re-enable cache

Co-authored-by: bwees <brandonwees@gmail.com>

.github/.nvmrc

@@ -1 +1 @@
-24.11.1
+24.13.0

.github/workflows/build-mobile.yml

@@ -30,18 +30,6 @@ on:
         required: true
       IOS_CERTIFICATE_PASSWORD:
         required: true
-      IOS_PROVISIONING_PROFILE:
-        required: true
-      IOS_PROVISIONING_PROFILE_SHARE_EXTENSION:
-        required: true
-      IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION:
-        required: true
-      IOS_DEVELOPMENT_PROVISIONING_PROFILE:
-        required: true
-      IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION:
-        required: true
-      IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION:
-        required: true
       FASTLANE_TEAM_ID:
         required: true
   pull_request:
@@ -96,7 +84,7 @@ jobs:
           app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ inputs.ref || github.sha }}
           persist-credentials: false
@@ -115,7 +103,7 @@ jobs:
 
       - name: Restore Gradle Cache
         id: cache-gradle-restore
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: |
             ~/.gradle/caches
@@ -165,14 +153,14 @@ jobs:
           fi
 
       - name: Publish Android Artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: release-apk-signed
           path: mobile/build/app/outputs/flutter-apk/*.apk
 
       - name: Save Gradle Cache
         id: cache-gradle-save
-        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         if: github.ref == 'refs/heads/main'
         with:
           path: |
@@ -194,7 +182,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           ref: ${{ inputs.ref || github.sha }}
           persist-credentials: false
@@ -240,35 +228,14 @@ jobs:
           mkdir -p ~/.appstoreconnect/private_keys
           echo "$API_KEY_CONTENT" | base64 --decode > ~/.appstoreconnect/private_keys/AuthKey_${API_KEY_ID}.p8
 
-      - name: Import Certificate and Provisioning Profiles
+      - name: Import Certificate
         env:
           IOS_CERTIFICATE_P12: ${{ secrets.IOS_CERTIFICATE_P12 }}
-          IOS_CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
-          IOS_PROVISIONING_PROFILE: ${{ secrets.IOS_PROVISIONING_PROFILE }}
-          IOS_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_SHARE_EXTENSION }}
-          IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
-          IOS_DEVELOPMENT_PROVISIONING_PROFILE: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE }}
-          IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION }}
-          IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
-          ENVIRONMENT: ${{ inputs.environment || 'development' }}
         working-directory: ./mobile/ios
         run: |
           # Decode certificate
           echo "$IOS_CERTIFICATE_P12" | base64 --decode > certificate.p12
 
-          # Decode provisioning profiles based on environment
-          if [[ "$ENVIRONMENT" == "development" ]]; then
-            echo "$IOS_DEVELOPMENT_PROVISIONING_PROFILE" | base64 --decode > profile_dev.mobileprovision
-            echo "$IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION" | base64 --decode > profile_dev_share.mobileprovision
-            echo "$IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION" | base64 --decode > profile_dev_widget.mobileprovision
-            ls -lh profile_dev*.mobileprovision
-          else
-            echo "$IOS_PROVISIONING_PROFILE" | base64 --decode > profile.mobileprovision
-            echo "$IOS_PROVISIONING_PROFILE_SHARE_EXTENSION" | base64 --decode > profile_share.mobileprovision
-            echo "$IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION" | base64 --decode > profile_widget.mobileprovision
-            ls -lh profile*.mobileprovision
-          fi
-
       - name: Create keychain and import certificate
         env:
           KEYCHAIN_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
@@ -319,7 +286,7 @@ jobs:
           security delete-keychain build.keychain || true
 
       - name: Upload IPA artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ios-release-ipa
           path: mobile/ios/Runner.ipa

.github/workflows/cache-cleanup.yml

@@ -25,7 +25,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Check out code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}

.github/workflows/cli.yml

@@ -35,7 +35,7 @@ jobs:
           app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -78,7 +78,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}

.github/workflows/codeql-analysis.yml

@@ -50,7 +50,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}

.github/workflows/docs-build.yml

@@ -60,10 +60,11 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
+          fetch-depth: 0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
@@ -85,7 +86,7 @@ jobs:
         run: pnpm build
 
       - name: Upload build output
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: docs-build-output
           path: docs/build/

.github/workflows/docs-deploy.yml

@@ -125,13 +125,13 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
 
       - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cd24790a7f5f6439ac32cc94f5523cb2de8bfa8c # use-mise-action-v1.1.0
+        uses: immich-app/devtools/actions/use-mise@b868e6e7c8cc212beec876330b4059e661ee44bb # use-mise-action-v1.1.1
 
       - name: Load parameters
         id: parameters

.github/workflows/docs-destroy.yml

@@ -23,13 +23,13 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
 
       - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cd24790a7f5f6439ac32cc94f5523cb2de8bfa8c # use-mise-action-v1.1.0
+        uses: immich-app/devtools/actions/use-mise@b868e6e7c8cc212beec876330b4059e661ee44bb # use-mise-action-v1.1.1
 
       - name: Destroy Docs Subdomain
         env:

.github/workflows/fix-format.yml

@@ -22,7 +22,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: 'Checkout'
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/prepare-release.yml

@@ -56,7 +56,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           persist-credentials: true
@@ -136,13 +136,13 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           persist-credentials: false
 
       - name: Download APK
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: release-apk-signed
           github-token: ${{ steps.generate-token.outputs.token }}

.github/workflows/release-pr.yml

@@ -23,7 +23,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           persist-credentials: true
@@ -159,7 +159,7 @@ jobs:
 
       - name: Create PR
         id: create-pr
-        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           token: ${{ steps.generate-token.outputs.token }}
           commit-message: 'chore: release ${{ steps.bump-type.outputs.next }}'

.github/workflows/release.yml

@@ -58,7 +58,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           persist-credentials: false
@@ -74,7 +74,7 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 
       - name: Download APK
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: release-apk-signed
           github-token: ${{ steps.generate-token.outputs.token }}

.github/workflows/sdk.yml

@@ -22,7 +22,7 @@ jobs:
           app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}

