fix: register OnyxError exception handler in model_server

Without this, any OnyxError raised in model_server endpoints would
result in an unhandled 500 instead of the proper error response.

.github/workflows/pr-integration-tests.yml

@@ -316,7 +316,6 @@ jobs:
           # Base config shared by both editions
           cat <<EOF > deployment/docker_compose/.env
           COMPOSE_PROFILES=s3-filestore
-          OPENSEARCH_FOR_ONYX_ENABLED=false
           AUTH_TYPE=basic
           POSTGRES_POOL_PRE_PING=true
           POSTGRES_USE_NULL_POOL=true
@@ -419,7 +418,6 @@ jobs:
               -e POSTGRES_POOL_PRE_PING=true \
               -e POSTGRES_USE_NULL_POOL=true \
               -e VESPA_HOST=index \
-              -e ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=false \
               -e REDIS_HOST=cache \
               -e API_SERVER_HOST=api_server \
               -e OPENAI_API_KEY=${OPENAI_API_KEY} \
@@ -639,7 +637,6 @@ jobs:
           ONYX_BACKEND_IMAGE=${ECR_CACHE}:integration-test-backend-test-${RUN_ID} \
           ONYX_MODEL_SERVER_IMAGE=${ECR_CACHE}:integration-test-model-server-test-${RUN_ID} \
           DEV_MODE=true \
-          OPENSEARCH_FOR_ONYX_ENABLED=false \
           docker compose -f docker-compose.multitenant-dev.yml up \
             relational_db \
             index \
@@ -694,7 +691,6 @@ jobs:
             -e POSTGRES_DB=postgres \
             -e POSTGRES_USE_NULL_POOL=true \
             -e VESPA_HOST=index \
-            -e ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=false \
             -e REDIS_HOST=cache \
             -e API_SERVER_HOST=api_server \
             -e OPENAI_API_KEY=${OPENAI_API_KEY} \

.github/workflows/pr-playwright-tests.yml

@@ -12,9 +12,6 @@ on:
   push:
     tags:
       - "v*.*.*"
-    # TODO: Remove this if we enable merge-queues for release branches.
-    branches:
-      - "release/**"
 
 permissions:
   contents: read

.github/workflows/storybook-deploy.yml

@@ -1,69 +0,0 @@
-name: Storybook Deploy
-env:
-  VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
-  VERCEL_PROJECT_ID: prj_sG49mVsA25UsxIPhN2pmBJlikJZM
-  VERCEL_CLI: vercel@50.14.1
-  VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
-
-concurrency:
-  group: storybook-deploy-production
-  cancel-in-progress: true
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-    paths:
-      - "web/lib/opal/**"
-      - "web/src/refresh-components/**"
-      - "web/.storybook/**"
-      - "web/package.json"
-      - "web/package-lock.json"
-permissions:
-  contents: read
-jobs:
-  Deploy-Storybook:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Setup node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # ratchet:actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: "npm"
-          cache-dependency-path: ./web/package-lock.json
-
-      - name: Install dependencies
-        working-directory: web
-        run: npm ci
-
-      - name: Build Storybook
-        working-directory: web
-        run: npm run storybook:build
-
-      - name: Deploy to Vercel (Production)
-        working-directory: web
-        run: npx --yes "$VERCEL_CLI" deploy storybook-static/ --prod --yes
-
-  notify-slack-on-failure:
-    needs: Deploy-Storybook
-    if: always() && needs.Deploy-Storybook.result == 'failure'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4
-        with:
-          persist-credentials: false
-          sparse-checkout: .github/actions/slack-notify
-
-      - name: Send Slack notification
-        uses: ./.github/actions/slack-notify
-        with:
-          webhook-url: ${{ secrets.MONITOR_DEPLOYMENTS_WEBHOOK }}
-          failed-jobs: "• Deploy-Storybook"
-          title: "🚨 Storybook Deploy Failed"

.vscode/env_template.txt

@@ -7,9 +7,6 @@
 
 
 AUTH_TYPE=basic
-# Recommended for basic auth - used for signing password reset and verification tokens
-# Generate a secure value with: openssl rand -hex 32
-USER_AUTH_SECRET=""
 DEV_MODE=true
 
 

AGENTS.md

@@ -598,7 +598,7 @@ Before writing your plan, make sure to do research. Explore the relevant section
 Never hardcode status codes or use `starlette.status` / `fastapi.status` constants directly.**
 
