())
+
+	return cmd
+}

tools/ods/cmd/deploy_edge.go

@@ -0,0 +1,353 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"os/exec"
+	"sort"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/onyx-dot-app/onyx/tools/ods/internal/config"
+	"github.com/onyx-dot-app/onyx/tools/ods/internal/git"
+	"github.com/onyx-dot-app/onyx/tools/ods/internal/paths"
+	"github.com/onyx-dot-app/onyx/tools/ods/internal/prompt"
+)
+
+const (
+	onyxRepo               = "onyx-dot-app/onyx"
+	deploymentWorkflowFile = "deployment.yml"
+	edgeTagName            = "edge"
+
+	// Polling configuration. Build runs typically take 20-30 minutes; deploys
+	// are much shorter. The "discover" phase polls fast for a short window
+	// because the run usually appears within seconds of pushing the tag /
+	// dispatching the workflow.
+	runDiscoveryInterval = 5 * time.Second
+	runDiscoveryTimeout  = 2 * time.Minute
+	runProgressInterval  = 30 * time.Second
+	buildPollTimeout     = 60 * time.Minute
+	deployPollTimeout    = 30 * time.Minute
+)
+
+// DeployEdgeOptions holds options for the deploy edge command.
+type DeployEdgeOptions struct {
+	TargetRepo     string
+	TargetWorkflow string
+	DryRun         bool
+	Yes            bool
+	NoWaitDeploy   bool
+}
+
+// NewDeployEdgeCommand creates the `ods deploy edge` command.
+func NewDeployEdgeCommand() *cobra.Command {
+	opts := &DeployEdgeOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "edge",
+		Short: "Build edge images off main and deploy to the configured target",
+		Long: `Build edge images off origin/main and dispatch the configured deploy workflow.
+
+This command will:
+  1. Force-push the 'edge' tag to origin/main, triggering the build
+  2. Wait for the build workflow to finish
+  3. Dispatch the configured deploy workflow with version_tag=edge
+  4. Wait for the deploy workflow to finish
+
+All GitHub operations run through the gh CLI, so authorization is enforced
+by your gh credentials and GitHub's repo/workflow permissions.
+
+On first run, you'll be prompted for the deploy target repo and workflow
+filename. These are saved to the ods config file (~/.config/onyx-dev/config.json
+on Linux/macOS) and reused on subsequent runs. Pass --target-repo or
+--target-workflow to override the saved values.
+
+Example usage:
+
+    $ ods deploy edge`,
+		Args: cobra.NoArgs,
+		Run: func(cmd *cobra.Command, args []string) {
+			deployEdge(opts)
+		},
+	}
+
+	cmd.Flags().StringVar(&opts.TargetRepo, "target-repo", "", "GitHub repo (owner/name) hosting the deploy workflow; overrides saved config")
+	cmd.Flags().StringVar(&opts.TargetWorkflow, "target-workflow", "", "Filename of the deploy workflow within the target repo; overrides saved config")
+	cmd.Flags().BoolVar(&opts.DryRun, "dry-run", false, "Perform local operations only; skip pushing the tag and dispatching workflows")
+	cmd.Flags().BoolVar(&opts.Yes, "yes", false, "Skip the confirmation prompt")
+	cmd.Flags().BoolVar(&opts.NoWaitDeploy, "no-wait-deploy", false, "Do not wait for the deploy workflow to finish after dispatching it")
+
+	return cmd
+}
+
+func deployEdge(opts *DeployEdgeOptions) {
+	git.CheckGitHubCLI()
+
+	deployRepo, deployWorkflow := resolveDeployTarget(opts)
+
+	if opts.DryRun {
+		log.Warning("=== DRY RUN MODE: tag push and workflow dispatch will be skipped (read-only gh and git fetch still run) ===")
+	}
+
+	if !opts.Yes {
+		msg := "About to force-push tag 'edge' to origin/main and trigger an ad-hoc deploy. Continue? (Y/n): "
+		if !prompt.Confirm(msg) {
+			log.Info("Exiting...")
+			return
+		}
+	}
+
+	// Capture the most recent existing edge build run id BEFORE pushing, so we
+	// can reliably identify the new run we trigger and not pick up a stale one.
+	priorBuildRunID, err := latestWorkflowRunID(onyxRepo, deploymentWorkflowFile, "push", edgeTagName)
+	if err != nil {
+		log.Fatalf("Failed to query existing deployment runs: %v", err)
+	}
+	log.Debugf("Most recent prior edge build run id: %d", priorBuildRunID)
+
+	log.Info("Fetching origin/main...")
+	if err := git.RunCommand("fetch", "origin", "main"); err != nil {
+		log.Fatalf("Failed to fetch origin/main: %v", err)
+	}
+
+	if opts.DryRun {
+		log.Warnf("[DRY RUN] Would move local '%s' tag to origin/main", edgeTagName)
+		log.Warnf("[DRY RUN] Would force-push tag '%s' to origin", edgeTagName)
+		log.Warn("[DRY RUN] Would wait for build then dispatch the configured deploy workflow")
+		return
+	}
+
+	log.Infof("Moving local '%s' tag to origin/main...", edgeTagName)
+	if err := git.RunCommand("tag", "-f", edgeTagName, "origin/main"); err != nil {
+		log.Fatalf("Failed to move local tag: %v", err)
+	}
+
+	log.Infof("Force-pushing tag '%s' to origin...", edgeTagName)
+	if err := git.RunCommand("push", "-f", "origin", edgeTagName); err != nil {
+		log.Fatalf("Failed to push edge tag: %v", err)
+	}
+
+	// Find the new build run, then poll it to completion.
+	log.Info("Waiting for build workflow to start...")
+	buildRun, err := waitForNewRun(onyxRepo, deploymentWorkflowFile, "push", edgeTagName, priorBuildRunID)
+	if err != nil {
+		log.Fatalf("Failed to find triggered build run: %v", err)
+	}
+	log.Infof("Build run started: %s", buildRun.URL)
+
+	if err := waitForRunCompletion(onyxRepo, buildRun.DatabaseID, buildPollTimeout, "build"); err != nil {
+		log.Fatalf("Build did not complete successfully: %v", err)
+	}
+	log.Info("Build completed successfully.")
+
+	// Dispatch the deploy workflow.
+	priorDeployRunID, err := latestWorkflowRunID(deployRepo, deployWorkflow, "workflow_dispatch", "")
+	if err != nil {
+		log.Fatalf("Failed to query existing deploy runs: %v", err)
+	}
+	log.Debugf("Most recent prior deploy run id: %d", priorDeployRunID)
+
+	log.Info("Dispatching deploy workflow with version_tag=edge...")
+	if err := dispatchWorkflow(deployRepo, deployWorkflow, map[string]string{"version_tag": edgeTagName}); err != nil {
+		log.Fatalf("Failed to dispatch deploy workflow: %v", err)
+	}
+
+	deployRun, err := waitForNewRun(deployRepo, deployWorkflow, "workflow_dispatch", "", priorDeployRunID)
+	if err != nil {
+		log.Fatalf("Failed to find dispatched deploy run: %v", err)
+	}
+	log.Infof("Deploy run started: %s", deployRun.URL)
+	log.Info("A kickoff Slack message will appear in #monitor-deployments.")
+
+	if opts.NoWaitDeploy {
+		log.Info("--no-wait-deploy set; not waiting for deploy completion.")
+		return
+	}
+
+	if err := waitForRunCompletion(deployRepo, deployRun.DatabaseID, deployPollTimeout, "deploy"); err != nil {
+		log.Fatalf("Deploy did not complete successfully: %v", err)
+	}
+	log.Info("Deploy completed successfully.")
+}
+
+// resolveDeployTarget returns the deploy target repo and workflow to use,
+// preferring explicit flags, then saved config, then prompting the user on
+// first-time setup. Any newly-prompted values are persisted back to the
+// config file so subsequent runs are non-interactive.
+func resolveDeployTarget(opts *DeployEdgeOptions) (string, string) {
+	cfg, err := config.Load()
+	if err != nil {
+		log.Fatalf("Failed to load ods config: %v", err)
+	}
+
+	repo := opts.TargetRepo
+	if repo == "" {
+		repo = cfg.DeployEdge.TargetRepo
+	}
+	workflow := opts.TargetWorkflow
+	if workflow == "" {
+		workflow = cfg.DeployEdge.TargetWorkflow
+	}
+
+	prompted := false
+	if repo == "" {
+		log.Infof("First-time setup: ods will save your deploy target to %s", paths.ConfigFilePath())
+		repo = prompt.String("Deploy target repo (owner/name): ")
+		prompted = true
+	}
+	if workflow == "" {
+		workflow = prompt.String("Deploy workflow filename (e.g. some-workflow.yml): ")
+		prompted = true
+	}
+
+	if prompted {
+		cfg.DeployEdge.TargetRepo = repo
+		cfg.DeployEdge.TargetWorkflow = workflow
+		if err := config.Save(cfg); err != nil {
+			log.Fatalf("Failed to save ods config: %v", err)
+		}
+		log.Infof("Saved deploy target to %s", paths.ConfigFilePath())
+	}
+
+	return repo, workflow
+}
+
+// workflowRun is a partial representation of a `gh run list` JSON entry.
+type workflowRun struct {
+	DatabaseID int64  `json:"databaseId"`
+	Status     string `json:"status"`
+	Conclusion string `json:"conclusion"`
+	URL        string `json:"url"`
+	Event      string `json:"event"`
+	HeadBranch string `json:"headBranch"`
+}
+
+// latestWorkflowRunID returns the highest databaseId for runs of the given
+// workflow filtered by event (and optional branch). Returns 0 if no runs
+// exist yet, which is a valid state.
+func latestWorkflowRunID(repo, workflowFile, event, branch string) (int64, error) {
+	runs, err := listWorkflowRuns(repo, workflowFile, event, branch, 10)
+	if err != nil {
+		return 0, err
+	}
+	var maxID int64
+	for _, r := range runs {
+		if r.DatabaseID > maxID {
+			maxID = r.DatabaseID
+		}
+	}
+	return maxID, nil
+}
+
+func listWorkflowRuns(repo, workflowFile, event, branch string, limit int) ([]workflowRun, error) {
+	args := []string{
+		"run", "list",
+		"-R", repo,
+		"--workflow", workflowFile,
+		"--limit", fmt.Sprintf("%d", limit),
+		"--json", "databaseId,status,conclusion,url,event,headBranch",
+	}
+	if event != "" {
+		args = append(args, "--event", event)
+	}
+	if branch != "" {
+		args = append(args, "--branch", branch)
+	}
+	cmd := exec.Command("gh", args...)
+	output, err := cmd.Output()
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			return nil, fmt.Errorf("gh run list failed: %w: %s", err, string(exitErr.Stderr))
+		}
+		return nil, fmt.Errorf("gh run list failed: %w", err)
+	}
+	var runs []workflowRun
+	if err := json.Unmarshal(output, &runs); err != nil {
+		return nil, fmt.Errorf("failed to parse gh run list output: %w", err)
+	}
+	// Sort newest-first by databaseId for predictable iteration.
+	sort.Slice(runs, func(i, j int) bool { return runs[i].DatabaseID > runs[j].DatabaseID })
+	return runs, nil
+}
+
+// waitForNewRun polls until a workflow run with databaseId > priorRunID
+// appears, or the discovery timeout fires.
+func waitForNewRun(repo, workflowFile, event, branch string, priorRunID int64) (*workflowRun, error) {
+	deadline := time.Now().Add(runDiscoveryTimeout)
+	for {
+		runs, err := listWorkflowRuns(repo, workflowFile, event, branch, 5)
+		if err != nil {
+			return nil, err
+		}
+		for _, r := range runs {
+			if r.DatabaseID > priorRunID {
+				return &r, nil
+			}
+		}
+		if time.Now().After(deadline) {
+			return nil, fmt.Errorf("no new run appeared within %s", runDiscoveryTimeout)
+		}
+		time.Sleep(runDiscoveryInterval)
+	}
+}
+
+// waitForRunCompletion polls a specific run until it reaches a terminal
+// status. Returns an error if the run does not conclude with success or the
+// timeout fires.
+func waitForRunCompletion(repo string, runID int64, timeout time.Duration, label string) error {
+	deadline := time.Now().Add(timeout)
+	for {
+		run, err := getRun(repo, runID)
+		if err != nil {
+			return err
+		}
+		log.Infof("[%s] run %d status=%s conclusion=%s", label, runID, run.Status, run.Conclusion)
+		if run.Status == "completed" {
+			if run.Conclusion == "success" {
+				return nil
+			}
+			return fmt.Errorf("%s run %d concluded with status %q (see %s)", label, runID, run.Conclusion, run.URL)
+		}
+		if time.Now().After(deadline) {
+			return fmt.Errorf("%s run %d did not complete within %s (see %s)", label, runID, timeout, run.URL)
+		}
+		time.Sleep(runProgressInterval)
+	}
+}
+
+func getRun(repo string, runID int64) (*workflowRun, error) {
+	cmd := exec.Command(
+		"gh", "run", "view", fmt.Sprintf("%d", runID),
+		"-R", repo,
+		"--json", "databaseId,status,conclusion,url,event,headBranch",
+	)
+	output, err := cmd.Output()
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			return nil, fmt.Errorf("gh run view failed: %w: %s", err, string(exitErr.Stderr))
+		}
+		return nil, fmt.Errorf("gh run view failed: %w", err)
+	}
+	var run workflowRun
+	if err := json.Unmarshal(output, &run); err != nil {
+		return nil, fmt.Errorf("failed to parse gh run view output: %w", err)
+	}
+	return &run, nil
+}
+
+// dispatchWorkflow fires a workflow_dispatch event for the given workflow with
+// the supplied string inputs.
+func dispatchWorkflow(repo, workflowFile string, inputs map[string]string) error {
+	args := []string{"workflow", "run", workflowFile, "-R", repo}
+	for k, v := range inputs {
+		args = append(args, "-f", fmt.Sprintf("%s=%s", k, v))
+	}
+	cmd := exec.Command("gh", args...)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("gh workflow run failed: %w: %s", err, string(output))
+	}
+	return nil
+}