.github/workflows/static_analysis.yml

@@ -55,7 +55,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}

.github/workflows/test.yml

@@ -69,7 +69,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -114,7 +114,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -161,7 +161,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -203,7 +203,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -247,7 +247,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -285,7 +285,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -298,9 +298,9 @@ jobs:
           cache: 'pnpm'
           cache-dependency-path: '**/pnpm-lock.yaml'
       - name: Install dependencies
-        run: pnpm --filter=immich-web install --frozen-lockfile
+        run: pnpm --filter=immich-i18n install --frozen-lockfile
       - name: Format
-        run: pnpm --filter=immich-web format:i18n
+        run: pnpm --filter=immich-i18n format:fix
       - name: Find file changes
         uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
         id: verify-changed-files
@@ -333,7 +333,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -379,7 +379,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           submodules: 'recursive'
@@ -418,7 +418,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           submodules: 'recursive'
@@ -473,7 +473,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           submodules: 'recursive'
@@ -505,7 +505,7 @@ jobs:
         run: npx playwright test
         if: ${{ !cancelled() }}
       - name: Archive test results
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: success() || failure()
         with:
           name: e2e-web-test-results-${{ matrix.runner }}
@@ -534,7 +534,7 @@ jobs:
           app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -566,17 +566,14 @@ jobs:
           app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
       - name: Install uv
         uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
-      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        # TODO: add caching when supported (https://github.com/actions/setup-python/pull/818)
         with:
           python-version: 3.11
-          #cache: 'uv'
       - name: Install dependencies
         run: |
           uv sync --extra cpu
@@ -610,7 +607,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -639,7 +636,7 @@ jobs:
           app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -661,7 +658,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
@@ -723,7 +720,7 @@ jobs:
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}

CONTRIBUTING.md

@@ -0,0 +1,31 @@
+# Contributing to Immich
+
+We appreciate every contribution, and we're happy about every new contributor. So please feel invited to help make Immich a better product!
+
+## Getting started
+
+To get you started quickly we have detailed guides for the dev setup on our [website](https://docs.immich.app/developer/setup). If you prefer, you can also use [Devcontainers](https://docs.immich.app/developer/devcontainers).
+There are also additional resources about Immich's architecture, database migrations, the use of OpenAPI, and more in our [developer documentation](https://docs.immich.app/developer/architecture).
+
+## General
+
+Please try to keep pull requests as focused as possible. A PR should do exactly one thing and not bleed into other, unrelated areas. The smaller a PR, the fewer changes are likely needed, and the quicker it will likely be merged. For larger/more impactful PRs, please reach out to us first to discuss your plans. The best way to do this is through our [Discord](https://discord.immich.app). We have a dedicated `#contributing` channel there. Additionally, please fill out the entire template when opening a PR.
+
+## Finding work
+
+If you are looking for something to work on, there are discussions and issues with a `good-first-issue` label on them. These are always a good starting point. If none of them sound interesting or fit your skill set, feel free to reach out on our Discord. We're happy to help you find something to work on!
+
+## Use of generative AI
+
+We generally discourage PRs entirely generated by an LLM. For any part generated by an LLM, please put extra effort into your self-review. By using generative AI without proper self-review, the time you save ends up being more work we need to put in for proper reviews and code cleanup. Please keep that in mind when submitting code by an LLM. Clearly state the use of LLMs/(generative) AI in your pull request as requested by the template.
+
+## Feature freezes
+
+From time to time, we put a feature freeze on parts of the codebase. For us, this means we won't accept most PRs that make changes in that area. Exempted from this are simple bug fixes that require only minor changes. We will close feature PRs that target a feature-frozen area, even if that feature is highly requested and you put a lot of work into it. Please keep that in mind, and if you're ever uncertain if a PR would be accepted, reach out to us first (e.g., in the aforementioned `#contributing` channel). We hate to throw away work. Currently, we have feature freezes on:
+
+* Sharing/Asset ownership
+* (External) libraries
+
+## Non-code contributions
+
+If you want to contribute to Immich but you don't feel comfortable programming in our tech stack, there are other ways you can help the team. All our translations are done through [Weblate](https://hosted.weblate.org/projects/immich). These rely entirely on the community; if you speak a language that isn't fully translated yet, submitting translations there is greatly appreciated! If you like helping others, answering Q&A discussions here on GitHub and replying to people on our Discord is also always appreciated.

cli/.nvmrc

@@ -1 +1 @@
-24.11.1
+24.13.0

cli/package.json

@@ -20,7 +20,7 @@
     "@types/lodash-es": "^4.17.12",
     "@types/micromatch": "^4.0.9",
     "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.10.3",
+    "@types/node": "^24.10.4",
     "@vitest/coverage-v8": "^3.0.0",
     "byte-size": "^9.0.0",
     "cli-progress": "^3.12.0",
@@ -36,7 +36,7 @@
     "typescript": "^5.3.3",
     "typescript-eslint": "^8.28.0",
     "vite": "^7.0.0",
-    "vite-tsconfig-paths": "^5.0.0",
+    "vite-tsconfig-paths": "^6.0.0",
     "vitest": "^3.0.0",
     "vitest-fetch-mock": "^0.4.0",
     "yaml": "^2.3.1"
@@ -69,6 +69,6 @@
     "micromatch": "^4.0.8"
   },
   "volta": {
-    "node": "24.11.1"
+    "node": "24.13.0"
   }
 }

docker/docker-compose.dev.yml

@@ -127,7 +127,7 @@ services:
 
   redis:
     container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
     healthcheck:
       test: redis-cli ping || exit 1
 
@@ -146,6 +146,8 @@ services:
     ports:
       - 5432:5432
     shm_size: 128mb
+    healthcheck:
+      disable: false
   # set IMMICH_TELEMETRY_INCLUDE=all in .env to enable metrics
   # immich-prometheus:
   #   container_name: immich_prometheus

docker/docker-compose.prod.yml

@@ -56,7 +56,7 @@ services:
 
   redis:
     container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
     healthcheck:
       test: redis-cli ping || exit 1
     restart: always
@@ -77,13 +77,15 @@ services:
       - 5432:5432
     shm_size: 128mb
     restart: always
+    healthcheck:
+      disable: false
 
