fix(mobile): use fastlane setup_ci for keychain management (official approach)

fix(mobile): use production profiles for PR builds (dev profiles not yet in match repo)
fix(mobile): fix keychain setup - add all WWDR certs and set partition after match import
2026-01-21 09:03:19 -08:00 · 2026-01-06 09:01:24 -06:00 · 2026-01-05 23:22:37 -06:00 · 2026-01-05 22:56:55 -06:00 · 2026-01-05 22:36:39 -06:00 · 2026-01-05 22:27:03 -06:00
702 changed files with 10657 additions and 57215 deletions
--- a/.github/.nvmrc
+++ b/.github/.nvmrc
@@ -1 +1 @@
-24.13.0
+24.12.0
--- a/.github/workflows/build-mobile.yml
+++ b/.github/workflows/build-mobile.yml
@@ -26,9 +26,7 @@ on:
        required: true
      APP_STORE_CONNECT_API_KEY:
        required: true
-      IOS_CERTIFICATE_P12:
-        required: true
-      IOS_CERTIFICATE_PASSWORD:
+      MATCH_PASSWORD:
        required: true
      FASTLANE_TEAM_ID:
        required: true
@@ -84,7 +82,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
@@ -103,7 +101,7 @@ jobs:

      - name: Restore Gradle Cache
        id: cache-gradle-restore
-        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: |
            ~/.gradle/caches
@@ -153,14 +151,14 @@ jobs:
          fi

      - name: Publish Android Artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: release-apk-signed
          path: mobile/build/app/outputs/flutter-apk/*.apk

      - name: Save Gradle Cache
        id: cache-gradle-save
-        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        if: github.ref == 'refs/heads/main'
        with:
          path: |
@@ -181,8 +179,25 @@ jobs:
    runs-on: macos-latest

    steps:
+      - name: Generate token for ios-certs repo
+        id: token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        with:
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
+          owner: immich-app
+          repositories: immich,ios-certs
+
+      - name: Set up match authorization
+        id: match-auth
+        env:
+          TOKEN: ${{ steps.token.outputs.token }}
+        run: |
+          # Create base64-encoded authorization for match
+          echo "base64_token=$(echo -n "x-access-token:${TOKEN}" | base64)" >> $GITHUB_OUTPUT
+
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
@@ -228,43 +243,14 @@ jobs:
          mkdir -p ~/.appstoreconnect/private_keys
          echo "$API_KEY_CONTENT" | base64 --decode > ~/.appstoreconnect/private_keys/AuthKey_${API_KEY_ID}.p8

-      - name: Import Certificate
-        env:
-          IOS_CERTIFICATE_P12: ${{ secrets.IOS_CERTIFICATE_P12 }}
-        working-directory: ./mobile/ios
-        run: |
-          # Decode certificate
-          echo "$IOS_CERTIFICATE_P12" | base64 --decode > certificate.p12
-
-      - name: Create keychain and import certificate
-        env:
-          KEYCHAIN_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
-          CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
-        working-directory: ./mobile/ios
-        run: |
-          # Create keychain
-          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
-          security default-keychain -s build.keychain
-          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
-          security set-keychain-settings -t 3600 -u build.keychain
-
-          # Import certificate
-          security import certificate.p12 -k build.keychain -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
-          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain
-
-          # Verify certificate was imported
-          security find-identity -v -p codesigning build.keychain
-
      - name: Build and deploy to TestFlight
        env:
          FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}
-          IOS_CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
-          KEYCHAIN_NAME: build.keychain
-          KEYCHAIN_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
+          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
+          MATCH_GIT_BASIC_AUTHORIZATION: ${{ steps.match-auth.outputs.base64_token }}
          APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
          APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
          ENVIRONMENT: ${{ inputs.environment || 'development' }}
-          BUNDLE_ID_SUFFIX: ${{ inputs.environment == 'production' && '' || 'development' }}
          GITHUB_REF: ${{ github.ref }}
        working-directory: ./mobile/ios
        run: |
@@ -280,13 +266,8 @@ jobs:
            bundle exec fastlane gha_build_only
          fi

-      - name: Clean up keychain
-        if: always()
-        run: |
-          security delete-keychain build.keychain || true
-
      - name: Upload IPA artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: ios-release-ipa
          path: mobile/ios/Runner.ipa
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -25,7 +25,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -35,7 +35,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -78,7 +78,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -50,7 +50,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/docs-build.yml
+++ b/.github/workflows/docs-build.yml
@@ -60,11 +60,10 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-          fetch-depth: 0

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
@@ -86,7 +85,7 @@ jobs:
        run: pnpm build

      - name: Upload build output
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: docs-build-output
          path: docs/build/
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -125,13 +125,13 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@b868e6e7c8cc212beec876330b4059e661ee44bb # use-mise-action-v1.1.1
+        uses: immich-app/devtools/actions/use-mise@cd24790a7f5f6439ac32cc94f5523cb2de8bfa8c # use-mise-action-v1.1.0

      - name: Load parameters
        id: parameters
--- a/.github/workflows/docs-destroy.yml
+++ b/.github/workflows/docs-destroy.yml
@@ -23,13 +23,13 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@b868e6e7c8cc212beec876330b4059e661ee44bb # use-mise-action-v1.1.1
+        uses: immich-app/devtools/actions/use-mise@cd24790a7f5f6439ac32cc94f5523cb2de8bfa8c # use-mise-action-v1.1.0

      - name: Destroy Docs Subdomain
        env:
--- a/.github/workflows/fix-format.yml
+++ b/.github/workflows/fix-format.yml
@@ -22,7 +22,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: 'Checkout'
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -56,7 +56,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
@@ -136,13 +136,13 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false

      - name: Download APK
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: release-apk-signed
          github-token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -23,7 +23,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
@@ -159,7 +159,7 @@ jobs:

      - name: Create PR
        id: create-pr
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
        with:
          token: ${{ steps.generate-token.outputs.token }}
          commit-message: 'chore: release ${{ steps.bump-type.outputs.next }}'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -58,7 +58,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false
@@ -74,7 +74,7 @@ jobs:
          echo "version=$VERSION" >> $GITHUB_OUTPUT

      - name: Download APK
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: release-apk-signed
          github-token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -22,7 +22,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -55,7 +55,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -69,7 +69,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -114,7 +114,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -161,7 +161,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -203,7 +203,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -247,7 +247,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -285,7 +285,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -298,9 +298,9 @@ jobs:
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install dependencies
-        run: pnpm --filter=immich-i18n install --frozen-lockfile
+        run: pnpm --filter=immich-web install --frozen-lockfile
      - name: Format
-        run: pnpm --filter=immich-i18n format:fix
+        run: pnpm --filter=immich-web format:i18n
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
@@ -333,7 +333,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -379,7 +379,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -418,7 +418,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -473,7 +473,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -505,7 +505,7 @@ jobs:
        run: npx playwright test
        if: ${{ !cancelled() }}
      - name: Archive test results
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: success() || failure()
        with:
          name: e2e-web-test-results-${{ matrix.runner }}
@@ -534,7 +534,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -566,14 +566,17 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Install uv
        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        # TODO: add caching when supported (https://github.com/actions/setup-python/pull/818)
        with:
          python-version: 3.11
+          #cache: 'uv'
      - name: Install dependencies
        run: |
          uv sync --extra cpu
@@ -607,7 +610,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -636,7 +639,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -658,7 +661,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -720,7 +723,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,31 +0,0 @@
-# Contributing to Immich
-
-We appreciate every contribution, and we're happy about every new contributor. So please feel invited to help make Immich a better product!
-
-## Getting started
-
-To get you started quickly we have detailed guides for the dev setup on our [website](https://docs.immich.app/developer/setup). If you prefer, you can also use [Devcontainers](https://docs.immich.app/developer/devcontainers).
-There are also additional resources about Immich's architecture, database migrations, the use of OpenAPI, and more in our [developer documentation](https://docs.immich.app/developer/architecture).
-
-## General
-
-Please try to keep pull requests as focused as possible. A PR should do exactly one thing and not bleed into other, unrelated areas. The smaller a PR, the fewer changes are likely needed, and the quicker it will likely be merged. For larger/more impactful PRs, please reach out to us first to discuss your plans. The best way to do this is through our [Discord](https://discord.immich.app). We have a dedicated `#contributing` channel there. Additionally, please fill out the entire template when opening a PR.
-
-## Finding work
-
-If you are looking for something to work on, there are discussions and issues with a `good-first-issue` label on them. These are always a good starting point. If none of them sound interesting or fit your skill set, feel free to reach out on our Discord. We're happy to help you find something to work on!
-
-## Use of generative AI
-
-We generally discourage PRs entirely generated by an LLM. For any part generated by an LLM, please put extra effort into your self-review. By using generative AI without proper self-review, the time you save ends up being more work we need to put in for proper reviews and code cleanup. Please keep that in mind when submitting code by an LLM. Clearly state the use of LLMs/(generative) AI in your pull request as requested by the template.
-
-## Feature freezes
-
-From time to time, we put a feature freeze on parts of the codebase. For us, this means we won't accept most PRs that make changes in that area. Exempted from this are simple bug fixes that require only minor changes. We will close feature PRs that target a feature-frozen area, even if that feature is highly requested and you put a lot of work into it. Please keep that in mind, and if you're ever uncertain if a PR would be accepted, reach out to us first (e.g., in the aforementioned `#contributing` channel). We hate to throw away work. Currently, we have feature freezes on:
-
-* Sharing/Asset ownership
-* (External) libraries
-
-## Non-code contributions
-
-If you want to contribute to Immich but you don't feel comfortable programming in our tech stack, there are other ways you can help the team. All our translations are done through [Weblate](https://hosted.weblate.org/projects/immich). These rely entirely on the community; if you speak a language that isn't fully translated yet, submitting translations there is greatly appreciated! If you like helping others, answering Q&A discussions here on GitHub and replying to people on our Discord is also always appreciated.
--- a/cli/.nvmrc
+++ b/cli/.nvmrc
@@ -1 +1 @@
-24.13.0
+24.12.0
--- a/cli/package.json
+++ b/cli/package.json
@@ -20,7 +20,7 @@
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.10.8",
+    "@types/node": "^24.10.4",
    "@vitest/coverage-v8": "^3.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
@@ -69,6 +69,6 @@
    "micromatch": "^4.0.8"
  },
  "volta": {
-    "node": "24.13.0"
+    "node": "24.12.0"
  }
 }
--- a/docker/docker-compose.prod.yml
+++ b/docker/docker-compose.prod.yml
@@ -85,7 +85,7 @@ services:
    container_name: immich_prometheus
    ports:
      - 9090:9090
-    image: prom/prometheus@sha256:1f0f50f06acaceb0f5670d2c8a658a599affe7b0d8e78b898c1035653849a702
+    image: prom/prometheus@sha256:2b6f734e372c1b4717008f7d0a0152316aedd4d13ae17ef1e3268dbfaf68041b
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus-data:/prometheus
--- a/docs/.nvmrc
+++ b/docs/.nvmrc
@@ -1 +1 @@
-24.13.0
+24.12.0
--- a/docs/docs/developer/setup.md
+++ b/docs/docs/developer/setup.md
@@ -4,10 +4,6 @@ sidebar_position: 2

 # Setup

-:::warning
-Make sure to read the [`CONTRIBUTING.md`](https://github.com/immich-app/immich/blob/main/CONTRIBUTING.md) before you dive into the code.
-:::
-
 :::note
 If there's a feature you're planning to work on, just give us a heads up in [#contributing](https://discord.com/channels/979116623879368755/1071165397228855327) on [our Discord](https://discord.immich.app) so we can:

--- a/docs/docs/features/mobile-app.mdx
+++ b/docs/docs/features/mobile-app.mdx
@@ -95,3 +95,11 @@ Enter the cloud on the top right -> cog wheel on the top right -> select the syn
 If you delete/move photos in the local album on your device, it will not be reflected in the album on the server **even if** you click Sync albums
 It will only reflect files you add.
 :::
+
+If the same asset is in more than one album it will only sync to the first album it's in, after that it won't sync again even if the user clicks sync albums manually.
+To overcome this limitation, the files must be removed from the ignore list by
+App settings -> Advanced -> Duplicate Assets -> Clear
+
+:::info
+Cleaning duplicate assets from the list will cause all the previously uploaded duplicate files to be re-uploaded, the files will not actually be uploaded and will be rejected on the server side (due to duplication) but will be synchronized to the album and at the end will be added to the ignore list again at the end of the synchronization.
+:::
--- a/docs/docs/features/sharing.md
+++ b/docs/docs/features/sharing.md
@@ -33,7 +33,7 @@ You can create a public link to share a group of photos or videos, or an album,
 The public shared link is generated with a random URL, which acts as as a secret to avoid the link being guessed by unwanted parties, for instance.

 ```
-https://my.immich.app/share/JUckRMxlgpo7F9BpyqGk_cZEwDzaU_U5LU5_oNZp1ETIBa9dpQ0b5ghNm_22QVJfn3k
+https://immich.yourdomain.com/share/JUckRMxlgpo7F9BpyqGk_cZEwDzaU_U5LU5_oNZp1ETIBa9dpQ0b5ghNm_22QVJfn3k
 ```

 ### Creating a public share link
--- a/docs/docs/install/requirements.md
+++ b/docs/docs/install/requirements.md
@@ -17,17 +17,12 @@ Hardware and software requirements for Immich:
  - Immich runs well in a virtualized environment when running in a full virtual machine.
    The use of Docker in LXC containers is [not recommended](https://pve.proxmox.com/wiki/Linux_Container), but may be possible for advanced users.
    If you have issues, we recommend that you switch to a supported VM deployment.
- **RAM**: Minimum 6GB, recommended 8GB.
+- **RAM**: Minimum 4GB, recommended 6GB.
 - **CPU**: Minimum 2 cores, recommended 4 cores.
 - **Storage**: Recommended Unix-compatible filesystem (EXT4, ZFS, APFS, etc.) with support for user/group ownership and permissions.
  - The generation of thumbnails and transcoded video can increase the size of the photo library by 10-20% on average.

-:::note RAM requirements
-For a smooth experience, especially during asset upload, Immich requires at least 6GB of RAM.
-For systems with only 4GB of RAM, Immich can be run with machine learning features disabled.
-:::
-
-:::tip Postgres setup
+:::tip
 Good performance and a stable connection to the Postgres database is critical to a smooth Immich experience.
 The Postgres database files are typically between 1-3 GB in size.
 For this reason, the Postgres database (`DB_DATA_LOCATION`) should ideally use local SSD storage, and never a network share of any kind.
--- a/docs/docusaurus.config.js
+++ b/docs/docusaurus.config.js
@@ -26,12 +26,6 @@ const config = {
    locales: ['en'],
  },

-  // Mermaid diagrams
-  markdown: {
-    mermaid: true,
-  },
-  themes: ['@docusaurus/theme-mermaid'],
-
  plugins: [
    async function myPlugin(context, options) {
      return {
--- a/docs/package.json
+++ b/docs/package.json
@@ -20,7 +20,6 @@
    "@docusaurus/core": "~3.9.0",
    "@docusaurus/preset-classic": "~3.9.0",
    "@docusaurus/theme-common": "~3.9.0",
-    "@docusaurus/theme-mermaid": "~3.9.0",
    "@mdi/js": "^7.3.67",
    "@mdi/react": "^1.6.1",
    "@mdx-js/react": "^3.0.0",
@@ -58,6 +57,6 @@
    "node": ">=20"
  },
  "volta": {
-    "node": "24.13.0"
+    "node": "24.12.0"
  }
 }
--- a/docs/src/css/custom.css
+++ b/docs/src/css/custom.css
@@ -8,19 +8,19 @@
@tailwind utilities;

@font-face {
-  font-family: 'GoogleSans';
-  src: url('/fonts/GoogleSans/GoogleSans.ttf') format('truetype-variations');
-  font-weight: 410 900;
+  font-family: 'Overpass';
+  src: url('/fonts/overpass/Overpass.ttf') format('truetype-variations');
+  font-weight: 1 999;
  font-style: normal;
  ascent-override: 106.25%;
  size-adjust: 106.25%;
 }

@font-face {
-  font-family: 'GoogleSansCode';
-  src: url('/fonts/GoogleSansCode/GoogleSansCode.ttf') format('truetype-variations');
-  font-weight: 1 900;
-  font-style: monospace;
+  font-family: 'Overpass Mono';
+  src: url('/fonts/overpass/OverpassMono.ttf') format('truetype-variations');
+  font-weight: 1 999;
+  font-style: normal;
  ascent-override: 106.25%;
  size-adjust: 106.25%;
 }
@@ -37,8 +37,7 @@ img {

 /* You can override the default Infima variables here. */
 :root {
-  font-family: 'GoogleSans', sans-serif;
-  letter-spacing: 0.1px;
+  font-family: 'Overpass', sans-serif;
  --ifm-color-primary: #4250af;
  --ifm-color-primary-dark: #4250af;
  --ifm-color-primary-darker: #4250af;
@@ -49,16 +48,6 @@ img {
  --docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.1);
 }

-h1,
-h2,
-h3,
-h4,
-h5,
-h6 {
-  font-family: 'GoogleSans', sans-serif;
-  letter-spacing: 0.1px;
-}
-
 /* For readability concerns, you should choose a lighter palette in dark mode. */
 [data-theme='dark'] {
  --ifm-color-primary: #adcbfa;
@@ -82,22 +71,15 @@ div[class^='announcementBar_'] {
  padding: 10px 10px 10px 16px;
  border-radius: 24px;
  margin-right: 16px;
-  font-weight: 500;
 }

 .menu__list-item-collapsible {
  margin-right: 16px;
  border-radius: 24px;
-  font-weight: 500;
 }

 .menu__link--active {
-  font-weight: 600;
-}
-
-.table-of-contents__link {
-  font-size: 14px;
-  font-weight: 450;
+  font-weight: 500;
 }

 /* workaround for version switcher PR 15894 */
@@ -106,14 +88,13 @@ div[class*='navbar__items'] > li:has(a[class*='version-switcher-34ab39']) {
 }

 code {
-  font-weight: 500;
-  font-family: 'GoogleSansCode';
+  font-weight: 600;
 }