tools/ods/cmd/dev.go

@@ -0,0 +1,34 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// NewDevCommand creates the parent dev command for devcontainer operations.
+func NewDevCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "dev",
+		Aliases: []string{"dc"},
+		Short:   "Manage the devcontainer",
+		Long: `Manage the Onyx devcontainer.
+
+Wraps the devcontainer CLI with workspace-aware defaults.
+
+Commands:
+  up        Start the devcontainer
+  into      Open a shell inside the running devcontainer
+  exec      Run a command inside the devcontainer
+  restart   Remove and recreate the devcontainer
+  rebuild   Pull the latest image and recreate
+  stop      Stop the running devcontainer`,
+	}
+
+	cmd.AddCommand(newDevUpCommand())
+	cmd.AddCommand(newDevIntoCommand())
+	cmd.AddCommand(newDevExecCommand())
+	cmd.AddCommand(newDevRestartCommand())
+	cmd.AddCommand(newDevRebuildCommand())
+	cmd.AddCommand(newDevStopCommand())
+
+	return cmd
+}

tools/ods/cmd/dev_exec.go

@@ -0,0 +1,29 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func newDevExecCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "exec [--] <command> [args...]",
+		Short: "Run a command inside the devcontainer",
+		Long: `Run an arbitrary command inside the running devcontainer.
+All arguments are treated as positional (flags like -it are passed through).
+
+Examples:
+  ods dev exec npm test
+  ods dev exec -- ls -la
+  ods dev exec -it echo hello`,
+		Args:               cobra.MinimumNArgs(1),
+		DisableFlagParsing: true,
+		Run: func(cmd *cobra.Command, args []string) {
+			if len(args) > 0 && args[0] == "--" {
+				args = args[1:]
+			}
+			runDevExec(args)
+		},
+	}
+
+	return cmd
+}

tools/ods/cmd/dev_into.go

@@ -0,0 +1,53 @@
+package cmd
+
+import (
+	"os"
+	"os/exec"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/onyx-dot-app/onyx/tools/ods/internal/paths"
+)
+
+func newDevIntoCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "into",
+		Short: "Open a shell inside the running devcontainer",
+		Long: `Open an interactive zsh shell inside the running devcontainer.
+
+Examples:
+  ods dev into`,
+		Run: func(cmd *cobra.Command, args []string) {
+			runDevExec([]string{"zsh"})
+		},
+	}
+
+	return cmd
+}
+
+// runDevExec executes "devcontainer exec --workspace-folder <root> <command...>".
+func runDevExec(command []string) {
+	checkDevcontainerCLI()
+	ensureDockerSock()
+	ensureRemoteUser()
+
+	root, err := paths.GitRoot()
+	if err != nil {
+		log.Fatalf("Failed to find git root: %v", err)
+	}
+
+	args := []string{"exec", "--workspace-folder", root}
+	args = append(args, command...)
+
+	log.Debugf("Running: devcontainer %v", args)
+
+	c := exec.Command("devcontainer", args...)
+	c.Stdout = os.Stdout
+	c.Stderr = os.Stderr
+	c.Stdin = os.Stdin
+
+	if err := c.Run(); err != nil {
+		log.Fatalf("devcontainer exec failed: %v", err)
+	}
+}

tools/ods/cmd/dev_rebuild.go

@@ -0,0 +1,41 @@
+package cmd
+
+import (
+	"os"
+	"os/exec"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func newDevRebuildCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "rebuild",
+		Short: "Pull the latest devcontainer image and recreate",
+		Long: `Pull the latest devcontainer image and recreate the container.
+
+Use after the published image has been updated or after changing devcontainer.json.
+
+Examples:
+  ods dev rebuild`,
+		Run: func(cmd *cobra.Command, args []string) {
+			runDevRebuild()
+		},
+	}
+
+	return cmd
+}
+
+func runDevRebuild() {
+	image := devcontainerImage()
+
+	log.Infof("Pulling %s...", image)
+	pull := exec.Command("docker", "pull", image)
+	pull.Stdout = os.Stdout
+	pull.Stderr = os.Stderr
+	if err := pull.Run(); err != nil {
+		log.Warnf("Failed to pull image (continuing with local copy): %v", err)
+	}
+
+	runDevcontainer("up", []string{"--remove-existing-container"})
+}

tools/ods/cmd/dev_restart.go

@@ -0,0 +1,23 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func newDevRestartCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "restart",
+		Short: "Remove and recreate the devcontainer",
+		Long: `Remove the existing devcontainer and recreate it.
+
+Uses the cached image — for a full image rebuild, use "ods dev rebuild".
+
+Examples:
+  ods dev restart`,
+		Run: func(cmd *cobra.Command, args []string) {
+			runDevcontainer("up", []string{"--remove-existing-container"})
+		},
+	}
+
+	return cmd
+}

tools/ods/cmd/dev_stop.go

@@ -0,0 +1,56 @@
+package cmd
+
+import (
+	"os/exec"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/onyx-dot-app/onyx/tools/ods/internal/paths"
+)
+
+func newDevStopCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "stop",
+		Short: "Stop the running devcontainer",
+		Long: `Stop the running devcontainer.
+
+Examples:
+  ods dev stop`,
+		Run: func(cmd *cobra.Command, args []string) {
+			runDevStop()
+		},
+	}
+
+	return cmd
+}
+
+func runDevStop() {
+	root, err := paths.GitRoot()
+	if err != nil {
+		log.Fatalf("Failed to find git root: %v", err)
+	}
+
+	// Find the container by the devcontainer label
+	out, err := exec.Command(
+		"docker", "ps", "-q",
+		"--filter", "label=devcontainer.local_folder="+root,
+	).Output()
+	if err != nil {
+		log.Fatalf("Failed to find devcontainer: %v", err)
+	}
+
+	containerID := strings.TrimSpace(string(out))
+	if containerID == "" {
+		log.Info("No running devcontainer found")
+		return
+	}
+
+	log.Infof("Stopping devcontainer %s...", containerID)
+	c := exec.Command("docker", "stop", containerID)
+	if err := c.Run(); err != nil {
+		log.Fatalf("Failed to stop devcontainer: %v", err)
+	}
+	log.Info("Devcontainer stopped")
+}

tools/ods/cmd/dev_up.go

@@ -0,0 +1,223 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/onyx-dot-app/onyx/tools/ods/internal/paths"
+)
+
+func newDevUpCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "up",
+		Short: "Start the devcontainer",
+		Long: `Start the devcontainer, pulling the image if needed.
+
+Examples:
+  ods dev up`,
+		Run: func(cmd *cobra.Command, args []string) {
+			runDevcontainer("up", nil)
+		},
+	}
+
+	return cmd
+}
+
+// devcontainerImage reads the image field from .devcontainer/devcontainer.json.
+func devcontainerImage() string {
+	root, err := paths.GitRoot()
+	if err != nil {
+		log.Fatalf("Failed to find git root: %v", err)
+	}
+
+	data, err := os.ReadFile(filepath.Join(root, ".devcontainer", "devcontainer.json"))
+	if err != nil {
+		log.Fatalf("Failed to read devcontainer.json: %v", err)
+	}
+
+	var cfg struct {
+		Image string `json:"image"`
+	}
+	if err := json.Unmarshal(data, &cfg); err != nil {
+		log.Fatalf("Failed to parse devcontainer.json: %v", err)
+	}
+	if cfg.Image == "" {
+		log.Fatal("No image field in devcontainer.json")
+	}
+	return cfg.Image
+}
+
+// checkDevcontainerCLI ensures the devcontainer CLI is installed.
+func checkDevcontainerCLI() {
+	if _, err := exec.LookPath("devcontainer"); err != nil {
+		log.Fatal("devcontainer CLI is not installed. Install it with: npm install -g @devcontainers/cli")
+	}
+}
+
+// ensureDockerSock sets the DOCKER_SOCK environment variable if not already set.
+// devcontainer.json references ${localEnv:DOCKER_SOCK} for the socket mount.
+func ensureDockerSock() {
+	if os.Getenv("DOCKER_SOCK") != "" {
+		return
+	}
+
+	sock := detectDockerSock()
+	if err := os.Setenv("DOCKER_SOCK", sock); err != nil {
+		log.Fatalf("Failed to set DOCKER_SOCK: %v", err)
+	}
+}
+
+// detectDockerSock returns the path to the Docker socket on the host.
+func detectDockerSock() string {
+	// Prefer explicit DOCKER_HOST (strip unix:// prefix if present).
+	if dh := os.Getenv("DOCKER_HOST"); dh != "" {
+		const prefix = "unix://"
+		if len(dh) > len(prefix) && dh[:len(prefix)] == prefix {
+			return dh[len(prefix):]
+		}
+		// Only bare paths (starting with /) are valid socket paths.
+		// Non-unix schemes (e.g. tcp://) can't be bind-mounted.
+		if len(dh) > 0 && dh[0] == '/' {
+			return dh
+		}
+		log.Warnf("DOCKER_HOST=%q is not a unix socket path; falling back to local socket detection", dh)
+	}
+
+	// Linux rootless Docker: $XDG_RUNTIME_DIR/docker.sock
+	if runtime.GOOS == "linux" {
+		if xdg := os.Getenv("XDG_RUNTIME_DIR"); xdg != "" {
+			sock := filepath.Join(xdg, "docker.sock")
+			if _, err := os.Stat(sock); err == nil {
+				return sock
+			}
+		}
+	}
+
+	// macOS Docker Desktop: ~/.docker/run/docker.sock
+	if runtime.GOOS == "darwin" {
+		if home, err := os.UserHomeDir(); err == nil {
+			sock := filepath.Join(home, ".docker", "run", "docker.sock")
+			if _, err := os.Stat(sock); err == nil {
+				return sock
+			}
+		}
+	}
+
+	// Fallback: standard socket path (Linux with standard Docker, macOS symlink)
+	return "/var/run/docker.sock"
+}
+
+// worktreeGitMount returns a --mount flag value that makes a git worktree's
+// .git reference resolve inside the container. In a worktree, .git is a file
+// containing "gitdir: /path/to/main/.git/worktrees/<name>", so we need the
+// main repo's .git directory to exist at the same absolute host path inside
+// the container.
+//
+// Returns ("", false) when the workspace is not a worktree.
+func worktreeGitMount(root string) (string, bool) {
+	dotgit := filepath.Join(root, ".git")
+	info, err := os.Lstat(dotgit)
+	if err != nil || info.IsDir() {
+		return "", false // regular repo or no .git
+	}
+
+	// .git is a file — parse the gitdir path.
+	out, err := exec.Command("git", "-C", root, "rev-parse", "--git-common-dir").Output()
+	if err != nil {
+		log.Warnf("Failed to detect git common dir: %v", err)
+		return "", false
+	}
+	commonDir := strings.TrimSpace(string(out))
+
+	// Resolve to absolute path.
+	if !filepath.IsAbs(commonDir) {
+		commonDir = filepath.Join(root, commonDir)
+	}
+	commonDir, _ = filepath.EvalSymlinks(commonDir)
+
+	mount := fmt.Sprintf("type=bind,source=%s,target=%s", commonDir, commonDir)
+	log.Debugf("Worktree detected — mounting main .git: %s", commonDir)
+	return mount, true
+}
+
+// sshAgentMount returns a --mount flag value that forwards the host's SSH agent
+// socket into the container.  Returns ("", false) when SSH_AUTH_SOCK is unset or
+// the socket is not accessible.
+func sshAgentMount() (string, bool) {
+	sock := os.Getenv("SSH_AUTH_SOCK")
+	if sock == "" {
+		log.Debug("SSH_AUTH_SOCK not set — skipping SSH agent forwarding")
+		return "", false
+	}
+	if _, err := os.Stat(sock); err != nil {
+		log.Debugf("SSH_AUTH_SOCK=%s not accessible: %v", sock, err)
+		return "", false
+	}
+	mount := fmt.Sprintf("type=bind,source=%s,target=/tmp/ssh-agent.sock", sock)
+	log.Debugf("Forwarding SSH agent: %s", sock)
+	return mount, true
+}
+
+// ensureRemoteUser sets DEVCONTAINER_REMOTE_USER when rootless Docker is
+// detected.  Container root maps to the host user in rootless mode, so running
+// as root inside the container avoids the UID mismatch on new files.
+// Must be called after ensureDockerSock.
+func ensureRemoteUser() {
+	if os.Getenv("DEVCONTAINER_REMOTE_USER") != "" {
+		return
+	}
+
+	if runtime.GOOS == "linux" {
+		sock := os.Getenv("DOCKER_SOCK")
+		xdg := os.Getenv("XDG_RUNTIME_DIR")
+		// Heuristic: rootless Docker on Linux typically places its socket
+		// under $XDG_RUNTIME_DIR. If DOCKER_SOCK was set to a custom path
+		// outside XDG_RUNTIME_DIR, set DEVCONTAINER_REMOTE_USER=root manually.
+		if xdg != "" && strings.HasPrefix(sock, xdg) {
+			log.Debug("Rootless Docker detected — setting DEVCONTAINER_REMOTE_USER=root")
+			if err := os.Setenv("DEVCONTAINER_REMOTE_USER", "root"); err != nil {
+				log.Warnf("Failed to set DEVCONTAINER_REMOTE_USER: %v", err)
+			}
+		}
+	}
+}
+
+// runDevcontainer executes "devcontainer <action> --workspace-folder <root> [extraArgs...]".
+func runDevcontainer(action string, extraArgs []string) {
+	checkDevcontainerCLI()
+	ensureDockerSock()
+	ensureRemoteUser()
+
+	root, err := paths.GitRoot()
+	if err != nil {
+		log.Fatalf("Failed to find git root: %v", err)
+	}
+
+	args := []string{action, "--workspace-folder", root}
+	if mount, ok := worktreeGitMount(root); ok {
+		args = append(args, "--mount", mount)
+	}
+	if mount, ok := sshAgentMount(); ok {
+		args = append(args, "--mount", mount)
+	}
+	args = append(args, extraArgs...)
+
+	log.Debugf("Running: devcontainer %v", args)
+
+	c := exec.Command("devcontainer", args...)
+	c.Stdout = os.Stdout
+	c.Stderr = os.Stderr
+	c.Stdin = os.Stdin
+
+	if err := c.Run(); err != nil {
+		log.Fatalf("devcontainer %s failed: %v", action, err)
+	}
+}