 A global FastAPI exception handler converts `OnyxError` into a JSON response with the standard
-`{"error_code": "...", "detail": "..."}` shape. This eliminates boilerplate and keeps error
+`{"error_code": "...", "message": "..."}` shape. This eliminates boilerplate and keeps error
 handling consistent across the entire backend.
 
 ```python

backend/Dockerfile

@@ -46,9 +46,7 @@ RUN apt-get update && \
         pkg-config \
         gcc \
         nano \
-        vim \
-        libjemalloc2 \
-        && \
+        vim && \
     rm -rf /var/lib/apt/lists/* && \
     apt-get clean
 
@@ -167,13 +165,6 @@ ENV PYTHONPATH=/app
 ARG ONYX_VERSION=0.0.0-dev
 ENV ONYX_VERSION=${ONYX_VERSION}
 
-# Use jemalloc instead of glibc malloc to reduce memory fragmentation
-# in long-running Python processes (API server, Celery workers).
-# The soname is architecture-independent; the dynamic linker resolves
-# the correct path from standard library directories.
-# Placed after all RUN steps so build-time processes are unaffected.
-ENV LD_PRELOAD=libjemalloc.so.2
-
 # Default command which does nothing
 # This container is used by api server and background which specify their own CMD
 CMD ["tail", "-f", "/dev/null"]

backend/alembic/versions/b5c4d7e8f9a1_add_hierarchy_node_cc_pair_table.py

@@ -1,51 +0,0 @@
-"""add hierarchy_node_by_connector_credential_pair table
-
-Revision ID: b5c4d7e8f9a1
-Revises: a3b8d9e2f1c4
-Create Date: 2026-03-04
-
-"""
-
-import sqlalchemy as sa
-from alembic import op
-
-revision = "b5c4d7e8f9a1"
-down_revision = "a3b8d9e2f1c4"
-branch_labels = None
-depends_on = None
-
-
-def upgrade() -> None:
-    op.create_table(
-        "hierarchy_node_by_connector_credential_pair",
-        sa.Column("hierarchy_node_id", sa.Integer(), nullable=False),
-        sa.Column("connector_id", sa.Integer(), nullable=False),
-        sa.Column("credential_id", sa.Integer(), nullable=False),
-        sa.ForeignKeyConstraint(
-            ["hierarchy_node_id"],
-            ["hierarchy_node.id"],
-            ondelete="CASCADE",
-        ),
-        sa.ForeignKeyConstraint(
-            ["connector_id", "credential_id"],
-            [
-                "connector_credential_pair.connector_id",
-                "connector_credential_pair.credential_id",
-            ],
-            ondelete="CASCADE",
-        ),
-        sa.PrimaryKeyConstraint("hierarchy_node_id", "connector_id", "credential_id"),
-    )
-    op.create_index(
-        "ix_hierarchy_node_cc_pair_connector_credential",
-        "hierarchy_node_by_connector_credential_pair",
-        ["connector_id", "credential_id"],
-    )
-
-
-def downgrade() -> None:
-    op.drop_index(
-        "ix_hierarchy_node_cc_pair_connector_credential",
-        table_name="hierarchy_node_by_connector_credential_pair",
-    )
-    op.drop_table("hierarchy_node_by_connector_credential_pair")

backend/ee/onyx/access/access.py

@@ -9,15 +9,12 @@ from onyx.access.access import (
     _get_access_for_documents as get_access_for_documents_without_groups,
 )
 from onyx.access.access import _get_acl_for_user as get_acl_for_user_without_groups
-from onyx.access.access import collect_user_file_access
 from onyx.access.models import DocumentAccess
 from onyx.access.utils import prefix_external_group
 from onyx.access.utils import prefix_user_group
 from onyx.db.document import get_document_sources
 from onyx.db.document import get_documents_by_ids
 from onyx.db.models import User
-from onyx.db.models import UserFile
-from onyx.db.user_file import fetch_user_files_with_access_relationships
 from onyx.utils.logger import setup_logger
 
 
@@ -119,68 +116,6 @@ def _get_access_for_documents(
     return access_map
 
 
-def _collect_user_file_group_names(user_file: UserFile) -> set[str]:
-    """Extract user-group names from the already-loaded Persona.groups
-    relationships on a UserFile (skipping deleted personas)."""
-    groups: set[str] = set()
-    for persona in user_file.assistants:
-        if persona.deleted:
-            continue
-        for group in persona.groups:
-            groups.add(group.name)
-    return groups
-
-
-def get_access_for_user_files_impl(
-    user_file_ids: list[str],
-    db_session: Session,
-) -> dict[str, DocumentAccess]:
-    """EE version: extends the MIT user file ACL with user group names
-    from personas shared via user groups.
-
-    Uses a single DB query (via fetch_user_files_with_access_relationships)
-    that eagerly loads both the MIT-needed and EE-needed relationships.
-
-    NOTE: is imported in onyx.access.access by `fetch_versioned_implementation`
-    DO NOT REMOVE."""
-    user_files = fetch_user_files_with_access_relationships(
-        user_file_ids, db_session, eager_load_groups=True
-    )
-    return build_access_for_user_files_impl(user_files)
-
-
-def build_access_for_user_files_impl(
-    user_files: list[UserFile],
-) -> dict[str, DocumentAccess]:
-    """EE version: works on pre-loaded UserFile objects.
-    Expects Persona.groups to be eagerly loaded.
-
-    NOTE: is imported in onyx.access.access by `fetch_versioned_implementation`
-    DO NOT REMOVE."""
-    result: dict[str, DocumentAccess] = {}
-    for user_file in user_files:
-        if user_file.user is None:
-            result[str(user_file.id)] = DocumentAccess.build(
-                user_emails=[],
-                user_groups=[],
-                is_public=True,
-                external_user_emails=[],
-                external_user_group_ids=[],
-            )
-            continue
-
-        emails, is_public = collect_user_file_access(user_file)
-        group_names = _collect_user_file_group_names(user_file)
-        result[str(user_file.id)] = DocumentAccess.build(
-            user_emails=list(emails),
-            user_groups=list(group_names),
-            is_public=is_public,
-            external_user_emails=[],
-            external_user_group_ids=[],
-        )
-    return result
-
-
 def _get_acl_for_user(user: User, db_session: Session) -> set[str]:
     """Returns a list of ACL entries that the user has access to. This is meant to be
     used downstream to filter out documents that the user does not have access to. The

backend/ee/onyx/auth/users.py

@@ -1,4 +1,3 @@
-import os
 from datetime import datetime
 
 import jwt
@@ -21,13 +20,7 @@ logger = setup_logger()
 
 
 def verify_auth_setting() -> None:
-    # All the Auth flows are valid for EE version, but warn about deprecated 'disabled'
-    raw_auth_type = (os.environ.get("AUTH_TYPE") or "").lower()
-    if raw_auth_type == "disabled":
-        logger.warning(
-            "AUTH_TYPE='disabled' is no longer supported. "
-            "Using 'basic' instead. Please update your configuration."
-        )
+    # All the Auth flows are valid for EE version
     logger.notice(f"Using Auth Type: {AUTH_TYPE.value}")
 
 

backend/ee/onyx/db/hierarchy.py

@@ -18,7 +18,7 @@ from onyx.db.models import HierarchyNode
 
 
 def _build_hierarchy_access_filter(
-    user_email: str,
+    user_email: str | None,
     external_group_ids: list[str],
 ) -> ColumnElement[bool]:
     """Build SQLAlchemy filter for hierarchy node access.
@@ -43,7 +43,7 @@ def _build_hierarchy_access_filter(
 def _get_accessible_hierarchy_nodes_for_source(
     db_session: Session,
     source: DocumentSource,
-    user_email: str,
+    user_email: str | None,
     external_group_ids: list[str],
 ) -> list[HierarchyNode]:
     """

backend/ee/onyx/db/persona.py

@@ -7,7 +7,6 @@ from onyx.db.models import Persona
 from onyx.db.models import Persona__User
 from onyx.db.models import Persona__UserGroup
 from onyx.db.notification import create_notification
-from onyx.db.persona import mark_persona_user_files_for_sync
 from onyx.server.features.persona.models import PersonaSharedNotificationData
 
 
@@ -27,9 +26,7 @@ def update_persona_access(
 
     NOTE: Callers are responsible for committing."""
 
-    needs_sync = False
     if is_public is not None:
-        needs_sync = True
         persona = db_session.query(Persona).filter(Persona.id == persona_id).first()
         if persona:
             persona.is_public = is_public
@@ -38,7 +35,6 @@ def update_persona_access(
     # and a non-empty list means "replace with these shares".
 
     if user_ids is not None:
-        needs_sync = True
         db_session.query(Persona__User).filter(
             Persona__User.persona_id == persona_id
         ).delete(synchronize_session="fetch")
@@ -58,7 +54,6 @@ def update_persona_access(
                 )
 
     if group_ids is not None:
-        needs_sync = True
         db_session.query(Persona__UserGroup).filter(
             Persona__UserGroup.persona_id == persona_id
         ).delete(synchronize_session="fetch")
@@ -68,7 +63,3 @@ def update_persona_access(
             db_session.add(
                 Persona__UserGroup(persona_id=persona_id, user_group_id=group_id)
             )
-
-    # When sharing changes, user file ACLs need to be updated in the vector DB
-    if needs_sync:
-        mark_persona_user_files_for_sync(persona_id, db_session)

backend/ee/onyx/server/seeding.py

@@ -26,7 +26,6 @@ from onyx.db.models import Tool
 from onyx.db.persona import upsert_persona
 from onyx.server.features.persona.models import PersonaUpsertRequest
 from onyx.server.manage.llm.models import LLMProviderUpsertRequest
-from onyx.server.manage.llm.models import LLMProviderView
 from onyx.server.settings.models import Settings
 from onyx.server.settings.store import store_settings as store_base_settings
 from onyx.utils.logger import setup_logger
@@ -126,16 +125,10 @@ def _seed_llms(
         existing = fetch_existing_llm_provider(name=request.name, db_session=db_session)
         if existing:
             request.id = existing.id
-    seeded_providers: list[LLMProviderView] = []
-    for llm_upsert_request in llm_upsert_requests:
-        try:
-            seeded_providers.append(upsert_llm_provider(llm_upsert_request, db_session))
-        except ValueError as e:
-            logger.warning(
-                "Failed to upsert LLM provider '%s' during seeding: %s",
-                llm_upsert_request.name,
-                e,
-            )
+    seeded_providers = [
+        upsert_llm_provider(llm_upsert_request, db_session)
+        for llm_upsert_request in llm_upsert_requests
+    ]
 
     default_provider = next(
         (p for p in seeded_providers if p.model_configurations), None

backend/model_server/encoders.py

@@ -4,10 +4,11 @@ from typing import Any
 from typing import TYPE_CHECKING
 
 from fastapi import APIRouter
-from fastapi import HTTPException
 from fastapi import Request
 
 from model_server.utils import simple_log_function_time
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
 from onyx.utils.logger import setup_logger
 from shared_configs.enums import EmbedTextType
 from shared_configs.model_server_models import Embedding
@@ -188,7 +189,7 @@ async def process_embed_request(
         )
 
     if not embed_request.texts:
-        raise HTTPException(status_code=400, detail="No texts to be embedded")
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, "No texts to be embedded")
 
     if not all(embed_request.texts):
         raise ValueError("Empty strings are not allowed for embedding.")
@@ -211,14 +212,12 @@ async def process_embed_request(
         )
         return EmbedResponse(embeddings=embeddings)
     except RateLimitError as e:
-        raise HTTPException(
-            status_code=429,
-            detail=str(e),
-        )
+        raise OnyxError(OnyxErrorCode.RATE_LIMITED, str(e))
     except Exception as e:
         logger.exception(
             f"Error during embedding process: provider={embed_request.provider_type} model={embed_request.model_name}"
         )
-        raise HTTPException(
-            status_code=500, detail=f"Error during embedding process: {e}"
+        raise OnyxError(
+            OnyxErrorCode.INTERNAL_ERROR,
+            f"Error during embedding process: {e}",
         )

backend/model_server/main.py

@@ -18,6 +18,7 @@ from model_server.encoders import router as encoders_router
 from model_server.management_endpoints import router as management_router
 from model_server.utils import get_gpu_type
 from onyx import __version__
+from onyx.error_handling.exceptions import register_onyx_exception_handlers
 from onyx.utils.logger import setup_logger
 from onyx.utils.logger import setup_uvicorn_logger
 from onyx.utils.middleware import add_onyx_request_id_middleware
@@ -108,6 +109,8 @@ def get_model_app() -> FastAPI:
     application.include_router(management_router)
     application.include_router(encoders_router)
 
+    register_onyx_exception_handlers(application)
+
     request_id_prefix = "INF"
     if INDEXING_ONLY:
         request_id_prefix = "IDX"

backend/onyx/access/access.py

@@ -1,6 +1,7 @@
 from collections.abc import Callable
 from typing import cast
 
+from sqlalchemy.orm import joinedload
 from sqlalchemy.orm import Session
 
 from onyx.access.models import DocumentAccess
@@ -11,7 +12,6 @@ from onyx.db.document import get_access_info_for_document
 from onyx.db.document import get_access_info_for_documents
 from onyx.db.models import User
 from onyx.db.models import UserFile
-from onyx.db.user_file import fetch_user_files_with_access_relationships
 from onyx.utils.variable_functionality import fetch_ee_implementation_or_noop
 from onyx.utils.variable_functionality import fetch_versioned_implementation
 
@@ -132,61 +132,19 @@ def get_access_for_user_files(
     user_file_ids: list[str],
     db_session: Session,
 ) -> dict[str, DocumentAccess]:
-    versioned_fn = fetch_versioned_implementation(
-        "onyx.access.access", "get_access_for_user_files_impl"
+    user_files = (
+        db_session.query(UserFile)
+        .options(joinedload(UserFile.user))  # Eager load the user relationship
+        .filter(UserFile.id.in_(user_file_ids))
+        .all()
     )
-    return versioned_fn(user_file_ids, db_session)
-
-
-def get_access_for_user_files_impl(
-    user_file_ids: list[str],
-    db_session: Session,
-) -> dict[str, DocumentAccess]:
-    user_files = fetch_user_files_with_access_relationships(user_file_ids, db_session)
-    return build_access_for_user_files_impl(user_files)
-
-
-def build_access_for_user_files(
-    user_files: list[UserFile],
-) -> dict[str, DocumentAccess]:
-    """Compute access from pre-loaded UserFile objects (with relationships).
-    Callers must ensure UserFile.user, Persona.users, and Persona.user are
-    eagerly loaded (and Persona.groups for the EE path)."""
-    versioned_fn = fetch_versioned_implementation(
-        "onyx.access.access", "build_access_for_user_files_impl"
-    )
-    return versioned_fn(user_files)
-
-
-def build_access_for_user_files_impl(
-    user_files: list[UserFile],
-) -> dict[str, DocumentAccess]:
-    result: dict[str, DocumentAccess] = {}
-    for user_file in user_files:
-        emails, is_public = collect_user_file_access(user_file)
-        result[str(user_file.id)] = DocumentAccess.build(
-            user_emails=list(emails),
+    return {
+        str(user_file.id): DocumentAccess.build(
+            user_emails=[user_file.user.email] if user_file.user else [],
             user_groups=[],
-            is_public=is_public,
+            is_public=True if user_file.user is None else False,
             external_user_emails=[],
             external_user_group_ids=[],
         )
-    return result
-
-
-def collect_user_file_access(user_file: UserFile) -> tuple[set[str], bool]:
-    """Collect all user emails that should have access to this user file.
-    Includes the owner plus any users who have access via shared personas.
-    Returns (emails, is_public)."""
-    emails: set[str] = {user_file.user.email}
-    is_public = False
-    for persona in user_file.assistants:
-        if persona.deleted:
-            continue
-        if persona.is_public:
-            is_public = True
-        if persona.user_id is not None and persona.user:
-            emails.add(persona.user.email)
-        for shared_user in persona.users:
-            emails.add(shared_user.email)
-    return emails, is_public
+        for user_file in user_files
+    }

backend/onyx/auth/users.py

@@ -1,5 +1,4 @@
 import json
-import os
 import random
 import secrets
 import string
@@ -146,22 +145,10 @@ def is_user_admin(user: User) -> bool:
 
 
 def verify_auth_setting() -> None:
-    """Log warnings for AUTH_TYPE issues.
-
-    This only runs on app startup not during migrations/scripts.
-    """
-    raw_auth_type = (os.environ.get("AUTH_TYPE") or "").lower()
-
-    if raw_auth_type == "cloud":
+    if AUTH_TYPE == AuthType.CLOUD:
         raise ValueError(
-            "'cloud' is not a valid auth type for self-hosted deployments."
+            f"{AUTH_TYPE.value} is not a valid auth type for self-hosted deployments."
         )
-    if raw_auth_type == "disabled":
-        logger.warning(
-            "AUTH_TYPE='disabled' is no longer supported. "
-            "Using 'basic' instead. Please update your configuration."
-        )
-
     logger.notice(f"Using Auth Type: {AUTH_TYPE.value}")
 
 

backend/onyx/background/celery/celery_utils.py

@@ -115,6 +115,8 @@ def _extract_from_batch(
     for item in doc_list:
         if isinstance(item, HierarchyNode):
             hierarchy_nodes.append(item)
+            if item.raw_node_id not in ids:
+                ids[item.raw_node_id] = None
         elif isinstance(item, ConnectorFailure):
             failed_id = _get_failure_id(item)
             if failed_id:
@@ -123,7 +125,8 @@ def _extract_from_batch(
                 f"Failed to retrieve document {failed_id}: " f"{item.failure_message}"
             )
         else:
-            ids[item.id] = item.parent_hierarchy_raw_node_id
+            parent_raw = getattr(item, "parent_hierarchy_raw_node_id", None)
+            ids[item.id] = parent_raw
     return BatchResult(raw_id_to_parent=ids, hierarchy_nodes=hierarchy_nodes)
 
 
@@ -189,7 +192,9 @@ def extract_ids_from_runnable_connector(
         batch_ids = batch_result.raw_id_to_parent
         batch_nodes = batch_result.hierarchy_nodes
         doc_batch_processing_func(batch_ids)
-        all_raw_id_to_parent.update(batch_ids)
+        for k, v in batch_ids.items():
+            if v is not None or k not in all_raw_id_to_parent:
+                all_raw_id_to_parent[k] = v
         all_hierarchy_nodes.extend(batch_nodes)
 
         if callback:

backend/onyx/background/celery/tasks/hierarchyfetching/tasks.py

@@ -40,7 +40,6 @@ from onyx.db.connector_credential_pair import get_connector_credential_pair_from
 from onyx.db.engine.sql_engine import get_session_with_current_tenant
 from onyx.db.enums import AccessType
 from onyx.db.enums import ConnectorCredentialPairStatus
-from onyx.db.hierarchy import upsert_hierarchy_node_cc_pair_entries
 from onyx.db.hierarchy import upsert_hierarchy_nodes_batch
 from onyx.db.models import ConnectorCredentialPair
 from onyx.redis.redis_hierarchy import cache_hierarchy_nodes_batch
@@ -290,14 +289,6 @@ def _run_hierarchy_extraction(
             is_connector_public=is_connector_public,
         )
 
-        upsert_hierarchy_node_cc_pair_entries(
-            db_session=db_session,
-            hierarchy_node_ids=[n.id for n in upserted_nodes],
-            connector_id=cc_pair.connector_id,
-            credential_id=cc_pair.credential_id,
-            commit=True,
-        )
-
         # Cache in Redis for fast ancestor resolution
         cache_entries = [
             HierarchyNodeCacheEntry.from_db_model(node) for node in upserted_nodes

backend/onyx/background/celery/tasks/pruning/tasks.py

@@ -48,15 +48,10 @@ from onyx.db.enums import AccessType
 from onyx.db.enums import ConnectorCredentialPairStatus
 from onyx.db.enums import SyncStatus
 from onyx.db.enums import SyncType
-from onyx.db.hierarchy import delete_orphaned_hierarchy_nodes
 from onyx.db.hierarchy import link_hierarchy_nodes_to_documents
-from onyx.db.hierarchy import remove_stale_hierarchy_node_cc_pair_entries
-from onyx.db.hierarchy import reparent_orphaned_hierarchy_nodes
 from onyx.db.hierarchy import update_document_parent_hierarchy_nodes
-from onyx.db.hierarchy import upsert_hierarchy_node_cc_pair_entries
 from onyx.db.hierarchy import upsert_hierarchy_nodes_batch
 from onyx.db.models import ConnectorCredentialPair
-from onyx.db.models import HierarchyNode as DBHierarchyNode
 from onyx.db.sync_record import insert_sync_record
 from onyx.db.sync_record import update_sync_record_status
 from onyx.db.tag import delete_orphan_tags__no_commit
@@ -65,7 +60,6 @@ from onyx.redis.redis_connector_prune import RedisConnectorPrune
 from onyx.redis.redis_connector_prune import RedisConnectorPrunePayload
 from onyx.redis.redis_hierarchy import cache_hierarchy_nodes_batch
 from onyx.redis.redis_hierarchy import ensure_source_node_exists
-from onyx.redis.redis_hierarchy import evict_hierarchy_nodes_from_cache
 from onyx.redis.redis_hierarchy import get_node_id_from_raw_id
 from onyx.redis.redis_hierarchy import get_source_node_id_from_cache
 from onyx.redis.redis_hierarchy import HierarchyNodeCacheEntry
@@ -585,12 +579,11 @@ def connector_pruning_generator_task(
             source = cc_pair.connector.source
             redis_client = get_redis_client(tenant_id=tenant_id)
 
-            ensure_source_node_exists(redis_client, db_session, source)
-
-            upserted_nodes: list[DBHierarchyNode] = []
             if extraction_result.hierarchy_nodes:
                 is_connector_public = cc_pair.access_type == AccessType.PUBLIC
 
+                ensure_source_node_exists(redis_client, db_session, source)
+
                 upserted_nodes = upsert_hierarchy_nodes_batch(
                     db_session=db_session,
                     nodes=extraction_result.hierarchy_nodes,
@@ -599,14 +592,6 @@ def connector_pruning_generator_task(
                     is_connector_public=is_connector_public,
                 )
 
-                upsert_hierarchy_node_cc_pair_entries(
-                    db_session=db_session,
-                    hierarchy_node_ids=[n.id for n in upserted_nodes],
-                    connector_id=connector_id,
-                    credential_id=credential_id,
-                    commit=True,
-                )
-
                 cache_entries = [
                     HierarchyNodeCacheEntry.from_db_model(node)
                     for node in upserted_nodes
@@ -622,6 +607,7 @@ def connector_pruning_generator_task(
                     f"hierarchy nodes for cc_pair={cc_pair_id}"
                 )
 
+            ensure_source_node_exists(redis_client, db_session, source)
             # Resolve parent_hierarchy_raw_node_id → parent_hierarchy_node_id
             # and bulk-update documents, mirroring the docfetching resolution
             _resolve_and_update_document_parents(
@@ -678,43 +664,6 @@ def connector_pruning_generator_task(
             )
 
             redis_connector.prune.generator_complete = tasks_generated
-
-            # --- Hierarchy node pruning ---
-            live_node_ids = {n.id for n in upserted_nodes}
-            stale_removed = remove_stale_hierarchy_node_cc_pair_entries(
-                db_session=db_session,
-                connector_id=connector_id,
-                credential_id=credential_id,
-                live_hierarchy_node_ids=live_node_ids,
-                commit=True,
-            )
-            deleted_raw_ids = delete_orphaned_hierarchy_nodes(
-                db_session=db_session,
-                source=source,
-                commit=True,
-            )
-            reparented_nodes = reparent_orphaned_hierarchy_nodes(
-                db_session=db_session,
-                source=source,
-                commit=True,
-            )
-            if deleted_raw_ids:
-                evict_hierarchy_nodes_from_cache(redis_client, source, deleted_raw_ids)
-            if reparented_nodes:
-                reparented_cache_entries = [
-                    HierarchyNodeCacheEntry.from_db_model(node)
-                    for node in reparented_nodes
-                ]
-                cache_hierarchy_nodes_batch(
-                    redis_client, source, reparented_cache_entries
-                )
-            if stale_removed or deleted_raw_ids or reparented_nodes:
-                task_logger.info(
-                    f"Hierarchy node pruning: cc_pair={cc_pair_id} "
-                    f"stale_entries_removed={stale_removed} "
-                    f"nodes_deleted={len(deleted_raw_ids)} "
-                    f"nodes_reparented={len(reparented_nodes)}"
-                )
     except Exception as e:
         task_logger.exception(
             f"Pruning exceptioned: cc_pair={cc_pair_id} "

backend/onyx/background/celery/tasks/user_file_processing/tasks.py

@@ -12,9 +12,9 @@ from redis import Redis
 from redis.lock import Lock as RedisLock
 from retry import retry
 from sqlalchemy import select
+from sqlalchemy.orm import selectinload
 from sqlalchemy.orm import Session
 
-from onyx.access.access import build_access_for_user_files
 from onyx.background.celery.apps.app_base import task_logger
 from onyx.background.celery.celery_redis import celery_get_queue_length
 from onyx.background.celery.celery_utils import httpx_init_vespa_pool
@@ -43,9 +43,7 @@ from onyx.db.enums import UserFileStatus
 from onyx.db.models import UserFile
 from onyx.db.search_settings import get_active_search_settings
 from onyx.db.search_settings import get_active_search_settings_list
-from onyx.db.user_file import fetch_user_files_with_access_relationships
 from onyx.document_index.factory import get_all_document_indices
-from onyx.document_index.interfaces import VespaDocumentFields
 from onyx.document_index.interfaces import VespaDocumentUserFields
 from onyx.document_index.vespa_constants import DOCUMENT_ID_ENDPOINT
 from onyx.file_store.file_store import get_default_file_store
@@ -56,7 +54,6 @@ from onyx.indexing.adapters.user_file_indexing_adapter import UserFileIndexingAd
 from onyx.indexing.embedder import DefaultIndexingEmbedder
 from onyx.indexing.indexing_pipeline import run_indexing_pipeline
 from onyx.redis.redis_pool import get_redis_client
-from onyx.utils.variable_functionality import global_version
 
 
 def _as_uuid(value: str | UUID) -> UUID:
@@ -794,12 +791,11 @@ def project_sync_user_file_impl(
 
     try:
         with get_session_with_current_tenant() as db_session:
-            user_files = fetch_user_files_with_access_relationships(
-                [user_file_id],
-                db_session,
-                eager_load_groups=global_version.is_ee_version(),
-            )
-            user_file = user_files[0] if user_files else None
+            user_file = db_session.execute(
+                select(UserFile)
+                .where(UserFile.id == _as_uuid(user_file_id))
+                .options(selectinload(UserFile.assistants))
+            ).scalar_one_or_none()
             if not user_file:
                 task_logger.info(
                     f"project_sync_user_file_impl - User file not found id={user_file_id}"
@@ -827,21 +823,12 @@ def project_sync_user_file_impl(
 
                 project_ids = [project.id for project in user_file.projects]
                 persona_ids = [p.id for p in user_file.assistants if not p.deleted]
-
-                file_id_str = str(user_file.id)
-                access_map = build_access_for_user_files([user_file])
-                access = access_map.get(file_id_str)
-
                 for retry_document_index in retry_document_indices:
                     retry_document_index.update_single(
-                        doc_id=file_id_str,
+                        doc_id=str(user_file.id),
                         tenant_id=tenant_id,
                         chunk_count=user_file.chunk_count,
-                        fields=(
-                            VespaDocumentFields(access=access)
-                            if access is not None
-                            else None
-                        ),
+                        fields=None,
                         user_fields=VespaDocumentUserFields(
                             user_projects=project_ids,
                             personas=persona_ids,

backend/onyx/background/indexing/run_docfetching.py

@@ -45,7 +45,6 @@ from onyx.db.enums import ConnectorCredentialPairStatus
 from onyx.db.enums import IndexingStatus
 from onyx.db.enums import IndexModelStatus
 from onyx.db.enums import ProcessingMode
-from onyx.db.hierarchy import upsert_hierarchy_node_cc_pair_entries
 from onyx.db.hierarchy import upsert_hierarchy_nodes_batch
 from onyx.db.index_attempt import create_index_attempt_error
 from onyx.db.index_attempt import get_index_attempt
@@ -588,14 +587,6 @@ def connector_document_extraction(
                             is_connector_public=is_connector_public,
                         )
 
-                        upsert_hierarchy_node_cc_pair_entries(
-                            db_session=db_session,
-                            hierarchy_node_ids=[n.id for n in upserted_nodes],