 .buy-button {
  padding: 8px 14px;
  border: 1px solid transparent;
-  font-family: 'GoogleSans', sans-serif;
+  font-family: 'Overpass', sans-serif;
  font-weight: 500;
  cursor: pointer;
  box-shadow: 0 0 5px 2px rgba(181, 206, 254, 0.4);
--- a/docs/static/fonts/GoogleSans/GoogleSans.ttf
+++ b/docs/static/fonts/GoogleSans/GoogleSans.ttf
--- a/docs/static/fonts/GoogleSansCode/GoogleSansCode.ttf
+++ b/docs/static/fonts/GoogleSansCode/GoogleSansCode.ttf
--- a/docs/static/fonts/overpass/Overpass-Italic.ttf
+++ b/docs/static/fonts/overpass/Overpass-Italic.ttf
--- a/docs/static/fonts/overpass/Overpass.ttf
+++ b/docs/static/fonts/overpass/Overpass.ttf
--- a/docs/static/fonts/overpass/OverpassMono.ttf
+++ b/docs/static/fonts/overpass/OverpassMono.ttf
--- a/e2e-auth-server/Dockerfile
+++ b/e2e-auth-server/Dockerfile
@@ -1,6 +0,0 @@
-FROM node:24.1.0-alpine3.20@sha256:8fe019e0d57dbdce5f5c27c0b63d2775cf34b00e3755a7dea969802d7e0c2b25
-RUN corepack enable
-ADD package.json *.ts ./
-RUN pnpm install
-EXPOSE 2286
-CMD ["pnpm", "run", "start"]
--- a/e2e-auth-server/package.json
+++ b/e2e-auth-server/package.json
@@ -1,15 +0,0 @@
-{
-  "name": "@immich/e2e-auth-server",
-  "version": "0.1.0",
-  "type": "module",
-  "main": "auth-server.ts",
-  "scripts": {
-    "start": "tsx startup.ts"
-  },
-  "devDependencies": {
-    "jose": "^5.6.3",
-    "@types/oidc-provider": "^9.0.0",
-    "oidc-provider": "^9.0.0",
-    "tsx": "^4.20.6"
-  }
-}
--- a/e2e-auth-server/startup.ts
+++ b/e2e-auth-server/startup.ts
@@ -1,8 +0,0 @@
-import setup from './auth-server'
-
-const teardown = await setup()
-process.on('exit', () => {
-  teardown()
-  console.log('[e2e-auth-server] stopped')
-  process.exit(0)
-})
--- a/e2e/.nvmrc
+++ b/e2e/.nvmrc
@@ -1 +1 @@
-24.13.0
+24.12.0
--- a/e2e/docker-compose.yml
+++ b/e2e/docker-compose.yml
@@ -1,12 +1,6 @@
 name: immich-e2e

 services:
-  e2e-auth-server:
-    build:
-      context: ../e2e-auth-server
-    ports:
-      - 2286:2286
-
  immich-server:
    container_name: immich-e2e-server
    image: immich-server:latest
@@ -33,6 +27,8 @@ services:
      - IMMICH_IGNORE_MOUNT_CHECK_ERRORS=true
    volumes:
      - ./test-assets:/test-assets
+    extra_hosts:
+      - 'auth-server:host-gateway'
    depends_on:
      redis:
        condition: service_started
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -22,12 +22,12 @@
    "@eslint/js": "^9.8.0",
    "@faker-js/faker": "^10.1.0",
    "@immich/cli": "file:../cli",
-    "@immich/e2e-auth-server": "file:../e2e-auth-server",
    "@immich/sdk": "file:../open-api/typescript-sdk",
    "@playwright/test": "^1.44.1",
    "@socket.io/component-emitter": "^3.1.2",
    "@types/luxon": "^3.4.2",
-    "@types/node": "^24.10.8",
+    "@types/node": "^24.10.4",
+    "@types/oidc-provider": "^9.0.0",
    "@types/pg": "^8.15.1",
    "@types/pngjs": "^6.0.4",
    "@types/supertest": "^6.0.2",
@@ -38,7 +38,9 @@
    "eslint-plugin-unicorn": "^62.0.0",
    "exiftool-vendored": "^34.3.0",
    "globals": "^16.0.0",
+    "jose": "^5.6.3",
    "luxon": "^3.4.4",
+    "oidc-provider": "^9.0.0",
    "pg": "^8.11.3",
    "pngjs": "^7.0.0",
    "prettier": "^3.7.4",
@@ -52,6 +54,6 @@
    "vitest": "^3.0.0"
  },
  "volta": {
-    "node": "24.13.0"
+    "node": "24.12.0"
  }
 }
--- a/e2e/playwright.config.ts
+++ b/e2e/playwright.config.ts
@@ -8,7 +8,7 @@ dotenv.config({ path: resolve(import.meta.dirname, '.env') });
 export const playwrightHost = process.env.PLAYWRIGHT_HOST ?? '127.0.0.1';
 export const playwrightDbHost = process.env.PLAYWRIGHT_DB_HOST ?? '127.0.0.1';
 export const playwriteBaseUrl = process.env.PLAYWRIGHT_BASE_URL ?? `http://${playwrightHost}:2285`;
-export const playwriteSlowMo = Number.parseInt(process.env.PLAYWRIGHT_SLOW_MO ?? '0');
+export const playwriteSlowMo = parseInt(process.env.PLAYWRIGHT_SLOW_MO ?? '0');
 export const playwrightDisableWebserver = process.env.PLAYWRIGHT_DISABLE_WEBSERVER;

 process.env.PW_EXPERIMENTAL_SERVICE_WORKER_NETWORK_EVENTS = '1';
@@ -39,13 +39,13 @@ const config: PlaywrightTestConfig = {
      testMatch: /.*\.e2e-spec\.ts/,
      workers: 1,
    },
-    // {
-    //   name: 'parallel tests',
-    //   use: { ...devices['Desktop Chrome'] },
-    //   testMatch: /.*\.parallel-e2e-spec\.ts/,
-    //   fullyParallel: true,
-    //   workers: process.env.CI ? 3 : Math.max(1, Math.round(cpus().length * 0.75) - 1),
-    // },
+    {
+      name: 'parallel tests',
+      use: { ...devices['Desktop Chrome'] },
+      testMatch: /.*\.parallel-e2e-spec\.ts/,
+      fullyParallel: true,
+      workers: process.env.CI ? 3 : Math.max(1, Math.round(cpus().length * 0.75) - 1),
+    },

    // {
    //   name: 'firefox',
--- a/e2e/src/api/specs/database-backups.e2e-spec.ts
+++ b/e2e/src/api/specs/database-backups.e2e-spec.ts
@@ -1,350 +0,0 @@
-import { LoginResponseDto, ManualJobName } from '@immich/sdk';
-import { errorDto } from 'src/responses';
-import { app, utils } from 'src/utils';
-import request from 'supertest';
-import { afterAll, beforeAll, describe, expect, it } from 'vitest';
-
-describe('/admin/database-backups', () => {
-  let cookie: string | undefined;
-  let admin: LoginResponseDto;
-
-  beforeAll(async () => {
-    await utils.resetDatabase();
-    admin = await utils.adminSetup();
-    await utils.resetBackups(admin.accessToken);
-  });
-
-  describe('GET /', async () => {
-    it('should succeed and be empty', async () => {
-      const { status, body } = await request(app)
-        .get('/admin/database-backups')
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toBe(200);
-      expect(body).toEqual({
-        backups: [],
-      });
-    });
-
-    it('should contain a created backup', async () => {
-      await utils.createJob(admin.accessToken, {
-        name: ManualJobName.BackupDatabase,
-      });
-
-      await utils.waitForQueueFinish(admin.accessToken, 'backupDatabase');
-
-      await expect
-        .poll(
-          async () => {
-            const { status, body } = await request(app)
-              .get('/admin/database-backups')
-              .set('Authorization', `Bearer ${admin.accessToken}`);
-
-            expect(status).toBe(200);
-            return body;
-          },
-          {
-            interval: 500,
-            timeout: 10_000,
-          },
-        )
-        .toEqual(
-          expect.objectContaining({
-            backups: [
-              expect.objectContaining({
-                filename: expect.stringMatching(/immich-db-backup-\d{8}T\d{6}-v.*-pg.*\.sql\.gz$/),
-                filesize: expect.any(Number),
-              }),
-            ],
-          }),
-        );
-    });
-  });
-
-  describe('DELETE /', async () => {
-    it('should delete backup', async () => {
-      const filename = await utils.createBackup(admin.accessToken);
-
-      const { status } = await request(app)
-        .delete(`/admin/database-backups`)
-        .set('Authorization', `Bearer ${admin.accessToken}`)
-        .send({ backups: [filename] });
-
-      expect(status).toBe(200);
-
-      const { status: listStatus, body } = await request(app)
-        .get('/admin/database-backups')
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-
-      expect(listStatus).toBe(200);
-      expect(body).toEqual(
-        expect.objectContaining({
-          backups: [],
-        }),
-      );
-    });
-  });
-
-  // => action: restore database flow
-
-  describe.sequential('POST /start-restore', () => {
-    afterAll(async () => {
-      await request(app).post('/admin/maintenance').set('cookie', cookie!).send({ action: 'end' });
-      await utils.poll(
-        () => request(app).get('/server/config'),
-        ({ status, body }) => status === 200 && !body.maintenanceMode,
-      );
-
-      admin = await utils.adminSetup();
-    });
-
-    it.sequential('should not work when the server is configured', async () => {
-      const { status, body } = await request(app).post('/admin/database-backups/start-restore').send();
-
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest('The server already has an admin'));
-    });
-
-    it.sequential('should enter maintenance mode in "database restore mode"', async () => {
-      await utils.resetDatabase(); // reset database before running this test
-
-      const { status, headers } = await request(app).post('/admin/database-backups/start-restore').send();
-
-      expect(status).toBe(201);
-
-      cookie = headers['set-cookie'][0].split(';')[0];
-
-      await expect
-        .poll(
-          async () => {
-            const { status, body } = await request(app).get('/server/config');
-            expect(status).toBe(200);
-            return body.maintenanceMode;
-          },
-          {
-            interval: 500,
-            timeout: 10_000,
-          },
-        )
-        .toBeTruthy();
-
-      const { status: status2, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
-      expect(status2).toBe(200);
-      expect(body).toEqual({
-        active: true,
-        action: 'select_database_restore',
-      });
-    });
-  });
-
-  // => action: restore database
-
-  describe.sequential('POST /backups/restore', () => {
-    beforeAll(async () => {
-      await utils.disconnectDatabase();
-    });
-
-    afterAll(async () => {
-      await utils.connectDatabase();
-    });
-
-    it.sequential('should restore a backup', { timeout: 60_000 }, async () => {
-      let filename = await utils.createBackup(admin.accessToken);
-
-      // work-around until test is running on released version
-      await utils.move(
-        `/data/backups/${filename}`,
-        '/data/backups/immich-db-backup-20260114T184016-v2.5.0-pg14.19.sql.gz',
-      );
-      filename = 'immich-db-backup-20260114T184016-v2.5.0-pg14.19.sql.gz';
-
-      const { status } = await request(app)
-        .post('/admin/maintenance')
-        .set('Authorization', `Bearer ${admin.accessToken}`)
-        .send({
-          action: 'restore_database',
-          restoreBackupFilename: filename,
-        });
-
-      expect(status).toBe(201);
-
-      await expect
-        .poll(
-          async () => {
-            const { status, body } = await request(app).get('/server/config');
-            expect(status).toBe(200);
-            return body.maintenanceMode;
-          },
-          {
-            interval: 500,
-            timeout: 10_000,
-          },
-        )
-        .toBeTruthy();
-
-      const { status: status2, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
-      expect(status2).toBe(200);
-      expect(body).toEqual(
-        expect.objectContaining({
-          active: true,
-          action: 'restore_database',
-        }),
-      );
-
-      await expect
-        .poll(
-          async () => {
-            const { status, body } = await request(app).get('/server/config');
-            expect(status).toBe(200);
-            return body.maintenanceMode;
-          },
-          {
-            interval: 500,
-            timeout: 60_000,
-          },
-        )
-        .toBeFalsy();
-    });
-
-    it.sequential('fail to restore a corrupted backup', { timeout: 60_000 }, async () => {
-      await utils.prepareTestBackup('corrupted');
-
-      const { status, headers } = await request(app)
-        .post('/admin/maintenance')
-        .set('Authorization', `Bearer ${admin.accessToken}`)
-        .send({
-          action: 'restore_database',
-          restoreBackupFilename: 'development-corrupted.sql.gz',
-        });
-
-      expect(status).toBe(201);
-      cookie = headers['set-cookie'][0].split(';')[0];
-
-      await expect
-        .poll(
-          async () => {
-            const { status, body } = await request(app).get('/server/config');
-            expect(status).toBe(200);
-            return body.maintenanceMode;
-          },
-          {
-            interval: 500,
-            timeout: 10_000,
-          },
-        )
-        .toBeTruthy();
-
-      await expect
-        .poll(
-          async () => {
-            const { status, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
-            expect(status).toBe(200);
-            return body;
-          },
-          {
-            interval: 500,
-            timeout: 10_000,
-          },
-        )
-        .toEqual(
-          expect.objectContaining({
-            active: true,
-            action: 'restore_database',
-            error: 'Something went wrong, see logs!',
-          }),
-        );
-
-      const { status: status2, body: body2 } = await request(app)
-        .get('/admin/maintenance/status')
-        .set('cookie', cookie!)
-        .send({ token: 'token' });
-      expect(status2).toBe(200);
-      expect(body2).toEqual(
-        expect.objectContaining({
-          active: true,
-          action: 'restore_database',
-          error: expect.stringContaining('IM CORRUPTED'),
-        }),
-      );
-
-      await request(app).post('/admin/maintenance').set('cookie', cookie!).send({
-        action: 'end',
-      });
-
-      await utils.poll(
-        () => request(app).get('/server/config'),
-        ({ status, body }) => status === 200 && !body.maintenanceMode,
-      );
-    });
-
-    it.sequential('rollback to restore point if backup is missing admin', { timeout: 60_000 }, async () => {
-      await utils.prepareTestBackup('empty');
-
-      const { status, headers } = await request(app)
-        .post('/admin/maintenance')
-        .set('Authorization', `Bearer ${admin.accessToken}`)
-        .send({
-          action: 'restore_database',
-          restoreBackupFilename: 'development-empty.sql.gz',
-        });
-
-      expect(status).toBe(201);
-      cookie = headers['set-cookie'][0].split(';')[0];
-
-      await expect
-        .poll(
-          async () => {
-            const { status, body } = await request(app).get('/server/config');
-            expect(status).toBe(200);
-            return body.maintenanceMode;
-          },
-          {
-            interval: 500,
-            timeout: 10_000,
-          },
-        )
-        .toBeTruthy();
-
-      await expect
-        .poll(
-          async () => {
-            const { status, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
-            expect(status).toBe(200);
-            return body;
-          },
-          {
-            interval: 500,
-            timeout: 30_000,
-          },
-        )
-        .toEqual(
-          expect.objectContaining({
-            active: true,
-            action: 'restore_database',
-            error: 'Something went wrong, see logs!',
-          }),
-        );
-
-      const { status: status2, body: body2 } = await request(app)
-        .get('/admin/maintenance/status')
-        .set('cookie', cookie!)
-        .send({ token: 'token' });
-      expect(status2).toBe(200);
-      expect(body2).toEqual(
-        expect.objectContaining({
-          active: true,
-          action: 'restore_database',
-          error: expect.stringContaining('Server health check failed, no admin exists.'),
-        }),
-      );
-
-      await request(app).post('/admin/maintenance').set('cookie', cookie!).send({
-        action: 'end',
-      });
-
-      await utils.poll(
-        () => request(app).get('/server/config'),
-        ({ status, body }) => status === 200 && !body.maintenanceMode,
-      );
-    });
-  });
-});
--- a/e2e/src/api/specs/maintenance.e2e-spec.ts
+++ b/e2e/src/api/specs/maintenance.e2e-spec.ts
@@ -14,7 +14,6 @@ describe('/admin/maintenance', () => {
    await utils.resetDatabase();
    admin = await utils.adminSetup();
    nonAdmin = await utils.userSetup(admin.accessToken, createUserDto.user1);
-    await utils.resetBackups(admin.accessToken);
  });

  // => outside of maintenance mode
@@ -27,17 +26,6 @@ describe('/admin/maintenance', () => {
    });
  });

-  describe('GET /status', async () => {
-    it('to always indicate we are not in maintenance mode', async () => {
-      const { status, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
-      expect(status).toBe(200);
-      expect(body).toEqual({
-        active: false,
-        action: 'end',
-      });
-    });
-  });
-
  describe('POST /login', async () => {
    it('should not work out of maintenance mode', async () => {
      const { status, body } = await request(app).post('/admin/maintenance/login').send({ token: 'token' });
@@ -51,7 +39,6 @@ describe('/admin/maintenance', () => {
  describe.sequential('POST /', () => {
    it('should require authentication', async () => {
      const { status, body } = await request(app).post('/admin/maintenance').send({
-        active: false,
        action: 'end',
      });
      expect(status).toBe(401);
@@ -82,7 +69,6 @@ describe('/admin/maintenance', () => {
        .send({
          action: 'start',
        });
-
      expect(status).toBe(201);

      cookie = headers['set-cookie'][0].split(';')[0];
@@ -93,13 +79,12 @@ describe('/admin/maintenance', () => {
      await expect
        .poll(
          async () => {
-            const { status, body } = await request(app).get('/server/config');
-            expect(status).toBe(200);
+            const { body } = await request(app).get('/server/config');
            return body.maintenanceMode;
          },
          {
-            interval: 500,
-            timeout: 10_000,
+            interval: 5e2,
+            timeout: 1e4,
          },
        )
        .toBeTruthy();
@@ -117,17 +102,6 @@ describe('/admin/maintenance', () => {
      });
    });

-    describe('GET /status', async () => {
-      it('to indicate we are in maintenance mode', async () => {
-        const { status, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
-        expect(status).toBe(200);
-        expect(body).toEqual({
-          active: true,
-          action: 'start',
-        });
-      });
-    });
-
    describe('POST /login', async () => {
      it('should fail without cookie or token in body', async () => {
        const { status, body } = await request(app).post('/admin/maintenance/login').send({});
@@ -184,13 +158,12 @@ describe('/admin/maintenance', () => {
      await expect
        .poll(
          async () => {
-            const { status, body } = await request(app).get('/server/config');
-            expect(status).toBe(200);
+            const { body } = await request(app).get('/server/config');
            return body.maintenanceMode;
          },
          {
-            interval: 500,
-            timeout: 10_000,
+            interval: 5e2,
+            timeout: 1e4,
          },
        )
        .toBeFalsy();
--- a/e2e/src/api/specs/oauth.e2e-spec.ts
+++ b/e2e/src/api/specs/oauth.e2e-spec.ts
@@ -1,4 +1,3 @@
-import { OAuthClient, OAuthUser } from '@immich/e2e-auth-server';
 import {
  LoginResponseDto,
  SystemConfigOAuthDto,
@@ -9,12 +8,13 @@ import {
 } from '@immich/sdk';
 import { createHash, randomBytes } from 'node:crypto';
 import { errorDto } from 'src/responses';
+import { OAuthClient, OAuthUser } from 'src/setup/auth-server';
 import { app, asBearerAuth, baseUrl, utils } from 'src/utils';
 import request from 'supertest';
 import { beforeAll, describe, expect, it } from 'vitest';

 const authServer = {
-  internal: 'http://e2e-auth-server:2286',
+  internal: 'http://auth-server:2286',
  external: 'http://127.0.0.1:2286',
 };

--- a/e2e/src/generators.ts
+++ b/e2e/src/generators.ts
@@ -26,5 +26,6 @@ export const makeRandomImage = () => {
  if (!value) {
    throw new Error('Ran out of random asset data');
  }
+
  return value;
 };
--- a/e2e/src/generators/timeline/rest-response.ts
+++ b/e2e/src/generators/timeline/rest-response.ts
@@ -346,9 +346,6 @@ export function toAssetResponseDto(asset: MockTimelineAsset, owner?: UserRespons
    duplicateId: null,
    resized: true,
    checksum: asset.checksum,
-    width: exifInfo.exifImageWidth ?? 1,
-    height: exifInfo.exifImageHeight ?? 1,
-    isEdited: false,
  };
 }

--- a/e2e/src/mock-network/timeline-network.ts
+++ b/e2e/src/mock-network/timeline-network.ts
@@ -1,4 +1,3 @@
-import { AssetResponseDto } from '@immich/sdk';
 import { BrowserContext, Page, Request, Route } from '@playwright/test';
 import { basename } from 'node:path';
 import {
@@ -64,33 +63,15 @@ export const setupTimelineMockApiRoutes = async (
  });

  await context.route('**/api/assets/*', async (route, request) => {
-    if (request.method() === 'GET') {
-      const url = new URL(request.url());
-      const pathname = url.pathname;
-      const assetId = basename(pathname);
-      let asset = getAsset(timelineRestData, assetId);
-      if (changes.assetDeletions.includes(asset!.id)) {
-        asset = {
-          ...asset,
-          isTrashed: true,
-        } as AssetResponseDto;
-      }
-      return route.fulfill({
-        status: 200,
-        contentType: 'application/json',
-        json: asset,
-      });
-    }
-    await route.fallback();
-  });
-
-  await context.route('**/api/assets', async (route, request) => {
-    if (request.method() === 'DELETE') {
-      return route.fulfill({
-        status: 204,
-      });
-    }
-    await route.fallback();
+    const url = new URL(request.url());
+    const pathname = url.pathname;
+    const assetId = basename(pathname);
+    const asset = getAsset(timelineRestData, assetId);
+    return route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      json: asset,
+    });
  });

  await context.route('**/api/assets/*/ocr', async (route) => {
@@ -136,28 +117,17 @@ export const setupTimelineMockApiRoutes = async (
  });

  await context.route('**/api/albums/**', async (route, request) => {
-    const albumsMatch = request.url().match(/\/api\/albums\/(?<albumId>[^/?]+)/);
-    if (albumsMatch) {
-      const album = getAlbum(timelineRestData, testContext.adminId, albumsMatch.groups?.albumId, changes);
-      return route.fulfill({
-        status: 200,
-        contentType: 'application/json',
-        json: album,
-      });
+    const pattern = /\/api\/albums\/(?<albumId>[^/?]+)/;
+    const match = request.url().match(pattern);
+    if (!match) {
+      return route.continue();
    }
-    return route.fallback();
-  });
-
-  await context.route('**/api/albums**', async (route, request) => {
-    const allAlbums = request.url().match(/\/api\/albums\?assetId=(?<assetId>[^&]+)/);
-    if (allAlbums) {
-      return route.fulfill({
-        status: 200,
-        contentType: 'application/json',
-        json: [],
-      });
-    }
-    return route.fallback();
+    const album = getAlbum(timelineRestData, testContext.adminId, match.groups?.albumId, changes);
+    return route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      json: album,
+    });
  });
 };