tools/ods/cmd/root.go

@@ -45,6 +45,7 @@ func NewRootCommand() *cobra.Command {
 	cmd.AddCommand(NewCheckLazyImportsCommand())
 	cmd.AddCommand(NewCherryPickCommand())
 	cmd.AddCommand(NewDBCommand())
+	cmd.AddCommand(NewDeployCommand())
 	cmd.AddCommand(NewOpenAPICommand())
 	cmd.AddCommand(NewComposeCommand())
 	cmd.AddCommand(NewLogsCommand())
@@ -52,6 +53,7 @@ func NewRootCommand() *cobra.Command {
 	cmd.AddCommand(NewRunCICommand())
 	cmd.AddCommand(NewScreenshotDiffCommand())
 	cmd.AddCommand(NewDesktopCommand())
+	cmd.AddCommand(NewDevCommand())
 	cmd.AddCommand(NewWebCommand())
 	cmd.AddCommand(NewLatestStableTagCommand())
 	cmd.AddCommand(NewWhoisCommand())

tools/ods/internal/config/config.go

@@ -0,0 +1,56 @@
+package config
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/onyx-dot-app/onyx/tools/ods/internal/paths"
+)
+
+// DeployEdgeConfig holds the persisted settings for `ods deploy edge`.
+type DeployEdgeConfig struct {
+	TargetRepo     string `json:"target_repo,omitempty"`
+	TargetWorkflow string `json:"target_workflow,omitempty"`
+}
+
+// Config is the top-level on-disk schema for ~/.config/onyx-dev/config.json.
+// New per-command sections should be added as additional fields.
+type Config struct {
+	DeployEdge DeployEdgeConfig `json:"deploy_edge,omitempty"`
+}
+
+// Load reads the config file. Returns a zero-valued Config if the file does
+// not exist (a fresh first-run state, not an error).
+func Load() (*Config, error) {
+	path := paths.ConfigFilePath()
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return &Config{}, nil
+		}
+		return nil, fmt.Errorf("failed to read config file %s: %w", path, err)
+	}
+	var cfg Config
+	if err := json.Unmarshal(data, &cfg); err != nil {
+		return nil, fmt.Errorf("failed to parse config file %s: %w", path, err)
+	}
+	return &cfg, nil
+}
+
+// Save persists the config to disk, creating the parent directory if needed.
+func Save(cfg *Config) error {
+	if err := paths.EnsureConfigDir(); err != nil {
+		return fmt.Errorf("failed to create config directory: %w", err)
+	}
+	data, err := json.MarshalIndent(cfg, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal config: %w", err)
+	}
+	path := paths.ConfigFilePath()
+	if err := os.WriteFile(path, data, 0644); err != nil {
+		return fmt.Errorf("failed to write config file %s: %w", path, err)
+	}
+	return nil
+}

tools/ods/internal/paths/paths.go

@@ -47,6 +47,43 @@ func DataDir() string {
 	return filepath.Join(base, "onyx-dev")
 }
 
+// ConfigDir returns the per-user config directory for onyx-dev tools.
+// On Linux/macOS: ~/.config/onyx-dev/ (respects XDG_CONFIG_HOME)
+// On Windows:    %APPDATA%/onyx-dev/
+func ConfigDir() string {
+	var base string
+	if runtime.GOOS == "windows" {
+		base = os.Getenv("APPDATA")
+		if base == "" {
+			base = os.Getenv("USERPROFILE")
+			if base == "" {
+				log.Fatalf("Cannot determine config directory: APPDATA and USERPROFILE are not set")
+			}
+			base = filepath.Join(base, "AppData", "Roaming")
+		}
+	} else {
+		base = os.Getenv("XDG_CONFIG_HOME")
+		if base == "" {
+			home, err := os.UserHomeDir()
+			if err != nil || home == "" {
+				log.Fatalf("Cannot determine config directory: XDG_CONFIG_HOME not set and home directory unknown: %v", err)
+			}
+			base = filepath.Join(home, ".config")
+		}
+	}
+	return filepath.Join(base, "onyx-dev")
+}
+
+// ConfigFilePath returns the path to the ods config file.
+func ConfigFilePath() string {
+	return filepath.Join(ConfigDir(), "config.json")
+}
+
+// EnsureConfigDir creates the config directory if it doesn't exist.
+func EnsureConfigDir() error {
+	return os.MkdirAll(ConfigDir(), 0755)
+}
+
 // SnapshotsDir returns the directory for database snapshots.
 func SnapshotsDir() string {
 	return filepath.Join(DataDir(), "snapshots")

tools/ods/internal/prompt/prompt.go

@@ -12,6 +12,23 @@ import (
 // reader is the input reader, can be replaced for testing
 var reader = bufio.NewReader(os.Stdin)
 
+// String prompts the user for a free-form line of input. Re-prompts until a
+// non-empty value is entered.
+func String(prompt string) string {
+	for {
+		fmt.Print(prompt)
+		response, err := reader.ReadString('\n')
+		if err != nil {
+			log.Fatalf("Failed to read input: %v", err)
+		}
+		response = strings.TrimSpace(response)
+		if response != "" {
+			return response
+		}
+		fmt.Println("Value cannot be empty.")
+	}
+}
+
 // Confirm prompts the user with a yes/no question and returns true for yes, false for no.
 // It will keep prompting until a valid response is given.
 // Empty input (just pressing Enter) defaults to yes.

uv.lock

@@ -14,12 +14,6 @@ resolution-markers = [
     "python_full_version < '3.12' and sys_platform != 'win32'",
 ]
 
-[manifest]
-members = [
-    "onyx",
-    "onyx-backend",
-]
-
 [[package]]
 name = "accelerate"
 version = "1.6.0"
@@ -4234,7 +4228,7 @@ dependencies = [
     { name = "voyageai" },
 ]
 
-[package.optional-dependencies]
+[package.dev-dependencies]
 backend = [
     { name = "aiohttp" },
     { name = "alembic" },
@@ -4388,195 +4382,191 @@ model-server = [
 