-                            connector_id=db_connector.id,
-                            credential_id=db_credential.id,
-                            commit=True,
-                        )
-
                         # Cache in Redis for fast ancestor resolution during doc processing
                         redis_client = get_redis_client(tenant_id=tenant_id)
                         cache_entries = [

backend/onyx/chat/llm_loop.py

@@ -50,7 +50,6 @@ from onyx.tools.built_in_tools import CITEABLE_TOOLS_NAMES
 from onyx.tools.built_in_tools import STOPPING_TOOLS_NAMES
 from onyx.tools.interface import Tool
 from onyx.tools.models import ChatFile
-from onyx.tools.models import CustomToolCallSummary
 from onyx.tools.models import MemoryToolResponseSnapshot
 from onyx.tools.models import PythonToolRichResponse
 from onyx.tools.models import ToolCallInfo
@@ -981,10 +980,6 @@ def run_llm_loop(
 
                 if memory_snapshot:
                     saved_response = json.dumps(memory_snapshot.model_dump())
-                elif isinstance(tool_response.rich_response, CustomToolCallSummary):
-                    saved_response = json.dumps(
-                        tool_response.rich_response.model_dump()
-                    )
                 elif isinstance(tool_response.rich_response, str):
                     saved_response = tool_response.rich_response
                 else:

backend/onyx/configs/app_configs.py

@@ -96,12 +96,19 @@ WEB_DOMAIN = os.environ.get("WEB_DOMAIN") or "http://localhost:3000"
 #####
 # Auth Configs
 #####
-# Silently default to basic - warnings/errors logged in verify_auth_setting()
-# which only runs on app startup, not during migrations/scripts
-_auth_type_str = (os.environ.get("AUTH_TYPE") or "").lower()
-if _auth_type_str in [auth_type.value for auth_type in AuthType]:
+# Upgrades users from disabled auth to basic auth and shows warning.
+_auth_type_str = (os.environ.get("AUTH_TYPE") or "basic").lower()
+if _auth_type_str == "disabled":
+    logger.warning(
+        "AUTH_TYPE='disabled' is no longer supported. "
+        "Defaulting to 'basic'. Please update your configuration. "
+        "Your existing data will be migrated automatically."
+    )
+    _auth_type_str = AuthType.BASIC.value
+try:
     AUTH_TYPE = AuthType(_auth_type_str)
-else:
+except ValueError:
+    logger.error(f"Invalid AUTH_TYPE: {_auth_type_str}. Defaulting to 'basic'.")
     AUTH_TYPE = AuthType.BASIC
 
 PASSWORD_MIN_LENGTH = int(os.getenv("PASSWORD_MIN_LENGTH", 8))
@@ -204,12 +211,6 @@ JWT_PUBLIC_KEY_URL: str | None = os.getenv("JWT_PUBLIC_KEY_URL", None)
 
 USER_AUTH_SECRET = os.environ.get("USER_AUTH_SECRET", "")
 
-if AUTH_TYPE == AuthType.BASIC and not USER_AUTH_SECRET:
-    logger.warning(
-        "USER_AUTH_SECRET is not set. This is required for secure password reset "
-        "and email verification tokens. Please set USER_AUTH_SECRET in production."
-    )
-
 # Duration (in seconds) for which the FastAPI Users JWT token remains valid in the user's browser.
 # By default, this is set to match the Redis expiry time for consistency.
 AUTH_COOKIE_EXPIRE_TIME_SECONDS = int(
@@ -291,9 +292,8 @@ OPENSEARCH_TEXT_ANALYZER = os.environ.get("OPENSEARCH_TEXT_ANALYZER") or "englis
 # environments we always want to be dual indexing into both OpenSearch and Vespa
 # to stress test the new codepaths. Only enable this if there is some instance
 # of OpenSearch running for the relevant Onyx instance.
-# NOTE: Now enabled on by default, unless the env indicates otherwise.
 ENABLE_OPENSEARCH_INDEXING_FOR_ONYX = (
-    os.environ.get("ENABLE_OPENSEARCH_INDEXING_FOR_ONYX", "true").lower() == "true"
+    os.environ.get("ENABLE_OPENSEARCH_INDEXING_FOR_ONYX", "").lower() == "true"
 )
 # NOTE: This effectively does nothing anymore, admins can now toggle whether
 # retrieval is through OpenSearch. This value is only used as a final fallback

backend/onyx/connectors/discord/connector.py

@@ -1,5 +1,4 @@
 import asyncio
-from collections.abc import AsyncGenerator
 from collections.abc import AsyncIterable
 from collections.abc import Iterable
 from datetime import datetime
@@ -205,7 +204,7 @@ def _manage_async_retrieval(
 
     end_time: datetime | None = end
 
-    async def _async_fetch() -> AsyncGenerator[Document, None]:
+    async def _async_fetch() -> AsyncIterable[Document]:
         intents = Intents.default()
         intents.message_content = True
         async with Client(intents=intents) as discord_client:
@@ -228,23 +227,22 @@ def _manage_async_retrieval(
 
     def run_and_yield() -> Iterable[Document]:
         loop = asyncio.new_event_loop()
-        async_gen = _async_fetch()
         try:
+            # Get the async generator
+            async_gen = _async_fetch()
+            # Convert to AsyncIterator
+            async_iter = async_gen.__aiter__()
             while True:
                 try:
-                    doc = loop.run_until_complete(anext(async_gen))
+                    # Create a coroutine by calling anext with the async iterator
+                    next_coro = anext(async_iter)
+                    # Run the coroutine to get the next document
+                    doc = loop.run_until_complete(next_coro)
                     yield doc
                 except StopAsyncIteration:
                     break
         finally:
-            # Must close the async generator before the loop so the Discord
-            # client's `async with` block can await its shutdown coroutine.
-            # The nested try/finally ensures the loop always closes even if
-            # aclose() raises (same pattern as cursor.close() before conn.close()).
-            try:
-                loop.run_until_complete(async_gen.aclose())
-            finally:
-                loop.close()
+            loop.close()
 
     return run_and_yield()
 

backend/onyx/connectors/google_utils/google_kv.py

@@ -44,7 +44,6 @@ from onyx.connectors.google_utils.shared_constants import (
 from onyx.db.credentials import update_credential_json
 from onyx.db.models import User
 from onyx.key_value_store.factory import get_kv_store
-from onyx.key_value_store.interface import unwrap_str
 from onyx.server.documents.models import CredentialBase
 from onyx.server.documents.models import GoogleAppCredentials
 from onyx.server.documents.models import GoogleServiceAccountKey
@@ -90,7 +89,7 @@ def _get_current_oauth_user(creds: OAuthCredentials, source: DocumentSource) ->
 
 
 def verify_csrf(credential_id: int, state: str) -> None:
-    csrf = unwrap_str(get_kv_store().load(KV_CRED_KEY.format(str(credential_id))))
+    csrf = get_kv_store().load(KV_CRED_KEY.format(str(credential_id)))
     if csrf != state:
         raise PermissionError(
             "State from Google Drive Connector callback does not match expected"
@@ -179,9 +178,7 @@ def get_auth_url(credential_id: int, source: DocumentSource) -> str:
     params = parse_qs(parsed_url.query)
 
     get_kv_store().store(
-        KV_CRED_KEY.format(credential_id),
-        {"value": params.get("state", [None])[0]},
-        encrypt=True,
+        KV_CRED_KEY.format(credential_id), params.get("state", [None])[0], encrypt=True
     )
     return str(auth_url)
 

backend/onyx/db/hierarchy.py

@@ -2,10 +2,7 @@
 
 from collections import defaultdict
 
-from sqlalchemy import delete
 from sqlalchemy import select
-from sqlalchemy.dialects.postgresql import insert as pg_insert
-from sqlalchemy.engine import CursorResult
 from sqlalchemy.orm import Session
 
 from onyx.configs.constants import DocumentSource
@@ -13,7 +10,6 @@ from onyx.connectors.models import HierarchyNode as PydanticHierarchyNode
 from onyx.db.enums import HierarchyNodeType
 from onyx.db.models import Document
 from onyx.db.models import HierarchyNode
-from onyx.db.models import HierarchyNodeByConnectorCredentialPair
 from onyx.utils.logger import setup_logger
 from onyx.utils.variable_functionality import fetch_versioned_implementation
 
@@ -462,7 +458,7 @@ def get_all_hierarchy_nodes_for_source(
 def _get_accessible_hierarchy_nodes_for_source(
     db_session: Session,
     source: DocumentSource,
-    user_email: str,  # noqa: ARG001
+    user_email: str | None,  # noqa: ARG001
     external_group_ids: list[str],  # noqa: ARG001
 ) -> list[HierarchyNode]:
     """
@@ -489,7 +485,7 @@ def _get_accessible_hierarchy_nodes_for_source(
 def get_accessible_hierarchy_nodes_for_source(
     db_session: Session,
     source: DocumentSource,
-    user_email: str,
+    user_email: str | None,
     external_group_ids: list[str],
 ) -> list[HierarchyNode]:
     """
@@ -624,154 +620,3 @@ def update_hierarchy_node_permissions(
         db_session.flush()
 
     return True
-
-
-def upsert_hierarchy_node_cc_pair_entries(
-    db_session: Session,
-    hierarchy_node_ids: list[int],
-    connector_id: int,
-    credential_id: int,
-    commit: bool = True,
-) -> None:
-    """Insert rows into HierarchyNodeByConnectorCredentialPair, ignoring conflicts.
-
-    This records that the given cc_pair "owns" these hierarchy nodes. Used by
-    indexing, pruning, and hierarchy-fetching paths.
-    """
-    if not hierarchy_node_ids:
-        return
-
-    _M = HierarchyNodeByConnectorCredentialPair
-    stmt = pg_insert(_M).values(
-        [
-            {
-                _M.hierarchy_node_id: node_id,
-                _M.connector_id: connector_id,
-                _M.credential_id: credential_id,
-            }
-            for node_id in hierarchy_node_ids
-        ]
-    )
-    stmt = stmt.on_conflict_do_nothing()
-    db_session.execute(stmt)
-
-    if commit:
-        db_session.commit()
-    else:
-        db_session.flush()
-
-
-def remove_stale_hierarchy_node_cc_pair_entries(
-    db_session: Session,
-    connector_id: int,
-    credential_id: int,
-    live_hierarchy_node_ids: set[int],
-    commit: bool = True,
-) -> int:
-    """Delete join-table rows for this cc_pair that are NOT in the live set.
-
-    If ``live_hierarchy_node_ids`` is empty ALL rows for the cc_pair are deleted
-    (i.e. the connector no longer has any hierarchy nodes). Callers that want a
-    no-op when there are no live nodes must guard before calling.
-
-    Returns the number of deleted rows.
-    """
-    stmt = delete(HierarchyNodeByConnectorCredentialPair).where(
-        HierarchyNodeByConnectorCredentialPair.connector_id == connector_id,
-        HierarchyNodeByConnectorCredentialPair.credential_id == credential_id,
-    )
-    if live_hierarchy_node_ids:
-        stmt = stmt.where(
-            HierarchyNodeByConnectorCredentialPair.hierarchy_node_id.notin_(
-                live_hierarchy_node_ids
-            )
-        )
-
-    result: CursorResult = db_session.execute(stmt)  # type: ignore[assignment]
-    deleted = result.rowcount
-
-    if commit:
-        db_session.commit()
-    elif deleted:
-        db_session.flush()
-
-    return deleted
-
-
-def delete_orphaned_hierarchy_nodes(
-    db_session: Session,
-    source: DocumentSource,
-    commit: bool = True,
-) -> list[str]:
-    """Delete hierarchy nodes for a source that have zero cc_pair associations.
-
-    SOURCE-type nodes are excluded (they are synthetic roots).
-
-    Returns the list of raw_node_ids that were deleted (for cache eviction).
-    """
-    # Find orphaned nodes: no rows in the join table
-    orphan_stmt = (
-        select(HierarchyNode.id, HierarchyNode.raw_node_id)
-        .outerjoin(
-            HierarchyNodeByConnectorCredentialPair,
-            HierarchyNode.id
-            == HierarchyNodeByConnectorCredentialPair.hierarchy_node_id,
-        )
-        .where(
-            HierarchyNode.source == source,
-            HierarchyNode.node_type != HierarchyNodeType.SOURCE,
-            HierarchyNodeByConnectorCredentialPair.hierarchy_node_id.is_(None),
-        )
-    )
-    orphans = db_session.execute(orphan_stmt).all()
-    if not orphans:
-        return []
-
-    orphan_ids = [row[0] for row in orphans]
-    deleted_raw_ids = [row[1] for row in orphans]
-
-    db_session.execute(delete(HierarchyNode).where(HierarchyNode.id.in_(orphan_ids)))
-
-    if commit:
-        db_session.commit()
-    else:
-        db_session.flush()
-
-    return deleted_raw_ids
-
-
-def reparent_orphaned_hierarchy_nodes(
-    db_session: Session,
-    source: DocumentSource,
-    commit: bool = True,
-) -> list[HierarchyNode]:
-    """Re-parent hierarchy nodes whose parent_id is NULL to the SOURCE node.
-
-    After pruning deletes stale nodes, their former children get parent_id=NULL
-    via the SET NULL cascade. This function points them back to the SOURCE root.
-
-    Returns the reparented HierarchyNode objects (with updated parent_id)
-    so callers can refresh downstream caches.
-    """
-    source_node = get_source_hierarchy_node(db_session, source)
-    if not source_node:
-        return []
-
-    stmt = select(HierarchyNode).where(
-        HierarchyNode.source == source,
-        HierarchyNode.parent_id.is_(None),
-        HierarchyNode.node_type != HierarchyNodeType.SOURCE,
-    )
-    orphans = list(db_session.execute(stmt).scalars().all())
-    if not orphans:
-        return []
-
-    for node in orphans:
-        node.parent_id = source_node.id
-
-    if commit:
-        db_session.commit()
-    else:
-        db_session.flush()
-
-    return orphans

backend/onyx/db/llm.py

@@ -270,35 +270,10 @@ def upsert_llm_provider(
         mc.name for mc in llm_provider_upsert_request.model_configurations
     }
 
-    # Build a lookup of requested visibility by model name
-    requested_visibility = {
-        mc.name: mc.is_visible
-        for mc in llm_provider_upsert_request.model_configurations
-    }
-
     # Delete removed models
     removed_ids = [
         mc.id for name, mc in existing_by_name.items() if name not in models_to_exist
     ]
-
-    default_model = fetch_default_llm_model(db_session)
-
-    # Prevent removing and hiding the default model
-    if default_model:
-        for name, mc in existing_by_name.items():
-            if mc.id == default_model.id:
-                if default_model.id in removed_ids:
-                    raise ValueError(
-                        f"Cannot remove the default model '{name}'. "
-                        "Please change the default model before removing."
-                    )
-                if not requested_visibility.get(name, True):
-                    raise ValueError(
-                        f"Cannot hide the default model '{name}'. "
-                        "Please change the default model before hiding."
-                    )
-                break
-
     if removed_ids:
         db_session.query(ModelConfiguration).filter(
             ModelConfiguration.id.in_(removed_ids)
@@ -563,6 +538,7 @@ def fetch_default_model(
         .options(selectinload(ModelConfiguration.llm_provider))
         .join(LLMModelFlow)
         .where(
+            ModelConfiguration.is_visible == True,  # noqa: E712
             LLMModelFlow.llm_model_flow_type == flow_type,
             LLMModelFlow.is_default == True,  # noqa: E712
         )
@@ -838,30 +814,44 @@ def sync_auto_mode_models(
             )
             changes += 1
 
-    # Update the default if this provider currently holds the global CHAT default.
-    # We flush (but don't commit) so that _update_default_model can see the new
-    # model rows, then commit everything atomically to avoid a window where the
-    # old default is invisible but still pointed-to.
-    db_session.flush()
+    db_session.commit()
 
+    # Update the default if this provider currently holds the global CHAT default
     recommended_default = llm_recommendations.get_default_model(provider.provider)
     if recommended_default:
-        current_default = fetch_default_llm_model(db_session)
+        current_default_name = db_session.scalar(
+            select(ModelConfiguration.name)
+            .join(
+                LLMModelFlow,
+                LLMModelFlow.model_configuration_id == ModelConfiguration.id,
+            )
+            .where(
+                ModelConfiguration.llm_provider_id == provider.id,
+                LLMModelFlow.llm_model_flow_type == LLMModelFlowType.CHAT,
+                LLMModelFlow.is_default == True,  # noqa: E712
+            )
+        )
 
         if (
-            current_default
-            and current_default.llm_provider_id == provider.id
-            and current_default.name != recommended_default.name
+            current_default_name is not None
+            and current_default_name != recommended_default.name
         ):
-            _update_default_model__no_commit(
-                db_session=db_session,
-                provider_id=provider.id,
-                model=recommended_default.name,
-                flow_type=LLMModelFlowType.CHAT,
-            )
-            changes += 1
+            try:
+                _update_default_model(
+                    db_session=db_session,
+                    provider_id=provider.id,
+                    model=recommended_default.name,
+                    flow_type=LLMModelFlowType.CHAT,
+                )
+                changes += 1
+            except ValueError:
+                logger.warning(
+                    "Recommended default model '%s' not found "
+                    "for provider_id=%s; skipping default update.",
+                    recommended_default.name,
+                    provider.id,
+                )
 
-    db_session.commit()
     return changes
 
 
@@ -992,7 +982,7 @@ def update_model_configuration__no_commit(
     db_session.flush()
 
 
-def _update_default_model__no_commit(
+def _update_default_model(
     db_session: Session,
     provider_id: int,
     model: str,
@@ -1030,14 +1020,6 @@ def _update_default_model__no_commit(
     new_default.is_default = True
     model_config.is_visible = True
 
-
-def _update_default_model(
-    db_session: Session,
-    provider_id: int,
-    model: str,
-    flow_type: LLMModelFlowType,
-) -> None:
-    _update_default_model__no_commit(db_session, provider_id, model, flow_type)
     db_session.commit()
 
 

backend/onyx/db/models.py

@@ -25,7 +25,6 @@ from sqlalchemy import desc
 from sqlalchemy import Enum
 from sqlalchemy import Float
 from sqlalchemy import ForeignKey
-from sqlalchemy import ForeignKeyConstraint
 from sqlalchemy import func
 from sqlalchemy import Index
 from sqlalchemy import Integer
@@ -2426,38 +2425,6 @@ class SyncRecord(Base):
     )
 
 
-class HierarchyNodeByConnectorCredentialPair(Base):
-    """Tracks which cc_pairs reference each hierarchy node.
-
-    During pruning, stale entries are removed for the current cc_pair.
-    Hierarchy nodes with zero remaining entries are then deleted.
-    """
-
-    __tablename__ = "hierarchy_node_by_connector_credential_pair"
-
-    hierarchy_node_id: Mapped[int] = mapped_column(
-        ForeignKey("hierarchy_node.id", ondelete="CASCADE"), primary_key=True
-    )
-    connector_id: Mapped[int] = mapped_column(primary_key=True)
-    credential_id: Mapped[int] = mapped_column(primary_key=True)
-
-    __table_args__ = (
-        ForeignKeyConstraint(
-            ["connector_id", "credential_id"],
-            [
-                "connector_credential_pair.connector_id",
-                "connector_credential_pair.credential_id",
-            ],
-            ondelete="CASCADE",
-        ),
-        Index(
-            "ix_hierarchy_node_cc_pair_connector_credential",
-            "connector_id",
-            "credential_id",
-        ),
-    )
-
-
 class DocumentByConnectorCredentialPair(Base):
     """Represents an indexing of a document by a specific connector / credential pair"""
 

backend/onyx/db/persona.py

@@ -205,9 +205,7 @@ def update_persona_access(
 
     NOTE: Callers are responsible for committing."""
 
-    needs_sync = False
     if is_public is not None:
-        needs_sync = True
         persona = db_session.query(Persona).filter(Persona.id == persona_id).first()
         if persona:
             persona.is_public = is_public
@@ -215,7 +213,6 @@ def update_persona_access(
     # NOTE: For user-ids and group-ids, `None` means "leave unchanged", `[]` means "clear all shares",
     # and a non-empty list means "replace with these shares".
     if user_ids is not None:
-        needs_sync = True
         db_session.query(Persona__User).filter(
             Persona__User.persona_id == persona_id
         ).delete(synchronize_session="fetch")
@@ -236,7 +233,6 @@ def update_persona_access(
     # MIT doesn't support group-based sharing, so we allow clearing (no-op since
     # there shouldn't be any) but raise an error if trying to add actual groups.
     if group_ids is not None:
-        needs_sync = True
         db_session.query(Persona__UserGroup).filter(
             Persona__UserGroup.persona_id == persona_id
         ).delete(synchronize_session="fetch")
@@ -244,10 +240,6 @@ def update_persona_access(
         if group_ids:
             raise NotImplementedError("Onyx MIT does not support group-based sharing")
 
-    # When sharing changes, user file ACLs need to be updated in the vector DB
-    if needs_sync:
-        mark_persona_user_files_for_sync(persona_id, db_session)
-
 
 def create_update_persona(
     persona_id: int | None,
@@ -859,24 +851,6 @@ def update_personas_display_priority(
         db_session.commit()
 
 
-def mark_persona_user_files_for_sync(
-    persona_id: int,
-    db_session: Session,
-) -> None:
-    """When persona sharing changes, mark all of its user files for sync
-    so that their ACLs get updated in the vector DB."""
-    persona = (
-        db_session.query(Persona)
-        .options(selectinload(Persona.user_files))
-        .filter(Persona.id == persona_id)
-        .first()
-    )
-    if not persona:
-        return
-    file_ids = [uf.id for uf in persona.user_files]
-    _mark_files_need_persona_sync(db_session, file_ids)
-
-
 def _mark_files_need_persona_sync(
     db_session: Session,
     user_file_ids: list[UUID],

backend/onyx/db/user_file.py

@@ -3,11 +3,9 @@ from uuid import UUID
 
 from sqlalchemy import func
 from sqlalchemy import select
-from sqlalchemy.orm import joinedload
 from sqlalchemy.orm import selectinload
 from sqlalchemy.orm import Session
 
-from onyx.db.models import Persona
 from onyx.db.models import Project__UserFile
 from onyx.db.models import UserFile
 
@@ -120,31 +118,3 @@ def get_file_ids_by_user_file_ids(
 ) -> list[str]:
     user_files = db_session.query(UserFile).filter(UserFile.id.in_(user_file_ids)).all()
     return [user_file.file_id for user_file in user_files]
-
-
-def fetch_user_files_with_access_relationships(
-    user_file_ids: list[str],
-    db_session: Session,
-    eager_load_groups: bool = False,
-) -> list[UserFile]:
-    """Fetch user files with the owner and assistant relationships
-    eagerly loaded (needed for computing access control).
-
-    When eager_load_groups is True, Persona.groups is also loaded so that
-    callers can extract user-group names without a second DB round-trip."""
-    persona_sub_options = [
-        selectinload(Persona.users),
-        selectinload(Persona.user),
-    ]
-    if eager_load_groups:
-        persona_sub_options.append(selectinload(Persona.groups))
-
-    return (
-        db_session.query(UserFile)
-        .options(
-            joinedload(UserFile.user),
-            selectinload(UserFile.assistants).options(*persona_sub_options),
-        )
-        .filter(UserFile.id.in_(user_file_ids))
-        .all()
-    )

backend/onyx/error_handling/error_codes.py

@@ -91,11 +91,11 @@ class OnyxErrorCode(Enum):
         """Build a structured error detail dict.
 
         Returns a dict like:
-            {"error_code": "UNAUTHENTICATED", "detail": "Token expired"}
+            {"error_code": "UNAUTHENTICATED", "message": "Token expired"}
 
-        If no message is supplied, the error code itself is used as the detail.
+        If no message is supplied, the error code itself is used as the message.
         """
         return {
             "error_code": self.code,
-            "detail": message or self.code,
+            "message": message or self.code,
         }

backend/onyx/error_handling/exceptions.py

@@ -3,7 +3,7 @@
 Raise ``OnyxError`` instead of ``HTTPException`` in business code.  A global
 FastAPI exception handler (registered via ``register_onyx_exception_handlers``)
 converts it into a JSON response with the standard
-``{"error_code": "...", "detail": "..."}`` shape.
+``{"error_code": "...", "message": "..."}`` shape.
 
 Usage::
 
@@ -37,21 +37,21 @@ class OnyxError(Exception):
 
     Attributes:
         error_code: The ``OnyxErrorCode`` enum member.
-        detail: Human-readable detail (defaults to the error code string).
+        message: Human-readable message (defaults to the error code string).
         status_code: HTTP status — either overridden or from the error code.
     """
 
     def __init__(
         self,
         error_code: OnyxErrorCode,
-        detail: str | None = None,
+        message: str | None = None,
         *,
         status_code_override: int | None = None,
     ) -> None:
-        resolved_detail = detail or error_code.code
-        super().__init__(resolved_detail)
+        resolved_message = message or error_code.code
+        super().__init__(resolved_message)
         self.error_code = error_code
-        self.detail = resolved_detail
+        self.message = resolved_message
         self._status_code_override = status_code_override
 
     @property
@@ -73,11 +73,11 @@ def register_onyx_exception_handlers(app: FastAPI) -> None:
     ) -> JSONResponse:
         status_code = exc.status_code
         if status_code >= 500:
-            logger.error(f"OnyxError {exc.error_code.code}: {exc.detail}")
+            logger.error(f"OnyxError {exc.error_code.code}: {exc.message}")
         elif status_code >= 400:
-            logger.warning(f"OnyxError {exc.error_code.code}: {exc.detail}")
+            logger.warning(f"OnyxError {exc.error_code.code}: {exc.message}")
 
         return JSONResponse(
             status_code=status_code,
-            content=exc.error_code.detail(exc.detail),
+            content=exc.error_code.detail(exc.message),
         )

backend/onyx/file_processing/extract_file_text.py

@@ -1,4 +1,3 @@
-import csv
 import gc
 import io
 import json
@@ -20,7 +19,6 @@ from zipfile import BadZipFile
 
 import chardet
 import openpyxl
-from openpyxl.worksheet.worksheet import Worksheet
 from PIL import Image
 
 from onyx.configs.constants import ONYX_METADATA_FILENAME
@@ -354,65 +352,6 @@ def pptx_to_text(file: IO[Any], file_name: str = "") -> str:
     return presentation.markdown
 
 
-def _worksheet_to_matrix(
-    worksheet: Worksheet,
-) -> list[list[str]]:
-    """
-    Converts a singular worksheet to a matrix of values
-    """
-    rows: list[list[str]] = []
-    for worksheet_row in worksheet.iter_rows(min_row=1, values_only=True):
-        row = ["" if cell is None else str(cell) for cell in worksheet_row]
-        rows.append(row)
-
-    return rows
-
-
-def _clean_worksheet_matrix(matrix: list[list[str]]) -> list[list[str]]:
-    """
-    Cleans a worksheet matrix by removing rows if there are N consecutive empty
-    rows and removing cols if there are M consecutive empty columns
-    """
-    MAX_EMPTY_ROWS = 2  # Runs longer than this are capped to max_empty; shorter runs are preserved as-is
-    MAX_EMPTY_COLS = 2
-
-    # Row cleanup
-    matrix = _remove_empty_runs(matrix, max_empty=MAX_EMPTY_ROWS)
-
-    # Column cleanup (transpose, clean, transpose back)
-    transposed = list(map(list, zip(*matrix))) if matrix else []
-    transposed = _remove_empty_runs(transposed, max_empty=MAX_EMPTY_COLS)
-    matrix = list(map(list, zip(*transposed))) if transposed else []
-
-    return matrix
-
-
-def _remove_empty_runs(
-    rows: list[list[str]],
-    max_empty: int,
-) -> list[list[str]]:
-    """Removes entire runs of empty rows when the run length exceeds max_empty.
-
-    Leading and trailing empty rows are always dropped regardless of run length,
-    since there is no adjacent non-empty row to bound the run.
-    """
-    result: list[list[str]] = []
-    empty_buffer: list[list[str]] = []
-
-    for row in rows:
-        # Check if empty
-        if not any(row):
-            empty_buffer.append(row)
-        else:
-            # Add upto max empty rows onto the result - that's what we allow
-            result.extend(empty_buffer[:max_empty])
-            # Add the new non-empty row
-            result.append(row)
-            empty_buffer = []
-
-    return result
-
-
 def xlsx_to_text(file: IO[Any], file_name: str = "") -> str:
     # TODO: switch back to this approach in a few months when markitdown
     # fixes their handling of excel files
@@ -451,15 +390,30 @@ def xlsx_to_text(file: IO[Any], file_name: str = "") -> str:
                 f"Failed to extract text from {file_name or 'xlsx file'}. This happens due to a bug in openpyxl. {e}"
             )
             return ""
-        raise
+        raise e
 