--- a/e2e-auth-server/auth-server.ts
+++ b/e2e-auth-server/auth-server.ts
@@ -125,7 +125,7 @@ const setup = async () => {
    ],
  });

-  const onStart = () => console.log(`[e2e-auth-server] http://${host}:${port}/.well-known/openid-configuration`);
+  const onStart = () => console.log(`[auth-server] http://${host}:${port}/.well-known/openid-configuration`);
  const app = oidc.listen(port, host, onStart);
  return () => app.close();
 };
--- a/e2e/src/utils.ts
+++ b/e2e/src/utils.ts
@@ -6,9 +6,7 @@ import {
  CheckExistingAssetsDto,
  CreateAlbumDto,
  CreateLibraryDto,
-  JobCreateDto,
  MaintenanceAction,
-  ManualJobName,
  MetadataSearchDto,
  Permission,
  PersonCreateDto,
@@ -23,7 +21,6 @@ import {
  checkExistingAssets,
  createAlbum,
  createApiKey,
-  createJob,
  createLibrary,
  createPartner,
  createPerson,
@@ -31,12 +28,10 @@ import {
  createStack,
  createUserAdmin,
  deleteAssets,
-  deleteDatabaseBackup,
  getAssetInfo,
  getConfig,
  getConfigDefaults,
  getQueuesLegacy,
-  listDatabaseBackups,
  login,
  runQueueCommandLegacy,
  scanLibrary,
@@ -57,15 +52,11 @@ import {
 import { BrowserContext } from '@playwright/test';
 import { exec, spawn } from 'node:child_process';
 import { createHash } from 'node:crypto';
-import { createWriteStream, existsSync, mkdirSync, renameSync, rmSync, writeFileSync } from 'node:fs';
-import { mkdtemp } from 'node:fs/promises';
+import { existsSync, mkdirSync, renameSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
-import { dirname, join, resolve } from 'node:path';
-import { Readable } from 'node:stream';
-import { pipeline } from 'node:stream/promises';
+import { dirname, resolve } from 'node:path';
 import { setTimeout as setAsyncTimeout } from 'node:timers/promises';
 import { promisify } from 'node:util';
-import { createGzip } from 'node:zlib';
 import pg from 'pg';
 import { io, type Socket } from 'socket.io-client';
 import { loginDto, signupDto } from 'src/fixtures';
@@ -93,9 +84,8 @@ export const asBearerAuth = (accessToken: string) => ({ Authorization: `Bearer $
 export const asKeyAuth = (key: string) => ({ 'x-api-key': key });
 export const immichCli = (args: string[]) =>
  executeCommand('pnpm', ['exec', 'immich', '-d', `/${tempDir}/immich/`, ...args], { cwd: '../cli' }).promise;
-export const dockerExec = (args: string[]) =>
-  executeCommand('docker', ['exec', '-i', 'immich-e2e-server', '/bin/bash', '-c', args.join(' ')]);
-export const immichAdmin = (args: string[]) => dockerExec([`immich-admin ${args.join(' ')}`]);
+export const immichAdmin = (args: string[]) =>
+  executeCommand('docker', ['exec', '-i', 'immich-e2e-server', '/bin/bash', '-c', `immich-admin ${args.join(' ')}`]);
 export const specialCharStrings = ["'", '"', ',', '{', '}', '*'];
 export const TEN_TIMES = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9];

@@ -159,26 +149,12 @@ const onEvent = ({ event, id }: { event: EventType; id: string }) => {
 };

 export const utils = {
-  connectDatabase: async () => {
-    if (!client) {
-      client = new pg.Client(dbUrl);
-      client.on('end', () => (client = null));
-      client.on('error', () => (client = null));
-      await client.connect();
-    }
-
-    return client;
-  },
-
-  disconnectDatabase: async () => {
-    if (client) {
-      await client.end();
-    }
-  },
-
  resetDatabase: async (tables?: string[]) => {
    try {
-      client = await utils.connectDatabase();
+      if (!client) {
+        client = new pg.Client(dbUrl);
+        await client.connect();
+      }

      tables = tables || [
        // TODO e2e test for deleting a stack, since it is quite complex
@@ -505,9 +481,6 @@ export const utils = {
  tagAssets: (accessToken: string, tagId: string, assetIds: string[]) =>
    tagAssets({ id: tagId, bulkIdsDto: { ids: assetIds } }, { headers: asBearerAuth(accessToken) }),

-  createJob: async (accessToken: string, jobCreateDto: JobCreateDto) =>
-    createJob({ jobCreateDto }, { headers: asBearerAuth(accessToken) }),
-
  queueCommand: async (accessToken: string, name: QueueName, queueCommandDto: QueueCommandDto) =>
    runQueueCommandLegacy({ name, queueCommandDto }, { headers: asBearerAuth(accessToken) }),

@@ -586,45 +559,6 @@ export const utils = {
    mkdirSync(`${testAssetDir}/temp`, { recursive: true });
  },

-  async move(source: string, dest: string) {
-    return executeCommand('docker', ['exec', 'immich-e2e-server', 'mv', source, dest]).promise;
-  },
-
-  createBackup: async (accessToken: string) => {
-    await utils.createJob(accessToken, {
-      name: ManualJobName.BackupDatabase,
-    });
-
-    return utils.poll(
-      () => request(app).get('/admin/database-backups').set('Authorization', `Bearer ${accessToken}`),
-      ({ status, body }) => status === 200 && body.backups.length === 1,
-      ({ body }) => body.backups[0].filename,
-    );
-  },
-
-  resetBackups: async (accessToken: string) => {
-    const { backups } = await listDatabaseBackups({ headers: asBearerAuth(accessToken) });
-
-    const backupFiles = backups.map((b) => b.filename);
-    await deleteDatabaseBackup(
-      { databaseBackupDeleteDto: { backups: backupFiles } },
-      { headers: asBearerAuth(accessToken) },
-    );
-  },
-
-  prepareTestBackup: async (generate: 'empty' | 'corrupted') => {
-    const dir = await mkdtemp(join(tmpdir(), 'test-'));
-    const fn = join(dir, 'file');
-
-    const sql = Readable.from(generate === 'corrupted' ? 'IM CORRUPTED;' : 'SELECT 1;');
-    const gzip = createGzip();
-    const writeStream = createWriteStream(fn);
-    await pipeline(sql, gzip, writeStream);
-
-    await executeCommand('docker', ['cp', fn, `immich-e2e-server:/data/backups/development-${generate}.sql.gz`])
-      .promise;
-  },
-
  resetAdminConfig: async (accessToken: string) => {
    const defaultConfig = await getConfigDefaults({ headers: asBearerAuth(accessToken) });
    await updateConfig({ systemConfigDto: defaultConfig }, { headers: asBearerAuth(accessToken) });
@@ -667,25 +601,6 @@ export const utils = {
    await utils.waitForQueueFinish(accessToken, 'sidecar');
    await utils.waitForQueueFinish(accessToken, 'metadataExtraction');
  },
-
-  async poll<T>(cb: () => Promise<T>, validate: (value: T) => boolean, map?: (value: T) => any) {
-    let timeout = 0;
-    while (true) {
-      try {
-        const data = await cb();
-        if (validate(data)) {
-          return map ? map(data) : data;
-        }
-        timeout++;
-        if (timeout >= 10) {
-          throw 'Could not clean up test.';
-        }
-        await new Promise((resolve) => setTimeout(resolve, 5e2));
-      } catch {
-        // no-op
-      }
-    }
-  },
 };

 utils.initSdk();
--- a/e2e/src/web/specs/asset-viewer/asset-viewer.parallel-e2e-spec.ts
+++ b/e2e/src/web/specs/asset-viewer/asset-viewer.parallel-e2e-spec.ts
@@ -1,269 +0,0 @@
-import { faker } from '@faker-js/faker';
-import { expect, test } from '@playwright/test';
-import {
-  Changes,
-  createDefaultTimelineConfig,
-  generateTimelineData,
-  SeededRandom,
-  selectRandom,
-  TimelineAssetConfig,
-  TimelineData,
-} from 'src/generators/timeline';
-import { setupBaseMockApiRoutes } from 'src/mock-network/base-network';
-import { setupTimelineMockApiRoutes, TimelineTestContext } from 'src/mock-network/timeline-network';
-import { utils } from 'src/utils';
-import { assetViewerUtils } from 'src/web/specs/timeline/utils';
-
-test.describe.configure({ mode: 'parallel' });
-test.describe('asset-viewer', () => {
-  const rng = new SeededRandom(529);
-  let adminUserId: string;
-  let timelineRestData: TimelineData;
-  const assets: TimelineAssetConfig[] = [];
-  const yearMonths: string[] = [];
-  const testContext = new TimelineTestContext();
-  const changes: Changes = {
-    albumAdditions: [],
-    assetDeletions: [],
-    assetArchivals: [],
-    assetFavorites: [],
-  };
-
-  test.beforeAll(async () => {
-    utils.initSdk();
-    adminUserId = faker.string.uuid();
-    testContext.adminId = adminUserId;
-    timelineRestData = generateTimelineData({ ...createDefaultTimelineConfig(), ownerId: adminUserId });
-    for (const timeBucket of timelineRestData.buckets.values()) {
-      assets.push(...timeBucket);
-    }
-    for (const yearMonth of timelineRestData.buckets.keys()) {
-      const [year, month] = yearMonth.split('-');
-      yearMonths.push(`${year}-${Number(month)}`);
-    }
-  });
-
-  test.beforeEach(async ({ context }) => {
-    await setupBaseMockApiRoutes(context, adminUserId);
-    await setupTimelineMockApiRoutes(context, timelineRestData, changes, testContext);
-  });
-
-  test.afterEach(() => {
-    testContext.slowBucket = false;
-    changes.albumAdditions = [];
-    changes.assetDeletions = [];
-    changes.assetArchivals = [];
-    changes.assetFavorites = [];
-  });
-
-  test.describe('/photos/:id', () => {
-    test('Navigate to next asset via button', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
-
-      await page.getByLabel('View next asset').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
-      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index + 1].id}`);
-    });
-
-    test('Navigate to previous asset via button', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
-
-      await page.getByLabel('View previous asset').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
-      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index - 1].id}`);
-    });
-
-    test('Navigate to next asset via keyboard (ArrowRight)', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
-
-      await page.keyboard.press('ArrowRight');
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
-      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index + 1].id}`);
-    });
-
-    test('Navigate to previous asset via keyboard (ArrowLeft)', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
-
-      await page.keyboard.press('ArrowLeft');
-      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
-      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index - 1].id}`);
-    });
-
-    test('Navigate forward 5 times via button', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-
-      for (let i = 1; i <= 5; i++) {
-        await page.getByLabel('View next asset').click();
-        await assetViewerUtils.waitForViewerLoad(page, assets[index + i]);
-        await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index + i].id}`);
-      }
-    });
-
-    test('Navigate backward 5 times via button', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-
-      for (let i = 1; i <= 5; i++) {
-        await page.getByLabel('View previous asset').click();
-        await assetViewerUtils.waitForViewerLoad(page, assets[index - i]);
-        await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index - i].id}`);
-      }
-    });
-
-    test('Navigate forward then backward via keyboard', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-
-      // Navigate forward 3 times
-      for (let i = 1; i <= 3; i++) {
-        await page.keyboard.press('ArrowRight');
-        await assetViewerUtils.waitForViewerLoad(page, assets[index + i]);
-      }
-
-      // Navigate backward 3 times to return to original
-      for (let i = 2; i >= 0; i--) {
-        await page.keyboard.press('ArrowLeft');
-        await assetViewerUtils.waitForViewerLoad(page, assets[index + i]);
-      }
-
-      // Verify we're back at the original asset
-      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
-    });
-
-    test('Verify no next button on last asset', async ({ page }) => {
-      const lastAsset = assets.at(-1)!;
-      await page.goto(`/photos/${lastAsset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, lastAsset);
-
-      // Verify next button doesn't exist
-      await expect(page.getByLabel('View next asset')).toHaveCount(0);
-    });
-
-    test('Verify no previous button on first asset', async ({ page }) => {
-      const firstAsset = assets[0];
-      await page.goto(`/photos/${firstAsset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, firstAsset);
-
-      // Verify previous button doesn't exist
-      await expect(page.getByLabel('View previous asset')).toHaveCount(0);
-    });
-
-    test('Delete photo advances to next', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await page.getByLabel('Delete').click();
-      const index = assets.indexOf(asset);
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
-    });
-    test('Delete photo advances to next (2x)', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await page.getByLabel('Delete').click();
-      const index = assets.indexOf(asset);
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
-      await page.getByLabel('Delete').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 2]);
-    });
-    test('Delete last photo advances to prev', async ({ page }) => {
-      const asset = assets.at(-1)!;
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await page.getByLabel('Delete').click();
-      const index = assets.indexOf(asset);
-      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
-    });
-    test('Delete last photo advances to prev (2x)', async ({ page }) => {
-      const asset = assets.at(-1)!;
-      await page.goto(`/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await page.getByLabel('Delete').click();
-      const index = assets.indexOf(asset);
-      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
-      await page.getByLabel('Delete').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index - 2]);
-    });
-  });
-  test.describe('/trash/photos/:id', () => {
-    test('Delete trashed photo advances to next', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
-      changes.assetDeletions.push(...deletedAssets);
-      await page.goto(`/trash/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await page.getByLabel('Delete').click();
-      // confirm dialog
-      await page.getByRole('button').getByText('Delete').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
-    });
-    test('Delete trashed photo advances to next 2x', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
-      changes.assetDeletions.push(...deletedAssets);
-      await page.goto(`/trash/photos/${asset.id}`);
-      await assetViewerUtils.waitForViewerLoad(page, asset);
-      await page.getByLabel('Delete').click();
-      // confirm dialog
-      await page.getByRole('button').getByText('Delete').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
-      await page.getByLabel('Delete').click();
-      // confirm dialog
-      await page.getByRole('button').getByText('Delete').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 2]);
-    });
-    test('Delete trashed photo advances to prev', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
-      changes.assetDeletions.push(...deletedAssets);
-      await page.goto(`/trash/photos/${assets[index + 9].id}`);
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 9]);
-      await page.getByLabel('Delete').click();
-      // confirm dialog
-      await page.getByRole('button').getByText('Delete').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 8]);
-    });
-    test('Delete trashed photo advances to prev 2x', async ({ page }) => {
-      const asset = selectRandom(assets, rng);
-      const index = assets.indexOf(asset);
-      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
-      changes.assetDeletions.push(...deletedAssets);
-      await page.goto(`/trash/photos/${assets[index + 9].id}`);
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 9]);
-      await page.getByLabel('Delete').click();
-      // confirm dialog
-      await page.getByRole('button').getByText('Delete').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 8]);
-      await page.getByLabel('Delete').click();
-      // confirm dialog
-      await page.getByRole('button').getByText('Delete').click();
-      await assetViewerUtils.waitForViewerLoad(page, assets[index + 7]);
-    });
-  });
-});
--- a/e2e/src/web/specs/database-backups.e2e-spec.ts
+++ b/e2e/src/web/specs/database-backups.e2e-spec.ts
@@ -1,105 +0,0 @@
-import { LoginResponseDto } from '@immich/sdk';
-import { expect, test } from '@playwright/test';
-import { utils } from 'src/utils';
-
-test.describe.configure({ mode: 'serial' });
-
-test.describe('Database Backups', () => {
-  let admin: LoginResponseDto;
-
-  test.beforeAll(async () => {
-    utils.initSdk();
-    await utils.resetDatabase();
-    admin = await utils.adminSetup();
-  });
-
-  test('restore a backup from settings', async ({ context, page }) => {
-    test.setTimeout(60_000);
-
-    await utils.resetBackups(admin.accessToken);
-    const filename = await utils.createBackup(admin.accessToken);
-    await utils.setAuthCookies(context, admin.accessToken);
-
-    // work-around until test is running on released version
-    await utils.move(
-      `/data/backups/${filename}`,
-      '/data/backups/immich-db-backup-20260114T184016-v2.5.0-pg14.19.sql.gz',
-    );
-
-    await page.goto('/admin/maintenance?isOpen=backups');
-    await page.getByRole('button', { name: 'Restore', exact: true }).click();
-    await page.getByRole('dialog').getByRole('button', { name: 'Restore' }).click();
-
-    await page.waitForURL('/maintenance?**');
-    await page.waitForURL('/admin/maintenance**', { timeout: 60_000 });
-  });
-
-  test('handle backup restore failure', async ({ context, page }) => {
-    test.setTimeout(60_000);
-
-    await utils.resetBackups(admin.accessToken);
-    await utils.prepareTestBackup('corrupted');
-    await utils.setAuthCookies(context, admin.accessToken);
-
-    await page.goto('/admin/maintenance?isOpen=backups');
-    await page.getByRole('button', { name: 'Restore', exact: true }).click();
-    await page.getByRole('dialog').getByRole('button', { name: 'Restore' }).click();
-
-    await page.waitForURL('/maintenance?**');
-    await expect(page.getByText('IM CORRUPTED')).toBeVisible({ timeout: 60_000 });
-    await page.getByRole('button', { name: 'End maintenance mode' }).click();
-    await page.waitForURL('/admin/maintenance**');
-  });
-
-  test('rollback to restore point if backup is missing admin', async ({ context, page }) => {
-    test.setTimeout(60_000);
-
-    await utils.resetBackups(admin.accessToken);
-    await utils.prepareTestBackup('empty');
-    await utils.setAuthCookies(context, admin.accessToken);
-
-    await page.goto('/admin/maintenance?isOpen=backups');
-    await page.getByRole('button', { name: 'Restore', exact: true }).click();
-    await page.getByRole('dialog').getByRole('button', { name: 'Restore' }).click();
-
-    await page.waitForURL('/maintenance?**');
-    await expect(page.getByText('Server health check failed, no admin exists.')).toBeVisible({ timeout: 60_000 });
-    await page.getByRole('button', { name: 'End maintenance mode' }).click();
-    await page.waitForURL('/admin/maintenance**');
-  });
-
-  test('restore a backup from onboarding', async ({ context, page }) => {
-    test.setTimeout(60_000);
-
-    await utils.resetBackups(admin.accessToken);
-    const filename = await utils.createBackup(admin.accessToken);
-    await utils.setAuthCookies(context, admin.accessToken);
-
-    // work-around until test is running on released version
-    await utils.move(
-      `/data/backups/${filename}`,
-      '/data/backups/immich-db-backup-20260114T184016-v2.5.0-pg14.19.sql.gz',
-    );
-
-    await utils.resetDatabase();
-
-    await page.goto('/');
-    await page.getByRole('button', { name: 'Restore from backup' }).click();
-
-    try {
-      await page.waitForURL('/maintenance**');
-    } catch {
-      // when chained with the rest of the tests
-      // this navigation may fail..? not sure why...
-      await page.goto('/maintenance');
-      await page.waitForURL('/maintenance**');
-    }
-
-    await page.getByRole('button', { name: 'Next' }).click();
-    await page.getByRole('button', { name: 'Restore', exact: true }).click();
-    await page.getByRole('dialog').getByRole('button', { name: 'Restore' }).click();
-
-    await page.waitForURL('/maintenance?**');
-    await page.waitForURL('/photos', { timeout: 60_000 });
-  });
-});
--- a/e2e/src/web/specs/maintenance.e2e-spec.ts
+++ b/e2e/src/web/specs/maintenance.e2e-spec.ts
@@ -16,12 +16,12 @@ test.describe('Maintenance', () => {
  test('enter and exit maintenance mode', async ({ context, page }) => {
    await utils.setAuthCookies(context, admin.accessToken);