 [package.metadata]
 requires-dist = [
-    { name = "accelerate", marker = "extra == 'model-server'", specifier = "==1.6.0" },
     { name = "agent-client-protocol", specifier = ">=0.7.1" },
     { name = "aioboto3", specifier = "==15.1.0" },
-    { name = "aiohttp", marker = "extra == 'backend'", specifier = "==3.13.4" },
-    { name = "alembic", marker = "extra == 'backend'", specifier = "==1.10.4" },
-    { name = "asana", marker = "extra == 'backend'", specifier = "==5.0.8" },
-    { name = "asyncpg", marker = "extra == 'backend'", specifier = "==0.30.0" },
-    { name = "atlassian-python-api", marker = "extra == 'backend'", specifier = "==3.41.16" },
-    { name = "azure-cognitiveservices-speech", marker = "extra == 'backend'", specifier = "==1.38.0" },
-    { name = "beautifulsoup4", marker = "extra == 'backend'", specifier = "==4.12.3" },
-    { name = "black", marker = "extra == 'dev'", specifier = "==25.1.0" },
-    { name = "boto3", marker = "extra == 'backend'", specifier = "==1.39.11" },
-    { name = "boto3-stubs", extras = ["s3"], marker = "extra == 'backend'", specifier = "==1.39.11" },
-    { name = "braintrust", marker = "extra == 'backend'", specifier = "==0.3.9" },
     { name = "brotli", specifier = ">=1.2.0" },
-    { name = "celery", marker = "extra == 'backend'", specifier = "==5.5.1" },
-    { name = "celery-types", marker = "extra == 'dev'", specifier = "==0.19.0" },
-    { name = "chardet", marker = "extra == 'backend'", specifier = "==5.2.0" },
-    { name = "chonkie", marker = "extra == 'backend'", specifier = "==1.0.10" },
     { name = "claude-agent-sdk", specifier = ">=0.1.19" },
     { name = "cohere", specifier = "==5.6.1" },
-    { name = "dask", marker = "extra == 'backend'", specifier = "==2026.1.1" },
-    { name = "ddtrace", marker = "extra == 'backend'", specifier = "==3.10.0" },
     { name = "discord-py", specifier = "==2.4.0" },
-    { name = "discord-py", marker = "extra == 'backend'", specifier = "==2.4.0" },
-    { name = "distributed", marker = "extra == 'backend'", specifier = "==2026.1.1" },
-    { name = "dropbox", marker = "extra == 'backend'", specifier = "==12.0.2" },
-    { name = "einops", marker = "extra == 'model-server'", specifier = "==0.8.1" },
-    { name = "exa-py", marker = "extra == 'backend'", specifier = "==1.15.4" },
-    { name = "faker", marker = "extra == 'dev'", specifier = "==40.1.2" },
     { name = "fastapi", specifier = "==0.133.1" },
-    { name = "fastapi-limiter", marker = "extra == 'backend'", specifier = "==0.1.6" },
-    { name = "fastapi-users", marker = "extra == 'backend'", specifier = "==15.0.4" },
-    { name = "fastapi-users-db-sqlalchemy", marker = "extra == 'backend'", specifier = "==7.0.0" },
-    { name = "fastmcp", marker = "extra == 'backend'", specifier = "==3.2.0" },
-    { name = "filelock", marker = "extra == 'backend'", specifier = "==3.20.3" },
-    { name = "google-api-python-client", marker = "extra == 'backend'", specifier = "==2.86.0" },
-    { name = "google-auth-httplib2", marker = "extra == 'backend'", specifier = "==0.1.0" },
-    { name = "google-auth-oauthlib", marker = "extra == 'backend'", specifier = "==1.0.0" },
     { name = "google-genai", specifier = "==1.52.0" },
-    { name = "hatchling", marker = "extra == 'dev'", specifier = "==1.28.0" },
-    { name = "httpcore", marker = "extra == 'backend'", specifier = "==1.0.9" },
-    { name = "httpx", extras = ["http2"], marker = "extra == 'backend'", specifier = "==0.28.1" },
-    { name = "httpx-oauth", marker = "extra == 'backend'", specifier = "==0.15.1" },
-    { name = "hubspot-api-client", marker = "extra == 'backend'", specifier = "==11.1.0" },
-    { name = "huggingface-hub", marker = "extra == 'backend'", specifier = "==0.35.3" },
-    { name = "inflection", marker = "extra == 'backend'", specifier = "==0.5.1" },
-    { name = "ipykernel", marker = "extra == 'dev'", specifier = "==6.29.5" },
-    { name = "jira", marker = "extra == 'backend'", specifier = "==3.10.5" },
-    { name = "jsonref", marker = "extra == 'backend'", specifier = "==1.1.0" },
     { name = "kubernetes", specifier = ">=31.0.0" },
-    { name = "kubernetes", marker = "extra == 'backend'", specifier = "==31.0.0" },
-    { name = "langchain-core", marker = "extra == 'backend'", specifier = "==1.2.22" },
-    { name = "langfuse", marker = "extra == 'backend'", specifier = "==3.10.0" },
-    { name = "lazy-imports", marker = "extra == 'backend'", specifier = "==1.0.1" },
     { name = "litellm", specifier = "==1.81.6" },
-    { name = "lxml", marker = "extra == 'backend'", specifier = "==5.3.0" },
-    { name = "mako", marker = "extra == 'backend'", specifier = "==1.2.4" },
-    { name = "manygo", marker = "extra == 'dev'", specifier = "==0.2.0" },
-    { name = "markitdown", extras = ["pdf", "docx", "pptx", "xlsx", "xls"], marker = "extra == 'backend'", specifier = "==0.1.2" },
-    { name = "matplotlib", marker = "extra == 'dev'", specifier = "==3.10.8" },
-    { name = "mcp", extras = ["cli"], marker = "extra == 'backend'", specifier = "==1.26.0" },
-    { name = "mistune", marker = "extra == 'backend'", specifier = "==3.2.0" },
-    { name = "msal", marker = "extra == 'backend'", specifier = "==1.34.0" },
-    { name = "msoffcrypto-tool", marker = "extra == 'backend'", specifier = "==5.4.2" },
-    { name = "mypy", marker = "extra == 'dev'", specifier = "==1.13.0" },
-    { name = "mypy-extensions", marker = "extra == 'dev'", specifier = "==1.0.0" },
-    { name = "nest-asyncio", marker = "extra == 'backend'", specifier = "==1.6.0" },
-    { name = "numpy", marker = "extra == 'model-server'", specifier = "==2.4.1" },
-    { name = "oauthlib", marker = "extra == 'backend'", specifier = "==3.2.2" },
-    { name = "office365-rest-python-client", marker = "extra == 'backend'", specifier = "==2.6.2" },
-    { name = "onyx-devtools", marker = "extra == 'dev'", specifier = "==0.7.2" },
     { name = "openai", specifier = "==2.14.0" },
-    { name = "openapi-generator-cli", marker = "extra == 'dev'", specifier = "==7.17.0" },
-    { name = "openinference-instrumentation", marker = "extra == 'backend'", specifier = "==0.1.42" },
-    { name = "openpyxl", marker = "extra == 'backend'", specifier = "==3.0.10" },
-    { name = "opensearch-py", marker = "extra == 'backend'", specifier = "==3.0.0" },
-    { name = "opentelemetry-proto", marker = "extra == 'backend'", specifier = ">=1.39.0" },
-    { name = "pandas-stubs", marker = "extra == 'dev'", specifier = "~=2.3.3" },
-    { name = "passlib", marker = "extra == 'backend'", specifier = "==1.7.4" },
-    { name = "playwright", marker = "extra == 'backend'", specifier = "==1.55.0" },
-    { name = "posthog", marker = "extra == 'ee'", specifier = "==3.7.4" },
-    { name = "pre-commit", marker = "extra == 'dev'", specifier = "==3.2.2" },
     { name = "prometheus-client", specifier = ">=0.21.1" },
     { name = "prometheus-fastapi-instrumentator", specifier = "==7.1.0" },
-    { name = "psutil", marker = "extra == 'backend'", specifier = "==7.1.3" },
-    { name = "psycopg2-binary", marker = "extra == 'backend'", specifier = "==2.9.9" },
-    { name = "puremagic", marker = "extra == 'backend'", specifier = "==1.28" },
-    { name = "pyairtable", marker = "extra == 'backend'", specifier = "==3.0.1" },
-    { name = "pycryptodome", marker = "extra == 'backend'", specifier = "==3.19.1" },
     { name = "pydantic", specifier = "==2.11.7" },
-    { name = "pygithub", marker = "extra == 'backend'", specifier = "==2.5.0" },
-    { name = "pympler", marker = "extra == 'backend'", specifier = "==1.1" },
-    { name = "pypandoc-binary", marker = "extra == 'backend'", specifier = "==1.16.2" },
-    { name = "pypdf", marker = "extra == 'backend'", specifier = "==6.9.2" },
-    { name = "pytest", marker = "extra == 'dev'", specifier = "==8.3.5" },
-    { name = "pytest-alembic", marker = "extra == 'dev'", specifier = "==0.12.1" },
-    { name = "pytest-asyncio", marker = "extra == 'dev'", specifier = "==1.3.0" },
-    { name = "pytest-dotenv", marker = "extra == 'dev'", specifier = "==0.5.2" },
-    { name = "pytest-mock", marker = "extra == 'backend'", specifier = "==3.12.0" },
-    { name = "pytest-playwright", marker = "extra == 'backend'", specifier = "==0.7.0" },
-    { name = "pytest-repeat", marker = "extra == 'dev'", specifier = "==0.9.4" },
-    { name = "pytest-xdist", marker = "extra == 'dev'", specifier = "==3.8.0" },
-    { name = "python-dateutil", marker = "extra == 'backend'", specifier = "==2.8.2" },
-    { name = "python-docx", marker = "extra == 'backend'", specifier = "==1.1.2" },
-    { name = "python-dotenv", marker = "extra == 'backend'", specifier = "==1.1.1" },
-    { name = "python-gitlab", marker = "extra == 'backend'", specifier = "==5.6.0" },
-    { name = "python-multipart", marker = "extra == 'backend'", specifier = "==0.0.22" },
-    { name = "python-pptx", marker = "extra == 'backend'", specifier = "==0.6.23" },
-    { name = "python3-saml", marker = "extra == 'backend'", specifier = "==1.15.0" },
-    { name = "pywikibot", marker = "extra == 'backend'", specifier = "==9.0.0" },
-    { name = "rapidfuzz", marker = "extra == 'backend'", specifier = "==3.13.0" },
-    { name = "redis", marker = "extra == 'backend'", specifier = "==5.0.8" },
-    { name = "release-tag", marker = "extra == 'dev'", specifier = "==0.5.2" },
-    { name = "reorder-python-imports-black", marker = "extra == 'dev'", specifier = "==3.14.0" },
-    { name = "requests", marker = "extra == 'backend'", specifier = "==2.33.0" },
-    { name = "requests-oauthlib", marker = "extra == 'backend'", specifier = "==1.3.1" },
     { name = "retry", specifier = "==0.9.2" },
-    { name = "rfc3986", marker = "extra == 'backend'", specifier = "==1.5.0" },
-    { name = "ruff", marker = "extra == 'dev'", specifier = "==0.12.0" },
-    { name = "safetensors", marker = "extra == 'model-server'", specifier = "==0.5.3" },
-    { name = "sendgrid", marker = "extra == 'backend'", specifier = "==6.12.5" },
-    { name = "sentence-transformers", marker = "extra == 'model-server'", specifier = "==4.0.2" },
     { name = "sentry-sdk", specifier = "==2.14.0" },
-    { name = "sentry-sdk", extras = ["fastapi", "celery", "starlette"], marker = "extra == 'model-server'", specifier = "==2.14.0" },
-    { name = "shapely", marker = "extra == 'backend'", specifier = "==2.0.6" },
-    { name = "simple-salesforce", marker = "extra == 'backend'", specifier = "==1.12.6" },
-    { name = "slack-sdk", marker = "extra == 'backend'", specifier = "==3.20.2" },
-    { name = "sqlalchemy", extras = ["mypy"], marker = "extra == 'backend'", specifier = "==2.0.15" },
-    { name = "starlette", marker = "extra == 'backend'", specifier = "==0.49.3" },
-    { name = "stripe", marker = "extra == 'backend'", specifier = "==10.12.0" },
-    { name = "supervisor", marker = "extra == 'backend'", specifier = "==4.3.0" },
-    { name = "tiktoken", marker = "extra == 'backend'", specifier = "==0.7.0" },
-    { name = "timeago", marker = "extra == 'backend'", specifier = "==1.0.16" },
-    { name = "torch", marker = "extra == 'model-server'", specifier = "==2.9.1" },
-    { name = "trafilatura", marker = "extra == 'backend'", specifier = "==1.12.2" },
-    { name = "transformers", marker = "extra == 'model-server'", specifier = "==4.53.0" },
-    { name = "types-beautifulsoup4", marker = "extra == 'dev'", specifier = "==4.12.0.3" },
-    { name = "types-html5lib", marker = "extra == 'dev'", specifier = "==1.1.11.13" },
-    { name = "types-oauthlib", marker = "extra == 'dev'", specifier = "==3.2.0.9" },
-    { name = "types-openpyxl", marker = "extra == 'backend'", specifier = "==3.0.4.7" },
-    { name = "types-passlib", marker = "extra == 'dev'", specifier = "==1.7.7.20240106" },
-    { name = "types-pillow", marker = "extra == 'dev'", specifier = "==10.2.0.20240822" },
-    { name = "types-psutil", marker = "extra == 'dev'", specifier = "==7.1.3.20251125" },
-    { name = "types-psycopg2", marker = "extra == 'dev'", specifier = "==2.9.21.10" },
-    { name = "types-python-dateutil", marker = "extra == 'dev'", specifier = "==2.8.19.13" },
-    { name = "types-pytz", marker = "extra == 'dev'", specifier = "==2023.3.1.1" },
-    { name = "types-pyyaml", marker = "extra == 'dev'", specifier = "==6.0.12.11" },
-    { name = "types-regex", marker = "extra == 'dev'", specifier = "==2023.3.23.1" },
-    { name = "types-requests", marker = "extra == 'dev'", specifier = "==2.32.0.20250328" },
-    { name = "types-retry", marker = "extra == 'dev'", specifier = "==0.9.9.3" },
-    { name = "types-setuptools", marker = "extra == 'dev'", specifier = "==68.0.0.3" },
-    { name = "unstructured", marker = "extra == 'backend'", specifier = "==0.18.27" },
-    { name = "unstructured-client", marker = "extra == 'backend'", specifier = "==0.42.6" },
-    { name = "urllib3", marker = "extra == 'backend'", specifier = "==2.6.3" },
     { name = "uvicorn", specifier = "==0.35.0" },
     { name = "voyageai", specifier = "==0.2.3" },
-    { name = "xmlsec", marker = "extra == 'backend'", specifier = "==1.3.14" },
-    { name = "zizmor", marker = "extra == 'dev'", specifier = "==1.18.0" },
-    { name = "zulip", marker = "extra == 'backend'", specifier = "==0.8.2" },
-]
-provides-extras = ["backend", "dev", "ee", "model-server"]
-
-[[package]]
-name = "onyx-backend"
-version = "0.0.0"
-source = { virtual = "backend" }
-dependencies = [
-    { name = "onyx", extra = ["backend", "dev", "ee"] },
 ]
 