     text_content = []
     for sheet in workbook.worksheets:
-        sheet_matrix = _clean_worksheet_matrix(_worksheet_to_matrix(sheet))
-        buf = io.StringIO()
-        writer = csv.writer(buf, lineterminator="\n")
-        writer.writerows(sheet_matrix)
-        text_content.append(buf.getvalue().rstrip("\n"))
+        rows = []
+        num_empty_consecutive_rows = 0
+        for row in sheet.iter_rows(min_row=1, values_only=True):
+            row_str = ",".join(str(cell or "") for cell in row)
+
+            # Only add the row if there are any values in the cells
+            if len(row_str) >= len(row):
+                rows.append(row_str)
+                num_empty_consecutive_rows = 0
+            else:
+                num_empty_consecutive_rows += 1
+
+            if num_empty_consecutive_rows > 100:
+                # handle massive excel sheets with mostly empty cells
+                logger.warning(
+                    f"Found {num_empty_consecutive_rows} empty rows in {file_name}, skipping rest of file"
+                )
+                break
+        sheet_str = "\n".join(rows)
+        text_content.append(sheet_str)
     return TEXT_SECTION_SEPARATOR.join(text_content)
 
 

backend/onyx/file_processing/file_types.py

@@ -19,16 +19,12 @@ class OnyxMimeTypes:
         PLAIN_TEXT_MIME_TYPE,
         "text/markdown",
         "text/x-markdown",
-        "text/x-log",
         "text/x-config",
         "text/tab-separated-values",
         "application/json",
         "application/xml",
         "text/xml",
         "application/x-yaml",
-        "application/yaml",
-        "text/yaml",
-        "text/x-yaml",
     }
     DOCUMENT_MIME_TYPES = {
         PDF_MIME_TYPE,

backend/onyx/key_value_store/interface.py

@@ -1,5 +1,4 @@
 import abc
-from typing import cast
 
 from onyx.utils.special_types import JSON_ro
 
@@ -8,19 +7,6 @@ class KvKeyNotFoundError(Exception):
     pass
 
 
-def unwrap_str(val: JSON_ro) -> str:
-    """Unwrap a string stored as {"value": str} in the encrypted KV store.
-    Also handles legacy plain-string values cached in Redis."""
-    if isinstance(val, dict):
-        try:
-            return cast(str, val["value"])
-        except KeyError:
-            raise ValueError(
-                f"Expected dict with 'value' key, got keys: {list(val.keys())}"
-            )
-    return cast(str, val)
-
-
 class KeyValueStore:
     # In the Multi Tenant case, the tenant context is picked up automatically, it does not need to be passed in
     # It's read from the global thread level variable

backend/onyx/redis/redis_hierarchy.py

@@ -16,7 +16,6 @@ Cache Strategy:
   using only the SOURCE-type node as the ancestor
 """
 
-from typing import cast
 from typing import TYPE_CHECKING
 
 from pydantic import BaseModel
@@ -205,30 +204,6 @@ def cache_hierarchy_nodes_batch(
     redis_client.expire(raw_id_key, HIERARCHY_CACHE_TTL_SECONDS)
 
 
-def evict_hierarchy_nodes_from_cache(
-    redis_client: Redis,
-    source: DocumentSource,
-    raw_node_ids: list[str],
-) -> None:
-    """Remove specific hierarchy nodes from the Redis cache.
-
-    Deletes entries from both the parent-chain hash and the raw_id→node_id hash.
-    """
-    if not raw_node_ids:
-        return
-
-    cache_key = _cache_key(source)
-    raw_id_key = _raw_id_cache_key(source)
-
-    # Look up node_ids so we can remove them from the parent-chain hash
-    raw_values = cast(list[str | None], redis_client.hmget(raw_id_key, raw_node_ids))
-    node_id_strs = [v for v in raw_values if v is not None]
-
-    if node_id_strs:
-        redis_client.hdel(cache_key, *node_id_strs)
-    redis_client.hdel(raw_id_key, *raw_node_ids)
-
-
 def get_node_id_from_raw_id(
     redis_client: Redis,
     source: DocumentSource,

backend/onyx/server/documents/connector.py

@@ -1905,7 +1905,7 @@ def get_connector_by_id(
 @router.post("/connector-request")
 def submit_connector_request(
     request_data: ConnectorRequestSubmission,
-    user: User = Depends(current_user),
+    user: User | None = Depends(current_user),
 ) -> StatusResponse:
     """
     Submit a connector request for Cloud deployments.
@@ -1918,7 +1918,7 @@ def submit_connector_request(
         raise HTTPException(status_code=400, detail="Connector name cannot be empty")
 
     # Get user identifier for telemetry
-    user_email = user.email
+    user_email = user.email if user else None
     distinct_id = user_email or tenant_id
 
     # Track connector request via PostHog telemetry (Cloud only)

backend/onyx/server/features/build/api/messages_api.py

@@ -57,6 +57,9 @@ def list_messages(
     db_session: Session = Depends(get_session),
 ) -> MessageListResponse:
     """Get all messages for a build session."""
+    if user is None:
+        raise HTTPException(status_code=401, detail="Authentication required")
+
     session_manager = SessionManager(db_session)
 
     messages = session_manager.list_messages(session_id, user.id)

backend/onyx/server/features/hierarchy/api.py

@@ -54,14 +54,18 @@ def _require_opensearch(db_session: Session) -> None:
         )
 
 
-def _get_user_access_info(user: User, db_session: Session) -> tuple[str, list[str]]:
+def _get_user_access_info(
+    user: User | None, db_session: Session
+) -> tuple[str | None, list[str]]:
+    if not user:
+        return None, []
     return user.email, get_user_external_group_ids(db_session, user)
 
 
 @router.get(HIERARCHY_NODES_LIST_PATH)
 def list_accessible_hierarchy_nodes(
     source: DocumentSource,
-    user: User = Depends(current_user),
+    user: User | None = Depends(current_user),
     db_session: Session = Depends(get_session),
 ) -> HierarchyNodesResponse:
     _require_opensearch(db_session)
@@ -88,7 +92,7 @@ def list_accessible_hierarchy_nodes(
 @router.post(HIERARCHY_NODE_DOCUMENTS_PATH)
 def list_accessible_hierarchy_node_documents(
     documents_request: HierarchyNodeDocumentsRequest,
-    user: User = Depends(current_user),
+    user: User | None = Depends(current_user),
     db_session: Session = Depends(get_session),
 ) -> HierarchyNodeDocumentsResponse:
     _require_opensearch(db_session)

backend/onyx/server/features/mcp/api.py

@@ -1013,7 +1013,7 @@ def get_mcp_servers_for_assistant(
 @router.get("/servers", response_model=MCPServersResponse)
 def get_mcp_servers_for_user(
     db: Session = Depends(get_session),
-    user: User = Depends(current_user),
+    user: User | None = Depends(current_user),
 ) -> MCPServersResponse:
     """List all MCP servers for use in agent configuration and chat UI.
 

backend/onyx/server/manage/llm/api.py

@@ -65,7 +65,6 @@ from onyx.server.manage.llm.models import LLMProviderUpsertRequest
 from onyx.server.manage.llm.models import LLMProviderView
 from onyx.server.manage.llm.models import LMStudioFinalModelResponse
 from onyx.server.manage.llm.models import LMStudioModelsRequest
-from onyx.server.manage.llm.models import ModelConfigurationUpsertRequest
 from onyx.server.manage.llm.models import OllamaFinalModelResponse
 from onyx.server.manage.llm.models import OllamaModelDetails
 from onyx.server.manage.llm.models import OllamaModelsRequest
@@ -446,17 +445,16 @@ def put_llm_provider(
         not existing_provider or not existing_provider.is_auto_mode
     )
 
-    # When transitioning to auto mode, preserve existing model configurations
-    # so the upsert doesn't try to delete them (which would trip the default
-    # model protection guard). sync_auto_mode_models will handle the model
-    # lifecycle afterward — adding new models, hiding removed ones, and
-    # updating the default. This is safe even if sync fails: the provider
-    # keeps its old models and default rather than losing them.
-    if transitioning_to_auto_mode and existing_provider:
-        llm_provider_upsert_request.model_configurations = [
-            ModelConfigurationUpsertRequest.from_model(mc)
-            for mc in existing_provider.model_configurations
-        ]
+    # Before the upsert, check if this provider currently owns the global
+    # CHAT default. The upsert may cascade-delete model_configurations
+    # (and their flow mappings), so we need to remember this beforehand.
+    was_default_provider = False
+    if existing_provider and transitioning_to_auto_mode:
+        current_default = fetch_default_llm_model(db_session)
+        was_default_provider = (
+            current_default is not None
+            and current_default.llm_provider_id == existing_provider.id
+        )
 
     try:
         result = upsert_llm_provider(
@@ -470,6 +468,7 @@ def put_llm_provider(
 
             config = fetch_llm_recommendations_from_github()
             if config and llm_provider_upsert_request.provider in config.providers:
+                # Refetch the provider to get the updated model
                 updated_provider = fetch_existing_llm_provider_by_id(
                     id=result.id, db_session=db_session
                 )
@@ -479,6 +478,20 @@ def put_llm_provider(
                         updated_provider,
                         config,
                     )
+
+                    # If this provider was the default before the transition,
+                    # restore the default using the recommended model.
+                    if was_default_provider:
+                        recommended = config.get_default_model(
+                            llm_provider_upsert_request.provider
+                        )
+                        if recommended:
+                            update_default_provider(
+                                provider_id=updated_provider.id,
+                                model_name=recommended.name,
+                                db_session=db_session,
+                            )
+
                     # Refresh result with synced models
                     result = LLMProviderView.from_model(updated_provider)
 

backend/onyx/server/query_and_chat/session_loading.py

@@ -1,11 +1,9 @@
 from __future__ import annotations
 
 import json
-from typing import Any
 from typing import cast
 from typing import Literal
 
-from pydantic import ValidationError
 from sqlalchemy.orm import Session
 
 from onyx.chat.citation_utils import extract_citation_order_from_text
@@ -22,9 +20,7 @@ from onyx.server.query_and_chat.placement import Placement
 from onyx.server.query_and_chat.streaming_models import AgentResponseDelta
 from onyx.server.query_and_chat.streaming_models import AgentResponseStart
 from onyx.server.query_and_chat.streaming_models import CitationInfo
-from onyx.server.query_and_chat.streaming_models import CustomToolArgs
 from onyx.server.query_and_chat.streaming_models import CustomToolDelta
-from onyx.server.query_and_chat.streaming_models import CustomToolErrorInfo
 from onyx.server.query_and_chat.streaming_models import CustomToolStart
 from onyx.server.query_and_chat.streaming_models import FileReaderResult
 from onyx.server.query_and_chat.streaming_models import FileReaderStart
@@ -184,37 +180,24 @@ def create_custom_tool_packets(
     tab_index: int = 0,
     data: dict | list | str | int | float | bool | None = None,
     file_ids: list[str] | None = None,
-    error: CustomToolErrorInfo | None = None,
-    tool_args: dict[str, Any] | None = None,
-    tool_id: int | None = None,
 ) -> list[Packet]:
     packets: list[Packet] = []
 
     packets.append(
         Packet(
             placement=Placement(turn_index=turn_index, tab_index=tab_index),
-            obj=CustomToolStart(tool_name=tool_name, tool_id=tool_id),
+            obj=CustomToolStart(tool_name=tool_name),
         )
     )
 
-    if tool_args:
-        packets.append(
-            Packet(
-                placement=Placement(turn_index=turn_index, tab_index=tab_index),
-                obj=CustomToolArgs(tool_name=tool_name, tool_args=tool_args),
-            )
-        )
-
     packets.append(
         Packet(
             placement=Placement(turn_index=turn_index, tab_index=tab_index),
             obj=CustomToolDelta(
                 tool_name=tool_name,
-                tool_id=tool_id,
                 response_type=response_type,
                 data=data,
                 file_ids=file_ids,
-                error=error,
             ),
         ),
     )
@@ -674,55 +657,13 @@ def translate_assistant_message_to_packets(
 
                     else:
                         # Custom tool or unknown tool
-                        # Try to parse as structured CustomToolCallSummary JSON
-                        custom_data: dict | list | str | int | float | bool | None = (
-                            tool_call.tool_call_response
-                        )
-                        custom_error: CustomToolErrorInfo | None = None
-                        custom_response_type = "text"
-
-                        try:
-                            parsed = json.loads(tool_call.tool_call_response)
-                            if isinstance(parsed, dict) and "tool_name" in parsed:
-                                custom_data = parsed.get("tool_result")
-                                custom_response_type = parsed.get(
-                                    "response_type", "text"
-                                )
-                                if parsed.get("error"):
-                                    custom_error = CustomToolErrorInfo(
-                                        **parsed["error"]
-                                    )
-                        except (
-                            json.JSONDecodeError,
-                            KeyError,
-                            TypeError,
-                            ValidationError,
-                        ):
-                            pass
-
-                        custom_file_ids: list[str] | None = None
-                        if custom_response_type in ("image", "csv") and isinstance(
-                            custom_data, dict
-                        ):
-                            custom_file_ids = custom_data.get("file_ids")
-                            custom_data = None
-
-                        custom_args = {
-                            k: v
-                            for k, v in (tool_call.tool_call_arguments or {}).items()
-                            if k != "requestBody"
-                        }
                         turn_tool_packets.extend(
                             create_custom_tool_packets(
                                 tool_name=tool.display_name or tool.name,
-                                response_type=custom_response_type,
+                                response_type="text",
                                 turn_index=turn_num,
                                 tab_index=tool_call.tab_index,
-                                data=custom_data,
-                                file_ids=custom_file_ids,
-                                error=custom_error,
-                                tool_args=custom_args if custom_args else None,
-                                tool_id=tool_call.tool_id,
+                                data=tool_call.tool_call_response,
                             )
                         )
 

backend/onyx/server/query_and_chat/streaming_models.py

@@ -33,7 +33,6 @@ class StreamingType(Enum):
     PYTHON_TOOL_START = "python_tool_start"
     PYTHON_TOOL_DELTA = "python_tool_delta"
     CUSTOM_TOOL_START = "custom_tool_start"
-    CUSTOM_TOOL_ARGS = "custom_tool_args"
     CUSTOM_TOOL_DELTA = "custom_tool_delta"
     FILE_READER_START = "file_reader_start"
     FILE_READER_RESULT = "file_reader_result"
@@ -247,20 +246,6 @@ class CustomToolStart(BaseObj):
     type: Literal["custom_tool_start"] = StreamingType.CUSTOM_TOOL_START.value
 
     tool_name: str
-    tool_id: int | None = None
-
-
-class CustomToolArgs(BaseObj):
-    type: Literal["custom_tool_args"] = StreamingType.CUSTOM_TOOL_ARGS.value
-
-    tool_name: str
-    tool_args: dict[str, Any]
-
-
-class CustomToolErrorInfo(BaseModel):
-    is_auth_error: bool = False
-    status_code: int
-    message: str
 
 
 # The allowed streamed packets for a custom tool
@@ -268,13 +253,11 @@ class CustomToolDelta(BaseObj):
     type: Literal["custom_tool_delta"] = StreamingType.CUSTOM_TOOL_DELTA.value
 
     tool_name: str
-    tool_id: int | None = None
     response_type: str
     # For non-file responses
     data: dict | list | str | int | float | bool | None = None
     # For file-based responses like image/csv
     file_ids: list[str] | None = None
-    error: CustomToolErrorInfo | None = None
 
 
 class ToolCallArgumentDelta(BaseObj):
@@ -393,7 +376,6 @@ PacketObj = Union[
     PythonToolStart,
     PythonToolDelta,
     CustomToolStart,
-    CustomToolArgs,
     CustomToolDelta,
     FileReaderStart,
     FileReaderResult,

backend/onyx/server/query_and_chat/streaming_utils.py

@@ -8,6 +8,8 @@ from onyx.server.query_and_chat.placement import Placement
 from onyx.server.query_and_chat.streaming_models import AgentResponseDelta
 from onyx.server.query_and_chat.streaming_models import AgentResponseStart
 from onyx.server.query_and_chat.streaming_models import CitationInfo
+from onyx.server.query_and_chat.streaming_models import CustomToolDelta
+from onyx.server.query_and_chat.streaming_models import CustomToolStart
 from onyx.server.query_and_chat.streaming_models import GeneratedImage
 from onyx.server.query_and_chat.streaming_models import ImageGenerationFinal
 from onyx.server.query_and_chat.streaming_models import ImageGenerationToolStart
@@ -163,6 +165,39 @@ def create_image_generation_packets(
     return packets
 
 
+def create_custom_tool_packets(
+    tool_name: str,
+    response_type: str,
+    turn_index: int,
+    data: dict | list | str | int | float | bool | None = None,
+    file_ids: list[str] | None = None,
+) -> list[Packet]:
+    packets: list[Packet] = []
+
+    packets.append(
+        Packet(
+            placement=Placement(turn_index=turn_index),
+            obj=CustomToolStart(tool_name=tool_name),
+        )
+    )
+
+    packets.append(
+        Packet(
+            placement=Placement(turn_index=turn_index),
+            obj=CustomToolDelta(
+                tool_name=tool_name,
+                response_type=response_type,
+                data=data,
+                file_ids=file_ids,
+            ),
+        ),
+    )
+
+    packets.append(Packet(placement=Placement(turn_index=turn_index), obj=SectionEnd()))
+
+    return packets
+
+
 def create_fetch_packets(
     fetch_docs: list[SavedSearchDoc],
     urls: list[str],

backend/onyx/setup.py

@@ -275,13 +275,9 @@ def setup_postgres(db_session: Session) -> None:
             ],
             api_key_changed=True,
         )
-        try:
-            new_llm_provider = upsert_llm_provider(
-                llm_provider_upsert_request=model_req, db_session=db_session
-            )
-        except ValueError as e:
-            logger.warning("Failed to upsert LLM provider during setup: %s", e)
-            return
+        new_llm_provider = upsert_llm_provider(
+            llm_provider_upsert_request=model_req, db_session=db_session
+        )
         update_default_provider(
             provider_id=new_llm_provider.id, model_name=llm_model, db_session=db_session
         )

backend/onyx/tools/models.py

@@ -18,7 +18,6 @@ from onyx.context.search.models import SearchDoc
 from onyx.context.search.models import SearchDocsResponse
 from onyx.db.memory import UserMemoryContext
 from onyx.server.query_and_chat.placement import Placement
-from onyx.server.query_and_chat.streaming_models import CustomToolErrorInfo
 from onyx.server.query_and_chat.streaming_models import GeneratedImage
 from onyx.tools.tool_implementations.images.models import FinalImageGenerationResponse
 from onyx.tools.tool_implementations.memory.models import MemoryToolResponse
@@ -62,7 +61,6 @@ class CustomToolCallSummary(BaseModel):
     tool_name: str
     response_type: str  # e.g., 'json', 'image', 'csv', 'graph'
     tool_result: Any  # The response data
-    error: CustomToolErrorInfo | None = None
 
 
 class ToolCallKickoff(BaseModel):

backend/onyx/tools/tool_implementations/custom/custom_tool.py

@@ -15,9 +15,7 @@ from onyx.chat.emitter import get_default_emitter
 from onyx.configs.constants import FileOrigin
 from onyx.file_store.file_store import get_default_file_store
 from onyx.server.query_and_chat.placement import Placement
-from onyx.server.query_and_chat.streaming_models import CustomToolArgs
 from onyx.server.query_and_chat.streaming_models import CustomToolDelta
-from onyx.server.query_and_chat.streaming_models import CustomToolErrorInfo
 from onyx.server.query_and_chat.streaming_models import CustomToolStart
 from onyx.server.query_and_chat.streaming_models import Packet
 from onyx.tools.interface import Tool
@@ -141,7 +139,7 @@ class CustomTool(Tool[None]):
         self.emitter.emit(
             Packet(
                 placement=placement,
-                obj=CustomToolStart(tool_name=self._name, tool_id=self._id),
+                obj=CustomToolStart(tool_name=self._name),
             )
         )
 
@@ -151,8 +149,10 @@ class CustomTool(Tool[None]):
         override_kwargs: None = None,  # noqa: ARG002
         **llm_kwargs: Any,
     ) -> ToolResponse:
-        # Build path params
+        request_body = llm_kwargs.get(REQUEST_BODY)
+
         path_params = {}
+
         for path_param_schema in self._method_spec.get_path_param_schemas():
             param_name = path_param_schema["name"]
             if param_name not in llm_kwargs:
@@ -165,7 +165,6 @@ class CustomTool(Tool[None]):
                 )
             path_params[param_name] = llm_kwargs[param_name]
 
-        # Build query params
         query_params = {}
         for query_param_schema in self._method_spec.get_query_param_schemas():
             if query_param_schema["name"] in llm_kwargs:
@@ -173,20 +172,6 @@ class CustomTool(Tool[None]):
                     query_param_schema["name"]
                 ]
 
-        # Emit args packet (path + query params only, no request body)
-        tool_args = {**path_params, **query_params}
-        if tool_args:
-            self.emitter.emit(
-                Packet(
-                    placement=placement,
-                    obj=CustomToolArgs(
-                        tool_name=self._name,
-                        tool_args=tool_args,
-                    ),
-                )
-            )
-
-        request_body = llm_kwargs.get(REQUEST_BODY)
         url = self._method_spec.build_url(self._base_url, path_params, query_params)
         method = self._method_spec.method
 
@@ -195,18 +180,6 @@ class CustomTool(Tool[None]):
         )
         content_type = response.headers.get("Content-Type", "")
 
-        # Detect HTTP errors — only 401/403 are flagged as auth errors
-        error_info: CustomToolErrorInfo | None = None
-        if response.status_code in (401, 403):
-            error_info = CustomToolErrorInfo(
-                is_auth_error=True,
-                status_code=response.status_code,
-                message=f"{self._name} action failed because of authentication error",
-            )
-            logger.warning(
-                f"Auth error from custom tool '{self._name}': HTTP {response.status_code}"
-            )
-
         tool_result: Any
         response_type: str
         file_ids: List[str] | None = None
@@ -249,11 +222,9 @@ class CustomTool(Tool[None]):
                 placement=placement,
                 obj=CustomToolDelta(
                     tool_name=self._name,
-                    tool_id=self._id,
                     response_type=response_type,
                     data=data,
                     file_ids=file_ids,
-                    error=error_info,
                 ),
             )
         )
@@ -265,7 +236,6 @@ class CustomTool(Tool[None]):
                 tool_name=self._name,
                 response_type=response_type,
                 tool_result=tool_result,
-                error=error_info,
             ),
             llm_facing_response=llm_facing_response,
         )

backend/onyx/utils/telemetry.py

@@ -2,6 +2,7 @@ import contextvars
 import threading
 import uuid
 from enum import Enum
+from typing import cast
 
 import requests
 
@@ -14,7 +15,6 @@ from onyx.db.engine.sql_engine import get_session_with_current_tenant
 from onyx.db.models import User
 from onyx.key_value_store.factory import get_kv_store
 from onyx.key_value_store.interface import KvKeyNotFoundError
-from onyx.key_value_store.interface import unwrap_str
 from onyx.utils.logger import setup_logger
 from onyx.utils.variable_functionality import (
     fetch_versioned_implementation_with_fallback,
@@ -25,7 +25,6 @@ from shared_configs.contextvars import get_current_tenant_id
 
 logger = setup_logger()
 
-
 _DANSWER_TELEMETRY_ENDPOINT = "https://telemetry.onyx.app/anonymous_telemetry"
 _CACHED_UUID: str | None = None
 _CACHED_INSTANCE_DOMAIN: str | None = None
@@ -63,10 +62,10 @@ def get_or_generate_uuid() -> str:
     kv_store = get_kv_store()
 
     try:
-        _CACHED_UUID = unwrap_str(kv_store.load(KV_CUSTOMER_UUID_KEY))
+        _CACHED_UUID = cast(str, kv_store.load(KV_CUSTOMER_UUID_KEY))
     except KvKeyNotFoundError:
         _CACHED_UUID = str(uuid.uuid4())
-        kv_store.store(KV_CUSTOMER_UUID_KEY, {"value": _CACHED_UUID}, encrypt=True)
+        kv_store.store(KV_CUSTOMER_UUID_KEY, _CACHED_UUID, encrypt=True)
 
     return _CACHED_UUID
 
@@ -80,16 +79,14 @@ def _get_or_generate_instance_domain() -> str | None:  #
     kv_store = get_kv_store()
 
     try:
-        _CACHED_INSTANCE_DOMAIN = unwrap_str(kv_store.load(KV_INSTANCE_DOMAIN_KEY))
+        _CACHED_INSTANCE_DOMAIN = cast(str, kv_store.load(KV_INSTANCE_DOMAIN_KEY))
     except KvKeyNotFoundError:
         with get_session_with_current_tenant() as db_session:
             first_user = db_session.query(User).first()
             if first_user:
                 _CACHED_INSTANCE_DOMAIN = first_user.email.split("@")[-1]
                 kv_store.store(
-                    KV_INSTANCE_DOMAIN_KEY,
-                    {"value": _CACHED_INSTANCE_DOMAIN},
-                    encrypt=True,
+                    KV_INSTANCE_DOMAIN_KEY, _CACHED_INSTANCE_DOMAIN, encrypt=True
                 )
 
     return _CACHED_INSTANCE_DOMAIN

backend/tests/daily/connectors/gitlab/test_gitlab_basic.py

@@ -48,7 +48,7 @@ def test_gitlab_connector_basic(gitlab_connector: GitlabConnector) -> None:
 
     # --- Specific Document Details to Validate ---
     target_mr_id = f"https://{gitlab_base_url}/{project_path}/-/merge_requests/1"
-    target_issue_id = f"https://{gitlab_base_url}/{project_path}/-/work_items/2"
+    target_issue_id = f"https://{gitlab_base_url}/{project_path}/-/issues/2"
     target_code_file_semantic_id = "README.md"
     # ---
 

backend/tests/external_dependency_unit/celery/test_pruning_hierarchy_nodes.py

@@ -7,8 +7,6 @@ Verifies that:
 3. Upserting is idempotent (running twice doesn't duplicate nodes)
 4. Document-to-hierarchy-node linkage is updated during pruning
 5. link_hierarchy_nodes_to_documents links nodes that are also documents
-6. HierarchyNodeByConnectorCredentialPair join table population and pruning
-7. Orphaned hierarchy node deletion and re-parenting
 
 Uses a mock SlimConnectorWithPermSync that yields known hierarchy nodes and slim documents,
 combined with a real PostgreSQL database for verifying persistence.
@@ -26,27 +24,16 @@ from onyx.connectors.interfaces import GenerateSlimDocumentOutput
 from onyx.connectors.interfaces import SecondsSinceUnixEpoch
 from onyx.connectors.interfaces import SlimConnectorWithPermSync
 from onyx.connectors.models import HierarchyNode as PydanticHierarchyNode
-from onyx.connectors.models import InputType
 from onyx.connectors.models import SlimDocument
-from onyx.db.enums import AccessType
-from onyx.db.enums import ConnectorCredentialPairStatus
 from onyx.db.enums import HierarchyNodeType
-from onyx.db.hierarchy import delete_orphaned_hierarchy_nodes
 from onyx.db.hierarchy import ensure_source_node_exists
 from onyx.db.hierarchy import get_all_hierarchy_nodes_for_source
 from onyx.db.hierarchy import get_hierarchy_node_by_raw_id
 from onyx.db.hierarchy import link_hierarchy_nodes_to_documents
-from onyx.db.hierarchy import remove_stale_hierarchy_node_cc_pair_entries
-from onyx.db.hierarchy import reparent_orphaned_hierarchy_nodes
 from onyx.db.hierarchy import update_document_parent_hierarchy_nodes
-from onyx.db.hierarchy import upsert_hierarchy_node_cc_pair_entries
 from onyx.db.hierarchy import upsert_hierarchy_nodes_batch
-from onyx.db.models import Connector
-from onyx.db.models import ConnectorCredentialPair
-from onyx.db.models import Credential
 from onyx.db.models import Document as DbDocument
 from onyx.db.models import HierarchyNode as DBHierarchyNode
-from onyx.db.models import HierarchyNodeByConnectorCredentialPair
 from onyx.indexing.indexing_heartbeat import IndexingHeartbeatInterface
 from onyx.kg.models import KGStage
 
@@ -155,80 +142,13 @@ class MockSlimConnectorWithPermSync(SlimConnectorWithPermSync):
