feat(fe): increase preview file type support & replace TextViewModal with PreviewModal variant (#9212)

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

.github/workflows/deployment.yml

@@ -151,7 +151,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # ratchet:astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # ratchet:astral-sh/setup-uv@v7
         with:
           version: "0.9.9"
           # NOTE: This isn't caching much and zizmor suggests this could be poisoned, so disable.

.github/workflows/post-merge-beta-cherry-pick.yml

@@ -70,7 +70,7 @@ jobs:
 
       - name: Install the latest version of uv
         if: steps.gate.outputs.should_cherrypick == 'true'
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # ratchet:astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # ratchet:astral-sh/setup-uv@v7
         with:
           enable-cache: false
           version: "0.9.9"

.github/workflows/pr-integration-tests.yml

@@ -316,6 +316,7 @@ jobs:
           # Base config shared by both editions
           cat <<EOF > deployment/docker_compose/.env
           COMPOSE_PROFILES=s3-filestore
+          OPENSEARCH_FOR_ONYX_ENABLED=false
           AUTH_TYPE=basic
           POSTGRES_POOL_PRE_PING=true
           POSTGRES_USE_NULL_POOL=true
@@ -418,6 +419,7 @@ jobs:
               -e POSTGRES_POOL_PRE_PING=true \
               -e POSTGRES_USE_NULL_POOL=true \
               -e VESPA_HOST=index \
+              -e ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=false \
               -e REDIS_HOST=cache \
               -e API_SERVER_HOST=api_server \
               -e OPENAI_API_KEY=${OPENAI_API_KEY} \
@@ -637,6 +639,7 @@ jobs:
           ONYX_BACKEND_IMAGE=${ECR_CACHE}:integration-test-backend-test-${RUN_ID} \
           ONYX_MODEL_SERVER_IMAGE=${ECR_CACHE}:integration-test-model-server-test-${RUN_ID} \
           DEV_MODE=true \
+          OPENSEARCH_FOR_ONYX_ENABLED=false \
           docker compose -f docker-compose.multitenant-dev.yml up \
             relational_db \
             index \
@@ -691,6 +694,7 @@ jobs:
             -e POSTGRES_DB=postgres \
             -e POSTGRES_USE_NULL_POOL=true \
             -e VESPA_HOST=index \
+            -e ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=false \
             -e REDIS_HOST=cache \
             -e API_SERVER_HOST=api_server \
             -e OPENAI_API_KEY=${OPENAI_API_KEY} \

.github/workflows/pr-playwright-tests.yml

@@ -12,6 +12,9 @@ on:
   push:
     tags:
       - "v*.*.*"
+    # TODO: Remove this if we enable merge-queues for release branches.
+    branches:
+      - "release/**"
 
 permissions:
   contents: read
@@ -468,7 +471,7 @@ jobs:
 
       - name: Install the latest version of uv
         if: always()
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # ratchet:astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # ratchet:astral-sh/setup-uv@v7
         with:
           enable-cache: false
           version: "0.9.9"
@@ -707,7 +710,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Download visual diff summaries
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           pattern: screenshot-diff-summary-*
           path: summaries/

.github/workflows/pr-quality-checks.yml

@@ -28,7 +28,7 @@ jobs:
         with:
           python-version: "3.11"
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # ratchet:hashicorp/setup-terraform@v4.0.0
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # ratchet:hashicorp/setup-terraform@v3
       - name: Setup node
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # ratchet:actions/setup-node@v6
         with: # zizmor: ignore[cache-poisoning]

.github/workflows/release-devtools.yml

@@ -26,7 +26,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # ratchet:astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # ratchet:astral-sh/setup-uv@v7
         with:
           enable-cache: false
           version: "0.9.9"

.github/workflows/zizmor.yml

@@ -24,7 +24,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # ratchet:astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # ratchet:astral-sh/setup-uv@v7
         with:
           enable-cache: false
           version: "0.9.9"

AGENTS.md

@@ -598,7 +598,7 @@ Before writing your plan, make sure to do research. Explore the relevant section
 Never hardcode status codes or use `starlette.status` / `fastapi.status` constants directly.**
 