-[package.metadata]
-requires-dist = [{ name = "onyx", extras = ["backend", "dev", "ee"], editable = "." }]
+[package.metadata.requires-dev]
+backend = [
+    { name = "aiohttp", specifier = "==3.13.4" },
+    { name = "alembic", specifier = "==1.10.4" },
+    { name = "asana", specifier = "==5.0.8" },
+    { name = "asyncpg", specifier = "==0.30.0" },
+    { name = "atlassian-python-api", specifier = "==3.41.16" },
+    { name = "azure-cognitiveservices-speech", specifier = "==1.38.0" },
+    { name = "beautifulsoup4", specifier = "==4.12.3" },
+    { name = "boto3", specifier = "==1.39.11" },
+    { name = "boto3-stubs", extras = ["s3"], specifier = "==1.39.11" },
+    { name = "braintrust", specifier = "==0.3.9" },
+    { name = "celery", specifier = "==5.5.1" },
+    { name = "chardet", specifier = "==5.2.0" },
+    { name = "chonkie", specifier = "==1.0.10" },
+    { name = "dask", specifier = "==2026.1.1" },
+    { name = "ddtrace", specifier = "==3.10.0" },
+    { name = "discord-py", specifier = "==2.4.0" },
+    { name = "distributed", specifier = "==2026.1.1" },
+    { name = "dropbox", specifier = "==12.0.2" },
+    { name = "exa-py", specifier = "==1.15.4" },
+    { name = "fastapi-limiter", specifier = "==0.1.6" },
+    { name = "fastapi-users", specifier = "==15.0.4" },
+    { name = "fastapi-users-db-sqlalchemy", specifier = "==7.0.0" },
+    { name = "fastmcp", specifier = "==3.2.0" },
+    { name = "filelock", specifier = "==3.20.3" },
+    { name = "google-api-python-client", specifier = "==2.86.0" },
+    { name = "google-auth-httplib2", specifier = "==0.1.0" },
+    { name = "google-auth-oauthlib", specifier = "==1.0.0" },
+    { name = "httpcore", specifier = "==1.0.9" },
+    { name = "httpx", extras = ["http2"], specifier = "==0.28.1" },
+    { name = "httpx-oauth", specifier = "==0.15.1" },
+    { name = "hubspot-api-client", specifier = "==11.1.0" },
+    { name = "huggingface-hub", specifier = "==0.35.3" },
+    { name = "inflection", specifier = "==0.5.1" },
+    { name = "jira", specifier = "==3.10.5" },
+    { name = "jsonref", specifier = "==1.1.0" },
+    { name = "kubernetes", specifier = "==31.0.0" },
+    { name = "langchain-core", specifier = "==1.2.22" },
+    { name = "langfuse", specifier = "==3.10.0" },
+    { name = "lazy-imports", specifier = "==1.0.1" },
+    { name = "lxml", specifier = "==5.3.0" },
+    { name = "mako", specifier = "==1.2.4" },
+    { name = "markitdown", extras = ["pdf", "docx", "pptx", "xlsx", "xls"], specifier = "==0.1.2" },
+    { name = "mcp", extras = ["cli"], specifier = "==1.26.0" },
+    { name = "mistune", specifier = "==3.2.0" },
+    { name = "msal", specifier = "==1.34.0" },
+    { name = "msoffcrypto-tool", specifier = "==5.4.2" },
+    { name = "nest-asyncio", specifier = "==1.6.0" },
+    { name = "oauthlib", specifier = "==3.2.2" },
+    { name = "office365-rest-python-client", specifier = "==2.6.2" },
+    { name = "openinference-instrumentation", specifier = "==0.1.42" },
+    { name = "openpyxl", specifier = "==3.0.10" },
+    { name = "opensearch-py", specifier = "==3.0.0" },
+    { name = "opentelemetry-proto", specifier = ">=1.39.0" },
+    { name = "passlib", specifier = "==1.7.4" },
+    { name = "playwright", specifier = "==1.55.0" },
+    { name = "psutil", specifier = "==7.1.3" },
+    { name = "psycopg2-binary", specifier = "==2.9.9" },
+    { name = "puremagic", specifier = "==1.28" },
+    { name = "pyairtable", specifier = "==3.0.1" },
+    { name = "pycryptodome", specifier = "==3.19.1" },
+    { name = "pygithub", specifier = "==2.5.0" },
+    { name = "pympler", specifier = "==1.1" },
+    { name = "pypandoc-binary", specifier = "==1.16.2" },
+    { name = "pypdf", specifier = "==6.9.2" },
+    { name = "pytest-mock", specifier = "==3.12.0" },
+    { name = "pytest-playwright", specifier = "==0.7.0" },
+    { name = "python-dateutil", specifier = "==2.8.2" },
+    { name = "python-docx", specifier = "==1.1.2" },
+    { name = "python-dotenv", specifier = "==1.1.1" },
+    { name = "python-gitlab", specifier = "==5.6.0" },
+    { name = "python-multipart", specifier = "==0.0.22" },
+    { name = "python-pptx", specifier = "==0.6.23" },
+    { name = "python3-saml", specifier = "==1.15.0" },
+    { name = "pywikibot", specifier = "==9.0.0" },
+    { name = "rapidfuzz", specifier = "==3.13.0" },
+    { name = "redis", specifier = "==5.0.8" },
+    { name = "requests", specifier = "==2.33.0" },
+    { name = "requests-oauthlib", specifier = "==1.3.1" },
+    { name = "rfc3986", specifier = "==1.5.0" },
+    { name = "sendgrid", specifier = "==6.12.5" },
+    { name = "shapely", specifier = "==2.0.6" },
+    { name = "simple-salesforce", specifier = "==1.12.6" },
+    { name = "slack-sdk", specifier = "==3.20.2" },
+    { name = "sqlalchemy", extras = ["mypy"], specifier = "==2.0.15" },
+    { name = "starlette", specifier = "==0.49.3" },
+    { name = "stripe", specifier = "==10.12.0" },
+    { name = "supervisor", specifier = "==4.3.0" },
+    { name = "tiktoken", specifier = "==0.7.0" },
+    { name = "timeago", specifier = "==1.0.16" },
+    { name = "trafilatura", specifier = "==1.12.2" },
+    { name = "types-openpyxl", specifier = "==3.0.4.7" },
+    { name = "unstructured", specifier = "==0.18.27" },
+    { name = "unstructured-client", specifier = "==0.42.6" },
+    { name = "urllib3", specifier = "==2.6.3" },
+    { name = "xmlsec", specifier = "==1.3.14" },
+    { name = "zulip", specifier = "==0.8.2" },
+]
+dev = [
+    { name = "black", specifier = "==25.1.0" },
+    { name = "celery-types", specifier = "==0.19.0" },
+    { name = "faker", specifier = "==40.1.2" },
+    { name = "hatchling", specifier = "==1.28.0" },
+    { name = "ipykernel", specifier = "==6.29.5" },
+    { name = "manygo", specifier = "==0.2.0" },
+    { name = "matplotlib", specifier = "==3.10.8" },
+    { name = "mypy", specifier = "==1.13.0" },
+    { name = "mypy-extensions", specifier = "==1.0.0" },
+    { name = "onyx-devtools", specifier = "==0.7.5" },
+    { name = "openapi-generator-cli", specifier = "==7.17.0" },
+    { name = "pandas-stubs", specifier = "~=2.3.3" },
+    { name = "pre-commit", specifier = "==3.2.2" },
+    { name = "pytest", specifier = "==8.3.5" },
+    { name = "pytest-alembic", specifier = "==0.12.1" },
+    { name = "pytest-asyncio", specifier = "==1.3.0" },
+    { name = "pytest-dotenv", specifier = "==0.5.2" },
+    { name = "pytest-repeat", specifier = "==0.9.4" },
+    { name = "pytest-xdist", specifier = "==3.8.0" },
+    { name = "release-tag", specifier = "==0.5.2" },
+    { name = "reorder-python-imports-black", specifier = "==3.14.0" },
+    { name = "ruff", specifier = "==0.12.0" },
+    { name = "types-beautifulsoup4", specifier = "==4.12.0.3" },
+    { name = "types-html5lib", specifier = "==1.1.11.13" },
+    { name = "types-oauthlib", specifier = "==3.2.0.9" },
+    { name = "types-passlib", specifier = "==1.7.7.20240106" },
+    { name = "types-pillow", specifier = "==10.2.0.20240822" },
+    { name = "types-psutil", specifier = "==7.1.3.20251125" },
+    { name = "types-psycopg2", specifier = "==2.9.21.10" },
+    { name = "types-python-dateutil", specifier = "==2.8.19.13" },
+    { name = "types-pytz", specifier = "==2023.3.1.1" },
+    { name = "types-pyyaml", specifier = "==6.0.12.11" },
+    { name = "types-regex", specifier = "==2023.3.23.1" },
+    { name = "types-requests", specifier = "==2.32.0.20250328" },
+    { name = "types-retry", specifier = "==0.9.9.3" },
+    { name = "types-setuptools", specifier = "==68.0.0.3" },
+    { name = "zizmor", specifier = "==1.18.0" },
+]
+ee = [{ name = "posthog", specifier = "==3.7.4" }]
+model-server = [
+    { name = "accelerate", specifier = "==1.6.0" },
+    { name = "einops", specifier = "==0.8.1" },
+    { name = "numpy", specifier = "==2.4.1" },
+    { name = "safetensors", specifier = "==0.5.3" },
+    { name = "sentence-transformers", specifier = "==4.0.2" },
+    { name = "sentry-sdk", extras = ["fastapi", "celery", "starlette"], specifier = "==2.14.0" },
+    { name = "torch", specifier = "==2.9.1" },
+    { name = "transformers", specifier = "==4.53.0" },
+]
 
 [[package]]
 name = "onyx-devtools"
-version = "0.7.2"
+version = "0.7.5"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "fastapi" },
     { name = "openapi-generator-cli" },
 ]
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/22/b0/765ed49157470e8ccc8ab89e6a896ade50cde3aa2a494662ad4db92a48c4/onyx_devtools-0.7.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:553a2b5e61b29b7913c991c8d5aed78f930f0f81a0f42229c6a8de2b1e8ff57e", size = 4203859, upload-time = "2026-03-27T15:09:49.63Z" },
-    { url = "https://files.pythonhosted.org/packages/f7/9d/bba0a44a16d2fc27e5441aaf10727e10514e7a49bce70eca02bced566eb9/onyx_devtools-0.7.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:5cf0782dca8b3d861de9e18e65e990cfce5161cd559df44d8fabd3fefd54fdcd", size = 3879750, upload-time = "2026-03-27T15:09:42.413Z" },
-    { url = "https://files.pythonhosted.org/packages/4d/d8/c5725e8af14c74fe0aeed29e4746400bb3c0a078fd1240df729dc6432b84/onyx_devtools-0.7.2-py3-none-manylinux_2_17_aarch64.whl", hash = "sha256:9a0d67373e16b4fbb38a5290c0d9dfd4cfa837e5da0c165b32841b9d37f7455b", size = 3743529, upload-time = "2026-03-27T15:09:44.546Z" },
-    { url = "https://files.pythonhosted.org/packages/1a/82/b7c398a21dbc3e14fd7a29e49caa86b1bc0f8d7c75c051514785441ab779/onyx_devtools-0.7.2-py3-none-manylinux_2_17_x86_64.whl", hash = "sha256:794af14b2de575d0ae41b94551399eca8f8ba9b950c5db7acb7612767fd228f9", size = 4166562, upload-time = "2026-03-27T15:09:49.471Z" },
-    { url = "https://files.pythonhosted.org/packages/26/76/be129e2baafc91fe792d919b1f4d73fc943ba9c2b728a60f1fb98e0c115a/onyx_devtools-0.7.2-py3-none-win_amd64.whl", hash = "sha256:83b3eb84df58d865e4f714222a5fab3ea464836e2c8690569454a940bbb651ff", size = 4282270, upload-time = "2026-03-27T15:09:44.676Z" },
-    { url = "https://files.pythonhosted.org/packages/3b/72/29b8c8dbcf069c56475f00511f04c4aaa5ba3faba1dfc8276107d4b3ef7f/onyx_devtools-0.7.2-py3-none-win_arm64.whl", hash = "sha256:62f0836624ee6a5b31e64fd93162e7fce142ac8a4f959607e411824bc2b88174", size = 3823053, upload-time = "2026-03-27T15:09:43.546Z" },
+    { url = "https://files.pythonhosted.org/packages/cb/f8/844e34f5126ae40fff0d012bba0b28f031f8871062759bb3789eae4f5e0a/onyx_devtools-0.7.5-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:b3cd434c722ae48a1f651748a9f094711b29d1a9f37fbbadef3144f2cdb0f16d", size = 4238900, upload-time = "2026-04-10T07:02:16.382Z" },
+    { url = "https://files.pythonhosted.org/packages/2d/97/d1db725f900b199fa3f7a7a7c9b51ae75d4b18755c924f00f06a7703e552/onyx_devtools-0.7.5-py3-none-macosx_11_0_arm64.whl", hash = "sha256:c50e3d76d4f8cc4faa6250e758d42f0249067f0e17bc82b99c6c00dd48114393", size = 3913672, upload-time = "2026-04-10T07:02:17.46Z" },
+    { url = "https://files.pythonhosted.org/packages/31/83/e11bedb0a1321b63c844a418be1990c172ed363c6ee612978c3a38df71f1/onyx_devtools-0.7.5-py3-none-manylinux_2_17_aarch64.whl", hash = "sha256:ec01aeaaa14854b0933bb85bbfc51184599d3dbf1c0097ff59c1c72db8222a5a", size = 3779585, upload-time = "2026-04-10T07:02:16.31Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/85/128d25cd35c1adc436dcff9ab4f2c20cf29528d09415280c1230ff0ca993/onyx_devtools-0.7.5-py3-none-manylinux_2_17_x86_64.whl", hash = "sha256:586d50ecb6dcea95611135e4cd4529ebedd8ab84a41b1adf3be1280a48dc52af", size = 4201962, upload-time = "2026-04-10T07:02:14.466Z" },
+    { url = "https://files.pythonhosted.org/packages/99/5d/83c80f918b399fea998cd41bfe90bda733eda77e133ca4dc1e9ce18a9b4a/onyx_devtools-0.7.5-py3-none-win_amd64.whl", hash = "sha256:c45d80f0093ba738120b77c4c0bde13843e33d786ae8608eb10490f06183d89b", size = 4320088, upload-time = "2026-04-10T07:02:17.09Z" },
+    { url = "https://files.pythonhosted.org/packages/26/bf/b9c85cc61981bd71c0f1cbb50192763b11788a7c8636b1e01f750251c92c/onyx_devtools-0.7.5-py3-none-win_arm64.whl", hash = "sha256:9852a7cc29939371e016b794f2cffdb88680280d857d24c191c5188884416a3d", size = 3858839, upload-time = "2026-04-10T07:02:20.098Z" },
 ]
 
 [[package]]

web/lib/opal/scripts/README.md

@@ -14,21 +14,23 @@ All scripts in this directory should be run from the **opal package root** (`web
 web/lib/opal/
 ├── scripts/                          # SVG conversion tooling (this directory)
 │   ├── convert-svg.sh                # Converts SVGs into React components
-│   └── icon-template.js              # Shared SVGR template (used for both icons and illustrations)
+│   └── icon-template.js              # Shared SVGR template (used for icons, logos, and illustrations)
 ├── src/
 │   ├── icons/                        # Small, single-colour icons (stroke = currentColor)
+│   ├── logos/                        # Brand/vendor logos (original colours preserved)
 │   └── illustrations/                # Larger, multi-colour illustrations (colours preserved)
 └── package.json
 ```
 
-## Icons vs Illustrations
+## Icons vs Logos vs Illustrations
 
-| | Icons | Illustrations |
-|---|---|---|
-| **Import path** | `@opal/icons` | `@opal/illustrations` |
-| **Location** | `src/icons/` | `src/illustrations/` |
-| **Colour** | Overridable via `currentColor` | Fixed — original SVG colours preserved |
-| **Script flag** | (none) | `--illustration` |
+| | Icons | Logos | Illustrations |
+|---|---|---|---|
+| **Import path** | `@opal/icons` | `@opal/logos` | `@opal/illustrations` |
+| **Location** | `src/icons/` | `src/logos/` | `src/illustrations/` |
+| **Colour** | Overridable via `currentColor` | Fixed — original brand colours preserved | Fixed — original SVG colours preserved |
+| **Script flag** | (none) | `--logo` | `--illustration` |
+| **Use case** | UI elements, actions, navigation | Provider logos, platform logos, brand marks | Empty states, error pages, placeholders |
 
 ## Files in This Directory
 
@@ -49,12 +51,19 @@ Converts an SVG into a React component. Behaviour depends on the mode:
 - Adds `width={size}`, `height={size}`, and `stroke="currentColor"`
 - Result is colour-overridable via CSS `color` property
 
+**Logo mode** (`--logo`):
+- Strips only `width` and `height` attributes (all colours preserved)
+- Adds `width={size}` and `height={size}`
+- Does **not** add `stroke="currentColor"` — logos keep their original brand colours
+
 **Illustration mode** (`--illustration`):
 - Strips only `width` and `height` attributes (all colours preserved)
 - Adds `width={size}` and `height={size}`
 - Does **not** add `stroke="currentColor"` — illustrations keep their original colours
 
-Both modes automatically delete the source SVG file after successful conversion.
+Both `--logo` and `--illustration` produce the same output — the distinction is purely organizational (different directories, different barrel exports).
+
+All modes automatically delete the source SVG file after successful conversion.
 
 ## Adding New SVGs
 
@@ -70,6 +79,18 @@ Then add the export to `src/icons/index.ts`:
 export { default as SvgMyIcon } from "@opal/icons/my-icon";
 ```
 