-    await page.goto('/admin/maintenance');
-    await page.getByRole('button', { name: 'Switch to maintenance mode' }).click();
+    await page.goto('/admin/system-settings?isOpen=maintenance');
+    await page.getByRole('button', { name: 'Start maintenance mode' }).click();

    await expect(page.getByText('Temporarily Unavailable')).toBeVisible({ timeout: 10_000 });
    await page.getByRole('button', { name: 'End maintenance mode' }).click();
-    await page.waitForURL('**/admin/maintenance*', { timeout: 10_000 });
+    await page.waitForURL('**/admin/system-settings*', { timeout: 10_000 });
  });

  test('maintenance shows no options to users until they authenticate', async ({ page }) => {
--- a/e2e/src/web/specs/photo-viewer.e2e-spec.ts
+++ b/e2e/src/web/specs/photo-viewer.e2e-spec.ts
@@ -3,7 +3,7 @@ import { Page, expect, test } from '@playwright/test';
 import { utils } from 'src/utils';

 function imageLocator(page: Page) {
-  return page.getByAltText('Image taken').locator('visible=true');
+  return page.getByAltText('Image taken on').locator('visible=true');
 }
 test.describe('Photo Viewer', () => {
  let admin: LoginResponseDto;
--- a/e2e/src/web/specs/timeline/timeline.parallel-e2e-spec.ts
+++ b/e2e/src/web/specs/timeline/timeline.parallel-e2e-spec.ts
@@ -18,6 +18,7 @@ import { pageRoutePromise, setupTimelineMockApiRoutes, TimelineTestContext } fro
 import { utils } from 'src/utils';
 import {
  assetViewerUtils,
+  cancelAllPollers,
  padYearMonth,
  pageUtils,
  poll,
@@ -63,6 +64,7 @@ test.describe('Timeline', () => {
  });

  test.afterEach(() => {
+    cancelAllPollers();
    testContext.slowBucket = false;
    changes.albumAdditions = [];
    changes.assetDeletions = [];
@@ -461,7 +463,7 @@ test.describe('Timeline', () => {
        });
        changes.albumAdditions.push(...requestJson.ids);
      });
-      await page.getByText('Add assets').click();
+      await page.getByText('Done').click();
      await expect(put).resolves.toEqual({
        ids: [
          'c077ea7b-cfa1-45e4-8554-f86c00ee5658',
--- a/e2e/src/web/specs/timeline/utils.ts
+++ b/e2e/src/web/specs/timeline/utils.ts
@@ -23,6 +23,13 @@ export async function throttlePage(context: BrowserContext, page: Page) {
  await session.send('Emulation.setCPUThrottlingRate', { rate: 10 });
 }

+let activePollsAbortController = new AbortController();
+
+export const cancelAllPollers = () => {
+  activePollsAbortController.abort();
+  activePollsAbortController = new AbortController();
+};
+
 export const poll = async <T>(
  page: Page,
  query: () => Promise<T>,
@@ -30,14 +37,21 @@ export const poll = async <T>(
 ) => {
  let result;
  const timeout = Date.now() + 10_000;
+  const signal = activePollsAbortController.signal;

  const terminate = callback || ((result: Awaited<T> | undefined) => !!result);
  while (!terminate(result) && Date.now() < timeout) {
+    if (signal.aborted) {
+      return;
+    }
    try {
      result = await query();
    } catch {
      // ignore
    }
+    if (signal.aborted) {
+      return;
+    }
    if (page.isClosed()) {
      return;
    }
@@ -167,12 +181,8 @@ export const assetViewerUtils = {
  },
  async waitForViewerLoad(page: Page, asset: TimelineAssetConfig) {
    await page
-      .locator(
-        `img[draggable="false"][src="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}&edited=true"]`,
-      )
-      .or(
-        page.locator(`video[poster="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}&edited=true"]`),
-      )
+      .locator(`img[draggable="false"][src="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}"]`)
+      .or(page.locator(`video[poster="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}"]`))
      .waitFor();
  },
  async expectActiveAssetToBe(page: Page, assetId: string) {
--- a/e2e/src/web/specs/user-admin.e2e-spec.ts
+++ b/e2e/src/web/specs/user-admin.e2e-spec.ts
@@ -56,7 +56,7 @@ test.describe('User Administration', () => {
    await expect(page.getByLabel('Admin User')).not.toBeChecked();
    await page.getByLabel('Admin User').click();
    await expect(page.getByLabel('Admin User')).toBeChecked();
-    await page.getByRole('button', { name: 'Save' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();

    await expect
      .poll(async () => {
@@ -85,7 +85,7 @@ test.describe('User Administration', () => {
    await expect(page.getByLabel('Admin User')).toBeChecked();
    await page.getByLabel('Admin User').click();
    await expect(page.getByLabel('Admin User')).not.toBeChecked();
-    await page.getByRole('button', { name: 'Save' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();

    await expect
      .poll(async () => {
--- a/e2e/vitest.config.ts
+++ b/e2e/vitest.config.ts
@@ -1,7 +1,7 @@
 import { defineConfig } from 'vitest/config';

 // skip `docker compose up` if `make e2e` was already run
-const globalSetup: string[] = [];
+const globalSetup: string[] = ['src/setup/auth-server.ts'];
 try {
  await fetch('http://127.0.0.1:2285/api/server-info/ping');
 } catch {
--- a/i18n/.prettierrc
+++ b/i18n/.prettierrc
@@ -1,5 +0,0 @@
-{
-  "jsonRecursiveSort": true,
-  "jsonSortOrder": "{\"/.*/\": \"lexical\"}",
-  "plugins": ["prettier-plugin-sort-json"]
-}
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -18,7 +18,6 @@
  "add_a_title": "Add a title",
  "add_action": "Add action",
  "add_action_description": "Click to add an action to perform",
-  "add_assets": "Add assets",
  "add_birthday": "Add a birthday",
  "add_endpoint": "Add endpoint",
  "add_exclusion_pattern": "Add exclusion pattern",
@@ -188,21 +187,10 @@
    "machine_learning_smart_search_enabled": "Enable smart search",
    "machine_learning_smart_search_enabled_description": "If disabled, images will not be encoded for smart search.",
    "machine_learning_url_description": "The URL of the machine learning server. If more than one URL is provided, each server will be attempted one-at-a-time until one responds successfully, in order from first to last. Servers that don't respond will be temporarily ignored until they come back online.",
-    "maintenance_delete_backup": "Delete Backup",
-    "maintenance_delete_backup_description": "This file will be irrevocably deleted.",
-    "maintenance_delete_error": "Failed to delete backup.",
-    "maintenance_restore_backup": "Restore Backup",
-    "maintenance_restore_backup_description": "Immich will be wiped and restored from the chosen backup. A backup will be created before continuing.",
-    "maintenance_restore_backup_different_version": "This backup was created with a different version of Immich!",
-    "maintenance_restore_backup_unknown_version": "Couldn't determine backup version.",
-    "maintenance_restore_database_backup": "Restore database backup",
-    "maintenance_restore_database_backup_description": "Rollback to an earlier database state using a backup file",
    "maintenance_settings": "Maintenance",
    "maintenance_settings_description": "Put Immich into maintenance mode.",
-    "maintenance_start": "Switch to maintenance mode",
+    "maintenance_start": "Start maintenance mode",
    "maintenance_start_error": "Failed to start maintenance mode.",
-    "maintenance_upload_backup": "Upload database backup file",
-    "maintenance_upload_backup_error": "Could not upload backup, is it an .sql/.sql.gz file?",
    "manage_concurrency": "Manage Concurrency",
    "manage_concurrency_description": "Navigate to the jobs page to manage job concurrency",
    "manage_log_settings": "Manage log settings",
@@ -490,7 +478,6 @@
  "album_summary": "Album summary",
  "album_updated": "Album updated",
  "album_updated_setting_description": "Receive an email notification when a shared album has new assets",
-  "album_upload_assets": "Upload assets from your computer and add to album",
  "album_user_left": "Left {album}",
  "album_user_removed": "Removed {user}",
  "album_viewer_appbar_delete_confirm": "Are you sure you want to delete this album from your account?",
@@ -614,7 +601,7 @@
  "backup_album_selection_page_select_albums": "Select albums",
  "backup_album_selection_page_selection_info": "Selection Info",
  "backup_album_selection_page_total_assets": "Total unique assets",
-  "backup_albums_sync": "Backup Albums Synchronization",
+  "backup_albums_sync": "Backup albums synchronization",
  "backup_all": "All",
  "backup_background_service_backup_failed_message": "Failed to backup assets. Retrying…",
  "backup_background_service_complete_notification": "Asset backup complete",
@@ -747,18 +734,6 @@
  "checksum": "Checksum",
  "choose_matching_people_to_merge": "Choose matching people to merge",
  "city": "City",
-  "cleanup_confirm_description": "Immich found {count} assets (created before {date}) safely backed up to the server. Remove the local copies from this device?",
-  "cleanup_confirm_prompt_title": "Remove from this device?",
-  "cleanup_deleted_assets": "Moved {count} assets to device trash",
-  "cleanup_deleting": "Moving to trash...",
-  "cleanup_filter_description": "Choose which types of assets to remove in the cleanup",
-  "cleanup_found_assets": "Found {count} backed up assets",
-  "cleanup_icloud_shared_albums_excluded": "iCloud Shared Albums are excluded from the scan",
-  "cleanup_no_assets_found": "No backed up assets found matching your criteria",
-  "cleanup_preview_title": "Assets to remove ({count})",
-  "cleanup_step3_description": "Scan for photos and videos that have been backed up to the server with the selected cutoff date and filter options",
-  "cleanup_step4_summary": "{count} assets created before {date} are queued for removal from your device",
-  "cleanup_trash_hint": "To fully reclaim storage space, open the system gallery app and empty the trash",
  "clear": "Clear",
  "clear_all": "Clear all",
  "clear_all_recent_searches": "Clear all recent searches",
@@ -844,20 +819,13 @@
  "created_at": "Created",
  "creating_linked_albums": "Creating linked albums...",
  "crop": "Crop",
-  "crop_aspect_ratio_fixed": "Fixed",
-  "crop_aspect_ratio_free": "Free",
-  "crop_aspect_ratio_original": "Original",
  "curated_object_page_title": "Things",
  "current_device": "Current device",
  "current_pin_code": "Current PIN code",
  "current_server_address": "Current server address",
-  "custom_date": "Custom date",
  "custom_locale": "Custom Locale",
  "custom_locale_description": "Format dates and numbers based on the language and the region",
  "custom_url": "Custom URL",
-  "cutoff_date_description": "Remove photos and videos older than",
-  "cutoff_day": "{count, plural, one {day} other {days}}",
-  "cutoff_year": "{count, plural, one {year} other {years}}",
  "daily_title_text_date": "E, MMM dd",
  "daily_title_text_date_year": "E, MMM dd, yyyy",
  "dark": "Dark",
@@ -939,7 +907,6 @@
  "download_include_embedded_motion_videos": "Embedded videos",
  "download_include_embedded_motion_videos_description": "Include videos embedded in motion photos as a separate file",
  "download_notfound": "Download not found",
-  "download_original": "Download original",
  "download_paused": "Download paused",
  "download_settings": "Download",
  "download_settings_description": "Manage settings related to asset download",
@@ -949,7 +916,6 @@
  "download_waiting_to_retry": "Waiting to retry",
  "downloading": "Downloading",
  "downloading_asset_filename": "Downloading asset {filename}",
-  "downloading_from_icloud": "Downloading from iCloud",
  "downloading_media": "Downloading media",
  "drop_files_to_upload": "Drop files anywhere to upload",
  "duplicates": "Duplicates",
@@ -982,13 +948,9 @@
  "editor": "Editor",
  "editor_close_without_save_prompt": "The changes will not be saved",
  "editor_close_without_save_title": "Close editor?",
-  "editor_confirm_reset_all_changes": "Are you sure you want to reset all changes?",
-  "editor_flip_horizontal": "Flip horizontal",
-  "editor_flip_vertical": "Flip vertical",
-  "editor_orientation": "Orientation",
-  "editor_reset_all_changes": "Reset changes",
-  "editor_rotate_left": "Rotate 90° counterclockwise",
-  "editor_rotate_right": "Rotate 90° clockwise",
+  "editor_crop_tool_h2_aspect_ratios": "Aspect ratios",
+  "editor_crop_tool_h2_rotation": "Rotation",
+  "editor_mode": "Editor mode",
  "email": "Email",
  "email_notifications": "Email notifications",
  "empty_folder": "This folder is empty",
@@ -1120,7 +1082,6 @@
    "unable_to_scan_library": "Unable to scan library",
    "unable_to_set_feature_photo": "Unable to set feature photo",
    "unable_to_set_profile_picture": "Unable to set profile picture",
-    "unable_to_set_rating": "Unable to set rating",
    "unable_to_submit_job": "Unable to submit job",
    "unable_to_trash_asset": "Unable to trash asset",
    "unable_to_unlink_account": "Unable to unlink account",
@@ -1135,7 +1096,6 @@
    "unable_to_update_workflow": "Unable to update workflow",
    "unable_to_upload_file": "Unable to upload file"
  },
-  "errors_text": "Errors",
  "exclusion_pattern": "Exclusion pattern",
  "exif": "Exif",
  "exif_bottom_sheet_description": "Add Description...",
@@ -1180,14 +1140,13 @@
  "features": "Features",
  "features_in_development": "Features in Development",
  "features_setting_description": "Manage the app features",
-  "file_name": "File name: {file_name}",
+  "file_name": "File name",
  "file_name_or_extension": "File name or extension",
  "file_size": "File size",
  "filename": "Filename",
  "filetype": "Filetype",
  "filter": "Filter",
  "filter_description": "Conditions to filter the target assets",
-  "filter_options": "Filter options",
  "filter_people": "Filter people",
  "filter_places": "Filter places",
  "filters": "Filters",
@@ -1200,9 +1159,6 @@
  "folders_feature_description": "Browsing the folder view for the photos and videos on the file system",
  "forgot_pin_code_question": "Forgot your PIN?",
  "forward": "Forward",
-  "free_up_space": "Free Up Space",
-  "free_up_space_description": "Move backed-up photos and videos to your device's trash to free up space. Your copies on the server remain safe",
-  "free_up_space_settings_subtitle": "Free up device storage",
  "full_path": "Full path: {path}",
  "gcast_enabled": "Google Cast",
  "gcast_enabled_description": "This feature loads external resources from Google in order to work.",
@@ -1319,8 +1275,6 @@
  "json_error": "JSON error",
  "keep": "Keep",
  "keep_all": "Keep All",
-  "keep_favorites": "Keep favorites",
-  "keep_favorites_description": "Favorite assets will not be deleted from your device",
  "keep_this_delete_others": "Keep this, delete others",
  "kept_this_deleted_others": "Kept this asset and deleted {count, plural, one {# asset} other {# assets}}",
  "keyboard_shortcuts": "Keyboard shortcuts",
@@ -1415,28 +1369,10 @@
  "loop_videos_description": "Enable to automatically loop a video in the detail viewer.",
  "main_branch_warning": "You're using a development version; we strongly recommend using a release version!",
  "main_menu": "Main menu",
-  "maintenance_action_restore": "Restoring Database",
  "maintenance_description": "Immich has been put into <link>maintenance mode</link>.",
  "maintenance_end": "End maintenance mode",
  "maintenance_end_error": "Failed to end maintenance mode.",
  "maintenance_logged_in_as": "Currently logged in as {user}",
-  "maintenance_restore_from_backup": "Restore From Backup",
-  "maintenance_restore_library": "Restore Your Library",
-  "maintenance_restore_library_confirm": "If this looks correct, continue to restoring a backup!",
-  "maintenance_restore_library_description": "Restoring Database",
-  "maintenance_restore_library_folder_has_files": "{folder} has {count} folder(s)",
-  "maintenance_restore_library_folder_no_files": "{folder} is missing files!",
-  "maintenance_restore_library_folder_pass": "readable and writable",
-  "maintenance_restore_library_folder_read_fail": "not readable",
-  "maintenance_restore_library_folder_write_fail": "not writable",
-  "maintenance_restore_library_hint_missing_files": "You may be missing important files",
-  "maintenance_restore_library_hint_regenerate_later": "You can regenerate these later in settings",
-  "maintenance_restore_library_hint_storage_template_missing_files": "Using storage template? You may be missing files",
-  "maintenance_restore_library_loading": "Loading integrity checks and heuristics…",
-  "maintenance_task_backup": "Creating a backup of the existing database…",
-  "maintenance_task_migrations": "Running database migrations…",
-  "maintenance_task_restore": "Restoring the chosen backup…",
-  "maintenance_task_rollback": "Restore failed, rolling back to restore point…",
  "maintenance_title": "Temporarily Unavailable",
  "make": "Make",
  "manage_geolocation": "Manage location",
@@ -1498,8 +1434,6 @@
  "minimize": "Minimize",
  "minute": "Minute",
  "minutes": "Minutes",
-  "mirror_horizontal": "Horizontal",
-  "mirror_vertical": "Vertical",
  "missing": "Missing",
  "mobile_app": "Mobile App",
  "mobile_app_download_onboarding_note": "Download the companion mobile app using the following options",
@@ -1511,7 +1445,6 @@
  "move_down": "Move down",
  "move_off_locked_folder": "Move out of locked folder",
  "move_to": "Move to",
-  "move_to_device_trash": "Move to device trash",
  "move_to_lock_folder_action_prompt": "{count} added to the locked folder",
  "move_to_locked_folder": "Move to locked folder",
  "move_to_locked_folder_confirmation": "These photos and video will be removed from all albums, and only viewable from the locked folder",
@@ -1694,7 +1627,6 @@
  "photos_and_videos": "Photos & Videos",
  "photos_count": "{count, plural, one {{count, number} Photo} other {{count, number} Photos}}",
  "photos_from_previous_years": "Photos from previous years",
-  "photos_only": "Photos only",
  "pick_a_location": "Pick a location",
  "pick_custom_range": "Custom range",
  "pick_date_range": "Select a date range",
@@ -1770,12 +1702,10 @@
  "purchase_settings_server_activated": "The server product key is managed by the admin",
  "query_asset_id": "Query Asset ID",
  "queue_status": "Queuing {count}/{total}",
-  "rate_asset": "Rate Asset",
  "rating": "Star rating",
  "rating_clear": "Clear rating",
  "rating_count": "{count, plural, one {# star} other {# stars}}",
  "rating_description": "Display the EXIF rating in the info panel",
-  "rating_set": "Rating set to {rating, plural, one {# star} other {# stars}}",
  "reaction_options": "Reaction options",
  "read_changelog": "Read Changelog",
  "readonly_mode_disabled": "Read-only mode disabled",
@@ -1875,11 +1805,9 @@
  "saved_settings": "Saved settings",
  "say_something": "Say something",
  "scaffold_body_error_occurred": "Error occurred",
-  "scan": "Scan",
  "scan_all_libraries": "Scan All Libraries",
  "scan_library": "Scan",
  "scan_settings": "Scan Settings",
-  "scanning": "Scanning",
  "scanning_for_album": "Scanning for album...",
  "search": "Search",
  "search_albums": "Search albums",
@@ -1951,7 +1879,6 @@
  "select_all_in": "Select all in {group}",
  "select_avatar_color": "Select avatar color",
  "select_count": "{count, plural, one {Select #} other {Select #}}",
-  "select_cutoff_date": "Select cutoff date",
  "select_face": "Select face",
  "select_featured_photo": "Select featured photo",
  "select_from_computer": "Select from computer",
@@ -2244,7 +2171,6 @@
  "unhide_person": "Unhide person",
  "unknown": "Unknown",
  "unknown_country": "Unknown Country",
-  "unknown_date": "Unknown date",
  "unknown_year": "Unknown Year",
  "unlimited": "Unlimited",
  "unlink_motion_video": "Unlink motion video",
@@ -2269,6 +2195,7 @@
  "updated_at": "Updated",
  "updated_password": "Updated password",
  "upload": "Upload",
+  "upload_action_prompt": "{count} queued for upload",
  "upload_concurrency": "Upload concurrency",
  "upload_details": "Upload Details",
  "upload_dialog_info": "Do you want to backup the selected Asset(s) to the server?",
@@ -2287,7 +2214,7 @@
  "url": "URL",
  "usage": "Usage",
  "use_biometric": "Use biometric",
-  "use_current_connection": "Use current connection",
+  "use_current_connection": "use current connection",
  "use_custom_date_range": "Use custom date range instead",
  "user": "User",
  "user_has_been_deleted": "This user has been deleted.",
@@ -2320,7 +2247,6 @@
  "video_hover_setting_description": "Play video thumbnail when mouse is hovering over item. Even when disabled, playback can be started by hovering over the play icon.",
  "videos": "Videos",
  "videos_count": "{count, plural, one {# Video} other {# Videos}}",
-  "videos_only": "Videos only",
  "view": "View",
  "view_album": "View Album",
  "view_all": "View All",
@@ -2370,7 +2296,6 @@
  "yes": "Yes",
  "you_dont_have_any_shared_links": "You don't have any shared links",
  "your_wifi_name": "Your Wi-Fi name",
-  "zero_to_clear_rating": "press 0 to clear asset rating",
  "zoom_image": "Zoom Image",
  "zoom_to_bounds": "Zoom to bounds"
 }
--- a/i18n/package.json
+++ b/i18n/package.json
@@ -1,13 +0,0 @@
-{
-  "name": "immich-i18n",
-  "version": "1.0.0",
-  "private": true,
-  "scripts": {
-    "format": "prettier --check .",
-    "format:fix": "prettier --write ."
-  },
-  "devDependencies": {
-    "prettier": "^3.7.4",
-    "prettier-plugin-sort-json": "^4.1.1"
-  }
-}
--- a/machine-learning/Dockerfile
+++ b/machine-learning/Dockerfile
@@ -92,14 +92,14 @@ FROM python:3.13-slim-trixie@sha256:0222b795db95bf7412cede36ab46a266cfb31f632e64