   # set IMMICH_TELEMETRY_INCLUDE=all in .env to enable metrics
   immich-prometheus:
     container_name: immich_prometheus
     ports:
       - 9090:9090
-    image: prom/prometheus@sha256:d936808bdea528155c0154a922cd42fd75716b8bb7ba302641350f9f3eaeba09
+    image: prom/prometheus@sha256:1f0f50f06acaceb0f5670d2c8a658a599affe7b0d8e78b898c1035653849a702
     volumes:
       - ./prometheus.yml:/etc/prometheus/prometheus.yml
       - prometheus-data:/prometheus
@@ -95,7 +97,7 @@ services:
     command: ['./run.sh', '-disable-reporting']
     ports:
       - 3000:3000
-    image: grafana/grafana:12.3.0-ubuntu@sha256:cee936306135e1925ab21dffa16f8a411535d16ab086bef2309339a8e74d62df
+    image: grafana/grafana:12.3.1-ubuntu@sha256:d57f1365197aec34c4d80869d8ca45bb7787c7663904950dab214dfb40c1c2fd
     volumes:
       - grafana-data:/var/lib/grafana
 

docker/docker-compose.yml

@@ -49,7 +49,7 @@ services:
 
   redis:
     container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
     healthcheck:
       test: redis-cli ping || exit 1
     restart: always
@@ -69,6 +69,8 @@ services:
       - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
     shm_size: 128mb
     restart: always
+    healthcheck:
+      disable: false
 
 volumes:
   model-cache:

docs/.nvmrc

@@ -1 +1 @@
-24.11.1
+24.13.0

docs/docs/developer/setup.md

@@ -4,6 +4,10 @@ sidebar_position: 2
 
 # Setup
 
+:::warning
+Make sure to read the [`CONTRIBUTING.md`](https://github.com/immich-app/immich/blob/main/CONTRIBUTING.md) before you dive into the code.
+:::
+
 :::note
 If there's a feature you're planning to work on, just give us a heads up in [#contributing](https://discord.com/channels/979116623879368755/1071165397228855327) on [our Discord](https://discord.immich.app) so we can:
 

docs/docs/features/hardware-transcoding.md

@@ -71,6 +71,22 @@ For RKMPP to work:
 
 5. (Optional) Enable hardware decoding for optimal performance.
 
+<details>
+<summary>immich.json</summary>
+
+If you use a [configuration file](/install/config-file.md), use the `accel` option to select the hardware (e.g. `qsv` for Intel or `nvenc` for Nvidia). Set `accelDecode` to `true` if you want hardware decoding.
+
+```json
+{
+  "ffmpeg": {
+    "accel": "qsv",
+    "accelDecode": true
+  }
+}
+```
+
+</details>
+
 #### Single Compose File
 
 Some platforms, including Unraid and Portainer, do not support multiple Compose files as of writing. As an alternative, you can "inline" the relevant contents of the [`hwaccel.transcoding.yml`][hw-file] file into the `immich-server` service directly.

docs/docs/features/mobile-app.mdx

@@ -95,11 +95,3 @@ Enter the cloud on the top right -> cog wheel on the top right -> select the syn
 If you delete/move photos in the local album on your device, it will not be reflected in the album on the server **even if** you click Sync albums
 It will only reflect files you add.
 :::
-
-If the same asset is in more than one album it will only sync to the first album it's in, after that it won't sync again even if the user clicks sync albums manually.
-To overcome this limitation, the files must be removed from the ignore list by
-App settings -> Advanced -> Duplicate Assets -> Clear
-
-:::info
-Cleaning duplicate assets from the list will cause all the previously uploaded duplicate files to be re-uploaded, the files will not actually be uploaded and will be rejected on the server side (due to duplication) but will be synchronized to the album and at the end will be added to the ignore list again at the end of the synchronization.
-:::

docs/docs/features/monitoring.md

@@ -112,4 +112,40 @@ You can then make a new panel, specifying Prometheus as the data source for it.
 
 -- TODO: add images and more details here
 
+## Structured Logging
+
+In addition to Prometheus metrics, Immich supports structured JSON logging which is ideal for log aggregation systems like Grafana Loki, ELK Stack, Datadog, Splunk, and others.
+
+### Configuration
+
+By default, Immich outputs human-readable console logs. To enable JSON logging, set the `IMMICH_LOG_FORMAT` environment variable:
+
+```bash
+IMMICH_LOG_FORMAT=json
+```
+
+:::tip
+The default is `IMMICH_LOG_FORMAT=console` for human-readable logs with colors during development. For production deployments using log aggregation, use `IMMICH_LOG_FORMAT=json`.
+:::
+
+### JSON Log Format
+
+When enabled, logs are output in structured JSON format:
+
+```json
+{"level":"log","pid":36,"timestamp":1766533331507,"message":"Initialized websocket server","context":"WebsocketRepository"}
+{"level":"warn","pid":48,"timestamp":1766533331629,"message":"Unable to open /build/www/index.html, skipping SSR.","context":"ApiService"}
+{"level":"error","pid":36,"timestamp":1766533331690,"message":"Failed to load plugin immich-core:","context":"Error"}
+```
+
+This format includes:
+
+- `level`: Log level (log, warn, error, etc.)
+- `pid`: Process ID
+- `timestamp`: Unix timestamp in milliseconds
+- `message`: Log message
+- `context`: Service or component that generated the log
+
+For more information on log formats, see [`IMMICH_LOG_FORMAT`](/install/environment-variables.md#general).
+
 [prom-file]: https://github.com/immich-app/immich/releases/latest/download/prometheus.yml

docs/docs/features/sharing.md

@@ -33,7 +33,7 @@ You can create a public link to share a group of photos or videos, or an album,
 The public shared link is generated with a random URL, which acts as as a secret to avoid the link being guessed by unwanted parties, for instance.
 
 ```
-https://immich.yourdomain.com/share/JUckRMxlgpo7F9BpyqGk_cZEwDzaU_U5LU5_oNZp1ETIBa9dpQ0b5ghNm_22QVJfn3k
+https://my.immich.app/share/JUckRMxlgpo7F9BpyqGk_cZEwDzaU_U5LU5_oNZp1ETIBa9dpQ0b5ghNm_22QVJfn3k
 ```
 