+### Logos
+
+```sh
+# From web/lib/opal/
+./scripts/convert-svg.sh --logo src/logos/my-logo.svg
+```
+
+Then add the export to `src/logos/index.ts`:
+```ts
+export { default as SvgMyLogo } from "@opal/logos/my-logo";
+```
+
 ### Illustrations
 
 ```sh
@@ -91,7 +112,7 @@ If you prefer to run the SVGR command directly:
 bunx @svgr/cli <file>.svg --typescript --svgo-config '{"plugins":[{"name":"removeAttrs","params":{"attrs":["stroke","stroke-opacity","width","height"]}}]}' --template scripts/icon-template.js > <file>.tsx
 ```
 
-**For illustrations** (preserves colours):
+**For logos and illustrations** (preserves colours):
 ```sh
 bunx @svgr/cli <file>.svg --typescript --svgo-config '{"plugins":[{"name":"removeAttrs","params":{"attrs":["width","height"]}}]}' --template scripts/icon-template.js > <file>.tsx
 ```

web/lib/opal/scripts/convert-svg.sh

@@ -4,30 +4,36 @@
 #
 # By default, converts to a colour-overridable icon (stroke colours stripped, replaced with currentColor).
 # With --illustration, converts to a fixed-colour illustration (all original colours preserved).
+# With --logo, converts to a fixed-colour logo (all original colours preserved, same as illustration).
 #
 # Usage (from the opal package root — web/lib/opal/):
 #   ./scripts/convert-svg.sh src/icons/<filename.svg>
 #   ./scripts/convert-svg.sh --illustration src/illustrations/<filename.svg>
+#   ./scripts/convert-svg.sh --logo src/logos/<filename.svg>
 
-ILLUSTRATION=false
+MODE="icon"
 
 # Parse flags
 while [[ "$1" == --* ]]; do
   case "$1" in
     --illustration)
-      ILLUSTRATION=true
+      MODE="illustration"
+      shift
+      ;;
+    --logo)
+      MODE="logo"
       shift
       ;;
     *)
       echo "Unknown flag: $1" >&2
-      echo "Usage: ./scripts/convert-svg.sh [--illustration] <filename.svg>" >&2
+      echo "Usage: ./scripts/convert-svg.sh [--illustration | --logo] <filename.svg>" >&2
       exit 1
       ;;
   esac
 done
 
 if [ -z "$1" ]; then
-  echo "Usage: ./scripts/convert-svg.sh [--illustration] <filename.svg>" >&2
+  echo "Usage: ./scripts/convert-svg.sh [--illustration | --logo] <filename.svg>" >&2
   exit 1
 fi
 
@@ -49,12 +55,12 @@ fi
 BASE_NAME="${SVG_FILE%.svg}"
 
 # Build the SVGO config based on mode
-if [ "$ILLUSTRATION" = true ]; then
-  # Illustrations: only strip width and height (preserve all colours)
-  SVGO_CONFIG='{"plugins":[{"name":"removeAttrs","params":{"attrs":["width","height"]}}]}'
-else
+if [ "$MODE" = "icon" ]; then
   # Icons: strip stroke, stroke-opacity, width, and height
   SVGO_CONFIG='{"plugins":[{"name":"removeAttrs","params":{"attrs":["stroke","stroke-opacity","width","height"]}}]}'
+else
+  # Illustrations and logos: only strip width and height (preserve all colours)
+  SVGO_CONFIG='{"plugins":[{"name":"removeAttrs","params":{"attrs":["width","height"]}}]}'
 fi
 
 # Resolve the template path relative to this script (not the caller's CWD)
@@ -85,7 +91,7 @@ if [ $? -eq 0 ]; then
   fi
 
   # Icons additionally get stroke="currentColor"
-  if [ "$ILLUSTRATION" = false ]; then
+  if [ "$MODE" = "icon" ]; then
     perl -i -pe 's/\{\.\.\.props\}/stroke="currentColor" {...props}/g' "${BASE_NAME}.tsx"
     if [ $? -ne 0 ]; then
       echo "Error: Failed to add stroke attribute" >&2
@@ -106,7 +112,7 @@ if [ $? -eq 0 ]; then
   fi
 
   # For icons, also verify stroke="currentColor" was added
-  if [ "$ILLUSTRATION" = false ]; then
+  if [ "$MODE" = "icon" ]; then
     if ! grep -q 'stroke="currentColor"' "${BASE_NAME}.tsx"; then
       echo "Error: Post-processing did not add stroke=\"currentColor\"" >&2
       exit 1

web/lib/opal/src/components/divider/Divider.stories.tsx

@@ -0,0 +1,46 @@
+import React from "react";
+import type { Meta, StoryObj } from "@storybook/react";
+import { Divider } from "@opal/components/divider/components";
+
+const meta: Meta<typeof Divider> = {
+  title: "opal/components/Divider",
+  component: Divider,
+  tags: ["autodocs"],
+};
+
+export default meta;
+type Story = StoryObj<typeof Divider>;
+
+export const Plain: Story = {
+  render: () => <Divider />,
+};
+
+export const WithTitle: Story = {
+  render: () => <Divider title="Section" />,
+};
+
+export const WithDescription: Story = {
+  render: () => (
+    <Divider description="Additional configuration options for power users." />
+  ),
+};
+
+export const Foldable: Story = {
+  render: () => (
+    <Divider title="Advanced Options" foldable defaultOpen={false}>
+      <div style={{ padding: "0.5rem 0" }}>
+        <p>This content is revealed when the divider is expanded.</p>
+      </div>
+    </Divider>
+  ),
+};
+
+export const FoldableDefaultOpen: Story = {
+  render: () => (
+    <Divider title="Details" foldable defaultOpen>
+      <div style={{ padding: "0.5rem 0" }}>
+        <p>This starts open by default.</p>
+      </div>
+    </Divider>
+  ),
+};

web/lib/opal/src/components/divider/README.md

@@ -0,0 +1,62 @@
+# Divider
+
+**Import:** `import { Divider } from "@opal/components";`
+
+A horizontal rule that optionally displays a title, description, or foldable content section.
+
+## Props
+
+The component uses a discriminated union with four variants. `title` and `description` are mutually exclusive; `foldable` requires `title`.
+
+### Bare divider
+
+No props — renders a plain horizontal line.
+
+### Titled divider
+
+| Prop | Type | Default | Description |
+|---|---|---|---|
+| `title` | `string \| RichStr` | **(required)** | Label to the left of the line |
+
+### Described divider
+
+| Prop | Type | Default | Description |
+|---|---|---|---|
+| `description` | `string \| RichStr` | **(required)** | Text below the line |
+
+### Foldable divider
+
+| Prop | Type | Default | Description |
+|---|---|---|---|
+| `title` | `string \| RichStr` | **(required)** | Label to the left of the line |
+| `foldable` | `true` | **(required)** | Enables fold/expand behavior |
+| `open` | `boolean` | — | Controlled open state |
+| `defaultOpen` | `boolean` | `false` | Uncontrolled initial open state |
+| `onOpenChange` | `(open: boolean) => void` | — | Callback when toggled |
+| `children` | `ReactNode` | — | Content revealed when open |
+
+## Usage Examples
+
+```tsx
+import { Divider } from "@opal/components";
+
+// Plain line
+<Divider />
+
+// With title
+<Divider title="Advanced" />
+
+// With description
+<Divider description="Additional configuration options." />
+
+// Foldable
+<Divider title="Advanced Options" foldable>
+  <p>Hidden content here</p>
+</Divider>
+
+// Controlled foldable
+const [open, setOpen] = useState(false);
+<Divider title="Details" foldable open={open} onOpenChange={setOpen}>
+  <p>Controlled content</p>
+</Divider>
+```

web/lib/opal/src/components/divider/components.tsx

@@ -0,0 +1,163 @@
+"use client";
+
+import "@opal/components/divider/styles.css";
+import { useState, useCallback } from "react";
+import type { RichStr } from "@opal/types";
+import { Button, Text } from "@opal/components";
+import { SvgChevronRight } from "@opal/icons";
+import { Interactive } from "@opal/core";
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+interface DividerNeverFields {
+  open?: never;
+  defaultOpen?: never;
+  onOpenChange?: never;
+  children?: never;
+}
+
+/** Plain line — no title, no description. */
+interface DividerBareProps extends DividerNeverFields {
+  title?: never;
+  description?: never;
+  foldable?: false;
+  ref?: React.Ref<HTMLDivElement>;
+}
+
+/** Line with a title to the left. */
+interface DividerTitledProps extends DividerNeverFields {
+  title: string | RichStr;
+  description?: never;
+  foldable?: false;
+  ref?: React.Ref<HTMLDivElement>;
+}
+
+/** Line with a description below. */
+interface DividerDescribedProps extends DividerNeverFields {
+  title?: never;
+  /** Description rendered below the divider line. */
+  description: string | RichStr;
+  foldable?: false;
+  ref?: React.Ref<HTMLDivElement>;
+}
+
+/** Foldable — requires title, reveals children. */
+interface DividerFoldableProps {
+  /** Title is required when foldable. */
+  title: string | RichStr;
+  foldable: true;
+  description?: never;
+  /** Controlled open state. */
+  open?: boolean;
+  /** Uncontrolled default open state. */
+  defaultOpen?: boolean;
+  /** Callback when open state changes. */
+  onOpenChange?: (open: boolean) => void;
+  /** Content revealed when open. */
+  children?: React.ReactNode;
+  ref?: React.Ref<HTMLDivElement>;
+}
+
+type DividerProps =
+  | DividerBareProps
+  | DividerTitledProps
+  | DividerDescribedProps
+  | DividerFoldableProps;
+
+// ---------------------------------------------------------------------------
+// Divider
+// ---------------------------------------------------------------------------
+
+function Divider(props: DividerProps) {
+  if (props.foldable) {
+    return <FoldableDivider {...props} />;
+  }
+
+  const { ref } = props;
+  const title = "title" in props ? props.title : undefined;
+  const description = "description" in props ? props.description : undefined;
+
+  return (
+    <div ref={ref} className="opal-divider">
+      <div className="opal-divider-row">
+        {title && (
+          <div className="opal-divider-title">
+            <Text font="secondary-body" color="text-03" nowrap>
+              {title}
+            </Text>
+          </div>
+        )}
+        <div className="opal-divider-line" />
+      </div>
+      {description && (
+        <div className="opal-divider-description">
+          <Text font="secondary-body" color="text-03">
+            {description}
+          </Text>
+        </div>
+      )}
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// FoldableDivider (internal)
+// ---------------------------------------------------------------------------
+
+function FoldableDivider({
+  title,
+  open: controlledOpen,
+  defaultOpen = false,
+  onOpenChange,
+  children,
+}: DividerFoldableProps) {
+  const [internalOpen, setInternalOpen] = useState(defaultOpen);
+  const isControlled = controlledOpen !== undefined;
+  const isOpen = isControlled ? controlledOpen : internalOpen;
+
+  const toggle = useCallback(() => {
+    const next = !isOpen;
+    if (!isControlled) setInternalOpen(next);
+    onOpenChange?.(next);
+  }, [isOpen, isControlled, onOpenChange]);
+
+  return (
+    <>
+      <Interactive.Stateless
+        variant="default"
+        prominence="tertiary"
+        interaction={isOpen ? "hover" : "rest"}
+        onClick={toggle}
+      >
+        <Interactive.Container
+          roundingVariant="sm"
+          heightVariant="fit"
+          widthVariant="full"
+        >
+          <div className="opal-divider">
+            <div className="opal-divider-row">
+              <div className="opal-divider-title">
+                <Text font="secondary-body" color="inherit" nowrap>
+                  {title}
+                </Text>
+              </div>
+              <div className="opal-divider-line" />
+              <div className="opal-divider-chevron" data-open={isOpen}>
+                <Button
+                  icon={SvgChevronRight}
+                  size="sm"
+                  prominence="tertiary"
+                />
+              </div>
+            </div>
+          </div>
+        </Interactive.Container>
+      </Interactive.Stateless>
+      {isOpen && children}
+    </>
+  );
+}
+
+export { Divider, type DividerProps };

web/lib/opal/src/components/divider/styles.css

@@ -0,0 +1,38 @@
+/* ---------------------------------------------------------------------------
+   Divider
+
+   A horizontal rule with optional title, foldable chevron, or description.
+   --------------------------------------------------------------------------- */
+
+.opal-divider {
+  @apply flex flex-col w-full;
+  padding: 0.25rem 0.5rem;
+  gap: 0.75rem;
+}
+
+.opal-divider-row {
+  @apply flex flex-row items-center w-full;
+  gap: 2px;
+  padding: 0px;
+}
+
+.opal-divider-title {
+  @apply flex flex-col justify-center;
+  padding: 0px 2px;
+}
+
+.opal-divider-line {
+  @apply flex-1 h-px bg-border-01;
+}
+
+.opal-divider-description {
+  padding: 0px 2px;
+}
+
+.opal-divider-chevron {
+  @apply transition-transform duration-200 ease-in-out;
+}
+
+.opal-divider-chevron[data-open="true"] {
+  transform: rotate(90deg);
+}

web/lib/opal/src/components/index.ts

@@ -54,6 +54,12 @@ export {
   type TagColor,
 } from "@opal/components/tag/components";
 