 RUN apt-get update && \
    apt-get install --no-install-recommends -yqq ocl-icd-libopencl1 wget && \
-    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.27.10/intel-igc-core-2_2.27.10+20617_amd64.deb && \
-    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.27.10/intel-igc-opencl-2_2.27.10+20617_amd64.deb && \
-    wget -nv https://github.com/intel/compute-runtime/releases/download/26.01.36711.4/intel-opencl-icd_26.01.36711.4-0_amd64.deb &&  \
+    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.24.8/intel-igc-core-2_2.24.8+20344_amd64.deb && \
+    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.24.8/intel-igc-opencl-2_2.24.8+20344_amd64.deb && \
+    wget -nv https://github.com/intel/compute-runtime/releases/download/25.48.36300.8/intel-opencl-icd_25.48.36300.8-0_amd64.deb &&  \
    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-core_1.0.17537.24_amd64.deb && \
    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-opencl_1.0.17537.24_amd64.deb && \
    wget -nv https://github.com/intel/compute-runtime/releases/download/24.35.30872.36/intel-opencl-icd-legacy1_24.35.30872.36_amd64.deb && \
    # TODO: Figure out how to get renovate to manage this differently versioned libigdgmm file
-    wget -nv https://github.com/intel/compute-runtime/releases/download/26.01.36711.4/libigdgmm12_22.9.0_amd64.deb && \
+    wget -nv https://github.com/intel/compute-runtime/releases/download/25.48.36300.8/libigdgmm12_22.8.2_amd64.deb && \
    dpkg -i *.deb && \
    rm *.deb && \
    apt-get remove wget -yqq && \
--- a/mise.toml
+++ b/mise.toml
@@ -1,9 +1,9 @@
 experimental_monorepo_root = true

 [tools]
-node = "24.13.0"
+node = "24.12.0"
 flutter = "3.35.7"
-pnpm = "10.28.0"
+pnpm = "10.27.0"
 terragrunt = "0.93.10"
 opentofu = "1.10.7"
 java = "25.0.1"
@@ -34,4 +34,4 @@ run = { task = ":i18n:format-fix" }

 [tasks."i18n:format-fix"]
 dir = "i18n"
-run = "pnpm run format:fix"
+run = "pnpm dlx sort-json *.json"
--- a/mobile/android/app/src/main/AndroidManifest.xml
+++ b/mobile/android/app/src/main/AndroidManifest.xml
@@ -117,9 +117,6 @@
        <data
          android:host="my.immich.app"
          android:pathPrefix="/memories/" />
-        <data
-          android:host="my.immich.app"
-          android:path="/memory" />
        <data
          android:host="my.immich.app"
          android:pathPrefix="/photos/" />
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/sync/Messages.g.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/sync/Messages.g.kt
@@ -252,40 +252,6 @@ data class HashResult (

  override fun hashCode(): Int = toList().hashCode()
 }
-
-/** Generated class from Pigeon that represents data sent in messages. */
-data class CloudIdResult (
-  val assetId: String,
-  val error: String? = null,
-  val cloudId: String? = null
-)
- {
-  companion object {
-    fun fromList(pigeonVar_list: List<Any?>): CloudIdResult {
-      val assetId = pigeonVar_list[0] as String
-      val error = pigeonVar_list[1] as String?
-      val cloudId = pigeonVar_list[2] as String?
-      return CloudIdResult(assetId, error, cloudId)
-    }
-  }
-  fun toList(): List<Any?> {
-    return listOf(
-      assetId,
-      error,
-      cloudId,
-    )
-  }
-  override fun equals(other: Any?): Boolean {
-    if (other !is CloudIdResult) {
-      return false
-    }
-    if (this === other) {
-      return true
-    }
-    return MessagesPigeonUtils.deepEquals(toList(), other.toList())  }
-
-  override fun hashCode(): Int = toList().hashCode()
-}
 private open class MessagesPigeonCodec : StandardMessageCodec() {
  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
    return when (type) {
@@ -309,11 +275,6 @@ private open class MessagesPigeonCodec : StandardMessageCodec() {
          HashResult.fromList(it)
        }
      }
-      133.toByte() -> {
-        return (readValue(buffer) as? List<Any?>)?.let {
-          CloudIdResult.fromList(it)
-        }
-      }
      else -> super.readValueOfType(type, buffer)
    }
  }
@@ -335,10 +296,6 @@ private open class MessagesPigeonCodec : StandardMessageCodec() {
        stream.write(132)
        writeValue(stream, value.toList())
      }
-      is CloudIdResult -> {
-        stream.write(133)
-        writeValue(stream, value.toList())
-      }
      else -> super.writeValue(stream, value)
    }
  }
@@ -358,7 +315,6 @@ interface NativeSyncApi {
  fun hashAssets(assetIds: List<String>, allowNetworkAccess: Boolean, callback: (Result<List<HashResult>>) -> Unit)
  fun cancelHashing()
  fun getTrashedAssets(): Map<String, List<PlatformAsset>>
-  fun getCloudIdForAssetIds(assetIds: List<String>): List<CloudIdResult>

  companion object {
    /** The codec used by NativeSyncApi. */
@@ -552,23 +508,6 @@ interface NativeSyncApi {
          channel.setMessageHandler(null)
        }
      }
-      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NativeSyncApi.getCloudIdForAssetIds$separatedMessageChannelSuffix", codec, taskQueue)
-        if (api != null) {
-          channel.setMessageHandler { message, reply ->
-            val args = message as List<Any?>
-            val assetIdsArg = args[0] as List<String>
-            val wrapped: List<Any?> = try {
-              listOf(api.getCloudIdForAssetIds(assetIdsArg))
-            } catch (exception: Throwable) {
-              MessagesPigeonUtils.wrapError(exception)
-            }
-            reply.reply(wrapped)
-          }
-        } else {
-          channel.setMessageHandler(null)
-        }
-      }
    }
  }
 }
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/sync/MessagesImplBase.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/sync/MessagesImplBase.kt
@@ -14,7 +14,6 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.Job
 import kotlinx.coroutines.async
 import kotlinx.coroutines.awaitAll
-import kotlinx.coroutines.currentCoroutineContext
 import kotlinx.coroutines.ensureActive
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.sync.Semaphore
@@ -22,6 +21,7 @@ import kotlinx.coroutines.sync.withPermit
 import java.io.File
 import java.security.MessageDigest
 import kotlin.coroutines.cancellation.CancellationException
+import kotlin.coroutines.coroutineContext

 sealed class AssetResult {
  data class ValidAsset(val asset: PlatformAsset, val albumId: String) : AssetResult()
@@ -298,7 +298,7 @@ open class NativeSyncApiImplBase(context: Context) : ImmichPlugin() {
        var bytesRead: Int
        val buffer = ByteArray(HASH_BUFFER_SIZE)
        while (inputStream.read(buffer).also { bytesRead = it } > 0) {
-          currentCoroutineContext().ensureActive()
+          coroutineContext.ensureActive()
          digest.update(buffer, 0, bytesRead)
        }
      } ?: return HashResult(assetId, "Cannot open input stream for asset", null)
@@ -316,10 +316,4 @@ open class NativeSyncApiImplBase(context: Context) : ImmichPlugin() {
    hashTask?.cancel()
    hashTask = null
  }
-
-  // This method is only implemented on iOS; on Android, we do not have a concept of cloud IDs
-  @Suppress("unused", "UNUSED_PARAMETER")
-  fun getCloudIdForAssetIds(assetIds: List<String>): List<CloudIdResult> {
-    return emptyList()
-  }
 }
--- a/mobile/drift_schemas/main/drift_schema_v15.json
+++ b/mobile/drift_schemas/main/drift_schema_v15.json
--- a/mobile/drift_schemas/main/drift_schema_v16.json
+++ b/mobile/drift_schemas/main/drift_schema_v16.json
--- a/mobile/drift_schemas/main/drift_schema_v17.json
+++ b/mobile/drift_schemas/main/drift_schema_v17.json
--- a/mobile/fonts/GoogleSans/GoogleSans-Bold.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-Bold.ttf
--- a/mobile/fonts/GoogleSans/GoogleSans-Italic.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-Italic.ttf
--- a/mobile/fonts/GoogleSans/GoogleSans-Medium.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-Medium.ttf
--- a/mobile/fonts/GoogleSans/GoogleSans-Regular.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-Regular.ttf
--- a/mobile/fonts/GoogleSans/GoogleSans-SemiBold.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-SemiBold.ttf
--- a/mobile/fonts/GoogleSansCode/GoogleSansCode-Medium.ttf
+++ b/mobile/fonts/GoogleSansCode/GoogleSansCode-Medium.ttf
--- a/mobile/fonts/GoogleSansCode/GoogleSansCode-Regular.ttf
+++ b/mobile/fonts/GoogleSansCode/GoogleSansCode-Regular.ttf
--- a/mobile/fonts/GoogleSansCode/GoogleSansCode-SemiBold.ttf
+++ b/mobile/fonts/GoogleSansCode/GoogleSansCode-SemiBold.ttf
--- a/mobile/ios/.gitignore
+++ b/mobile/ios/.gitignore
@@ -33,5 +33,4 @@ Runner/GeneratedPluginRegistrant.*
 !default.perspectivev3

 fastlane/report.xml
-Gemfile.lock
-certs/
+Gemfile.lock
--- a/mobile/ios/Runner/AppDelegate.swift
+++ b/mobile/ios/Runner/AppDelegate.swift
@@ -55,7 +55,6 @@ import UIKit
    NativeSyncApiImpl.register(with: engine.registrar(forPlugin: NativeSyncApiImpl.name)!)
    ThumbnailApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: ThumbnailApiImpl())
    BackgroundWorkerFgHostApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: BackgroundWorkerApiImpl())
-    ConnectivityApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: ConnectivityApiImpl())
  }
  
  public static func cancelPlugins(with engine: FlutterEngine) {
--- a/mobile/ios/Runner/Connectivity/ConnectivityApiImpl.swift
+++ b/mobile/ios/Runner/Connectivity/ConnectivityApiImpl.swift
@@ -1,60 +1,6 @@
-import Network

 class ConnectivityApiImpl: ConnectivityApi {
-  private let monitor = NWPathMonitor()
-  private let queue = DispatchQueue(label: "ConnectivityMonitor")
-  private var currentPath: NWPath?
-  
-  init() {
-    monitor.pathUpdateHandler = { [weak self] path in
-      self?.currentPath = path
-    }
-    monitor.start(queue: queue)
-    // Get initial state synchronously
-    currentPath = monitor.currentPath
-  }
-  
-  deinit {
-    monitor.cancel()
-  }
-  
  func getCapabilities() throws -> [NetworkCapability] {
-    guard let path = currentPath else {
-      return []
-    }
-    
-    guard path.status == .satisfied else {
-      return []
-    }
-    
-    var capabilities: [NetworkCapability] = []
-    
-    if path.usesInterfaceType(.wifi) {
-      capabilities.append(.wifi)
-    }
-    
-    if path.usesInterfaceType(.cellular) {
-      capabilities.append(.cellular)
-    }
-    
-    // Check for VPN - iOS reports VPN as .other interface type in many cases
-    // or through the path's expensive property when on cellular with VPN
-    if path.usesInterfaceType(.other) {
-      capabilities.append(.vpn)
-    }
-    
-    // Determine if connection is unmetered:
-    // - Must be on WiFi (not cellular)
-    // - Must not be expensive (rules out personal hotspot)
-    // - Must not be constrained (Low Data Mode)
-    // Note: VPN over cellular should still be considered metered
-    let isOnCellular = path.usesInterfaceType(.cellular)
-    let isOnWifi = path.usesInterfaceType(.wifi)
-    
-    if isOnWifi && !isOnCellular && !path.isExpensive && !path.isConstrained {
-      capabilities.append(.unmetered)
-    }
-    
-    return capabilities
+    []
  }
 }
--- a/mobile/ios/Runner/Sync/Messages.g.swift
+++ b/mobile/ios/Runner/Sync/Messages.g.swift
@@ -312,39 +312,6 @@ struct HashResult: Hashable {
  }
 }

-/// Generated class from Pigeon that represents data sent in messages.
-struct CloudIdResult: Hashable {
-  var assetId: String
-  var error: String? = nil
-  var cloudId: String? = nil
-
-
-  // swift-format-ignore: AlwaysUseLowerCamelCase
-  static func fromList(_ pigeonVar_list: [Any?]) -> CloudIdResult? {
-    let assetId = pigeonVar_list[0] as! String
-    let error: String? = nilOrValue(pigeonVar_list[1])
-    let cloudId: String? = nilOrValue(pigeonVar_list[2])
-
-    return CloudIdResult(
-      assetId: assetId,
-      error: error,
-      cloudId: cloudId
-    )
-  }
-  func toList() -> [Any?] {
-    return [
-      assetId,
-      error,
-      cloudId,
-    ]
-  }
-  static func == (lhs: CloudIdResult, rhs: CloudIdResult) -> Bool {
-    return deepEqualsMessages(lhs.toList(), rhs.toList())  }
-  func hash(into hasher: inout Hasher) {
-    deepHashMessages(value: toList(), hasher: &hasher)
-  }
-}
-
 private class MessagesPigeonCodecReader: FlutterStandardReader {
  override func readValue(ofType type: UInt8) -> Any? {
    switch type {
@@ -356,8 +323,6 @@ private class MessagesPigeonCodecReader: FlutterStandardReader {
      return SyncDelta.fromList(self.readValue() as! [Any?])
    case 132:
      return HashResult.fromList(self.readValue() as! [Any?])
-    case 133:
-      return CloudIdResult.fromList(self.readValue() as! [Any?])
    default:
      return super.readValue(ofType: type)
    }
@@ -378,9 +343,6 @@ private class MessagesPigeonCodecWriter: FlutterStandardWriter {
    } else if let value = value as? HashResult {
      super.writeByte(132)
      super.writeValue(value.toList())
-    } else if let value = value as? CloudIdResult {
-      super.writeByte(133)
-      super.writeValue(value.toList())
    } else {
      super.writeValue(value)
    }
@@ -415,7 +377,6 @@ protocol NativeSyncApi {
  func hashAssets(assetIds: [String], allowNetworkAccess: Bool, completion: @escaping (Result<[HashResult], Error>) -> Void)
  func cancelHashing() throws
  func getTrashedAssets() throws -> [String: [PlatformAsset]]
-  func getCloudIdForAssetIds(assetIds: [String]) throws -> [CloudIdResult]
 }

 /// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
@@ -599,22 +560,5 @@ class NativeSyncApiSetup {
    } else {
      getTrashedAssetsChannel.setMessageHandler(nil)
    }
-    let getCloudIdForAssetIdsChannel = taskQueue == nil
-      ? FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NativeSyncApi.getCloudIdForAssetIds\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
-      : FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NativeSyncApi.getCloudIdForAssetIds\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec, taskQueue: taskQueue)
-    if let api = api {
-      getCloudIdForAssetIdsChannel.setMessageHandler { message, reply in
-        let args = message as! [Any?]
-        let assetIdsArg = args[0] as! [String]
-        do {
-          let result = try api.getCloudIdForAssetIds(assetIds: assetIdsArg)
-          reply(wrapResult(result))
-        } catch {
-          reply(wrapError(error))
-        }
-      }
-    } else {
-      getCloudIdForAssetIdsChannel.setMessageHandler(nil)
-    }
  }
 }
--- a/mobile/ios/Runner/Sync/MessagesImpl.swift
+++ b/mobile/ios/Runner/Sync/MessagesImpl.swift
@@ -19,31 +19,31 @@ struct AssetWrapper: Hashable, Equatable {