 ### Creating a public share link

docs/docs/install/environment-variables.md

@@ -34,6 +34,7 @@ These environment variables are used by the `docker-compose.yml` file and do **N
 | `TZ`                                | Timezone                                                                                  |        <sup>\*1</sup>        | server                   | microservices      |
 | `IMMICH_ENV`                        | Environment (production, development)                                                     |         `production`         | server, machine learning | api, microservices |
 | `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                              |            `log`             | server, machine learning | api, microservices |
+| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                     |          `console`           | server                   | api, microservices |
 | `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️ |           `/data`            | server                   | api, microservices |
 | `IMMICH_CONFIG_FILE`                | Path to config file                                                                       |                              | server                   | api, microservices |
 | `NO_COLOR`                          | Set to `true` to disable color-coded log output                                           |           `false`            | server, machine learning |                    |

docs/docusaurus.config.js

@@ -26,6 +26,12 @@ const config = {
     locales: ['en'],
   },
 
+  // Mermaid diagrams
+  markdown: {
+    mermaid: true,
+  },
+  themes: ['@docusaurus/theme-mermaid'],
+
   plugins: [
     async function myPlugin(context, options) {
       return {

docs/package.json

@@ -20,6 +20,7 @@
     "@docusaurus/core": "~3.9.0",
     "@docusaurus/preset-classic": "~3.9.0",
     "@docusaurus/theme-common": "~3.9.0",
+    "@docusaurus/theme-mermaid": "~3.9.0",
     "@mdi/js": "^7.3.67",
     "@mdi/react": "^1.6.1",
     "@mdx-js/react": "^3.0.0",
@@ -57,6 +58,6 @@
     "node": ">=20"
   },
   "volta": {
-    "node": "24.11.1"
+    "node": "24.13.0"
   }
 }

docs/src/css/custom.css

@@ -8,19 +8,19 @@
 @tailwind utilities;
 
 @font-face {
-  font-family: 'Overpass';
-  src: url('/fonts/overpass/Overpass.ttf') format('truetype-variations');
-  font-weight: 1 999;
+  font-family: 'GoogleSans';
+  src: url('/fonts/GoogleSans/GoogleSans.ttf') format('truetype-variations');
+  font-weight: 410 900;
   font-style: normal;
   ascent-override: 106.25%;
   size-adjust: 106.25%;
 }
 
 @font-face {
-  font-family: 'Overpass Mono';
-  src: url('/fonts/overpass/OverpassMono.ttf') format('truetype-variations');
-  font-weight: 1 999;
-  font-style: normal;
+  font-family: 'GoogleSansCode';
+  src: url('/fonts/GoogleSansCode/GoogleSansCode.ttf') format('truetype-variations');
+  font-weight: 1 900;
+  font-style: monospace;
   ascent-override: 106.25%;
   size-adjust: 106.25%;
 }
@@ -37,7 +37,8 @@ img {
 
 /* You can override the default Infima variables here. */
 :root {
-  font-family: 'Overpass', sans-serif;
+  font-family: 'GoogleSans', sans-serif;
+  letter-spacing: 0.1px;
   --ifm-color-primary: #4250af;
   --ifm-color-primary-dark: #4250af;
   --ifm-color-primary-darker: #4250af;
@@ -48,6 +49,16 @@ img {
   --docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.1);
 }
 
+h1,
+h2,
+h3,
+h4,
+h5,
+h6 {
+  font-family: 'GoogleSans', sans-serif;
+  letter-spacing: 0.1px;
+}
+
 /* For readability concerns, you should choose a lighter palette in dark mode. */
 [data-theme='dark'] {
   --ifm-color-primary: #adcbfa;
@@ -71,15 +82,22 @@ div[class^='announcementBar_'] {
   padding: 10px 10px 10px 16px;
   border-radius: 24px;
   margin-right: 16px;
+  font-weight: 500;
 }
 
 .menu__list-item-collapsible {
   margin-right: 16px;
   border-radius: 24px;
+  font-weight: 500;
 }
 
 .menu__link--active {
-  font-weight: 500;
+  font-weight: 600;
+}
+
+.table-of-contents__link {
+  font-size: 14px;
+  font-weight: 450;
 }
 
 /* workaround for version switcher PR 15894 */
@@ -88,13 +106,14 @@ div[class*='navbar__items'] > li:has(a[class*='version-switcher-34ab39']) {
 }
 
 code {
-  font-weight: 600;
+  font-weight: 500;
+  font-family: 'GoogleSansCode';
 }
 
 .buy-button {
   padding: 8px 14px;
   border: 1px solid transparent;
-  font-family: 'Overpass', sans-serif;
+  font-family: 'GoogleSans', sans-serif;
   font-weight: 500;
   cursor: pointer;
   box-shadow: 0 0 5px 2px rgba(181, 206, 254, 0.4);

e2e-auth-server/Dockerfile

@@ -0,0 +1,6 @@
+FROM node:24.1.0-alpine3.20@sha256:8fe019e0d57dbdce5f5c27c0b63d2775cf34b00e3755a7dea969802d7e0c2b25
+RUN corepack enable
+ADD package.json *.ts ./
+RUN pnpm install
+EXPOSE 2286
+CMD ["pnpm", "run", "start"]

e2e-auth-server/auth-server.ts

@@ -125,7 +125,7 @@ const setup = async () => {
     ],
   });
 
-  const onStart = () => console.log(`[auth-server] http://${host}:${port}/.well-known/openid-configuration`);
+  const onStart = () => console.log(`[e2e-auth-server] http://${host}:${port}/.well-known/openid-configuration`);
   const app = oidc.listen(port, host, onStart);
   return () => app.close();
 };

e2e-auth-server/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "@immich/e2e-auth-server",
+  "version": "0.1.0",
+  "type": "module",
+  "main": "auth-server.ts",
+  "scripts": {
+    "start": "tsx startup.ts"
+  },
+  "devDependencies": {
+    "jose": "^5.6.3",
+    "@types/oidc-provider": "^9.0.0",
+    "oidc-provider": "^9.0.0",
+    "tsx": "^4.20.6"
+  }
+}

e2e-auth-server/startup.ts

@@ -0,0 +1,8 @@
+import setup from './auth-server'
+
+const teardown = await setup()
+process.on('exit', () => {
+  teardown()
+  console.log('[e2e-auth-server] stopped')
+  process.exit(0)
+})