 A global FastAPI exception handler converts `OnyxError` into a JSON response with the standard
-`{"error_code": "...", "message": "..."}` shape. This eliminates boilerplate and keeps error
+`{"error_code": "...", "detail": "..."}` shape. This eliminates boilerplate and keeps error
 handling consistent across the entire backend.
 
 ```python

backend/Dockerfile

@@ -46,7 +46,9 @@ RUN apt-get update && \
         pkg-config \
         gcc \
         nano \
-        vim && \
+        vim \
+        libjemalloc2 \
+        && \
     rm -rf /var/lib/apt/lists/* && \
     apt-get clean
 
@@ -141,7 +143,6 @@ COPY --chown=onyx:onyx ./scripts/debugging /app/scripts/debugging
 COPY --chown=onyx:onyx ./scripts/force_delete_connector_by_id.py /app/scripts/force_delete_connector_by_id.py
 COPY --chown=onyx:onyx ./scripts/supervisord_entrypoint.sh /app/scripts/supervisord_entrypoint.sh
 COPY --chown=onyx:onyx ./scripts/setup_craft_templates.sh /app/scripts/setup_craft_templates.sh
-COPY --chown=onyx:onyx ./scripts/reencrypt_secrets.py /app/scripts/reencrypt_secrets.py
 RUN chmod +x /app/scripts/supervisord_entrypoint.sh /app/scripts/setup_craft_templates.sh
 
 # Run Craft template setup at build time when ENABLE_CRAFT=true
@@ -165,6 +166,13 @@ ENV PYTHONPATH=/app
 ARG ONYX_VERSION=0.0.0-dev
 ENV ONYX_VERSION=${ONYX_VERSION}
 
+# Use jemalloc instead of glibc malloc to reduce memory fragmentation
+# in long-running Python processes (API server, Celery workers).
+# The soname is architecture-independent; the dynamic linker resolves
+# the correct path from standard library directories.
+# Placed after all RUN steps so build-time processes are unaffected.
+ENV LD_PRELOAD=libjemalloc.so.2
+
 # Default command which does nothing
 # This container is used by api server and background which specify their own CMD
 CMD ["tail", "-f", "/dev/null"]

backend/alembic_tenants/versions/3b9f09038764_add_read_only_kg_user.py

@@ -11,6 +11,7 @@ from sqlalchemy import text
 from alembic import op
 from onyx.configs.app_configs import DB_READONLY_PASSWORD
 from onyx.configs.app_configs import DB_READONLY_USER
+from shared_configs.configs import MULTI_TENANT
 
 
 # revision identifiers, used by Alembic.
@@ -21,52 +22,59 @@ depends_on = None
 
 
 def upgrade() -> None:
-    # Enable pg_trgm extension if not already enabled
-    op.execute("CREATE EXTENSION IF NOT EXISTS pg_trgm")
+    if MULTI_TENANT:
 
-    # Create the read-only db user if it does not already exist.
-    if not (DB_READONLY_USER and DB_READONLY_PASSWORD):
-        raise Exception("DB_READONLY_USER or DB_READONLY_PASSWORD is not set")
+        # Enable pg_trgm extension if not already enabled
+        op.execute("CREATE EXTENSION IF NOT EXISTS pg_trgm")
 
-    op.execute(
-        text(
-            f"""
-            DO $$
-            BEGIN
-                -- Check if the read-only user already exists
-                IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{DB_READONLY_USER}') THEN
-                    -- Create the read-only user with the specified password
-                    EXECUTE format('CREATE USER %I WITH PASSWORD %L', '{DB_READONLY_USER}', '{DB_READONLY_PASSWORD}');
-                    -- First revoke all privileges to ensure a clean slate
-                    EXECUTE format('REVOKE ALL ON DATABASE %I FROM %I', current_database(), '{DB_READONLY_USER}');
-                    -- Grant only the CONNECT privilege to allow the user to connect to the database
-                    -- but not perform any operations without additional specific grants
-                    EXECUTE format('GRANT CONNECT ON DATABASE %I TO %I', current_database(), '{DB_READONLY_USER}');
-                END IF;
-            END
-            $$;
-            """
+        # Create read-only db user here only in multi-tenant mode. For single-tenant mode,
+        # the user is created in the standard migration.
+        if not (DB_READONLY_USER and DB_READONLY_PASSWORD):
+            raise Exception("DB_READONLY_USER or DB_READONLY_PASSWORD is not set")
+
+        op.execute(
+            text(
+                f"""
+                DO $$
+                BEGIN
+                    -- Check if the read-only user already exists
+                    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{DB_READONLY_USER}') THEN
+                        -- Create the read-only user with the specified password
+                        EXECUTE format('CREATE USER %I WITH PASSWORD %L', '{DB_READONLY_USER}', '{DB_READONLY_PASSWORD}');
+                        -- First revoke all privileges to ensure a clean slate
+                        EXECUTE format('REVOKE ALL ON DATABASE %I FROM %I', current_database(), '{DB_READONLY_USER}');
+                        -- Grant only the CONNECT privilege to allow the user to connect to the database
+                        -- but not perform any operations without additional specific grants
+                        EXECUTE format('GRANT CONNECT ON DATABASE %I TO %I', current_database(), '{DB_READONLY_USER}');
+                    END IF;
+                END
+                $$;
+                """
+            )
         )
-    )
 
 
 def downgrade() -> None:
-    op.execute(
-        text(
-            f"""
-        DO $$
-        BEGIN
-            IF EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{DB_READONLY_USER}') THEN
-                -- First revoke all privileges from the database
-                EXECUTE format('REVOKE ALL ON DATABASE %I FROM %I', current_database(), '{DB_READONLY_USER}');
-                -- Then revoke all privileges from the public schema
-                EXECUTE format('REVOKE ALL ON SCHEMA public FROM %I', '{DB_READONLY_USER}');
-                -- Then drop the user
-                EXECUTE format('DROP USER %I', '{DB_READONLY_USER}');
-            END IF;
-        END
-        $$;
-    """
+    if MULTI_TENANT:
+        # Drop read-only db user here only in single tenant mode. For multi-tenant mode,
+        # the user is dropped in the alembic_tenants migration.
+
+        op.execute(
+            text(
+                f"""
+            DO $$
+            BEGIN
+                IF EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{DB_READONLY_USER}') THEN
+                    -- First revoke all privileges from the database
+                    EXECUTE format('REVOKE ALL ON DATABASE %I FROM %I', current_database(), '{DB_READONLY_USER}');
+                    -- Then revoke all privileges from the public schema
+                    EXECUTE format('REVOKE ALL ON SCHEMA public FROM %I', '{DB_READONLY_USER}');
+                    -- Then drop the user
+                    EXECUTE format('DROP USER %I', '{DB_READONLY_USER}');
+                END IF;
+            END
+            $$;
+        """
+            )
         )
-    )
-    op.execute(text("DROP EXTENSION IF EXISTS pg_trgm"))
+        op.execute(text("DROP EXTENSION IF EXISTS pg_trgm"))

backend/ee/onyx/external_permissions/jira/group_sync.py

@@ -1,6 +1,8 @@
 from collections.abc import Generator
+from typing import Any
 
 from jira import JIRA
+from jira.exceptions import JIRAError
 
 from ee.onyx.db.external_perm import ExternalUserGroup
 from onyx.connectors.jira.utils import build_jira_client
@@ -9,107 +11,102 @@ from onyx.utils.logger import setup_logger
 
 logger = setup_logger()
 
+_ATLASSIAN_ACCOUNT_TYPE = "atlassian"
+_GROUP_MEMBER_PAGE_SIZE = 50
 
-def _get_jira_group_members_email(
+# The GET /group/member endpoint was introduced in Jira 6.0.
+# Jira versions older than 6.0 do not have group management REST APIs at all.
+_MIN_JIRA_VERSION_FOR_GROUP_MEMBER = "6.0"
+
+
+def _fetch_group_member_page(
     jira_client: JIRA,
     group_name: str,
-) -> list[str]:
-    """Get all member emails for a Jira group.
+    start_at: int,
+) -> dict[str, Any]:
+    """Fetch a single page from the non-deprecated GET /group/member endpoint.
 
-    Filters out app accounts (bots, integrations) and only returns real user emails.
+    The old GET /group endpoint (used by jira_client.group_members()) is deprecated
+    and decommissioned in Jira Server 10.3+. This uses the replacement endpoint
+    directly via the library's internal _get_json helper, following the same pattern
+    as enhanced_search_ids / bulk_fetch_issues in connector.py.
+
+    There is an open PR to the library to switch to this endpoint since last year:
+    https://github.com/pycontribs/jira/pull/2356
+    so once it is merged and released, we can switch to using the library function.
     """
-    emails: list[str] = []
-
     try:
-        # group_members returns an OrderedDict of account_id -> member_info
-        members = jira_client.group_members(group=group_name)
-
-        if not members:
-            logger.warning(f"No members found for group {group_name}")
-            return emails
-
-        for account_id, member_info in members.items():
-            # member_info is a dict with keys like 'fullname', 'email', 'active'
-            email = member_info.get("email")
-
-            # Skip "hidden" emails - these are typically app accounts
-            if email and email != "hidden":
-                emails.append(email)
-            else:
-                # For cloud, we might need to fetch user details separately
-                try:
-                    user = jira_client.user(id=account_id)
-
-                    # Skip app accounts (bots, integrations, etc.)
-                    if hasattr(user, "accountType") and user.accountType == "app":
-                        logger.info(
-                            f"Skipping app account {account_id} for group {group_name}"
-                        )
-                        continue
-
-                    if hasattr(user, "emailAddress") and user.emailAddress:
-                        emails.append(user.emailAddress)
-                    else:
-                        logger.warning(f"User {account_id} has no email address")
-                except Exception as e:
-                    logger.warning(
-                        f"Could not fetch email for user {account_id} in group {group_name}: {e}"
-                    )
-
-    except Exception as e:
-        logger.error(f"Error fetching members for group {group_name}: {e}")
-
-    return emails
+        return jira_client._get_json(
+            "group/member",
+            params={
+                "groupname": group_name,
+                "includeInactiveUsers": "false",
+                "startAt": start_at,
+                "maxResults": _GROUP_MEMBER_PAGE_SIZE,
+            },
+        )
+    except JIRAError as e:
+        if e.status_code == 404:
+            raise RuntimeError(
+                f"GET /group/member returned 404 for group '{group_name}'. "
+                f"This endpoint requires Jira {_MIN_JIRA_VERSION_FOR_GROUP_MEMBER}+. "
+                f"If you are running a self-hosted Jira instance, please upgrade "
+                f"to at least Jira {_MIN_JIRA_VERSION_FOR_GROUP_MEMBER}."
+            ) from e
+        raise
 
 
-def _build_group_member_email_map(
+def _get_group_member_emails(
     jira_client: JIRA,
-) -> dict[str, set[str]]:
-    """Build a map of group names to member emails."""
-    group_member_emails: dict[str, set[str]] = {}
+    group_name: str,
+) -> set[str]:
+    """Get all member emails for a single Jira group.
 
-    try:
-        # Get all groups from Jira - returns a list of group name strings
-        group_names = jira_client.groups()
+    Uses the non-deprecated GET /group/member endpoint which returns full user
+    objects including accountType, so we can filter out app/customer accounts
+    without making separate user() calls.
+    """
+    emails: set[str] = set()
+    start_at = 0
 
-        if not group_names:
-            logger.warning("No groups found in Jira")
-            return group_member_emails
+    while True:
+        try:
+            page = _fetch_group_member_page(jira_client, group_name, start_at)
+        except Exception as e:
+            logger.error(f"Error fetching members for group {group_name}: {e}")
+            raise
 
-        logger.info(f"Found {len(group_names)} groups in Jira")
-
-        for group_name in group_names:
-            if not group_name:
+        members: list[dict[str, Any]] = page.get("values", [])
+        for member in members:
+            account_type = member.get("accountType")
+            # On Jira DC < 9.0, accountType is absent; include those users.
+            # On Cloud / DC 9.0+, filter to real user accounts only.
+            if account_type is not None and account_type != _ATLASSIAN_ACCOUNT_TYPE:
                 continue
 
-            member_emails = _get_jira_group_members_email(
-                jira_client=jira_client,
-                group_name=group_name,
-            )
-
-            if member_emails:
-                group_member_emails[group_name] = set(member_emails)
-                logger.debug(
-                    f"Found {len(member_emails)} members for group {group_name}"
-                )
+            email = member.get("emailAddress")
+            if email:
+                emails.add(email)
             else:
-                logger.debug(f"No members found for group {group_name}")
+                logger.warning(
+                    f"Atlassian user {member.get('accountId', 'unknown')} "
+                    f"in group {group_name} has no visible email address"
+                )
 
-    except Exception as e:
-        logger.error(f"Error building group member email map: {e}")
+        if page.get("isLast", True) or not members:
+            break
+        start_at += len(members)
 
-    return group_member_emails
+    return emails
 
 
 def jira_group_sync(
     tenant_id: str,  # noqa: ARG001
     cc_pair: ConnectorCredentialPair,
 ) -> Generator[ExternalUserGroup, None, None]:
-    """
-    Sync Jira groups and their members.
+    """Sync Jira groups and their members, yielding one group at a time.
 
-    This function fetches all groups from Jira and yields ExternalUserGroup
-    objects containing the group ID and member emails.
+    Streams group-by-group rather than accumulating all groups in memory.
     """
     jira_base_url = cc_pair.connector.connector_specific_config.get("jira_base_url", "")
     scoped_token = cc_pair.connector.connector_specific_config.get(
@@ -130,12 +127,26 @@ def jira_group_sync(
         scoped_token=scoped_token,
     )
 
-    group_member_email_map = _build_group_member_email_map(jira_client=jira_client)
-    if not group_member_email_map:
-        raise ValueError(f"No groups with members found for cc_pair_id={cc_pair.id}")
+    group_names = jira_client.groups()
+    if not group_names:
+        raise ValueError(f"No groups found for cc_pair_id={cc_pair.id}")
 
-    for group_id, group_member_emails in group_member_email_map.items():
-        yield ExternalUserGroup(
-            id=group_id,
-            user_emails=list(group_member_emails),
+    logger.info(f"Found {len(group_names)} groups in Jira")
+
+    for group_name in group_names:
+        if not group_name:
+            continue
+
+        member_emails = _get_group_member_emails(
+            jira_client=jira_client,
+            group_name=group_name,
+        )
+        if not member_emails:
+            logger.debug(f"No members found for group {group_name}")
+            continue
+
+        logger.debug(f"Found {len(member_emails)} members for group {group_name}")
+        yield ExternalUserGroup(
+            id=group_name,
+            user_emails=list(member_emails),
         )

backend/ee/onyx/server/seeding.py

@@ -26,6 +26,7 @@ from onyx.db.models import Tool
 from onyx.db.persona import upsert_persona
 from onyx.server.features.persona.models import PersonaUpsertRequest
 from onyx.server.manage.llm.models import LLMProviderUpsertRequest
+from onyx.server.manage.llm.models import LLMProviderView
 from onyx.server.settings.models import Settings
 from onyx.server.settings.store import store_settings as store_base_settings
 from onyx.utils.logger import setup_logger
@@ -125,10 +126,16 @@ def _seed_llms(
         existing = fetch_existing_llm_provider(name=request.name, db_session=db_session)
         if existing:
             request.id = existing.id
-    seeded_providers = [
-        upsert_llm_provider(llm_upsert_request, db_session)
-        for llm_upsert_request in llm_upsert_requests
-    ]
+    seeded_providers: list[LLMProviderView] = []
+    for llm_upsert_request in llm_upsert_requests:
+        try:
+            seeded_providers.append(upsert_llm_provider(llm_upsert_request, db_session))
+        except ValueError as e:
+            logger.warning(
+                "Failed to upsert LLM provider '%s' during seeding: %s",
+                llm_upsert_request.name,
+                e,
+            )
 
     default_provider = next(
         (p for p in seeded_providers if p.model_configurations), None

backend/ee/onyx/utils/encryption.py

@@ -14,91 +14,67 @@ from onyx.utils.variable_functionality import fetch_versioned_implementation
 logger = setup_logger()
 
 
-@lru_cache(maxsize=2)
+@lru_cache(maxsize=1)
 def _get_trimmed_key(key: str) -> bytes:
     encoded_key = key.encode()
     key_length = len(encoded_key)
     if key_length < 16:
         raise RuntimeError("Invalid ENCRYPTION_KEY_SECRET - too short")
+    elif key_length > 32:
+        key = key[:32]
+    elif key_length not in (16, 24, 32):
+        valid_lengths = [16, 24, 32]
+        key = key[: min(valid_lengths, key=lambda x: abs(x - key_length))]
 
-    # Trim to the largest valid AES key size that fits
-    valid_lengths = [32, 24, 16]
-    for size in valid_lengths:
-        if key_length >= size:
-            return encoded_key[:size]
-
-    raise AssertionError("unreachable")
+    return encoded_key
 
 
-def _encrypt_string(input_str: str, key: str | None = None) -> bytes:
-    effective_key = key if key is not None else ENCRYPTION_KEY_SECRET
-    if not effective_key:
+def _encrypt_string(input_str: str) -> bytes:
+    if not ENCRYPTION_KEY_SECRET:
         return input_str.encode()
 
-    trimmed = _get_trimmed_key(effective_key)
+    key = _get_trimmed_key(ENCRYPTION_KEY_SECRET)
     iv = urandom(16)
     padder = padding.PKCS7(algorithms.AES.block_size).padder()
     padded_data = padder.update(input_str.encode()) + padder.finalize()
 
-    cipher = Cipher(algorithms.AES(trimmed), modes.CBC(iv), backend=default_backend())
+    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
     encryptor = cipher.encryptor()
     encrypted_data = encryptor.update(padded_data) + encryptor.finalize()
 
     return iv + encrypted_data
 
 
-def _decrypt_bytes(input_bytes: bytes, key: str | None = None) -> str:
-    effective_key = key if key is not None else ENCRYPTION_KEY_SECRET
-    if not effective_key:
+def _decrypt_bytes(input_bytes: bytes) -> str:
+    if not ENCRYPTION_KEY_SECRET:
         return input_bytes.decode()
 
-    trimmed = _get_trimmed_key(effective_key)
-    try:
-        iv = input_bytes[:16]
-        encrypted_data = input_bytes[16:]
+    key = _get_trimmed_key(ENCRYPTION_KEY_SECRET)
+    iv = input_bytes[:16]
+    encrypted_data = input_bytes[16:]
 
-        cipher = Cipher(
-            algorithms.AES(trimmed), modes.CBC(iv), backend=default_backend()
-        )
-        decryptor = cipher.decryptor()
-        decrypted_padded_data = decryptor.update(encrypted_data) + decryptor.finalize()
+    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+    decryptor = cipher.decryptor()
+    decrypted_padded_data = decryptor.update(encrypted_data) + decryptor.finalize()
 
-        unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
-        decrypted_data = unpadder.update(decrypted_padded_data) + unpadder.finalize()
+    unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
+    decrypted_data = unpadder.update(decrypted_padded_data) + unpadder.finalize()
 
-        return decrypted_data.decode()
-    except (ValueError, UnicodeDecodeError):
-        if key is not None:
-            # Explicit key was provided — don't fall back silently
-            raise
-        # Read path: attempt raw UTF-8 decode as a fallback for legacy data.
-        # Does NOT handle data encrypted with a different key — that
-        # ciphertext is not valid UTF-8 and will raise below.
-        logger.warning(
-            "AES decryption failed — falling back to raw decode. "
-            "Run the re-encrypt secrets script to rotate to the current key."
-        )
-        try:
-            return input_bytes.decode()
-        except UnicodeDecodeError:
-            raise ValueError(
-                "Data is not valid UTF-8 — likely encrypted with a different key. "
-                "Run the re-encrypt secrets script to rotate to the current key."
-            ) from None
+    return decrypted_data.decode()
 
 
-def encrypt_string_to_bytes(input_str: str, key: str | None = None) -> bytes:
+def encrypt_string_to_bytes(input_str: str) -> bytes:
     versioned_encryption_fn = fetch_versioned_implementation(
         "onyx.utils.encryption", "_encrypt_string"
     )
-    return versioned_encryption_fn(input_str, key=key)
+    return versioned_encryption_fn(input_str)
 
 
-def decrypt_bytes_to_string(input_bytes: bytes, key: str | None = None) -> str:
+def decrypt_bytes_to_string(input_bytes: bytes) -> str:
     versioned_decryption_fn = fetch_versioned_implementation(
         "onyx.utils.encryption", "_decrypt_bytes"
     )
-    return versioned_decryption_fn(input_bytes, key=key)
+    return versioned_decryption_fn(input_bytes)
 
 
 def test_encryption() -> None:

backend/model_server/encoders.py

@@ -4,11 +4,10 @@ from typing import Any
 from typing import TYPE_CHECKING
 
 from fastapi import APIRouter
+from fastapi import HTTPException
 from fastapi import Request
 
 from model_server.utils import simple_log_function_time
-from onyx.error_handling.error_codes import OnyxErrorCode
-from onyx.error_handling.exceptions import OnyxError
 from onyx.utils.logger import setup_logger
 from shared_configs.enums import EmbedTextType
 from shared_configs.model_server_models import Embedding
@@ -189,7 +188,7 @@ async def process_embed_request(
         )
 
     if not embed_request.texts:
-        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, "No texts to be embedded")
+        raise HTTPException(status_code=400, detail="No texts to be embedded")
 
     if not all(embed_request.texts):
         raise ValueError("Empty strings are not allowed for embedding.")
@@ -212,12 +211,14 @@ async def process_embed_request(
         )
         return EmbedResponse(embeddings=embeddings)
     except RateLimitError as e:
-        raise OnyxError(OnyxErrorCode.RATE_LIMITED, str(e))
+        raise HTTPException(
+            status_code=429,
+            detail=str(e),
+        )
     except Exception as e:
         logger.exception(
             f"Error during embedding process: provider={embed_request.provider_type} model={embed_request.model_name}"
         )
-        raise OnyxError(
-            OnyxErrorCode.INTERNAL_ERROR,
-            f"Error during embedding process: {e}",
+        raise HTTPException(
+            status_code=500, detail=f"Error during embedding process: {e}"
         )

backend/model_server/main.py

@@ -18,7 +18,6 @@ from model_server.encoders import router as encoders_router
 from model_server.management_endpoints import router as management_router
 from model_server.utils import get_gpu_type
 from onyx import __version__
-from onyx.error_handling.exceptions import register_onyx_exception_handlers
 from onyx.utils.logger import setup_logger
 from onyx.utils.logger import setup_uvicorn_logger
 from onyx.utils.middleware import add_onyx_request_id_middleware
@@ -109,8 +108,6 @@ def get_model_app() -> FastAPI:
     application.include_router(management_router)
     application.include_router(encoders_router)
 
-    register_onyx_exception_handlers(application)
-
     request_id_prefix = "INF"
     if INDEXING_ONLY:
         request_id_prefix = "IDX"

backend/onyx/chat/llm_loop.py

@@ -50,6 +50,7 @@ from onyx.tools.built_in_tools import CITEABLE_TOOLS_NAMES
 from onyx.tools.built_in_tools import STOPPING_TOOLS_NAMES
 from onyx.tools.interface import Tool
 from onyx.tools.models import ChatFile
+from onyx.tools.models import CustomToolCallSummary
 from onyx.tools.models import MemoryToolResponseSnapshot
 from onyx.tools.models import PythonToolRichResponse
 from onyx.tools.models import ToolCallInfo
@@ -980,6 +981,10 @@ def run_llm_loop(
 
                 if memory_snapshot:
                     saved_response = json.dumps(memory_snapshot.model_dump())
+                elif isinstance(tool_response.rich_response, CustomToolCallSummary):
+                    saved_response = json.dumps(
+                        tool_response.rich_response.model_dump()
+                    )
                 elif isinstance(tool_response.rich_response, str):
                     saved_response = tool_response.rich_response
                 else:

backend/onyx/chat/llm_step.py

@@ -15,7 +15,6 @@ from onyx.chat.citation_processor import DynamicCitationProcessor
 from onyx.chat.emitter import Emitter
 from onyx.chat.models import ChatMessageSimple
 from onyx.chat.models import LlmStepResult
-from onyx.chat.tool_call_args_streaming import maybe_emit_argument_delta
 from onyx.configs.app_configs import LOG_ONYX_MODEL_INTERACTIONS
 from onyx.configs.app_configs import PROMPT_CACHE_CHAT_HISTORY
 from onyx.configs.constants import MessageType
@@ -55,7 +54,6 @@ from onyx.server.query_and_chat.streaming_models import ReasoningStart
 from onyx.tools.models import ToolCallKickoff
 from onyx.tracing.framework.create import generation_span
 from onyx.utils.b64 import get_image_type_from_bytes
-from onyx.utils.jsonriver import Parser
 from onyx.utils.logger import setup_logger
 from onyx.utils.postgres_sanitization import sanitize_string
 from onyx.utils.text_processing import find_all_json_objects
@@ -1011,7 +1009,6 @@ def run_llm_step_pkt_generator(
         )
 
     id_to_tool_call_map: dict[int, dict[str, Any]] = {}
-    arg_parsers: dict[int, Parser] = {}
     reasoning_start = False
     answer_start = False
     accumulated_reasoning = ""
@@ -1218,14 +1215,7 @@ def run_llm_step_pkt_generator(
                 yield from _close_reasoning_if_active()
 
                 for tool_call_delta in delta.tool_calls:
-                    # maybe_emit depends and update being called first and attaching the delta
                     _update_tool_call_with_delta(id_to_tool_call_map, tool_call_delta)
-                    yield from maybe_emit_argument_delta(
-                        tool_calls_in_progress=id_to_tool_call_map,
-                        tool_call_delta=tool_call_delta,
-                        placement=_current_placement(),
-                        parsers=arg_parsers,
-                    )
 
         # Flush any tail text buffered while checking for split "<function_calls" markers.
         filtered_content_tail = xml_tool_call_content_filter.flush()

backend/onyx/chat/tool_call_args_streaming.py

@@ -1,77 +0,0 @@
-from collections.abc import Generator
-from collections.abc import Mapping
-from typing import Any
-from typing import Type
-
-from onyx.llm.model_response import ChatCompletionDeltaToolCall
-from onyx.server.query_and_chat.placement import Placement
-from onyx.server.query_and_chat.streaming_models import Packet
-from onyx.server.query_and_chat.streaming_models import ToolCallArgumentDelta
-from onyx.tools.built_in_tools import TOOL_NAME_TO_CLASS
-from onyx.tools.interface import Tool
-from onyx.utils.jsonriver import Parser
-
-
-def _get_tool_class(
-    tool_calls_in_progress: Mapping[int, Mapping[str, Any]],
-    tool_call_delta: ChatCompletionDeltaToolCall,
-) -> Type[Tool] | None:
-    """Look up the Tool subclass for a streaming tool call delta."""
-    tool_name = tool_calls_in_progress.get(tool_call_delta.index, {}).get("name")
-    if not tool_name:
-        return None
-    return TOOL_NAME_TO_CLASS.get(tool_name)
-
-
-def maybe_emit_argument_delta(
-    tool_calls_in_progress: Mapping[int, Mapping[str, Any]],
-    tool_call_delta: ChatCompletionDeltaToolCall,
-    placement: Placement,
-    parsers: dict[int, Parser],
-) -> Generator[Packet, None, None]:
-    """Emit decoded tool-call argument deltas to the frontend.
-
-    Uses a ``jsonriver.Parser`` per tool-call index to incrementally parse
-    the JSON argument string and extract only the newly-appended content
-    for each string-valued argument.
-
-    NOTE: Non-string arguments (numbers, booleans, null, arrays, objects)
-    are skipped — they are available in the final tool-call kickoff packet.
-
-    ``parsers`` is a mutable dict keyed by tool-call index. A new
-    ``Parser`` is created automatically for each new index.
-    """
-    tool_cls = _get_tool_class(tool_calls_in_progress, tool_call_delta)
-    if not tool_cls or not tool_cls.should_emit_argument_deltas():
-        return
-
-    fn = tool_call_delta.function
-    delta_fragment = fn.arguments if fn else None
-    if not delta_fragment:
-        return
-
-    idx = tool_call_delta.index
-    if idx not in parsers:
-        parsers[idx] = Parser()
-    parser = parsers[idx]
-
-    deltas = parser.feed(delta_fragment)
-
-    argument_deltas: dict[str, str] = {}
-    for delta in deltas:
-        if isinstance(delta, dict):
-            for key, value in delta.items():
-                if isinstance(value, str):
-                    argument_deltas[key] = argument_deltas.get(key, "") + value
-
-    if not argument_deltas:
-        return
-
-    tc_data = tool_calls_in_progress[tool_call_delta.index]
-    yield Packet(
-        placement=placement,
-        obj=ToolCallArgumentDelta(
-            tool_type=tc_data.get("name", ""),
-            argument_deltas=argument_deltas,
-        ),
-    )

backend/onyx/configs/app_configs.py

@@ -68,10 +68,6 @@ FILE_TOKEN_COUNT_THRESHOLD = int(
     os.environ.get("FILE_TOKEN_COUNT_THRESHOLD", str(_DEFAULT_FILE_TOKEN_LIMIT))
 )
 
-# Maximum upload size for a single user file (chat/projects) in MB.
-USER_FILE_MAX_UPLOAD_SIZE_MB = int(os.environ.get("USER_FILE_MAX_UPLOAD_SIZE_MB") or 50)
-USER_FILE_MAX_UPLOAD_SIZE_BYTES = USER_FILE_MAX_UPLOAD_SIZE_MB * 1024 * 1024
-
 # If set to true, will show extra/uncommon connectors in the "Other" category
 SHOW_EXTRA_CONNECTORS = os.environ.get("SHOW_EXTRA_CONNECTORS", "").lower() == "true"
 
@@ -292,8 +288,9 @@ OPENSEARCH_TEXT_ANALYZER = os.environ.get("OPENSEARCH_TEXT_ANALYZER") or "englis
 # environments we always want to be dual indexing into both OpenSearch and Vespa
 # to stress test the new codepaths. Only enable this if there is some instance
 # of OpenSearch running for the relevant Onyx instance.
+# NOTE: Now enabled on by default, unless the env indicates otherwise.
 ENABLE_OPENSEARCH_INDEXING_FOR_ONYX = (
-    os.environ.get("ENABLE_OPENSEARCH_INDEXING_FOR_ONYX", "").lower() == "true"
+    os.environ.get("ENABLE_OPENSEARCH_INDEXING_FOR_ONYX", "true").lower() == "true"
 )
 # NOTE: This effectively does nothing anymore, admins can now toggle whether
 # retrieval is through OpenSearch. This value is only used as a final fallback

backend/onyx/connectors/discord/connector.py

@@ -1,4 +1,5 @@
 import asyncio
+from collections.abc import AsyncGenerator
 from collections.abc import AsyncIterable
 from collections.abc import Iterable
 from datetime import datetime
@@ -204,7 +205,7 @@ def _manage_async_retrieval(
 
     end_time: datetime | None = end
 
-    async def _async_fetch() -> AsyncIterable[Document]:
+    async def _async_fetch() -> AsyncGenerator[Document, None]:
         intents = Intents.default()
         intents.message_content = True
         async with Client(intents=intents) as discord_client:
@@ -227,22 +228,23 @@ def _manage_async_retrieval(
 
     def run_and_yield() -> Iterable[Document]:
         loop = asyncio.new_event_loop()
+        async_gen = _async_fetch()
         try:
-            # Get the async generator
-            async_gen = _async_fetch()
-            # Convert to AsyncIterator
-            async_iter = async_gen.__aiter__()
             while True:
                 try:
-                    # Create a coroutine by calling anext with the async iterator
-                    next_coro = anext(async_iter)
-                    # Run the coroutine to get the next document
-                    doc = loop.run_until_complete(next_coro)
+                    doc = loop.run_until_complete(anext(async_gen))
                     yield doc
                 except StopAsyncIteration:
                     break
         finally:
-            loop.close()
+            # Must close the async generator before the loop so the Discord
+            # client's `async with` block can await its shutdown coroutine.
+            # The nested try/finally ensures the loop always closes even if
+            # aclose() raises (same pattern as cursor.close() before conn.close()).
+            try:
+                loop.run_until_complete(async_gen.aclose())
+            finally:
+                loop.close()
 
     return run_and_yield()
 

backend/onyx/db/llm.py

@@ -25,6 +25,7 @@ from onyx.server.manage.embedding.models import CloudEmbeddingProvider
 from onyx.server.manage.embedding.models import CloudEmbeddingProviderCreationRequest
 from onyx.server.manage.llm.models import LLMProviderUpsertRequest
 from onyx.server.manage.llm.models import LLMProviderView
+from onyx.server.manage.llm.models import SyncModelEntry
 from onyx.utils.logger import setup_logger
 from shared_configs.enums import EmbeddingProvider
 
@@ -270,10 +271,35 @@ def upsert_llm_provider(
         mc.name for mc in llm_provider_upsert_request.model_configurations
     }
 
+    # Build a lookup of requested visibility by model name
+    requested_visibility = {
+        mc.name: mc.is_visible
+        for mc in llm_provider_upsert_request.model_configurations
+    }
+
     # Delete removed models
     removed_ids = [
         mc.id for name, mc in existing_by_name.items() if name not in models_to_exist
     ]
+
+    default_model = fetch_default_llm_model(db_session)
+
+    # Prevent removing and hiding the default model
+    if default_model:
+        for name, mc in existing_by_name.items():
+            if mc.id == default_model.id:
+                if default_model.id in removed_ids:
+                    raise ValueError(
+                        f"Cannot remove the default model '{name}'. "
+                        "Please change the default model before removing."
+                    )
+                if not requested_visibility.get(name, True):
+                    raise ValueError(
+                        f"Cannot hide the default model '{name}'. "
+                        "Please change the default model before hiding."
+                    )
+                break
+
     if removed_ids:
         db_session.query(ModelConfiguration).filter(
             ModelConfiguration.id.in_(removed_ids)
@@ -344,9 +370,9 @@ def upsert_llm_provider(
 def sync_model_configurations(
     db_session: Session,
     provider_name: str,
-    models: list[dict],
+    models: list[SyncModelEntry],
 ) -> int:
-    """Sync model configurations for a dynamic provider (OpenRouter, Bedrock, Ollama).
+    """Sync model configurations for a dynamic provider (OpenRouter, Bedrock, Ollama, etc.).
 
     This inserts NEW models from the source API without overwriting existing ones.
     User preferences (is_visible, max_input_tokens) are preserved for existing models.
@@ -354,7 +380,7 @@ def sync_model_configurations(
     Args:
         db_session: Database session
         provider_name: Name of the LLM provider
-        models: List of model dicts with keys: name, display_name, max_input_tokens, supports_image_input
+        models: List of SyncModelEntry objects describing the fetched models
 
     Returns:
         Number of new models added
@@ -368,21 +394,20 @@ def sync_model_configurations(
 
     new_count = 0
     for model in models:
-        model_name = model["name"]
-        if model_name not in existing_names:
+        if model.name not in existing_names:
             # Insert new model with is_visible=False (user must explicitly enable)
             supported_flows = [LLMModelFlowType.CHAT]
-            if model.get("supports_image_input", False):
+            if model.supports_image_input:
                 supported_flows.append(LLMModelFlowType.VISION)
 
             insert_new_model_configuration__no_commit(
                 db_session=db_session,
                 llm_provider_id=provider.id,
-                model_name=model_name,
+                model_name=model.name,
                 supported_flows=supported_flows,
                 is_visible=False,
-                max_input_tokens=model.get("max_input_tokens"),
-                display_name=model.get("display_name"),
+                max_input_tokens=model.max_input_tokens,
+                display_name=model.display_name,
             )
             new_count += 1
 
@@ -538,7 +563,6 @@ def fetch_default_model(
         .options(selectinload(ModelConfiguration.llm_provider))
         .join(LLMModelFlow)
         .where(
-            ModelConfiguration.is_visible == True,  # noqa: E712
             LLMModelFlow.llm_model_flow_type == flow_type,
             LLMModelFlow.is_default == True,  # noqa: E712
         )
@@ -814,44 +838,30 @@ def sync_auto_mode_models(
             )
             changes += 1
 
-    db_session.commit()
+    # Update the default if this provider currently holds the global CHAT default.
+    # We flush (but don't commit) so that _update_default_model can see the new
+    # model rows, then commit everything atomically to avoid a window where the
+    # old default is invisible but still pointed-to.
+    db_session.flush()
 
-    # Update the default if this provider currently holds the global CHAT default
     recommended_default = llm_recommendations.get_default_model(provider.provider)
     if recommended_default:
-        current_default_name = db_session.scalar(
-            select(ModelConfiguration.name)
-            .join(
-                LLMModelFlow,
-                LLMModelFlow.model_configuration_id == ModelConfiguration.id,
-            )
-            .where(
-                ModelConfiguration.llm_provider_id == provider.id,
-                LLMModelFlow.llm_model_flow_type == LLMModelFlowType.CHAT,
-                LLMModelFlow.is_default == True,  # noqa: E712
-            )
-        )
+        current_default = fetch_default_llm_model(db_session)
 
         if (
-            current_default_name is not None
-            and current_default_name != recommended_default.name
+            current_default
+            and current_default.llm_provider_id == provider.id
+            and current_default.name != recommended_default.name
         ):
-            try:
-                _update_default_model(
-                    db_session=db_session,
-                    provider_id=provider.id,
-                    model=recommended_default.name,
-                    flow_type=LLMModelFlowType.CHAT,
-                )
-                changes += 1
-            except ValueError:
-                logger.warning(
-                    "Recommended default model '%s' not found "
-                    "for provider_id=%s; skipping default update.",
-                    recommended_default.name,
-                    provider.id,
-                )
+            _update_default_model__no_commit(
+                db_session=db_session,
+                provider_id=provider.id,
+                model=recommended_default.name,
+                flow_type=LLMModelFlowType.CHAT,
+            )
+            changes += 1
 
+    db_session.commit()
     return changes
 
 
@@ -982,7 +992,7 @@ def update_model_configuration__no_commit(
     db_session.flush()
 
 
-def _update_default_model(
+def _update_default_model__no_commit(
     db_session: Session,
     provider_id: int,
     model: str,
@@ -1020,6 +1030,14 @@ def _update_default_model(
     new_default.is_default = True
     model_config.is_visible = True
 
+
+def _update_default_model(
+    db_session: Session,
+    provider_id: int,
+    model: str,
+    flow_type: LLMModelFlowType,
+) -> None:
+    _update_default_model__no_commit(db_session, provider_id, model, flow_type)
     db_session.commit()
 
 

backend/onyx/db/models.py

@@ -36,11 +36,9 @@ from sqlalchemy import Text
 from sqlalchemy import text
 from sqlalchemy import UniqueConstraint
 from sqlalchemy.dialects import postgresql
-from sqlalchemy import event
 from sqlalchemy.engine.interfaces import Dialect
 from sqlalchemy.orm import DeclarativeBase
 from sqlalchemy.orm import Mapped
-from sqlalchemy.orm import Mapper
 from sqlalchemy.orm import mapped_column
 from sqlalchemy.orm import relationship
 from sqlalchemy.types import LargeBinary
@@ -119,50 +117,10 @@ class Base(DeclarativeBase):
     __abstract__ = True
 
 
-class _EncryptedBase(TypeDecorator):
-    """Base for encrypted column types that wrap values in SensitiveValue."""
-
+class EncryptedString(TypeDecorator):
     impl = LargeBinary
+    # This type's behavior is fully deterministic and doesn't depend on any external factors.
     cache_ok = True
-    _is_json: bool = False
-
-    def wrap_raw(self, value: Any) -> SensitiveValue:
-        """Encrypt a raw value and wrap it in SensitiveValue.
-
-        Called by the attribute set event so the Python-side type is always
-        SensitiveValue, regardless of whether the value was loaded from the DB
-        or assigned in application code.
-        """
-        if self._is_json:
-            if not isinstance(value, dict):
-                raise TypeError(
-                    f"EncryptedJson column expected dict, got {type(value).__name__}"
-                )
-            raw_str = json.dumps(value)
-        else:
-            if not isinstance(value, str):
-                raise TypeError(
-                    f"EncryptedString column expected str, got {type(value).__name__}"
-                )
-            raw_str = value
-        return SensitiveValue(
-            encrypted_bytes=encrypt_string_to_bytes(raw_str),
-            decrypt_fn=decrypt_bytes_to_string,
-            is_json=self._is_json,
-        )
-
-    def compare_values(self, x: Any, y: Any) -> bool:
-        if x is None or y is None:
-            return x == y
-        if isinstance(x, SensitiveValue):
-            x = x.get_value(apply_mask=False)
-        if isinstance(y, SensitiveValue):
-            y = y.get_value(apply_mask=False)
-        return x == y
-
-
-class EncryptedString(_EncryptedBase):
-    _is_json: bool = False
 
     def process_bind_param(
         self, value: str | SensitiveValue[str] | None, dialect: Dialect  # noqa: ARG002
@@ -186,9 +144,20 @@ class EncryptedString(_EncryptedBase):
             )
         return None
 
+    def compare_values(self, x: Any, y: Any) -> bool:
+        if x is None or y is None:
+            return x == y
+        if isinstance(x, SensitiveValue):
+            x = x.get_value(apply_mask=False)
+        if isinstance(y, SensitiveValue):
+            y = y.get_value(apply_mask=False)
+        return x == y
 
-class EncryptedJson(_EncryptedBase):
-    _is_json: bool = True
+
+class EncryptedJson(TypeDecorator):
+    impl = LargeBinary
+    # This type's behavior is fully deterministic and doesn't depend on any external factors.
+    cache_ok = True
 
     def process_bind_param(
         self,
@@ -196,7 +165,9 @@ class EncryptedJson(_EncryptedBase):
         dialect: Dialect,  # noqa: ARG002
     ) -> bytes | None:
         if value is not None:
+            # Handle both raw dicts and SensitiveValue wrappers
             if isinstance(value, SensitiveValue):
+                # Get raw value for storage
                 value = value.get_value(apply_mask=False)
             json_str = json.dumps(value)
             return encrypt_string_to_bytes(json_str)
@@ -213,40 +184,14 @@ class EncryptedJson(_EncryptedBase):
             )
         return None
 
-
-_REGISTERED_ATTRS: set[str] = set()
-
-
-@event.listens_for(Mapper, "mapper_configured")
-def _register_sensitive_value_set_events(
-    mapper: Mapper,
-    class_: type,
-) -> None:
-    """Auto-wrap raw values in SensitiveValue when assigned to encrypted columns."""
-    for prop in mapper.column_attrs:
-        for col in prop.columns:
-            if isinstance(col.type, _EncryptedBase):
-                col_type = col.type
-                attr = getattr(class_, prop.key)
-
-                # Guard against double-registration (e.g. if mapper is
-                # re-configured in test setups)
-                attr_key = f"{class_.__qualname__}.{prop.key}"
-                if attr_key in _REGISTERED_ATTRS:
-                    continue
-                _REGISTERED_ATTRS.add(attr_key)
-
-                @event.listens_for(attr, "set", retval=True)
-                def _wrap_value(
-                    target: Any,  # noqa: ARG001
-                    value: Any,
-                    oldvalue: Any,  # noqa: ARG001
-                    initiator: Any,  # noqa: ARG001
-                    _col_type: _EncryptedBase = col_type,
-                ) -> Any:
-                    if value is not None and not isinstance(value, SensitiveValue):
-                        return _col_type.wrap_raw(value)
-                    return value
+    def compare_values(self, x: Any, y: Any) -> bool:
+        if x is None or y is None:
+            return x == y
+        if isinstance(x, SensitiveValue):
+            x = x.get_value(apply_mask=False)
+        if isinstance(y, SensitiveValue):
+            y = y.get_value(apply_mask=False)
+        return x == y
 
 
 class NullFilteredString(TypeDecorator):

backend/onyx/db/rotate_encryption_key.py

@@ -1,161 +0,0 @@
-"""Rotate encryption key for all encrypted columns.
-
-Dynamically discovers all columns using EncryptedString / EncryptedJson,
-decrypts each value with the old key, and re-encrypts with the current
-ENCRYPTION_KEY_SECRET.
-
-The operation is idempotent: rows already encrypted with the current key
-are skipped. Commits are made in batches so a crash mid-rotation can be
-safely resumed by re-running.
-"""
-
-import json
-from typing import Any
-
-from sqlalchemy import LargeBinary
-from sqlalchemy import select
-from sqlalchemy import update
-from sqlalchemy.orm import Session
-
-from onyx.configs.app_configs import ENCRYPTION_KEY_SECRET
-from onyx.db.models import Base
-from onyx.db.models import EncryptedJson
-from onyx.db.models import EncryptedString
-from onyx.utils.encryption import decrypt_bytes_to_string
-from onyx.utils.logger import setup_logger
-from onyx.utils.variable_functionality import global_version
-
-logger = setup_logger()
-
-_BATCH_SIZE = 500
-
-
-def _can_decrypt_with_current_key(data: bytes) -> bool:
-    """Check if data is already encrypted with the current key.
-
-    Passes the key explicitly so the fallback-to-raw-decode path in
-    _decrypt_bytes is NOT triggered — a clean success/failure signal.
-    """
-    try:
-        decrypt_bytes_to_string(data, key=ENCRYPTION_KEY_SECRET)
-        return True
-    except Exception:
-        return False
-
-
-def _discover_encrypted_columns() -> list[tuple[type, str, list[str], bool]]:
-    """Walk all ORM models and find columns using EncryptedString/EncryptedJson.
-
-    Returns list of (ModelClass, column_attr_name, [pk_attr_names], is_json).
-    """
-    results: list[tuple[type, str, list[str], bool]] = []
-
-    for mapper in Base.registry.mappers:
-        model_cls = mapper.class_
-        pk_names = [col.key for col in mapper.primary_key]
-
-        for prop in mapper.column_attrs:
-            for col in prop.columns:
-                if isinstance(col.type, EncryptedJson):
-                    results.append((model_cls, prop.key, pk_names, True))
-                elif isinstance(col.type, EncryptedString):
-                    results.append((model_cls, prop.key, pk_names, False))
-
-    return results
-
-
-def rotate_encryption_key(
-    db_session: Session,
-    old_key: str | None,
-    dry_run: bool = False,
-) -> dict[str, int]:
-    """Decrypt all encrypted columns with old_key and re-encrypt with the current key.
-
-    Args:
-        db_session: Active database session.
-        old_key: The previous encryption key. Pass None or "" if values were
-                 not previously encrypted with a key.
-        dry_run: If True, count rows that need rotation without modifying data.
-
-    Returns:
-        Dict of "table.column" -> number of rows re-encrypted (or would be).
-
-    Commits every _BATCH_SIZE rows so that locks are held briefly and progress
-    is preserved on crash. Already-rotated rows are detected and skipped,
-    making the operation safe to re-run.
-    """
-    if not global_version.is_ee_version():
-        raise RuntimeError("EE mode is not enabled — rotation requires EE encryption.")
-
-    if not ENCRYPTION_KEY_SECRET:
-        raise RuntimeError(
-            "ENCRYPTION_KEY_SECRET is not set — cannot rotate. "
-            "Set the target encryption key in the environment before running."
-        )
-
-    encrypted_columns = _discover_encrypted_columns()
-    totals: dict[str, int] = {}
-
-    for model_cls, col_name, pk_names, is_json in encrypted_columns:
-        table_name: str = model_cls.__tablename__  # type: ignore[attr-defined]
-        col_attr = getattr(model_cls, col_name)
-        pk_attrs = [getattr(model_cls, pk) for pk in pk_names]
-
-        # Read raw bytes directly, bypassing the TypeDecorator
-        raw_col = col_attr.property.columns[0]
-
-        stmt = select(*pk_attrs, raw_col.cast(LargeBinary)).where(col_attr.is_not(None))
-        rows = db_session.execute(stmt).all()
-
-        reencrypted = 0
-        batch_pending = 0
-        for row in rows:
-            raw_bytes: bytes | None = row[-1]
-            if raw_bytes is None:
-                continue
-
-            if _can_decrypt_with_current_key(raw_bytes):
-                continue
-
-            try:
-                if not old_key:
-                    decrypted_str = raw_bytes.decode("utf-8")
-                else:
-                    decrypted_str = decrypt_bytes_to_string(raw_bytes, key=old_key)
-
-                # For EncryptedJson, parse back to dict so the TypeDecorator
-                # can json.dumps() it cleanly (avoids double-encoding).
-                value: Any = json.loads(decrypted_str) if is_json else decrypted_str
-            except (ValueError, UnicodeDecodeError) as e:
-                pk_vals = [row[i] for i in range(len(pk_names))]
-                logger.warning(
-                    f"Could not decrypt/parse {table_name}.{col_name} "
-                    f"row {pk_vals} — skipping: {e}"
-                )
-                continue
-
-            if not dry_run:
-                pk_filters = [pk_attr == row[i] for i, pk_attr in enumerate(pk_attrs)]
-                update_stmt = (
-                    update(model_cls).where(*pk_filters).values({col_name: value})
-                )
-                db_session.execute(update_stmt)
-                batch_pending += 1
-
-                if batch_pending >= _BATCH_SIZE:
-                    db_session.commit()
-                    batch_pending = 0
-            reencrypted += 1
-
-        # Flush remaining rows in this column
-        if batch_pending > 0:
-            db_session.commit()
-
-        if reencrypted > 0:
-            totals[f"{table_name}.{col_name}"] = reencrypted
-            logger.info(
-                f"{'[DRY RUN] Would re-encrypt' if dry_run else 'Re-encrypted'} "
-                f"{reencrypted} value(s) in {table_name}.{col_name}"
-            )
-
-    return totals

backend/onyx/error_handling/error_codes.py

@@ -91,11 +91,11 @@ class OnyxErrorCode(Enum):
         """Build a structured error detail dict.
 
         Returns a dict like:
-            {"error_code": "UNAUTHENTICATED", "message": "Token expired"}
+            {"error_code": "UNAUTHENTICATED", "detail": "Token expired"}
 
-        If no message is supplied, the error code itself is used as the message.
+        If no message is supplied, the error code itself is used as the detail.
         """
         return {
             "error_code": self.code,
-            "message": message or self.code,
+            "detail": message or self.code,
         }

backend/onyx/error_handling/exceptions.py

@@ -3,7 +3,7 @@
 Raise ``OnyxError`` instead of ``HTTPException`` in business code.  A global
 FastAPI exception handler (registered via ``register_onyx_exception_handlers``)
 converts it into a JSON response with the standard
-``{"error_code": "...", "message": "..."}`` shape.
+``{"error_code": "...", "detail": "..."}`` shape.
 
 Usage::
 
@@ -37,21 +37,21 @@ class OnyxError(Exception):
 
     Attributes:
         error_code: The ``OnyxErrorCode`` enum member.
-        message: Human-readable message (defaults to the error code string).
+        detail: Human-readable detail (defaults to the error code string).
         status_code: HTTP status — either overridden or from the error code.
     """
 
     def __init__(
         self,
         error_code: OnyxErrorCode,
-        message: str | None = None,
+        detail: str | None = None,
         *,
         status_code_override: int | None = None,
     ) -> None:
-        resolved_message = message or error_code.code
-        super().__init__(resolved_message)
+        resolved_detail = detail or error_code.code
+        super().__init__(resolved_detail)
         self.error_code = error_code
-        self.message = resolved_message
+        self.detail = resolved_detail
         self._status_code_override = status_code_override
 
     @property
@@ -73,11 +73,11 @@ def register_onyx_exception_handlers(app: FastAPI) -> None:
     ) -> JSONResponse:
         status_code = exc.status_code
         if status_code >= 500:
-            logger.error(f"OnyxError {exc.error_code.code}: {exc.message}")
+            logger.error(f"OnyxError {exc.error_code.code}: {exc.detail}")
         elif status_code >= 400:
-            logger.warning(f"OnyxError {exc.error_code.code}: {exc.message}")
+            logger.warning(f"OnyxError {exc.error_code.code}: {exc.detail}")
 
         return JSONResponse(
             status_code=status_code,
-            content=exc.error_code.detail(exc.message),
+            content=exc.error_code.detail(exc.detail),
         )

backend/onyx/file_processing/file_types.py

@@ -19,12 +19,16 @@ class OnyxMimeTypes:
         PLAIN_TEXT_MIME_TYPE,
         "text/markdown",
         "text/x-markdown",
+        "text/x-log",
         "text/x-config",
         "text/tab-separated-values",
         "application/json",
         "application/xml",
         "text/xml",
         "application/x-yaml",
+        "application/yaml",
+        "text/yaml",
+        "text/x-yaml",
     }
     DOCUMENT_MIME_TYPES = {
         PDF_MIME_TYPE,

backend/onyx/llm/constants.py

@@ -43,6 +43,7 @@ WELL_KNOWN_PROVIDER_NAMES = [
     LlmProviderNames.AZURE,
     LlmProviderNames.OLLAMA_CHAT,
     LlmProviderNames.LM_STUDIO,
+    LlmProviderNames.LITELLM_PROXY,
 ]
 
 
@@ -59,6 +60,7 @@ PROVIDER_DISPLAY_NAMES: dict[str, str] = {
     "ollama": "Ollama",
     LlmProviderNames.OLLAMA_CHAT: "Ollama",
     LlmProviderNames.LM_STUDIO: "LM Studio",
+    LlmProviderNames.LITELLM_PROXY: "LiteLLM Proxy",
     "groq": "Groq",
     "anyscale": "Anyscale",
     "deepseek": "DeepSeek",
@@ -109,6 +111,7 @@ AGGREGATOR_PROVIDERS: set[str] = {
     LlmProviderNames.LM_STUDIO,
     LlmProviderNames.VERTEX_AI,
     LlmProviderNames.AZURE,
+    LlmProviderNames.LITELLM_PROXY,
 }
 
 # Model family name mappings for display name generation

backend/onyx/llm/well_known_providers/constants.py

@@ -11,6 +11,8 @@ OLLAMA_API_KEY_CONFIG_KEY = "OLLAMA_API_KEY"
 LM_STUDIO_PROVIDER_NAME = "lm_studio"
 LM_STUDIO_API_KEY_CONFIG_KEY = "LM_STUDIO_API_KEY"
 
+LITELLM_PROXY_PROVIDER_NAME = "litellm_proxy"
+
 # Providers that use optional Bearer auth from custom_config
 PROVIDERS_WITH_SPECIAL_API_KEY_HANDLING: dict[str, str] = {
     LlmProviderNames.OLLAMA_CHAT: OLLAMA_API_KEY_CONFIG_KEY,

backend/onyx/llm/well_known_providers/llm_provider_options.py

@@ -15,6 +15,7 @@ from onyx.llm.well_known_providers.auto_update_service import (
 from onyx.llm.well_known_providers.constants import ANTHROPIC_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import AZURE_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import BEDROCK_PROVIDER_NAME
+from onyx.llm.well_known_providers.constants import LITELLM_PROXY_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import LM_STUDIO_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import OLLAMA_PROVIDER_NAME
 from onyx.llm.well_known_providers.constants import OPENAI_PROVIDER_NAME
@@ -47,6 +48,7 @@ def _get_provider_to_models_map() -> dict[str, list[str]]:
         OLLAMA_PROVIDER_NAME: [],  # Dynamic - fetched from Ollama API
         LM_STUDIO_PROVIDER_NAME: [],  # Dynamic - fetched from LM Studio API
         OPENROUTER_PROVIDER_NAME: [],  # Dynamic - fetched from OpenRouter API
+        LITELLM_PROXY_PROVIDER_NAME: [],  # Dynamic - fetched from LiteLLM proxy API
     }
 
 
@@ -331,6 +333,7 @@ def get_provider_display_name(provider_name: str) -> str:
         BEDROCK_PROVIDER_NAME: "Amazon Bedrock",
         VERTEXAI_PROVIDER_NAME: "Google Vertex AI",
         OPENROUTER_PROVIDER_NAME: "OpenRouter",
+        LITELLM_PROXY_PROVIDER_NAME: "LiteLLM Proxy",
     }
 
     if provider_name in _ONYX_PROVIDER_DISPLAY_NAMES:

backend/onyx/server/features/projects/projects_file_utils.py

@@ -10,8 +10,6 @@ from pydantic import Field
 from sqlalchemy.orm import Session
 
 from onyx.configs.app_configs import FILE_TOKEN_COUNT_THRESHOLD
-from onyx.configs.app_configs import USER_FILE_MAX_UPLOAD_SIZE_BYTES
-from onyx.configs.app_configs import USER_FILE_MAX_UPLOAD_SIZE_MB
 from onyx.db.llm import fetch_default_llm_model
 from onyx.file_processing.extract_file_text import extract_file_text
 from onyx.file_processing.extract_file_text import get_file_ext
@@ -37,38 +35,6 @@ def get_safe_filename(upload: UploadFile) -> str:
     return upload.filename
 
 
-def get_upload_size_bytes(upload: UploadFile) -> int | None:
-    """Best-effort file size in bytes without consuming the stream."""
-    if upload.size is not None:
-        return upload.size
-
-    try:
-        current_pos = upload.file.tell()
-        upload.file.seek(0, 2)
-        size = upload.file.tell()
-        upload.file.seek(current_pos)
-        return size
-    except Exception as e:
-        logger.warning(
-            "Could not determine upload size via stream seek "
-            f"(filename='{get_safe_filename(upload)}', "
-            f"error_type={type(e).__name__}, error={e})"
-        )
-        return None
-
-
-def is_upload_too_large(upload: UploadFile, max_bytes: int) -> bool:
-    """Return True when upload size is known and exceeds max_bytes."""
-    size_bytes = get_upload_size_bytes(upload)
-    if size_bytes is None:
-        logger.warning(
-            "Could not determine upload size; skipping size-limit check for "
-            f"'{get_safe_filename(upload)}'"
-        )
-        return False
-    return size_bytes > max_bytes
-
-
 # Guard against extremely large images
 Image.MAX_IMAGE_PIXELS = 12000 * 12000
 
@@ -193,18 +159,6 @@ def categorize_uploaded_files(
     for upload in files:
         try:
             filename = get_safe_filename(upload)
-
-            # Size limit is a hard safety cap and is enforced even when token
-            # threshold checks are skipped via SKIP_USERFILE_THRESHOLD settings.
-            if is_upload_too_large(upload, USER_FILE_MAX_UPLOAD_SIZE_BYTES):
-                results.rejected.append(
-                    RejectedFile(
-                        filename=filename,
-                        reason=f"Exceeds {USER_FILE_MAX_UPLOAD_SIZE_MB} MB file size limit",
-                    )
-                )
-                continue
-
             extension = get_file_ext(filename)
 
             # If image, estimate tokens via dedicated method first

backend/onyx/server/manage/llm/api.py

@@ -58,6 +58,9 @@ from onyx.llm.well_known_providers.llm_provider_options import (
 from onyx.server.manage.llm.models import BedrockFinalModelResponse
 from onyx.server.manage.llm.models import BedrockModelsRequest
 from onyx.server.manage.llm.models import DefaultModel
+from onyx.server.manage.llm.models import LitellmFinalModelResponse
+from onyx.server.manage.llm.models import LitellmModelDetails
+from onyx.server.manage.llm.models import LitellmModelsRequest
 from onyx.server.manage.llm.models import LLMCost
 from onyx.server.manage.llm.models import LLMProviderDescriptor
 from onyx.server.manage.llm.models import LLMProviderResponse
@@ -65,12 +68,14 @@ from onyx.server.manage.llm.models import LLMProviderUpsertRequest
 from onyx.server.manage.llm.models import LLMProviderView
 from onyx.server.manage.llm.models import LMStudioFinalModelResponse
 from onyx.server.manage.llm.models import LMStudioModelsRequest
+from onyx.server.manage.llm.models import ModelConfigurationUpsertRequest
 from onyx.server.manage.llm.models import OllamaFinalModelResponse
 from onyx.server.manage.llm.models import OllamaModelDetails
 from onyx.server.manage.llm.models import OllamaModelsRequest
 from onyx.server.manage.llm.models import OpenRouterFinalModelResponse
 from onyx.server.manage.llm.models import OpenRouterModelDetails
 from onyx.server.manage.llm.models import OpenRouterModelsRequest
+from onyx.server.manage.llm.models import SyncModelEntry
 from onyx.server.manage.llm.models import TestLLMRequest
 from onyx.server.manage.llm.models import VisionProviderResponse
 from onyx.server.manage.llm.utils import generate_bedrock_display_name
@@ -97,6 +102,34 @@ def _mask_string(value: str) -> str:
     return value[:4] + "****" + value[-4:]
 
 
+def _sync_fetched_models(
+    db_session: Session,
+    provider_name: str,
+    models: list[SyncModelEntry],
+    source_label: str,
+) -> None:
+    """Sync fetched models to DB for the given provider.
+
+    Args:
+        db_session: Database session
+        provider_name: Name of the LLM provider
+        models: List of SyncModelEntry objects describing the fetched models
+        source_label: Human-readable label for log messages (e.g. "Bedrock", "LiteLLM")
+    """
+    try:
+        new_count = sync_model_configurations(
+            db_session=db_session,
+            provider_name=provider_name,
+            models=models,
+        )
+        if new_count > 0:
+            logger.info(
+                f"Added {new_count} new {source_label} models to provider '{provider_name}'"
+            )
+    except ValueError as e:
+        logger.warning(f"Failed to sync {source_label} models to DB: {e}")
+
+
 # Keys in custom_config that contain sensitive credentials
 _SENSITIVE_CONFIG_KEYS = {
     "vertex_credentials",
@@ -445,16 +478,17 @@ def put_llm_provider(
         not existing_provider or not existing_provider.is_auto_mode
     )
 
-    # Before the upsert, check if this provider currently owns the global
-    # CHAT default. The upsert may cascade-delete model_configurations
-    # (and their flow mappings), so we need to remember this beforehand.
-    was_default_provider = False
-    if existing_provider and transitioning_to_auto_mode:
-        current_default = fetch_default_llm_model(db_session)
-        was_default_provider = (
-            current_default is not None
-            and current_default.llm_provider_id == existing_provider.id
-        )
+    # When transitioning to auto mode, preserve existing model configurations
+    # so the upsert doesn't try to delete them (which would trip the default
+    # model protection guard). sync_auto_mode_models will handle the model
+    # lifecycle afterward — adding new models, hiding removed ones, and
+    # updating the default. This is safe even if sync fails: the provider
+    # keeps its old models and default rather than losing them.
+    if transitioning_to_auto_mode and existing_provider:
+        llm_provider_upsert_request.model_configurations = [
+            ModelConfigurationUpsertRequest.from_model(mc)
+            for mc in existing_provider.model_configurations
+        ]
 
     try:
         result = upsert_llm_provider(
@@ -468,7 +502,6 @@ def put_llm_provider(
 
             config = fetch_llm_recommendations_from_github()
             if config and llm_provider_upsert_request.provider in config.providers:
-                # Refetch the provider to get the updated model
                 updated_provider = fetch_existing_llm_provider_by_id(
                     id=result.id, db_session=db_session
                 )
@@ -478,20 +511,6 @@ def put_llm_provider(
                         updated_provider,
                         config,
                     )
-
-                    # If this provider was the default before the transition,
-                    # restore the default using the recommended model.
-                    if was_default_provider:
-                        recommended = config.get_default_model(
-                            llm_provider_upsert_request.provider
-                        )
-                        if recommended:
-                            update_default_provider(
-                                provider_id=updated_provider.id,
-                                model_name=recommended.name,
-                                db_session=db_session,
-                            )
-
                     # Refresh result with synced models
                     result = LLMProviderView.from_model(updated_provider)
 
@@ -976,27 +995,20 @@ def get_bedrock_available_models(
 
         # Sync new models to DB if provider_name is specified
         if request.provider_name:
-            try:
-                models_to_sync = [
-                    {
-                        "name": r.name,
-                        "display_name": r.display_name,
-                        "max_input_tokens": r.max_input_tokens,
-                        "supports_image_input": r.supports_image_input,
-                    }
-                    for r in results
-                ]
-                new_count = sync_model_configurations(
-                    db_session=db_session,
-                    provider_name=request.provider_name,
-                    models=models_to_sync,
-                )
-                if new_count > 0:
-                    logger.info(
-                        f"Added {new_count} new Bedrock models to provider '{request.provider_name}'"
+            _sync_fetched_models(
+                db_session=db_session,
+                provider_name=request.provider_name,
+                models=[
+                    SyncModelEntry(
+                        name=r.name,
+                        display_name=r.display_name,
+                        max_input_tokens=r.max_input_tokens,
+                        supports_image_input=r.supports_image_input,
                     )
-            except ValueError as e:
-                logger.warning(f"Failed to sync Bedrock models to DB: {e}")
+                    for r in results
+                ],
+                source_label="Bedrock",
+            )
 
         return results
 
@@ -1114,27 +1126,20 @@ def get_ollama_available_models(
 
     # Sync new models to DB if provider_name is specified
     if request.provider_name:
-        try:
-            models_to_sync = [
-                {
-                    "name": r.name,
-                    "display_name": r.display_name,
-                    "max_input_tokens": r.max_input_tokens,
-                    "supports_image_input": r.supports_image_input,
-                }
-                for r in sorted_results
-            ]
-            new_count = sync_model_configurations(
-                db_session=db_session,
-                provider_name=request.provider_name,
-                models=models_to_sync,
-            )
-            if new_count > 0:
-                logger.info(
-                    f"Added {new_count} new Ollama models to provider '{request.provider_name}'"
+        _sync_fetched_models(
+            db_session=db_session,
+            provider_name=request.provider_name,
+            models=[
+                SyncModelEntry(
+                    name=r.name,
+                    display_name=r.display_name,
+                    max_input_tokens=r.max_input_tokens,
+                    supports_image_input=r.supports_image_input,
                 )
-        except ValueError as e:
-            logger.warning(f"Failed to sync Ollama models to DB: {e}")
+                for r in sorted_results
+            ],
+            source_label="Ollama",
+        )
 
     return sorted_results
 
@@ -1223,27 +1228,20 @@ def get_openrouter_available_models(
 
     # Sync new models to DB if provider_name is specified
     if request.provider_name:
-        try:
-            models_to_sync = [
-                {
-                    "name": r.name,
-                    "display_name": r.display_name,
-                    "max_input_tokens": r.max_input_tokens,
-                    "supports_image_input": r.supports_image_input,
-                }
-                for r in sorted_results
-            ]
-            new_count = sync_model_configurations(
-                db_session=db_session,
-                provider_name=request.provider_name,
-                models=models_to_sync,
-            )
-            if new_count > 0:
-                logger.info(
-                    f"Added {new_count} new OpenRouter models to provider '{request.provider_name}'"
+        _sync_fetched_models(
+            db_session=db_session,
+            provider_name=request.provider_name,
+            models=[
+                SyncModelEntry(
+                    name=r.name,
+                    display_name=r.display_name,
+                    max_input_tokens=r.max_input_tokens,
+                    supports_image_input=r.supports_image_input,
                 )
-        except ValueError as e:
-            logger.warning(f"Failed to sync OpenRouter models to DB: {e}")
+                for r in sorted_results
+            ],
+            source_label="OpenRouter",
+        )
 
     return sorted_results
 
@@ -1337,26 +1335,119 @@ def get_lm_studio_available_models(
 
     # Sync new models to DB if provider_name is specified
     if request.provider_name:
-        try:
-            models_to_sync = [
-                {
-                    "name": r.name,
-                    "display_name": r.display_name,
-                    "max_input_tokens": r.max_input_tokens,
-                    "supports_image_input": r.supports_image_input,
-                }
-                for r in sorted_results
-            ]
-            new_count = sync_model_configurations(
-                db_session=db_session,
-                provider_name=request.provider_name,
-                models=models_to_sync,
-            )
-            if new_count > 0:
-                logger.info(
-                    f"Added {new_count} new LM Studio models to provider '{request.provider_name}'"
+        _sync_fetched_models(
+            db_session=db_session,
+            provider_name=request.provider_name,
+            models=[
+                SyncModelEntry(
+                    name=r.name,
+                    display_name=r.display_name,
+                    max_input_tokens=r.max_input_tokens,
+                    supports_image_input=r.supports_image_input,
                 )
-        except ValueError as e:
-            logger.warning(f"Failed to sync LM Studio models to DB: {e}")
+                for r in sorted_results
+            ],
+            source_label="LM Studio",
+        )
 
     return sorted_results
+
+
+@admin_router.post("/litellm/available-models")
+def get_litellm_available_models(
+    request: LitellmModelsRequest,
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> list[LitellmFinalModelResponse]:
+    """Fetch available models from Litellm proxy /v1/models endpoint."""
+    response_json = _get_litellm_models_response(
+        api_key=request.api_key, api_base=request.api_base
+    )
+
+    models = response_json.get("data", [])
+    if not isinstance(models, list) or len(models) == 0:
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "No models found from your Litellm endpoint",
+        )
+
+    results: list[LitellmFinalModelResponse] = []
+    for model in models:
+        try:
+            model_details = LitellmModelDetails.model_validate(model)
+
+            results.append(
+                LitellmFinalModelResponse(
+                    provider_name=model_details.owned_by,