+/* Divider */
+export {
+  Divider,
+  type DividerProps,
+} from "@opal/components/divider/components";
+
 /* Card */
 export {
   Card,

web/lib/opal/src/icons/DiscordMono.tsx

@@ -1,15 +0,0 @@
-import type { IconProps } from "@opal/types";
-const SvgDiscordMono = ({ size, ...props }: IconProps) => (
-  <svg
-    width={size}
-    height={size}
-    viewBox="0 0 52 52"
-    fill="currentColor"
-    xmlns="http://www.w3.org/2000/svg"
-    stroke="currentColor"
-    {...props}
-  >
-    <path d="M32.7571 7.80005C32.288 8.63286 31.8668 9.4944 31.4839 10.3751C27.8463 9.82945 24.1417 9.82945 20.4946 10.3751C20.1213 9.4944 19.6905 8.63286 19.2214 7.80005C15.804 8.384 12.4727 9.40825 9.31379 10.8537C3.05329 20.1296 1.35894 29.1661 2.20134 38.0782C5.86763 40.7872 9.97429 42.8549 14.349 44.1759C15.3349 42.8549 16.2061 41.4477 16.9527 39.9831C15.536 39.4566 14.1671 38.7961 12.8556 38.0303C13.2002 37.7814 13.5353 37.523 13.8608 37.2741C21.5476 40.8925 30.4501 40.8925 38.1465 37.2741C38.4719 37.5421 38.807 37.8006 39.1516 38.0303C37.8401 38.8057 36.4713 39.4566 35.0449 39.9927C35.7916 41.4573 36.6627 42.8645 37.6487 44.1855C42.0233 42.8645 46.1299 40.8064 49.7965 38.0973C50.7918 27.7589 48.0924 18.799 42.6646 10.8633C39.5154 9.41784 36.1841 8.39355 32.7666 7.81919L32.7571 7.80005ZM18.0248 32.5931C15.6604 32.5931 13.698 30.4488 13.698 27.7972C13.698 25.1456 15.5838 22.9918 18.0153 22.9918C20.4468 22.9918 22.3804 25.1552 22.3421 27.7972C22.3038 30.4393 20.4372 32.5931 18.0248 32.5931ZM33.9728 32.5931C31.5988 32.5931 29.6556 30.4488 29.6556 27.7972C29.6556 25.1456 31.5414 22.9918 33.9728 22.9918C36.4043 22.9918 38.3284 25.1552 38.29 27.7972C38.2518 30.4393 36.3851 32.5931 33.9728 32.5931Z" />
-  </svg>
-);
-export default SvgDiscordMono;

web/lib/opal/src/icons/discord.tsx

@@ -0,0 +1,19 @@
+import type { IconProps } from "@opal/types";
+
+const SvgDiscord = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    strokeWidth={1.5}
+    strokeLinecap="round"
+    strokeLinejoin="round"
+    {...props}
+  >
+    <path d="M5.5 12.5C5.5 12.5 4.88936 13.6396 4.60178 13.9974C3.32584 13.6396 2.12806 13.0796 1.05872 12.3459C0.813023 9.93224 1.30721 6.33924 3.13319 3.82703C4.05454 3.43555 5.00325 3.15815 6 3C6.1368 3.22555 6.39111 3.76148 6.5 4C7.56375 3.85223 8.43903 3.85223 9.5 4C9.61167 3.76148 9.86319 3.22555 10 3C10.9968 3.15556 11.942 3.43815 12.8605 3.82963C14.4436 5.97887 15.2309 9.55113 14.9406 12.3511C13.8712 13.0848 12.6735 13.6422 11.3975 14C11.11 13.6422 10.5 12.5 10.5 12.5M5.5 12.5C5.14663 12.3965 4.25 12 4.25 12M5.5 12.5C7.12611 12.9761 8.87249 12.9759 10.5 12.5M10.5 12.5C10.854 12.3965 11.75 12 11.75 12M5.66002 10C5.02612 10 4.5 9.44167 4.5 8.75125C4.5 8.06083 5.00558 7.5 5.65746 7.5C6.30934 7.5 6.82775 8.06331 6.81749 8.75125C6.80722 9.43918 6.30677 10 5.66002 10ZM10.3424 10C9.70591 10 9.18493 9.44167 9.18493 8.75125C9.18493 8.06083 9.69052 7.5 10.3424 7.5C10.9943 7.5 11.5101 8.06331 11.4998 8.75125C11.4896 9.43918 10.9891 10 10.3424 10Z" />
+  </svg>
+);
+export default SvgDiscord;

web/lib/opal/src/icons/icons.stories.tsx

@@ -0,0 +1,44 @@
+import React from "react";
+import type { Meta, StoryObj } from "@storybook/react";
+import * as Icons from "@opal/icons";
+
+const icons = Object.entries(Icons).map(([name, Component]) => ({
+  name: name.replace(/^Svg/, ""),
+  Component,
+}));
+
+const meta: Meta = {
+  title: "opal/icons/All Icons",
+  tags: ["autodocs"],
+};
+
+export default meta;
+type Story = StoryObj;
+
+export const AllIcons: Story = {
+  render: () => (
+    <div
+      style={{
+        display: "grid",
+        gridTemplateColumns: "repeat(auto-fill, 100px)",
+        gap: 16,
+      }}
+    >
+      {icons.map(({ name, Component }) => (
+        <div
+          key={name}
+          style={{
+            display: "flex",
+            flexDirection: "column",
+            alignItems: "center",
+            gap: 8,
+            padding: 8,
+          }}
+        >
+          <Component size={24} />
+          <span style={{ fontSize: 11, textAlign: "center" }}>{name}</span>
+        </div>
+      ))}
+    </div>
+  ),
+};

web/lib/opal/src/icons/index.ts

@@ -19,12 +19,9 @@ export { default as SvgArrowUpRight } from "@opal/icons/arrow-up-right";
 export { default as SvgArrowWallRight } from "@opal/icons/arrow-wall-right";
 export { default as SvgAudio } from "@opal/icons/audio";
 export { default as SvgAudioEqSmall } from "@opal/icons/audio-eq-small";
-export { default as SvgAws } from "@opal/icons/aws";
-export { default as SvgAzure } from "@opal/icons/azure";
 export { default as SvgBarChart } from "@opal/icons/bar-chart";
 export { default as SvgBarChartSmall } from "@opal/icons/bar-chart-small";
 export { default as SvgBell } from "@opal/icons/bell";
-export { default as SvgBifrost } from "@opal/icons/bifrost";
 export { default as SvgBlocks } from "@opal/icons/blocks";
 export { default as SvgBookOpen } from "@opal/icons/book-open";
 export { default as SvgBookmark } from "@opal/icons/bookmark";
@@ -45,7 +42,6 @@ export { default as SvgChevronRight } from "@opal/icons/chevron-right";
 export { default as SvgChevronUp } from "@opal/icons/chevron-up";
 export { default as SvgChevronUpSmall } from "@opal/icons/chevron-up-small";
 export { default as SvgCircle } from "@opal/icons/circle";
-export { default as SvgClaude } from "@opal/icons/claude";
 export { default as SvgClipboard } from "@opal/icons/clipboard";
 export { default as SvgClock } from "@opal/icons/clock";
 export { default as SvgClockHandsSmall } from "@opal/icons/clock-hands-small";
@@ -59,8 +55,8 @@ export { default as SvgCurate } from "@opal/icons/curate";
 export { default as SvgCreditCard } from "@opal/icons/credit-card";
 export { default as SvgDashboard } from "@opal/icons/dashboard";
 export { default as SvgDevKit } from "@opal/icons/dev-kit";
+export { default as SvgDiscord } from "@opal/icons/discord";
 export { default as SvgDownload } from "@opal/icons/download";
-export { default as SvgDiscordMono } from "@opal/icons/DiscordMono";
 export { default as SvgDownloadCloud } from "@opal/icons/download-cloud";
 export { default as SvgEdit } from "@opal/icons/edit";
 export { default as SvgEditBig } from "@opal/icons/edit-big";
@@ -84,7 +80,6 @@ export { default as SvgFolderIn } from "@opal/icons/folder-in";
 export { default as SvgFolderOpen } from "@opal/icons/folder-open";
 export { default as SvgFolderPartialOpen } from "@opal/icons/folder-partial-open";
 export { default as SvgFolderPlus } from "@opal/icons/folder-plus";
-export { default as SvgGemini } from "@opal/icons/gemini";
 export { default as SvgGlobe } from "@opal/icons/globe";
 export { default as SvgHandle } from "@opal/icons/handle";
 export { default as SvgHardDrive } from "@opal/icons/hard-drive";
@@ -105,8 +100,6 @@ export { default as SvgLightbulbSimple } from "@opal/icons/lightbulb-simple";
 export { default as SvgLineChartUp } from "@opal/icons/line-chart-up";
 export { default as SvgLink } from "@opal/icons/link";
 export { default as SvgLinkedDots } from "@opal/icons/linked-dots";
-export { default as SvgLitellm } from "@opal/icons/litellm";
-export { default as SvgLmStudio } from "@opal/icons/lm-studio";
 export { default as SvgLoader } from "@opal/icons/loader";
 export { default as SvgLock } from "@opal/icons/lock";
 export { default as SvgLogOut } from "@opal/icons/log-out";
@@ -122,13 +115,7 @@ export { default as SvgMoreHorizontal } from "@opal/icons/more-horizontal";
 export { default as SvgMusicSmall } from "@opal/icons/music-small";
 export { default as SvgNetworkGraph } from "@opal/icons/network-graph";
 export { default as SvgNotificationBubble } from "@opal/icons/notification-bubble";
-export { default as SvgOllama } from "@opal/icons/ollama";
-export { default as SvgOnyxLogo } from "@opal/icons/onyx-logo";
-export { default as SvgOnyxLogoTyped } from "@opal/icons/onyx-logo-typed";
 export { default as SvgOnyxOctagon } from "@opal/icons/onyx-octagon";
-export { default as SvgOnyxTyped } from "@opal/icons/onyx-typed";
-export { default as SvgOpenai } from "@opal/icons/openai";
-export { default as SvgOpenrouter } from "@opal/icons/openrouter";
 export { default as SvgOrganization } from "@opal/icons/organization";
 export { default as SvgPaintBrush } from "@opal/icons/paint-brush";
 export { default as SvgPaperclip } from "@opal/icons/paperclip";
@@ -184,6 +171,7 @@ export { default as SvgTrash } from "@opal/icons/trash";
 export { default as SvgTwoLineSmall } from "@opal/icons/two-line-small";
 export { default as SvgUnplug } from "@opal/icons/unplug";
 export { default as SvgUploadCloud } from "@opal/icons/upload-cloud";
+export { default as SvgUploadSquare } from "@opal/icons/upload-square";
 export { default as SvgUser } from "@opal/icons/user";
 export { default as SvgUserCheck } from "@opal/icons/user-check";
 export { default as SvgUserEdit } from "@opal/icons/user-edit";