e2e/.nvmrc

@@ -1 +1 @@
-24.11.1
+24.13.0

e2e/docker-compose.yml

@@ -1,6 +1,12 @@
 name: immich-e2e
 
 services:
+  e2e-auth-server:
+    build:
+      context: ../e2e-auth-server
+    ports:
+      - 2286:2286
+
   immich-server:
     container_name: immich-e2e-server
     image: immich-server:latest
@@ -27,8 +33,6 @@ services:
       - IMMICH_IGNORE_MOUNT_CHECK_ERRORS=true
     volumes:
       - ./test-assets:/test-assets
-    extra_hosts:
-      - 'auth-server:host-gateway'
     depends_on:
       redis:
         condition: service_started

e2e/package.json

@@ -22,12 +22,12 @@
     "@eslint/js": "^9.8.0",
     "@faker-js/faker": "^10.1.0",
     "@immich/cli": "file:../cli",
+    "@immich/e2e-auth-server": "file:../e2e-auth-server",
     "@immich/sdk": "file:../open-api/typescript-sdk",
     "@playwright/test": "^1.44.1",
     "@socket.io/component-emitter": "^3.1.2",
     "@types/luxon": "^3.4.2",
-    "@types/node": "^24.10.3",
-    "@types/oidc-provider": "^9.0.0",
+    "@types/node": "^24.10.4",
     "@types/pg": "^8.15.1",
     "@types/pngjs": "^6.0.4",
     "@types/supertest": "^6.0.2",
@@ -38,9 +38,7 @@
     "eslint-plugin-unicorn": "^62.0.0",
     "exiftool-vendored": "^34.3.0",
     "globals": "^16.0.0",
-    "jose": "^5.6.3",
     "luxon": "^3.4.4",
-    "oidc-provider": "^9.0.0",
     "pg": "^8.11.3",
     "pngjs": "^7.0.0",
     "prettier": "^3.7.4",
@@ -54,6 +52,6 @@
     "vitest": "^3.0.0"
   },
   "volta": {
-    "node": "24.11.1"
+    "node": "24.13.0"
   }
 }

e2e/src/api/specs/oauth.e2e-spec.ts

@@ -1,3 +1,4 @@
+import { OAuthClient, OAuthUser } from '@immich/e2e-auth-server';
 import {
   LoginResponseDto,
   SystemConfigOAuthDto,
@@ -8,13 +9,12 @@ import {
 } from '@immich/sdk';
 import { createHash, randomBytes } from 'node:crypto';
 import { errorDto } from 'src/responses';
-import { OAuthClient, OAuthUser } from 'src/setup/auth-server';
 import { app, asBearerAuth, baseUrl, utils } from 'src/utils';
 import request from 'supertest';
 import { beforeAll, describe, expect, it } from 'vitest';
 
 const authServer = {
-  internal: 'http://auth-server:2286',
+  internal: 'http://e2e-auth-server:2286',
   external: 'http://127.0.0.1:2286',
 };
 

e2e/src/api/specs/shared-link.e2e-spec.ts

@@ -20,7 +20,6 @@ describe('/shared-links', () => {
   let user1: LoginResponseDto;
   let user2: LoginResponseDto;
   let album: AlbumResponseDto;
-  let metadataAlbum: AlbumResponseDto;
   let deletedAlbum: AlbumResponseDto;
   let linkWithDeletedAlbum: SharedLinkResponseDto;
   let linkWithPassword: SharedLinkResponseDto;
@@ -41,18 +40,9 @@ describe('/shared-links', () => {
 
     [asset1, asset2] = await Promise.all([utils.createAsset(user1.accessToken), utils.createAsset(user1.accessToken)]);
 
-    [album, deletedAlbum, metadataAlbum] = await Promise.all([
+    [album, deletedAlbum] = await Promise.all([
       createAlbum({ createAlbumDto: { albumName: 'album' } }, { headers: asBearerAuth(user1.accessToken) }),
       createAlbum({ createAlbumDto: { albumName: 'deleted album' } }, { headers: asBearerAuth(user2.accessToken) }),
-      createAlbum(
-        {
-          createAlbumDto: {
-            albumName: 'metadata album',
-            assetIds: [asset1.id],
-          },
-        },
-        { headers: asBearerAuth(user1.accessToken) },
-      ),
     ]);
 
     [linkWithDeletedAlbum, linkWithAlbum, linkWithAssets, linkWithPassword, linkWithMetadata, linkWithoutMetadata] =
@@ -75,14 +65,14 @@ describe('/shared-links', () => {
           password: 'foo',
         }),
         utils.createSharedLink(user1.accessToken, {
-          type: SharedLinkType.Album,
-          albumId: metadataAlbum.id,
+          type: SharedLinkType.Individual,
+          assetIds: [asset1.id],
           showMetadata: true,
-          slug: 'metadata-album',
+          slug: 'metadata-slug',
         }),
         utils.createSharedLink(user1.accessToken, {
-          type: SharedLinkType.Album,
-          albumId: metadataAlbum.id,
+          type: SharedLinkType.Individual,
+          assetIds: [asset1.id],
           showMetadata: false,
         }),
       ]);
@@ -95,9 +85,7 @@ describe('/shared-links', () => {
       const resp = await request(shareUrl).get(`/${linkWithMetadata.key}`);
       expect(resp.status).toBe(200);
       expect(resp.header['content-type']).toContain('text/html');
-      expect(resp.text).toContain(
-        `<meta name="description" content="${metadataAlbum.assets.length} shared photos &amp; videos" />`,
-      );
+      expect(resp.text).toContain(`<meta name="description" content="1 shared photos &amp; videos" />`);
     });
 
     it('should have correct asset count in meta tag for empty album', async () => {
@@ -144,9 +132,7 @@ describe('/shared-links', () => {
       const resp = await request(baseUrl).get(`/s/${linkWithMetadata.slug}`);
       expect(resp.status).toBe(200);
       expect(resp.header['content-type']).toContain('text/html');
-      expect(resp.text).toContain(
-        `<meta name="description" content="${metadataAlbum.assets.length} shared photos &amp; videos" />`,
-      );
+      expect(resp.text).toContain(`<meta name="description" content="1 shared photos &amp; videos" />`);
     });
   });
 
@@ -271,12 +257,12 @@ describe('/shared-links', () => {
       );
     });
 