 # ---------------------------------------------------------------------------
 
 
-def _create_cc_pair(
-    db_session: Session,
-    source: DocumentSource = TEST_SOURCE,
-) -> ConnectorCredentialPair:
-    """Create a real Connector + Credential + ConnectorCredentialPair for testing."""
-    connector = Connector(
-        name=f"Test {source.value} Connector",
-        source=source,
-        input_type=InputType.LOAD_STATE,
-        connector_specific_config={},
-    )
-    db_session.add(connector)
-    db_session.flush()
-
-    credential = Credential(
-        source=source,
-        credential_json={},
-        admin_public=True,
-    )
-    db_session.add(credential)
-    db_session.flush()
-    db_session.expire(credential)
-
-    cc_pair = ConnectorCredentialPair(
-        connector_id=connector.id,
-        credential_id=credential.id,
-        name=f"Test {source.value} CC Pair",
-        status=ConnectorCredentialPairStatus.ACTIVE,
-        access_type=AccessType.PUBLIC,
-    )
-    db_session.add(cc_pair)
-    db_session.commit()
-    db_session.refresh(cc_pair)
-    return cc_pair
-
-
 def _cleanup_test_data(db_session: Session) -> None:
     """Remove all test hierarchy nodes and documents to isolate tests."""
     for doc_id in SLIM_DOC_IDS:
         db_session.query(DbDocument).filter(DbDocument.id == doc_id).delete()
-
-    test_connector_ids_q = db_session.query(Connector.id).filter(
-        Connector.source == TEST_SOURCE,
-        Connector.name.like("Test %"),
-    )
-
-    db_session.query(HierarchyNodeByConnectorCredentialPair).filter(
-        HierarchyNodeByConnectorCredentialPair.connector_id.in_(test_connector_ids_q)
-    ).delete(synchronize_session="fetch")
     db_session.query(DBHierarchyNode).filter(
         DBHierarchyNode.source == TEST_SOURCE
     ).delete()
-    db_session.flush()
-
-    # Collect credential IDs before deleting cc_pairs (bulk query.delete()
-    # bypasses ORM-level cascade, so credentials won't be auto-removed).
-    credential_ids = [
-        row[0]
-        for row in db_session.query(ConnectorCredentialPair.credential_id)
-        .filter(ConnectorCredentialPair.connector_id.in_(test_connector_ids_q))
-        .all()
-    ]
-
-    db_session.query(ConnectorCredentialPair).filter(
-        ConnectorCredentialPair.connector_id.in_(test_connector_ids_q)
-    ).delete(synchronize_session="fetch")
-    db_session.query(Connector).filter(
-        Connector.source == TEST_SOURCE,
-        Connector.name.like("Test %"),
-    ).delete(synchronize_session="fetch")
-    if credential_ids:
-        db_session.query(Credential).filter(Credential.id.in_(credential_ids)).delete(
-            synchronize_session="fetch"
-        )
     db_session.commit()
 
 
@@ -259,8 +179,15 @@ def test_pruning_extracts_hierarchy_nodes(db_session: Session) -> None:  # noqa:
 
     result = extract_ids_from_runnable_connector(connector, callback=None)
 
-    # raw_id_to_parent should contain ONLY document IDs, not hierarchy node IDs
-    assert result.raw_id_to_parent.keys() == set(SLIM_DOC_IDS)
+    # Doc IDs should include both slim doc IDs and hierarchy node raw_node_ids
+    # (hierarchy node IDs are added to raw_id_to_parent so they aren't pruned)
+    expected_ids = {
+        CHANNEL_A_ID,
+        CHANNEL_B_ID,
+        CHANNEL_C_ID,
+        *SLIM_DOC_IDS,
+    }
+    assert result.raw_id_to_parent.keys() == expected_ids
 
     # Hierarchy nodes should be the 3 channels
     assert len(result.hierarchy_nodes) == 3
@@ -468,9 +395,9 @@ def test_extraction_preserves_parent_hierarchy_raw_node_id(
             result.raw_id_to_parent[doc_id] == expected_parent
         ), f"raw_id_to_parent[{doc_id}] should be {expected_parent}"
 
-    # Hierarchy node IDs should NOT be in raw_id_to_parent
+    # Hierarchy node entries have None parent (they aren't documents)
     for channel_id in [CHANNEL_A_ID, CHANNEL_B_ID, CHANNEL_C_ID]:
-        assert channel_id not in result.raw_id_to_parent
+        assert result.raw_id_to_parent[channel_id] is None
 
 
 def test_update_document_parent_hierarchy_nodes(db_session: Session) -> None:
@@ -638,241 +565,3 @@ def test_link_hierarchy_nodes_skips_non_hierarchy_sources(
         commit=False,
     )
     assert linked == 0
-
-
-# ---------------------------------------------------------------------------
-# Join table + pruning tests
-# ---------------------------------------------------------------------------
-
-
-def test_upsert_hierarchy_node_cc_pair_entries(db_session: Session) -> None:
-    """upsert_hierarchy_node_cc_pair_entries should insert rows and be idempotent."""
-    _cleanup_test_data(db_session)
-    ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
-    cc_pair = _create_cc_pair(db_session)
-
-    upserted = upsert_hierarchy_nodes_batch(
-        db_session=db_session,
-        nodes=_make_hierarchy_nodes(),
-        source=TEST_SOURCE,
-        commit=True,
-        is_connector_public=False,
-    )
-    node_ids = [n.id for n in upserted]
-
-    # First call — should insert rows
-    upsert_hierarchy_node_cc_pair_entries(
-        db_session=db_session,
-        hierarchy_node_ids=node_ids,
-        connector_id=cc_pair.connector_id,
-        credential_id=cc_pair.credential_id,
-        commit=True,
-    )
-
-    rows = (
-        db_session.query(HierarchyNodeByConnectorCredentialPair)
-        .filter(
-            HierarchyNodeByConnectorCredentialPair.connector_id == cc_pair.connector_id,
-            HierarchyNodeByConnectorCredentialPair.credential_id
-            == cc_pair.credential_id,
-        )
-        .all()
-    )
-    assert len(rows) == 3
-
-    # Second call — idempotent, same count
-    upsert_hierarchy_node_cc_pair_entries(
-        db_session=db_session,
-        hierarchy_node_ids=node_ids,
-        connector_id=cc_pair.connector_id,
-        credential_id=cc_pair.credential_id,
-        commit=True,
-    )
-    rows_after = (
-        db_session.query(HierarchyNodeByConnectorCredentialPair)
-        .filter(
-            HierarchyNodeByConnectorCredentialPair.connector_id == cc_pair.connector_id,
-            HierarchyNodeByConnectorCredentialPair.credential_id
-            == cc_pair.credential_id,
-        )
-        .all()
-    )
-    assert len(rows_after) == 3
-
-
-def test_remove_stale_entries_and_delete_orphans(db_session: Session) -> None:
-    """After removing stale join-table entries, orphaned hierarchy nodes should
-    be deleted and the SOURCE node should survive."""
-    _cleanup_test_data(db_session)
-    source_node = ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
-    cc_pair = _create_cc_pair(db_session)
-
-    upserted = upsert_hierarchy_nodes_batch(
-        db_session=db_session,
-        nodes=_make_hierarchy_nodes(),
-        source=TEST_SOURCE,
-        commit=True,
-        is_connector_public=False,
-    )
-    all_ids = [n.id for n in upserted]
-    upsert_hierarchy_node_cc_pair_entries(
-        db_session=db_session,
-        hierarchy_node_ids=all_ids,
-        connector_id=cc_pair.connector_id,
-        credential_id=cc_pair.credential_id,
-        commit=True,
-    )
-
-    # Now simulate a pruning run where only channel A survived
-    channel_a = get_hierarchy_node_by_raw_id(db_session, CHANNEL_A_ID, TEST_SOURCE)
-    assert channel_a is not None
-    live_ids = {channel_a.id}
-
-    stale_removed = remove_stale_hierarchy_node_cc_pair_entries(
-        db_session=db_session,
-        connector_id=cc_pair.connector_id,
-        credential_id=cc_pair.credential_id,
-        live_hierarchy_node_ids=live_ids,
-        commit=True,
-    )
-    assert stale_removed == 2
-
-    # Delete orphaned nodes
-    deleted_raw_ids = delete_orphaned_hierarchy_nodes(
-        db_session=db_session,
-        source=TEST_SOURCE,
-        commit=True,
-    )
-    assert set(deleted_raw_ids) == {CHANNEL_B_ID, CHANNEL_C_ID}
-
-    # Verify only channel A + SOURCE remain
-    remaining = get_all_hierarchy_nodes_for_source(db_session, TEST_SOURCE)
-    remaining_raw = {n.raw_node_id for n in remaining}
-    assert remaining_raw == {CHANNEL_A_ID, source_node.raw_node_id}
-
-
-def test_multi_cc_pair_prevents_premature_deletion(db_session: Session) -> None:
-    """A hierarchy node shared by two cc_pairs should NOT be deleted when only
-    one cc_pair removes its association."""
-    _cleanup_test_data(db_session)
-    ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
-    cc_pair_1 = _create_cc_pair(db_session)
-    cc_pair_2 = _create_cc_pair(db_session)
-
-    upserted = upsert_hierarchy_nodes_batch(
-        db_session=db_session,
-        nodes=_make_hierarchy_nodes(),
-        source=TEST_SOURCE,
-        commit=True,
-        is_connector_public=False,
-    )
-    all_ids = [n.id for n in upserted]
-
-    # cc_pair 1 owns all 3
-    upsert_hierarchy_node_cc_pair_entries(
-        db_session=db_session,
-        hierarchy_node_ids=all_ids,
-        connector_id=cc_pair_1.connector_id,
-        credential_id=cc_pair_1.credential_id,
-        commit=True,
-    )
-    # cc_pair 2 also owns all 3
-    upsert_hierarchy_node_cc_pair_entries(
-        db_session=db_session,
-        hierarchy_node_ids=all_ids,
-        connector_id=cc_pair_2.connector_id,
-        credential_id=cc_pair_2.credential_id,
-        commit=True,
-    )
-
-    # cc_pair 1 prunes — keeps none
-    remove_stale_hierarchy_node_cc_pair_entries(
-        db_session=db_session,
-        connector_id=cc_pair_1.connector_id,
-        credential_id=cc_pair_1.credential_id,
-        live_hierarchy_node_ids=set(),
-        commit=True,
-    )
-
-    # Orphan deletion should find nothing because cc_pair 2 still references them
-    deleted = delete_orphaned_hierarchy_nodes(
-        db_session=db_session,
-        source=TEST_SOURCE,
-        commit=True,
-    )
-    assert deleted == []
-
-    # All 3 nodes + SOURCE should still exist
-    remaining = get_all_hierarchy_nodes_for_source(db_session, TEST_SOURCE)
-    assert len(remaining) == 4
-
-
-def test_reparent_orphaned_children(db_session: Session) -> None:
-    """After deleting a parent hierarchy node, its children should be
-    re-parented to the SOURCE node."""
-    _cleanup_test_data(db_session)
-    source_node = ensure_source_node_exists(db_session, TEST_SOURCE, commit=True)
-    cc_pair = _create_cc_pair(db_session)
-
-    # Create a parent node and a child node
-    parent_node = PydanticHierarchyNode(
-        raw_node_id="PARENT",
-        raw_parent_id=None,
-        display_name="Parent",
-        node_type=HierarchyNodeType.CHANNEL,
-    )
-    child_node = PydanticHierarchyNode(
-        raw_node_id="CHILD",
-        raw_parent_id="PARENT",
-        display_name="Child",
-        node_type=HierarchyNodeType.CHANNEL,
-    )
-    upserted = upsert_hierarchy_nodes_batch(
-        db_session=db_session,
-        nodes=[parent_node, child_node],
-        source=TEST_SOURCE,
-        commit=True,
-        is_connector_public=False,
-    )
-    assert len(upserted) == 2
-
-    parent_db = get_hierarchy_node_by_raw_id(db_session, "PARENT", TEST_SOURCE)
-    child_db = get_hierarchy_node_by_raw_id(db_session, "CHILD", TEST_SOURCE)
-    assert parent_db is not None and child_db is not None
-    assert child_db.parent_id == parent_db.id
-
-    # Associate only the child with a cc_pair (parent is orphaned)
-    upsert_hierarchy_node_cc_pair_entries(
-        db_session=db_session,
-        hierarchy_node_ids=[child_db.id],
-        connector_id=cc_pair.connector_id,
-        credential_id=cc_pair.credential_id,
-        commit=True,
-    )
-
-    # Delete orphaned nodes (parent has no cc_pair entry)
-    deleted = delete_orphaned_hierarchy_nodes(
-        db_session=db_session,
-        source=TEST_SOURCE,
-        commit=True,
-    )
-    assert "PARENT" in deleted
-
-    # Child should now have parent_id=NULL (SET NULL cascade)
-    db_session.expire_all()
-    child_db = get_hierarchy_node_by_raw_id(db_session, "CHILD", TEST_SOURCE)
-    assert child_db is not None
-    assert child_db.parent_id is None
-
-    # Re-parent orphans to SOURCE
-    reparented = reparent_orphaned_hierarchy_nodes(
-        db_session=db_session,
-        source=TEST_SOURCE,
-        commit=True,
-    )
-    assert len(reparented) == 1
-
-    db_session.expire_all()
-    child_db = get_hierarchy_node_by_raw_id(db_session, "CHILD", TEST_SOURCE)
-    assert child_db is not None
-    assert child_db.parent_id == source_node.id

backend/tests/external_dependency_unit/hierarchy/test_hierarchy_access_filter.py

@@ -85,7 +85,7 @@ def test_group_overlap_filter(
     results = _get_accessible_hierarchy_nodes_for_source(
         db_session,
         source=DocumentSource.GOOGLE_DRIVE,
-        user_email="",
+        user_email=None,
         external_group_ids=["group_engineering"],
     )
     result_ids = {n.raw_node_id for n in results}
@@ -124,7 +124,7 @@ def test_no_credentials_returns_only_public(
     results = _get_accessible_hierarchy_nodes_for_source(
         db_session,
         source=DocumentSource.GOOGLE_DRIVE,
-        user_email="",
+        user_email=None,
         external_group_ids=[],
     )
     result_ids = {n.raw_node_id for n in results}

backend/tests/external_dependency_unit/llm/test_llm_provider.py

@@ -158,7 +158,7 @@ class TestLLMConfigurationEndpoint:
                     )
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
-                assert exc_info.value.detail == error_message
+                assert exc_info.value.message == error_message
 
         finally:
             db_session.rollback()
@@ -540,7 +540,7 @@ class TestDefaultProviderEndpoint:
                 run_test_default_provider(_=_create_mock_admin())
 
             assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
-            assert "No LLM Provider setup" in exc_info.value.detail
+            assert "No LLM Provider setup" in exc_info.value.message
 
         finally:
             db_session.rollback()
@@ -585,7 +585,7 @@ class TestDefaultProviderEndpoint:
                     run_test_default_provider(_=_create_mock_admin())
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
-                assert exc_info.value.detail == error_message
+                assert exc_info.value.message == error_message
 
         finally:
             db_session.rollback()

backend/tests/external_dependency_unit/llm/test_llm_provider_api_base.py

@@ -111,7 +111,7 @@ class TestLLMProviderChanges:
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
                 assert "cannot be changed without changing the API key" in str(
-                    exc_info.value.detail
+                    exc_info.value.message
                 )
         finally:
             _cleanup_provider(db_session, provider_name)
@@ -247,7 +247,7 @@ class TestLLMProviderChanges:
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
                 assert "cannot be changed without changing the API key" in str(
-                    exc_info.value.detail
+                    exc_info.value.message
                 )
         finally:
             _cleanup_provider(db_session, provider_name)
@@ -350,7 +350,7 @@ class TestLLMProviderChanges:
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
                 assert "cannot be changed without changing the API key" in str(
-                    exc_info.value.detail
+                    exc_info.value.message
                 )
         finally:
             _cleanup_provider(db_session, provider_name)
@@ -386,7 +386,7 @@ class TestLLMProviderChanges:
 
                 assert exc_info.value.error_code == OnyxErrorCode.VALIDATION_ERROR
                 assert "cannot be changed without changing the API key" in str(
-                    exc_info.value.detail
+                    exc_info.value.message
                 )
         finally:
             _cleanup_provider(db_session, provider_name)

backend/tests/external_dependency_unit/llm/test_llm_provider_auto_mode.py

@@ -1152,179 +1152,3 @@ class TestAutoModeTransitionsAndResync:
         finally:
             db_session.rollback()
             _cleanup_provider(db_session, provider_name)
-
-    def test_sync_updates_default_when_recommended_default_changes(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """When the provider owns the CHAT default and a sync arrives with a
-        different recommended default model (both models still in config),
-        the global default should be updated to the new recommendation.
-
-        Steps:
-        1. Create auto-mode provider with config v1: default=gpt-4o.
-        2. Set gpt-4o as the global CHAT default.
-        3. Re-sync with config v2: default=gpt-4o-mini (gpt-4o still present).
-        4. Verify the CHAT default switched to gpt-4o-mini and both models
-           remain visible.
-        """
-        config_v1 = _create_mock_llm_recommendations(
-            provider=LlmProviderNames.OPENAI,
-            default_model_name="gpt-4o",
-            additional_models=["gpt-4o-mini"],
-        )
-        config_v2 = _create_mock_llm_recommendations(
-            provider=LlmProviderNames.OPENAI,
-            default_model_name="gpt-4o-mini",
-            additional_models=["gpt-4o"],
-        )
-
-        try:
-            with patch(
-                "onyx.server.manage.llm.api.fetch_llm_recommendations_from_github",
-                return_value=config_v1,
-            ):
-                put_llm_provider(
-                    llm_provider_upsert_request=LLMProviderUpsertRequest(
-                        name=provider_name,
-                        provider=LlmProviderNames.OPENAI,
-                        api_key="sk-test-key-00000000000000000000000000000000000",
-                        api_key_changed=True,
-                        is_auto_mode=True,
-                        model_configurations=[],
-                    ),
-                    is_creation=True,
-                    _=_create_mock_admin(),
-                    db_session=db_session,
-                )
-
-            # Set gpt-4o as the global CHAT default
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            update_default_provider(provider.id, "gpt-4o", db_session)
-
-            default_before = fetch_default_llm_model(db_session)
-            assert default_before is not None
-            assert default_before.name == "gpt-4o"
-
-            # Re-sync with config v2 (recommended default changed)
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-
-            changes = sync_auto_mode_models(
-                db_session=db_session,
-                provider=provider,
-                llm_recommendations=config_v2,
-            )
-            assert changes > 0, "Sync should report changes when default switches"
-
-            # Both models should remain visible
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            visibility = {
-                mc.name: mc.is_visible for mc in provider.model_configurations
-            }
-            assert visibility["gpt-4o"] is True
-            assert visibility["gpt-4o-mini"] is True
-
-            # The CHAT default should now be gpt-4o-mini
-            default_after = fetch_default_llm_model(db_session)
-            assert default_after is not None
-            assert (
-                default_after.name == "gpt-4o-mini"
-            ), f"Default should be updated to 'gpt-4o-mini', got '{default_after.name}'"
-
-        finally:
-            db_session.rollback()
-            _cleanup_provider(db_session, provider_name)
-
-    def test_sync_idempotent_when_default_already_matches(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """When the provider owns the CHAT default and it already matches the
-        recommended default, re-syncing should report zero changes.
-
-        This is a regression test for the bug where changes was unconditionally
-        incremented even when the default was already correct.
-        """
-        config = _create_mock_llm_recommendations(
-            provider=LlmProviderNames.OPENAI,
-            default_model_name="gpt-4o",
-            additional_models=["gpt-4o-mini"],
-        )
-
-        try:
-            with patch(
-                "onyx.server.manage.llm.api.fetch_llm_recommendations_from_github",
-                return_value=config,
-            ):
-                put_llm_provider(
-                    llm_provider_upsert_request=LLMProviderUpsertRequest(
-                        name=provider_name,
-                        provider=LlmProviderNames.OPENAI,
-                        api_key="sk-test-key-00000000000000000000000000000000000",
-                        api_key_changed=True,
-                        is_auto_mode=True,
-                        model_configurations=[],
-                    ),
-                    is_creation=True,
-                    _=_create_mock_admin(),
-                    db_session=db_session,
-                )
-
-            # Set gpt-4o (the recommended default) as global CHAT default
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            update_default_provider(provider.id, "gpt-4o", db_session)
-
-            # First sync to stabilize state
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            sync_auto_mode_models(
-                db_session=db_session,
-                provider=provider,
-                llm_recommendations=config,
-            )
-
-            # Second sync — default already matches, should be a no-op
-            db_session.expire_all()
-            provider = fetch_existing_llm_provider(
-                name=provider_name, db_session=db_session
-            )
-            assert provider is not None
-            changes = sync_auto_mode_models(
-                db_session=db_session,
-                provider=provider,
-                llm_recommendations=config,
-            )
-            assert changes == 0, (
-                f"Expected 0 changes when default already matches recommended, "
-                f"got {changes}"
-            )
-
-            # Default should still be gpt-4o
-            default_model = fetch_default_llm_model(db_session)
-            assert default_model is not None
-            assert default_model.name == "gpt-4o"
-
-        finally:
-            db_session.rollback()
-            _cleanup_provider(db_session, provider_name)

backend/tests/external_dependency_unit/llm/test_llm_provider_default_model_protection.py

@@ -1,220 +0,0 @@
-"""
-This should act as the main point of reference for testing that default model
-logic is consisten.
-
- -
-"""
-
-from collections.abc import Generator
-from uuid import uuid4
-
-import pytest
-from sqlalchemy.orm import Session
-
-from onyx.db.llm import fetch_existing_llm_provider
-from onyx.db.llm import remove_llm_provider
-from onyx.db.llm import update_default_provider
-from onyx.db.llm import update_default_vision_provider
-from onyx.db.llm import upsert_llm_provider
-from onyx.llm.constants import LlmProviderNames
-from onyx.server.manage.llm.models import LLMProviderUpsertRequest
-from onyx.server.manage.llm.models import LLMProviderView
-from onyx.server.manage.llm.models import ModelConfigurationUpsertRequest
-
-
-def _create_test_provider(
-    db_session: Session,
-    name: str,
-    models: list[ModelConfigurationUpsertRequest] | None = None,
-) -> LLMProviderView:
-    """Helper to create a test LLM provider with multiple models."""
-    if models is None:
-        models = [
-            ModelConfigurationUpsertRequest(
-                name="gpt-4o", is_visible=True, supports_image_input=True
-            ),
-            ModelConfigurationUpsertRequest(
-                name="gpt-4o-mini", is_visible=True, supports_image_input=False
-            ),
-        ]
-    return upsert_llm_provider(
-        LLMProviderUpsertRequest(
-            name=name,
-            provider=LlmProviderNames.OPENAI,
-            api_key="sk-test-key-00000000000000000000000000000000000",
-            api_key_changed=True,
-            model_configurations=models,
-        ),
-        db_session=db_session,
-    )
-
-
-def _cleanup_provider(db_session: Session, name: str) -> None:
-    """Helper to clean up a test provider by name."""
-    provider = fetch_existing_llm_provider(name=name, db_session=db_session)
-    if provider:
-        remove_llm_provider(db_session, provider.id)
-
-
-@pytest.fixture
-def provider_name(db_session: Session) -> Generator[str, None, None]:
-    """Generate a unique provider name for each test, with automatic cleanup."""
-    name = f"test-provider-{uuid4().hex[:8]}"
-    yield name
-    db_session.rollback()
-    _cleanup_provider(db_session, name)
-
-
-class TestDefaultModelProtection:
-    """Tests that the default model cannot be removed or hidden."""
-
-    def test_cannot_remove_default_text_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Removing the default text model from a provider should raise ValueError."""
-        provider = _create_test_provider(db_session, provider_name)
-        update_default_provider(provider.id, "gpt-4o", db_session)
-
-        # Try to update the provider without the default model
-        with pytest.raises(ValueError, match="Cannot remove the default model"):
-            upsert_llm_provider(
-                LLMProviderUpsertRequest(
-                    id=provider.id,
-                    name=provider_name,
-                    provider=LlmProviderNames.OPENAI,
-                    api_key="sk-test-key-00000000000000000000000000000000000",
-                    api_key_changed=True,
-                    model_configurations=[
-                        ModelConfigurationUpsertRequest(
-                            name="gpt-4o-mini", is_visible=True
-                        ),
-                    ],
-                ),
-                db_session=db_session,
-            )
-
-    def test_cannot_hide_default_text_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Setting is_visible=False on the default text model should raise ValueError."""
-        provider = _create_test_provider(db_session, provider_name)
-        update_default_provider(provider.id, "gpt-4o", db_session)
-
-        # Try to hide the default model
-        with pytest.raises(ValueError, match="Cannot hide the default model"):
-            upsert_llm_provider(
-                LLMProviderUpsertRequest(
-                    id=provider.id,
-                    name=provider_name,
-                    provider=LlmProviderNames.OPENAI,
-                    api_key="sk-test-key-00000000000000000000000000000000000",
-                    api_key_changed=True,
-                    model_configurations=[
-                        ModelConfigurationUpsertRequest(
-                            name="gpt-4o", is_visible=False
-                        ),
-                        ModelConfigurationUpsertRequest(
-                            name="gpt-4o-mini", is_visible=True
-                        ),
-                    ],
-                ),
-                db_session=db_session,
-            )
-
-    def test_cannot_remove_default_vision_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Removing the default vision model from a provider should raise ValueError."""
-        provider = _create_test_provider(db_session, provider_name)
-        # Set gpt-4o as both the text and vision default
-        update_default_provider(provider.id, "gpt-4o", db_session)
-        update_default_vision_provider(provider.id, "gpt-4o", db_session)
-
-        # Try to remove the default vision model
-        with pytest.raises(ValueError, match="Cannot remove the default model"):
-            upsert_llm_provider(
-                LLMProviderUpsertRequest(
-                    id=provider.id,
-                    name=provider_name,
-                    provider=LlmProviderNames.OPENAI,
-                    api_key="sk-test-key-00000000000000000000000000000000000",
-                    api_key_changed=True,
-                    model_configurations=[
-                        ModelConfigurationUpsertRequest(
-                            name="gpt-4o-mini", is_visible=True
-                        ),
-                    ],
-                ),
-                db_session=db_session,
-            )
-
-    def test_can_remove_non_default_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Removing a non-default model should succeed."""
-        provider = _create_test_provider(db_session, provider_name)
-        update_default_provider(provider.id, "gpt-4o", db_session)
-
-        # Remove gpt-4o-mini (not default) — should succeed
-        updated = upsert_llm_provider(
-            LLMProviderUpsertRequest(
-                id=provider.id,
-                name=provider_name,
-                provider=LlmProviderNames.OPENAI,
-                api_key="sk-test-key-00000000000000000000000000000000000",
-                api_key_changed=True,
-                model_configurations=[
-                    ModelConfigurationUpsertRequest(
-                        name="gpt-4o", is_visible=True, supports_image_input=True
-                    ),
-                ],