 class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
  static let name = "NativeSyncApi"
-  
+
  static func register(with registrar: any FlutterPluginRegistrar) {
    let instance = NativeSyncApiImpl()
    NativeSyncApiSetup.setUp(binaryMessenger: registrar.messenger(), api: instance)
    registrar.publish(instance)
  }
-  
+
  func detachFromEngine(for registrar: any FlutterPluginRegistrar) {
    super.detachFromEngine()
  }
-  
+
  private let defaults: UserDefaults
  private let changeTokenKey = "immich:changeToken"
  private let albumTypes: [PHAssetCollectionType] = [.album, .smartAlbum]
  private let recoveredAlbumSubType = 1000000219
-  
+
  private var hashTask: Task<Void?, Error>?
  private static let hashCancelledCode = "HASH_CANCELLED"
  private static let hashCancelled = Result<[HashResult], Error>.failure(PigeonError(code: hashCancelledCode, message: "Hashing cancelled", details: nil))
-  
-  
+
+
  init(with defaults: UserDefaults = .standard) {
    self.defaults = defaults
  }
-  
+
  @available(iOS 16, *)
  private func getChangeToken() -> PHPersistentChangeToken? {
    guard let data = defaults.data(forKey: changeTokenKey) else {
@@ -51,7 +51,7 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    }
    return try? NSKeyedUnarchiver.unarchivedObject(ofClass: PHPersistentChangeToken.self, from: data)
  }
-  
+
  @available(iOS 16, *)
  private func saveChangeToken(token: PHPersistentChangeToken) -> Void {
    guard let data = try? NSKeyedArchiver.archivedData(withRootObject: token, requiringSecureCoding: true) else {
@@ -59,18 +59,18 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    }
    defaults.set(data, forKey: changeTokenKey)
  }
-  
+
  func clearSyncCheckpoint() -> Void {
    defaults.removeObject(forKey: changeTokenKey)
  }
-  
+
  func checkpointSync() {
    guard #available(iOS 16, *) else {
      return
    }
    saveChangeToken(token: PHPhotoLibrary.shared().currentChangeToken)
  }
-  
+
  func shouldFullSync() -> Bool {
    guard #available(iOS 16, *),
          PHPhotoLibrary.authorizationStatus(for: .readWrite) == .authorized,
@@ -78,36 +78,36 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
      // When we do not have access to photo library, older iOS version or No token available, fallback to full sync
      return true
    }
-    
+
    guard let _ = try? PHPhotoLibrary.shared().fetchPersistentChanges(since: storedToken) else {
      // Cannot fetch persistent changes
      return true
    }
-    
+
    return false
  }
-  
+
  func getAlbums() throws -> [PlatformAlbum] {
    var albums: [PlatformAlbum] = []
-    
+
    albumTypes.forEach { type in
      let collections = PHAssetCollection.fetchAssetCollections(with: type, subtype: .any, options: nil)
      for i in 0..<collections.count {
        let album = collections.object(at: i)
-        
+
        // Ignore recovered album
        if(album.assetCollectionSubtype.rawValue == self.recoveredAlbumSubType) {
          continue;
        }
-        
+
        let options = PHFetchOptions()
        options.sortDescriptors = [NSSortDescriptor(key: "modificationDate", ascending: false)]
        options.includeHiddenAssets = false
-        
+
        let assets = getAssetsFromAlbum(in: album, options: options)
-        
+
        let isCloud = album.assetCollectionSubtype == .albumCloudShared || album.assetCollectionSubtype == .albumMyPhotoStream
-        
+
        var domainAlbum = PlatformAlbum(
          id: album.localIdentifier,
          name: album.localizedTitle!,
@@ -115,57 +115,57 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
          isCloud: isCloud,
          assetCount: Int64(assets.count)
        )
-        
+
        if let firstAsset = assets.firstObject {
          domainAlbum.updatedAt = firstAsset.modificationDate.map { Int64($0.timeIntervalSince1970) }
        }
-        
+
        albums.append(domainAlbum)
      }
    }
    return albums.sorted { $0.id < $1.id }
  }
-  
+
  func getMediaChanges() throws -> SyncDelta {
    guard #available(iOS 16, *) else {
      throw PigeonError(code: "UNSUPPORTED_OS", message: "This feature requires iOS 16 or later.", details: nil)
    }
-    
+
    guard PHPhotoLibrary.authorizationStatus(for: .readWrite) == .authorized else {
      throw PigeonError(code: "NO_AUTH", message: "No photo library access", details: nil)
    }
-    
+
    guard let storedToken = getChangeToken() else {
      // No token exists, definitely need a full sync
      print("MediaManager::getMediaChanges: No token found")
      throw PigeonError(code: "NO_TOKEN", message: "No stored change token", details: nil)
    }
-    
+
    let currentToken = PHPhotoLibrary.shared().currentChangeToken
    if storedToken == currentToken {
      return SyncDelta(hasChanges: false, updates: [], deletes: [], assetAlbums: [:])
    }
-    
+
    do {
      let changes = try PHPhotoLibrary.shared().fetchPersistentChanges(since: storedToken)
-      
+
      var updatedAssets: Set<AssetWrapper> = []
      var deletedAssets: Set<String> = []
-      
+
      for change in changes {
        guard let details = try? change.changeDetails(for: PHObjectType.asset) else { continue }
-        
+
        let updated = details.updatedLocalIdentifiers.union(details.insertedLocalIdentifiers)
        deletedAssets.formUnion(details.deletedLocalIdentifiers)
-        
+
        if (updated.isEmpty) { continue }
-        
+
        let options = PHFetchOptions()
        options.includeHiddenAssets = false
        let result = PHAsset.fetchAssets(withLocalIdentifiers: Array(updated), options: options)
        for i in 0..<result.count {
          let asset = result.object(at: i)
-          
+
          // Asset wrapper only uses the id for comparison. Multiple change can contain the same asset, skip duplicate changes
          let predicate = PlatformAsset(
            id: asset.localIdentifier,
@@ -178,25 +178,25 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
          if (updatedAssets.contains(AssetWrapper(with: predicate))) {
            continue
          }
-          
+
          let domainAsset = AssetWrapper(with: asset.toPlatformAsset())
          updatedAssets.insert(domainAsset)
        }
      }
-      
+
      let updates = Array(updatedAssets.map { $0.asset })
      return SyncDelta(hasChanges: true, updates: updates, deletes: Array(deletedAssets), assetAlbums: buildAssetAlbumsMap(assets: updates))
    }
  }
-  
-  
+
+
  private func buildAssetAlbumsMap(assets: Array<PlatformAsset>) -> [String: [String]] {
    guard !assets.isEmpty else {
      return [:]
    }
-    
+
    var albumAssets: [String: [String]] = [:]
-    
+
    for type in albumTypes {
      let collections = PHAssetCollection.fetchAssetCollections(with: type, subtype: .any, options: nil)
      collections.enumerateObjects { (album, _, _) in
@@ -211,13 +211,13 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    }
    return albumAssets
  }
-  
+
  func getAssetIdsForAlbum(albumId: String) throws -> [String] {
    let collections = PHAssetCollection.fetchAssetCollections(withLocalIdentifiers: [albumId], options: nil)
    guard let album = collections.firstObject else {
      return []
    }
-    
+
    var ids: [String] = []
    let options = PHFetchOptions()
    options.includeHiddenAssets = false
@@ -227,13 +227,13 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    }
    return ids
  }
-  
+
  func getAssetsCountSince(albumId: String, timestamp: Int64) throws -> Int64 {
    let collections = PHAssetCollection.fetchAssetCollections(withLocalIdentifiers: [albumId], options: nil)
    guard let album = collections.firstObject else {
      return 0
    }
-    
+
    let date = NSDate(timeIntervalSince1970: TimeInterval(timestamp))
    let options = PHFetchOptions()
    options.predicate = NSPredicate(format: "creationDate > %@ OR modificationDate > %@", date, date)
@@ -241,32 +241,32 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    let assets = getAssetsFromAlbum(in: album, options: options)
    return Int64(assets.count)
  }
-  
+
  func getAssetsForAlbum(albumId: String, updatedTimeCond: Int64?) throws -> [PlatformAsset] {
    let collections = PHAssetCollection.fetchAssetCollections(withLocalIdentifiers: [albumId], options: nil)
    guard let album = collections.firstObject else {
      return []
    }
-    
+
    let options = PHFetchOptions()
    options.includeHiddenAssets = false
    if(updatedTimeCond != nil) {
      let date = NSDate(timeIntervalSince1970: TimeInterval(updatedTimeCond!))
      options.predicate = NSPredicate(format: "creationDate > %@ OR modificationDate > %@", date, date)
    }
-    
+
    let result = getAssetsFromAlbum(in: album, options: options)
    if(result.count == 0) {
      return []
    }
-    
+
    var assets: [PlatformAsset] = []
    result.enumerateObjects { (asset, _, _) in
      assets.append(asset.toPlatformAsset())
    }
    return assets
  }
-  
+
  func hashAssets(assetIds: [String], allowNetworkAccess: Bool, completion: @escaping (Result<[HashResult], Error>) -> Void) {
    if let prevTask = hashTask {
      prevTask.cancel()
@@ -284,11 +284,11 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
        missingAssetIds.remove(asset.localIdentifier)
        assets.append(asset)
      }
-      
+
      if Task.isCancelled {
        return self?.completeWhenActive(for: completion, with: Self.hashCancelled)
      }
-      
+
      await withTaskGroup(of: HashResult?.self) { taskGroup in
        var results = [HashResult]()
        results.reserveCapacity(assets.count)
@@ -301,28 +301,28 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
            return await self.hashAsset(asset, allowNetworkAccess: allowNetworkAccess)
          }
        }
-        
+
        for await result in taskGroup {
          guard let result = result else {
            return self?.completeWhenActive(for: completion, with: Self.hashCancelled)
          }
          results.append(result)
        }
-        
+
        for missing in missingAssetIds {
          results.append(HashResult(assetId: missing, error: "Asset not found in library", hash: nil))
        }
-        
+
        return self?.completeWhenActive(for: completion, with: .success(results))
      }
    }
  }
-  
+
  func cancelHashing() {
    hashTask?.cancel()
    hashTask = nil
  }
-  
+
  private func hashAsset(_ asset: PHAsset, allowNetworkAccess: Bool) async -> HashResult? {
    class RequestRef {
      var id: PHAssetResourceDataRequestID?
@@ -332,21 +332,21 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
      if Task.isCancelled {
        return nil
      }
-      
+
      guard let resource = asset.getResource() else {
        return HashResult(assetId: asset.localIdentifier, error: "Cannot get asset resource", hash: nil)
      }
-      
+
      if Task.isCancelled {
        return nil
      }
-      
+
      let options = PHAssetResourceRequestOptions()
      options.isNetworkAccessAllowed = allowNetworkAccess
-      
+
      return await withCheckedContinuation { continuation in
        var hasher = Insecure.SHA1()
-        
+
        requestRef.id = PHAssetResourceManager.default().requestData(
          for: resource,
          options: options,
@@ -377,11 +377,11 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
      PHAssetResourceManager.default().cancelDataRequest(requestId)
    })
  }
-  
+
  func getTrashedAssets() throws -> [String: [PlatformAsset]] {
    throw PigeonError(code: "UNSUPPORTED_OS", message: "This feature not supported on iOS.", details: nil)
  }
-  
+
  private func getAssetsFromAlbum(in album: PHAssetCollection, options: PHFetchOptions) -> PHFetchResult<PHAsset> {
    // Ensure to actually getting all assets for the Recents album
    if (album.assetCollectionSubtype == .smartAlbumUserLibrary) {
@@ -390,28 +390,4 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
      return PHAsset.fetchAssets(in: album, options: options)
    }
  }
-  
-  func getCloudIdForAssetIds(assetIds: [String]) throws -> [CloudIdResult] {
-    guard #available(iOS 16, *) else {
-      return assetIds.map { CloudIdResult(assetId: $0) }
-    }
-    
-    var mappings: [CloudIdResult] = []
-    let result = PHPhotoLibrary.shared().cloudIdentifierMappings(forLocalIdentifiers: assetIds)
-    for (key, value) in result {
-      switch value {
-      case .success(let cloudIdentifier):
-        let cloudId = cloudIdentifier.stringValue
-        // Ignores invalid cloud ids of the format "GUID:ID:". Valid Ids are of the form "GUID:ID:HASH"
-        if !cloudId.hasSuffix(":") {
-          mappings.append(CloudIdResult(assetId: key, cloudId: cloudId))
-        } else {
-          mappings.append(CloudIdResult(assetId: key, error: "Incomplete Cloud Id: \(cloudId)"))
-        }
-      case .failure(let error):
-        mappings.append(CloudIdResult(assetId: key, error: "Error getting Cloud Id: \(error.localizedDescription)"))
-      }
-    }
-    return mappings;
-  }
 }
--- a/mobile/ios/fastlane/Fastfile
+++ b/mobile/ios/fastlane/Fastfile
@@ -21,6 +21,20 @@ platform :ios do
  CODE_SIGN_IDENTITY = "Apple Distribution: Hau Tran (#{TEAM_ID})"
  BASE_BUNDLE_ID = "app.alextran.immich"
  
+  # App identifiers for production
+  PROD_APP_IDENTIFIERS = [
+    "app.alextran.immich",
+    "app.alextran.immich.ShareExtension",
+    "app.alextran.immich.Widget"
+  ]
+  
+  # App identifiers for development
+  DEV_APP_IDENTIFIERS = [
+    "app.alextran.immich.development",
+    "app.alextran.immich.development.ShareExtension",
+    "app.alextran.immich.development.Widget"
+  ]
+  
  # Helper method to get App Store Connect API key
  def get_api_key
    app_store_connect_api_key(
@@ -32,6 +46,20 @@ platform :ios do
    )
  end
  
+  # Helper method to sync certificates and profiles using match
+  def sync_code_signing(app_identifiers:, readonly: true)
+    # Use fastlane's setup_ci which creates a temporary keychain and handles everything
+    if ENV["CI"]
+      setup_ci
+    end
+    
+    match(
+      type: "appstore",
+      app_identifier: app_identifiers,
+      readonly: readonly
+    )
+  end
+  
  # Helper method to get version from pubspec.yaml
 def get_version_from_pubspec
  require 'yaml'
@@ -44,7 +72,7 @@ def get_version_from_pubspec
 end
  
  # Helper method to configure code signing for all targets
-  def configure_code_signing(bundle_id_suffix: "", profile_name_main:, profile_name_share:, profile_name_widget:)
+  def configure_code_signing(bundle_id_suffix: "")
    bundle_suffix = bundle_id_suffix.empty? ? "" : ".#{bundle_id_suffix}"
    
    # Runner (main app)
@@ -54,7 +82,7 @@ end
      team_id: ENV["FASTLANE_TEAM_ID"] || TEAM_ID,
      code_sign_identity: CODE_SIGN_IDENTITY,
      bundle_identifier: "#{BASE_BUNDLE_ID}#{bundle_suffix}",
-      profile_name: profile_name_main,
+      profile_name: "match AppStore #{BASE_BUNDLE_ID}#{bundle_suffix}",
      targets: ["Runner"]
    )
    
@@ -65,7 +93,7 @@ end
      team_id: ENV["FASTLANE_TEAM_ID"] || TEAM_ID,
      code_sign_identity: CODE_SIGN_IDENTITY,
      bundle_identifier: "#{BASE_BUNDLE_ID}#{bundle_suffix}.ShareExtension",
-      profile_name: profile_name_share,
+      profile_name: "match AppStore #{BASE_BUNDLE_ID}#{bundle_suffix}.ShareExtension",
      targets: ["ShareExtension"]
    )
    
@@ -76,7 +104,7 @@ end
      team_id: ENV["FASTLANE_TEAM_ID"] || TEAM_ID,
      code_sign_identity: CODE_SIGN_IDENTITY,
      bundle_identifier: "#{BASE_BUNDLE_ID}#{bundle_suffix}.Widget",
-      profile_name: profile_name_widget,
+      profile_name: "match AppStore #{BASE_BUNDLE_ID}#{bundle_suffix}.Widget",
      targets: ["WidgetExtension"]
    )
  end
@@ -87,10 +115,7 @@ end
    bundle_id_suffix: "",
    configuration: "Release",
    distribute_external: true,
-    version_number: nil,
-    profile_name_main:,
-    profile_name_share:,
-    profile_name_widget:
+    version_number: nil
  )
    bundle_suffix = bundle_id_suffix.empty? ? "" : ".#{bundle_id_suffix}"
    app_identifier = "#{BASE_BUNDLE_ID}#{bundle_suffix}"
@@ -118,9 +143,9 @@ end
      xcargs: "-skipMacroValidation CODE_SIGN_IDENTITY='#{CODE_SIGN_IDENTITY}' CODE_SIGN_STYLE=Manual",
      export_options: {
        provisioningProfiles: {
-          "#{app_identifier}" => profile_name_main,
-          "#{app_identifier}.ShareExtension" => profile_name_share,
-          "#{app_identifier}.Widget" => profile_name_widget
+          "#{app_identifier}" => "match AppStore #{app_identifier}",
+          "#{app_identifier}.ShareExtension" => "match AppStore #{app_identifier}.ShareExtension",
+          "#{app_identifier}.Widget" => "match AppStore #{app_identifier}.Widget"
        },
        signingStyle: "manual",
        signingCertificate: CODE_SIGN_IDENTITY
@@ -139,35 +164,18 @@ end
  lane :gha_testflight_dev do
    api_key = get_api_key
    
-    # Download and install provisioning profiles from App Store Connect
-    # Certificate is imported by GHA workflow into build.keychain
-    # Capture profile names after each sigh call
-    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development", force: true)
-    main_profile_name = lane_context[SharedValues::SIGH_NAME]
+    # Sync certificates and profiles using match
+    sync_code_signing(app_identifiers: DEV_APP_IDENTIFIERS)
    
-    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.ShareExtension", force: true)
-    share_profile_name = lane_context[SharedValues::SIGH_NAME]
-    
-    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.Widget", force: true)
-    widget_profile_name = lane_context[SharedValues::SIGH_NAME]
-    
-    # Configure code signing for dev bundle IDs using the downloaded profile names
-    configure_code_signing(
-      bundle_id_suffix: "development",
-      profile_name_main: main_profile_name,
-      profile_name_share: share_profile_name,
-      profile_name_widget: widget_profile_name
-    )
+    # Configure code signing for dev bundle IDs
+    configure_code_signing(bundle_id_suffix: "development")
    
    # Build and upload
    build_and_upload(
      api_key: api_key,
      bundle_id_suffix: "development",
      configuration: "Profile",
-      distribute_external: false,
-      profile_name_main: main_profile_name,
-      profile_name_share: share_profile_name,
-      profile_name_widget: widget_profile_name
+      distribute_external: false
    )
  end

@@ -175,33 +183,17 @@ end
  lane :gha_release_prod do
    api_key = get_api_key
    
-    # Download and install provisioning profiles from App Store Connect
-    # Certificate is imported by GHA workflow into build.keychain
-    sigh(api_key: api_key, app_identifier: BASE_BUNDLE_ID, force: true)
-    main_profile_name = lane_context[SharedValues::SIGH_NAME]
-    
-    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.ShareExtension", force: true)
-    share_profile_name = lane_context[SharedValues::SIGH_NAME]
-    
-    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.Widget", force: true)
-    widget_profile_name = lane_context[SharedValues::SIGH_NAME]
-    
+    # Sync certificates and profiles using match
+    sync_code_signing(app_identifiers: PROD_APP_IDENTIFIERS)
    
    # Configure code signing for production bundle IDs
-    configure_code_signing(
-      profile_name_main: main_profile_name,
-      profile_name_share: share_profile_name,
-      profile_name_widget: widget_profile_name
-    )
+    configure_code_signing

    # Build and upload with version number
    build_and_upload(
      api_key: api_key,
      version_number: get_version_from_pubspec,
      distribute_external: false,
-      profile_name_main: main_profile_name,
-      profile_name_share: share_profile_name,
-      profile_name_widget: widget_profile_name
    )
  end

@@ -246,28 +238,13 @@ end
    # Use the same build process as production, just skip the upload
    # This ensures PR builds validate the same way as production builds
    
-    api_key = get_api_key
+    # Sync certificates and profiles using match (use production profiles)
+    sync_code_signing(app_identifiers: PROD_APP_IDENTIFIERS)
    
-    # Download and install provisioning profiles from App Store Connect
-    # Certificate is imported by GHA workflow into build.keychain
-    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development", force: true)
-    main_profile_name = lane_context[SharedValues::SIGH_NAME]
+    # Configure code signing for production bundle IDs
+    configure_code_signing
    
-    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.ShareExtension", force: true)
-    share_profile_name = lane_context[SharedValues::SIGH_NAME]
-    
-    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.Widget", force: true)
-    widget_profile_name = lane_context[SharedValues::SIGH_NAME]
-    
-    # Configure code signing for dev bundle IDs
-    configure_code_signing(
-      bundle_id_suffix: "development",
-      profile_name_main: main_profile_name,
-      profile_name_share: share_profile_name,
-      profile_name_widget: widget_profile_name
-    )
-    
-    # Build the app (same as gha_testflight_dev but without upload)
+    # Build the app (same as production but without upload)
    build_app(
      scheme: "Runner",
      workspace: "Runner.xcworkspace",
@@ -277,9 +254,9 @@ end
      xcargs: "-skipMacroValidation CODE_SIGN_IDENTITY='#{CODE_SIGN_IDENTITY}' CODE_SIGN_STYLE=Manual",
      export_options: {
        provisioningProfiles: {
-          "#{BASE_BUNDLE_ID}.development" => main_profile_name,
-          "#{BASE_BUNDLE_ID}.development.ShareExtension" => share_profile_name,
-          "#{BASE_BUNDLE_ID}.development.Widget" => widget_profile_name
+          "#{BASE_BUNDLE_ID}" => "match AppStore #{BASE_BUNDLE_ID}",
+          "#{BASE_BUNDLE_ID}.ShareExtension" => "match AppStore #{BASE_BUNDLE_ID}.ShareExtension",
+          "#{BASE_BUNDLE_ID}.Widget" => "match AppStore #{BASE_BUNDLE_ID}.Widget"
        },
        signingStyle: "manual",
        signingCertificate: CODE_SIGN_IDENTITY
@@ -287,4 +264,30 @@ end
    )
  end

+  desc "Sync all certificates and profiles (run locally to update match repo)"
+  lane :sync_certificates do
+    # Sync production certificates and profiles
+    match(
+      type: "appstore",
+      app_identifier: PROD_APP_IDENTIFIERS,
+      readonly: false
+    )
+    
+    # Sync development certificates and profiles
+    match(
+      type: "appstore",
+      app_identifier: DEV_APP_IDENTIFIERS,
+      readonly: false
+    )
+  end
+
+  desc "Regenerate all certificates and profiles (use when expired)"
+  lane :regenerate_certificates do
+    # Nuke existing certificates
+    match_nuke(type: "appstore")
+    
+    # Generate new ones
+    sync_certificates
+  end
+
 end
--- a/mobile/ios/fastlane/Matchfile
+++ b/mobile/ios/fastlane/Matchfile
@@ -0,0 +1,19 @@
+git_url(ENV["MATCH_GIT_URL"] || "https://github.com/immich-app/ios-certs")
+
+storage_mode("git")
+
+type("appstore")
+
+team_id("2F67MQ8R79")
+
+app_identifier([
+  "app.alextran.immich",
+  "app.alextran.immich.ShareExtension",
+  "app.alextran.immich.Widget",
+  "app.alextran.immich.development",
+  "app.alextran.immich.development.ShareExtension",
+  "app.alextran.immich.development.Widget"
+])
+
+# For all available options run `fastlane match --help`
+# The docs are available on https://docs.fastlane.tools/actions/match
--- a/mobile/ios/fastlane/README.md
+++ b/mobile/ios/fastlane/README.md
@@ -39,6 +39,30 @@ iOS Release to TestFlight

 iOS Manual Release

+### ios gha_build_only
+
+```sh
+[bundle exec] fastlane ios gha_build_only
+```
+
+iOS Build Only (no TestFlight upload)
+
+### ios sync_certificates
+
+```sh
+[bundle exec] fastlane ios sync_certificates
+```
+
+Sync all certificates and profiles (run locally to update match repo)
+
+### ios regenerate_certificates
+
+```sh
+[bundle exec] fastlane ios regenerate_certificates
+```
+
+Regenerate all certificates and profiles (use when expired)
+
 ----