-    it('should return metadata for album shared link', async () => {
+    it('should return metadata for individual shared link', async () => {
       const { status, body } = await request(app).get('/shared-links/me').query({ key: linkWithMetadata.key });
 
       expect(status).toBe(200);
-      expect(body.assets).toHaveLength(0);
-      expect(body.album).toBeDefined();
+      expect(body.assets).toHaveLength(1);
+      expect(body.album).not.toBeDefined();
     });
 
     it('should not return metadata for album shared link without metadata', async () => {
@@ -284,7 +270,7 @@ describe('/shared-links', () => {
 
       expect(status).toBe(200);
       expect(body.assets).toHaveLength(1);
-      expect(body.album).toBeDefined();
+      expect(body.album).not.toBeDefined();
 
       const asset = body.assets[0];
       expect(asset).not.toHaveProperty('exifInfo');

e2e/src/generators.ts

@@ -26,6 +26,5 @@ export const makeRandomImage = () => {
   if (!value) {
     throw new Error('Ran out of random asset data');
   }
-
   return value;
 };

e2e/src/generators/timeline/rest-response.ts

@@ -346,6 +346,8 @@ export function toAssetResponseDto(asset: MockTimelineAsset, owner?: UserRespons
     duplicateId: null,
     resized: true,
     checksum: asset.checksum,
+    width: exifInfo.exifImageWidth ?? 1,
+    height: exifInfo.exifImageHeight ?? 1,
   };
 }
 

e2e/src/mock-network/timeline-network.ts

@@ -1,3 +1,4 @@
+import { AssetResponseDto } from '@immich/sdk';
 import { BrowserContext, Page, Request, Route } from '@playwright/test';
 import { basename } from 'node:path';
 import {
@@ -63,15 +64,33 @@ export const setupTimelineMockApiRoutes = async (
   });
 
   await context.route('**/api/assets/*', async (route, request) => {
-    const url = new URL(request.url());
-    const pathname = url.pathname;
-    const assetId = basename(pathname);
-    const asset = getAsset(timelineRestData, assetId);
-    return route.fulfill({
-      status: 200,
-      contentType: 'application/json',
-      json: asset,
-    });
+    if (request.method() === 'GET') {
+      const url = new URL(request.url());
+      const pathname = url.pathname;
+      const assetId = basename(pathname);
+      let asset = getAsset(timelineRestData, assetId);
+      if (changes.assetDeletions.includes(asset!.id)) {
+        asset = {
+          ...asset,
+          isTrashed: true,
+        } as AssetResponseDto;
+      }
+      return route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        json: asset,
+      });
+    }
+    await route.fallback();
+  });
+
+  await context.route('**/api/assets', async (route, request) => {
+    if (request.method() === 'DELETE') {
+      return route.fulfill({
+        status: 204,
+      });
+    }
+    await route.fallback();
   });
 
   await context.route('**/api/assets/*/ocr', async (route) => {
@@ -117,17 +136,28 @@ export const setupTimelineMockApiRoutes = async (
   });
 
   await context.route('**/api/albums/**', async (route, request) => {
-    const pattern = /\/api\/albums\/(?<albumId>[^/?]+)/;
-    const match = request.url().match(pattern);
-    if (!match) {
-      return route.continue();
+    const albumsMatch = request.url().match(/\/api\/albums\/(?<albumId>[^/?]+)/);
+    if (albumsMatch) {
+      const album = getAlbum(timelineRestData, testContext.adminId, albumsMatch.groups?.albumId, changes);
+      return route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        json: album,
+      });
     }
-    const album = getAlbum(timelineRestData, testContext.adminId, match.groups?.albumId, changes);
-    return route.fulfill({
-      status: 200,
-      contentType: 'application/json',
-      json: album,
-    });
+    return route.fallback();
+  });
+
+  await context.route('**/api/albums**', async (route, request) => {
+    const allAlbums = request.url().match(/\/api\/albums\?assetId=(?<assetId>[^&]+)/);
+    if (allAlbums) {
+      return route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        json: [],
+      });
+    }
+    return route.fallback();
   });
 };
 