-            ),
-            db_session=db_session,
-        )
-
-        model_names = {mc.name for mc in updated.model_configurations}
-        assert "gpt-4o" in model_names
-        assert "gpt-4o-mini" not in model_names
-
-    def test_can_hide_non_default_model(
-        self,
-        db_session: Session,
-        provider_name: str,
-    ) -> None:
-        """Hiding a non-default model should succeed."""
-        provider = _create_test_provider(db_session, provider_name)
-        update_default_provider(provider.id, "gpt-4o", db_session)
-
-        # Hide gpt-4o-mini (not default) — should succeed
-        updated = upsert_llm_provider(
-            LLMProviderUpsertRequest(
-                id=provider.id,
-                name=provider_name,
-                provider=LlmProviderNames.OPENAI,
-                api_key="sk-test-key-00000000000000000000000000000000000",
-                api_key_changed=True,
-                model_configurations=[
-                    ModelConfigurationUpsertRequest(
-                        name="gpt-4o", is_visible=True, supports_image_input=True
-                    ),
-                    ModelConfigurationUpsertRequest(
-                        name="gpt-4o-mini", is_visible=False
-                    ),
-                ],
-            ),
-            db_session=db_session,
-        )
-
-        model_visibility = {
-            mc.name: mc.is_visible for mc in updated.model_configurations
-        }
-        assert model_visibility["gpt-4o"] is True
-        assert model_visibility["gpt-4o-mini"] is False

backend/tests/integration/tests/llm_provider/test_llm_provider.py

@@ -427,7 +427,7 @@ def test_delete_default_llm_provider_rejected(reset: None) -> None:  # noqa: ARG
         headers=admin_user.headers,
     )
     assert delete_response.status_code == 400
-    assert "Cannot delete the default LLM provider" in delete_response.json()["detail"]
+    assert "Cannot delete the default LLM provider" in delete_response.json()["message"]
 
     # Verify provider still exists
     provider_data = _get_provider_by_id(admin_user, created_provider["id"])
@@ -674,7 +674,7 @@ def test_duplicate_provider_name_rejected(reset: None) -> None:  # noqa: ARG001
         json=base_payload,
     )
     assert response.status_code == 409
-    assert "already exists" in response.json()["detail"]
+    assert "already exists" in response.json()["message"]
 
 
 def test_rename_provider_rejected(reset: None) -> None:  # noqa: ARG001
@@ -711,7 +711,7 @@ def test_rename_provider_rejected(reset: None) -> None:  # noqa: ARG001
         json=update_payload,
     )
     assert response.status_code == 400
-    assert "not currently supported" in response.json()["detail"]
+    assert "not currently supported" in response.json()["message"]
 
     # Verify no duplicate was created — only the original provider should exist
     provider = _get_provider_by_id(admin_user, provider_id)

backend/tests/integration/tests/llm_provider/test_llm_provider_persona_access.py

@@ -69,7 +69,7 @@ def test_unauthorized_persona_access_returns_403(
 
     # Should return 403 Forbidden
     assert response.status_code == 403
-    assert "don't have access to this assistant" in response.json()["detail"]
+    assert "don't have access to this assistant" in response.json()["message"]
 
 
 def test_authorized_persona_access_returns_filtered_providers(
@@ -245,4 +245,4 @@ def test_nonexistent_persona_returns_404(
 
     # Should return 404
     assert response.status_code == 404
-    assert "Persona not found" in response.json()["detail"]
+    assert "Persona not found" in response.json()["message"]

backend/tests/unit/ee/onyx/server/billing/test_billing_api.py

@@ -107,7 +107,7 @@ class TestCreateCheckoutSession:
 
         assert exc_info.value.status_code == 502
         assert exc_info.value.error_code is OnyxErrorCode.BAD_GATEWAY
-        assert exc_info.value.detail == "Stripe error"
+        assert exc_info.value.message == "Stripe error"
 
 
 class TestCreateCustomerPortalSession:
@@ -137,7 +137,7 @@ class TestCreateCustomerPortalSession:
 
         assert exc_info.value.status_code == 400
         assert exc_info.value.error_code is OnyxErrorCode.VALIDATION_ERROR
-        assert exc_info.value.detail == "No license found"
+        assert exc_info.value.message == "No license found"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.billing.api.create_portal_service")
@@ -243,7 +243,7 @@ class TestUpdateSeats:
 
         assert exc_info.value.status_code == 400
         assert exc_info.value.error_code is OnyxErrorCode.VALIDATION_ERROR
-        assert exc_info.value.detail == "No license found"
+        assert exc_info.value.message == "No license found"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.billing.api.get_used_seats")
@@ -317,7 +317,7 @@ class TestUpdateSeats:
 
         assert exc_info.value.status_code == 400
         assert exc_info.value.error_code is OnyxErrorCode.BAD_GATEWAY
-        assert exc_info.value.detail == "Cannot reduce below 10 seats"
+        assert exc_info.value.message == "Cannot reduce below 10 seats"
 
 
 class TestCircuitBreaker:
@@ -346,7 +346,7 @@ class TestCircuitBreaker:
 
         assert exc_info.value.status_code == 503
         assert exc_info.value.error_code is OnyxErrorCode.SERVICE_UNAVAILABLE
-        assert "Connect to Stripe" in exc_info.value.detail
+        assert "Connect to Stripe" in exc_info.value.message
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.billing.api.MULTI_TENANT", False)

backend/tests/unit/ee/onyx/server/billing/test_billing_service.py

@@ -101,7 +101,7 @@ class TestMakeBillingRequest:
 
         assert exc_info.value.status_code == 400
         assert exc_info.value.error_code is OnyxErrorCode.BAD_GATEWAY
-        assert "Bad request" in exc_info.value.detail
+        assert "Bad request" in exc_info.value.message
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.billing.service._get_headers")
@@ -152,7 +152,7 @@ class TestMakeBillingRequest:
 
         assert exc_info.value.status_code == 502
         assert exc_info.value.error_code is OnyxErrorCode.BAD_GATEWAY
-        assert "Failed to connect" in exc_info.value.detail
+        assert "Failed to connect" in exc_info.value.message
 
 
 class TestCreateCheckoutSession:

backend/tests/unit/ee/onyx/server/tenants/test_billing_api.py

@@ -72,7 +72,7 @@ class TestGetStripePublishableKey:
 
         assert exc_info.value.status_code == 500
         assert exc_info.value.error_code is OnyxErrorCode.INTERNAL_ERROR
-        assert exc_info.value.detail == "Invalid Stripe publishable key format"
+        assert exc_info.value.message == "Invalid Stripe publishable key format"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.tenants.billing_api.STRIPE_PUBLISHABLE_KEY_OVERRIDE", None)
@@ -97,7 +97,7 @@ class TestGetStripePublishableKey:
 
         assert exc_info.value.status_code == 500
         assert exc_info.value.error_code is OnyxErrorCode.INTERNAL_ERROR
-        assert exc_info.value.detail == "Invalid Stripe publishable key format"
+        assert exc_info.value.message == "Invalid Stripe publishable key format"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.tenants.billing_api.STRIPE_PUBLISHABLE_KEY_OVERRIDE", None)
@@ -118,7 +118,7 @@ class TestGetStripePublishableKey:
 
         assert exc_info.value.status_code == 500
         assert exc_info.value.error_code is OnyxErrorCode.INTERNAL_ERROR
-        assert exc_info.value.detail == "Failed to fetch Stripe publishable key"
+        assert exc_info.value.message == "Failed to fetch Stripe publishable key"
 
     @pytest.mark.asyncio
     @patch("ee.onyx.server.tenants.billing_api.STRIPE_PUBLISHABLE_KEY_OVERRIDE", None)
@@ -132,7 +132,7 @@ class TestGetStripePublishableKey:
 
         assert exc_info.value.status_code == 500
         assert exc_info.value.error_code is OnyxErrorCode.INTERNAL_ERROR
-        assert "not configured" in exc_info.value.detail
+        assert "not configured" in exc_info.value.message
 
     @pytest.mark.asyncio
     @patch(

backend/tests/unit/onyx/access/test_user_file_access.py

@@ -1,163 +0,0 @@
-"""Tests for user file ACL computation, including shared persona access."""
-
-from unittest.mock import MagicMock
-from unittest.mock import patch
-from uuid import uuid4
-
-from onyx.access.access import collect_user_file_access
-from onyx.access.access import get_access_for_user_files_impl
-from onyx.access.utils import prefix_user_email
-from onyx.configs.constants import PUBLIC_DOC_PAT
-
-
-def _make_user(email: str) -> MagicMock:
-    user = MagicMock()
-    user.email = email
-    user.id = uuid4()
-    return user
-
-
-def _make_persona(
-    *,
-    owner: MagicMock | None = None,
-    shared_users: list[MagicMock] | None = None,
-    is_public: bool = False,
-    deleted: bool = False,
-) -> MagicMock:
-    persona = MagicMock()
-    persona.deleted = deleted
-    persona.is_public = is_public
-    persona.user_id = owner.id if owner else None
-    persona.user = owner
-    persona.users = shared_users or []
-    return persona
-
-
-def _make_user_file(
-    *,
-    owner: MagicMock,
-    assistants: list[MagicMock] | None = None,
-) -> MagicMock:
-    uf = MagicMock()
-    uf.id = uuid4()
-    uf.user = owner
-    uf.user_id = owner.id
-    uf.assistants = assistants or []
-    return uf
-
-
-class TestCollectUserFileAccess:
-    def test_owner_only(self) -> None:
-        owner = _make_user("owner@test.com")
-        uf = _make_user_file(owner=owner)
-
-        emails, is_public = collect_user_file_access(uf)
-
-        assert emails == {"owner@test.com"}
-        assert is_public is False
-
-    def test_shared_persona_adds_users(self) -> None:
-        owner = _make_user("owner@test.com")
-        shared = _make_user("shared@test.com")
-        persona = _make_persona(owner=owner, shared_users=[shared])
-        uf = _make_user_file(owner=owner, assistants=[persona])
-
-        emails, is_public = collect_user_file_access(uf)
-
-        assert emails == {"owner@test.com", "shared@test.com"}
-        assert is_public is False
-
-    def test_persona_owner_added(self) -> None:
-        """Persona owner (different from file owner) gets access too."""
-        file_owner = _make_user("file-owner@test.com")
-        persona_owner = _make_user("persona-owner@test.com")
-        persona = _make_persona(owner=persona_owner)
-        uf = _make_user_file(owner=file_owner, assistants=[persona])
-
-        emails, is_public = collect_user_file_access(uf)
-
-        assert "file-owner@test.com" in emails
-        assert "persona-owner@test.com" in emails
-
-    def test_public_persona_makes_file_public(self) -> None:
-        owner = _make_user("owner@test.com")
-        persona = _make_persona(owner=owner, is_public=True)
-        uf = _make_user_file(owner=owner, assistants=[persona])
-
-        emails, is_public = collect_user_file_access(uf)
-
-        assert is_public is True
-        assert "owner@test.com" in emails
-
-    def test_deleted_persona_ignored(self) -> None:
-        owner = _make_user("owner@test.com")
-        shared = _make_user("shared@test.com")
-        persona = _make_persona(owner=owner, shared_users=[shared], deleted=True)
-        uf = _make_user_file(owner=owner, assistants=[persona])
-
-        emails, is_public = collect_user_file_access(uf)
-
-        assert emails == {"owner@test.com"}
-        assert is_public is False
-
-    def test_multiple_personas_combine(self) -> None:
-        owner = _make_user("owner@test.com")
-        user_a = _make_user("a@test.com")
-        user_b = _make_user("b@test.com")
-        p1 = _make_persona(owner=owner, shared_users=[user_a])
-        p2 = _make_persona(owner=owner, shared_users=[user_b])
-        uf = _make_user_file(owner=owner, assistants=[p1, p2])
-
-        emails, is_public = collect_user_file_access(uf)
-
-        assert emails == {"owner@test.com", "a@test.com", "b@test.com"}
-
-    def test_deduplication(self) -> None:
-        owner = _make_user("owner@test.com")
-        shared = _make_user("shared@test.com")
-        p1 = _make_persona(owner=owner, shared_users=[shared])
-        p2 = _make_persona(owner=owner, shared_users=[shared])
-        uf = _make_user_file(owner=owner, assistants=[p1, p2])
-
-        emails, _ = collect_user_file_access(uf)
-
-        assert emails == {"owner@test.com", "shared@test.com"}
-
-
-class TestGetAccessForUserFiles:
-    def test_shared_user_in_acl(self) -> None:
-        """Shared persona users should appear in the ACL."""
-        owner = _make_user("owner@test.com")
-        shared = _make_user("shared@test.com")
-        persona = _make_persona(owner=owner, shared_users=[shared])
-        uf = _make_user_file(owner=owner, assistants=[persona])
-
-        db_session = MagicMock()
-        with patch(
-            "onyx.access.access.fetch_user_files_with_access_relationships",
-            return_value=[uf],
-        ):
-            result = get_access_for_user_files_impl([str(uf.id)], db_session)
-
-        access = result[str(uf.id)]
-        acl = access.to_acl()
-        assert prefix_user_email("owner@test.com") in acl
-        assert prefix_user_email("shared@test.com") in acl
-        assert access.is_public is False
-
-    def test_public_persona_sets_public_acl(self) -> None:
-        owner = _make_user("owner@test.com")
-        persona = _make_persona(owner=owner, is_public=True)
-        uf = _make_user_file(owner=owner, assistants=[persona])
-
-        db_session = MagicMock()
-        with patch(
-            "onyx.access.access.fetch_user_files_with_access_relationships",
-            return_value=[uf],
-        ):
-            result = get_access_for_user_files_impl([str(uf.id)], db_session)
-
-        access = result[str(uf.id)]
-        assert access.is_public is True
-        acl = access.to_acl()
-        assert PUBLIC_DOC_PAT in acl

backend/tests/unit/onyx/auth/test_verify_auth_setting.py

@@ -1,54 +0,0 @@
-from unittest.mock import MagicMock
-
-import pytest
-
-import onyx.auth.users as users
-from onyx.auth.users import verify_auth_setting
-from onyx.configs.constants import AuthType
-
-
-def test_verify_auth_setting_raises_for_cloud(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    """Cloud auth type is not valid for self-hosted deployments."""
-    monkeypatch.setenv("AUTH_TYPE", "cloud")
-
-    with pytest.raises(ValueError, match="'cloud' is not a valid auth type"):
-        verify_auth_setting()
-
-
-def test_verify_auth_setting_warns_for_disabled(
-    monkeypatch: pytest.MonkeyPatch,
-) -> None:
-    """Disabled auth type logs a deprecation warning."""
-    monkeypatch.setenv("AUTH_TYPE", "disabled")
-
-    mock_logger = MagicMock()
-    monkeypatch.setattr(users, "logger", mock_logger)
-    monkeypatch.setattr(users, "AUTH_TYPE", AuthType.BASIC)
-
-    verify_auth_setting()
-
-    mock_logger.warning.assert_called_once()
-    assert "no longer supported" in mock_logger.warning.call_args[0][0]
-
-
-@pytest.mark.parametrize(
-    "auth_type",
-    [AuthType.BASIC, AuthType.GOOGLE_OAUTH, AuthType.OIDC, AuthType.SAML],
-)
-def test_verify_auth_setting_valid_auth_types(
-    monkeypatch: pytest.MonkeyPatch,
-    auth_type: AuthType,
-) -> None:
-    """Valid auth types work without errors or warnings."""
-    monkeypatch.setenv("AUTH_TYPE", auth_type.value)
-
-    mock_logger = MagicMock()
-    monkeypatch.setattr(users, "logger", mock_logger)
-    monkeypatch.setattr(users, "AUTH_TYPE", auth_type)
-
-    verify_auth_setting()
-
-    mock_logger.warning.assert_not_called()
-    mock_logger.notice.assert_called_once_with(f"Using Auth Type: {auth_type.value}")

backend/tests/unit/onyx/background/celery/tasks/test_user_file_impl_redis_locking.py

@@ -27,6 +27,7 @@ def _mock_session_returning_none() -> MagicMock:
     """Return a mock session whose .get() returns None (file not found)."""
     session = MagicMock()
     session.get.return_value = None
+    session.execute.return_value.scalar_one_or_none.return_value = None
     return session
 
 
@@ -219,10 +220,6 @@ class TestDeleteUserFileImpl:
 # ------------------------------------------------------------------
 
 
-@patch(
-    f"{TASKS_MODULE}.fetch_user_files_with_access_relationships",
-    return_value=[],
-)
 class TestProjectSyncUserFileImpl:
     @patch(f"{TASKS_MODULE}.get_session_with_current_tenant")
     @patch(f"{TASKS_MODULE}.get_redis_client")
@@ -230,7 +227,6 @@ class TestProjectSyncUserFileImpl:
         self,
         mock_get_redis: MagicMock,
         mock_get_session: MagicMock,
-        _mock_fetch: MagicMock,
     ) -> None:
         redis_client = MagicMock()
         lock = MagicMock()
@@ -259,7 +255,6 @@ class TestProjectSyncUserFileImpl:
         self,
         mock_get_redis: MagicMock,
         mock_get_session: MagicMock,
-        _mock_fetch: MagicMock,
     ) -> None:
         redis_client = MagicMock()
         lock = MagicMock()
@@ -282,7 +277,6 @@ class TestProjectSyncUserFileImpl:
         self,
         mock_get_redis: MagicMock,
         mock_get_session: MagicMock,
-        _mock_fetch: MagicMock,
     ) -> None:
         session = _mock_session_returning_none()
         mock_get_session.return_value.__enter__.return_value = session

backend/tests/unit/onyx/background/celery/tasks/test_user_file_processing_no_vectordb.py

@@ -379,13 +379,10 @@ class TestProjectSyncImplNoVectorDb:
     ) -> None:
         uf = _make_user_file(status=UserFileStatus.COMPLETED)
         session = MagicMock()
+        session.execute.return_value.scalar_one_or_none.return_value = uf
         mock_get_session.return_value.__enter__.return_value = session
 
         with (
-            patch(
-                f"{TASKS_MODULE}.fetch_user_files_with_access_relationships",
-                return_value=[uf],
-            ),
             patch(f"{TASKS_MODULE}.get_all_document_indices") as mock_get_indices,
             patch(f"{TASKS_MODULE}.get_active_search_settings") as mock_get_ss,
             patch(f"{TASKS_MODULE}.httpx_init_vespa_pool") as mock_vespa_pool,
@@ -408,17 +405,14 @@ class TestProjectSyncImplNoVectorDb:
     ) -> None:
         uf = _make_user_file(status=UserFileStatus.COMPLETED)
         session = MagicMock()
+        session.execute.return_value.scalar_one_or_none.return_value = uf
         mock_get_session.return_value.__enter__.return_value = session
 
-        with patch(
-            f"{TASKS_MODULE}.fetch_user_files_with_access_relationships",
-            return_value=[uf],
-        ):
-            project_sync_user_file_impl(
-                user_file_id=str(uf.id),
-                tenant_id="test-tenant",
-                redis_locking=False,
-            )
+        project_sync_user_file_impl(
+            user_file_id=str(uf.id),
+            tenant_id="test-tenant",
+            redis_locking=False,
+        )
 
         assert uf.needs_project_sync is False
         assert uf.needs_persona_sync is False

backend/tests/unit/onyx/error_handling/test_exceptions.py

@@ -15,12 +15,12 @@ class TestOnyxError:
     def test_basic_construction(self) -> None:
         err = OnyxError(OnyxErrorCode.NOT_FOUND, "Session not found")
         assert err.error_code is OnyxErrorCode.NOT_FOUND
-        assert err.detail == "Session not found"
+        assert err.message == "Session not found"
         assert err.status_code == 404
 
     def test_message_defaults_to_code(self) -> None:
         err = OnyxError(OnyxErrorCode.UNAUTHENTICATED)
-        assert err.detail == "UNAUTHENTICATED"
+        assert err.message == "UNAUTHENTICATED"
         assert str(err) == "UNAUTHENTICATED"
 
     def test_status_code_override(self) -> None:
@@ -73,18 +73,18 @@ class TestExceptionHandler:
         assert resp.status_code == 404
         body = resp.json()
         assert body["error_code"] == "NOT_FOUND"
-        assert body["detail"] == "Thing not found"
+        assert body["message"] == "Thing not found"
 
     def test_status_code_override_in_response(self, client: TestClient) -> None:
         resp = client.get("/boom-override")
         assert resp.status_code == 503
         body = resp.json()
         assert body["error_code"] == "BAD_GATEWAY"
-        assert body["detail"] == "upstream 503"
+        assert body["message"] == "upstream 503"
 
     def test_default_message(self, client: TestClient) -> None:
         resp = client.get("/boom-default-msg")
         assert resp.status_code == 401
         body = resp.json()
         assert body["error_code"] == "UNAUTHENTICATED"
-        assert body["detail"] == "UNAUTHENTICATED"
+        assert body["message"] == "UNAUTHENTICATED"

backend/tests/unit/onyx/file_processing/test_xlsx_to_text.py

@@ -1,196 +0,0 @@
-import io
-
-import openpyxl
-
-from onyx.file_processing.extract_file_text import xlsx_to_text
-
-
-def _make_xlsx(sheets: dict[str, list[list[str]]]) -> io.BytesIO:
-    """Create an in-memory xlsx file from a dict of sheet_name -> matrix of strings."""
-    wb = openpyxl.Workbook()
-    if wb.active is not None:
-        wb.remove(wb.active)
-    for sheet_name, rows in sheets.items():
-        ws = wb.create_sheet(title=sheet_name)
-        for row in rows:
-            ws.append(row)
-    buf = io.BytesIO()
-    wb.save(buf)
-    buf.seek(0)
-    return buf
-
-
-class TestXlsxToText:
-    def test_single_sheet_basic(self) -> None:
-        xlsx = _make_xlsx(
-            {
-                "Sheet1": [
-                    ["Name", "Age"],
-                    ["Alice", "30"],
-                    ["Bob", "25"],
-                ]
-            }
-        )
-        result = xlsx_to_text(xlsx)
-        lines = [line for line in result.strip().split("\n") if line.strip()]
-        assert len(lines) == 3
-        assert "Name" in lines[0]
-        assert "Age" in lines[0]
-        assert "Alice" in lines[1]
-        assert "30" in lines[1]
-        assert "Bob" in lines[2]
-
-    def test_multiple_sheets_separated(self) -> None:
-        xlsx = _make_xlsx(
-            {
-                "Sheet1": [["a", "b"]],
-                "Sheet2": [["c", "d"]],
-            }
-        )
-        result = xlsx_to_text(xlsx)
-        # TEXT_SECTION_SEPARATOR is "\n\n"
-        assert "\n\n" in result
-        parts = result.split("\n\n")
-        assert any("a" in p for p in parts)
-        assert any("c" in p for p in parts)
-
-    def test_empty_cells(self) -> None:
-        xlsx = _make_xlsx(
-            {
-                "Sheet1": [
-                    ["a", "", "b"],
-                    ["", "c", ""],
-                ]
-            }
-        )
-        result = xlsx_to_text(xlsx)
-        lines = [line for line in result.strip().split("\n") if line.strip()]
-        assert len(lines) == 2
-
-    def test_commas_in_cells_are_quoted(self) -> None:
-        """Cells containing commas should be quoted in CSV output."""
-        xlsx = _make_xlsx(
-            {
-                "Sheet1": [
-                    ["hello, world", "normal"],
-                ]
-            }
-        )
-        result = xlsx_to_text(xlsx)
-        assert '"hello, world"' in result
-
-    def test_empty_workbook(self) -> None:
-        xlsx = _make_xlsx({"Sheet1": []})
-        result = xlsx_to_text(xlsx)
-        assert result.strip() == ""
-
-    def test_long_empty_row_run_capped(self) -> None:
-        """Runs of >2 empty rows should be capped to 2."""
-        xlsx = _make_xlsx(
-            {
-                "Sheet1": [
-                    ["header"],
-                    [""],
-                    [""],
-                    [""],
-                    [""],
-                    ["data"],
-                ]
-            }
-        )
-        result = xlsx_to_text(xlsx)
-        lines = [line for line in result.strip().split("\n") if line.strip()]
-        # 4 empty rows capped to 2, so: header + 2 empty + data = 4 lines
-        assert len(lines) == 4
-        assert "header" in lines[0]
-        assert "data" in lines[-1]
-
-    def test_long_empty_col_run_capped(self) -> None:
-        """Runs of >2 empty columns should be capped to 2."""
-        xlsx = _make_xlsx(
-            {
-                "Sheet1": [
-                    ["a", "", "", "", "b"],
-                    ["c", "", "", "", "d"],
-                ]
-            }
-        )
-        result = xlsx_to_text(xlsx)
-        lines = [line for line in result.strip().split("\n") if line.strip()]
-        assert len(lines) == 2
-        # Each row should have 4 fields (a + 2 empty + b), not 5
-        # csv format: a,,,b (3 commas = 4 fields)
-        first_line = lines[0].strip()
-        # Count commas to verify column reduction
-        assert first_line.count(",") == 3
-
-    def test_short_empty_runs_kept(self) -> None:
-        """Runs of <=2 empty rows/cols should be preserved."""
-        xlsx = _make_xlsx(
-            {
-                "Sheet1": [
-                    ["a", "b"],
-                    ["", ""],
-                    ["", ""],
-                    ["c", "d"],
-                ]
-            }
-        )
-        result = xlsx_to_text(xlsx)
-        lines = [line for line in result.strip().split("\n") if line.strip()]
-        # All 4 rows preserved (2 empty rows <= threshold)
-        assert len(lines) == 4
-
-    def test_bad_zip_file_returns_empty(self) -> None:
-        bad_file = io.BytesIO(b"not a zip file")
-        result = xlsx_to_text(bad_file, file_name="test.xlsx")
-        assert result == ""
-
-    def test_bad_zip_tilde_file_returns_empty(self) -> None:
-        bad_file = io.BytesIO(b"not a zip file")
-        result = xlsx_to_text(bad_file, file_name="~$temp.xlsx")
-        assert result == ""
-
-    def test_large_sparse_sheet(self) -> None:
-        """A sheet with data, a big empty gap, and more data — gap is capped to 2."""
-        rows: list[list[str]] = [["row1_data"]]
-        rows.extend([[""] for _ in range(10)])
-        rows.append(["row2_data"])
-        xlsx = _make_xlsx({"Sheet1": rows})
-        result = xlsx_to_text(xlsx)
-        lines = [line for line in result.strip().split("\n") if line.strip()]
-        # 10 empty rows capped to 2: row1_data + 2 empty + row2_data = 4
-        assert len(lines) == 4
-        assert "row1_data" in lines[0]
-        assert "row2_data" in lines[-1]
-
-    def test_quotes_in_cells(self) -> None:
-        """Cells containing quotes should be properly escaped."""
-        xlsx = _make_xlsx(
-            {
-                "Sheet1": [
-                    ['say "hello"', "normal"],
-                ]
-            }
-        )
-        result = xlsx_to_text(xlsx)
-        # csv.writer escapes quotes by doubling them
-        assert '""hello""' in result
-
-    def test_each_row_is_separate_line(self) -> None:
-        """Each row should produce its own line (regression for writerow vs writerows)."""
-        xlsx = _make_xlsx(
-            {
-                "Sheet1": [
-                    ["r1c1", "r1c2"],
-                    ["r2c1", "r2c2"],
-                    ["r3c1", "r3c2"],
-                ]
-            }
-        )
-        result = xlsx_to_text(xlsx)
-        lines = [line for line in result.strip().split("\n") if line.strip()]
-        assert len(lines) == 3
-        assert "r1c1" in lines[0] and "r1c2" in lines[0]
-        assert "r2c1" in lines[1] and "r2c2" in lines[1]
-        assert "r3c1" in lines[2] and "r3c2" in lines[2]

backend/tests/unit/onyx/server/features/hierarchy/test_user_access_info.py

@@ -1,43 +0,0 @@
-"""Unit tests for _get_user_access_info helper function.
-
-These tests mock all database operations and don't require a real database.
-"""
-
-from unittest.mock import MagicMock
-from unittest.mock import patch
-
-from sqlalchemy.orm import Session
-
-from onyx.server.features.hierarchy.api import _get_user_access_info
-
-
-def test_get_user_access_info_returns_email_and_groups() -> None:
-    """_get_user_access_info returns the user's email and external group IDs."""
-    mock_user = MagicMock()
-    mock_user.email = "test@example.com"
-    mock_db_session = MagicMock(spec=Session)
-
-    with patch(
-        "onyx.server.features.hierarchy.api.get_user_external_group_ids",
-        return_value=["group1", "group2"],
-    ):
-        email, groups = _get_user_access_info(mock_user, mock_db_session)
-
-    assert email == "test@example.com"
-    assert groups == ["group1", "group2"]
-
-
-def test_get_user_access_info_with_no_groups() -> None:
-    """User with no external groups returns empty list."""
-    mock_user = MagicMock()
-    mock_user.email = "solo@example.com"
-    mock_db_session = MagicMock(spec=Session)
-
-    with patch(
-        "onyx.server.features.hierarchy.api.get_user_external_group_ids",
-        return_value=[],
-    ):
-        email, groups = _get_user_access_info(mock_user, mock_db_session)
-
-    assert email == "solo@example.com"
-    assert groups == []

contributing_guides/dev_setup.md

@@ -158,14 +158,14 @@ python ./scripts/dev_run_background_jobs.py
 To run the backend API server, navigate back to `onyx/backend` and run:
 