+                    model_name=model_details.id,
+                )
+            )
+        except Exception as e:
+            logger.warning(
+                "Failed to parse Litellm model entry",
+                extra={"error": str(e), "item": str(model)[:1000]},
+            )
+
+    if not results:
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "No compatible models found from Litellm",
+        )
+
+    sorted_results = sorted(results, key=lambda m: m.model_name.lower())
+
+    # Sync new models to DB if provider_name is specified
+    if request.provider_name:
+        _sync_fetched_models(
+            db_session=db_session,
+            provider_name=request.provider_name,
+            models=[
+                SyncModelEntry(
+                    name=r.model_name,
+                    display_name=r.model_name,
+                )
+                for r in sorted_results
+            ],
+            source_label="LiteLLM",
+        )
+
+    return sorted_results
+
+
+def _get_litellm_models_response(api_key: str, api_base: str) -> dict:
+    """Perform GET to Litellm proxy /api/v1/models and return parsed JSON."""
+    cleaned_api_base = api_base.strip().rstrip("/")
+    url = f"{cleaned_api_base}/v1/models"
+
+    headers = {
+        "Authorization": f"Bearer {api_key}",
+        "HTTP-Referer": "https://onyx.app",
+        "X-Title": "Onyx",
+    }
+
+    try:
+        response = httpx.get(url, headers=headers, timeout=10.0)
+        response.raise_for_status()
+        return response.json()
+    except httpx.HTTPStatusError as e:
+        if e.response.status_code == 401:
+            raise OnyxError(
+                OnyxErrorCode.VALIDATION_ERROR,
+                "Authentication failed: invalid or missing API key for LiteLLM proxy.",
+            )
+        elif e.response.status_code == 404:
+            raise OnyxError(
+                OnyxErrorCode.VALIDATION_ERROR,
+                f"LiteLLM models endpoint not found at {url}. "
+                "Please verify the API base URL.",
+            )
+        else:
+            raise OnyxError(
+                OnyxErrorCode.BAD_GATEWAY,
+                f"Failed to fetch LiteLLM models: {e}",
+            )
+    except Exception as e:
+        raise OnyxError(
+            OnyxErrorCode.BAD_GATEWAY,
+            f"Failed to fetch LiteLLM models: {e}",
+        )

backend/onyx/server/manage/llm/models.py

@@ -420,3 +420,32 @@ class LLMProviderResponse(BaseModel, Generic[T]):
             default_text=default_text,
             default_vision=default_vision,
         )
+
+
+class SyncModelEntry(BaseModel):
+    """Typed model for syncing fetched models to the DB."""
+
+    name: str
+    display_name: str
+    max_input_tokens: int | None = None
+    supports_image_input: bool = False
+
+
+class LitellmModelsRequest(BaseModel):
+    api_key: str
+    api_base: str
+    provider_name: str | None = None  # Optional: to save models to existing provider
+
+
+class LitellmModelDetails(BaseModel):
+    """Response model for Litellm proxy /api/v1/models endpoint"""
+
+    id: str  # Model ID (e.g. "gpt-4o")
+    object: str  # "model"
+    created: int  # Unix timestamp in seconds
+    owned_by: str  # Provider name (e.g. "openai")
+
+
+class LitellmFinalModelResponse(BaseModel):
+    provider_name: str  # Provider name (e.g. "openai")
+    model_name: str  # Model ID (e.g. "gpt-4o")

backend/onyx/server/query_and_chat/session_loading.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
 
 import json
+from typing import Any
 from typing import cast
 from typing import Literal
 
+from pydantic import ValidationError
 from sqlalchemy.orm import Session
 
 from onyx.chat.citation_utils import extract_citation_order_from_text
@@ -20,7 +22,9 @@ from onyx.server.query_and_chat.placement import Placement
 from onyx.server.query_and_chat.streaming_models import AgentResponseDelta
 from onyx.server.query_and_chat.streaming_models import AgentResponseStart
 from onyx.server.query_and_chat.streaming_models import CitationInfo
+from onyx.server.query_and_chat.streaming_models import CustomToolArgs
 from onyx.server.query_and_chat.streaming_models import CustomToolDelta
+from onyx.server.query_and_chat.streaming_models import CustomToolErrorInfo
 from onyx.server.query_and_chat.streaming_models import CustomToolStart
 from onyx.server.query_and_chat.streaming_models import FileReaderResult
 from onyx.server.query_and_chat.streaming_models import FileReaderStart
@@ -180,24 +184,37 @@ def create_custom_tool_packets(
     tab_index: int = 0,
     data: dict | list | str | int | float | bool | None = None,
     file_ids: list[str] | None = None,
+    error: CustomToolErrorInfo | None = None,
+    tool_args: dict[str, Any] | None = None,
+    tool_id: int | None = None,
 ) -> list[Packet]:
     packets: list[Packet] = []
 
     packets.append(
         Packet(
             placement=Placement(turn_index=turn_index, tab_index=tab_index),
-            obj=CustomToolStart(tool_name=tool_name),
+            obj=CustomToolStart(tool_name=tool_name, tool_id=tool_id),
         )
     )
 
+    if tool_args:
+        packets.append(
+            Packet(
+                placement=Placement(turn_index=turn_index, tab_index=tab_index),
+                obj=CustomToolArgs(tool_name=tool_name, tool_args=tool_args),
+            )
+        )
+
     packets.append(
         Packet(
             placement=Placement(turn_index=turn_index, tab_index=tab_index),
             obj=CustomToolDelta(
                 tool_name=tool_name,
+                tool_id=tool_id,
                 response_type=response_type,
                 data=data,
                 file_ids=file_ids,
+                error=error,
             ),
         ),
     )
@@ -657,13 +674,55 @@ def translate_assistant_message_to_packets(
 
                     else:
                         # Custom tool or unknown tool
+                        # Try to parse as structured CustomToolCallSummary JSON
+                        custom_data: dict | list | str | int | float | bool | None = (
+                            tool_call.tool_call_response
+                        )
+                        custom_error: CustomToolErrorInfo | None = None
+                        custom_response_type = "text"
+
+                        try:
+                            parsed = json.loads(tool_call.tool_call_response)
+                            if isinstance(parsed, dict) and "tool_name" in parsed:
+                                custom_data = parsed.get("tool_result")
+                                custom_response_type = parsed.get(
+                                    "response_type", "text"
+                                )
+                                if parsed.get("error"):
+                                    custom_error = CustomToolErrorInfo(
+                                        **parsed["error"]
+                                    )
+                        except (
+                            json.JSONDecodeError,
+                            KeyError,
+                            TypeError,
+                            ValidationError,
+                        ):
+                            pass
+
+                        custom_file_ids: list[str] | None = None
+                        if custom_response_type in ("image", "csv") and isinstance(
+                            custom_data, dict
+                        ):
+                            custom_file_ids = custom_data.get("file_ids")
+                            custom_data = None
+
+                        custom_args = {
+                            k: v
+                            for k, v in (tool_call.tool_call_arguments or {}).items()
+                            if k != "requestBody"
+                        }
                         turn_tool_packets.extend(
                             create_custom_tool_packets(
                                 tool_name=tool.display_name or tool.name,
-                                response_type="text",
+                                response_type=custom_response_type,
                                 turn_index=turn_num,
                                 tab_index=tool_call.tab_index,
-                                data=tool_call.tool_call_response,
+                                data=custom_data,
+                                file_ids=custom_file_ids,
+                                error=custom_error,
+                                tool_args=custom_args if custom_args else None,
+                                tool_id=tool_call.tool_id,
                             )
                         )
 

backend/onyx/server/query_and_chat/streaming_models.py

@@ -33,6 +33,7 @@ class StreamingType(Enum):
     PYTHON_TOOL_START = "python_tool_start"
     PYTHON_TOOL_DELTA = "python_tool_delta"
     CUSTOM_TOOL_START = "custom_tool_start"
+    CUSTOM_TOOL_ARGS = "custom_tool_args"
     CUSTOM_TOOL_DELTA = "custom_tool_delta"
     FILE_READER_START = "file_reader_start"
     FILE_READER_RESULT = "file_reader_result"
@@ -41,7 +42,6 @@ class StreamingType(Enum):
     REASONING_DONE = "reasoning_done"
     CITATION_INFO = "citation_info"
     TOOL_CALL_DEBUG = "tool_call_debug"
-    TOOL_CALL_ARGUMENT_DELTA = "tool_call_argument_delta"
 
     MEMORY_TOOL_START = "memory_tool_start"
     MEMORY_TOOL_DELTA = "memory_tool_delta"
@@ -246,6 +246,20 @@ class CustomToolStart(BaseObj):
     type: Literal["custom_tool_start"] = StreamingType.CUSTOM_TOOL_START.value
 
     tool_name: str
+    tool_id: int | None = None
+
+
+class CustomToolArgs(BaseObj):
+    type: Literal["custom_tool_args"] = StreamingType.CUSTOM_TOOL_ARGS.value
+
+    tool_name: str
+    tool_args: dict[str, Any]
+
+
+class CustomToolErrorInfo(BaseModel):
+    is_auth_error: bool = False
+    status_code: int
+    message: str
 
 
 # The allowed streamed packets for a custom tool
@@ -253,20 +267,13 @@ class CustomToolDelta(BaseObj):
     type: Literal["custom_tool_delta"] = StreamingType.CUSTOM_TOOL_DELTA.value
 
     tool_name: str
+    tool_id: int | None = None
     response_type: str
     # For non-file responses
     data: dict | list | str | int | float | bool | None = None
     # For file-based responses like image/csv
     file_ids: list[str] | None = None
-
-
-class ToolCallArgumentDelta(BaseObj):
-    type: Literal["tool_call_argument_delta"] = (
-        StreamingType.TOOL_CALL_ARGUMENT_DELTA.value
-    )
-
-    tool_type: str
-    argument_deltas: dict[str, Any]
+    error: CustomToolErrorInfo | None = None
 
 
 ################################################
@@ -376,6 +383,7 @@ PacketObj = Union[
     PythonToolStart,
     PythonToolDelta,
     CustomToolStart,
+    CustomToolArgs,
     CustomToolDelta,
     FileReaderStart,
     FileReaderResult,
@@ -389,7 +397,6 @@ PacketObj = Union[
     # Citation Packets
     CitationInfo,
     ToolCallDebug,
-    ToolCallArgumentDelta,
     # Deep Research Packets
     DeepResearchPlanStart,
     DeepResearchPlanDelta,

backend/onyx/server/query_and_chat/streaming_utils.py

@@ -8,8 +8,6 @@ from onyx.server.query_and_chat.placement import Placement
 from onyx.server.query_and_chat.streaming_models import AgentResponseDelta
 from onyx.server.query_and_chat.streaming_models import AgentResponseStart
 from onyx.server.query_and_chat.streaming_models import CitationInfo
-from onyx.server.query_and_chat.streaming_models import CustomToolDelta
-from onyx.server.query_and_chat.streaming_models import CustomToolStart
 from onyx.server.query_and_chat.streaming_models import GeneratedImage
 from onyx.server.query_and_chat.streaming_models import ImageGenerationFinal
 from onyx.server.query_and_chat.streaming_models import ImageGenerationToolStart
@@ -165,39 +163,6 @@ def create_image_generation_packets(
     return packets
 
 
-def create_custom_tool_packets(
-    tool_name: str,
-    response_type: str,
-    turn_index: int,
-    data: dict | list | str | int | float | bool | None = None,
-    file_ids: list[str] | None = None,
-) -> list[Packet]:
-    packets: list[Packet] = []
-
-    packets.append(
-        Packet(
-            placement=Placement(turn_index=turn_index),
-            obj=CustomToolStart(tool_name=tool_name),
-        )
-    )
-
-    packets.append(
-        Packet(
-            placement=Placement(turn_index=turn_index),
-            obj=CustomToolDelta(
-                tool_name=tool_name,
-                response_type=response_type,
-                data=data,
-                file_ids=file_ids,
-            ),
-        ),
-    )
-
-    packets.append(Packet(placement=Placement(turn_index=turn_index), obj=SectionEnd()))
-
-    return packets
-
-
 def create_fetch_packets(
     fetch_docs: list[SavedSearchDoc],
     urls: list[str],

backend/onyx/server/settings/models.py

@@ -78,7 +78,6 @@ class Settings(BaseModel):
 
     # User Knowledge settings
     user_knowledge_enabled: bool | None = True
-    user_file_max_upload_size_mb: int | None = None
 
     # Connector settings
     show_extra_connectors: bool | None = True

backend/onyx/server/settings/store.py

@@ -3,7 +3,6 @@ from onyx.configs.app_configs import DISABLE_USER_KNOWLEDGE
 from onyx.configs.app_configs import ENABLE_OPENSEARCH_INDEXING_FOR_ONYX
 from onyx.configs.app_configs import ONYX_QUERY_HISTORY_TYPE
 from onyx.configs.app_configs import SHOW_EXTRA_CONNECTORS
-from onyx.configs.app_configs import USER_FILE_MAX_UPLOAD_SIZE_MB
 from onyx.configs.constants import KV_SETTINGS_KEY
 from onyx.configs.constants import OnyxRedisLocks
 from onyx.key_value_store.factory import get_kv_store
@@ -51,7 +50,6 @@ def load_settings() -> Settings:
     if DISABLE_USER_KNOWLEDGE:
         settings.user_knowledge_enabled = False
 
-    settings.user_file_max_upload_size_mb = USER_FILE_MAX_UPLOAD_SIZE_MB
     settings.show_extra_connectors = SHOW_EXTRA_CONNECTORS
     settings.opensearch_indexing_enabled = ENABLE_OPENSEARCH_INDEXING_FOR_ONYX
     return settings

backend/onyx/setup.py

@@ -275,9 +275,13 @@ def setup_postgres(db_session: Session) -> None:
             ],
             api_key_changed=True,
         )
-        new_llm_provider = upsert_llm_provider(
-            llm_provider_upsert_request=model_req, db_session=db_session
-        )
+        try:
+            new_llm_provider = upsert_llm_provider(
+                llm_provider_upsert_request=model_req, db_session=db_session
+            )
+        except ValueError as e:
+            logger.warning("Failed to upsert LLM provider during setup: %s", e)
+            return
         update_default_provider(
             provider_id=new_llm_provider.id, model_name=llm_model, db_session=db_session
         )

backend/onyx/tools/built_in_tools.py

@@ -56,23 +56,3 @@ def get_built_in_tool_ids() -> list[str]:
 
 def get_built_in_tool_by_id(in_code_tool_id: str) -> Type[BUILT_IN_TOOL_TYPES]:
     return BUILT_IN_TOOL_MAP[in_code_tool_id]
-
-
-def _build_tool_name_to_class() -> dict[str, Type[BUILT_IN_TOOL_TYPES]]:
-    """Build a mapping from LLM-facing tool name to tool class."""
-    result: dict[str, Type[BUILT_IN_TOOL_TYPES]] = {}
-    for cls in BUILT_IN_TOOL_MAP.values():
-        name_attr = cls.__dict__.get("name")
-        if isinstance(name_attr, property) and name_attr.fget is not None:
-            tool_name = name_attr.fget(cls)
-        elif isinstance(name_attr, str):
-            tool_name = name_attr
-        else:
-            raise ValueError(
-                f"Built-in tool {cls.__name__} must define a valid LLM-facing tool name"
-            )
-        result[tool_name] = cls
-    return result
-
-
-TOOL_NAME_TO_CLASS: dict[str, Type[BUILT_IN_TOOL_TYPES]] = _build_tool_name_to_class()

backend/onyx/tools/interface.py

@@ -92,7 +92,3 @@ class Tool(abc.ABC, Generic[TOverride]):
         **llm_kwargs: Any,
     ) -> ToolResponse:
         raise NotImplementedError
-
-    @classmethod
-    def should_emit_argument_deltas(cls) -> bool:
-        return False

backend/onyx/tools/models.py

@@ -18,6 +18,7 @@ from onyx.context.search.models import SearchDoc
 from onyx.context.search.models import SearchDocsResponse
 from onyx.db.memory import UserMemoryContext
 from onyx.server.query_and_chat.placement import Placement
+from onyx.server.query_and_chat.streaming_models import CustomToolErrorInfo
 from onyx.server.query_and_chat.streaming_models import GeneratedImage
 from onyx.tools.tool_implementations.images.models import FinalImageGenerationResponse
 from onyx.tools.tool_implementations.memory.models import MemoryToolResponse
@@ -61,6 +62,7 @@ class CustomToolCallSummary(BaseModel):
     tool_name: str
     response_type: str  # e.g., 'json', 'image', 'csv', 'graph'
     tool_result: Any  # The response data
+    error: CustomToolErrorInfo | None = None
 
 
 class ToolCallKickoff(BaseModel):

backend/onyx/tools/tool_implementations/custom/custom_tool.py

@@ -15,7 +15,9 @@ from onyx.chat.emitter import get_default_emitter
 from onyx.configs.constants import FileOrigin
 from onyx.file_store.file_store import get_default_file_store
 from onyx.server.query_and_chat.placement import Placement
+from onyx.server.query_and_chat.streaming_models import CustomToolArgs
 from onyx.server.query_and_chat.streaming_models import CustomToolDelta
+from onyx.server.query_and_chat.streaming_models import CustomToolErrorInfo
 from onyx.server.query_and_chat.streaming_models import CustomToolStart
 from onyx.server.query_and_chat.streaming_models import Packet
 from onyx.tools.interface import Tool
@@ -139,7 +141,7 @@ class CustomTool(Tool[None]):
         self.emitter.emit(
             Packet(
                 placement=placement,
-                obj=CustomToolStart(tool_name=self._name),
+                obj=CustomToolStart(tool_name=self._name, tool_id=self._id),
             )
         )
 
@@ -149,10 +151,8 @@ class CustomTool(Tool[None]):
         override_kwargs: None = None,  # noqa: ARG002
         **llm_kwargs: Any,
     ) -> ToolResponse:
-        request_body = llm_kwargs.get(REQUEST_BODY)
-
+        # Build path params
         path_params = {}
-
         for path_param_schema in self._method_spec.get_path_param_schemas():
             param_name = path_param_schema["name"]
             if param_name not in llm_kwargs:
@@ -165,6 +165,7 @@ class CustomTool(Tool[None]):
                 )
             path_params[param_name] = llm_kwargs[param_name]
 
+        # Build query params
         query_params = {}
         for query_param_schema in self._method_spec.get_query_param_schemas():
             if query_param_schema["name"] in llm_kwargs:
@@ -172,6 +173,20 @@ class CustomTool(Tool[None]):
                     query_param_schema["name"]
                 ]
 
+        # Emit args packet (path + query params only, no request body)
+        tool_args = {**path_params, **query_params}
+        if tool_args:
+            self.emitter.emit(
+                Packet(
+                    placement=placement,
+                    obj=CustomToolArgs(
+                        tool_name=self._name,
+                        tool_args=tool_args,
+                    ),
+                )
+            )
+
+        request_body = llm_kwargs.get(REQUEST_BODY)
         url = self._method_spec.build_url(self._base_url, path_params, query_params)
         method = self._method_spec.method
 
@@ -180,6 +195,18 @@ class CustomTool(Tool[None]):
         )
         content_type = response.headers.get("Content-Type", "")
 
+        # Detect HTTP errors — only 401/403 are flagged as auth errors
+        error_info: CustomToolErrorInfo | None = None
+        if response.status_code in (401, 403):
+            error_info = CustomToolErrorInfo(
+                is_auth_error=True,
+                status_code=response.status_code,
+                message=f"{self._name} action failed because of authentication error",
+            )
+            logger.warning(
+                f"Auth error from custom tool '{self._name}': HTTP {response.status_code}"
+            )
+
         tool_result: Any
         response_type: str
         file_ids: List[str] | None = None
@@ -222,9 +249,11 @@ class CustomTool(Tool[None]):
                 placement=placement,
                 obj=CustomToolDelta(
                     tool_name=self._name,
+                    tool_id=self._id,
                     response_type=response_type,
                     data=data,
                     file_ids=file_ids,
+                    error=error_info,
                 ),
             )
         )
@@ -236,6 +265,7 @@ class CustomTool(Tool[None]):
                 tool_name=self._name,
                 response_type=response_type,
                 tool_result=tool_result,
+                error=error_info,
             ),
             llm_facing_response=llm_facing_response,
         )

backend/onyx/tools/tool_implementations/python/python_tool.py

@@ -376,8 +376,3 @@ class PythonTool(Tool[PythonToolOverrideKwargs]):
                     rich_response=None,
                     llm_facing_response=llm_response,
                 )
-
-    @classmethod
-    @override
-    def should_emit_argument_deltas(cls) -> bool:
-        return True

backend/onyx/utils/encryption.py

@@ -11,20 +11,16 @@ logger = setup_logger()
 
 
 # IMPORTANT DO NOT DELETE, THIS IS USED BY fetch_versioned_implementation
-def _encrypt_string(input_str: str, key: str | None = None) -> bytes:  # noqa: ARG001
+def _encrypt_string(input_str: str) -> bytes:
     if ENCRYPTION_KEY_SECRET:
         logger.warning("MIT version of Onyx does not support encryption of secrets.")
-    elif key is not None:
-        logger.debug("MIT encrypt called with explicit key — key ignored.")
     return input_str.encode()
 
 
 # IMPORTANT DO NOT DELETE, THIS IS USED BY fetch_versioned_implementation
-def _decrypt_bytes(input_bytes: bytes, key: str | None = None) -> str:  # noqa: ARG001
-    if ENCRYPTION_KEY_SECRET:
-        logger.warning("MIT version of Onyx does not support decryption of secrets.")
-    elif key is not None:
-        logger.debug("MIT decrypt called with explicit key — key ignored.")
+def _decrypt_bytes(input_bytes: bytes) -> str:
+    # No need to double warn. If you wish to learn more about encryption features
+    # refer to the Onyx EE code
     return input_bytes.decode()
 
 
@@ -90,15 +86,15 @@ def _mask_list(items: list[Any]) -> list[Any]:
     return masked
 
 
-def encrypt_string_to_bytes(intput_str: str, key: str | None = None) -> bytes:
+def encrypt_string_to_bytes(intput_str: str) -> bytes:
     versioned_encryption_fn = fetch_versioned_implementation(
         "onyx.utils.encryption", "_encrypt_string"
     )
-    return versioned_encryption_fn(intput_str, key=key)
+    return versioned_encryption_fn(intput_str)
 
 
-def decrypt_bytes_to_string(intput_bytes: bytes, key: str | None = None) -> str:
+def decrypt_bytes_to_string(intput_bytes: bytes) -> str:
     versioned_decryption_fn = fetch_versioned_implementation(
         "onyx.utils.encryption", "_decrypt_bytes"
     )
-    return versioned_decryption_fn(intput_bytes, key=key)
+    return versioned_decryption_fn(intput_bytes)

backend/onyx/utils/sensitive.py

@@ -128,8 +128,6 @@ class SensitiveValue(Generic[T]):
         value = self._decrypt()
 
         if not apply_mask:
-            # Callers must not mutate the returned dict — doing so would
-            # desync the cache from the encrypted bytes and the DB.
             return value
 
         # Apply masking
@@ -176,20 +174,18 @@ class SensitiveValue(Generic[T]):
         )
 
     def __eq__(self, other: Any) -> bool:
-        """Compare SensitiveValues by their decrypted content."""
-        # NOTE: if you attempt to compare a string/dict to a SensitiveValue,
-        # this comparison will return NotImplemented, which then evaluates to False.
-        # This is the convention and required for SQLAlchemy's attribute tracking.
-        if not isinstance(other, SensitiveValue):
-            return NotImplemented
-        return self._decrypt() == other._decrypt()
+        """Prevent direct comparison which might expose value."""
+        if isinstance(other, SensitiveValue):
+            # Compare encrypted bytes for equality check
+            return self._encrypted_bytes == other._encrypted_bytes
+        raise SensitiveAccessError(
+            "Cannot compare SensitiveValue with non-SensitiveValue. "
+            "Use .get_value(apply_mask=True/False) to access the value for comparison."
+        )
 
     def __hash__(self) -> int:
-        """Hash based on decrypted content."""
-        value = self._decrypt()
-        if isinstance(value, dict):
-            return hash(json.dumps(value, sort_keys=True))
-        return hash(value)
+        """Allow hashing based on encrypted bytes."""
+        return hash(self._encrypted_bytes)
 
     # Prevent JSON serialization
     def __json__(self) -> Any:

backend/requirements/dev.txt

@@ -406,7 +406,7 @@ referencing==0.36.2
     #   jsonschema-specifications
 regex==2025.11.3
     # via tiktoken
-release-tag==0.4.3
+release-tag==0.5.2
     # via onyx
 reorder-python-imports-black==3.14.0
     # via onyx

backend/scripts/decrypt.py

@@ -1,93 +1,48 @@
-"""Decrypt a raw hex-encoded credential value.
-
-Usage:
-    python -m scripts.decrypt <hex_value>
-    python -m scripts.decrypt <hex_value> --key "my-encryption-key"
-    python -m scripts.decrypt <hex_value> --key ""
-
-Pass --key "" to skip decryption and just decode the raw bytes as UTF-8.
-Omit --key to use the current ENCRYPTION_KEY_SECRET from the environment.
-"""
-
-import argparse
 import binascii
 import json
-import os
 import sys
 
-parent_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
-sys.path.append(parent_dir)
-
-from onyx.utils.encryption import decrypt_bytes_to_string  # noqa: E402
-from onyx.utils.variable_functionality import global_version  # noqa: E402
+from onyx.utils.encryption import decrypt_bytes_to_string
 
 
-def decrypt_raw_credential(encrypted_value: str, key: str | None = None) -> None:
-    """Decrypt and display a raw encrypted credential value.
+def decrypt_raw_credential(encrypted_value: str) -> None:
+    """Decrypt and display a raw encrypted credential value
 
     Args:
-        encrypted_value: The hex-encoded encrypted credential value.
-        key: Encryption key to use. None means use ENCRYPTION_KEY_SECRET,
-             empty string means just decode as UTF-8.
+        encrypted_value: The hex encoded encrypted credential value
     """
-    # Strip common hex prefixes
-    if encrypted_value.startswith("\\x"):
-        encrypted_value = encrypted_value[2:]
-    elif encrypted_value.startswith("x"):
-        encrypted_value = encrypted_value[1:]
-    print(encrypted_value)
-
     try:
-        raw_bytes = binascii.unhexlify(encrypted_value)
+        # If string starts with 'x', remove it as it's just a prefix indicating hex
+        if encrypted_value.startswith("x"):
+            encrypted_value = encrypted_value[1:]
+        elif encrypted_value.startswith("\\x"):
+            encrypted_value = encrypted_value[2:]
+
+        # Convert hex string to bytes
+        encrypted_bytes = binascii.unhexlify(encrypted_value)
+
+        # Decrypt the bytes
+        decrypted_str = decrypt_bytes_to_string(encrypted_bytes)
+
+        # Parse and pretty print the decrypted JSON
+        decrypted_json = json.loads(decrypted_str)
+        print("Decrypted credential value:")
+        print(json.dumps(decrypted_json, indent=2))
+
     except binascii.Error:
-        print("Error: Invalid hex-encoded string")
-        sys.exit(1)
+        print("Error: Invalid hex encoded string")
 
-    if key == "":
-        # Empty key → just decode as UTF-8, no decryption
-        try:
-            decrypted_str = raw_bytes.decode("utf-8")
-        except UnicodeDecodeError as e:
-            print(f"Error decoding bytes as UTF-8: {e}")
-            sys.exit(1)
-    else:
-        print(key)
-        try:
-            decrypted_str = decrypt_bytes_to_string(raw_bytes, key=key)
-        except Exception as e:
-            print(f"Error decrypting value: {e}")
-            sys.exit(1)
+    except json.JSONDecodeError as e:
+        print(f"Decrypted raw value (not JSON): {e}")
 
-    # Try to pretty-print as JSON, otherwise print raw
-    try:
-        parsed = json.loads(decrypted_str)
-        print(json.dumps(parsed, indent=2))
-    except json.JSONDecodeError:
-        print(decrypted_str)
-
-
-def main() -> None:
-    parser = argparse.ArgumentParser(
-        description="Decrypt a hex-encoded credential value."
-    )
-    parser.add_argument(
-        "value",
-        help="Hex-encoded encrypted value to decrypt.",
-    )
-    parser.add_argument(
-        "--key",
-        default=None,
-        help=(
-            "Encryption key. Omit to use ENCRYPTION_KEY_SECRET from env. "
-            'Pass "" (empty) to just decode as UTF-8 without decryption.'
-        ),
-    )
-    args = parser.parse_args()
-
-    global_version.set_ee()
-    decrypt_raw_credential(args.value, key=args.key)
-    global_version.unset_ee()
+    except Exception as e:
+        print(f"Error decrypting value: {e}")
 
 
 if __name__ == "__main__":
-    main()
+    if len(sys.argv) != 2:
+        print("Usage: python decrypt.py <hex_encoded_encrypted_value>")
+        sys.exit(1)
+
+    encrypted_value = sys.argv[1]
+    decrypt_raw_credential(encrypted_value)

backend/scripts/reencrypt_secrets.py

@@ -1,107 +0,0 @@
-"""Re-encrypt secrets under the current ENCRYPTION_KEY_SECRET.
-
-Decrypts all encrypted columns using the old key (or raw decode if the old key
-is empty), then re-encrypts them with the current ENCRYPTION_KEY_SECRET.
-
-Usage (docker):
-    docker exec -it onyx-api_server-1 \
-        python -m scripts.reencrypt_secrets --old-key "previous-key"
-
-Usage (kubernetes):
-    kubectl exec -it <pod> -- \
-        python -m scripts.reencrypt_secrets --old-key "previous-key"
-
-Omit --old-key (or pass "") if secrets were not previously encrypted.
-
-For multi-tenant deployments, pass --tenant-id to target a specific tenant,
-or --all-tenants to iterate every tenant.
-"""
-
-import argparse
-import os
-import sys
-
-parent_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
-sys.path.append(parent_dir)
-
-from onyx.db.rotate_encryption_key import rotate_encryption_key  # noqa: E402
-from onyx.db.engine.sql_engine import get_session_with_tenant  # noqa: E402
-from onyx.db.engine.sql_engine import SqlEngine  # noqa: E402
-from onyx.db.engine.tenant_utils import get_all_tenant_ids  # noqa: E402
-from onyx.utils.variable_functionality import global_version  # noqa: E402
-from shared_configs.configs import POSTGRES_DEFAULT_SCHEMA  # noqa: E402
-
-
-def _run_for_tenant(tenant_id: str, old_key: str | None, dry_run: bool = False) -> None:
-    print(f"Re-encrypting secrets for tenant: {tenant_id}")
-    with get_session_with_tenant(tenant_id=tenant_id) as db_session:
-        results = rotate_encryption_key(db_session, old_key=old_key, dry_run=dry_run)
-
-    if results:
-        for col, count in results.items():
-            print(
-                f"  {col}: {count} row(s) {'would be ' if dry_run else ''}re-encrypted"
-            )
-    else:
-        print("No rows needed re-encryption.")
-
-
-def main() -> None:
-    parser = argparse.ArgumentParser(
-        description="Re-encrypt secrets under the current encryption key."
-    )
-    parser.add_argument(
-        "--old-key",
-        default=None,
-        help="Previous encryption key. Omit or pass empty string if not applicable.",
-    )
-    parser.add_argument(
-        "--dry-run",
-        action="store_true",
-        help="Show what would be re-encrypted without making changes.",
-    )
-
-    tenant_group = parser.add_mutually_exclusive_group()
-    tenant_group.add_argument(
-        "--tenant-id",
-        default=None,
-        help="Target a specific tenant schema.",
-    )
-    tenant_group.add_argument(
-        "--all-tenants",
-        action="store_true",
-        help="Iterate all tenants.",
-    )
-
-    args = parser.parse_args()
-
-    old_key = args.old_key if args.old_key else None
-
-    global_version.set_ee()
-    SqlEngine.init_engine(pool_size=5, max_overflow=2)
-
-    if args.dry_run:
-        print("DRY RUN — no changes will be made")
-
-    if args.all_tenants:
-        tenant_ids = get_all_tenant_ids()
-        print(f"Found {len(tenant_ids)} tenant(s)")
-        failed_tenants: list[str] = []
-        for tid in tenant_ids:
-            try:
-                _run_for_tenant(tid, old_key, dry_run=args.dry_run)
-            except Exception as e:
-                print(f"  ERROR for tenant {tid}: {e}")
-                failed_tenants.append(tid)
-        if failed_tenants:
-            print(f"FAILED tenants ({len(failed_tenants)}): {failed_tenants}")
-            sys.exit(1)
-    else:
-        tenant_id = args.tenant_id or POSTGRES_DEFAULT_SCHEMA
-        _run_for_tenant(tenant_id, old_key, dry_run=args.dry_run)
-
-    print("Done.")
-
-
-if __name__ == "__main__":
-    main()

backend/tests/external_dependency_unit/db/test_credential_sensitive_value.py

@@ -1,90 +0,0 @@
-"""Test that Credential with nested JSON round-trips through SensitiveValue correctly.
-
-Exercises the full encrypt → store → read → decrypt → SensitiveValue path
-with realistic nested OAuth credential data, and verifies SQLAlchemy dirty
-tracking works with nested dict comparison.
-
-Requires a running Postgres instance.
-"""
-
-from sqlalchemy.orm import Session
-
-from onyx.configs.constants import DocumentSource
-from onyx.db.models import Credential
-from onyx.utils.sensitive import SensitiveValue
-
-# NOTE: this is not the real shape of a Drive credential,
-# but it is intended to test nested JSON credential handling
-
-_NESTED_CRED_JSON = {
-    "oauth_tokens": {
-        "access_token": "ya29.abc123",
-        "refresh_token": "1//xEg-def456",
-    },
-    "scopes": ["read", "write", "admin"],
-    "client_config": {
-        "client_id": "123.apps.googleusercontent.com",
-        "client_secret": "GOCSPX-secret",
-    },
-}
-
-
-def test_nested_credential_json_round_trip(db_session: Session) -> None:
-    """Nested OAuth credential survives encrypt → store → read → decrypt."""
-    credential = Credential(
-        source=DocumentSource.GOOGLE_DRIVE,
-        credential_json=_NESTED_CRED_JSON,
-    )
-    db_session.add(credential)
-    db_session.flush()
-
-    # Immediate read (no DB round-trip) — tests the set event wrapping
-    assert isinstance(credential.credential_json, SensitiveValue)
-    assert credential.credential_json.get_value(apply_mask=False) == _NESTED_CRED_JSON
-
-    # DB round-trip — tests process_result_value
-    db_session.expire(credential)
-    reloaded = credential.credential_json
-    assert isinstance(reloaded, SensitiveValue)
-    assert reloaded.get_value(apply_mask=False) == _NESTED_CRED_JSON
-
-    db_session.rollback()
-
-
-def test_reassign_same_nested_json_not_dirty(db_session: Session) -> None:
-    """Re-assigning the same nested dict should not mark the session dirty."""
-    credential = Credential(
-        source=DocumentSource.GOOGLE_DRIVE,
-        credential_json=_NESTED_CRED_JSON,
-    )
-    db_session.add(credential)
-    db_session.flush()
-
-    # Clear dirty state from the insert
-    db_session.expire(credential)
-    _ = credential.credential_json  # force reload
-
-    # Re-assign identical value
-    credential.credential_json = _NESTED_CRED_JSON  # type: ignore[assignment]
-    assert not db_session.is_modified(credential)
-
-    db_session.rollback()
-
-
-def test_assign_different_nested_json_is_dirty(db_session: Session) -> None:
-    """Assigning a different nested dict should mark the session dirty."""
-    credential = Credential(
-        source=DocumentSource.GOOGLE_DRIVE,
-        credential_json=_NESTED_CRED_JSON,
-    )
-    db_session.add(credential)
-    db_session.flush()
-
-    db_session.expire(credential)
-    _ = credential.credential_json  # force reload
-
-    modified_cred = {**_NESTED_CRED_JSON, "scopes": ["read"]}
-    credential.credential_json = modified_cred  # type: ignore[assignment]
-    assert db_session.is_modified(credential)
-
-    db_session.rollback()

backend/tests/external_dependency_unit/db/test_rotate_encryption_key.py

@@ -1,305 +0,0 @@
-"""Tests for rotate_encryption_key against real Postgres.
-
-Uses real ORM models (Credential, InternetSearchProvider) and the actual