e2e/src/web/specs/asset-viewer/asset-viewer.parallel-e2e-spec.ts

@@ -0,0 +1,270 @@
+import { faker } from '@faker-js/faker';
+import { expect, test } from '@playwright/test';
+import {
+  Changes,
+  createDefaultTimelineConfig,
+  generateTimelineData,
+  SeededRandom,
+  selectRandom,
+  TimelineAssetConfig,
+  TimelineData,
+} from 'src/generators/timeline';
+import { setupBaseMockApiRoutes } from 'src/mock-network/base-network';
+import { setupTimelineMockApiRoutes, TimelineTestContext } from 'src/mock-network/timeline-network';
+import { utils } from 'src/utils';
+import { assetViewerUtils, cancelAllPollers } from 'src/web/specs/timeline/utils';
+
+test.describe.configure({ mode: 'parallel' });
+test.describe('asset-viewer', () => {
+  const rng = new SeededRandom(529);
+  let adminUserId: string;
+  let timelineRestData: TimelineData;
+  const assets: TimelineAssetConfig[] = [];
+  const yearMonths: string[] = [];
+  const testContext = new TimelineTestContext();
+  const changes: Changes = {
+    albumAdditions: [],
+    assetDeletions: [],
+    assetArchivals: [],
+    assetFavorites: [],
+  };
+
+  test.beforeAll(async () => {
+    utils.initSdk();
+    adminUserId = faker.string.uuid();
+    testContext.adminId = adminUserId;
+    timelineRestData = generateTimelineData({ ...createDefaultTimelineConfig(), ownerId: adminUserId });
+    for (const timeBucket of timelineRestData.buckets.values()) {
+      assets.push(...timeBucket);
+    }
+    for (const yearMonth of timelineRestData.buckets.keys()) {
+      const [year, month] = yearMonth.split('-');
+      yearMonths.push(`${year}-${Number(month)}`);
+    }
+  });
+
+  test.beforeEach(async ({ context }) => {
+    await setupBaseMockApiRoutes(context, adminUserId);
+    await setupTimelineMockApiRoutes(context, timelineRestData, changes, testContext);
+  });
+
+  test.afterEach(() => {
+    cancelAllPollers();
+    testContext.slowBucket = false;
+    changes.albumAdditions = [];
+    changes.assetDeletions = [];
+    changes.assetArchivals = [];
+    changes.assetFavorites = [];
+  });
+
+  test.describe('/photos/:id', () => {
+    test('Navigate to next asset via button', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+
+      await page.getByLabel('View next asset').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index + 1].id}`);
+    });
+
+    test('Navigate to previous asset via button', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+
+      await page.getByLabel('View previous asset').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index - 1].id}`);
+    });
+
+    test('Navigate to next asset via keyboard (ArrowRight)', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+
+      await page.keyboard.press('ArrowRight');
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index + 1].id}`);
+    });
+
+    test('Navigate to previous asset via keyboard (ArrowLeft)', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+
+      await page.keyboard.press('ArrowLeft');
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index - 1].id}`);
+    });
+
+    test('Navigate forward 5 times via button', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+
+      for (let i = 1; i <= 5; i++) {
+        await page.getByLabel('View next asset').click();
+        await assetViewerUtils.waitForViewerLoad(page, assets[index + i]);
+        await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index + i].id}`);
+      }
+    });
+
+    test('Navigate backward 5 times via button', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+
+      for (let i = 1; i <= 5; i++) {
+        await page.getByLabel('View previous asset').click();
+        await assetViewerUtils.waitForViewerLoad(page, assets[index - i]);
+        await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index - i].id}`);
+      }
+    });
+
+    test('Navigate forward then backward via keyboard', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+
+      // Navigate forward 3 times
+      for (let i = 1; i <= 3; i++) {
+        await page.keyboard.press('ArrowRight');
+        await assetViewerUtils.waitForViewerLoad(page, assets[index + i]);
+      }
+
+      // Navigate backward 3 times to return to original
+      for (let i = 2; i >= 0; i--) {
+        await page.keyboard.press('ArrowLeft');
+        await assetViewerUtils.waitForViewerLoad(page, assets[index + i]);
+      }
+
+      // Verify we're back at the original asset
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+    });
+
+    test('Verify no next button on last asset', async ({ page }) => {
+      const lastAsset = assets.at(-1)!;
+      await page.goto(`/photos/${lastAsset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, lastAsset);
+
+      // Verify next button doesn't exist
+      await expect(page.getByLabel('View next asset')).toHaveCount(0);
+    });
+
+    test('Verify no previous button on first asset', async ({ page }) => {
+      const firstAsset = assets[0];
+      await page.goto(`/photos/${firstAsset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, firstAsset);
+
+      // Verify previous button doesn't exist
+      await expect(page.getByLabel('View previous asset')).toHaveCount(0);
+    });
+
+    test('Delete photo advances to next', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      const index = assets.indexOf(asset);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+    });
+    test('Delete photo advances to next (2x)', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      const index = assets.indexOf(asset);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+      await page.getByLabel('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 2]);
+    });
+    test('Delete last photo advances to prev', async ({ page }) => {
+      const asset = assets.at(-1)!;
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      const index = assets.indexOf(asset);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
+    });
+    test('Delete last photo advances to prev (2x)', async ({ page }) => {
+      const asset = assets.at(-1)!;
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      const index = assets.indexOf(asset);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
+      await page.getByLabel('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 2]);
+    });
+  });
+  test.describe('/trash/photos/:id', () => {
+    test('Delete trashed photo advances to next', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
+      changes.assetDeletions.push(...deletedAssets);
+      await page.goto(`/trash/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+    });
+    test('Delete trashed photo advances to next 2x', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
+      changes.assetDeletions.push(...deletedAssets);
+      await page.goto(`/trash/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 2]);
+    });
+    test('Delete trashed photo advances to prev', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
+      changes.assetDeletions.push(...deletedAssets);
+      await page.goto(`/trash/photos/${assets[index + 9].id}`);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 9]);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 8]);
+    });
+    test('Delete trashed photo advances to prev 2x', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
+      changes.assetDeletions.push(...deletedAssets);
+      await page.goto(`/trash/photos/${assets[index + 9].id}`);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 9]);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 8]);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 7]);
+    });
+  });
+});

e2e/src/web/specs/photo-viewer.e2e-spec.ts

@@ -3,7 +3,7 @@ import { Page, expect, test } from '@playwright/test';
 import { utils } from 'src/utils';
 
 function imageLocator(page: Page) {
-  return page.getByAltText('Image taken on').locator('visible=true');
+  return page.getByAltText('Image taken').locator('visible=true');
 }
 test.describe('Photo Viewer', () => {
   let admin: LoginResponseDto;

e2e/src/web/specs/timeline/timeline.parallel-e2e-spec.ts

@@ -463,7 +463,7 @@ test.describe('Timeline', () => {
         });
         changes.albumAdditions.push(...requestJson.ids);
       });
-      await page.getByText('Done').click();
+      await page.getByText('Add assets').click();
       await expect(put).resolves.toEqual({
         ids: [
           'c077ea7b-cfa1-45e4-8554-f86c00ee5658',

e2e/src/web/specs/timeline/utils.ts

@@ -181,8 +181,12 @@ export const assetViewerUtils = {
   },
   async waitForViewerLoad(page: Page, asset: TimelineAssetConfig) {
     await page
-      .locator(`img[draggable="false"][src="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}"]`)
-      .or(page.locator(`video[poster="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}"]`))
+      .locator(
+        `img[draggable="false"][src="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}&edited=true"]`,
+      )
+      .or(
+        page.locator(`video[poster="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}&edited=true"]`),
+      )
       .waitFor();
   },
   async expectActiveAssetToBe(page: Page, assetId: string) {

e2e/src/web/specs/user-admin.e2e-spec.ts

@@ -56,7 +56,7 @@ test.describe('User Administration', () => {
     await expect(page.getByLabel('Admin User')).not.toBeChecked();
     await page.getByLabel('Admin User').click();
     await expect(page.getByLabel('Admin User')).toBeChecked();
-    await page.getByRole('button', { name: 'Confirm' }).click();
+    await page.getByRole('button', { name: 'Save' }).click();
 
     await expect
       .poll(async () => {
@@ -85,7 +85,7 @@ test.describe('User Administration', () => {
     await expect(page.getByLabel('Admin User')).toBeChecked();
     await page.getByLabel('Admin User').click();
     await expect(page.getByLabel('Admin User')).not.toBeChecked();
-    await page.getByRole('button', { name: 'Confirm' }).click();
+    await page.getByRole('button', { name: 'Save' }).click();
 
     await expect
       .poll(async () => {

e2e/vitest.config.ts

@@ -1,7 +1,7 @@
 import { defineConfig } from 'vitest/config';
 