 ```bash
-AUTH_TYPE=basic uvicorn onyx.main:app --reload --port 8080
+AUTH_TYPE=disabled uvicorn onyx.main:app --reload --port 8080
 ```
 
 _For Windows (for compatibility with both PowerShell and Command Prompt):_
 
 ```bash
 powershell -Command "
-    $env:AUTH_TYPE='basic'
+    $env:AUTH_TYPE='disabled'
     uvicorn onyx.main:app --reload --port 8080
 "
 ```

deployment/docker_compose/docker-compose.multitenant-dev.yml

@@ -61,9 +61,6 @@ services:
       - POSTGRES_HOST=relational_db
       - POSTGRES_DEFAULT_SCHEMA=${POSTGRES_DEFAULT_SCHEMA:-}
       - VESPA_HOST=index
-      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
-      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - WEB_DOMAIN=${WEB_DOMAIN:-}
       # MinIO configuration
@@ -80,7 +77,6 @@ services:
       - DISABLE_RERANK_FOR_STREAMING=${DISABLE_RERANK_FOR_STREAMING:-}
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - MODEL_SERVER_PORT=${MODEL_SERVER_PORT:-}
-      - CODE_INTERPRETER_BASE_URL=${CODE_INTERPRETER_BASE_URL:-http://code-interpreter:8000}
       - LOG_ONYX_MODEL_INTERACTIONS=${LOG_ONYX_MODEL_INTERACTIONS:-}
       - LOG_VESPA_TIMING_INFORMATION=${LOG_VESPA_TIMING_INFORMATION:-}
       - LOG_ENDPOINT_LATENCY=${LOG_ENDPOINT_LATENCY:-}
@@ -172,9 +168,6 @@ services:
       - POSTGRES_DB=${POSTGRES_DB:-}
       - POSTGRES_DEFAULT_SCHEMA=${POSTGRES_DEFAULT_SCHEMA:-}
       - VESPA_HOST=index
-      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
-      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - WEB_DOMAIN=${WEB_DOMAIN:-}
       # MinIO configuration
@@ -431,50 +424,6 @@ services:
         max-size: "50m"
         max-file: "6"
 
-  opensearch:
-    image: opensearchproject/opensearch:3.4.0
-    restart: unless-stopped
-    # Controls whether this service runs. In order to enable it, add
-    # opensearch-enabled to COMPOSE_PROFILES in the environment for this
-    # docker-compose.
-    # NOTE: Now enabled on by default. To explicitly disable this service,
-    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
-    # list the profile, or when running docker compose, include all desired
-    # service names but this one. Additionally set
-    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
-    # profiles: ["opensearch-enabled"]
-    environment:
-      # We need discovery.type=single-node so that OpenSearch doesn't try
-      # forming a cluster and waiting for other nodes to become live.
-      - discovery.type=single-node
-      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      # This and the JVM config below come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
-      # We do this to avoid unstable performance from page swaps.
-      - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
-      # Java heap should be ~50% of memory limit. For now we assume a limit of
-      # 4g although in practice the container can request more than this.
-      # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
-      # Xms is the starting size, Xmx is the maximum size. These should be the
-      # same.
-      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
-    volumes:
-      - opensearch-data:/usr/share/opensearch/data
-    # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
-    ulimits:
-      # Similarly to bootstrap.memory_lock, we don't want to impose limits on
-      # how much memory a process can lock from being swapped.
-      memlock:
-        soft: -1 # Set memlock to unlimited (no soft or hard limit).
-        hard: -1
-      nofile:
-        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536.
-        hard: 65536
-    logging:
-      driver: json-file
-      options:
-        max-size: "50m"
-        max-file: "6"
-
   nginx:
     image: nginx:1.25.5-alpine
     restart: unless-stopped
@@ -559,5 +508,3 @@ volumes:
   model_cache_huggingface:
   indexing_huggingface_model_cache:
   # mcp_server_logs:
-  # Persistent data for OpenSearch.
-  opensearch-data:

deployment/docker_compose/docker-compose.prod-cloud.yml

@@ -21,9 +21,6 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
-      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
-      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       # MinIO configuration
@@ -58,9 +55,6 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
-      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
-      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - INDEXING_MODEL_SERVER_HOST=${INDEXING_MODEL_SERVER_HOST:-indexing_model_server}
@@ -234,50 +228,6 @@ services:
         max-size: "50m"
         max-file: "6"
 
-  opensearch:
-    image: opensearchproject/opensearch:3.4.0
-    restart: unless-stopped
-    # Controls whether this service runs. In order to enable it, add
-    # opensearch-enabled to COMPOSE_PROFILES in the environment for this
-    # docker-compose.
-    # NOTE: Now enabled on by default. To explicitly disable this service,
-    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
-    # list the profile, or when running docker compose, include all desired
-    # service names but this one. Additionally set
-    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
-    # profiles: ["opensearch-enabled"]
-    environment:
-      # We need discovery.type=single-node so that OpenSearch doesn't try
-      # forming a cluster and waiting for other nodes to become live.
-      - discovery.type=single-node
-      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      # This and the JVM config below come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
-      # We do this to avoid unstable performance from page swaps.
-      - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
-      # Java heap should be ~50% of memory limit. For now we assume a limit of
-      # 4g although in practice the container can request more than this.
-      # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
-      # Xms is the starting size, Xmx is the maximum size. These should be the
-      # same.
-      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
-    volumes:
-      - opensearch-data:/usr/share/opensearch/data
-    # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
-    ulimits:
-      # Similarly to bootstrap.memory_lock, we don't want to impose limits on
-      # how much memory a process can lock from being swapped.
-      memlock:
-        soft: -1 # Set memlock to unlimited (no soft or hard limit).
-        hard: -1
-      nofile:
-        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536.
-        hard: 65536
-    logging:
-      driver: json-file
-      options:
-        max-size: "50m"
-        max-file: "6"
-
   nginx:
     image: nginx:1.25.5-alpine
     restart: unless-stopped
@@ -365,5 +315,3 @@ volumes:
   model_cache_huggingface:
   indexing_huggingface_model_cache:
   # mcp_server_logs:
-  # Persistent data for OpenSearch.
-  opensearch-data:

deployment/docker_compose/docker-compose.prod-no-letsencrypt.yml

@@ -21,12 +21,8 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
-      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
-      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
-      - CODE_INTERPRETER_BASE_URL=${CODE_INTERPRETER_BASE_URL:-http://code-interpreter:8000}
       - USE_IAM_AUTH=${USE_IAM_AUTH}
       - AWS_REGION_NAME=${AWS_REGION_NAME-}
       - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID-}
@@ -72,9 +68,6 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
-      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
-      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - INDEXING_MODEL_SERVER_HOST=${INDEXING_MODEL_SERVER_HOST:-indexing_model_server}
@@ -258,50 +251,6 @@ services:
         max-size: "50m"
         max-file: "6"
 
-  opensearch:
-    image: opensearchproject/opensearch:3.4.0
-    restart: unless-stopped
-    # Controls whether this service runs. In order to enable it, add
-    # opensearch-enabled to COMPOSE_PROFILES in the environment for this
-    # docker-compose.
-    # NOTE: Now enabled on by default. To explicitly disable this service,
-    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
-    # list the profile, or when running docker compose, include all desired
-    # service names but this one. Additionally set
-    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
-    # profiles: ["opensearch-enabled"]
-    environment:
-      # We need discovery.type=single-node so that OpenSearch doesn't try
-      # forming a cluster and waiting for other nodes to become live.
-      - discovery.type=single-node
-      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      # This and the JVM config below come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
-      # We do this to avoid unstable performance from page swaps.
-      - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
-      # Java heap should be ~50% of memory limit. For now we assume a limit of
-      # 4g although in practice the container can request more than this.
-      # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
-      # Xms is the starting size, Xmx is the maximum size. These should be the
-      # same.
-      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
-    volumes:
-      - opensearch-data:/usr/share/opensearch/data
-    # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
-    ulimits:
-      # Similarly to bootstrap.memory_lock, we don't want to impose limits on
-      # how much memory a process can lock from being swapped.
-      memlock:
-        soft: -1 # Set memlock to unlimited (no soft or hard limit).
-        hard: -1
-      nofile:
-        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536.
-        hard: 65536
-    logging:
-      driver: json-file
-      options:
-        max-size: "50m"
-        max-file: "6"
-
   nginx:
     image: nginx:1.25.5-alpine
     restart: unless-stopped
@@ -394,5 +343,3 @@ volumes:
   # mcp_server_logs:
   # Shared volume for persistent document storage (Craft file-system mode)
   file-system:
-  # Persistent data for OpenSearch.
-  opensearch-data:

deployment/docker_compose/docker-compose.prod.yml

@@ -22,12 +22,8 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
-      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
-      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
-      - CODE_INTERPRETER_BASE_URL=${CODE_INTERPRETER_BASE_URL:-http://code-interpreter:8000}
       - USE_IAM_AUTH=${USE_IAM_AUTH}
       - AWS_REGION_NAME=${AWS_REGION_NAME-}
       - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID-}
@@ -77,9 +73,6 @@ services:
       - AUTH_TYPE=${AUTH_TYPE:-oidc}
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
-      - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
-      - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
       - REDIS_HOST=cache
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - INDEXING_MODEL_SERVER_HOST=${INDEXING_MODEL_SERVER_HOST:-indexing_model_server}
@@ -277,50 +270,6 @@ services:
         max-size: "50m"
         max-file: "6"
 
-  opensearch:
-    image: opensearchproject/opensearch:3.4.0
-    restart: unless-stopped
-    # Controls whether this service runs. In order to enable it, add
-    # opensearch-enabled to COMPOSE_PROFILES in the environment for this
-    # docker-compose.
-    # NOTE: Now enabled on by default. To explicitly disable this service,
-    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
-    # list the profile, or when running docker compose, include all desired
-    # service names but this one. Additionally set
-    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
-    # profiles: ["opensearch-enabled"]
-    environment:
-      # We need discovery.type=single-node so that OpenSearch doesn't try
-      # forming a cluster and waiting for other nodes to become live.
-      - discovery.type=single-node
-      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      # This and the JVM config below come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
-      # We do this to avoid unstable performance from page swaps.
-      - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
-      # Java heap should be ~50% of memory limit. For now we assume a limit of
-      # 4g although in practice the container can request more than this.
-      # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
-      # Xms is the starting size, Xmx is the maximum size. These should be the
-      # same.
-      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
-    volumes:
-      - opensearch-data:/usr/share/opensearch/data
-    # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/
-    ulimits:
-      # Similarly to bootstrap.memory_lock, we don't want to impose limits on
-      # how much memory a process can lock from being swapped.
-      memlock:
-        soft: -1 # Set memlock to unlimited (no soft or hard limit).
-        hard: -1
-      nofile:
-        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536.
-        hard: 65536
-    logging:
-      driver: json-file
-      options:
-        max-size: "50m"
-        max-file: "6"
-
   nginx:
     image: nginx:1.25.5-alpine
     restart: unless-stopped
@@ -431,5 +380,3 @@ volumes:
   # mcp_server_logs:
   # Shared volume for persistent document storage (Craft file-system mode)
   file-system:
-  # Persistent data for OpenSearch.
-  opensearch-data:

deployment/docker_compose/docker-compose.search-testing.yml

@@ -21,7 +21,7 @@ services:
     env_file:
       - .env_eval
     environment:
-      - AUTH_TYPE=basic
+      - AUTH_TYPE=disabled
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
       - REDIS_HOST=cache
@@ -58,7 +58,7 @@ services:
     env_file:
       - .env_eval
     environment:
-      - AUTH_TYPE=basic
+      - AUTH_TYPE=disabled
       - POSTGRES_HOST=relational_db
       - VESPA_HOST=index
       - REDIS_HOST=cache

deployment/docker_compose/docker-compose.yml

@@ -57,9 +57,6 @@ services:
         condition: service_started
       index:
         condition: service_started
-      opensearch:
-        condition: service_started
-        required: false
       cache:
         condition: service_started
       inference_model_server:
@@ -81,10 +78,9 @@ services:
       - VESPA_HOST=${VESPA_HOST:-index}
       - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
       - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-false}
       - REDIS_HOST=${REDIS_HOST:-cache}
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
-      - CODE_INTERPRETER_BASE_URL=${CODE_INTERPRETER_BASE_URL:-http://code-interpreter:8000}
       - S3_ENDPOINT_URL=${S3_ENDPOINT_URL:-http://minio:9000}
       - S3_AWS_ACCESS_KEY_ID=${S3_AWS_ACCESS_KEY_ID:-minioadmin}
       - S3_AWS_SECRET_ACCESS_KEY=${S3_AWS_SECRET_ACCESS_KEY:-minioadmin}
@@ -143,19 +139,11 @@ services:
       - path: .env
         required: false
     depends_on:
-      relational_db:
-        condition: service_started
-      index:
-        condition: service_started
-      opensearch:
-        condition: service_started
-        required: false
-      cache:
-        condition: service_started
-      inference_model_server:
-        condition: service_started
-      indexing_model_server:
-        condition: service_started
+      - relational_db
+      - index
+      - cache
+      - inference_model_server
+      - indexing_model_server
     restart: unless-stopped
     environment:
       - FILE_STORE_BACKEND=${FILE_STORE_BACKEND:-s3}
@@ -163,7 +151,7 @@ services:
       - VESPA_HOST=${VESPA_HOST:-index}
       - OPENSEARCH_HOST=${OPENSEARCH_HOST:-opensearch}
       - OPENSEARCH_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:-StrongPassword123!}
-      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-true}
+      - ENABLE_OPENSEARCH_INDEXING_FOR_ONYX=${OPENSEARCH_FOR_ONYX_ENABLED:-false}
       - REDIS_HOST=${REDIS_HOST:-cache}
       - MODEL_SERVER_HOST=${MODEL_SERVER_HOST:-inference_model_server}
       - INDEXING_MODEL_SERVER_HOST=${INDEXING_MODEL_SERVER_HOST:-indexing_model_server}
@@ -418,12 +406,7 @@ services:
     # Controls whether this service runs. In order to enable it, add
     # opensearch-enabled to COMPOSE_PROFILES in the environment for this
     # docker-compose.
-    # NOTE: Now enabled on by default. To explicitly disable this service,
-    # uncomment this profile and ensure COMPOSE_PROFILES in your env does not
-    # list the profile, or when running docker compose, include all desired
-    # service names but this one. Additionally set
-    # OPENSEARCH_FOR_ONYX_ENABLED=false in your env.
-    # profiles: ["opensearch-enabled"]
+    profiles: ["opensearch-enabled"]
     environment:
       # We need discovery.type=single-node so that OpenSearch doesn't try
       # forming a cluster and waiting for other nodes to become live.
@@ -433,11 +416,11 @@ services:
       # We do this to avoid unstable performance from page swaps.
       - bootstrap.memory_lock=true # Disable JVM heap memory swapping.
       # Java heap should be ~50% of memory limit. For now we assume a limit of
-      # 4g although in practice the container can request more than this.
+      # 2g although in practice the container can request more than this.
       # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
       # Xms is the starting size, Xmx is the maximum size. These should be the
       # same.
-      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
+      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
     volumes:
       - opensearch-data:/usr/share/opensearch/data
     # These come from the example in https://docs.opensearch.org/latest/install-and-configure/install-opensearch/docker/

deployment/docker_compose/env.template

@@ -20,12 +20,8 @@ IMAGE_TAG=latest
 
 ## Auth Settings
 ### https://docs.onyx.app/deployment/authentication
-AUTH_TYPE=basic
+AUTH_TYPE=disabled
 # SESSION_EXPIRE_TIME_SECONDS=
-### Recommended for basic auth - used for signing password reset and verification tokens
-### If using install.sh, this will be auto-generated
-### If setting manually, run: openssl rand -hex 32
-USER_AUTH_SECRET=""
 ### Recommend to set this for security
 # ENCRYPTION_KEY_SECRET=
 ### Optional
@@ -71,8 +67,10 @@ POSTGRES_PASSWORD=password
 ## remove s3-filestore from COMPOSE_PROFILES and set FILE_STORE_BACKEND=postgres.
 COMPOSE_PROFILES=s3-filestore
 FILE_STORE_BACKEND=s3
-## Setting for enabling OpenSearch.
-OPENSEARCH_FOR_ONYX_ENABLED=true
+## Settings for enabling OpenSearch. Uncomment these and comment out
+## COMPOSE_PROFILES above.
+# COMPOSE_PROFILES=s3-filestore,opensearch-enabled
+# OPENSEARCH_FOR_ONYX_ENABLED=true
 
 ## MinIO/S3 Configuration (only needed when FILE_STORE_BACKEND=s3)
 S3_ENDPOINT_URL=http://minio:9000

deployment/docker_compose/install.sh

@@ -654,20 +654,17 @@ else
     sed -i.bak "s/^IMAGE_TAG=.*/IMAGE_TAG=$VERSION/" "$ENV_FILE"
     print_success "IMAGE_TAG set to $VERSION"
 
-    # Configure basic authentication (default)
-    sed -i.bak 's/^AUTH_TYPE=.*/AUTH_TYPE=basic/' "$ENV_FILE" 2>/dev/null || true
-    print_success "Basic authentication enabled in configuration"
-
-    # Check if openssl is available
-    if ! command -v openssl &> /dev/null; then
-        print_error "openssl is required to generate secure secrets but was not found."
-        exit 1
+    # Configure authentication settings based on selection
+    if [ "$AUTH_SCHEMA" = "disabled" ]; then
+        # Disable authentication in .env file
+        sed -i.bak 's/^AUTH_TYPE=.*/AUTH_TYPE=disabled/' "$ENV_FILE" 2>/dev/null || true
+        print_success "Authentication disabled in configuration"
+    else
+        # Enable basic authentication
+        sed -i.bak 's/^AUTH_TYPE=.*/AUTH_TYPE=basic/' "$ENV_FILE" 2>/dev/null || true
+        print_success "Basic authentication enabled in configuration"
     fi
 
-    # Generate a secure USER_AUTH_SECRET
-    USER_AUTH_SECRET=$(openssl rand -hex 32)
-    sed -i.bak "s/^USER_AUTH_SECRET=.*/USER_AUTH_SECRET=\"$USER_AUTH_SECRET\"/" "$ENV_FILE" 2>/dev/null || true
-
     # Configure Craft based on flag or if using a craft-* image tag
     # By default, env.template has Craft commented out (disabled)
     if [ "$INCLUDE_CRAFT" = true ] || [[ "$VERSION" == craft-* ]]; then

deployment/helm/charts/onyx/Chart.yaml

@@ -5,7 +5,7 @@ home: https://www.onyx.app/
 sources:
   - "https://github.com/onyx-dot-app/onyx"
 type: application
-version: 0.4.33
+version: 0.4.32
 appVersion: latest
 annotations:
   category: Productivity

deployment/helm/charts/onyx/values.yaml

@@ -76,10 +76,7 @@ vespa:
       memory: 32000Mi
 
 opensearch:
-  # Enabled by default. Override to false and set the appropriate env vars in
-  # the instance-specific values yaml if using AWS-managed OpenSearch, or simply
-  # override to false to entirely disable.
-  enabled: true
+  enabled: false
   # These values are passed to the opensearch subchart.
   # See https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch/values.yaml
 
@@ -1161,10 +1158,8 @@ auth:
   opensearch:
     # Enable or disable this secret entirely. Will remove from env var
     # configurations and remove any created secrets.
-    # Enabled by default. Override to false and set the appropriate env vars in
-    # the instance-specific values yaml if using AWS-managed OpenSearch, or
-    # simply override to false to entirely disable.
-    enabled: true
+    # Set to true when opensearch.enabled is true.
+    enabled: false
     # Overwrite the default secret name, ignored if existingSecret is defined.
     secretName: 'onyx-opensearch'
     # Use a secret specified elsewhere.

web/.gitignore

@@ -47,6 +47,3 @@ next-env.d.ts
 # generated clients ... in particular, the API to the Onyx backend itself!
 /src/lib/generated
 .jest-cache
-
-# storybook
-storybook-static

web/.storybook/Introduction.mdx

@@ -1,115 +0,0 @@
-import { Meta } from "@storybook/blocks";
-
-<Meta title="Getting Started" />
-
-# Onyx Storybook
-
-A living catalog for browsing, testing, and documenting Onyx UI components in isolation.
-
----
-
-## What is this?
-
-This Storybook contains interactive examples of every reusable UI component in the Onyx frontend. Each component has a dedicated page with:
-
-- **Live demos** you can interact with directly
-- **Controls** to tweak props and see how the component responds
-- **Auto-generated docs** showing the full props API
-- **Dark mode toggle** in the toolbar to preview both themes
-
----
-
-## Navigating Storybook
-
-### Sidebar
-
-The left sidebar organizes components by layer:
-
-- **opal/core** — Low-level primitives (`Interactive`, `Hoverable`)
-- **opal/components** — Design system atoms (`Button`, `OpenButton`, `Tag`)
-- **Layouts** — Structural layouts (`Content`, `ContentAction`, `IllustrationContent`)
-- **refresh-components** — App-level components (inputs, modals, tables, text, etc.)
-
-Click any component to see its stories. Click **Docs** to see the auto-generated props table.
-
-### Controls panel
-
-At the bottom of each story, the **Controls** panel lets you change props in real time. Toggle booleans, pick from enums, type in strings — the preview updates instantly.
-
-### Theme toggle
-
-Use the paint roller icon in the top toolbar to switch between **light** and **dark** mode. All components use CSS variables that automatically adapt.
-
----
-
-## Running locally
-
-```bash
-cd web
-npm run storybook        # dev server on :6006
-npm run storybook:build  # static build to storybook-static/
-```
-
----
-
-## Adding a new story
-
-Stories are **co-located** next to their component:
-
-```
-lib/opal/src/components/buttons/Button/
-├── components.tsx       ← the component
-├── Button.stories.tsx   ← the story
-├── styles.css
-└── README.md
-```
-
-### Minimal template
-
-```tsx
-import type { Meta, StoryObj } from "@storybook/react";
-import { MyComponent } from "./MyComponent";
-
-const meta: Meta<typeof MyComponent> = {
-  title: "opal/components/MyComponent",  // sidebar path
-  component: MyComponent,
-  tags: ["autodocs"],                     // auto-generate docs page
-};
-
-export default meta;
-type Story = StoryObj<typeof MyComponent>;
-
-export const Default: Story = {
-  args: {
-    title: "Hello",
-  },
-};
-
-export const WithCustomLayout: Story = {
-  render: () => (
-    <div className="flex gap-2">
-      <MyComponent title="One" />
-      <MyComponent title="Two" />
-    </div>
-  ),
-};
-```
-
-### Conventions
-
-- **Title format:** `opal/core/Name`, `opal/components/Name`, `Layouts/Name`, or `refresh-components/Name`
-- **Tags:** Add `tags: ["autodocs"]` to auto-generate a docs page from props
-- **Decorators:** If your component needs `TooltipPrimitive.Provider` (anything with tooltips), add it as a decorator
-- **Layout:** Use `parameters: { layout: "fullscreen" }` for modals/popovers that use portals
-
----
-
-## Deployment
-
-Production builds deploy to [onyx-storybook.vercel.app](https://onyx-storybook.vercel.app) automatically when PRs touching component files merge to `main`.
-
-Monitored paths:
-
-- `web/lib/opal/**`
-- `web/src/refresh-components/**`
-- `web/.storybook/**`

web/.storybook/README.md

@@ -1,80 +0,0 @@
-# Onyx Storybook
-
-Storybook is an isolated development environment for UI components. It renders each component in a standalone "story" outside of the main app, so you can visually verify appearance, interact with props, and catch regressions without navigating through the full application.
-
-The Onyx Storybook covers the full component library — from low-level `@opal/core` primitives up through `refresh-components` — giving designers and engineers a shared reference for every visual state.
-
-**Production:** [onyx-storybook.vercel.app](https://onyx-storybook.vercel.app)
-
-## Running Locally
-
-```bash
-cd web
-npm run storybook        # dev server on http://localhost:6006
-npm run storybook:build  # static build to storybook-static/
-```
-
-The dev server hot-reloads when you edit a component or story file.
-
-## Writing Stories
-
-Stories are **co-located** next to their component source:
-
-```
-lib/opal/src/core/interactive/
-├── components.tsx              ← the component
-├── Interactive.stories.tsx     ← the story
-└── styles.css
-
-src/refresh-components/buttons/
-├── Button.tsx
-└── Button.stories.tsx
-```
-
-### Minimal Template
-
-```tsx
-import type { Meta, StoryObj } from "@storybook/react";
-import { MyComponent } from "./MyComponent";
-
-const meta: Meta<typeof MyComponent> = {
-  title: "Category/MyComponent",   // sidebar path
-  component: MyComponent,
-  tags: ["autodocs"],               // generates a docs page from props
-};
-
-export default meta;
-type Story = StoryObj<typeof MyComponent>;
-
-export const Default: Story = {
-  args: { label: "Hello" },
-};
-```
-
-### Conventions
-
-- **Title format:** `Core/Name`, `Components/Name`, `Layouts/Name`, or `refresh-components/category/Name`
-- **Tags:** Add `tags: ["autodocs"]` to auto-generate a props docs page
-- **Decorators:** Components that use Radix tooltips need a `TooltipPrimitive.Provider` decorator
-- **Layout:** Use `parameters: { layout: "fullscreen" }` for modals/popovers that use portals
-
-## Dark Mode
-
-Use the theme toggle (paint roller icon) in the Storybook toolbar to switch between light and dark modes. This adds/removes the `dark` class on the preview body, matching the app's `darkMode: "class"` Tailwind config. All color tokens from `colors.css` adapt automatically.
-
-## Deployment
-
-The production Storybook is deployed as a static site on Vercel. The build runs `npm run storybook:build` which outputs to `storybook-static/`, and Vercel serves that directory.
-
-Deploys are triggered on merges to `main` when files in `web/lib/opal/`, `web/src/refresh-components/`, or `web/.storybook/` change.
-
-## Component Layers
-
-The sidebar organizes components by their layer in the design system:
-
-| Layer | Path | Examples |
-|-------|------|----------|
-| **Core** | `lib/opal/src/core/` | Interactive, Hoverable |
-| **Components** | `lib/opal/src/components/` | Button, OpenButton, Tag |
-| **Layouts** | `lib/opal/src/layouts/` | Content, ContentAction, IllustrationContent |
-| **refresh-components** | `src/refresh-components/` | Inputs, tables, modals, text, cards, tiles, etc. |

web/.storybook/main.ts

@@ -1,43 +0,0 @@
-import type { StorybookConfig } from "@storybook/react-vite";
-import path from "path";
-
-const config: StorybookConfig = {
-  stories: [
-    "./*.mdx",
-    "../lib/opal/src/**/*.stories.@(ts|tsx)",
-    "../src/refresh-components/**/*.stories.@(ts|tsx)",
-  ],
-  addons: ["@storybook/addon-essentials", "@storybook/addon-themes"],
-  framework: {
-    name: "@storybook/react-vite",
-    options: {},
-  },
-  staticDirs: ["../public"],
-  docs: {
-    autodocs: "tag",
-  },
-  typescript: {
-    reactDocgen: "react-docgen-typescript",
-  },
-  viteFinal: async (config) => {
-    config.resolve = config.resolve ?? {};
-    config.resolve.alias = {
-      ...config.resolve.alias,
-      "@": path.resolve(__dirname, "../src"),
-      "@opal": path.resolve(__dirname, "../lib/opal/src"),
-      "@public": path.resolve(__dirname, "../public"),
-      // Next.js module stubs for Vite
-      "next/link": path.resolve(__dirname, "mocks/next-link.tsx"),
-      "next/navigation": path.resolve(__dirname, "mocks/next-navigation.tsx"),
-      "next/image": path.resolve(__dirname, "mocks/next-image.tsx"),
-    };
-
-    // Process CSS with Tailwind via PostCSS
-    config.css = config.css ?? {};
-    config.css.postcss = path.resolve(__dirname, "..");
-
-    return config;
-  },
-};
-
-export default config;

web/.storybook/mocks/next-image.tsx

@@ -1,28 +0,0 @@
-import React from "react";
-
-interface ImageProps {
-  src: string;
-  alt: string;
-  width?: number;
-  height?: number;
-  fill?: boolean;
-  [key: string]: unknown;
-}
-
-function Image({ src, alt, width, height, fill, ...props }: ImageProps) {
-  const fillStyle: React.CSSProperties = fill
-    ? { position: "absolute", inset: 0, width: "100%", height: "100%" }
-    : {};
-  return (
-    <img
-      {...(props as React.ImgHTMLAttributes<HTMLImageElement>)}
-      src={src}
-      alt={alt}
-      width={fill ? undefined : width}
-      height={fill ? undefined : height}
-      style={{ ...(props.style as React.CSSProperties), ...fillStyle }}
-    />
-  );
-}
-
-export default Image;

web/.storybook/mocks/next-link.tsx

@@ -1,28 +0,0 @@
-import React from "react";
-
-interface LinkProps {
-  href: string;
-  children: React.ReactNode;
-  [key: string]: unknown;
-}
-
-function Link({
-  href,
-  children,
-  prefetch: _prefetch,
-  scroll: _scroll,
-  shallow: _shallow,
-  replace: _replace,
-  passHref: _passHref,
-  locale: _locale,
-  legacyBehavior: _legacyBehavior,
-  ...props
-}: LinkProps) {
-  return (
-    <a href={href} {...props}>
-      {children}
-    </a>
-  );
-}
-
-export default Link;

web/.storybook/mocks/next-navigation.tsx

@@ -1,30 +0,0 @@
-export function useRouter() {
-  return {
-    push: (_url: string) => {},
-    replace: (_url: string) => {},
-    back: () => {},
-    forward: () => {},
-    refresh: () => {},
-    prefetch: (_url: string) => Promise.resolve(),
-  };
-}
-
-export function usePathname() {
-  return "/";
-}
-
-export function useSearchParams() {
-  return new URLSearchParams() as ReadonlyURLSearchParams;
-}
-
-export function useParams() {
-  return {};
-}
-
-export function redirect(_url: string): never {
-  throw new Error("redirect() called in Storybook");
-}
-
-export function notFound(): never {
-  throw new Error("notFound() called in Storybook");
-}

web/.storybook/preview-head.html

@@ -1,11 +0,0 @@
-<!-- Preconnect for fonts loaded via globals.css @import -->
-<link
-  rel="preconnect"
-  href="https://fonts.googleapis.com"
-  crossorigin="anonymous"
-/>
-<link
-  rel="preconnect"
-  href="https://fonts.gstatic.com"
-  crossorigin="anonymous"
-/>

web/.storybook/preview.ts

@@ -1,27 +0,0 @@
-import type { Preview } from "@storybook/react";
-import { withThemeByClassName } from "@storybook/addon-themes";
-import "../src/app/globals.css";
-
-const preview: Preview = {
-  parameters: {
-    layout: "centered",
-    backgrounds: { disable: true },
-    controls: {
-      matchers: {
-        color: /(background|color)$/i,
-        date: /Date$/i,
-      },
-    },
-  },
-  decorators: [
-    withThemeByClassName({
-      themes: {
-        light: "",
-        dark: "dark",
-      },
-      defaultTheme: "light",
-    }),
-  ],
-};
-
-export default preview;

web/lib/opal/src/components/buttons/Button/Button.stories.tsx

@@ -1,171 +0,0 @@
-import React from "react";
-import type { Meta, StoryObj } from "@storybook/react";
-import { Button } from "@opal/components";
-import { SvgPlus, SvgArrowRight, SvgSettings } from "@opal/icons";
-import * as TooltipPrimitive from "@radix-ui/react-tooltip";
-
-const meta: Meta<typeof Button> = {
-  title: "opal/components/Button",
-  component: Button,
-  tags: ["autodocs"],
-  decorators: [
-    (Story) => (
-      <TooltipPrimitive.Provider>
-        <Story />
-      </TooltipPrimitive.Provider>
-    ),
-  ],
-};
-
-export default meta;
-type Story = StoryObj<typeof Button>;
-
-export const Default: Story = {
-  args: {
-    children: "Button",
-    variant: "default",
-    prominence: "primary",
-  },
-};
-
-const VARIANTS = ["default", "action", "danger"] as const;
-const PROMINENCES = ["primary", "secondary", "tertiary"] as const;
-
-export const VariantProminenceGrid: Story = {
-  render: () => (
-    <div
-      style={{
-        display: "grid",
-        gridTemplateColumns: "auto repeat(3, 1fr)",
-        gap: 12,
-        alignItems: "center",
-      }}
-    >
-      {/* Header row */}
-      <div />
-      {PROMINENCES.map((p) => (
-        <div
-          key={p}
-          style={{
-            fontWeight: 600,
-            textAlign: "center",
-            textTransform: "capitalize",
-          }}
-        >
-          {p}
-        </div>
-      ))}
-
-      {/* Variant rows */}
-      {VARIANTS.map((variant) => (
-        <React.Fragment key={variant}>
-          <div style={{ fontWeight: 600, textTransform: "capitalize" }}>
-            {variant}
-          </div>
-          {PROMINENCES.map((prominence) => (
-            <Button
-              key={`${variant}-${prominence}`}
-              variant={variant}
-              prominence={prominence}
-            >
-              {`${variant} ${prominence}`}
-            </Button>
-          ))}
-        </React.Fragment>