-Postgres database. Discovery is mocked in rotation tests to scope mutations
-to only the test rows — the real _discover_encrypted_columns walk is tested
-separately in TestDiscoverEncryptedColumns.
-
-Requires a running Postgres instance. Run with::
-
-    python -m dotenv -f .vscode/.env run -- pytest tests/external_dependency_unit/db/test_rotate_encryption_key.py
-"""
-
-import json
-from collections.abc import Generator
-from unittest.mock import patch
-
-import pytest
-from sqlalchemy import LargeBinary
-from sqlalchemy import select
-from sqlalchemy import text
-from sqlalchemy.orm import Session
-
-from ee.onyx.utils.encryption import _decrypt_bytes
-from ee.onyx.utils.encryption import _encrypt_string
-from ee.onyx.utils.encryption import _get_trimmed_key
-from onyx.configs.constants import DocumentSource
-from onyx.db.models import Credential
-from onyx.db.models import EncryptedJson
-from onyx.db.models import EncryptedString
-from onyx.db.models import InternetSearchProvider
-from onyx.db.rotate_encryption_key import _discover_encrypted_columns
-from onyx.db.rotate_encryption_key import rotate_encryption_key
-from onyx.utils.variable_functionality import fetch_versioned_implementation
-from onyx.utils.variable_functionality import global_version
-
-EE_MODULE = "ee.onyx.utils.encryption"
-ROTATE_MODULE = "onyx.db.rotate_encryption_key"
-
-OLD_KEY = "o" * 16
-NEW_KEY = "n" * 16
-
-
-@pytest.fixture(autouse=True)
-def _enable_ee() -> Generator[None, None, None]:
-    prev = global_version._is_ee
-    global_version.set_ee()
-    fetch_versioned_implementation.cache_clear()
-    yield
-    global_version._is_ee = prev
-    fetch_versioned_implementation.cache_clear()
-
-
-@pytest.fixture(autouse=True)
-def _clear_key_cache() -> None:
-    _get_trimmed_key.cache_clear()
-
-
-def _raw_credential_bytes(db_session: Session, credential_id: int) -> bytes | None:
-    """Read raw bytes from credential_json, bypassing the TypeDecorator."""
-    col = Credential.__table__.c.credential_json
-    stmt = select(col.cast(LargeBinary)).where(
-        Credential.__table__.c.id == credential_id
-    )
-    return db_session.execute(stmt).scalar()
-
-
-def _raw_isp_bytes(db_session: Session, isp_id: int) -> bytes | None:
-    """Read raw bytes from InternetSearchProvider.api_key."""
-    col = InternetSearchProvider.__table__.c.api_key
-    stmt = select(col.cast(LargeBinary)).where(
-        InternetSearchProvider.__table__.c.id == isp_id
-    )
-    return db_session.execute(stmt).scalar()
-
-
-class TestDiscoverEncryptedColumns:
-    """Verify _discover_encrypted_columns finds real production models."""
-
-    def test_discovers_credential_json(self) -> None:
-        results = _discover_encrypted_columns()
-        found = {
-            (model_cls.__tablename__, col_name, is_json)  # type: ignore[attr-defined]
-            for model_cls, col_name, _, is_json in results
-        }
-        assert ("credential", "credential_json", True) in found
-
-    def test_discovers_internet_search_provider_api_key(self) -> None:
-        results = _discover_encrypted_columns()
-        found = {
-            (model_cls.__tablename__, col_name, is_json)  # type: ignore[attr-defined]
-            for model_cls, col_name, _, is_json in results
-        }
-        assert ("internet_search_provider", "api_key", False) in found
-
-    def test_all_encrypted_string_columns_are_not_json(self) -> None:
-        results = _discover_encrypted_columns()
-        for model_cls, col_name, _, is_json in results:
-            col = getattr(model_cls, col_name).property.columns[0]
-            if isinstance(col.type, EncryptedString):
-                assert not is_json, (
-                    f"{model_cls.__tablename__}.{col_name} is EncryptedString "  # type: ignore[attr-defined]
-                    f"but is_json={is_json}"
-                )
-
-    def test_all_encrypted_json_columns_are_json(self) -> None:
-        results = _discover_encrypted_columns()
-        for model_cls, col_name, _, is_json in results:
-            col = getattr(model_cls, col_name).property.columns[0]
-            if isinstance(col.type, EncryptedJson):
-                assert is_json, (
-                    f"{model_cls.__tablename__}.{col_name} is EncryptedJson "  # type: ignore[attr-defined]
-                    f"but is_json={is_json}"
-                )
-
-
-class TestRotateCredential:
-    """Test rotation against the real Credential table (EncryptedJson).
-
-    Discovery is scoped to only the Credential model to avoid mutating
-    other tables in the test database.
-    """
-
-    @pytest.fixture(autouse=True)
-    def _limit_discovery(self) -> Generator[None, None, None]:
-        with patch(
-            f"{ROTATE_MODULE}._discover_encrypted_columns",
-            return_value=[(Credential, "credential_json", ["id"], True)],
-        ):
-            yield
-
-    @pytest.fixture()
-    def credential_id(
-        self, db_session: Session, tenant_context: None  # noqa: ARG002
-    ) -> Generator[int, None, None]:
-        """Insert a Credential row with raw encrypted bytes, clean up after."""
-        config = {"api_key": "sk-test-1234", "endpoint": "https://example.com"}
-        encrypted = _encrypt_string(json.dumps(config), key=OLD_KEY)
-
-        result = db_session.execute(
-            text(
-                "INSERT INTO credential "
-                "(source, credential_json, admin_public, curator_public) "
-                "VALUES (:source, :cred_json, true, false) "
-                "RETURNING id"
-            ),
-            {"source": DocumentSource.INGESTION_API.value, "cred_json": encrypted},
-        )
-        cred_id = result.scalar_one()
-        db_session.commit()
-
-        yield cred_id
-
-        db_session.execute(
-            text("DELETE FROM credential WHERE id = :id"), {"id": cred_id}
-        )
-        db_session.commit()
-
-    def test_rotates_credential_json(
-        self, db_session: Session, credential_id: int
-    ) -> None:
-        with (
-            patch(f"{ROTATE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-            patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-        ):
-            totals = rotate_encryption_key(db_session, old_key=OLD_KEY)
-
-        assert totals.get("credential.credential_json", 0) >= 1
-
-        raw = _raw_credential_bytes(db_session, credential_id)
-        assert raw is not None
-        decrypted = json.loads(_decrypt_bytes(raw, key=NEW_KEY))
-        assert decrypted["api_key"] == "sk-test-1234"
-        assert decrypted["endpoint"] == "https://example.com"
-
-    def test_skips_already_rotated(
-        self, db_session: Session, credential_id: int
-    ) -> None:
-        with (
-            patch(f"{ROTATE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-            patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-        ):
-            rotate_encryption_key(db_session, old_key=OLD_KEY)
-            _ = rotate_encryption_key(db_session, old_key=OLD_KEY)
-
-        raw = _raw_credential_bytes(db_session, credential_id)
-        assert raw is not None
-        decrypted = json.loads(_decrypt_bytes(raw, key=NEW_KEY))
-        assert decrypted["api_key"] == "sk-test-1234"
-
-    def test_dry_run_does_not_modify(
-        self, db_session: Session, credential_id: int
-    ) -> None:
-        original = _raw_credential_bytes(db_session, credential_id)
-
-        with (
-            patch(f"{ROTATE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-            patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-        ):
-            totals = rotate_encryption_key(db_session, old_key=OLD_KEY, dry_run=True)
-
-        assert totals.get("credential.credential_json", 0) >= 1
-
-        raw_after = _raw_credential_bytes(db_session, credential_id)
-        assert raw_after == original
-
-
-class TestRotateInternetSearchProvider:
-    """Test rotation against the real InternetSearchProvider table (EncryptedString).
-
-    Discovery is scoped to only the InternetSearchProvider model to avoid
-    mutating other tables in the test database.
-    """
-
-    @pytest.fixture(autouse=True)
-    def _limit_discovery(self) -> Generator[None, None, None]:
-        with patch(
-            f"{ROTATE_MODULE}._discover_encrypted_columns",
-            return_value=[
-                (InternetSearchProvider, "api_key", ["id"], False),
-            ],
-        ):
-            yield
-
-    @pytest.fixture()
-    def isp_id(
-        self, db_session: Session, tenant_context: None  # noqa: ARG002
-    ) -> Generator[int, None, None]:
-        """Insert an InternetSearchProvider row with raw encrypted bytes."""
-        encrypted = _encrypt_string("sk-secret-api-key", key=OLD_KEY)
-
-        result = db_session.execute(
-            text(
-                "INSERT INTO internet_search_provider "
-                "(name, provider_type, api_key, is_active) "
-                "VALUES (:name, :ptype, :api_key, false) "
-                "RETURNING id"
-            ),
-            {
-                "name": f"test-rotation-{id(self)}",
-                "ptype": "test",
-                "api_key": encrypted,
-            },
-        )
-        isp_id = result.scalar_one()
-        db_session.commit()
-
-        yield isp_id
-
-        db_session.execute(
-            text("DELETE FROM internet_search_provider WHERE id = :id"),
-            {"id": isp_id},
-        )
-        db_session.commit()
-
-    def test_rotates_api_key(self, db_session: Session, isp_id: int) -> None:
-        with (
-            patch(f"{ROTATE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-            patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-        ):
-            totals = rotate_encryption_key(db_session, old_key=OLD_KEY)
-
-        assert totals.get("internet_search_provider.api_key", 0) >= 1
-
-        raw = _raw_isp_bytes(db_session, isp_id)
-        assert raw is not None
-        assert _decrypt_bytes(raw, key=NEW_KEY) == "sk-secret-api-key"
-
-    def test_rotates_from_unencrypted(
-        self, db_session: Session, tenant_context: None  # noqa: ARG002
-    ) -> None:
-        """Test rotating data that was stored without any encryption key."""
-        result = db_session.execute(
-            text(
-                "INSERT INTO internet_search_provider "
-                "(name, provider_type, api_key, is_active) "
-                "VALUES (:name, :ptype, :api_key, false) "
-                "RETURNING id"
-            ),
-            {
-                "name": f"test-raw-{id(self)}",
-                "ptype": "test",
-                "api_key": b"raw-api-key",
-            },
-        )
-        isp_id = result.scalar_one()
-        db_session.commit()
-
-        try:
-            with (
-                patch(f"{ROTATE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-                patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", NEW_KEY),
-            ):
-                totals = rotate_encryption_key(db_session, old_key=None)
-
-            assert totals.get("internet_search_provider.api_key", 0) >= 1
-
-            raw = _raw_isp_bytes(db_session, isp_id)
-            assert raw is not None
-            assert _decrypt_bytes(raw, key=NEW_KEY) == "raw-api-key"
-        finally:
-            db_session.execute(
-                text("DELETE FROM internet_search_provider WHERE id = :id"),
-                {"id": isp_id},
-            )
-            db_session.commit()

backend/tests/external_dependency_unit/llm/test_llm_provider.py

@@ -158,7 +158,7 @@ class TestLLMConfigurationEndpoint:
                     )
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
-                assert exc_info.value.message == error_message
+                assert exc_info.value.detail == error_message
 
         finally:
             db_session.rollback()
@@ -540,7 +540,7 @@ class TestDefaultProviderEndpoint:
                 run_test_default_provider(_=_create_mock_admin())
 
             assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
-            assert "No LLM Provider setup" in exc_info.value.message
+            assert "No LLM Provider setup" in exc_info.value.detail
 
         finally:
             db_session.rollback()
@@ -585,7 +585,7 @@ class TestDefaultProviderEndpoint:
                     run_test_default_provider(_=_create_mock_admin())
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
-                assert exc_info.value.message == error_message
+                assert exc_info.value.detail == error_message
 
         finally:
             db_session.rollback()

backend/tests/external_dependency_unit/llm/test_llm_provider_api_base.py

@@ -111,7 +111,7 @@ class TestLLMProviderChanges:
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
                 assert "cannot be changed without changing the API key" in str(
-                    exc_info.value.message
+                    exc_info.value.detail
                 )
         finally:
             _cleanup_provider(db_session, provider_name)
@@ -247,7 +247,7 @@ class TestLLMProviderChanges:
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
                 assert "cannot be changed without changing the API key" in str(
-                    exc_info.value.message
+                    exc_info.value.detail
                 )
         finally:
             _cleanup_provider(db_session, provider_name)
@@ -350,7 +350,7 @@ class TestLLMProviderChanges:
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
                 assert "cannot be changed without changing the API key" in str(
-                    exc_info.value.message
+                    exc_info.value.detail
                 )
         finally:
             _cleanup_provider(db_session, provider_name)
@@ -386,7 +386,7 @@ class TestLLMProviderChanges:
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
                 assert "cannot be changed without changing the API key" in str(
-                    exc_info.value.message
+                    exc_info.value.detail
                 )
         finally:
             _cleanup_provider(db_session, provider_name)

backend/tests/external_dependency_unit/llm/test_llm_provider_auto_mode.py

@@ -1152,3 +1152,179 @@ class TestAutoModeTransitionsAndResync:
         finally:
             db_session.rollback()
             _cleanup_provider(db_session, provider_name)
+
+    def test_sync_updates_default_when_recommended_default_changes(
+        self,
+        db_session: Session,
+        provider_name: str,
+    ) -> None:
+        """When the provider owns the CHAT default and a sync arrives with a
+        different recommended default model (both models still in config),
+        the global default should be updated to the new recommendation.
+
+        Steps:
+        1. Create auto-mode provider with config v1: default=gpt-4o.
+        2. Set gpt-4o as the global CHAT default.
+        3. Re-sync with config v2: default=gpt-4o-mini (gpt-4o still present).
+        4. Verify the CHAT default switched to gpt-4o-mini and both models
+           remain visible.
+        """
+        config_v1 = _create_mock_llm_recommendations(
+            provider=LlmProviderNames.OPENAI,
+            default_model_name="gpt-4o",
+            additional_models=["gpt-4o-mini"],
+        )
+        config_v2 = _create_mock_llm_recommendations(
+            provider=LlmProviderNames.OPENAI,
+            default_model_name="gpt-4o-mini",
+            additional_models=["gpt-4o"],
+        )
+
+        try:
+            with patch(
+                "onyx.server.manage.llm.api.fetch_llm_recommendations_from_github",
+                return_value=config_v1,
+            ):
+                put_llm_provider(
+                    llm_provider_upsert_request=LLMProviderUpsertRequest(
+                        name=provider_name,
+                        provider=LlmProviderNames.OPENAI,
+                        api_key="sk-test-key-00000000000000000000000000000000000",
+                        api_key_changed=True,
+                        is_auto_mode=True,
+                        model_configurations=[],
+                    ),
+                    is_creation=True,
+                    _=_create_mock_admin(),
+                    db_session=db_session,
+                )
+
+            # Set gpt-4o as the global CHAT default
+            db_session.expire_all()
+            provider = fetch_existing_llm_provider(
+                name=provider_name, db_session=db_session
+            )
+            assert provider is not None
+            update_default_provider(provider.id, "gpt-4o", db_session)
+
+            default_before = fetch_default_llm_model(db_session)
+            assert default_before is not None
+            assert default_before.name == "gpt-4o"
+
+            # Re-sync with config v2 (recommended default changed)
+            db_session.expire_all()
+            provider = fetch_existing_llm_provider(
+                name=provider_name, db_session=db_session
+            )
+            assert provider is not None
+
+            changes = sync_auto_mode_models(
+                db_session=db_session,
+                provider=provider,
+                llm_recommendations=config_v2,
+            )
+            assert changes > 0, "Sync should report changes when default switches"
+
+            # Both models should remain visible
+            db_session.expire_all()
+            provider = fetch_existing_llm_provider(
+                name=provider_name, db_session=db_session
+            )
+            assert provider is not None
+            visibility = {
+                mc.name: mc.is_visible for mc in provider.model_configurations
+            }
+            assert visibility["gpt-4o"] is True
+            assert visibility["gpt-4o-mini"] is True
+
+            # The CHAT default should now be gpt-4o-mini
+            default_after = fetch_default_llm_model(db_session)
+            assert default_after is not None
+            assert (
+                default_after.name == "gpt-4o-mini"
+            ), f"Default should be updated to 'gpt-4o-mini', got '{default_after.name}'"
+
+        finally:
+            db_session.rollback()
+            _cleanup_provider(db_session, provider_name)
+
+    def test_sync_idempotent_when_default_already_matches(
+        self,
+        db_session: Session,
+        provider_name: str,
+    ) -> None:
+        """When the provider owns the CHAT default and it already matches the
+        recommended default, re-syncing should report zero changes.
+
+        This is a regression test for the bug where changes was unconditionally
+        incremented even when the default was already correct.
+        """
+        config = _create_mock_llm_recommendations(
+            provider=LlmProviderNames.OPENAI,
+            default_model_name="gpt-4o",
+            additional_models=["gpt-4o-mini"],
+        )
+
+        try:
+            with patch(
+                "onyx.server.manage.llm.api.fetch_llm_recommendations_from_github",
+                return_value=config,
+            ):
+                put_llm_provider(
+                    llm_provider_upsert_request=LLMProviderUpsertRequest(
+                        name=provider_name,
+                        provider=LlmProviderNames.OPENAI,
+                        api_key="sk-test-key-00000000000000000000000000000000000",
+                        api_key_changed=True,
+                        is_auto_mode=True,
+                        model_configurations=[],
+                    ),
+                    is_creation=True,
+                    _=_create_mock_admin(),
+                    db_session=db_session,
+                )
+
+            # Set gpt-4o (the recommended default) as global CHAT default
+            db_session.expire_all()
+            provider = fetch_existing_llm_provider(
+                name=provider_name, db_session=db_session
+            )
+            assert provider is not None
+            update_default_provider(provider.id, "gpt-4o", db_session)
+
+            # First sync to stabilize state
+            db_session.expire_all()
+            provider = fetch_existing_llm_provider(
+                name=provider_name, db_session=db_session
+            )
+            assert provider is not None
+            sync_auto_mode_models(
+                db_session=db_session,
+                provider=provider,
+                llm_recommendations=config,
+            )
+
+            # Second sync — default already matches, should be a no-op
+            db_session.expire_all()
+            provider = fetch_existing_llm_provider(
+                name=provider_name, db_session=db_session
+            )
+            assert provider is not None
+            changes = sync_auto_mode_models(
+                db_session=db_session,
+                provider=provider,
+                llm_recommendations=config,
+            )
+            assert changes == 0, (
+                f"Expected 0 changes when default already matches recommended, "
+                f"got {changes}"
+            )
+
+            # Default should still be gpt-4o
+            default_model = fetch_default_llm_model(db_session)
+            assert default_model is not None
+            assert default_model.name == "gpt-4o"
+
+        finally:
+            db_session.rollback()
+            _cleanup_provider(db_session, provider_name)

backend/tests/external_dependency_unit/llm/test_llm_provider_default_model_protection.py

@@ -0,0 +1,220 @@
+"""
+This should act as the main point of reference for testing that default model
+logic is consisten.
+
+ -
+"""
+
+from collections.abc import Generator
+from uuid import uuid4
+
+import pytest
+from sqlalchemy.orm import Session
+
+from onyx.db.llm import fetch_existing_llm_provider
+from onyx.db.llm import remove_llm_provider
+from onyx.db.llm import update_default_provider
+from onyx.db.llm import update_default_vision_provider
+from onyx.db.llm import upsert_llm_provider
+from onyx.llm.constants import LlmProviderNames
+from onyx.server.manage.llm.models import LLMProviderUpsertRequest
+from onyx.server.manage.llm.models import LLMProviderView
+from onyx.server.manage.llm.models import ModelConfigurationUpsertRequest
+
+
+def _create_test_provider(
+    db_session: Session,
+    name: str,
+    models: list[ModelConfigurationUpsertRequest] | None = None,
+) -> LLMProviderView:
+    """Helper to create a test LLM provider with multiple models."""
+    if models is None:
+        models = [
+            ModelConfigurationUpsertRequest(
+                name="gpt-4o", is_visible=True, supports_image_input=True
+            ),
+            ModelConfigurationUpsertRequest(
+                name="gpt-4o-mini", is_visible=True, supports_image_input=False
+            ),
+        ]
+    return upsert_llm_provider(
+        LLMProviderUpsertRequest(
+            name=name,
+            provider=LlmProviderNames.OPENAI,
+            api_key="sk-test-key-00000000000000000000000000000000000",
+            api_key_changed=True,
+            model_configurations=models,
+        ),
+        db_session=db_session,
+    )
+
+
+def _cleanup_provider(db_session: Session, name: str) -> None:
+    """Helper to clean up a test provider by name."""
+    provider = fetch_existing_llm_provider(name=name, db_session=db_session)
+    if provider:
+        remove_llm_provider(db_session, provider.id)
+
+
+@pytest.fixture
+def provider_name(db_session: Session) -> Generator[str, None, None]:
+    """Generate a unique provider name for each test, with automatic cleanup."""
+    name = f"test-provider-{uuid4().hex[:8]}"
+    yield name
+    db_session.rollback()
+    _cleanup_provider(db_session, name)
+
+
+class TestDefaultModelProtection:
+    """Tests that the default model cannot be removed or hidden."""
+
+    def test_cannot_remove_default_text_model(
+        self,
+        db_session: Session,
+        provider_name: str,
+    ) -> None:
+        """Removing the default text model from a provider should raise ValueError."""
+        provider = _create_test_provider(db_session, provider_name)
+        update_default_provider(provider.id, "gpt-4o", db_session)
+
+        # Try to update the provider without the default model
+        with pytest.raises(ValueError, match="Cannot remove the default model"):
+            upsert_llm_provider(
+                LLMProviderUpsertRequest(
+                    id=provider.id,
+                    name=provider_name,
+                    provider=LlmProviderNames.OPENAI,
+                    api_key="sk-test-key-00000000000000000000000000000000000",
+                    api_key_changed=True,
+                    model_configurations=[
+                        ModelConfigurationUpsertRequest(
+                            name="gpt-4o-mini", is_visible=True
+                        ),
+                    ],
+                ),
+                db_session=db_session,
+            )
+
+    def test_cannot_hide_default_text_model(
+        self,
+        db_session: Session,
+        provider_name: str,
+    ) -> None:
+        """Setting is_visible=False on the default text model should raise ValueError."""
+        provider = _create_test_provider(db_session, provider_name)
+        update_default_provider(provider.id, "gpt-4o", db_session)
+
+        # Try to hide the default model
+        with pytest.raises(ValueError, match="Cannot hide the default model"):
+            upsert_llm_provider(
+                LLMProviderUpsertRequest(
+                    id=provider.id,
+                    name=provider_name,
+                    provider=LlmProviderNames.OPENAI,
+                    api_key="sk-test-key-00000000000000000000000000000000000",
+                    api_key_changed=True,
+                    model_configurations=[
+                        ModelConfigurationUpsertRequest(
+                            name="gpt-4o", is_visible=False
+                        ),
+                        ModelConfigurationUpsertRequest(
+                            name="gpt-4o-mini", is_visible=True
+                        ),
+                    ],
+                ),
+                db_session=db_session,
+            )
+
+    def test_cannot_remove_default_vision_model(
+        self,
+        db_session: Session,
+        provider_name: str,
+    ) -> None:
+        """Removing the default vision model from a provider should raise ValueError."""
+        provider = _create_test_provider(db_session, provider_name)
+        # Set gpt-4o as both the text and vision default
+        update_default_provider(provider.id, "gpt-4o", db_session)
+        update_default_vision_provider(provider.id, "gpt-4o", db_session)
+
+        # Try to remove the default vision model
+        with pytest.raises(ValueError, match="Cannot remove the default model"):
+            upsert_llm_provider(
+                LLMProviderUpsertRequest(
+                    id=provider.id,
+                    name=provider_name,
+                    provider=LlmProviderNames.OPENAI,
+                    api_key="sk-test-key-00000000000000000000000000000000000",
+                    api_key_changed=True,
+                    model_configurations=[
+                        ModelConfigurationUpsertRequest(
+                            name="gpt-4o-mini", is_visible=True
+                        ),
+                    ],
+                ),
+                db_session=db_session,
+            )
+
+    def test_can_remove_non_default_model(
+        self,
+        db_session: Session,
+        provider_name: str,
+    ) -> None:
+        """Removing a non-default model should succeed."""
+        provider = _create_test_provider(db_session, provider_name)
+        update_default_provider(provider.id, "gpt-4o", db_session)
+
+        # Remove gpt-4o-mini (not default) — should succeed
+        updated = upsert_llm_provider(
+            LLMProviderUpsertRequest(
+                id=provider.id,
+                name=provider_name,
+                provider=LlmProviderNames.OPENAI,
+                api_key="sk-test-key-00000000000000000000000000000000000",
+                api_key_changed=True,
+                model_configurations=[
+                    ModelConfigurationUpsertRequest(
+                        name="gpt-4o", is_visible=True, supports_image_input=True
+                    ),
+                ],
+            ),
+            db_session=db_session,
+        )
+
+        model_names = {mc.name for mc in updated.model_configurations}
+        assert "gpt-4o" in model_names
+        assert "gpt-4o-mini" not in model_names
+
+    def test_can_hide_non_default_model(
+        self,
+        db_session: Session,
+        provider_name: str,
+    ) -> None:
+        """Hiding a non-default model should succeed."""
+        provider = _create_test_provider(db_session, provider_name)
+        update_default_provider(provider.id, "gpt-4o", db_session)
+
+        # Hide gpt-4o-mini (not default) — should succeed
+        updated = upsert_llm_provider(
+            LLMProviderUpsertRequest(
+                id=provider.id,
+                name=provider_name,
+                provider=LlmProviderNames.OPENAI,
+                api_key="sk-test-key-00000000000000000000000000000000000",
+                api_key_changed=True,
+                model_configurations=[
+                    ModelConfigurationUpsertRequest(
+                        name="gpt-4o", is_visible=True, supports_image_input=True
+                    ),
+                    ModelConfigurationUpsertRequest(
+                        name="gpt-4o-mini", is_visible=False
+                    ),
+                ],
+            ),
+            db_session=db_session,
+        )
+
+        model_visibility = {
+            mc.name: mc.is_visible for mc in updated.model_configurations
+        }
+        assert model_visibility["gpt-4o"] is True
+        assert model_visibility["gpt-4o-mini"] is False

backend/tests/external_dependency_unit/slack_bot/test_slack_bot_crud.py

@@ -1,85 +0,0 @@
-"""Tests that SlackBot CRUD operations return properly typed SensitiveValue fields.
-
-Regression test for the bug where insert_slack_bot/update_slack_bot returned
-objects with raw string tokens instead of SensitiveValue wrappers, causing
-'str object has no attribute get_value' errors in SlackBot.from_model().
-"""
-
-from uuid import uuid4
-
-from sqlalchemy.orm import Session
-
-from onyx.db.slack_bot import insert_slack_bot
-from onyx.db.slack_bot import update_slack_bot
-from onyx.server.manage.models import SlackBot
-from onyx.utils.sensitive import SensitiveValue
-
-
-def _unique(prefix: str) -> str:
-    return f"{prefix}-{uuid4().hex[:8]}"
-
-
-def test_insert_slack_bot_returns_sensitive_values(db_session: Session) -> None:
-    bot_token = _unique("xoxb-insert")
-    app_token = _unique("xapp-insert")
-    user_token = _unique("xoxp-insert")
-
-    slack_bot = insert_slack_bot(
-        db_session=db_session,
-        name=_unique("test-bot-insert"),
-        enabled=True,
-        bot_token=bot_token,
-        app_token=app_token,
-        user_token=user_token,
-    )
-
-    assert isinstance(slack_bot.bot_token, SensitiveValue)
-    assert isinstance(slack_bot.app_token, SensitiveValue)
-    assert isinstance(slack_bot.user_token, SensitiveValue)
-
-    assert slack_bot.bot_token.get_value(apply_mask=False) == bot_token
-    assert slack_bot.app_token.get_value(apply_mask=False) == app_token
-    assert slack_bot.user_token.get_value(apply_mask=False) == user_token
-
-    # Verify from_model works without error
-    pydantic_bot = SlackBot.from_model(slack_bot)
-    assert pydantic_bot.bot_token  # masked, but not empty
-    assert pydantic_bot.app_token
-
-
-def test_update_slack_bot_returns_sensitive_values(db_session: Session) -> None:
-    slack_bot = insert_slack_bot(
-        db_session=db_session,
-        name=_unique("test-bot-update"),
-        enabled=True,
-        bot_token=_unique("xoxb-update"),
-        app_token=_unique("xapp-update"),
-    )
-
-    new_bot_token = _unique("xoxb-update-new")
-    new_app_token = _unique("xapp-update-new")
-    new_user_token = _unique("xoxp-update-new")
-
-    updated = update_slack_bot(
-        db_session=db_session,
-        slack_bot_id=slack_bot.id,
-        name=_unique("test-bot-updated"),
-        enabled=False,
-        bot_token=new_bot_token,
-        app_token=new_app_token,
-        user_token=new_user_token,
-    )
-
-    assert isinstance(updated.bot_token, SensitiveValue)
-    assert isinstance(updated.app_token, SensitiveValue)
-    assert isinstance(updated.user_token, SensitiveValue)
-
-    assert updated.bot_token.get_value(apply_mask=False) == new_bot_token
-    assert updated.app_token.get_value(apply_mask=False) == new_app_token
-    assert updated.user_token.get_value(apply_mask=False) == new_user_token
-
-    # Verify from_model works without error
-    pydantic_bot = SlackBot.from_model(updated)
-    assert pydantic_bot.bot_token
-    assert pydantic_bot.app_token
-    assert pydantic_bot.user_token is not None

backend/tests/external_dependency_unit/tools/test_oauth_config_crud.py

@@ -148,16 +148,8 @@ class TestOAuthConfigCRUD:
         )
 
         # Secrets should be preserved
-        assert updated_config.client_id is not None
-        assert original_client_id is not None
-        assert updated_config.client_id.get_value(
-            apply_mask=False
-        ) == original_client_id.get_value(apply_mask=False)
-        assert updated_config.client_secret is not None
-        assert original_client_secret is not None
-        assert updated_config.client_secret.get_value(
-            apply_mask=False
-        ) == original_client_secret.get_value(apply_mask=False)
+        assert updated_config.client_id == original_client_id
+        assert updated_config.client_secret == original_client_secret
         # But name should be updated
         assert updated_config.name == new_name
 
@@ -181,14 +173,9 @@ class TestOAuthConfigCRUD:
         )
 
         # client_id should be cleared (empty string)
-        assert updated_config.client_id is not None
-        assert updated_config.client_id.get_value(apply_mask=False) == ""
+        assert updated_config.client_id == ""
         # client_secret should be preserved
-        assert updated_config.client_secret is not None
-        assert original_client_secret is not None
-        assert updated_config.client_secret.get_value(
-            apply_mask=False
-        ) == original_client_secret.get_value(apply_mask=False)
+        assert updated_config.client_secret == original_client_secret
 
     def test_update_oauth_config_clear_client_secret(self, db_session: Session) -> None:
         """Test clearing client_secret while preserving client_id"""
@@ -203,14 +190,9 @@ class TestOAuthConfigCRUD:
         )
 
         # client_secret should be cleared (empty string)
-        assert updated_config.client_secret is not None
-        assert updated_config.client_secret.get_value(apply_mask=False) == ""
+        assert updated_config.client_secret == ""
         # client_id should be preserved
-        assert updated_config.client_id is not None
-        assert original_client_id is not None
-        assert updated_config.client_id.get_value(
-            apply_mask=False
-        ) == original_client_id.get_value(apply_mask=False)
+        assert updated_config.client_id == original_client_id
 
     def test_update_oauth_config_clear_both_secrets(self, db_session: Session) -> None:
         """Test clearing both client_id and client_secret"""
@@ -225,10 +207,8 @@ class TestOAuthConfigCRUD:
         )
 
         # Both should be cleared (empty strings)
-        assert updated_config.client_id is not None
-        assert updated_config.client_id.get_value(apply_mask=False) == ""
-        assert updated_config.client_secret is not None
-        assert updated_config.client_secret.get_value(apply_mask=False) == ""
+        assert updated_config.client_id == ""
+        assert updated_config.client_secret == ""
 
     def test_update_oauth_config_authorization_url(self, db_session: Session) -> None:
         """Test updating authorization_url"""
@@ -295,8 +275,7 @@ class TestOAuthConfigCRUD:
         assert updated_config.token_url == new_token_url
         assert updated_config.scopes == new_scopes