 This README.md is auto-generated and will be re-generated every time [_fastlane_](https://fastlane.tools) is run.
--- a/mobile/lib/constants/constants.dart
+++ b/mobile/lib/constants/constants.dart
@@ -4,8 +4,6 @@ const int noDbId = -9223372036854775808; // from Isar
 const double downloadCompleted = -1;
 const double downloadFailed = -2;

-const String kMobileMetadataKey = "mobile-app";
-
 // Number of log entries to retain on app start
 const int kLogTruncateLimit = 2000;

--- a/mobile/lib/constants/enums.dart
+++ b/mobile/lib/constants/enums.dart
@@ -7,7 +7,3 @@ enum AssetVisibilityEnum { timeline, hidden, archive, locked }
 enum SortUserBy { id }

 enum ActionSource { timeline, viewer }
-
-enum CleanupStep { selectDate, filterOptions, scan, delete }
-
-enum AssetFilterType { all, photosOnly, videosOnly }
--- a/mobile/lib/constants/locales.dart
+++ b/mobile/lib/constants/locales.dart
@@ -51,4 +51,4 @@ const Map<String, Locale> locales = {

 const String translationsPath = 'assets/i18n';

-const List<Locale> localesNotSupportedByAppFont = [Locale('el', 'GR'), Locale('sr', 'Cyrl')];
+const List<Locale> localesNotSupportedByOverpass = [Locale('el', 'GR'), Locale('sr', 'Cyrl')];
--- a/mobile/lib/domain/models/asset/asset_metadata.model.dart
+++ b/mobile/lib/domain/models/asset/asset_metadata.model.dart
@@ -1,62 +0,0 @@
-enum RemoteAssetMetadataKey {
-  mobileApp("mobile-app");
-
-  final String key;
-
-  const RemoteAssetMetadataKey(this.key);
-}
-
-abstract class RemoteAssetMetadataValue {
-  const RemoteAssetMetadataValue();
-
-  Map<String, dynamic> toJson();
-}
-
-class RemoteAssetMetadataItem {
-  final RemoteAssetMetadataKey key;
-  final RemoteAssetMetadataValue value;
-
-  const RemoteAssetMetadataItem({required this.key, required this.value});
-
-  Map<String, Object?> toJson() {
-    return {'key': key.key, 'value': value};
-  }
-}
-
-class RemoteAssetMobileAppMetadata extends RemoteAssetMetadataValue {
-  final String? cloudId;
-  final String? createdAt;
-  final String? adjustmentTime;
-  final String? latitude;
-  final String? longitude;
-
-  const RemoteAssetMobileAppMetadata({
-    this.cloudId,
-    this.createdAt,
-    this.adjustmentTime,
-    this.latitude,
-    this.longitude,
-  });
-
-  @override
-  Map<String, dynamic> toJson() {
-    final map = <String, Object?>{};
-    if (cloudId != null) {
-      map["iCloudId"] = cloudId;
-    }
-    if (createdAt != null) {
-      map["createdAt"] = createdAt;
-    }
-    if (adjustmentTime != null) {
-      map["adjustmentTime"] = adjustmentTime;
-    }
-    if (latitude != null) {
-      map["latitude"] = latitude;
-    }
-    if (longitude != null) {
-      map["longitude"] = longitude;
-    }
-
-    return map;
-  }
-}
--- a/mobile/lib/domain/models/asset/base_asset.model.dart
+++ b/mobile/lib/domain/models/asset/base_asset.model.dart
@@ -22,7 +22,6 @@ sealed class BaseAsset {
  final int? durationInSeconds;
  final bool isFavorite;
  final String? livePhotoVideoId;
-  final bool isEdited;

  const BaseAsset({
    required this.name,
@@ -35,7 +34,6 @@ sealed class BaseAsset {
    this.durationInSeconds,
    this.isFavorite = false,
    this.livePhotoVideoId,
-    required this.isEdited,
  });

  bool get isImage => type == AssetType.image;
@@ -73,7 +71,6 @@ sealed class BaseAsset {
  height: ${height ?? "<NA>"},
  durationInSeconds: ${durationInSeconds ?? "<NA>"},
  isFavorite: $isFavorite,
-  isEdited: $isEdited,
 }''';
  }

@@ -88,8 +85,7 @@ sealed class BaseAsset {
          width == other.width &&
          height == other.height &&
          durationInSeconds == other.durationInSeconds &&
-          isFavorite == other.isFavorite &&
-          isEdited == other.isEdited;
+          isFavorite == other.isFavorite;
    }
    return false;
  }
@@ -103,7 +99,6 @@ sealed class BaseAsset {
        width.hashCode ^
        height.hashCode ^
        durationInSeconds.hashCode ^
-        isFavorite.hashCode ^
-        isEdited.hashCode;
+        isFavorite.hashCode;
  }
 }
--- a/mobile/lib/domain/models/asset/local_asset.model.dart
+++ b/mobile/lib/domain/models/asset/local_asset.model.dart
@@ -3,7 +3,6 @@ part of 'base_asset.model.dart';
 class LocalAsset extends BaseAsset {
  final String id;
  final String? remoteAssetId;
-  final String? cloudId;
  final int orientation;

  final DateTime? adjustmentTime;
@@ -13,7 +12,6 @@ class LocalAsset extends BaseAsset {
  const LocalAsset({
    required this.id,
    String? remoteId,
-    this.cloudId,
    required super.name,
    super.checksum,
    required super.type,
@@ -28,7 +26,6 @@ class LocalAsset extends BaseAsset {
    this.adjustmentTime,
    this.latitude,
    this.longitude,
-    required super.isEdited,
  }) : remoteAssetId = remoteId;

  @override
@@ -56,14 +53,12 @@ class LocalAsset extends BaseAsset {
   width: ${width ?? "<NA>"},
   height: ${height ?? "<NA>"},
   durationInSeconds: ${durationInSeconds ?? "<NA>"},
-   remoteId: ${remoteId ?? "<NA>"},
-   cloudId: ${cloudId ?? "<NA>"},
-   checksum: ${checksum ?? "<NA>"},
+   remoteId: ${remoteId ?? "<NA>"}
   isFavorite: $isFavorite,
-   orientation: $orientation,
-   adjustmentTime: $adjustmentTime,
-   latitude: ${latitude ?? "<NA>"},
-   longitude: ${longitude ?? "<NA>"},
+  orientation: $orientation,
+  adjustmentTime: $adjustmentTime,
+  latitude: ${latitude ?? "<NA>"},
+  longitude: ${longitude ?? "<NA>"},
 }''';
  }

@@ -74,7 +69,6 @@ class LocalAsset extends BaseAsset {
    if (identical(this, other)) return true;
    return super == other &&
        id == other.id &&
-        cloudId == other.cloudId &&
        orientation == other.orientation &&
        adjustmentTime == other.adjustmentTime &&
        latitude == other.latitude &&
@@ -94,7 +88,6 @@ class LocalAsset extends BaseAsset {
  LocalAsset copyWith({
    String? id,
    String? remoteId,
-    String? cloudId,
    String? name,
    String? checksum,
    AssetType? type,
@@ -108,12 +101,10 @@ class LocalAsset extends BaseAsset {
    DateTime? adjustmentTime,
    double? latitude,
    double? longitude,
-    bool? isEdited,
  }) {
    return LocalAsset(
      id: id ?? this.id,
      remoteId: remoteId ?? this.remoteId,
-      cloudId: cloudId ?? this.cloudId,
      name: name ?? this.name,
      checksum: checksum ?? this.checksum,
      type: type ?? this.type,
@@ -127,7 +118,6 @@ class LocalAsset extends BaseAsset {
      adjustmentTime: adjustmentTime ?? this.adjustmentTime,
      latitude: latitude ?? this.latitude,
      longitude: longitude ?? this.longitude,
-      isEdited: isEdited ?? this.isEdited,
    );
  }
 }
--- a/mobile/lib/domain/models/asset/remote_asset.model.dart
+++ b/mobile/lib/domain/models/asset/remote_asset.model.dart
@@ -28,7 +28,6 @@ class RemoteAsset extends BaseAsset {
    this.visibility = AssetVisibility.timeline,
    super.livePhotoVideoId,
    this.stackId,
-    required super.isEdited,
  }) : localAssetId = localId;

  @override
@@ -105,7 +104,6 @@ class RemoteAsset extends BaseAsset {
    AssetVisibility? visibility,
    String? livePhotoVideoId,
    String? stackId,
-    bool? isEdited,
  }) {
    return RemoteAsset(
      id: id ?? this.id,
@@ -124,7 +122,6 @@ class RemoteAsset extends BaseAsset {
      visibility: visibility ?? this.visibility,
      livePhotoVideoId: livePhotoVideoId ?? this.livePhotoVideoId,
      stackId: stackId ?? this.stackId,
-      isEdited: isEdited ?? this.isEdited,
    );
  }
 }
--- a/mobile/lib/domain/services/asset.service.dart
+++ b/mobile/lib/domain/services/asset.service.dart
@@ -4,6 +4,7 @@ import 'package:immich_mobile/domain/models/exif.model.dart';
 import 'package:immich_mobile/extensions/platform_extensions.dart';
 import 'package:immich_mobile/infrastructure/repositories/local_asset.repository.dart';
 import 'package:immich_mobile/infrastructure/repositories/remote_asset.repository.dart';
+import 'package:immich_mobile/infrastructure/utils/exif.converter.dart';

 typedef _AssetVideoDimension = ({double? width, double? height, bool isFlipped});

@@ -98,7 +99,9 @@ class AssetService {
      height = fetched?.height?.toDouble();
    }

-    return (width: width, height: height, isFlipped: false);
+    final exif = await getExif(asset);
+    final isFlipped = ExifDtoConverter.isOrientationFlipped(exif?.orientation);
+    return (width: width, height: height, isFlipped: isFlipped);
  }

  Future<List<(String, String)>> getPlaces(String userId) {
--- a/mobile/lib/domain/services/background_worker.service.dart
+++ b/mobile/lib/domain/services/background_worker.service.dart
@@ -9,6 +9,7 @@ import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:immich_mobile/constants/constants.dart';
 import 'package:immich_mobile/domain/services/log.service.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
+import 'package:immich_mobile/extensions/network_capability_extensions.dart';
 import 'package:immich_mobile/extensions/platform_extensions.dart';
 import 'package:immich_mobile/infrastructure/repositories/db.repository.dart';
 import 'package:immich_mobile/infrastructure/repositories/logger_db.repository.dart';
@@ -19,13 +20,13 @@ import 'package:immich_mobile/providers/background_sync.provider.dart';
 import 'package:immich_mobile/providers/backup/drift_backup.provider.dart';
 import 'package:immich_mobile/providers/db.provider.dart';
 import 'package:immich_mobile/providers/infrastructure/db.provider.dart';
-import 'package:immich_mobile/providers/infrastructure/platform.provider.dart' show nativeSyncApiProvider;
+import 'package:immich_mobile/providers/infrastructure/platform.provider.dart';
 import 'package:immich_mobile/providers/user.provider.dart';
 import 'package:immich_mobile/repositories/file_media.repository.dart';
 import 'package:immich_mobile/services/app_settings.service.dart';
 import 'package:immich_mobile/services/auth.service.dart';
 import 'package:immich_mobile/services/localization.service.dart';
-import 'package:immich_mobile/services/foreground_upload.service.dart';
+import 'package:immich_mobile/services/upload.service.dart';
 import 'package:immich_mobile/utils/bootstrap.dart';
 import 'package:immich_mobile/utils/debug_print.dart';
 import 'package:immich_mobile/utils/http_ssl_options.dart';
@@ -242,12 +243,13 @@ class BackgroundWorkerBgService extends BackgroundWorkerFlutterApi {
        }

        if (Platform.isIOS) {
-          return _ref?.read(driftBackupProvider.notifier).startBackupWithURLSession(currentUser.id);
+          return _ref?.read(driftBackupProvider.notifier).handleBackupResume(currentUser.id);
        }

+        final networkCapabilities = await _ref?.read(connectivityApiProvider).getCapabilities() ?? [];
        return _ref
-            ?.read(foregroundUploadServiceProvider)
-            .uploadCandidates(currentUser.id, _cancellationToken, useSequentialUpload: true);
+            ?.read(uploadServiceProvider)
+            .startBackupWithHttpClient(currentUser.id, networkCapabilities.isUnmetered, _cancellationToken);
      },
      (error, stack) {
        dPrint(() => "Error in backup zone $error, $stack");
--- a/mobile/lib/domain/services/hash.service.dart
+++ b/mobile/lib/domain/services/hash.service.dart
@@ -40,9 +40,6 @@ class HashService {
    _log.info("Starting hashing of assets");
    final Stopwatch stopwatch = Stopwatch()..start();
    try {
-      // Migrate hashes from cloud ID to local ID so we don't have to re-hash them
-      await _migrateHashes();
-
      // Sorted by backupSelection followed by isCloud
      final localAlbums = await _localAlbumRepository.getBackupAlbums();

@@ -78,15 +75,6 @@ class HashService {
    _log.info("Hashing took - ${stopwatch.elapsedMilliseconds}ms");
  }

-  Future<void> _migrateHashes() async {
-    final hashMappings = await _localAssetRepository.getHashMappingFromCloudId();
-    if (hashMappings.isEmpty) {
-      return;
-    }
-
-    await _localAssetRepository.updateHashes(hashMappings);
-  }
-
  /// Processes a list of [LocalAsset]s, storing their hash and updating the assets in the DB
  /// with hash for those that were successfully hashed. Hashes are looked up in a table
  /// [LocalAssetHashEntity] by local id. Only missing entries are newly hashed and added to the DB.
--- a/mobile/lib/domain/services/local_sync.service.dart
+++ b/mobile/lib/domain/services/local_sync.service.dart
@@ -8,7 +8,6 @@ import 'package:immich_mobile/domain/models/store.model.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/extensions/platform_extensions.dart';
 import 'package:immich_mobile/infrastructure/repositories/local_album.repository.dart';
-import 'package:immich_mobile/infrastructure/repositories/local_asset.repository.dart';
 import 'package:immich_mobile/infrastructure/repositories/storage.repository.dart';
 import 'package:immich_mobile/infrastructure/repositories/trashed_local_asset.repository.dart';
 import 'package:immich_mobile/platform/native_sync_api.g.dart';
@@ -19,7 +18,6 @@ import 'package:logging/logging.dart';

 class LocalSyncService {
  final DriftLocalAlbumRepository _localAlbumRepository;
-  final DriftLocalAssetRepository _localAssetRepository;
  final NativeSyncApi _nativeSyncApi;
  final DriftTrashedLocalAssetRepository _trashedLocalAssetRepository;
  final LocalFilesManagerRepository _localFilesManager;
@@ -28,13 +26,11 @@ class LocalSyncService {

  LocalSyncService({
    required DriftLocalAlbumRepository localAlbumRepository,
-    required DriftLocalAssetRepository localAssetRepository,
    required DriftTrashedLocalAssetRepository trashedLocalAssetRepository,
    required LocalFilesManagerRepository localFilesManager,
    required StorageRepository storageRepository,
    required NativeSyncApi nativeSyncApi,
  }) : _localAlbumRepository = localAlbumRepository,
-       _localAssetRepository = localAssetRepository,
       _trashedLocalAssetRepository = trashedLocalAssetRepository,
       _localFilesManager = localFilesManager,
       _storageRepository = storageRepository,
@@ -51,12 +47,6 @@ class LocalSyncService {
          _log.warning("syncTrashedAssets cannot proceed because MANAGE_MEDIA permission is missing");
        }
      }
-
-      if (CurrentPlatform.isIOS) {
-        final assets = await _localAssetRepository.getEmptyCloudIdAssets();
-        await _mapIosCloudIds(assets);
-      }
-
      if (full || await _nativeSyncApi.shouldFullSync()) {
        _log.fine("Full sync request from ${full ? "user" : "native"}");
        return await fullSync();
@@ -73,9 +63,8 @@ class LocalSyncService {

      final deviceAlbums = await _nativeSyncApi.getAlbums();
      await _localAlbumRepository.updateAll(deviceAlbums.toLocalAlbums());
-      final newAssets = delta.updates.toLocalAssets();
      await _localAlbumRepository.processDelta(
-        updates: newAssets,
+        updates: delta.updates.toLocalAssets(),
        deletes: delta.deletes,
        assetAlbums: delta.assetAlbums,
      );
@@ -103,8 +92,6 @@ class LocalSyncService {
          }
          await updateAlbum(dbAlbum, album);
        }
-
-        await _mapIosCloudIds(newAssets);
      }
      await _nativeSyncApi.checkpointSync();
    } catch (e, s) {
@@ -143,12 +130,9 @@ class LocalSyncService {
    try {
      _log.fine("Adding device album ${album.name}");

-      final assets = album.assetCount > 0
-          ? await _nativeSyncApi.getAssetsForAlbum(album.id).then((a) => a.toLocalAssets())
-          : <LocalAsset>[];
+      final assets = album.assetCount > 0 ? await _nativeSyncApi.getAssetsForAlbum(album.id) : <PlatformAsset>[];

-      await _localAlbumRepository.upsert(album, toUpsert: assets);
-      await _mapIosCloudIds(assets);
+      await _localAlbumRepository.upsert(album, toUpsert: assets.toLocalAssets());
      _log.fine("Successfully added device album ${album.name}");
    } catch (e, s) {
      _log.warning("Error while adding device album", e, s);
@@ -218,16 +202,13 @@ class LocalSyncService {
        return false;
      }

-      final newAssets = await _nativeSyncApi
-          .getAssetsForAlbum(deviceAlbum.id, updatedTimeCond: updatedTime)
-          .then((a) => a.toLocalAssets());
+      final newAssets = await _nativeSyncApi.getAssetsForAlbum(deviceAlbum.id, updatedTimeCond: updatedTime);

      await _localAlbumRepository.upsert(
        deviceAlbum.copyWith(backupSelection: dbAlbum.backupSelection),
-        toUpsert: newAssets,
+        toUpsert: newAssets.toLocalAssets(),
      );

-      await _mapIosCloudIds(newAssets);
      return true;
    } catch (e, s) {
      _log.warning("Error on fast syncing local album: ${dbAlbum.name}", e, s);
@@ -259,7 +240,6 @@ class LocalSyncService {
      if (dbAlbum.assetCount == 0) {
        _log.fine("Device album ${deviceAlbum.name} is empty. Adding assets to DB.");
        await _localAlbumRepository.upsert(updatedDeviceAlbum, toUpsert: assetsInDevice);
-        await _mapIosCloudIds(assetsInDevice);
        return true;
      }

@@ -297,7 +277,6 @@ class LocalSyncService {
      }

      await _localAlbumRepository.upsert(updatedDeviceAlbum, toUpsert: assetsToUpsert, toDelete: assetsToDelete);
-      await _mapIosCloudIds(assetsToUpsert);

      return true;
    } catch (e, s) {
@@ -306,29 +285,6 @@ class LocalSyncService {
    return true;
  }