-      ))}
-    </div>
-  ),
-};
-
-export const WithLeftIcon: Story = {
-  args: {
-    icon: SvgPlus,
-    children: "Add item",
-  },
-};
-
-export const WithRightIcon: Story = {
-  args: {
-    rightIcon: SvgArrowRight,
-    children: "Continue",
-  },
-};
-
-export const IconOnly: Story = {
-  args: {
-    icon: SvgSettings,
-  },
-};
-
-export const Sizes: Story = {
-  render: () => (
-    <div style={{ display: "flex", alignItems: "center", gap: 12 }}>
-      {(["lg", "md", "sm", "xs", "2xs", "fit"] as const).map((size) => (
-        <Button key={size} size={size} icon={SvgPlus}>
-          {size}
-        </Button>
-      ))}
-    </div>
-  ),
-};
-
-export const Foldable: Story = {
-  args: {
-    foldable: true,
-    icon: SvgPlus,
-    children: "Add item",
-  },
-};
-
-export const Disabled: Story = {
-  args: {
-    disabled: true,
-    children: "Disabled",
-  },
-};
-
-export const WidthFull: Story = {
-  args: {
-    width: "full",
-    children: "Full width",
-  },
-  decorators: [
-    (Story) => (
-      <div style={{ width: 400 }}>
-        <Story />
-      </div>
-    ),
-  ],
-};
-
-export const AsLink: Story = {
-  args: {
-    href: "https://example.com",
-    children: "Visit site",
-    rightIcon: SvgArrowRight,
-  },
-};
-
-export const WithTooltip: Story = {
-  args: {
-    icon: SvgSettings,
-    tooltip: "Open settings",
-    tooltipSide: "bottom",
-  },
-};
-
-export const ResponsiveHideText: Story = {
-  args: {
-    icon: SvgPlus,
-    children: "Create",
-    responsiveHideText: true,
-  },
-};
-
-export const InternalProminence: Story = {
-  args: {
-    variant: "default",
-    prominence: "internal",
-    children: "Internal",
-  },
-};

web/lib/opal/src/components/buttons/OpenButton/OpenButton.stories.tsx

@@ -1,80 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { OpenButton } from "@opal/components";
-import { SvgSettings } from "@opal/icons";
-import * as TooltipPrimitive from "@radix-ui/react-tooltip";
-
-const meta: Meta<typeof OpenButton> = {
-  title: "opal/components/OpenButton",
-  component: OpenButton,
-  tags: ["autodocs"],
-  decorators: [
-    (Story) => (
-      <TooltipPrimitive.Provider>
-        <Story />
-      </TooltipPrimitive.Provider>
-    ),
-  ],
-};
-
-export default meta;
-type Story = StoryObj<typeof OpenButton>;
-
-export const Default: Story = {
-  args: {
-    children: "Select option",
-  },
-};
-
-export const WithIcon: Story = {
-  args: {
-    icon: SvgSettings,
-    children: "Settings",
-  },
-};
-
-export const Selected: Story = {
-  args: {
-    selected: true,
-    children: "Selected",
-  },
-};
-
-export const Open: Story = {
-  args: {
-    transient: true,
-    children: "Open state",
-  },
-};
-
-export const Disabled: Story = {
-  args: {
-    disabled: true,
-    children: "Disabled",
-  },
-};
-
-export const LightProminence: Story = {
-  args: {
-    prominence: "light",
-    children: "Light prominence",
-  },
-};
-
-export const HeavyProminence: Story = {
-  args: {
-    prominence: "heavy",
-    children: "Heavy prominence",
-  },
-};
-
-export const Sizes: Story = {
-  render: () => (
-    <div style={{ display: "flex", alignItems: "center", gap: 12 }}>
-      {(["lg", "md", "sm", "xs", "2xs"] as const).map((size) => (
-        <OpenButton key={size} size={size}>
-          {size}
-        </OpenButton>
-      ))}
-    </div>
-  ),
-};

web/lib/opal/src/components/tag/Tag.stories.tsx

@@ -1,47 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { Tag } from "@opal/components";
-import { SvgAlertCircle } from "@opal/icons";
-
-const TAG_COLORS = ["green", "purple", "blue", "gray", "amber"] as const;
-
-const meta: Meta<typeof Tag> = {
-  title: "opal/components/Tag",
-  component: Tag,
-  tags: ["autodocs"],
-};
-
-export default meta;
-type Story = StoryObj<typeof Tag>;
-
-export const Default: Story = {
-  args: {
-    title: "Label",
-  },
-};
-
-export const AllColors: Story = {
-  render: () => (
-    <div className="flex items-center gap-2">
-      {TAG_COLORS.map((color) => (
-        <Tag key={color} title={color} color={color} />
-      ))}
-    </div>
-  ),
-};
-
-export const WithIcon: Story = {
-  args: {
-    title: "Alert",
-    icon: SvgAlertCircle,
-  },
-};
-
-export const AllColorsWithIcon: Story = {
-  render: () => (
-    <div className="flex items-center gap-2">
-      {TAG_COLORS.map((color) => (
-        <Tag key={color} title={color} color={color} icon={SvgAlertCircle} />
-      ))}
-    </div>
-  ),
-};

web/lib/opal/src/core/hoverable/Hoverable.stories.tsx

@@ -1,127 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { Hoverable } from "@opal/core";
-import SvgX from "@opal/icons/x";
-
-// ---------------------------------------------------------------------------
-// Shared styles
-// ---------------------------------------------------------------------------
-
-const cardStyle: React.CSSProperties = {
-  display: "flex",
-  alignItems: "center",
-  justifyContent: "space-between",
-  gap: "1rem",
-  padding: "0.75rem 1rem",
-  borderRadius: "0.5rem",
-  border: "1px solid var(--border-02)",
-  background: "var(--background-neutral-01)",
-  minWidth: 220,
-};
-
-const labelStyle: React.CSSProperties = {
-  fontSize: "0.875rem",
-  fontWeight: 500,
-};
-
-// ---------------------------------------------------------------------------
-// Meta
-// ---------------------------------------------------------------------------
-
-const meta: Meta = {
-  title: "Core/Hoverable",
-  tags: ["autodocs"],
-  parameters: {
-    layout: "centered",
-  },
-};
-
-export default meta;
-
-// ---------------------------------------------------------------------------
-// Stories
-// ---------------------------------------------------------------------------
-
-/**
- * Local hover mode -- no `group` prop on the Item.
- * The icon only appears when you hover directly over the Item element itself.
- */
-export const LocalHover: StoryObj = {
-  render: () => (
-    <div style={cardStyle}>
-      <span style={labelStyle}>Hover this card area</span>
-
-      <Hoverable.Item variant="opacity-on-hover">
-        <SvgX width={16} height={16} />
-      </Hoverable.Item>
-    </div>
-  ),
-};
-
-/**
- * Group hover mode -- hovering anywhere inside the Root reveals the Item.
- */
-export const GroupHover: StoryObj = {
-  render: () => (
-    <Hoverable.Root group="card">
-      <div style={cardStyle}>
-        <span style={labelStyle}>Hover anywhere on this card</span>
-
-        <Hoverable.Item group="card" variant="opacity-on-hover">
-          <SvgX width={16} height={16} />
-        </Hoverable.Item>
-      </div>
-    </Hoverable.Root>
-  ),
-};
-
-/**
- * Nested groups demonstrating isolation.
- *
- * - Hovering the outer card reveals only the outer icon.
- * - Hovering the inner card reveals only the inner icon.
- */
-export const NestedGroups: StoryObj = {
-  render: () => (
-    <Hoverable.Root group="outer">
-      <div
-        style={{
-          ...cardStyle,
-          flexDirection: "column",
-          alignItems: "stretch",
-          gap: "0.75rem",
-          padding: "1rem",
-          minWidth: 300,
-        }}
-      >
-        <div
-          style={{
-            display: "flex",
-            alignItems: "center",
-            justifyContent: "space-between",
-          }}
-        >
-          <span style={labelStyle}>Outer card</span>
-
-          <Hoverable.Item group="outer" variant="opacity-on-hover">
-            <SvgX width={16} height={16} />
-          </Hoverable.Item>
-        </div>
-
-        <Hoverable.Root group="inner">
-          <div
-            style={{
-              ...cardStyle,
-              background: "var(--background-neutral-02)",
-            }}
-          >
-            <span style={labelStyle}>Inner card</span>
-
-            <Hoverable.Item group="inner" variant="opacity-on-hover">
-              <SvgX width={16} height={16} />
-            </Hoverable.Item>
-          </div>
-        </Hoverable.Root>
-      </div>
-    </Hoverable.Root>
-  ),
-};

web/lib/opal/src/core/interactive/Interactive.stories.tsx

@@ -1,329 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { Interactive } from "@opal/core";
-
-// ---------------------------------------------------------------------------
-// Variant / Prominence mappings for the matrix story
-// ---------------------------------------------------------------------------
-
-const VARIANT_PROMINENCE_MAP: Record<string, string[]> = {
-  default: ["primary", "secondary", "tertiary", "internal"],
-  action: ["primary", "secondary", "tertiary", "internal"],
-  danger: ["primary", "secondary", "tertiary", "internal"],
-  select: ["light", "heavy"],
-  sidebar: ["light"],
-  none: [],
-};
-
-const SIZE_VARIANTS = ["lg", "md", "sm", "xs", "2xs", "fit"] as const;
-const ROUNDING_VARIANTS = ["default", "compact", "mini"] as const;
-
-// ---------------------------------------------------------------------------
-// Meta
-// ---------------------------------------------------------------------------
-
-const meta: Meta = {
-  title: "Core/Interactive",
-  tags: ["autodocs"],
-  parameters: {
-    layout: "centered",
-  },
-};
-
-export default meta;
-
-// ---------------------------------------------------------------------------
-// Stories
-// ---------------------------------------------------------------------------
-
-/** Basic Interactive.Base + Container with text content. */
-export const Default: StoryObj = {
-  render: () => (
-    <div style={{ display: "flex", gap: "0.75rem", alignItems: "center" }}>
-      <Interactive.Base
-        variant="default"
-        prominence="secondary"
-        onClick={() => {}}
-      >
-        <Interactive.Container border>
-          <span>Secondary</span>
-        </Interactive.Container>
-      </Interactive.Base>
-
-      <Interactive.Base
-        variant="default"
-        prominence="primary"
-        onClick={() => {}}
-      >
-        <Interactive.Container border>
-          <span>Primary</span>
-        </Interactive.Container>
-      </Interactive.Base>
-
-      <Interactive.Base
-        variant="default"
-        prominence="tertiary"
-        onClick={() => {}}
-      >
-        <Interactive.Container border>
-          <span>Tertiary</span>
-        </Interactive.Container>
-      </Interactive.Base>
-    </div>
-  ),
-};
-
-/** All variant x prominence combinations displayed in a grid. */
-export const VariantMatrix: StoryObj = {
-  render: () => (
-    <div style={{ display: "flex", flexDirection: "column", gap: "1.5rem" }}>
-      {Object.entries(VARIANT_PROMINENCE_MAP).map(([variant, prominences]) => (
-        <div key={variant}>
-          <div
-            style={{
-              fontSize: "0.75rem",
-              fontWeight: 600,
-              textTransform: "uppercase",
-              letterSpacing: "0.05em",
-              paddingBottom: "0.5rem",
-            }}
-          >
-            {variant}
-          </div>
-
-          {prominences.length === 0 ? (
-            <Interactive.Base variant="none" onClick={() => {}}>
-              <Interactive.Container border>
-                <span>none (no prominence)</span>
-              </Interactive.Container>
-            </Interactive.Base>
-          ) : (
-            <div style={{ display: "flex", gap: "0.5rem", flexWrap: "wrap" }}>
-              {prominences.map((prominence) => (
-                <div
-                  key={prominence}
-                  style={{
-                    display: "flex",
-                    flexDirection: "column",
-                    alignItems: "center",
-                    gap: "0.25rem",
-                  }}
-                >
-                  <Interactive.Base
-                    // Cast required because the discriminated union can't be
-                    // resolved from dynamic strings at the type level.
-                    {...({ variant, prominence } as any)}
-                    onClick={() => {}}
-                  >
-                    <Interactive.Container border>
-                      <span>{prominence}</span>
-                    </Interactive.Container>
-                  </Interactive.Base>
-                  <span
-                    style={{
-                      fontSize: "0.625rem",
-                      opacity: 0.6,
-                    }}
-                  >
-                    {prominence}
-                  </span>
-                </div>
-              ))}
-            </div>
-          )}
-        </div>
-      ))}
-    </div>
-  ),
-};
-
-/** All heightVariant sizes (lg, md, sm, xs, 2xs, fit). */
-export const Sizes: StoryObj = {
-  render: () => (
-    <div style={{ display: "flex", alignItems: "center", gap: "0.75rem" }}>
-      {SIZE_VARIANTS.map((size) => (
-        <Interactive.Base
-          key={size}
-          variant="default"
-          prominence="secondary"
-          onClick={() => {}}
-        >
-          <Interactive.Container border heightVariant={size}>
-            <span>{size}</span>
-          </Interactive.Container>
-        </Interactive.Base>
-      ))}
-    </div>
-  ),
-};
-
-/** Container with widthVariant="full" stretching to fill its parent. */
-export const WidthFull: StoryObj = {
-  render: () => (
-    <div style={{ width: 400 }}>
-      <Interactive.Base
-        variant="default"
-        prominence="secondary"
-        onClick={() => {}}
-      >
-        <Interactive.Container border widthVariant="full">
-          <span>Full width container</span>
-        </Interactive.Container>
-      </Interactive.Base>
-    </div>
-  ),
-};
-
-/** All rounding variants side by side. */
-export const Rounding: StoryObj = {
-  render: () => (
-    <div style={{ display: "flex", gap: "0.75rem" }}>
-      {ROUNDING_VARIANTS.map((rounding) => (
-        <Interactive.Base
-          key={rounding}
-          variant="default"
-          prominence="secondary"
-          onClick={() => {}}
-        >
-          <Interactive.Container border roundingVariant={rounding}>
-            <span>{rounding}</span>
-          </Interactive.Container>
-        </Interactive.Base>
-      ))}
-    </div>
-  ),
-};
-
-/** Disabled state prevents clicks and shows disabled styling. */
-export const Disabled: StoryObj = {
-  render: () => (
-    <div style={{ display: "flex", gap: "0.75rem" }}>
-      <Interactive.Base
-        variant="default"
-        prominence="secondary"
-        onClick={() => {}}
-        disabled
-      >
-        <Interactive.Container border>
-          <span>Disabled</span>
-        </Interactive.Container>
-      </Interactive.Base>
-
-      <Interactive.Base
-        variant="default"
-        prominence="secondary"
-        onClick={() => {}}
-      >
-        <Interactive.Container border>
-          <span>Enabled</span>
-        </Interactive.Container>
-      </Interactive.Base>
-    </div>
-  ),
-};
-
-/** Transient prop forces the hover/active visual state. */
-export const Transient: StoryObj = {
-  render: () => (
-    <div style={{ display: "flex", gap: "0.75rem" }}>
-      <Interactive.Base
-        variant="default"
-        prominence="secondary"
-        onClick={() => {}}
-        transient
-      >
-        <Interactive.Container border>
-          <span>Forced hover</span>
-        </Interactive.Container>
-      </Interactive.Base>
-
-      <Interactive.Base
-        variant="default"
-        prominence="secondary"
-        onClick={() => {}}
-      >
-        <Interactive.Container border>
-          <span>Normal</span>
-        </Interactive.Container>
-      </Interactive.Base>
-    </div>
-  ),
-};
-
-/** Container with border={true}. */
-export const WithBorder: StoryObj = {
-  render: () => (
-    <div style={{ display: "flex", gap: "0.75rem" }}>
-      <Interactive.Base
-        variant="default"
-        prominence="secondary"
-        onClick={() => {}}
-      >
-        <Interactive.Container border>
-          <span>With border</span>
-        </Interactive.Container>
-      </Interactive.Base>
-
-      <Interactive.Base
-        variant="default"
-        prominence="secondary"
-        onClick={() => {}}
-      >
-        <Interactive.Container>
-          <span>Without border</span>
-        </Interactive.Container>
-      </Interactive.Base>
-    </div>
-  ),
-};
-
-/** Using href to render as a link. */
-export const AsLink: StoryObj = {
-  render: () => (
-    <Interactive.Base variant="action" href="/settings">
-      <Interactive.Container border>
-        <span>Go to Settings</span>
-      </Interactive.Container>
-    </Interactive.Base>
-  ),
-};
-
-/** Select variant with selected and unselected states. */
-export const SelectVariant: StoryObj = {
-  render: () => (
-    <div style={{ display: "flex", gap: "0.75rem" }}>
-      <Interactive.Base
-        variant="select"
-        prominence="light"
-        selected
-        onClick={() => {}}
-      >
-        <Interactive.Container border>
-          <span>Selected (light)</span>
-        </Interactive.Container>
-      </Interactive.Base>
-
-      <Interactive.Base variant="select" prominence="light" onClick={() => {}}>
-        <Interactive.Container border>
-          <span>Unselected (light)</span>
-        </Interactive.Container>
-      </Interactive.Base>
-
-      <Interactive.Base
-        variant="select"
-        prominence="heavy"
-        selected
-        onClick={() => {}}
-      >
-        <Interactive.Container border>
-          <span>Selected (heavy)</span>
-        </Interactive.Container>
-      </Interactive.Base>
-
-      <Interactive.Base variant="select" prominence="heavy" onClick={() => {}}>
-        <Interactive.Container border>
-          <span>Unselected (heavy)</span>
-        </Interactive.Container>
-      </Interactive.Base>
-    </div>
-  ),
-};

web/lib/opal/src/layouts/Content/BodyLayout.stories.tsx

@@ -1,87 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { BodyLayout } from "./BodyLayout";
-import { SvgSettings, SvgStar, SvgRefreshCw } from "@opal/icons";
-
-const meta = {
-  title: "Layouts/BodyLayout",
-  component: BodyLayout,
-  tags: ["autodocs"],
-  parameters: {
-    layout: "centered",
-  },
-} satisfies Meta<typeof BodyLayout>;
-
-export default meta;
-
-type Story = StoryObj<typeof meta>;
-
-// ---------------------------------------------------------------------------
-// Size presets
-// ---------------------------------------------------------------------------
-
-export const MainContent: Story = {
-  args: {
-    sizePreset: "main-content",
-    title: "Last synced 2 minutes ago",
-  },
-};
-
-export const MainUi: Story = {
-  args: {
-    sizePreset: "main-ui",
-    title: "Document count: 1,234",
-  },
-};
-
-export const Secondary: Story = {
-  args: {
-    sizePreset: "secondary",
-    title: "Updated 5 min ago",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// With icon
-// ---------------------------------------------------------------------------
-
-export const WithIcon: Story = {
-  args: {
-    sizePreset: "main-ui",
-    title: "Settings",
-    icon: SvgSettings,
-  },
-};
-
-// ---------------------------------------------------------------------------
-// Orientations
-// ---------------------------------------------------------------------------
-
-export const Vertical: Story = {
-  args: {
-    sizePreset: "main-ui",
-    title: "Stacked layout",
-    icon: SvgStar,
-    orientation: "vertical",
-  },
-};
-
-export const Reverse: Story = {
-  args: {
-    sizePreset: "main-ui",
-    title: "Reverse layout",
-    icon: SvgRefreshCw,
-    orientation: "reverse",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// Prominence
-// ---------------------------------------------------------------------------
-
-export const Muted: Story = {
-  args: {
-    sizePreset: "main-ui",
-    title: "Muted body text",
-    prominence: "muted",
-  },
-};

web/lib/opal/src/layouts/Content/Content.stories.tsx

@@ -1,204 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { Content } from "@opal/layouts";
-import { SvgSettings, SvgStar, SvgRefreshCw } from "@opal/icons";
-import * as TooltipPrimitive from "@radix-ui/react-tooltip";
-
-const meta = {
-  title: "Layouts/Content",
-  component: Content,
-  tags: ["autodocs"],
-  parameters: {
-    layout: "centered",
-  },
-  decorators: [
-    (Story) => (
-      <TooltipPrimitive.Provider>
-        <Story />
-      </TooltipPrimitive.Provider>
-    ),
-  ],
-} satisfies Meta<typeof Content>;
-
-export default meta;
-
-type Story = StoryObj<typeof meta>;
-
-// ---------------------------------------------------------------------------
-// XL stories (sizePreset: headline | section, variant: heading)
-// ---------------------------------------------------------------------------
-
-export const XlHeadline: Story = {
-  args: {
-    sizePreset: "headline",
-    variant: "heading",
-    title: "Welcome to Onyx",
-    description: "Your enterprise search and AI assistant platform.",
-  },
-};
-
-export const XlSection: Story = {
-  args: {
-    sizePreset: "section",
-    variant: "heading",
-    title: "Configuration",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// LG stories (sizePreset: headline | section, variant: section)
-// ---------------------------------------------------------------------------
-
-export const LgHeadline: Story = {
-  args: {
-    sizePreset: "headline",
-    variant: "section",
-    title: "Connectors Overview",
-  },
-};
-
-export const LgSection: Story = {
-  args: {
-    sizePreset: "section",
-    variant: "section",
-    title: "Data Sources",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// MD stories (sizePreset: main-content | main-ui | secondary, variant: section)
-// ---------------------------------------------------------------------------
-
-export const MdMainContent: Story = {
-  args: {
-    sizePreset: "main-content",
-    variant: "section",
-    title: "General Settings",
-    description: "Manage your workspace preferences.",
-    icon: SvgSettings,
-  },
-};
-
-export const MdWithTag: Story = {
-  args: {
-    sizePreset: "main-ui",
-    variant: "section",
-    title: "Knowledge Graph",
-    tag: { title: "Beta", color: "blue" },
-  },
-};
-
-export const MdMuted: Story = {
-  args: {
-    sizePreset: "secondary",
-    variant: "section",
-    title: "Advanced Options",
-    description: "Fine-tune model behavior and parameters.",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// SM stories (sizePreset: main-content | main-ui | secondary, variant: body)
-// ---------------------------------------------------------------------------
-
-export const SmBody: Story = {
-  args: {
-    sizePreset: "secondary",
-    variant: "body",
-    title: "Last synced 2 minutes ago",
-  },
-};
-
-export const SmStacked: Story = {
-  args: {
-    sizePreset: "secondary",
-    variant: "body",
-    title: "Document count",
-    orientation: "stacked",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// Editable
-// ---------------------------------------------------------------------------
-
-export const Editable: Story = {
-  args: {
-    sizePreset: "main-ui",
-    variant: "section",
-    title: "Editable Title",
-    editable: true,
-  },
-};
-
-// ---------------------------------------------------------------------------
-// MD — optional prop
-// ---------------------------------------------------------------------------
-
-export const MdWithOptional: Story = {
-  args: {
-    sizePreset: "main-content",
-    variant: "section",
-    title: "API Key",
-    optional: true,
-  },
-};
-
-// ---------------------------------------------------------------------------
-// MD — auxIcon prop
-// ---------------------------------------------------------------------------
-
-export const MdWithAuxIcon: Story = {
-  args: {
-    sizePreset: "main-content",
-    variant: "section",
-    title: "Connection Status",
-    auxIcon: "warning",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// XL — moreIcon1 / moreIcon2 props
-// ---------------------------------------------------------------------------
-
-export const XlWithMoreIcons: Story = {
-  args: {
-    sizePreset: "headline",
-    variant: "heading",
-    title: "Dashboard",
-    moreIcon1: SvgStar,
-    moreIcon2: SvgRefreshCw,
-  },
-};
-
-// ---------------------------------------------------------------------------
-// SM — prominence: muted
-// ---------------------------------------------------------------------------
-
-export const SmMuted: Story = {
-  args: {
-    sizePreset: "secondary",
-    variant: "body",
-    title: "Updated 5 min ago",
-    prominence: "muted",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// widthVariant: full
-// ---------------------------------------------------------------------------
-
-export const WidthFull: Story = {
-  args: {
-    sizePreset: "main-content",
-    variant: "section",
-    title: "Full Width Content",
-    widthVariant: "full",
-  },
-  decorators: [
-    (Story) => (
-      <div style={{ width: 600, border: "1px dashed gray" }}>
-        <Story />
-      </div>
-    ),
-  ],
-};

web/lib/opal/src/layouts/Content/HeadingLayout.stories.tsx

@@ -1,98 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { HeadingLayout } from "./HeadingLayout";
-import { SvgSettings, SvgStar } from "@opal/icons";
-import * as TooltipPrimitive from "@radix-ui/react-tooltip";
-
-const meta = {
-  title: "Layouts/HeadingLayout",
-  component: HeadingLayout,
-  tags: ["autodocs"],
-  parameters: {
-    layout: "centered",
-  },
-  decorators: [
-    (Story) => (
-      <TooltipPrimitive.Provider>
-        <Story />
-      </TooltipPrimitive.Provider>
-    ),
-  ],
-} satisfies Meta<typeof HeadingLayout>;
-
-export default meta;
-
-type Story = StoryObj<typeof meta>;
-
-// ---------------------------------------------------------------------------
-// Size presets
-// ---------------------------------------------------------------------------
-
-export const Headline: Story = {
-  args: {
-    sizePreset: "headline",
-    title: "Welcome to Onyx",
-    description: "Your enterprise search and AI assistant platform.",
-  },
-};
-
-export const Section: Story = {
-  args: {
-    sizePreset: "section",
-    title: "Configuration",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// With icon
-// ---------------------------------------------------------------------------
-
-export const WithIcon: Story = {
-  args: {
-    sizePreset: "headline",
-    title: "Settings",
-    icon: SvgSettings,
-  },
-};
-
-export const SectionWithIcon: Story = {
-  args: {
-    sizePreset: "section",
-    variant: "section",
-    title: "Favorites",
-    icon: SvgStar,
-  },
-};
-
-// ---------------------------------------------------------------------------
-// Variants
-// ---------------------------------------------------------------------------
-
-export const SectionVariant: Story = {
-  args: {
-    sizePreset: "headline",
-    variant: "section",
-    title: "Inline Icon Heading",
-    icon: SvgSettings,
-  },
-};
-
-// ---------------------------------------------------------------------------
-// Editable
-// ---------------------------------------------------------------------------
-
-export const Editable: Story = {
-  args: {
-    sizePreset: "headline",
-    title: "Click to edit me",
-    editable: true,
-  },
-};
-
-export const EditableSection: Story = {
-  args: {
-    sizePreset: "section",
-    title: "Editable Section Title",
-    editable: true,
-    description: "This title can be edited inline.",
-  },
-};

web/lib/opal/src/layouts/Content/LabelLayout.stories.tsx

@@ -1,154 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { LabelLayout } from "./LabelLayout";
-import { SvgSettings, SvgStar } from "@opal/icons";
-import * as TooltipPrimitive from "@radix-ui/react-tooltip";
-
-const meta = {
-  title: "Layouts/LabelLayout",
-  component: LabelLayout,
-  tags: ["autodocs"],
-  parameters: {
-    layout: "centered",
-  },
-  decorators: [
-    (Story) => (
-      <TooltipPrimitive.Provider>
-        <Story />
-      </TooltipPrimitive.Provider>
-    ),
-  ],
-} satisfies Meta<typeof LabelLayout>;
-
-export default meta;
-
-type Story = StoryObj<typeof meta>;
-
-// ---------------------------------------------------------------------------
-// Size presets
-// ---------------------------------------------------------------------------
-
-export const MainContent: Story = {
-  args: {
-    sizePreset: "main-content",
-    title: "Display Name",
-  },
-};
-
-export const MainUi: Story = {
-  args: {
-    sizePreset: "main-ui",
-    title: "Email Address",
-  },
-};
-
-export const SecondaryPreset: Story = {
-  args: {
-    sizePreset: "secondary",
-    title: "API Key",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// With description
-// ---------------------------------------------------------------------------
-
-export const WithDescription: Story = {
-  args: {
-    sizePreset: "main-content",
-    title: "Workspace Name",
-    description: "The name displayed across your organization.",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// With icon
-// ---------------------------------------------------------------------------
-
-export const WithIcon: Story = {
-  args: {
-    sizePreset: "main-ui",
-    title: "Settings",
-    icon: SvgSettings,
-  },
-};
-
-// ---------------------------------------------------------------------------
-// Optional
-// ---------------------------------------------------------------------------
-
-export const Optional: Story = {
-  args: {
-    sizePreset: "main-content",
-    title: "Phone Number",
-    optional: true,
-  },
-};
-
-// ---------------------------------------------------------------------------
-// Aux icons
-// ---------------------------------------------------------------------------
-
-export const AuxInfoGray: Story = {
-  args: {
-    sizePreset: "main-content",
-    title: "Connection Status",
-    auxIcon: "info-gray",
-  },
-};
-
-export const AuxWarning: Story = {
-  args: {
-    sizePreset: "main-content",
-    title: "Rate Limit",
-    auxIcon: "warning",
-  },
-};
-
-export const AuxError: Story = {
-  args: {
-    sizePreset: "main-content",
-    title: "API Key",
-    auxIcon: "error",
-  },
-};
-
-// ---------------------------------------------------------------------------
-// With tag
-// ---------------------------------------------------------------------------
-
-export const WithTag: Story = {
-  args: {
-    sizePreset: "main-ui",
-    title: "Knowledge Graph",
-    tag: { title: "Beta", color: "blue" },
-  },
-};
-
-// ---------------------------------------------------------------------------
-// Editable
-// ---------------------------------------------------------------------------
-
-export const Editable: Story = {
-  args: {
-    sizePreset: "main-ui",
-    title: "Click to edit",
-    editable: true,
-  },
-};
-
-// ---------------------------------------------------------------------------
-// Combined
-// ---------------------------------------------------------------------------
-
-export const FullFeatured: Story = {
-  args: {
-    sizePreset: "main-content",
-    title: "Custom Field",
-    icon: SvgStar,
-    description: "A custom field with all extras enabled.",
-    optional: true,
-    auxIcon: "info-blue",
-    tag: { title: "New", color: "green" },
-    editable: true,
-  },
-};

web/lib/opal/src/layouts/ContentAction/ContentAction.stories.tsx

@@ -1,69 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { ContentAction } from "@opal/layouts";
-import { Button } from "@opal/components";
-import { SvgSettings } from "@opal/icons";
-import * as TooltipPrimitive from "@radix-ui/react-tooltip";
-import type { Decorator } from "@storybook/react";
-
-const withTooltipProvider: Decorator = (Story) => (
-  <TooltipPrimitive.Provider>
-    <Story />
-  </TooltipPrimitive.Provider>
-);
-
-const meta = {
-  title: "Layouts/ContentAction",
-  component: ContentAction,
-  tags: ["autodocs"],
-  decorators: [withTooltipProvider],
-  parameters: {
-    layout: "centered",
-  },
-} satisfies Meta<typeof ContentAction>;
-
-export default meta;
-
-type Story = StoryObj<typeof meta>;
-
-// ---------------------------------------------------------------------------
-// Stories
-// ---------------------------------------------------------------------------
-
-export const Default: Story = {
-  args: {
-    sizePreset: "main-content",
-    variant: "section",
-    title: "OpenAI",
-    description: "GPT-4o language model provider.",
-    icon: SvgSettings,
-    rightChildren: <Button prominence="tertiary">Edit</Button>,
-  },
-};
-
-export const MultipleActions: Story = {
-  args: {
-    sizePreset: "main-content",
-    variant: "section",
-    title: "Connector",
-    description: "Manage your data source connector.",
-    rightChildren: (
-      <div className="flex items-center gap-2">
-        <Button prominence="tertiary" icon={SvgSettings} />
-        <Button variant="danger" prominence="primary">
-          Delete
-        </Button>
-      </div>
-    ),
-  },
-};
-
-export const NoPadding: Story = {
-  args: {
-    sizePreset: "main-content",
-    variant: "section",
-    title: "Compact Row",
-    description: "No padding around content area.",
-    paddingVariant: "fit",
-    rightChildren: <Button prominence="tertiary">Action</Button>,
-  },
-};

web/lib/opal/src/layouts/IllustrationContent/IllustrationContent.stories.tsx

@@ -1,42 +0,0 @@
-import type { Meta, StoryObj } from "@storybook/react";
-import { IllustrationContent } from "@opal/layouts";
-import { SvgEmpty } from "@opal/illustrations";
-
-const meta = {
-  title: "Layouts/IllustrationContent",
-  component: IllustrationContent,
-  tags: ["autodocs"],
-  parameters: {
-    layout: "centered",
-  },
-} satisfies Meta<typeof IllustrationContent>;
-
-export default meta;
-
-type Story = StoryObj<typeof meta>;
-
-// ---------------------------------------------------------------------------
-// Stories
-// ---------------------------------------------------------------------------
-
-export const Default: Story = {
-  args: {
-    illustration: SvgEmpty,
-    title: "No results found",
-    description: "Try adjusting your search or filters to find what you need.",
-  },
-};
-
-export const TitleOnly: Story = {
-  args: {
-    title: "Nothing here yet",
-  },
-};
-
-export const NoIllustration: Story = {
-  args: {
-    title: "No documents available",
-    description:
-      "Connect a data source to start indexing documents into your workspace.",
-  },
-};