         assert updated_config.additional_params == new_params
-        assert updated_config.client_id is not None
-        assert updated_config.client_id.get_value(apply_mask=False) == new_client_id
+        assert updated_config.client_id == new_client_id
 
     def test_delete_oauth_config(self, db_session: Session) -> None:
         """Test deleting an OAuth configuration"""
@@ -437,8 +416,7 @@ class TestOAuthUserTokenCRUD:
         assert user_token.id is not None
         assert user_token.oauth_config_id == oauth_config.id
         assert user_token.user_id == user.id
-        assert user_token.token_data is not None
-        assert user_token.token_data.get_value(apply_mask=False) == token_data
+        assert user_token.token_data == token_data
         assert user_token.created_at is not None
         assert user_token.updated_at is not None
 
@@ -468,13 +446,8 @@ class TestOAuthUserTokenCRUD:
 
         # Should be the same token record (updated, not inserted)
         assert updated_token.id == initial_token_id
-        assert updated_token.token_data is not None
-        assert (
-            updated_token.token_data.get_value(apply_mask=False) == updated_token_data
-        )
-        assert (
-            updated_token.token_data.get_value(apply_mask=False) != initial_token_data
-        )
+        assert updated_token.token_data == updated_token_data
+        assert updated_token.token_data != initial_token_data
 
     def test_get_user_oauth_token(self, db_session: Session) -> None:
         """Test retrieving a user's OAuth token"""
@@ -490,8 +463,7 @@ class TestOAuthUserTokenCRUD:
 
         assert retrieved_token is not None
         assert retrieved_token.id == created_token.id
-        assert retrieved_token.token_data is not None
-        assert retrieved_token.token_data.get_value(apply_mask=False) == token_data
+        assert retrieved_token.token_data == token_data
 
     def test_get_user_oauth_token_not_found(self, db_session: Session) -> None:
         """Test retrieving a non-existent user token returns None"""
@@ -547,8 +519,7 @@ class TestOAuthUserTokenCRUD:
         retrieved_token = get_user_oauth_token(oauth_config.id, user.id, db_session)
         assert retrieved_token is not None
         assert retrieved_token.id == updated_token.id
-        assert retrieved_token.token_data is not None
-        assert retrieved_token.token_data.get_value(apply_mask=False) == token_data2
+        assert retrieved_token.token_data == token_data2
 
     def test_cascade_delete_user_tokens_on_config_deletion(
         self, db_session: Session

backend/tests/external_dependency_unit/tools/test_oauth_token_manager.py

@@ -374,14 +374,8 @@ class TestOAuthTokenManagerCodeExchange:
         assert call_args[0][0] == oauth_config.token_url
         assert call_args[1]["data"]["grant_type"] == "authorization_code"
         assert call_args[1]["data"]["code"] == "auth_code_123"
-        assert oauth_config.client_id is not None
-        assert oauth_config.client_secret is not None
-        assert call_args[1]["data"]["client_id"] == oauth_config.client_id.get_value(
-            apply_mask=False
-        )
-        assert call_args[1]["data"][
-            "client_secret"
-        ] == oauth_config.client_secret.get_value(apply_mask=False)
+        assert call_args[1]["data"]["client_id"] == oauth_config.client_id
+        assert call_args[1]["data"]["client_secret"] == oauth_config.client_secret
         assert call_args[1]["data"]["redirect_uri"] == "https://example.com/callback"
 
     @patch("onyx.auth.oauth_token_manager.requests.post")

backend/tests/external_dependency_unit/tools/test_python_tool.py

@@ -950,7 +950,6 @@ from onyx.server.query_and_chat.streaming_models import Packet
 from onyx.server.query_and_chat.streaming_models import PythonToolDelta
 from onyx.server.query_and_chat.streaming_models import PythonToolStart
 from onyx.server.query_and_chat.streaming_models import SectionEnd
-from onyx.server.query_and_chat.streaming_models import ToolCallArgumentDelta
 from onyx.tools.tool_implementations.python.python_tool import PythonTool
 from tests.external_dependency_unit.answer.stream_test_builder import StreamTestBuilder
 from tests.external_dependency_unit.answer.stream_test_utils import create_chat_session
@@ -1292,21 +1291,12 @@ def test_code_interpreter_replay_packets_include_code_and_output(
                     tool_call_id="call_replay_test",
                     tool_call_argument_tokens=[json.dumps({"code": code})],
                 )
-            ).expect(
-                Packet(
-                    placement=create_placement(0),
-                    obj=ToolCallArgumentDelta(
-                        tool_type="python",
-                        argument_deltas={"code": code},
-                    ),
-                ),
-                forward=2,
             ).expect(
                 Packet(
                     placement=create_placement(0),
                     obj=PythonToolStart(code=code),
                 ),
-                forward=False,
+                forward=2,
             ).expect(
                 Packet(
                     placement=create_placement(0),

backend/tests/integration/tests/discord_bot/test_discord_bot_db.py

@@ -64,8 +64,7 @@ class TestBotConfigAPI:
         db_session.commit()
 
         assert config is not None
-        assert config.bot_token is not None
-        assert config.bot_token.get_value(apply_mask=False) == "test_token_123"
+        assert config.bot_token == "test_token_123"
 
         # Cleanup
         delete_discord_bot_config(db_session)

backend/tests/integration/tests/llm_provider/test_llm_provider.py

@@ -427,7 +427,7 @@ def test_delete_default_llm_provider_rejected(reset: None) -> None:  # noqa: ARG
         headers=admin_user.headers,
     )
     assert delete_response.status_code == 400
-    assert "Cannot delete the default LLM provider" in delete_response.json()["message"]
+    assert "Cannot delete the default LLM provider" in delete_response.json()["detail"]
 
     # Verify provider still exists
     provider_data = _get_provider_by_id(admin_user, created_provider["id"])
@@ -674,7 +674,7 @@ def test_duplicate_provider_name_rejected(reset: None) -> None:  # noqa: ARG001
         json=base_payload,
     )
     assert response.status_code == 409
-    assert "already exists" in response.json()["message"]
+    assert "already exists" in response.json()["detail"]
 
 
 def test_rename_provider_rejected(reset: None) -> None:  # noqa: ARG001
@@ -711,7 +711,7 @@ def test_rename_provider_rejected(reset: None) -> None:  # noqa: ARG001
         json=update_payload,
     )
     assert response.status_code == 400
-    assert "not currently supported" in response.json()["message"]
+    assert "not currently supported" in response.json()["detail"]
 
     # Verify no duplicate was created — only the original provider should exist
     provider = _get_provider_by_id(admin_user, provider_id)

backend/tests/integration/tests/llm_provider/test_llm_provider_persona_access.py

@@ -69,7 +69,7 @@ def test_unauthorized_persona_access_returns_403(
 
     # Should return 403 Forbidden
     assert response.status_code == 403
-    assert "don't have access to this assistant" in response.json()["message"]
+    assert "don't have access to this assistant" in response.json()["detail"]
 
 
 def test_authorized_persona_access_returns_filtered_providers(
@@ -245,4 +245,4 @@ def test_nonexistent_persona_returns_404(
 
     # Should return 404
     assert response.status_code == 404
-    assert "Persona not found" in response.json()["message"]
+    assert "Persona not found" in response.json()["detail"]

backend/tests/unit/ee/onyx/server/billing/test_billing_api.py

@@ -107,7 +107,7 @@ class TestCreateCheckoutSession:
 
         assert exc_info.value.status_code == 502
         assert exc_info.value.error_code is OnyxErrorCode.BAD_GATEWAY
-        assert exc_info.value.message == "Stripe error"
+        assert exc_info.value.detail == "Stripe error"
 
 
 class TestCreateCustomerPortalSession:
@@ -137,7 +137,7 @@ class TestCreateCustomerPortalSession:
 
         assert exc_info.value.status_code == 400
         assert exc_info.value.error_code is OnyxErrorCode.VALIDATION_ERROR
-        assert exc_info.value.message == "No license found"
+        assert exc_info.value.detail == "No license found"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.billing.api.create_portal_service")
@@ -243,7 +243,7 @@ class TestUpdateSeats:
 
         assert exc_info.value.status_code == 400
         assert exc_info.value.error_code is OnyxErrorCode.VALIDATION_ERROR
-        assert exc_info.value.message == "No license found"
+        assert exc_info.value.detail == "No license found"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.billing.api.get_used_seats")
@@ -317,7 +317,7 @@ class TestUpdateSeats:
 
         assert exc_info.value.status_code == 400
         assert exc_info.value.error_code is OnyxErrorCode.BAD_GATEWAY
-        assert exc_info.value.message == "Cannot reduce below 10 seats"
+        assert exc_info.value.detail == "Cannot reduce below 10 seats"
 
 
 class TestCircuitBreaker:
@@ -346,7 +346,7 @@ class TestCircuitBreaker:
 
         assert exc_info.value.status_code == 503
         assert exc_info.value.error_code is OnyxErrorCode.SERVICE_UNAVAILABLE
-        assert "Connect to Stripe" in exc_info.value.message
+        assert "Connect to Stripe" in exc_info.value.detail
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.billing.api.MULTI_TENANT", False)

backend/tests/unit/ee/onyx/server/billing/test_billing_service.py

@@ -101,7 +101,7 @@ class TestMakeBillingRequest:
 
         assert exc_info.value.status_code == 400
         assert exc_info.value.error_code is OnyxErrorCode.BAD_GATEWAY
-        assert "Bad request" in exc_info.value.message
+        assert "Bad request" in exc_info.value.detail
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.billing.service._get_headers")
@@ -152,7 +152,7 @@ class TestMakeBillingRequest:
 
         assert exc_info.value.status_code == 502
         assert exc_info.value.error_code is OnyxErrorCode.BAD_GATEWAY
-        assert "Failed to connect" in exc_info.value.message
+        assert "Failed to connect" in exc_info.value.detail
 
 
 class TestCreateCheckoutSession:

backend/tests/unit/ee/onyx/server/tenants/test_billing_api.py

@@ -72,7 +72,7 @@ class TestGetStripePublishableKey:
 
         assert exc_info.value.status_code == 500
         assert exc_info.value.error_code is OnyxErrorCode.INTERNAL_ERROR
-        assert exc_info.value.message == "Invalid Stripe publishable key format"
+        assert exc_info.value.detail == "Invalid Stripe publishable key format"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.tenants.billing_api.STRIPE_PUBLISHABLE_KEY_OVERRIDE", None)
@@ -97,7 +97,7 @@ class TestGetStripePublishableKey:
 
         assert exc_info.value.status_code == 500
         assert exc_info.value.error_code is OnyxErrorCode.INTERNAL_ERROR
-        assert exc_info.value.message == "Invalid Stripe publishable key format"
+        assert exc_info.value.detail == "Invalid Stripe publishable key format"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.tenants.billing_api.STRIPE_PUBLISHABLE_KEY_OVERRIDE", None)
@@ -118,7 +118,7 @@ class TestGetStripePublishableKey:
 
         assert exc_info.value.status_code == 500
         assert exc_info.value.error_code is OnyxErrorCode.INTERNAL_ERROR
-        assert exc_info.value.message == "Failed to fetch Stripe publishable key"
+        assert exc_info.value.detail == "Failed to fetch Stripe publishable key"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.tenants.billing_api.STRIPE_PUBLISHABLE_KEY_OVERRIDE", None)
@@ -132,7 +132,7 @@ class TestGetStripePublishableKey:
 
         assert exc_info.value.status_code == 500
         assert exc_info.value.error_code is OnyxErrorCode.INTERNAL_ERROR
-        assert "not configured" in exc_info.value.message
+        assert "not configured" in exc_info.value.detail
 
     @pytest.mark.asyncio
     @patch(

backend/tests/unit/ee/onyx/utils/test_encryption.py

@@ -1,165 +0,0 @@
-"""Tests for EE AES-CBC encryption/decryption with explicit key support.
-
-With EE mode enabled (via conftest), fetch_versioned_implementation resolves
-to the EE implementations, so no patching of the MIT layer is needed.
-"""
-
-from unittest.mock import patch
-
-import pytest
-
-from ee.onyx.utils.encryption import _decrypt_bytes
-from ee.onyx.utils.encryption import _encrypt_string
-from ee.onyx.utils.encryption import _get_trimmed_key
-from ee.onyx.utils.encryption import decrypt_bytes_to_string
-from ee.onyx.utils.encryption import encrypt_string_to_bytes
-
-EE_MODULE = "ee.onyx.utils.encryption"
-
-# Keys must be exactly 16, 24, or 32 bytes for AES
-KEY_16 = "a" * 16
-KEY_16_ALT = "b" * 16
-KEY_24 = "d" * 24
-KEY_32 = "c" * 32
-
-
-@pytest.fixture(autouse=True)
-def _clear_key_cache() -> None:
-    _get_trimmed_key.cache_clear()
-
-
-class TestEncryptDecryptRoundTrip:
-    def test_roundtrip_with_env_key(self) -> None:
-        with patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", KEY_16):
-            encrypted = _encrypt_string("hello world")
-            assert encrypted != b"hello world"
-            assert _decrypt_bytes(encrypted) == "hello world"
-
-    def test_roundtrip_with_explicit_key(self) -> None:
-        encrypted = _encrypt_string("secret data", key=KEY_32)
-        assert encrypted != b"secret data"
-        assert _decrypt_bytes(encrypted, key=KEY_32) == "secret data"
-
-    def test_roundtrip_no_key(self) -> None:
-        """Without any key, data is raw-encoded (no encryption)."""
-        with patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", ""):
-            encrypted = _encrypt_string("plain text")
-            assert encrypted == b"plain text"
-            assert _decrypt_bytes(encrypted) == "plain text"
-
-    def test_explicit_key_overrides_env(self) -> None:
-        with patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", KEY_16):
-            encrypted = _encrypt_string("data", key=KEY_16_ALT)
-            with pytest.raises(ValueError):
-                _decrypt_bytes(encrypted, key=KEY_16)
-            assert _decrypt_bytes(encrypted, key=KEY_16_ALT) == "data"
-
-    def test_different_encryptions_produce_different_bytes(self) -> None:
-        """Each encryption uses a random IV, so results differ."""
-        a = _encrypt_string("same", key=KEY_16)
-        b = _encrypt_string("same", key=KEY_16)
-        assert a != b
-
-    def test_roundtrip_empty_string(self) -> None:
-        encrypted = _encrypt_string("", key=KEY_16)
-        assert encrypted != b""
-        assert _decrypt_bytes(encrypted, key=KEY_16) == ""
-
-    def test_roundtrip_unicode(self) -> None:
-        text = "日本語テスト 🔐 émojis"
-        encrypted = _encrypt_string(text, key=KEY_16)
-        assert _decrypt_bytes(encrypted, key=KEY_16) == text
-
-
-class TestDecryptFallbackBehavior:
-    def test_wrong_env_key_falls_back_to_raw_decode(self) -> None:
-        """Default key path: AES fails on non-AES data → fallback to raw decode."""
-        raw = "readable text".encode()
-        with patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", KEY_16):
-            assert _decrypt_bytes(raw) == "readable text"
-
-    def test_explicit_wrong_key_raises(self) -> None:
-        """Explicit key path: AES fails → raises, no fallback."""
-        encrypted = _encrypt_string("secret", key=KEY_16)
-        with pytest.raises(ValueError):
-            _decrypt_bytes(encrypted, key=KEY_16_ALT)
-
-    def test_explicit_none_key_with_no_env(self) -> None:
-        """key=None with empty env → raw decode."""
-        with patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", ""):
-            assert _decrypt_bytes(b"hello", key=None) == "hello"
-
-    def test_explicit_empty_string_key(self) -> None:
-        """key='' means no encryption."""
-        encrypted = _encrypt_string("test", key="")
-        assert encrypted == b"test"
-        assert _decrypt_bytes(encrypted, key="") == "test"
-
-
-class TestKeyValidation:
-    def test_key_too_short_raises(self) -> None:
-        with pytest.raises(RuntimeError, match="too short"):
-            _encrypt_string("data", key="short")
-
-    def test_16_byte_key(self) -> None:
-        encrypted = _encrypt_string("data", key=KEY_16)
-        assert _decrypt_bytes(encrypted, key=KEY_16) == "data"
-
-    def test_24_byte_key(self) -> None:
-        encrypted = _encrypt_string("data", key=KEY_24)
-        assert _decrypt_bytes(encrypted, key=KEY_24) == "data"
-
-    def test_32_byte_key(self) -> None:
-        encrypted = _encrypt_string("data", key=KEY_32)
-        assert _decrypt_bytes(encrypted, key=KEY_32) == "data"
-
-    def test_long_key_truncated_to_32(self) -> None:
-        """Keys longer than 32 bytes are truncated to 32."""
-        long_key = "e" * 64
-        encrypted = _encrypt_string("data", key=long_key)
-        assert _decrypt_bytes(encrypted, key=long_key) == "data"
-
-    def test_20_byte_key_trimmed_to_16(self) -> None:
-        """A 20-byte key is trimmed to the largest valid AES size that fits (16)."""
-        key_20 = "f" * 20
-        encrypted = _encrypt_string("data", key=key_20)
-        assert _decrypt_bytes(encrypted, key=key_20) == "data"
-
-        # Verify it was trimmed to 16 by checking that the first 16 bytes
-        # of the key can also decrypt it
-        key_16_same_prefix = "f" * 16
-        assert _decrypt_bytes(encrypted, key=key_16_same_prefix) == "data"
-
-    def test_25_byte_key_trimmed_to_24(self) -> None:
-        """A 25-byte key is trimmed to the largest valid AES size that fits (24)."""
-        key_25 = "g" * 25
-        encrypted = _encrypt_string("data", key=key_25)
-        assert _decrypt_bytes(encrypted, key=key_25) == "data"
-
-        key_24_same_prefix = "g" * 24
-        assert _decrypt_bytes(encrypted, key=key_24_same_prefix) == "data"
-
-    def test_30_byte_key_trimmed_to_24(self) -> None:
-        """A 30-byte key is trimmed to the largest valid AES size that fits (24)."""
-        key_30 = "h" * 30
-        encrypted = _encrypt_string("data", key=key_30)
-        assert _decrypt_bytes(encrypted, key=key_30) == "data"
-
-        key_24_same_prefix = "h" * 24
-        assert _decrypt_bytes(encrypted, key=key_24_same_prefix) == "data"
-
-
-class TestWrapperFunctions:
-    """Test encrypt_string_to_bytes / decrypt_bytes_to_string pass key through.
-
-    With EE mode enabled, the wrappers resolve to EE implementations automatically.
-    """
-
-    def test_wrapper_passes_key(self) -> None:
-        encrypted = encrypt_string_to_bytes("payload", key=KEY_16)
-        assert decrypt_bytes_to_string(encrypted, key=KEY_16) == "payload"
-
-    def test_wrapper_no_key_uses_env(self) -> None:
-        with patch(f"{EE_MODULE}.ENCRYPTION_KEY_SECRET", KEY_32):
-            encrypted = encrypt_string_to_bytes("payload")
-            assert decrypt_bytes_to_string(encrypted) == "payload"

backend/tests/unit/onyx/chat/test_argument_delta_streaming.py

@@ -1,630 +0,0 @@
-from typing import Any
-from unittest.mock import MagicMock
-from unittest.mock import patch
-
-from onyx.chat.tool_call_args_streaming import maybe_emit_argument_delta
-from onyx.server.query_and_chat.placement import Placement
-from onyx.server.query_and_chat.streaming_models import ToolCallArgumentDelta
-from onyx.utils.jsonriver import Parser
-
-
-def _make_tool_call_delta(
-    index: int = 0,
-    name: str | None = None,
-    arguments: str | None = None,
-    function_is_none: bool = False,
-) -> MagicMock:
-    """Create a mock tool_call_delta matching the LiteLLM streaming shape."""
-    delta = MagicMock()
-    delta.index = index
-    if function_is_none:
-        delta.function = None
-    else:
-        delta.function = MagicMock()
-        delta.function.name = name
-        delta.function.arguments = arguments
-    return delta
-
-
-def _make_placement() -> Placement:
-    return Placement(turn_index=0, tab_index=0)
-
-
-def _mock_tool_class(emit: bool = True) -> MagicMock:
-    cls = MagicMock()
-    cls.should_emit_argument_deltas.return_value = emit
-    return cls
-
-
-def _collect(
-    tc_map: dict[int, dict[str, Any]],
-    delta: MagicMock,
-    placement: Placement | None = None,
-    parsers: dict[int, Parser] | None = None,
-) -> list[Any]:
-    """Run maybe_emit_argument_delta and return the yielded packets."""
-    return list(
-        maybe_emit_argument_delta(
-            tc_map,
-            delta,
-            placement or _make_placement(),
-            parsers if parsers is not None else {},
-        )
-    )
-
-
-def _stream_fragments(
-    fragments: list[str],
-    tc_map: dict[int, dict[str, Any]],
-    placement: Placement | None = None,
-) -> list[str]:
-    """Feed fragments into maybe_emit_argument_delta one by one, returning
-    all emitted content values concatenated per-key as a flat list."""
-    pl = placement or _make_placement()
-    parsers: dict[int, Parser] = {}
-    emitted: list[str] = []
-    for frag in fragments:
-        tc_map[0]["arguments"] += frag
-        delta = _make_tool_call_delta(arguments=frag)
-        for packet in maybe_emit_argument_delta(tc_map, delta, pl, parsers=parsers):
-            obj = packet.obj
-            assert isinstance(obj, ToolCallArgumentDelta)
-            for value in obj.argument_deltas.values():
-                emitted.append(value)
-    return emitted
-
-
-class TestMaybeEmitArgumentDeltaGuards:
-    """Tests for conditions that cause no packet to be emitted."""
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_no_emission_when_tool_does_not_opt_in(
-        self, mock_get_tool: MagicMock
-    ) -> None:
-        """Tools that return False from should_emit_argument_deltas emit nothing."""
-        mock_get_tool.return_value = _mock_tool_class(emit=False)
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": '{"code": "x'}
-        }
-        assert _collect(tc_map, _make_tool_call_delta(arguments="x")) == []
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_no_emission_when_tool_class_unknown(
-        self, mock_get_tool: MagicMock
-    ) -> None:
-        mock_get_tool.return_value = None
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "unknown", "arguments": '{"code": "x'}
-        }
-        assert _collect(tc_map, _make_tool_call_delta(arguments="x")) == []
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_no_emission_when_no_argument_fragment(
-        self, mock_get_tool: MagicMock
-    ) -> None:
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": '{"code": "x'}
-        }
-        assert _collect(tc_map, _make_tool_call_delta(arguments=None)) == []
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_no_emission_when_key_value_not_started(
-        self, mock_get_tool: MagicMock
-    ) -> None:
-        """Key exists in JSON but its string value hasn't begun yet."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": '{"code":'}
-        }
-        assert _collect(tc_map, _make_tool_call_delta(arguments=":")) == []
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_no_emission_before_any_key(self, mock_get_tool: MagicMock) -> None:
-        """Only the opening brace has arrived — no key to stream yet."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": "{"}
-        }
-        assert _collect(tc_map, _make_tool_call_delta(arguments="{")) == []
-
-
-class TestMaybeEmitArgumentDeltaBasic:
-    """Tests for correct packet content and incremental emission."""
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_emits_packet_with_correct_fields(self, mock_get_tool: MagicMock) -> None:
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = ['{"code": "', "print(1)", '"}']
-
-        pl = _make_placement()
-        parsers: dict[int, Parser] = {}
-        all_packets = []
-        for frag in fragments:
-            tc_map[0]["arguments"] += frag
-            packets = _collect(
-                tc_map, _make_tool_call_delta(arguments=frag), pl, parsers
-            )
-            all_packets.extend(packets)
-
-        assert len(all_packets) >= 1
-        # Verify packet structure
-        obj = all_packets[0].obj
-        assert isinstance(obj, ToolCallArgumentDelta)
-        assert obj.tool_type == "python"
-        # All emitted content should reconstruct the value
-        full_code = ""
-        for p in all_packets:
-            assert isinstance(p.obj, ToolCallArgumentDelta)
-            if "code" in p.obj.argument_deltas:
-                full_code += p.obj.argument_deltas["code"]
-        assert full_code == "print(1)"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_emits_only_new_content_on_subsequent_call(
-        self, mock_get_tool: MagicMock
-    ) -> None:
-        """After a first emission, subsequent calls emit only the diff."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        parsers: dict[int, Parser] = {}
-        pl = _make_placement()
-
-        # First fragment opens the string
-        tc_map[0]["arguments"] = '{"code": "abc'
-        packets_1 = _collect(
-            tc_map, _make_tool_call_delta(arguments='{"code": "abc'), pl, parsers
-        )
-        code_1 = ""
-        for p in packets_1:
-            assert isinstance(p.obj, ToolCallArgumentDelta)
-            code_1 += p.obj.argument_deltas.get("code", "")
-        assert code_1 == "abc"
-
-        # Second fragment appends more
-        tc_map[0]["arguments"] = '{"code": "abcdef'
-        packets_2 = _collect(
-            tc_map, _make_tool_call_delta(arguments="def"), pl, parsers
-        )
-        code_2 = ""
-        for p in packets_2:
-            assert isinstance(p.obj, ToolCallArgumentDelta)
-            code_2 += p.obj.argument_deltas.get("code", "")
-        assert code_2 == "def"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_handles_multiple_keys_sequentially(self, mock_get_tool: MagicMock) -> None:
-        """When a second key starts, emissions switch to that key."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = [
-            '{"code": "x',
-            '", "output": "hello',
-            '"}',
-        ]
-
-        emitted = _stream_fragments(fragments, tc_map)
-        full = "".join(emitted)
-        assert "x" in full
-        assert "hello" in full
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_delta_spans_key_boundary(self, mock_get_tool: MagicMock) -> None:
-        """A single delta contains the end of one value and the start of the next key."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = [
-            '{"code": "x',
-            'y", "lang": "py',
-            '"}',
-        ]
-
-        emitted = _stream_fragments(fragments, tc_map)
-        full = "".join(emitted)
-        assert "xy" in full
-        assert "py" in full
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_empty_value_emits_nothing(self, mock_get_tool: MagicMock) -> None:
-        """An empty string value has nothing to emit."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        # Opening quote just arrived, value is empty
-        tc_map[0]["arguments"] = '{"code": "'
-        packets = _collect(tc_map, _make_tool_call_delta(arguments='{"code": "'))
-        # No string content yet, so either no packet or empty deltas
-        for p in packets:
-            assert isinstance(p.obj, ToolCallArgumentDelta)
-            assert p.obj.argument_deltas.get("code", "") == ""
-
-
-class TestMaybeEmitArgumentDeltaDecoding:
-    """Tests verifying that JSON escape sequences are properly decoded."""
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_decodes_newlines(self, mock_get_tool: MagicMock) -> None:
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = ['{"code": "line1\\nline2"}']
-
-        emitted = _stream_fragments(fragments, tc_map)
-        assert "".join(emitted) == "line1\nline2"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_decodes_tabs(self, mock_get_tool: MagicMock) -> None:
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = ['{"code": "\\tindented"}']
-
-        emitted = _stream_fragments(fragments, tc_map)
-        assert "".join(emitted) == "\tindented"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_decodes_escaped_quotes(self, mock_get_tool: MagicMock) -> None:
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = ['{"code": "say \\"hi\\""}']
-
-        emitted = _stream_fragments(fragments, tc_map)
-        assert "".join(emitted) == 'say "hi"'
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_decodes_escaped_backslashes(self, mock_get_tool: MagicMock) -> None:
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = ['{"code": "path\\\\dir"}']
-
-        emitted = _stream_fragments(fragments, tc_map)
-        assert "".join(emitted) == "path\\dir"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_decodes_unicode_escape(self, mock_get_tool: MagicMock) -> None:
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = ['{"code": "\\u0041"}']
-
-        emitted = _stream_fragments(fragments, tc_map)
-        assert "".join(emitted) == "A"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_incomplete_escape_at_end_decoded_on_next_chunk(
-        self, mock_get_tool: MagicMock
-    ) -> None:
-        """A trailing backslash (incomplete escape) is completed in the next chunk."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = ['{"code": "hello\\', 'n"}']
-
-        emitted = _stream_fragments(fragments, tc_map)
-        assert "".join(emitted) == "hello\n"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_incomplete_unicode_escape_completed_on_next_chunk(
-        self, mock_get_tool: MagicMock
-    ) -> None:
-        """A partial \\uXX sequence is completed in the next chunk."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = ['{"code": "hello\\u00', '41"}']
-
-        emitted = _stream_fragments(fragments, tc_map)
-        assert "".join(emitted) == "helloA"
-
-
-class TestArgumentDeltaStreamingE2E:
-    """Simulates realistic sequences of LLM argument deltas to verify
-    the full pipeline produces correct decoded output."""
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_realistic_python_code_streaming(self, mock_get_tool: MagicMock) -> None:
-        """Streams: {"code": "print('hello')\\nprint('world')"}"""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = [
-            '{"',
-            "code",
-            '": "',
-            "print(",
-            "'hello')",
-            "\\n",
-            "print(",
-            "'world')",
-            '"}',
-        ]
-
-        full = "".join(_stream_fragments(fragments, tc_map))
-        assert full == "print('hello')\nprint('world')"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_streaming_with_tabs_and_newlines(self, mock_get_tool: MagicMock) -> None:
-        """Streams code with tabs and newlines."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = [
-            '{"code": "',
-            "if True:",
-            "\\n",
-            "\\t",
-            "pass",
-            '"}',
-        ]
-
-        full = "".join(_stream_fragments(fragments, tc_map))
-        assert full == "if True:\n\tpass"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_split_escape_sequence(self, mock_get_tool: MagicMock) -> None:
-        """An escape sequence split across two fragments (backslash in one,
-        'n' in the next) should still decode correctly."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = [
-            '{"code": "hello',
-            "\\",
-            "n",
-            'world"}',
-        ]
-
-        full = "".join(_stream_fragments(fragments, tc_map))
-        assert full == "hello\nworld"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_multiple_newlines_and_indentation(self, mock_get_tool: MagicMock) -> None:
-        """Streams a multi-line function with multiple escape sequences."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = [
-            '{"code": "',
-            "def foo():",
-            "\\n",
-            "\\t",
-            "x = 1",
-            "\\n",
-            "\\t",
-            "return x",
-            '"}',
-        ]
-
-        full = "".join(_stream_fragments(fragments, tc_map))
-        assert full == "def foo():\n\tx = 1\n\treturn x"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_two_keys_streamed_sequentially(self, mock_get_tool: MagicMock) -> None:
-        """Streams code first, then a second key (language) — both decoded."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = [
-            '{"code": "',
-            "x = 1",
-            '", "language": "',
-            "python",
-            '"}',
-        ]
-
-        emitted = _stream_fragments(fragments, tc_map)
-        # Should have emissions for both keys
-        full = "".join(emitted)
-        assert "x = 1" in full
-        assert "python" in full
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_code_containing_dict_literal(self, mock_get_tool: MagicMock) -> None:
-        """Python code like `x = {"key": "val"}` contains JSON-like patterns.
-        The escaped quotes inside the *outer* JSON value should prevent the
-        inner `"key":` from being mistaken for a top-level JSON key."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        # The LLM sends: {"code": "x = {\"key\": \"val\"}"}
-        # The inner quotes are escaped as \" in the JSON value.
-        fragments = [
-            '{"code": "',
-            "x = {",
-            '\\"key\\"',
-            ": ",
-            '\\"val\\"',
-            "}",
-            '"}',
-        ]
-
-        full = "".join(_stream_fragments(fragments, tc_map))
-        assert full == 'x = {"key": "val"}'
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_code_with_colon_in_value(self, mock_get_tool: MagicMock) -> None:
-        """Colons inside the string value should not confuse key detection."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = [
-            '{"code": "',
-            "url = ",
-            '\\"https://example.com\\"',
-            '"}',
-        ]
-
-        full = "".join(_stream_fragments(fragments, tc_map))
-        assert full == 'url = "https://example.com"'
-
-
-class TestMaybeEmitArgumentDeltaEdgeCases:
-    """Edge cases not covered by the standard test classes."""
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_no_emission_when_function_is_none(self, mock_get_tool: MagicMock) -> None:
-        """Some delta chunks have function=None (e.g. role-only deltas)."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": '{"code": "x'}
-        }
-        delta = _make_tool_call_delta(arguments=None, function_is_none=True)
-        assert _collect(tc_map, delta) == []
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_multiple_concurrent_tool_calls(self, mock_get_tool: MagicMock) -> None:
-        """Two tool calls streaming at different indices in parallel."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""},
-            1: {"id": "tc_2", "name": "python", "arguments": ""},
-        }
-
-        parsers: dict[int, Parser] = {}
-        pl = _make_placement()
-
-        # Feed full JSON to index 0
-        tc_map[0]["arguments"] = '{"code": "aaa"}'
-        packets_0 = _collect(
-            tc_map,
-            _make_tool_call_delta(index=0, arguments='{"code": "aaa"}'),
-            pl,
-            parsers,
-        )
-        code_0 = ""
-        for p in packets_0:
-            assert isinstance(p.obj, ToolCallArgumentDelta)
-            code_0 += p.obj.argument_deltas.get("code", "")
-        assert code_0 == "aaa"
-
-        # Feed full JSON to index 1
-        tc_map[1]["arguments"] = '{"code": "bbb"}'
-        packets_1 = _collect(
-            tc_map,
-            _make_tool_call_delta(index=1, arguments='{"code": "bbb"}'),
-            pl,
-            parsers,
-        )
-        code_1 = ""
-        for p in packets_1:
-            assert isinstance(p.obj, ToolCallArgumentDelta)
-            code_1 += p.obj.argument_deltas.get("code", "")
-        assert code_1 == "bbb"
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_delta_with_four_arguments(self, mock_get_tool: MagicMock) -> None:
-        """A single delta contains four complete key-value pairs."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        full = '{"a": "one", "b": "two", "c": "three", "d": "four"}'