-  Future<void> _mapIosCloudIds(List<LocalAsset> assets) async {
-    if (!CurrentPlatform.isIOS || assets.isEmpty) {
-      return;
-    }
-
-    final assetIds = assets.map((a) => a.id).toList();
-    final cloudMapping = <String, String>{};
-    final cloudIds = await _nativeSyncApi.getCloudIdForAssetIds(assetIds);
-    for (int i = 0; i < cloudIds.length; i++) {
-      final cloudIdResult = cloudIds[i];
-      if (cloudIdResult.cloudId != null) {
-        cloudMapping[cloudIdResult.assetId] = cloudIdResult.cloudId!;
-      } else {
-        final asset = assets.firstWhereOrNull((a) => a.id == cloudIdResult.assetId);
-        _log.fine(
-          "Cannot fetch cloudId for asset with id: ${cloudIdResult.assetId}, name: ${asset?.name}, createdAt: ${asset?.createdAt}. Error: ${cloudIdResult.error ?? "unknown"}",
-        );
-      }
-    }
-
-    await _localAlbumRepository.updateCloudMapping(cloudMapping);
-  }
-
  bool _assetsEqual(LocalAsset a, LocalAsset b) {
    if (CurrentPlatform.isAndroid) {
      return a.updatedAt.isAtSameMomentAs(b.updatedAt) &&
@@ -404,7 +360,6 @@ extension on Iterable<PlatformAlbum> {
        name: e.name,
        updatedAt: tryFromSecondsSinceEpoch(e.updatedAt, isUtc: true) ?? DateTime.timestamp(),
        assetCount: e.assetCount,
-        isIosSharedAlbum: e.isCloud,
      ),
    ).toList();
  }
@@ -436,6 +391,5 @@ extension PlatformToLocalAsset on PlatformAsset {
    adjustmentTime: tryFromSecondsSinceEpoch(adjustmentTime, isUtc: true),
    latitude: latitude,
    longitude: longitude,
-    isEdited: false,
  );
 }
--- a/mobile/lib/domain/services/search.service.dart
+++ b/mobile/lib/domain/services/search.service.dart
@@ -77,7 +77,6 @@ extension on AssetResponseDto {
      thumbHash: thumbhash,
      localId: null,
      type: type.toAssetType(),
-      isEdited: isEdited,
    );
  }
 }
--- a/mobile/lib/domain/services/sync_stream.service.dart
+++ b/mobile/lib/domain/services/sync_stream.service.dart
@@ -118,10 +118,6 @@ class SyncStreamService {
        return _syncStreamRepository.deleteAssetsV1(data.cast());
      case SyncEntityType.assetExifV1:
        return _syncStreamRepository.updateAssetsExifV1(data.cast());
-      case SyncEntityType.assetMetadataV1:
-        return _syncStreamRepository.updateAssetsMetadataV1(data.cast());
-      case SyncEntityType.assetMetadataDeleteV1:
-        return _syncStreamRepository.deleteAssetsMetadataV1(data.cast());
      case SyncEntityType.partnerAssetV1:
        return _syncStreamRepository.updateAssetsV1(data.cast(), debugLabel: 'partner');
      case SyncEntityType.partnerAssetBackfillV1:
@@ -247,42 +243,6 @@ class SyncStreamService {
    }
  }

-  Future<void> handleWsAssetEditReadyV1Batch(List<dynamic> batchData) async {
-    if (batchData.isEmpty) return;
-
-    _logger.info('Processing batch of ${batchData.length} AssetEditReadyV1 events');
-
-    final List<SyncAssetV1> assets = [];
-
-    try {
-      for (final data in batchData) {
-        if (data is! Map<String, dynamic>) {
-          continue;
-        }
-
-        final payload = data;
-        final assetData = payload['asset'];
-
-        if (assetData == null) {
-          continue;
-        }
-
-        final asset = SyncAssetV1.fromJson(assetData);
-
-        if (asset != null) {
-          assets.add(asset);
-        }
-      }
-
-      if (assets.isNotEmpty) {
-        await _syncStreamRepository.updateAssetsV1(assets, debugLabel: 'websocket-edit');
-        _logger.info('Successfully processed ${assets.length} edited assets');
-      }
-    } catch (error, stackTrace) {
-      _logger.severe("Error processing AssetEditReadyV1 websocket batch events", error, stackTrace);
-    }
-  }
-
  Future<void> _handleRemoteTrashed(Iterable<String> checksums) async {
    if (checksums.isEmpty) {
      return Future.value();
--- a/mobile/lib/domain/services/timeline.service.dart
+++ b/mobile/lib/domain/services/timeline.service.dart
@@ -79,9 +79,6 @@ class TimelineFactory {
  TimelineService fromAssets(List<BaseAsset> assets, TimelineOrigin type) =>
      TimelineService(_timelineRepository.fromAssets(assets, type));

-  TimelineService fromAssetsWithBuckets(List<BaseAsset> assets, TimelineOrigin type) =>
-      TimelineService(_timelineRepository.fromAssetsWithBuckets(assets, type));
-
  TimelineService map(String userId, LatLngBounds bounds) =>
      TimelineService(_timelineRepository.map(userId, bounds, groupBy));
 }
--- a/mobile/lib/domain/utils/background_sync.dart
+++ b/mobile/lib/domain/utils/background_sync.dart
@@ -1,6 +1,5 @@
 import 'dart:async';

-import 'package:immich_mobile/domain/utils/migrate_cloud_ids.dart' as m;
 import 'package:immich_mobile/domain/utils/sync_linked_album.dart';
 import 'package:immich_mobile/providers/infrastructure/sync.provider.dart';
 import 'package:immich_mobile/utils/isolate.dart';
@@ -23,13 +22,8 @@ class BackgroundSyncManager {
  final SyncCallback? onHashingComplete;
  final SyncErrorCallback? onHashingError;

-  final SyncCallback? onCloudIdSyncStart;
-  final SyncCallback? onCloudIdSyncComplete;
-  final SyncErrorCallback? onCloudIdSyncError;
-
  Cancelable<bool?>? _syncTask;
  Cancelable<void>? _syncWebsocketTask;
-  Cancelable<void>? _cloudIdSyncTask;
  Cancelable<void>? _deviceAlbumSyncTask;
  Cancelable<void>? _linkedAlbumSyncTask;
  Cancelable<void>? _hashTask;
@@ -44,9 +38,6 @@ class BackgroundSyncManager {
    this.onHashingStart,
    this.onHashingComplete,
    this.onHashingError,
-    this.onCloudIdSyncStart,
-    this.onCloudIdSyncComplete,
-    this.onCloudIdSyncError,
  });

  Future<void> cancel() async {
@@ -64,12 +55,6 @@ class BackgroundSyncManager {
    _syncWebsocketTask?.cancel();
    _syncWebsocketTask = null;

-    if (_cloudIdSyncTask != null) {
-      futures.add(_cloudIdSyncTask!.future);
-    }
-    _cloudIdSyncTask?.cancel();
-    _cloudIdSyncTask = null;
-
    if (_linkedAlbumSyncTask != null) {
      futures.add(_linkedAlbumSyncTask!.future);
    }
@@ -136,6 +121,7 @@ class BackgroundSyncManager {
        });
  }

+  // No need to cancel the task, as it can also be run when the user logs out
  Future<void> hashAssets() {
    if (_hashTask != null) {
      return _hashTask!.future;
@@ -196,16 +182,6 @@ class BackgroundSyncManager {
    });
  }

-  Future<void> syncWebsocketEditBatch(List<dynamic> batchData) {
-    if (_syncWebsocketTask != null) {
-      return _syncWebsocketTask!.future;
-    }
-    _syncWebsocketTask = _handleWsAssetEditReadyV1Batch(batchData);
-    return _syncWebsocketTask!.whenComplete(() {
-      _syncWebsocketTask = null;
-    });
-  }
-
  Future<void> syncLinkedAlbum() {
    if (_linkedAlbumSyncTask != null) {
      return _linkedAlbumSyncTask!.future;
@@ -216,33 +192,9 @@ class BackgroundSyncManager {
      _linkedAlbumSyncTask = null;
    });
  }
-
-  Future<void> syncCloudIds() {
-    if (_cloudIdSyncTask != null) {
-      return _cloudIdSyncTask!.future;
-    }
-
-    onCloudIdSyncStart?.call();
-
-    _cloudIdSyncTask = runInIsolateGentle(computation: m.syncCloudIds);
-    return _cloudIdSyncTask!
-        .whenComplete(() {
-          onCloudIdSyncComplete?.call();
-          _cloudIdSyncTask = null;
-        })
-        .catchError((error) {
-          onCloudIdSyncError?.call(error.toString());
-          _cloudIdSyncTask = null;
-        });
-  }
 }

 Cancelable<void> _handleWsAssetUploadReadyV1Batch(List<dynamic> batchData) => runInIsolateGentle(
  computation: (ref) => ref.read(syncStreamServiceProvider).handleWsAssetUploadReadyV1Batch(batchData),
  debugLabel: 'websocket-batch',
 );
-
-Cancelable<void> _handleWsAssetEditReadyV1Batch(List<dynamic> batchData) => runInIsolateGentle(
-  computation: (ref) => ref.read(syncStreamServiceProvider).handleWsAssetEditReadyV1Batch(batchData),
-  debugLabel: 'websocket-edit',
-);
--- a/mobile/lib/domain/utils/migrate_cloud_ids.dart
+++ b/mobile/lib/domain/utils/migrate_cloud_ids.dart
@@ -1,175 +0,0 @@
-import 'package:drift/drift.dart';
-import 'package:hooks_riverpod/hooks_riverpod.dart';
-import 'package:immich_mobile/constants/constants.dart';
-import 'package:immich_mobile/domain/models/asset/asset_metadata.model.dart';
-import 'package:immich_mobile/domain/models/asset/base_asset.model.dart';
-import 'package:immich_mobile/extensions/platform_extensions.dart';
-import 'package:immich_mobile/infrastructure/entities/local_asset.entity.dart';
-import 'package:immich_mobile/infrastructure/repositories/db.repository.dart';
-import 'package:immich_mobile/infrastructure/repositories/local_album.repository.dart';
-import 'package:immich_mobile/platform/native_sync_api.g.dart';
-import 'package:immich_mobile/providers/api.provider.dart';
-import 'package:immich_mobile/providers/infrastructure/db.provider.dart';
-import 'package:immich_mobile/providers/infrastructure/sync.provider.dart';
-import 'package:immich_mobile/providers/server_info.provider.dart';
-import 'package:immich_mobile/providers/user.provider.dart';
-import 'package:logging/logging.dart';
-// ignore: import_rule_openapi
-import 'package:openapi/api.dart' hide AssetVisibility;
-
-Future<void> syncCloudIds(ProviderContainer ref) async {
-  if (!CurrentPlatform.isIOS) {
-    return;
-  }
-  final logger = Logger('migrateCloudIds');
-
-  final db = ref.read(driftProvider);
-  // Populate cloud IDs for local assets that don't have one yet
-  await _populateCloudIds(db);
-
-  final serverInfo = await ref.read(serverInfoProvider.notifier).getServerInfo();
-  final canUpdateMetadata = serverInfo.serverVersion.isAtLeast(major: 2, minor: 4);
-  if (!canUpdateMetadata) {
-    logger.fine('Server version does not support asset metadata updates. Skipping cloudId migration.');
-    return;
-  }
-  final canBulkUpdateMetadata = serverInfo.serverVersion.isAtLeast(major: 2, minor: 5);
-
-  // Wait for remote sync to complete, so we have up-to-date asset metadata entries
-  try {
-    await ref.read(syncStreamServiceProvider).sync();
-  } catch (e, s) {
-    logger.fine('Failed to complete remote sync before cloudId migration.', e, s);
-    return;
-  }
-
-  // Fetch the mapping for backed up assets that have a cloud ID locally but do not have a cloud ID on the server
-  final currentUser = ref.read(currentUserProvider);
-  if (currentUser == null) {
-    logger.warning('Current user is null. Aborting cloudId migration.');
-    return;
-  }
-
-  final mappingsToUpdate = await _fetchCloudIdMappings(db, currentUser.id);
-  // Deduplicate mappings as a single remote asset ID can match multiple local assets
-  final seenRemoteAssetIds = <String>{};
-  final uniqueMapping = mappingsToUpdate.where((mapping) {
-    if (!seenRemoteAssetIds.add(mapping.remoteAssetId)) {
-      logger.fine('Duplicate remote asset ID found: ${mapping.remoteAssetId}. Skipping duplicate entry.');
-      return false;
-    }
-    return true;
-  }).toList();
-
-  final assetApi = ref.read(apiServiceProvider).assetsApi;
-
-  if (canBulkUpdateMetadata) {
-    await _bulkUpdateCloudIds(assetApi, uniqueMapping);
-    return;
-  }
-  await _sequentialUpdateCloudIds(assetApi, uniqueMapping);
-}
-
-Future<void> _sequentialUpdateCloudIds(AssetsApi assetsApi, List<_CloudIdMapping> mappings) async {
-  for (final mapping in mappings) {
-    final item = AssetMetadataUpsertItemDto(
-      key: kMobileMetadataKey,
-      value: RemoteAssetMobileAppMetadata(
-        cloudId: mapping.localAsset.cloudId,
-        createdAt: mapping.localAsset.createdAt.toIso8601String(),
-        adjustmentTime: mapping.localAsset.adjustmentTime?.toIso8601String(),
-        latitude: mapping.localAsset.latitude?.toString(),
-        longitude: mapping.localAsset.longitude?.toString(),
-      ),
-    );
-    try {
-      await assetsApi.updateAssetMetadata(mapping.remoteAssetId, AssetMetadataUpsertDto(items: [item]));
-    } catch (error, stack) {
-      Logger('migrateCloudIds').warning('Failed to update metadata for asset ${mapping.remoteAssetId}', error, stack);
-    }
-  }
-}
-
-Future<void> _bulkUpdateCloudIds(AssetsApi assetsApi, List<_CloudIdMapping> mappings) async {
-  const batchSize = 10000;
-  for (int i = 0; i < mappings.length; i += batchSize) {
-    final endIndex = (i + batchSize > mappings.length) ? mappings.length : i + batchSize;
-    final batch = mappings.sublist(i, endIndex);
-    final items = <AssetMetadataBulkUpsertItemDto>[];
-    for (final mapping in batch) {
-      items.add(
-        AssetMetadataBulkUpsertItemDto(
-          assetId: mapping.remoteAssetId,
-          key: kMobileMetadataKey,
-          value: RemoteAssetMobileAppMetadata(
-            cloudId: mapping.localAsset.cloudId,
-            createdAt: mapping.localAsset.createdAt.toIso8601String(),
-            adjustmentTime: mapping.localAsset.adjustmentTime?.toIso8601String(),
-            latitude: mapping.localAsset.latitude?.toString(),
-            longitude: mapping.localAsset.longitude?.toString(),
-          ),
-        ),
-      );
-    }
-    try {
-      await assetsApi.updateBulkAssetMetadata(AssetMetadataBulkUpsertDto(items: items));
-    } catch (error, stack) {
-      Logger('migrateCloudIds').warning('Failed to bulk update metadata', error, stack);
-    }
-  }
-}
-
-Future<void> _populateCloudIds(Drift drift) async {
-  final query = drift.localAssetEntity.selectOnly()
-    ..addColumns([drift.localAssetEntity.id])
-    ..where(drift.localAssetEntity.iCloudId.isNull());
-  final ids = await query.map((row) => row.read(drift.localAssetEntity.id)!).get();
-  final cloudMapping = <String, String>{};
-  final cloudIds = await NativeSyncApi().getCloudIdForAssetIds(ids);
-  for (int i = 0; i < cloudIds.length; i++) {
-    final cloudIdResult = cloudIds[i];
-    if (cloudIdResult.cloudId != null) {
-      cloudMapping[cloudIdResult.assetId] = cloudIdResult.cloudId!;
-    } else {
-      Logger('migrateCloudIds').fine(
-        "Cannot fetch cloudId for asset with id: ${cloudIdResult.assetId}. Error: ${cloudIdResult.error ?? "unknown"}",
-      );
-    }
-  }
-  await DriftLocalAlbumRepository(drift).updateCloudMapping(cloudMapping);
-}
-
-typedef _CloudIdMapping = ({String remoteAssetId, LocalAsset localAsset});
-
-Future<List<_CloudIdMapping>> _fetchCloudIdMappings(Drift drift, String userId) async {
-  final query =
-      drift.remoteAssetEntity.select().join([
-        leftOuterJoin(
-          drift.localAssetEntity,
-          drift.localAssetEntity.checksum.equalsExp(drift.remoteAssetEntity.checksum),
-        ),
-        leftOuterJoin(
-          drift.remoteAssetCloudIdEntity,
-          drift.remoteAssetEntity.id.equalsExp(drift.remoteAssetCloudIdEntity.assetId),
-          useColumns: false,
-        ),
-      ])..where(
-        // Only select assets that have a local cloud ID but either no remote cloud ID or a mismatched eTag
-        drift.localAssetEntity.id.isNotNull() &
-            drift.localAssetEntity.iCloudId.isNotNull() &
-            drift.remoteAssetEntity.ownerId.equals(userId) &
-            // Skip locked assets as we cannot update them without unlocking first
-            drift.remoteAssetEntity.visibility.isNotValue(AssetVisibility.locked.index) &
-            (drift.remoteAssetCloudIdEntity.cloudId.isNull() |
-                drift.remoteAssetCloudIdEntity.adjustmentTime.isNotExp(drift.localAssetEntity.adjustmentTime) |
-                drift.remoteAssetCloudIdEntity.latitude.isNotExp(drift.localAssetEntity.latitude) |
-                drift.remoteAssetCloudIdEntity.longitude.isNotExp(drift.localAssetEntity.longitude) |
-                drift.remoteAssetCloudIdEntity.createdAt.isNotExp(drift.localAssetEntity.createdAt)),
-      );
-  return query.map((row) {
-    return (
-      remoteAssetId: row.read(drift.remoteAssetEntity.id)!,
-      localAsset: row.readTable(drift.localAssetEntity).toDto(),
-    );
-  }).get();
-}
--- a/mobile/lib/infrastructure/entities/local_album.entity.dart
+++ b/mobile/lib/infrastructure/entities/local_album.entity.dart
@@ -33,7 +33,6 @@ extension LocalAlbumEntityDataHelper on LocalAlbumEntityData {
      assetCount: assetCount,
      backupSelection: backupSelection,
      linkedRemoteAlbumId: linkedRemoteAlbumId,
-      isIosSharedAlbum: isIosSharedAlbum,
    );
  }
 }
--- a/mobile/lib/infrastructure/entities/local_asset.entity.dart
+++ b/mobile/lib/infrastructure/entities/local_asset.entity.dart
@@ -5,7 +5,6 @@ import 'package:immich_mobile/infrastructure/utils/asset.mixin.dart';
 import 'package:immich_mobile/infrastructure/utils/drift_default.mixin.dart';

@TableIndex.sql('CREATE INDEX IF NOT EXISTS idx_local_asset_checksum ON local_asset_entity (checksum)')
-@TableIndex.sql('CREATE INDEX IF NOT EXISTS idx_local_asset_cloud_id ON local_asset_entity (i_cloud_id)')
 class LocalAssetEntity extends Table with DriftDefaultsMixin, AssetEntityMixin {
  const LocalAssetEntity();

@@ -17,8 +16,6 @@ class LocalAssetEntity extends Table with DriftDefaultsMixin, AssetEntityMixin {

  IntColumn get orientation => integer().withDefault(const Constant(0))();

-  TextColumn get iCloudId => text().nullable()();
-
  DateTimeColumn get adjustmentTime => dateTime().nullable()();

  RealColumn get latitude => real().nullable()();
@@ -46,7 +43,5 @@ extension LocalAssetEntityDataDomainExtension on LocalAssetEntityData {
    adjustmentTime: adjustmentTime,
    latitude: latitude,
    longitude: longitude,
-    cloudId: iCloudId,
-    isEdited: false,
  );
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Alex	2ab379592f	fix(mobile): use fastlane setup_ci for keychain management (official approach)	2026-01-06 09:01:24 -06:00
Alex	478d9f1a15	fix(mobile): use production profiles for PR builds (dev profiles not yet in match repo)	2026-01-05 23:22:37 -06:00
Alex	fe8cc89e44	fix(mobile): fix keychain setup - add all WWDR certs and set partition after match import	2026-01-05 22:56:55 -06:00
Alex	b24f1b31fb	fix(mobile): improve keychain setup for match certificate import	2026-01-05 22:36:39 -06:00
Alex	fc6f55b46f	feat(mobile): switch iOS code signing to fastlane match - Replace manual certificate and provisioning profile handling with fastlane match - Match automatically syncs certificates and profiles from a private git repository - Simplifies CI/CD workflow by removing 8 secrets (replaced with 2: MATCH_PASSWORD and MATCH_GIT_BASIC_AUTHORIZATION) - Add new lanes: sync_certificates and regenerate_certificates for easier maintenance - When certificates expire, just run 'fastlane regenerate_certificates' locally Benefits: - Single source of truth for code signing - Automatic certificate/profile management - Easier onboarding for new team members - Simpler secret rotation when certificates expire Required new GitHub secrets: - MATCH_PASSWORD: Encryption password for the match repository - MATCH_GIT_BASIC_AUTHORIZATION: base64(username:token) for repo access Removed secrets (no longer needed): - IOS_CERTIFICATE_P12 - IOS_CERTIFICATE_PASSWORD - IOS_PROVISIONING_PROFILE - IOS_PROVISIONING_PROFILE_SHARE_EXTENSION - IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION - IOS_DEVELOPMENT_PROVISIONING_PROFILE - IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION - IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION	2026-01-05 22:27:03 -06:00
@@ -1 +1 @@
 .13.0
 .12.0