web/lib/opal/src/icons/slack.tsx

@@ -8,63 +8,19 @@ const SvgSlack = ({ size, ...props }: IconProps) => (
     fill="none"
     xmlns="http://www.w3.org/2000/svg"
     stroke="currentColor"
+    strokeWidth={1.5}
+    strokeLinecap="round"
+    strokeLinejoin="round"
     {...props}
   >
-    <g clipPath="url(#clip0_259_269)">
-      <path
-        d="M9.66666 6.66665C9.11333 6.66665 8.66666 6.21998 8.66666 5.66665V2.33331C8.66666 1.77998 9.11333 1.33331 9.66666 1.33331C10.22 1.33331 10.6667 1.77998 10.6667 2.33331V5.66665C10.6667 6.21998 10.22 6.66665 9.66666 6.66665Z"
-        strokeWidth={1.5}
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-      <path
-        d="M13.6667 6.66665H12.6667V5.66665C12.6667 5.11331 13.1133 4.66665 13.6667 4.66665C14.22 4.66665 14.6667 5.11331 14.6667 5.66665C14.6667 6.21998 14.22 6.66665 13.6667 6.66665Z"
-        strokeWidth={1.5}
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-      <path
-        d="M6.33333 9.33331C6.88666 9.33331 7.33333 9.77998 7.33333 10.3333V13.6666C7.33333 14.22 6.88666 14.6666 6.33333 14.6666C5.78 14.6666 5.33333 14.22 5.33333 13.6666V10.3333C5.33333 9.77998 5.78 9.33331 6.33333 9.33331Z"
-        strokeWidth={1.5}
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-      <path
-        d="M2.33333 9.33331H3.33333V10.3333C3.33333 10.8866 2.88666 11.3333 2.33333 11.3333C1.77999 11.3333 1.33333 10.8866 1.33333 10.3333C1.33333 9.77998 1.77999 9.33331 2.33333 9.33331Z"
-        strokeWidth={1.5}
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-      <path
-        d="M9.33333 9.66665C9.33333 9.11331 9.78 8.66665 10.3333 8.66665H13.6667C14.22 8.66665 14.6667 9.11331 14.6667 9.66665C14.6667 10.22 14.22 10.6666 13.6667 10.6666H10.3333C9.78 10.6666 9.33333 10.22 9.33333 9.66665Z"
-        strokeWidth={1.5}
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-      <path
-        d="M10.3333 12.6666H9.33333V13.6666C9.33333 14.22 9.78 14.6666 10.3333 14.6666C10.8867 14.6666 11.3333 14.22 11.3333 13.6666C11.3333 13.1133 10.8867 12.6666 10.3333 12.6666Z"
-        strokeWidth={1.5}
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-      <path
-        d="M6.66666 6.33331C6.66666 5.77998 6.22 5.33331 5.66666 5.33331H2.33333C1.77999 5.33331 1.33333 5.77998 1.33333 6.33331C1.33333 6.88665 1.77999 7.33331 2.33333 7.33331H5.66666C6.22 7.33331 6.66666 6.88665 6.66666 6.33331Z"
-        strokeWidth={1.5}
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-      <path
-        d="M5.66666 3.33331H6.66666V2.33331C6.66666 1.77998 6.22 1.33331 5.66666 1.33331C5.11333 1.33331 4.66666 1.77998 4.66666 2.33331C4.66666 2.88665 5.11333 3.33331 5.66666 3.33331Z"
-        strokeWidth={1.5}
-        strokeLinecap="round"
-        strokeLinejoin="round"
-      />
-    </g>
-    <defs>
-      <clipPath id="clip0_259_269">
-        <rect width={16} height={16} fill="white" />
-      </clipPath>
-    </defs>
+    <path d="M9.66668 6.66671C9.11334 6.66671 8.66668 6.22004 8.66668 5.66671V2.33337C8.66668 1.78004 9.11334 1.33337 9.66668 1.33337C10.22 1.33337 10.6667 1.78004 10.6667 2.33337V5.66671C10.6667 6.22004 10.22 6.66671 9.66668 6.66671Z" />
+    <path d="M13.6667 6.66671H12.6667V5.66671C12.6667 5.11337 13.1133 4.66671 13.6667 4.66671C14.22 4.66671 14.6667 5.11337 14.6667 5.66671C14.6667 6.22004 14.22 6.66671 13.6667 6.66671Z" />
+    <path d="M6.33334 9.33337C6.88668 9.33337 7.33334 9.78004 7.33334 10.3334V13.6667C7.33334 14.22 6.88668 14.6667 6.33334 14.6667C5.78001 14.6667 5.33334 14.22 5.33334 13.6667V10.3334C5.33334 9.78004 5.78001 9.33337 6.33334 9.33337Z" />
+    <path d="M2.33334 9.33337H3.33334V10.3334C3.33334 10.8867 2.88668 11.3334 2.33334 11.3334C1.78001 11.3334 1.33334 10.8867 1.33334 10.3334C1.33334 9.78004 1.78001 9.33337 2.33334 9.33337Z" />
+    <path d="M9.33334 9.66671C9.33334 9.11337 9.78001 8.66671 10.3333 8.66671H13.6667C14.22 8.66671 14.6667 9.11337 14.6667 9.66671C14.6667 10.22 14.22 10.6667 13.6667 10.6667H10.3333C9.78001 10.6667 9.33334 10.22 9.33334 9.66671Z" />
+    <path d="M10.3333 12.6667H9.33334V13.6667C9.33334 14.22 9.78001 14.6667 10.3333 14.6667C10.8867 14.6667 11.3333 14.22 11.3333 13.6667C11.3333 13.1134 10.8867 12.6667 10.3333 12.6667Z" />
+    <path d="M6.66668 6.33337C6.66668 5.78004 6.22001 5.33337 5.66668 5.33337H2.33334C1.78001 5.33337 1.33334 5.78004 1.33334 6.33337C1.33334 6.88671 1.78001 7.33337 2.33334 7.33337H5.66668C6.22001 7.33337 6.66668 6.88671 6.66668 6.33337Z" />
+    <path d="M5.66668 3.33337H6.66668V2.33337C6.66668 1.78004 6.22001 1.33337 5.66668 1.33337C5.11334 1.33337 4.66668 1.78004 4.66668 2.33337C4.66668 2.88671 5.11334 3.33337 5.66668 3.33337Z" />
   </svg>
 );
 export default SvgSlack;

web/lib/opal/src/icons/upload-square.tsx

@@ -0,0 +1,22 @@
+import type { IconProps } from "@opal/types";
+
+const SvgUploadSquare = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    <path
+      d="M11 14H12.6667C13.3929 14 14 13.3929 14 12.6667V3.33333C14 2.60711 13.3929 2 12.6667 2H3.33333C2.60711 2 2 2.60711 2 3.33333V12.6667C2 13.3929 2.60711 14 3.33333 14H5M10.6666 8.16667L7.99998 5.5M7.99998 5.5L5.33331 8.16667M7.99998 5.5V14"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+  </svg>
+);
+
+export default SvgUploadSquare;

web/lib/opal/src/illustrations/illustrations.stories.tsx

@@ -0,0 +1,46 @@
+import React from "react";
+import type { Meta, StoryObj } from "@storybook/react";
+import * as Illustrations from "@opal/illustrations";
+
+const illustrations = Object.entries(Illustrations).map(
+  ([name, Component]) => ({
+    name: name.replace(/^Svg/, ""),
+    Component,
+  })
+);
+
+const meta: Meta = {
+  title: "opal/illustrations/All Illustrations",
+  tags: ["autodocs"],
+};
+
+export default meta;
+type Story = StoryObj;
+
+export const AllIllustrations: Story = {
+  render: () => (
+    <div
+      style={{
+        display: "grid",
+        gridTemplateColumns: "repeat(auto-fill, 140px)",
+        gap: 24,
+      }}
+    >
+      {illustrations.map(({ name, Component }) => (
+        <div
+          key={name}
+          style={{
+            display: "flex",
+            flexDirection: "column",
+            alignItems: "center",
+            gap: 8,
+            padding: 8,
+          }}
+        >
+          <Component size={80} />
+          <span style={{ fontSize: 11, textAlign: "center" }}>{name}</span>
+        </div>
+      ))}
+    </div>
+  ),
+};

web/lib/opal/src/logos/anthropic.tsx

@@ -0,0 +1,17 @@
+import type { IconProps } from "@opal/types";
+const SvgAnthropic = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 52 52"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    {...props}
+  >
+    <path
+      d="M36.1779 9.78003H29.1432L41.9653 42.2095H49L36.1779 9.78003ZM15.8221 9.78003L3 42.2095H10.1844L12.8286 35.4243H26.2495L28.8438 42.2095H36.0282L23.2061 9.78003H15.8221ZM15.1236 29.3874L19.5141 18.0121L23.9046 29.3874H15.1236Z"
+      fill="var(--text-05)"
+    />
+  </svg>
+);
+export default SvgAnthropic;

web/lib/opal/src/logos/aws.tsx

@@ -12,7 +12,7 @@ const SvgAws = ({ size, ...props }: IconProps) => (
     <title>AWS</title>
     <path
       d="M14.6195 23.2934C14.6195 23.9333 14.7233 24.4522 14.8443 24.8326C14.9827 25.2131 15.1556 25.6282 15.3978 26.0778C15.4842 26.2162 15.5188 26.3546 15.5188 26.4756C15.5188 26.6486 15.4151 26.8215 15.1902 26.9945L14.1007 27.7208C13.945 27.8246 13.7894 27.8765 13.651 27.8765C13.4781 27.8765 13.3051 27.79 13.1322 27.6344C12.89 27.3749 12.6825 27.0982 12.5096 26.8215C12.3366 26.5275 12.1637 26.1989 11.9734 25.8011C10.6245 27.3922 8.92958 28.1878 6.88881 28.1878C5.43606 28.1878 4.27731 27.7727 3.42988 26.9426C2.58244 26.1124 2.15007 25.0056 2.15007 23.622C2.15007 22.152 2.66891 20.9586 3.72389 20.0593C4.77886 19.16 6.17973 18.7103 7.96108 18.7103C8.54909 18.7103 9.15441 18.7622 9.79431 18.8487C10.4342 18.9352 11.0914 19.0735 11.7832 19.2292V17.9667C11.7832 16.6523 11.5065 15.7356 10.9703 15.1995C10.4169 14.6634 9.483 14.404 8.15132 14.404C7.546 14.404 6.9234 14.4731 6.28349 14.6288C5.64359 14.7844 5.02098 14.9747 4.41567 15.2168C4.13896 15.3379 3.93142 15.407 3.81036 15.4416C3.6893 15.4762 3.60282 15.4935 3.53364 15.4935C3.29152 15.4935 3.17046 15.3206 3.17046 14.9574V14.1099C3.17046 13.8332 3.20505 13.6257 3.29152 13.5046C3.37799 13.3836 3.53364 13.2625 3.77577 13.1414C4.38108 12.8301 5.10746 12.5707 5.9549 12.3632C6.80233 12.1384 7.70165 12.0346 8.65286 12.0346C10.7109 12.0346 12.2156 12.5015 13.1841 13.4355C14.1353 14.3694 14.6195 15.7875 14.6195 17.6899V23.2934ZM7.63248 25.9222C8.2032 25.9222 8.79122 25.8184 9.41383 25.6109C10.0364 25.4034 10.5899 25.0229 11.0568 24.504C11.3335 24.1754 11.5411 23.8122 11.6448 23.3972C11.7486 22.9821 11.8178 22.4806 11.8178 21.8925V21.1662C11.3162 21.0451 10.7801 20.9413 10.2267 20.8722C9.67325 20.803 9.13711 20.7684 8.60098 20.7684C7.44224 20.7684 6.5948 20.9932 6.02407 21.4602C5.45335 21.9271 5.17664 22.5843 5.17664 23.4491C5.17664 24.2619 5.38417 24.8672 5.81654 25.2823C6.23161 25.7147 6.83692 25.9222 7.63248 25.9222ZM21.5201 27.79C21.2088 27.79 21.0012 27.7381 20.8629 27.6171C20.7245 27.5133 20.6035 27.2712 20.4997 26.9426L16.4355 13.5738C16.3317 13.2279 16.2798 13.0031 16.2798 12.882C16.2798 12.6053 16.4182 12.4497 16.6949 12.4497H18.3897C18.7183 12.4497 18.9432 12.5015 19.0642 12.6226C19.2026 12.7264 19.3064 12.9685 19.4101 13.2971L22.3156 24.7462L25.0136 13.2971C25.1001 12.9512 25.2038 12.7264 25.3422 12.6226C25.4806 12.5188 25.7227 12.4497 26.034 12.4497H27.4176C27.7462 12.4497 27.971 12.5015 28.1093 12.6226C28.2477 12.7264 28.3688 12.9685 28.4379 13.2971L31.1705 24.8845L34.1625 13.2971C34.2662 12.9512 34.3873 12.7264 34.5084 12.6226C34.6467 12.5188 34.8716 12.4497 35.1829 12.4497H36.7913C37.068 12.4497 37.2236 12.588 37.2236 12.882C37.2236 12.9685 37.2063 13.055 37.189 13.1587C37.1717 13.2625 37.1372 13.4009 37.068 13.5911L32.9 26.9599C32.7962 27.3058 32.6751 27.5306 32.5368 27.6344C32.3984 27.7381 32.1736 27.8073 31.8796 27.8073H30.3922C30.0636 27.8073 29.8388 27.7554 29.7004 27.6344C29.5621 27.5133 29.441 27.2885 29.3719 26.9426L26.6912 15.7875L24.0278 26.9253C23.9413 27.2712 23.8376 27.496 23.6992 27.6171C23.5609 27.7381 23.3187 27.79 23.0074 27.79H21.5201ZM43.7437 28.257C42.8444 28.257 41.9451 28.1532 41.0803 27.9457C40.2156 27.7381 39.5411 27.5133 39.0914 27.2539C38.8147 27.0982 38.6245 26.9253 38.5553 26.7696C38.4861 26.614 38.4515 26.441 38.4515 26.2854V25.4034C38.4515 25.0402 38.5899 24.8672 38.8493 24.8672C38.9531 24.8672 39.0569 24.8845 39.1606 24.9191C39.2644 24.9537 39.42 25.0229 39.593 25.0921C40.181 25.3515 40.8209 25.559 41.4954 25.6974C42.1872 25.8357 42.8617 25.9049 43.5535 25.9049C44.643 25.9049 45.4905 25.7147 46.0785 25.3342C46.6665 24.9537 46.9778 24.4003 46.9778 23.6912C46.9778 23.2069 46.8222 22.8092 46.5109 22.4806C46.1996 22.152 45.6115 21.858 44.7641 21.5812L42.2564 20.803C40.9939 20.4052 40.0599 19.8172 39.4892 19.0389C38.9185 18.278 38.6245 17.4305 38.6245 16.5312C38.6245 15.8048 38.7801 15.1649 39.0914 14.6115C39.4027 14.0581 39.8178 13.5738 40.3367 13.1933C40.8555 12.7956 41.4435 12.5015 42.1353 12.294C42.8271 12.0865 43.5535 12 44.3144 12C44.6949 12 45.0927 12.0173 45.4732 12.0692C45.871 12.1211 46.2341 12.1902 46.5973 12.2594C46.9432 12.3459 47.2718 12.4324 47.5831 12.5361C47.8944 12.6399 48.1366 12.7437 48.3095 12.8474C48.5516 12.9858 48.7246 13.1242 48.8283 13.2798C48.9321 13.4182 48.984 13.6084 48.984 13.8505V14.6634C48.984 15.0266 48.8456 15.2168 48.5862 15.2168C48.4479 15.2168 48.223 15.1476 47.929 15.0093C46.9432 14.5596 45.8364 14.3348 44.6084 14.3348C43.6227 14.3348 42.8444 14.4904 42.3083 14.819C41.7721 15.1476 41.4954 15.6492 41.4954 16.3583C41.4954 16.8425 41.6684 17.2576 42.0142 17.5862C42.3601 17.9148 43 18.2434 43.9167 18.5374L46.3725 19.3156C47.6177 19.7134 48.517 20.2668 49.0532 20.9759C49.5893 21.685 49.8487 22.4979 49.8487 23.3972C49.8487 24.1408 49.6931 24.8153 49.3991 25.4034C49.0878 25.9914 48.6727 26.5102 48.1366 26.9253C47.6004 27.3577 46.9605 27.669 46.2168 27.8938C45.4386 28.1359 44.6257 28.257 43.7437 28.257Z"
-      fill="#252F3E"
+      className="fill-[#252F3E] dark:fill-text-05"
     />
     <path
       fillRule="evenodd"