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        tc_map[0]["arguments"] = full
-        parsers: dict[int, Parser] = {}
-        packets = _collect(
-            tc_map, _make_tool_call_delta(arguments=full), parsers=parsers
-        )
-
-        # Collect all argument deltas across packets
-        all_deltas: dict[str, str] = {}
-        for p in packets:
-            assert isinstance(p.obj, ToolCallArgumentDelta)
-            for k, v in p.obj.argument_deltas.items():
-                all_deltas[k] = all_deltas.get(k, "") + v
-
-        assert all_deltas == {
-            "a": "one",
-            "b": "two",
-            "c": "three",
-            "d": "four",
-        }
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_delta_on_second_arg_after_first_complete(
-        self, mock_get_tool: MagicMock
-    ) -> None:
-        """First argument is fully complete; delta only adds to the second."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-
-        fragments = [
-            '{"code": "print(1)", "lang": "py',
-            '"}',
-        ]
-
-        emitted = _stream_fragments(fragments, tc_map)
-        full = "".join(emitted)
-        assert "print(1)" in full
-        assert "py" in full
-
-    @patch("onyx.chat.tool_call_args_streaming._get_tool_class")
-    def test_non_string_values_skipped(self, mock_get_tool: MagicMock) -> None:
-        """Non-string values (numbers, booleans, null) are skipped — they are
-        available in the final tool-call kickoff packet. String arguments
-        following them are still emitted."""
-        mock_get_tool.return_value = _mock_tool_class()
-
-        tc_map: dict[int, dict[str, Any]] = {
-            0: {"id": "tc_1", "name": "python", "arguments": ""}
-        }
-        fragments = ['{"timeout": 30, "code": "hello"}']
-
-        emitted = _stream_fragments(fragments, tc_map)
-        full = "".join(emitted)
-        assert full == "hello"

backend/tests/unit/onyx/db/test_llm_sync.py

@@ -7,6 +7,7 @@ import pytest
 
 from onyx.db.llm import sync_model_configurations
 from onyx.llm.constants import LlmProviderNames
+from onyx.server.manage.llm.models import SyncModelEntry
 
 
 class TestSyncModelConfigurations:
@@ -25,18 +26,18 @@ class TestSyncModelConfigurations:
             "onyx.db.llm.fetch_existing_llm_provider", return_value=mock_provider
         ):
             models = [
-                {
-                    "name": "gpt-4",
-                    "display_name": "GPT-4",
-                    "max_input_tokens": 128000,
-                    "supports_image_input": True,
-                },
-                {
-                    "name": "gpt-4o",
-                    "display_name": "GPT-4o",
-                    "max_input_tokens": 128000,
-                    "supports_image_input": True,
-                },
+                SyncModelEntry(
+                    name="gpt-4",
+                    display_name="GPT-4",
+                    max_input_tokens=128000,
+                    supports_image_input=True,
+                ),
+                SyncModelEntry(
+                    name="gpt-4o",
+                    display_name="GPT-4o",
+                    max_input_tokens=128000,
+                    supports_image_input=True,
+                ),
             ]
 
             result = sync_model_configurations(
@@ -67,18 +68,18 @@ class TestSyncModelConfigurations:
             "onyx.db.llm.fetch_existing_llm_provider", return_value=mock_provider
         ):
             models = [
-                {
-                    "name": "gpt-4",  # Existing - should be skipped
-                    "display_name": "GPT-4",
-                    "max_input_tokens": 128000,
-                    "supports_image_input": True,
-                },
-                {
-                    "name": "gpt-4o",  # New - should be inserted
-                    "display_name": "GPT-4o",
-                    "max_input_tokens": 128000,
-                    "supports_image_input": True,
-                },
+                SyncModelEntry(
+                    name="gpt-4",  # Existing - should be skipped
+                    display_name="GPT-4",
+                    max_input_tokens=128000,
+                    supports_image_input=True,
+                ),
+                SyncModelEntry(
+                    name="gpt-4o",  # New - should be inserted
+                    display_name="GPT-4o",
+                    max_input_tokens=128000,
+                    supports_image_input=True,
+                ),
             ]
 
             result = sync_model_configurations(
@@ -105,12 +106,12 @@ class TestSyncModelConfigurations:
             "onyx.db.llm.fetch_existing_llm_provider", return_value=mock_provider
         ):
             models = [
-                {
-                    "name": "gpt-4",  # Already exists
-                    "display_name": "GPT-4",
-                    "max_input_tokens": 128000,
-                    "supports_image_input": True,
-                },
+                SyncModelEntry(
+                    name="gpt-4",  # Already exists
+                    display_name="GPT-4",
+                    max_input_tokens=128000,
+                    supports_image_input=True,
+                ),
             ]
 
             result = sync_model_configurations(
@@ -131,7 +132,7 @@ class TestSyncModelConfigurations:
                 sync_model_configurations(
                     db_session=mock_session,
                     provider_name="nonexistent",
-                    models=[{"name": "model", "display_name": "Model"}],
+                    models=[SyncModelEntry(name="model", display_name="Model")],
                 )
 
     def test_handles_missing_optional_fields(self) -> None:
@@ -145,12 +146,12 @@ class TestSyncModelConfigurations:
         with patch(
             "onyx.db.llm.fetch_existing_llm_provider", return_value=mock_provider
         ):
-            # Model with only required fields
+            # Model with only required fields (max_input_tokens and supports_image_input default)
             models = [
-                {
-                    "name": "model-1",
-                    # No display_name, max_input_tokens, or supports_image_input
-                },
+                SyncModelEntry(
+                    name="model-1",
+                    display_name="Model 1",
+                ),
             ]
 
             result = sync_model_configurations(

backend/tests/unit/onyx/error_handling/test_exceptions.py

@@ -15,12 +15,12 @@ class TestOnyxError:
     def test_basic_construction(self) -> None:
         err = OnyxError(OnyxErrorCode.NOT_FOUND, "Session not found")
         assert err.error_code is OnyxErrorCode.NOT_FOUND
-        assert err.message == "Session not found"
+        assert err.detail == "Session not found"
         assert err.status_code == 404
 
     def test_message_defaults_to_code(self) -> None:
         err = OnyxError(OnyxErrorCode.UNAUTHENTICATED)
-        assert err.message == "UNAUTHENTICATED"
+        assert err.detail == "UNAUTHENTICATED"
         assert str(err) == "UNAUTHENTICATED"
 
     def test_status_code_override(self) -> None:
@@ -73,18 +73,18 @@ class TestExceptionHandler:
         assert resp.status_code == 404
         body = resp.json()
         assert body["error_code"] == "NOT_FOUND"
-        assert body["message"] == "Thing not found"
+        assert body["detail"] == "Thing not found"
 
     def test_status_code_override_in_response(self, client: TestClient) -> None:
         resp = client.get("/boom-override")
         assert resp.status_code == 503
         body = resp.json()
         assert body["error_code"] == "BAD_GATEWAY"
-        assert body["message"] == "upstream 503"
+        assert body["detail"] == "upstream 503"
 
     def test_default_message(self, client: TestClient) -> None:
         resp = client.get("/boom-default-msg")
         assert resp.status_code == 401
         body = resp.json()
         assert body["error_code"] == "UNAUTHENTICATED"
-        assert body["message"] == "UNAUTHENTICATED"
+        assert body["detail"] == "UNAUTHENTICATED"

backend/tests/unit/onyx/llm/test_true_openai_model.py

@@ -26,14 +26,6 @@ class TestIsTrueOpenAIModel:
         """Test that real OpenAI GPT-4o-mini model is correctly identified."""
         assert is_true_openai_model(LlmProviderNames.OPENAI, "gpt-4o-mini") is True
 
-    def test_real_openai_o1_preview(self) -> None:
-        """Test that real OpenAI o1-preview reasoning model is correctly identified."""
-        assert is_true_openai_model(LlmProviderNames.OPENAI, "o1-preview") is True
-
-    def test_real_openai_o1_mini(self) -> None:
-        """Test that real OpenAI o1-mini reasoning model is correctly identified."""
-        assert is_true_openai_model(LlmProviderNames.OPENAI, "o1-mini") is True
-
     def test_openai_with_provider_prefix(self) -> None:
         """Test that OpenAI model with provider prefix is correctly identified."""
         assert is_true_openai_model(LlmProviderNames.OPENAI, "openai/gpt-4") is False

backend/tests/unit/onyx/server/manage/llm/test_fetch_models_api.py

@@ -1,15 +1,19 @@
 """Tests for LLM model fetch endpoints.
 
 These tests verify the full request/response flow for fetching models
-from dynamic providers (Ollama, OpenRouter), including the
+from dynamic providers (Ollama, OpenRouter, Litellm), including the
 sync-to-DB behavior when provider_name is specified.
 """
 
 from unittest.mock import MagicMock
 from unittest.mock import patch
 
+import httpx
 import pytest
 
+from onyx.error_handling.exceptions import OnyxError
+from onyx.server.manage.llm.models import LitellmFinalModelResponse
+from onyx.server.manage.llm.models import LitellmModelsRequest
 from onyx.server.manage.llm.models import LMStudioFinalModelResponse
 from onyx.server.manage.llm.models import LMStudioModelsRequest
 from onyx.server.manage.llm.models import OllamaFinalModelResponse
@@ -614,3 +618,283 @@ class TestGetLMStudioAvailableModels:
             request = LMStudioModelsRequest(api_base="http://localhost:1234")
             with pytest.raises(OnyxError):
                 get_lm_studio_available_models(request, MagicMock(), mock_session)
+
+
+class TestGetLitellmAvailableModels:
+    """Tests for the Litellm proxy model fetch endpoint."""
+
+    @pytest.fixture
+    def mock_litellm_response(self) -> dict:
+        """Mock response from Litellm /v1/models endpoint."""
+        return {
+            "data": [
+                {
+                    "id": "gpt-4o",
+                    "object": "model",
+                    "created": 1700000000,
+                    "owned_by": "openai",
+                },
+                {
+                    "id": "claude-3-5-sonnet",
+                    "object": "model",
+                    "created": 1700000001,
+                    "owned_by": "anthropic",
+                },
+                {
+                    "id": "gemini-pro",
+                    "object": "model",
+                    "created": 1700000002,
+                    "owned_by": "google",
+                },
+            ]
+        }
+
+    def test_returns_model_list(self, mock_litellm_response: dict) -> None:
+        """Test that endpoint returns properly formatted model list."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.json.return_value = mock_litellm_response
+            mock_response.raise_for_status = MagicMock()
+            mock_get.return_value = mock_response
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="test-key",
+            )
+            results = get_litellm_available_models(request, MagicMock(), mock_session)
+
+            assert len(results) == 3
+            assert all(isinstance(r, LitellmFinalModelResponse) for r in results)
+
+    def test_model_fields_parsed_correctly(self, mock_litellm_response: dict) -> None:
+        """Test that provider_name and model_name are correctly extracted."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.json.return_value = mock_litellm_response
+            mock_response.raise_for_status = MagicMock()
+            mock_get.return_value = mock_response
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="test-key",
+            )
+            results = get_litellm_available_models(request, MagicMock(), mock_session)
+
+            gpt = next(r for r in results if r.model_name == "gpt-4o")
+            assert gpt.provider_name == "openai"
+
+            claude = next(r for r in results if r.model_name == "claude-3-5-sonnet")
+            assert claude.provider_name == "anthropic"
+
+    def test_results_sorted_by_model_name(self, mock_litellm_response: dict) -> None:
+        """Test that results are alphabetically sorted by model_name."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.json.return_value = mock_litellm_response
+            mock_response.raise_for_status = MagicMock()
+            mock_get.return_value = mock_response
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="test-key",
+            )
+            results = get_litellm_available_models(request, MagicMock(), mock_session)
+
+            model_names = [r.model_name for r in results]
+            assert model_names == sorted(model_names, key=str.lower)
+
+    def test_empty_data_raises_onyx_error(self) -> None:
+        """Test that empty model list raises OnyxError."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.json.return_value = {"data": []}
+            mock_response.raise_for_status = MagicMock()
+            mock_get.return_value = mock_response
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="test-key",
+            )
+            with pytest.raises(OnyxError, match="No models found"):
+                get_litellm_available_models(request, MagicMock(), mock_session)
+
+    def test_missing_data_key_raises_onyx_error(self) -> None:
+        """Test that response without 'data' key raises OnyxError."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.json.return_value = {}
+            mock_response.raise_for_status = MagicMock()
+            mock_get.return_value = mock_response
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="test-key",
+            )
+            with pytest.raises(OnyxError):
+                get_litellm_available_models(request, MagicMock(), mock_session)
+
+    def test_skips_unparseable_entries(self) -> None:
+        """Test that malformed model entries are skipped without failing."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+        response_with_bad_entry = {
+            "data": [
+                {
+                    "id": "gpt-4o",
+                    "object": "model",
+                    "created": 1700000000,
+                    "owned_by": "openai",
+                },
+                # Missing required fields
+                {"bad_field": "bad_value"},
+            ]
+        }
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.json.return_value = response_with_bad_entry
+            mock_response.raise_for_status = MagicMock()
+            mock_get.return_value = mock_response
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="test-key",
+            )
+            results = get_litellm_available_models(request, MagicMock(), mock_session)
+
+            assert len(results) == 1
+            assert results[0].model_name == "gpt-4o"
+
+    def test_all_entries_unparseable_raises_onyx_error(self) -> None:
+        """Test that OnyxError is raised when all entries fail to parse."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+        response_all_bad = {
+            "data": [
+                {"bad_field": "bad_value"},
+                {"another_bad": 123},
+            ]
+        }
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.json.return_value = response_all_bad
+            mock_response.raise_for_status = MagicMock()
+            mock_get.return_value = mock_response
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="test-key",
+            )
+            with pytest.raises(OnyxError, match="No compatible models"):
+                get_litellm_available_models(request, MagicMock(), mock_session)
+
+    def test_api_base_trailing_slash_handled(self) -> None:
+        """Test that trailing slashes in api_base are handled correctly."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+        mock_litellm_response = {
+            "data": [
+                {
+                    "id": "gpt-4o",
+                    "object": "model",
+                    "created": 1700000000,
+                    "owned_by": "openai",
+                },
+            ]
+        }
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.json.return_value = mock_litellm_response
+            mock_response.raise_for_status = MagicMock()
+            mock_get.return_value = mock_response
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000/",
+                api_key="test-key",
+            )
+            get_litellm_available_models(request, MagicMock(), mock_session)
+
+            # Should call /v1/models without double slashes
+            call_args = mock_get.call_args
+            assert call_args[0][0] == "http://localhost:4000/v1/models"
+
+    def test_connection_failure_raises_onyx_error(self) -> None:
+        """Test that connection failures are wrapped in OnyxError."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_get.side_effect = Exception("Connection refused")
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="test-key",
+            )
+            with pytest.raises(OnyxError, match="Failed to fetch LiteLLM models"):
+                get_litellm_available_models(request, MagicMock(), mock_session)
+
+    def test_401_raises_authentication_error(self) -> None:
+        """Test that a 401 response raises OnyxError with authentication message."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.status_code = 401
+            mock_get.side_effect = httpx.HTTPStatusError(
+                "Unauthorized", request=MagicMock(), response=mock_response
+            )
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="bad-key",
+            )
+            with pytest.raises(OnyxError, match="Authentication failed"):
+                get_litellm_available_models(request, MagicMock(), mock_session)
+
+    def test_404_raises_not_found_error(self) -> None:
+        """Test that a 404 response raises OnyxError with endpoint not found message."""
+        from onyx.server.manage.llm.api import get_litellm_available_models
+
+        mock_session = MagicMock()
+
+        with patch("onyx.server.manage.llm.api.httpx.get") as mock_get:
+            mock_response = MagicMock()
+            mock_response.status_code = 404
+            mock_get.side_effect = httpx.HTTPStatusError(
+                "Not Found", request=MagicMock(), response=mock_response
+            )
+
+            request = LitellmModelsRequest(
+                api_base="http://localhost:4000",
+                api_key="test-key",
+            )
+            with pytest.raises(OnyxError, match="endpoint not found"):
+                get_litellm_available_models(request, MagicMock(), mock_session)

backend/tests/unit/onyx/server/test_projects_file_utils.py

@@ -1,188 +0,0 @@
-from io import BytesIO
-from unittest.mock import MagicMock
-
-import pytest
-from fastapi import UploadFile
-
-from onyx.server.features.projects import projects_file_utils as utils
-
-
-class _Tokenizer:
-    def encode(self, text: str) -> list[int]:
-        return [1] * len(text)
-
-
-class _NonSeekableFile(BytesIO):
-    def tell(self) -> int:
-        raise OSError("tell not supported")
-
-    def seek(self, *_args: object, **_kwargs: object) -> int:
-        raise OSError("seek not supported")
-
-
-def _make_upload(filename: str, size: int, content: bytes | None = None) -> UploadFile:
-    payload = content if content is not None else (b"x" * size)
-    return UploadFile(filename=filename, file=BytesIO(payload), size=size)
-
-
-def _make_upload_no_size(filename: str, content: bytes) -> UploadFile:
-    return UploadFile(filename=filename, file=BytesIO(content), size=None)
-
-
-def _patch_common_dependencies(monkeypatch: pytest.MonkeyPatch) -> None:
-    monkeypatch.setattr(utils, "fetch_default_llm_model", lambda _db: None)
-    monkeypatch.setattr(utils, "get_tokenizer", lambda **_kwargs: _Tokenizer())
-    monkeypatch.setattr(utils, "is_file_password_protected", lambda **_kwargs: False)
-
-
-def test_get_upload_size_bytes_falls_back_to_stream_size() -> None:
-    upload = UploadFile(filename="example.txt", file=BytesIO(b"abcdef"), size=None)
-    upload.file.seek(2)
-
-    size = utils.get_upload_size_bytes(upload)
-
-    assert size == 6
-    assert upload.file.tell() == 2
-
-
-def test_get_upload_size_bytes_logs_warning_when_stream_size_unavailable(
-    caplog: pytest.LogCaptureFixture,
-) -> None:
-    upload = UploadFile(filename="non_seekable.txt", file=_NonSeekableFile(), size=None)
-
-    caplog.set_level("WARNING")
-    size = utils.get_upload_size_bytes(upload)
-
-    assert size is None
-    assert "Could not determine upload size via stream seek" in caplog.text
-    assert "non_seekable.txt" in caplog.text
-
-
-def test_is_upload_too_large_logs_warning_when_size_unknown(
-    monkeypatch: pytest.MonkeyPatch,
-    caplog: pytest.LogCaptureFixture,
-) -> None:
-    upload = _make_upload("size_unknown.txt", size=1)
-    monkeypatch.setattr(utils, "get_upload_size_bytes", lambda _upload: None)
-
-    caplog.set_level("WARNING")
-    is_too_large = utils.is_upload_too_large(upload, max_bytes=100)
-
-    assert is_too_large is False
-    assert "Could not determine upload size; skipping size-limit check" in caplog.text
-    assert "size_unknown.txt" in caplog.text
-
-
-def test_categorize_uploaded_files_accepts_size_under_limit(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    _patch_common_dependencies(monkeypatch)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_BYTES", 100)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_MB", 1)
-    monkeypatch.setattr(utils, "estimate_image_tokens_for_upload", lambda _upload: 10)
-
-    upload = _make_upload("small.png", size=99)
-    result = utils.categorize_uploaded_files([upload], MagicMock())
-
-    assert len(result.acceptable) == 1
-    assert len(result.rejected) == 0
-
-
-def test_categorize_uploaded_files_uses_seek_fallback_when_upload_size_missing(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    _patch_common_dependencies(monkeypatch)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_BYTES", 100)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_MB", 1)
-    monkeypatch.setattr(utils, "estimate_image_tokens_for_upload", lambda _upload: 10)
-
-    upload = _make_upload_no_size("small.png", content=b"x" * 99)
-    result = utils.categorize_uploaded_files([upload], MagicMock())
-
-    assert len(result.acceptable) == 1
-    assert len(result.rejected) == 0
-
-
-def test_categorize_uploaded_files_accepts_size_at_limit(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    _patch_common_dependencies(monkeypatch)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_BYTES", 100)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_MB", 1)
-    monkeypatch.setattr(utils, "estimate_image_tokens_for_upload", lambda _upload: 10)
-
-    upload = _make_upload("edge.png", size=100)
-    result = utils.categorize_uploaded_files([upload], MagicMock())
-
-    assert len(result.acceptable) == 1
-    assert len(result.rejected) == 0
-
-
-def test_categorize_uploaded_files_rejects_size_over_limit_with_reason(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    _patch_common_dependencies(monkeypatch)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_BYTES", 100)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_MB", 1)
-    monkeypatch.setattr(utils, "estimate_image_tokens_for_upload", lambda _upload: 10)
-
-    upload = _make_upload("large.png", size=101)
-    result = utils.categorize_uploaded_files([upload], MagicMock())
-
-    assert len(result.acceptable) == 0
-    assert len(result.rejected) == 1
-    assert result.rejected[0].reason == "Exceeds 1 MB file size limit"
-
-
-def test_categorize_uploaded_files_mixed_batch_keeps_valid_and_rejects_oversized(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    _patch_common_dependencies(monkeypatch)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_BYTES", 100)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_MB", 1)
-    monkeypatch.setattr(utils, "estimate_image_tokens_for_upload", lambda _upload: 10)
-
-    small = _make_upload("small.png", size=50)
-    large = _make_upload("large.png", size=101)
-
-    result = utils.categorize_uploaded_files([small, large], MagicMock())
-
-    assert [file.filename for file in result.acceptable] == ["small.png"]
-    assert len(result.rejected) == 1
-    assert result.rejected[0].filename == "large.png"
-    assert result.rejected[0].reason == "Exceeds 1 MB file size limit"
-
-
-def test_categorize_uploaded_files_enforces_size_limit_even_when_threshold_is_skipped(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    _patch_common_dependencies(monkeypatch)
-    monkeypatch.setattr(utils, "SKIP_USERFILE_THRESHOLD", True)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_BYTES", 100)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_MB", 1)
-
-    upload = _make_upload("oversized.pdf", size=101)
-    result = utils.categorize_uploaded_files([upload], MagicMock())
-
-    assert len(result.acceptable) == 0
-    assert len(result.rejected) == 1
-    assert result.rejected[0].reason == "Exceeds 1 MB file size limit"
-
-
-def test_categorize_uploaded_files_checks_size_before_text_extraction(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    _patch_common_dependencies(monkeypatch)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_BYTES", 100)
-    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_MB", 1)
-
-    extract_mock = MagicMock(return_value="this should not run")
-    monkeypatch.setattr(utils, "extract_file_text", extract_mock)
-
-    oversized_doc = _make_upload("oversized.pdf", size=101)
-    result = utils.categorize_uploaded_files([oversized_doc], MagicMock())
-
-    extract_mock.assert_not_called()
-    assert len(result.acceptable) == 0
-    assert len(result.rejected) == 1
-    assert result.rejected[0].reason == "Exceeds 1 MB file size limit"

backend/tests/unit/onyx/server/test_settings_store.py

@@ -1,32 +0,0 @@
-import pytest
-
-from onyx.key_value_store.interface import KvKeyNotFoundError
-from onyx.server.settings import store as settings_store
-
-
-class _FakeKvStore:
-    def load(self, _key: str) -> dict:
-        raise KvKeyNotFoundError()
-
-
-class _FakeCache:
-    def __init__(self) -> None:
-        self._vals: dict[str, bytes] = {}
-
-    def get(self, key: str) -> bytes | None:
-        return self._vals.get(key)
-
-    def set(self, key: str, value: str, ex: int | None = None) -> None:  # noqa: ARG002
-        self._vals[key] = value.encode("utf-8")
-
-
-def test_load_settings_includes_user_file_max_upload_size_mb(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    monkeypatch.setattr(settings_store, "get_kv_store", lambda: _FakeKvStore())
-    monkeypatch.setattr(settings_store, "get_cache_backend", lambda: _FakeCache())
-    monkeypatch.setattr(settings_store, "USER_FILE_MAX_UPLOAD_SIZE_MB", 77)
-
-    settings = settings_store.load_settings()
-
-    assert settings.user_file_max_upload_size_mb == 77

backend/tests/unit/onyx/utils/test_sensitive.py

@@ -147,18 +147,15 @@ class TestSensitiveValueString:
         )
         assert sensitive1 != sensitive2
 
-    def test_equality_with_non_sensitive_returns_not_equal(self) -> None:
-        """Test that comparing with non-SensitiveValue is always not-equal.
-
-        Returns NotImplemented so Python falls back to identity comparison.
-        This is required for compatibility with SQLAlchemy's attribute tracking.
-        """
+    def test_equality_with_non_sensitive_raises(self) -> None:
+        """Test that comparing with non-SensitiveValue raises error."""
         sensitive = SensitiveValue(
             encrypted_bytes=_encrypt_string("secret"),
             decrypt_fn=_decrypt_string,
             is_json=False,
         )
-        assert not (sensitive == "secret")
+        with pytest.raises(SensitiveAccessError):
+            _ = sensitive == "secret"
 
 
 class TestSensitiveValueJson:

deployment/docker_compose/docker-compose.multitenant-dev.yml

@@ -61,6 +61,9 @@ services:
       - POSTGRES_HOST=relational_db
       - POSTGRES_DEFAULT_SCHEMA=${POSTGRES_DEFAULT_SCHEMA:-}
       - VESPA_HOST=index
+      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
+      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - WEB_DOMAIN=${WEB_DOMAIN:-}
       # MinIO configuration
@@ -77,6 +80,7 @@ services:
       - DISABLE_RERANK_FOR_STREAMING=${DISABLE_RERANK_FOR_STREAMING:-}
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - MODEL_SERVER_PORT=${MODEL_SERVER_PORT:-}
+      - CODE_INTERPRETER_BASE_URL=${CODE_INTERPRETER_BASE_URL:-http://code-interpreter:8000}
       - LOG_ONYX_MODEL_INTERACTIONS=${LOG_ONYX_MODEL_INTERACTIONS:-}
       - LOG_VESPA_TIMING_INFORMATION=${LOG_VESPA_TIMING_INFORMATION:-}
       - LOG_ENDPOINT_LATENCY=${LOG_ENDPOINT_LATENCY:-}
@@ -168,6 +172,9 @@ services:
       - POSTGRES_DB=${POSTGRES_DB:-}
       - POSTGRES_DEFAULT_SCHEMA=${POSTGRES_DEFAULT_SCHEMA:-}
       - VESPA_HOST=index
+      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
+      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - WEB_DOMAIN=${WEB_DOMAIN:-}
       # MinIO configuration
@@ -424,6 +431,50 @@ services:
         max-size: "50m"
         max-file: "6"
 
+  opensearch:
+    image: opensearchproject/opensearch:3.4.0
+    restart: unless-stopped
+    # Controls whether this service runs. In order to enable it, add
+    # opensearch-enabled to COMPOSE_PROFILES in the environment for this
+    # docker-compose.
+    # NOTE: Now enabled on by default. To explicitly disable this service,
+    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
+    # list the profile, or when running docker compose, include all desired
+    # service names but this one. Additionally set
+    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
+    # profiles: ["opensearch-enabled"]
+    environment:
+      # We need discovery.type=single-node so that OpenSearch doesn't try
+      # forming a cluster and waiting for other nodes to become live.
+      - discovery.type=single-node
+      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      # This and the JVM config below come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
+      # We do this to avoid unstable performance from page swaps.
+      - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
+      # Java heap should be ~50% of memory limit. For now we assume a limit of
+      # 4g although in practice the container can request more than this.
+      # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
+      # Xms is the starting size, Xmx is the maximum size. These should be the
+      # same.
+      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
+    volumes:
+      - opensearch-data:/usr/share/opensearch/data
+    # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
+    ulimits:
+      # Similarly to bootstrap.memory_lock, we don't want to impose limits on
+      # how much memory a process can lock from being swapped.
+      memlock:
+        soft: -1 # Set memlock to unlimited (no soft or hard limit).
+        hard: -1
+      nofile:
+        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536.
+        hard: 65536
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "6"
+
   nginx:
     image: nginx:1.25.5-alpine
     restart: unless-stopped
@@ -508,3 +559,5 @@ volumes:
   model_cache_huggingface:
   indexing_huggingface_model_cache:
   # mcp_server_logs:
+  # Persistent data for OpenSearch.
+  opensearch-data:

deployment/docker_compose/docker-compose.prod-cloud.yml

@@ -21,6 +21,9 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
+      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
+      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       # MinIO configuration
@@ -55,6 +58,9 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
+      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
+      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - INDEXING_MODEL_SERVER_HOST=${INDEXING_MODEL_SERVER_HOST:-indexing_model_server}
@@ -228,6 +234,50 @@ services:
         max-size: "50m"
         max-file: "6"
 
+  opensearch:
+    image: opensearchproject/opensearch:3.4.0
+    restart: unless-stopped
+    # Controls whether this service runs. In order to enable it, add
+    # opensearch-enabled to COMPOSE_PROFILES in the environment for this
+    # docker-compose.
+    # NOTE: Now enabled on by default. To explicitly disable this service,
+    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
+    # list the profile, or when running docker compose, include all desired
+    # service names but this one. Additionally set
+    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
+    # profiles: ["opensearch-enabled"]
+    environment:
+      # We need discovery.type=single-node so that OpenSearch doesn't try
+      # forming a cluster and waiting for other nodes to become live.
+      - discovery.type=single-node
+      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      # This and the JVM config below come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
+      # We do this to avoid unstable performance from page swaps.
+      - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
+      # Java heap should be ~50% of memory limit. For now we assume a limit of
+      # 4g although in practice the container can request more than this.
+      # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
+      # Xms is the starting size, Xmx is the maximum size. These should be the
+      # same.
+      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
+    volumes:
+      - opensearch-data:/usr/share/opensearch/data
+    # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
+    ulimits:
+      # Similarly to bootstrap.memory_lock, we don't want to impose limits on
+      # how much memory a process can lock from being swapped.
+      memlock:
+        soft: -1 # Set memlock to unlimited (no soft or hard limit).
+        hard: -1
+      nofile:
+        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536.
+        hard: 65536
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "6"
+
   nginx:
     image: nginx:1.25.5-alpine
     restart: unless-stopped
@@ -315,3 +365,5 @@ volumes:
   model_cache_huggingface:
   indexing_huggingface_model_cache:
   # mcp_server_logs:
+  # Persistent data for OpenSearch.
+  opensearch-data:

deployment/docker_compose/docker-compose.prod-no-letsencrypt.yml

@@ -21,8 +21,12 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
+      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
+      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
+      - CODE_INTERPRETER_BASE_URL=${CODE_INTERPRETER_BASE_URL:-http://code-interpreter:8000}
       - USE_IAM_AUTH=${USE_IAM_AUTH}
       - AWS_REGION_NAME=${AWS_REGION_NAME-}
       - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID-}
@@ -68,6 +72,9 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
+      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
+      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - INDEXING_MODEL_SERVER_HOST=${INDEXING_MODEL_SERVER_HOST:-indexing_model_server}
@@ -251,6 +258,50 @@ services:
         max-size: "50m"
         max-file: "6"
 
+  opensearch:
+    image: opensearchproject/opensearch:3.4.0
+    restart: unless-stopped
+    # Controls whether this service runs. In order to enable it, add
+    # opensearch-enabled to COMPOSE_PROFILES in the environment for this
+    # docker-compose.
+    # NOTE: Now enabled on by default. To explicitly disable this service,
+    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
+    # list the profile, or when running docker compose, include all desired
+    # service names but this one. Additionally set
+    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
+    # profiles: ["opensearch-enabled"]
+    environment:
+      # We need discovery.type=single-node so that OpenSearch doesn't try
+      # forming a cluster and waiting for other nodes to become live.
+      - discovery.type=single-node
+      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      # This and the JVM config below come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
+      # We do this to avoid unstable performance from page swaps.
+      - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
+      # Java heap should be ~50% of memory limit. For now we assume a limit of
+      # 4g although in practice the container can request more than this.
+      # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
+      # Xms is the starting size, Xmx is the maximum size. These should be the
+      # same.
+      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
+    volumes:
+      - opensearch-data:/usr/share/opensearch/data
+    # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
+    ulimits:
+      # Similarly to bootstrap.memory_lock, we don't want to impose limits on
+      # how much memory a process can lock from being swapped.
+      memlock:
+        soft: -1 # Set memlock to unlimited (no soft or hard limit).
+        hard: -1
+      nofile:
+        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536.
+        hard: 65536
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "6"
+
   nginx:
     image: nginx:1.25.5-alpine
     restart: unless-stopped
@@ -343,3 +394,5 @@ volumes:
   # mcp_server_logs:
   # Shared volume for persistent document storage (Craft file-system mode)
   file-system:
+  # Persistent data for OpenSearch.
+  opensearch-data:

deployment/docker_compose/docker-compose.prod.yml

@@ -22,8 +22,12 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
+      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
+      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
+      - CODE_INTERPRETER_BASE_URL=${CODE_INTERPRETER_BASE_URL:-http://code-interpreter:8000}
       - USE_IAM_AUTH=${USE_IAM_AUTH}
       - AWS_REGION_NAME=${AWS_REGION_NAME-}
       - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID-}
@@ -73,6 +77,9 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
+      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
+      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - INDEXING_MODEL_SERVER_HOST=${INDEXING_MODEL_SERVER_HOST:-indexing_model_server}
@@ -270,6 +277,50 @@ services:
         max-size: "50m"
         max-file: "6"
 
+  opensearch:
+    image: opensearchproject/opensearch:3.4.0
+    restart: unless-stopped
+    # Controls whether this service runs. In order to enable it, add
+    # opensearch-enabled to COMPOSE_PROFILES in the environment for this
+    # docker-compose.
+    # NOTE: Now enabled on by default. To explicitly disable this service,
+    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
+    # list the profile, or when running docker compose, include all desired
+    # service names but this one. Additionally set
+    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
+    # profiles: ["opensearch-enabled"]
+    environment:
+      # We need discovery.type=single-node so that OpenSearch doesn't try
+      # forming a cluster and waiting for other nodes to become live.
+      - discovery.type=single-node
+      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
+      # This and the JVM config below come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
+      # We do this to avoid unstable performance from page swaps.
+      - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
+      # Java heap should be ~50% of memory limit. For now we assume a limit of
+      # 4g although in practice the container can request more than this.
+      # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
+      # Xms is the starting size, Xmx is the maximum size. These should be the
+      # same.
+      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
+    volumes:
+      - opensearch-data:/usr/share/opensearch/data
+    # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
+    ulimits:
+      # Similarly to bootstrap.memory_lock, we don't want to impose limits on
+      # how much memory a process can lock from being swapped.
+      memlock:
+        soft: -1 # Set memlock to unlimited (no soft or hard limit).
+        hard: -1
+      nofile:
+        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536.
+        hard: 65536
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "6"
+
   nginx:
     image: nginx:1.25.5-alpine
     restart: unless-stopped
@@ -380,3 +431,5 @@ volumes:
   # mcp_server_logs:
   # Shared volume for persistent document storage (Craft file-system mode)
   file-system:
+  # Persistent data for OpenSearch.
+  opensearch-data:

deployment/docker_compose/docker-compose.yml

@@ -57,6 +57,9 @@ services:
         condition: service_started
       index:
         condition: service_started
+      opensearch:
+        condition: service_started
+        required: false
       cache:
         condition: service_started
       inference_model_server:
@@ -78,9 +81,10 @@ services:
       - VESPA_HOST=${VESPA_HOST:-index}
       - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
       - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-false}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=${REDIS_HOST:-cache}
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
+      - CODE_INTERPRETER_BASE_URL=${CODE_INTERPRETER_BASE_URL:-http://code-interpreter:8000}
       - S3_ENDPOINT_URL=${S3_ENDPOINT_URL:-http://minio:9000}
       - S3_AWS_ACCESS_KEY_ID=${S3_AWS_ACCESS_KEY_ID:-minioadmin}
       - S3_AWS_SECRET_ACCESS_KEY=${S3_AWS_SECRET_ACCESS_KEY:-minioadmin}
@@ -139,11 +143,19 @@ services:
       - path: .env
         required: false
     depends_on:
-      - relational_db
-      - index
-      - cache
-      - inference_model_server
-      - indexing_model_server
+      relational_db:
+        condition: service_started
+      index:
+        condition: service_started
+      opensearch:
+        condition: service_started
+        required: false
+      cache:
+        condition: service_started
+      inference_model_server:
+        condition: service_started
+      indexing_model_server:
+        condition: service_started
     restart: unless-stopped
     environment:
       - FILE_STORE_BACKEND=${FILE_STORE_BACKEND:-s3}
@@ -151,7 +163,7 @@ services:
       - VESPA_HOST=${VESPA_HOST:-index}
       - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
       - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-false}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=${REDIS_HOST:-cache}
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - INDEXING_MODEL_SERVER_HOST=${INDEXING_MODEL_SERVER_HOST:-indexing_model_server}
@@ -406,7 +418,12 @@ services:
     # Controls whether this service runs. In order to enable it, add
     # opensearch-enabled to COMPOSE_PROFILES in the environment for this
     # docker-compose.
-    profiles: ["opensearch-enabled"]
+    # NOTE: Now enabled on by default. To explicitly disable this service,
+    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
+    # list the profile, or when running docker compose, include all desired
+    # service names but this one. Additionally set
+    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
+    # profiles: ["opensearch-enabled"]
     environment:
       # We need discovery.type=single-node so that OpenSearch doesn't try
       # forming a cluster and waiting for other nodes to become live.
@@ -416,11 +433,11 @@ services:
       # We do this to avoid unstable performance from page swaps.
       - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
       # Java heap should be ~50% of memory limit. For now we assume a limit of
-      # 2g although in practice the container can request more than this.
+      # 4g although in practice the container can request more than this.
       # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
       # Xms is the starting size, Xmx is the maximum size. These should be the
       # same.
-      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
     volumes:
       - opensearch-data:/usr/share/opensearch/data
     # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/

deployment/docker_compose/env.template

@@ -67,10 +67,8 @@ POSTGRES_PASSWORD=password
 ## remove s3-filestore from COMPOSE_PROFILES and set FILE_STORE_BACKEND=postgres.
 COMPOSE_PROFILES=s3-filestore
 FILE_STORE_BACKEND=s3
-## Settings for enabling OpenSearch. Uncomment these and comment out
-## COMPOSE_PROFILES above.
-# COMPOSE_PROFILES=s3-filestore,opensearch-enabled
-# OPENSEARCH_FOR_ONYX_ENABLED=true
+## Setting for enabling OpenSearch.
+OPENSEARCH_FOR_ONYX_ENABLED=true
 
 ## MinIO/S3 Configuration (only needed when FILE_STORE_BACKEND=s3)
 S3_ENDPOINT_URL=http://minio:9000

deployment/helm/charts/onyx/Chart.yaml

@@ -5,7 +5,7 @@ home: https://www.onyx.app/
 sources:
   - "https://github.com/onyx-dot-app/onyx"
 type: application
-version: 0.4.32
+version: 0.4.33
 appVersion: latest
 annotations:
   category: Productivity

deployment/helm/charts/onyx/values.yaml

@@ -76,7 +76,10 @@ vespa:
       memory: 32000Mi
 
 opensearch:
-  enabled: false
+  # Enabled by default. Override to false and set the appropriate env vars in
+  # the instance-specific values yaml if using AWS-managed OpenSearch, or simply
+  # override to false to entirely disable.
+  enabled: true
   # These values are passed to the opensearch subchart.
   # See https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch/values.yaml
 
@@ -1158,8 +1161,10 @@ auth:
   opensearch:
     # Enable or disable this secret entirely. Will remove from env var
     # configurations and remove any created secrets.
-    # Set to true when opensearch.enabled is true.
-    enabled: false
+    # Enabled by default. Override to false and set the appropriate env vars in
+    # the instance-specific values yaml if using AWS-managed OpenSearch, or
+    # simply override to false to entirely disable.
+    enabled: true
     # Overwrite the default secret name, ignored if existingSecret is defined.
     secretName: 'onyx-opensearch'
     # Use a secret specified elsewhere.
@@ -1261,5 +1266,3 @@ configMap:
   SKIP_USERFILE_THRESHOLD: ""
   # For multi-tenant: comma-separated list of tenant IDs to skip threshold
   SKIP_USERFILE_THRESHOLD_TENANT_IDS: ""
-  # Maximum user upload file size in MB for chat/projects uploads
-  USER_FILE_MAX_UPLOAD_SIZE_MB: ""

pyproject.toml

@@ -153,7 +153,7 @@ dev = [
     "pytest-repeat==0.9.4",
     "pytest-xdist==3.8.0",
     "pytest==8.3.5",
-    "release-tag==0.4.3",
+    "release-tag==0.5.2",
     "reorder-python-imports-black==3.14.0",
     "ruff==0.12.0",
     "types-beautifulsoup4==4.12.0.3",

uv.lock

@@ -4485,7 +4485,7 @@ requires-dist = [
     { name = "pywikibot", marker = "extra == 'backend'", specifier = "==9.0.0" },
     { name = "rapidfuzz", marker = "extra == 'backend'", specifier = "==3.13.0" },
     { name = "redis", marker = "extra == 'backend'", specifier = "==5.0.8" },
-    { name = "release-tag", marker = "extra == 'dev'", specifier = "==0.4.3" },
+    { name = "release-tag", marker = "extra == 'dev'", specifier = "==0.5.2" },
     { name = "reorder-python-imports-black", marker = "extra == 'dev'", specifier = "==3.14.0" },
     { name = "requests", marker = "extra == 'backend'", specifier = "==2.32.5" },
     { name = "requests-oauthlib", marker = "extra == 'backend'", specifier = "==1.3.1" },
@@ -6338,16 +6338,16 @@ wheels = [
 
 [[package]]
 name = "release-tag"
-version = "0.4.3"
+version = "0.5.2"
 source = { registry = "https://pypi.org/simple" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/39/18/c1d17d973f73f0aa7e2c45f852839ab909756e1bd9727d03babe400fcef0/release_tag-0.4.3-py3-none-any.whl", hash = "sha256:4206f4fa97df930c8176bfee4d3976a7385150ed14b317bd6bae7101ac8b66dd", size = 1181112, upload-time = "2025-12-03T00:18:19.445Z" },
-    { url = "https://files.pythonhosted.org/packages/33/c7/ecc443953840ac313856b2181f55eb8d34fa2c733cdd1edd0bcceee0938d/release_tag-0.4.3-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:7a347a9ad3d2af16e5367e52b451fbc88a0b7b666850758e8f9a601554a8fb13", size = 1170517, upload-time = "2025-12-03T00:18:11.663Z" },
-    { url = "https://files.pythonhosted.org/packages/ce/81/2f6ffa0d87c792364ca9958433fe088c8acc3d096ac9734040049c6ad506/release_tag-0.4.3-py3-none-macosx_11_0_arm64.whl", hash = "sha256:2d1603aa37d8e4f5df63676bbfddc802fbc108a744ba28288ad25c997981c164", size = 1101663, upload-time = "2025-12-03T00:18:15.173Z" },
-    { url = "https://files.pythonhosted.org/packages/7c/ed/9e4ebe400fc52e38dda6e6a45d9da9decd4535ab15e170b8d9b229a66730/release_tag-0.4.3-py3-none-manylinux_2_17_aarch64.whl", hash = "sha256:6db7b81a198e3ba6a87496a554684912c13f9297ea8db8600a80f4f971709d37", size = 1079322, upload-time = "2025-12-03T00:18:16.094Z" },
-    { url = "https://files.pythonhosted.org/packages/2a/64/9e0ce6119e091ef9211fa82b9593f564eeec8bdd86eff6a97fe6e2fcb20f/release_tag-0.4.3-py3-none-manylinux_2_17_x86_64.whl", hash = "sha256:d79a9cf191dd2c29e1b3a35453fa364b08a7aadd15aeb2c556a7661c6cf4d5ad", size = 1181129, upload-time = "2025-12-03T00:18:15.82Z" },
-    { url = "https://files.pythonhosted.org/packages/b8/09/d96acf18f0773b6355080a568ba48931faa9dbe91ab1abefc6f8c4df04a8/release_tag-0.4.3-py3-none-win_amd64.whl", hash = "sha256:3958b880375f2241d0cc2b9882363bf54b1d4d7ca8ffc6eecc63ab92f23307f0", size = 1260773, upload-time = "2025-12-03T00:18:14.723Z" },
-    { url = "https://files.pythonhosted.org/packages/51/da/ecb6346df1ffb0752fe213e25062f802c10df2948717f0d5f9816c2df914/release_tag-0.4.3-py3-none-win_arm64.whl", hash = "sha256:7d5b08000e6e398d46f05a50139031046348fba6d47909f01e468bb7600c19df", size = 1142155, upload-time = "2025-12-03T00:18:20.647Z" },
+    { url = "https://files.pythonhosted.org/packages/ab/92/01192a540b29cfadaa23850c8f6a2041d541b83a3fa1dc52a5f55212b3b6/release_tag-0.5.2-py3-none-any.whl", hash = "sha256:1e9ca7618bcfc63ad7a0728c84bbad52ef82d07586c4cc11365b44ea8f588069", size = 1264752, upload-time = "2026-03-11T00:27:18.674Z" },
+    { url = "https://files.pythonhosted.org/packages/4f/77/81fb42a23cd0de61caf84266f7aac1950b1c324883788b7c48e5344f61ae/release_tag-0.5.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:8fbc61ff7bac2b96fab09566ec45c6508c201efc3f081f57702e1761bbc178d5", size = 1255075, upload-time = "2026-03-11T00:27:24.442Z" },
+    { url = "https://files.pythonhosted.org/packages/98/e6/769f8be94304529c1a531e995f2f3ac83f3c54738ce488b0abde75b20851/release_tag-0.5.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:fa3d7e495a0c516858a81878d03803539712677a3d6e015503de21cce19bea5e", size = 1163627, upload-time = "2026-03-11T00:27:26.412Z" },
+    { url = "https://files.pythonhosted.org/packages/45/68/7543e9daa0dfd41c487bf140d91fd5879327bb7c001a96aa5264667c30a1/release_tag-0.5.2-py3-none-manylinux_2_17_aarch64.whl", hash = "sha256:e8b60453218d6926da1fdcb99c2e17c851be0d7ab1975e97951f0bff5f32b565", size = 1140133, upload-time = "2026-03-11T00:27:20.633Z" },
+    { url = "https://files.pythonhosted.org/packages/6a/30/9087825696271012d889d136310dbdf0811976ae2b2f5a490f4e437903e1/release_tag-0.5.2-py3-none-manylinux_2_17_x86_64.whl", hash = "sha256:0e302ed60c2bf8b7ba5634842be28a27d83cec995869e112b0348b3f01a84ff5", size = 1264767, upload-time = "2026-03-11T00:27:28.355Z" },
+    { url = "https://files.pythonhosted.org/packages/79/a3/5b51b0cbdbf2299f545124beab182cfdfe01bf5b615efbc94aee3a64ea67/release_tag-0.5.2-py3-none-win_amd64.whl", hash = "sha256:e3c0629d373a16b9a3da965e89fca893640ce9878ec548865df3609b70989a89", size = 1340816, upload-time = "2026-03-11T00:27:22.622Z" },
+    { url = "https://files.pythonhosted.org/packages/dd/6f/832c2023a8bd8414c93452bd8b43bf61cedfa5b9575f70c06fb911e51a29/release_tag-0.5.2-py3-none-win_arm64.whl", hash = "sha256:5f26b008e0be0c7a122acd8fcb1bb5c822f38e77fed0c0bf6c550cc226c6bf14", size = 1203191, upload-time = "2026-03-11T00:27:29.789Z" },
 ]
 
 [[package]]

web/jest.config.js

@@ -144,6 +144,7 @@ module.exports = {
         "**/src/app/**/hooks/*.test.ts", // Pure packet processor tests
         "**/src/refresh-components/**/*.test.ts",
         "**/src/sections/**/*.test.ts",
+        "**/src/components/**/*.test.ts",
         // Add more patterns here as you add more unit tests
       ],
     },
@@ -156,7 +157,6 @@ module.exports = {
         "**/src/app/**/*.test.tsx",
         "**/src/components/**/*.test.tsx",
         "**/src/lib/**/*.test.tsx",
-        "**/src/providers/**/*.test.tsx",
         "**/src/refresh-components/**/*.test.tsx",
         "**/src/hooks/**/*.test.tsx",
         "**/src/sections/**/*.test.tsx",

web/lib/opal/src/components/buttons/button/components.tsx

@@ -39,7 +39,7 @@ type ButtonProps = InteractiveStatelessProps &
     /** Tooltip text shown on hover. */
     tooltip?: string;
 
-    /** Width preset. `"fit"` shrink-wraps, `"full"` stretches to parent width. */
+    /** Width preset. `"auto"` shrink-wraps, `"full"` stretches to parent width. */
     width?: WidthVariant;
 
     /** Which side the tooltip appears on. */

web/lib/opal/src/components/buttons/line-item-button/README.md

@@ -1,83 +0,0 @@
-# LineItemButton
-
-**Import:** `import { LineItemButton, type LineItemButtonProps } from "@opal/components";`
-
-A composite component that wraps `Interactive.Stateful > Interactive.Container > ContentAction` into a single API. Use it for selectable list rows such as model pickers, menu items, or any row that acts like a button.
-
-## Architecture
-
-```
-Interactive.Stateful         <- selectVariant, state, interaction, onClick, href, ref
-  └─ Interactive.Container   <- type, width, roundingVariant
-       └─ ContentAction      <- withInteractive, paddingVariant="lg"
-            ├─ Content       <- icon, title, description, sizePreset, variant, ...
-            └─ rightChildren
-```
-
-`paddingVariant` is hardcoded to `"lg"` and `withInteractive` is always `true`. These are not exposed as props.
-
-## Props
-
-### Interactive surface
-
-| Prop | Type | Default | Description |
-|------|------|---------|-------------|
-| `selectVariant` | `"select-light" \| "select-heavy"` | `"select-light"` | Interactive select variant |
-| `state` | `InteractiveStatefulState` | `"empty"` | Value state (`"empty"`, `"filled"`, `"selected"`) |
-| `interaction` | `InteractiveStatefulInteraction` | `"rest"` | JS-controlled interaction state override |
-| `onClick` | `MouseEventHandler<HTMLElement>` | — | Click handler |
-| `href` | `string` | — | Renders an anchor instead of a div |
-| `target` | `string` | — | Anchor target (e.g. `"_blank"`) |
-| `group` | `string` | — | Interactive group key |
-| `ref` | `React.Ref<HTMLElement>` | — | Forwarded ref |
-
-### Sizing
-
-| Prop | Type | Default | Description |
-|------|------|---------|-------------|
-| `roundingVariant` | `InteractiveContainerRoundingVariant` | `"default"` | Corner rounding preset (height is content-driven) |
-| `width` | `WidthVariant` | `"full"` | Container width |
-| `type` | `"submit" \| "button" \| "reset"` | `"button"` | HTML button type |
-| `tooltip` | `string` | — | Tooltip text shown on hover |
-| `tooltipSide` | `TooltipSide` | `"top"` | Tooltip side |
-
-### Content (pass-through to ContentAction)
-
-| Prop | Type | Default | Description |
-|------|------|---------|-------------|
-| `title` | `string` | **(required)** | Row label |
-| `icon` | `IconFunctionComponent` | — | Left icon |
-| `description` | `string` | — | Description below the title |
-| `sizePreset` | `SizePreset` | `"headline"` | Content size preset |
-| `variant` | `ContentVariant` | `"heading"` | Content layout variant |
-| `rightChildren` | `ReactNode` | — | Content after the label (e.g. action button) |
-
-All other `ContentAction` / `Content` props (`editable`, `onTitleChange`, `optional`, `auxIcon`, `tag`, etc.) are also passed through. Note: `withInteractive` is always `true` inside `LineItemButton` and cannot be overridden.
-
-## Usage
-
-```tsx
-import { LineItemButton } from "@opal/components";
-
-// Simple selectable row
-<LineItemButton
-  selectVariant="select-heavy"
-  state={isSelected ? "selected" : "empty"}
-  roundingVariant="compact"
-  onClick={handleClick}
-  title="gpt-4o"
-  sizePreset="main-ui"
-  variant="section"
-/>
-
-// With right-side action
-<LineItemButton
-  selectVariant="select-heavy"
-  state={isSelected ? "selected" : "empty"}
-  onClick={handleClick}
-  title="claude-opus-4"
-  sizePreset="main-ui"
-  variant="section"
-  rightChildren={<Tag title="Default" color="blue" />}
-/>
-```

web/lib/opal/src/components/buttons/line-item-button/components.tsx

@@ -1,137 +0,0 @@
-import "@opal/components/tooltip.css";
-import {
-  Interactive,
-  type InteractiveStatefulState,
-  type InteractiveStatefulInteraction,
-  type InteractiveStatefulProps,
-  InteractiveContainerRoundingVariant,
-} from "@opal/core";
-import { type WidthVariant } from "@opal/shared";
-import type { TooltipSide } from "@opal/components";
-import type { DistributiveOmit } from "@opal/types";
-import type { ContentActionProps } from "@opal/layouts/content-action/components";
-import { ContentAction } from "@opal/layouts";
-import * as TooltipPrimitive from "@radix-ui/react-tooltip";
-
-// ---------------------------------------------------------------------------
-// Types
-// ---------------------------------------------------------------------------
-
-type ContentPassthroughProps = DistributiveOmit<
-  ContentActionProps,
-  "paddingVariant" | "widthVariant" | "ref" | "withInteractive"
->;
-
-type LineItemButtonOwnProps = {
-  /** Interactive select variant. @default "select-light" */
-  selectVariant?: "select-light" | "select-heavy";
-
-  /** Value state. @default "empty" */
-  state?: InteractiveStatefulState;
-
-  /** JS-controllable interaction state override. @default "rest" */
-  interaction?: InteractiveStatefulInteraction;
-
-  /** Click handler. */
-  onClick?: InteractiveStatefulProps["onClick"];
-
-  /** When provided, renders an anchor instead of a div. */
-  href?: string;
-
-  /** Anchor target (e.g. "_blank"). */
-  target?: string;
-
-  /** Interactive group key. */
-  group?: string;
-
-  /** Forwarded ref. */
-  ref?: React.Ref<HTMLElement>;
-
-  /** Corner rounding preset (height is always content-driven). @default "default" */
-  roundingVariant?: InteractiveContainerRoundingVariant;
-
-  /** Container width. @default "full" */
-  width?: WidthVariant;
-
-  /** HTML button type. @default "button" */
-  type?: "submit" | "button" | "reset";
-
-  /** Tooltip text shown on hover. */
-  tooltip?: string;
-
-  /** Which side the tooltip appears on. @default "top" */
-  tooltipSide?: TooltipSide;
-};
-
-type LineItemButtonProps = ContentPassthroughProps & LineItemButtonOwnProps;
-
-// ---------------------------------------------------------------------------
-// LineItemButton
-// ---------------------------------------------------------------------------
-
-function LineItemButton({
-  // Interactive surface
-  selectVariant = "select-light",
-  state,
-  interaction,
-  onClick,
-  href,
-  target,
-  group,
-  ref,
-
-  // Sizing
-  roundingVariant = "default",
-  width = "full",
-  type = "button",
-  tooltip,
-  tooltipSide = "top",
-
-  // ContentAction pass-through
-  ...contentActionProps
-}: LineItemButtonProps) {
-  const item = (
-    <Interactive.Stateful
-      variant={selectVariant}
-      state={state}
-      interaction={interaction}
-      onClick={onClick}
-      href={href}
-      target={target}
-      group={group}
-      ref={ref}
-    >
-      <Interactive.Container
-        type={type}
-        widthVariant={width}
-        heightVariant="lg"
-        roundingVariant={roundingVariant}
-      >
-        <ContentAction
-          {...(contentActionProps as ContentActionProps)}
-          withInteractive
-          paddingVariant="fit"
-        />
-      </Interactive.Container>
-    </Interactive.Stateful>
-  );
-
-  if (!tooltip) return item;
-
-  return (
-    <TooltipPrimitive.Root>
-      <TooltipPrimitive.Trigger asChild>{item}</TooltipPrimitive.Trigger>
-      <TooltipPrimitive.Portal>
-        <TooltipPrimitive.Content
-          className="opal-tooltip"
-          side={tooltipSide}
-          sideOffset={4}
-        >
-          {tooltip}
-        </TooltipPrimitive.Content>
-      </TooltipPrimitive.Portal>
-    </TooltipPrimitive.Root>
-  );
-}
-
-export { LineItemButton, type LineItemButtonProps };

web/lib/opal/src/components/buttons/select-button/components.tsx

@@ -56,7 +56,7 @@ type SelectButtonProps = InteractiveStatefulProps &
     /** Tooltip text shown on hover. */
     tooltip?: string;
 
-    /** Width preset. `"fit"` shrink-wraps, `"full"` stretches to parent width. */
+    /** Width preset. `"auto"` shrink-wraps, `"full"` stretches to parent width. */
     width?: WidthVariant;
 
     /** Which side the tooltip appears on. */

web/lib/opal/src/components/index.ts

@@ -19,12 +19,6 @@ export {
   type OpenButtonProps,
 } from "@opal/components/buttons/open-button/components";
 
-/* LineItemButton */
-export {
-  LineItemButton,
-  type LineItemButtonProps,
-} from "@opal/components/buttons/line-item-button/components";
-
 /* Tag */
 export {
   Tag,

web/lib/opal/src/core/animations/components.tsx

@@ -2,7 +2,6 @@ import "@opal/core/animations/styles.css";
 import React, { createContext, useContext, useState, useCallback } from "react";
 import { cn } from "@opal/utils";
 import type { WithoutStyles } from "@opal/types";
-import { widthVariants, type WidthVariant } from "@opal/shared";
 
 // ---------------------------------------------------------------------------
 // Context-per-group registry
@@ -39,10 +38,6 @@ interface HoverableRootProps
   extends WithoutStyles<React.HTMLAttributes<HTMLDivElement>> {
   children: React.ReactNode;
   group: string;
-  /** Width preset. @default "auto" */
-  widthVariant?: WidthVariant;
-  /** Ref forwarded to the root `<div>`. */
-  ref?: React.Ref<HTMLDivElement>;
 }
 
 type HoverableItemVariant = "opacity-on-hover";
@@ -52,8 +47,6 @@ interface HoverableItemProps
   children: React.ReactNode;
   group?: string;
   variant?: HoverableItemVariant;
-  /** Ref forwarded to the item `<div>`. */
-  ref?: React.Ref<HTMLDivElement>;
 }
 
 // ---------------------------------------------------------------------------
@@ -84,8 +77,6 @@ interface HoverableItemProps
 function HoverableRoot({
   group,
   children,
-  widthVariant = "auto",
-  ref,
   onMouseEnter: consumerMouseEnter,
   onMouseLeave: consumerMouseLeave,
   ...props
@@ -112,13 +103,7 @@ function HoverableRoot({
 
   return (
     <GroupContext.Provider value={hovered}>
-      <div
-        {...props}
-        ref={ref}
-        className={cn(widthVariants[widthVariant])}
-        onMouseEnter={onMouseEnter}
-        onMouseLeave={onMouseLeave}
-      >
+      <div {...props} onMouseEnter={onMouseEnter} onMouseLeave={onMouseLeave}>
         {children}
       </div>
     </GroupContext.Provider>
@@ -162,7 +147,6 @@ function HoverableItem({
   group,
   variant = "opacity-on-hover",
   children,
-  ref,
   ...props
 }: HoverableItemProps) {
   const contextValue = useContext(
@@ -181,7 +165,6 @@ function HoverableItem({
   return (
     <div
       {...props}
-      ref={ref}
       className={cn("hoverable-item")}
       data-hoverable-variant={variant}
       data-hoverable-active={

web/lib/opal/src/core/interactive/container/README.md

@@ -10,7 +10,7 @@ Structural container shared by both `Interactive.Stateless` and `Interactive.Sta
 |------|------|---------|-------------|
 | `heightVariant` | `SizeVariant` | `"lg"` | Height preset (`2xs`–`lg`, `fit`) |
 | `roundingVariant` | `"default" \| "compact" \| "mini"` | `"default"` | Border-radius preset |
-| `widthVariant` | `WidthVariant` | — | Width preset (`"auto"`, `"fit"`, `"full"`) |
+| `widthVariant` | `WidthVariant` | — | Width preset (`auto`, `full`) |
 | `border` | `boolean` | `false` | Renders a 1px border |
 | `type` | `"submit" \| "button" \| "reset"` | — | When set, renders a `<button>` element |
 

web/lib/opal/src/core/interactive/container/components.tsx

@@ -78,7 +78,7 @@ interface InteractiveContainerProps
   /**
    * Width preset controlling the container's horizontal size.
    *
-   * @default "fit"
+   * @default "auto"
    */
   widthVariant?: WidthVariant;
 }
@@ -101,7 +101,7 @@ function InteractiveContainer({
   border,
   roundingVariant = "default",
   heightVariant = "lg",
-  widthVariant = "fit",
+  widthVariant = "auto",
   ...props
 }: InteractiveContainerProps) {
   const { allowClick } = useDisabled();

web/lib/opal/src/core/interactive/stateful/styles.css

@@ -59,8 +59,8 @@
    --------------------------------------------------------------------------- */
 .interactive[data-interactive-variant="select-heavy"][data-interactive-state="filled"] {
   @apply bg-transparent;
-  --interactive-foreground: var(--action-link-05);
-  --interactive-foreground-icon: var(--action-link-05);
+  --interactive-foreground: var(--text-04);
+  --interactive-foreground-icon: var(--text-04);
 }
 .interactive[data-interactive-variant="select-heavy"][data-interactive-state="filled"]:hover:not(
     [data-disabled]
@@ -76,7 +76,9 @@
 .interactive[data-interactive-variant="select-heavy"][data-interactive-state="filled"][data-interaction="active"]:not(
     [data-disabled]
   ) {
-  @apply bg-background-tint-00;
+  @apply bg-background-neutral-00;
+  --interactive-foreground: var(--text-05);
+  --interactive-foreground-icon: var(--text-05);
 }
 .interactive[data-interactive-variant="select-heavy"][data-interactive-state="filled"][data-disabled] {
   @apply bg-transparent;
@@ -156,8 +158,8 @@
    --------------------------------------------------------------------------- */
 .interactive[data-interactive-variant="select-light"][data-interactive-state="filled"] {
   @apply bg-transparent;
-  --interactive-foreground: var(--action-link-05);
-  --interactive-foreground-icon: var(--action-link-05);
+  --interactive-foreground: var(--text-04);
+  --interactive-foreground-icon: var(--text-04);
 }
 .interactive[data-interactive-variant="select-light"][data-interactive-state="filled"]:hover:not(
     [data-disabled]
@@ -173,7 +175,9 @@
 .interactive[data-interactive-variant="select-light"][data-interactive-state="filled"][data-interaction="active"]:not(
     [data-disabled]
   ) {
-  @apply bg-background-tint-00;
+  @apply bg-background-neutral-00;
+  --interactive-foreground: var(--text-05);
+  --interactive-foreground-icon: var(--text-05);
 }
 .interactive[data-interactive-variant="select-light"][data-interactive-state="filled"][data-disabled] {
   @apply bg-transparent;

web/lib/opal/src/layouts/content/BodyLayout.tsx

@@ -40,9 +40,6 @@ interface BodyLayoutProps {
 
   /** Title prominence. Default: `"default"`. */
   prominence?: BodyProminence;
-
-  /** Ref forwarded to the root `<div>`. */
-  ref?: React.Ref<HTMLDivElement>;
 }
 
 // ---------------------------------------------------------------------------
@@ -83,7 +80,6 @@ function BodyLayout({
   sizePreset = "main-ui",
   orientation = "inline",
   prominence = "default",
-  ref,
 }: BodyLayoutProps) {
   const config = BODY_PRESETS[sizePreset];
   const titleColorClass =
@@ -91,7 +87,6 @@ function BodyLayout({
 
   return (
     <div
-      ref={ref}
       className="opal-content-body"
       data-orientation={orientation}
       style={{ gap: config.gap }}

web/lib/opal/src/layouts/content/ContentLg.tsx

@@ -48,12 +48,6 @@ interface ContentLgProps {
 
   /** Size preset. Default: `"headline"`. */
   sizePreset?: ContentLgSizePreset;
-
-  /** When `true`, the title color hooks into `Interactive`'s `--interactive-foreground` variable. */
-  withInteractive?: boolean;
-
-  /** Ref forwarded to the root `<div>`. */
-  ref?: React.Ref<HTMLDivElement>;
 }
 
 // ---------------------------------------------------------------------------
@@ -92,8 +86,6 @@ function ContentLg({
   description,
   editable,
   onTitleChange,
-  withInteractive,
-  ref,
 }: ContentLgProps) {
   const [editing, setEditing] = useState(false);
   const [editValue, setEditValue] = useState(title);
@@ -112,12 +104,7 @@ function ContentLg({
   }
 
   return (
-    <div
-      ref={ref}
-      className="opal-content-lg"
-      data-interactive={withInteractive || undefined}
-      style={{ gap: config.gap }}
-    >
+    <div className="opal-content-lg" style={{ gap: config.gap }}>
       {Icon && (
         <div
           className={cn(

web/lib/opal/src/layouts/content/ContentMd.tsx

@@ -61,12 +61,6 @@ interface ContentMdProps {
 
   /** Size preset. Default: `"main-ui"`. */
   sizePreset?: ContentMdSizePreset;
-
-  /** When `true`, the title color hooks into `Interactive`'s `--interactive-foreground` variable. */
-  withInteractive?: boolean;
-
-  /** Ref forwarded to the root `<div>`. */
-  ref?: React.Ref<HTMLDivElement>;
 }
 
 // ---------------------------------------------------------------------------
@@ -136,8 +130,6 @@ function ContentMd({
   auxIcon,
   tag,
   sizePreset = "main-ui",
-  withInteractive,
-  ref,
 }: ContentMdProps) {
   const [editing, setEditing] = useState(false);
   const [editValue, setEditValue] = useState(title);
@@ -157,12 +149,7 @@ function ContentMd({
   }
 
   return (
-    <div
-      ref={ref}
-      className="opal-content-md"
-      data-interactive={withInteractive || undefined}
-      style={{ gap: config.gap }}
-    >
+    <div className="opal-content-md" style={{ gap: config.gap }}>
       {Icon && (
         <div
           className={cn(

web/lib/opal/src/layouts/content/ContentSm.tsx

@@ -40,12 +40,6 @@ interface ContentSmProps {
 
   /** Title prominence. Default: `"default"`. */
   prominence?: ContentSmProminence;
-
-  /** When `true`, the title color hooks into `Interactive`'s `--interactive-foreground` variable. */
-  withInteractive?: boolean;
-
-  /** Ref forwarded to the root `<div>`. */
-  ref?: React.Ref<HTMLDivElement>;
 }
 
 // ---------------------------------------------------------------------------
@@ -86,18 +80,14 @@ function ContentSm({
   sizePreset = "main-ui",
   orientation = "inline",
   prominence = "default",
-  withInteractive,
-  ref,
 }: ContentSmProps) {
   const config = CONTENT_SM_PRESETS[sizePreset];
 
   return (
     <div
-      ref={ref}
       className="opal-content-sm"
       data-orientation={orientation}
       data-prominence={prominence}
-      data-interactive={withInteractive || undefined}
       style={{ gap: config.gap }}
     >
       {Icon && (

web/lib/opal/src/layouts/content/ContentXl.tsx

@@ -60,12 +60,6 @@ interface ContentXlProps {
 
   /** Optional tertiary icon rendered in the icon row. */
   moreIcon2?: IconFunctionComponent;
-
-  /** When `true`, the title color hooks into `Interactive`'s `--interactive-foreground` variable. */
-  withInteractive?: boolean;
-
-  /** Ref forwarded to the root `<div>`. */
-  ref?: React.Ref<HTMLDivElement>;
 }
 
 // ---------------------------------------------------------------------------
@@ -112,8 +106,6 @@ function ContentXl({
   onTitleChange,
   moreIcon1: MoreIcon1,
   moreIcon2: MoreIcon2,
-  withInteractive,
-  ref,
 }: ContentXlProps) {
   const [editing, setEditing] = useState(false);
   const [editValue, setEditValue] = useState(title);
@@ -132,11 +124,7 @@ function ContentXl({
   }
 
   return (
-    <div
-      ref={ref}
-      className="opal-content-xl"
-      data-interactive={withInteractive || undefined}
-    >
+    <div className="opal-content-xl">
       {(Icon || MoreIcon1 || MoreIcon2) && (
         <div className="opal-content-xl-icon-row">
           {Icon && (

web/lib/opal/src/layouts/content/HeadingLayout.tsx

@@ -52,9 +52,6 @@ interface HeadingLayoutProps {
 
   /** Variant controls icon placement. `"heading"` = top, `"section"` = inline. Default: `"heading"`. */
   variant?: HeadingVariant;
-
-  /** Ref forwarded to the root `<div>`. */
-  ref?: React.Ref<HTMLDivElement>;
 }
 
 // ---------------------------------------------------------------------------
@@ -94,7 +91,6 @@ function HeadingLayout({
   description,
   editable,
   onTitleChange,
-  ref,
 }: HeadingLayoutProps) {
   const [editing, setEditing] = useState(false);
   const [editValue, setEditValue] = useState(title);
@@ -116,7 +112,6 @@ function HeadingLayout({
 
   return (
     <div
-      ref={ref}
       className="opal-content-heading"
       data-icon-placement={iconPlacement}
       style={{ gap: iconPlacement === "left" ? config.gap : undefined }}