 // skip `docker compose up` if `make e2e` was already run
-const globalSetup: string[] = ['src/setup/auth-server.ts'];
+const globalSetup: string[] = [];
 try {
   await fetch('http://127.0.0.1:2285/api/server-info/ping');
 } catch {

i18n/.prettierrc

@@ -0,0 +1,5 @@
+{
+  "jsonRecursiveSort": true,
+  "jsonSortOrder": "{\"/.*/\": \"lexical\"}",
+  "plugins": ["prettier-plugin-sort-json"]
+}

i18n/en.json

@@ -18,6 +18,7 @@
   "add_a_title": "Add a title",
   "add_action": "Add action",
   "add_action_description": "Click to add an action to perform",
+  "add_assets": "Add assets",
   "add_birthday": "Add a birthday",
   "add_endpoint": "Add endpoint",
   "add_exclusion_pattern": "Add exclusion pattern",
@@ -478,6 +479,7 @@
   "album_summary": "Album summary",
   "album_updated": "Album updated",
   "album_updated_setting_description": "Receive an email notification when a shared album has new assets",
+  "album_upload_assets": "Upload assets from your computer and add to album",
   "album_user_left": "Left {album}",
   "album_user_removed": "Removed {user}",
   "album_viewer_appbar_delete_confirm": "Are you sure you want to delete this album from your account?",
@@ -734,6 +736,18 @@
   "checksum": "Checksum",
   "choose_matching_people_to_merge": "Choose matching people to merge",
   "city": "City",
+  "cleanup_confirm_description": "Immich found {count} assets (created before {date}) safely backed up to the server. Remove the local copies from this device?",
+  "cleanup_confirm_prompt_title": "Remove from this device?",
+  "cleanup_deleted_assets": "Moved {count} assets to device trash",
+  "cleanup_deleting": "Moving to trash...",
+  "cleanup_filter_description": "Choose which types of assets to remove in the cleanup",
+  "cleanup_found_assets": "Found {count} backed up assets",
+  "cleanup_icloud_shared_albums_excluded": "iCloud Shared Albums are excluded from the scan",
+  "cleanup_no_assets_found": "No backed up assets found matching your criteria",
+  "cleanup_preview_title": "Assets to remove ({count})",
+  "cleanup_step3_description": "Scan for photos and videos that have been backed up to the server with the selected cutoff date and filter options",
+  "cleanup_step4_summary": "{count} assets created before {date} are queued for removal from your device",
+  "cleanup_trash_hint": "To fully reclaim storage space, open the system gallery app and empty the trash",
   "clear": "Clear",
   "clear_all": "Clear all",
   "clear_all_recent_searches": "Clear all recent searches",
@@ -819,13 +833,20 @@
   "created_at": "Created",
   "creating_linked_albums": "Creating linked albums...",
   "crop": "Crop",
+  "crop_aspect_ratio_fixed": "Fixed",
+  "crop_aspect_ratio_free": "Free",
+  "crop_aspect_ratio_original": "Original",
   "curated_object_page_title": "Things",
   "current_device": "Current device",
   "current_pin_code": "Current PIN code",
   "current_server_address": "Current server address",
+  "custom_date": "Custom date",
   "custom_locale": "Custom Locale",
   "custom_locale_description": "Format dates and numbers based on the language and the region",
   "custom_url": "Custom URL",
+  "cutoff_date_description": "Remove photos and videos older than",
+  "cutoff_day": "{count, plural, one {day} other {days}}",
+  "cutoff_year": "{count, plural, one {year} other {years}}",
   "daily_title_text_date": "E, MMM dd",
   "daily_title_text_date_year": "E, MMM dd, yyyy",
   "dark": "Dark",
@@ -907,6 +928,7 @@
   "download_include_embedded_motion_videos": "Embedded videos",
   "download_include_embedded_motion_videos_description": "Include videos embedded in motion photos as a separate file",
   "download_notfound": "Download not found",
+  "download_original": "Download original",
   "download_paused": "Download paused",
   "download_settings": "Download",
   "download_settings_description": "Manage settings related to asset download",
@@ -916,6 +938,7 @@
   "download_waiting_to_retry": "Waiting to retry",
   "downloading": "Downloading",
   "downloading_asset_filename": "Downloading asset {filename}",
+  "downloading_from_icloud": "Downloading from iCloud",
   "downloading_media": "Downloading media",
   "drop_files_to_upload": "Drop files anywhere to upload",
   "duplicates": "Duplicates",
@@ -948,9 +971,13 @@
   "editor": "Editor",
   "editor_close_without_save_prompt": "The changes will not be saved",
   "editor_close_without_save_title": "Close editor?",
-  "editor_crop_tool_h2_aspect_ratios": "Aspect ratios",
-  "editor_crop_tool_h2_rotation": "Rotation",
-  "editor_mode": "Editor mode",
+  "editor_confirm_reset_all_changes": "Are you sure you want to reset all changes?",
+  "editor_flip_horizontal": "Flip horizontal",
+  "editor_flip_vertical": "Flip vertical",
+  "editor_orientation": "Orientation",
+  "editor_reset_all_changes": "Reset changes",
+  "editor_rotate_left": "Rotate 90° counterclockwise",
+  "editor_rotate_right": "Rotate 90° clockwise",
   "email": "Email",
   "email_notifications": "Email notifications",
   "empty_folder": "This folder is empty",
@@ -1082,6 +1109,7 @@
     "unable_to_scan_library": "Unable to scan library",
     "unable_to_set_feature_photo": "Unable to set feature photo",
     "unable_to_set_profile_picture": "Unable to set profile picture",
+    "unable_to_set_rating": "Unable to set rating",
     "unable_to_submit_job": "Unable to submit job",
     "unable_to_trash_asset": "Unable to trash asset",
     "unable_to_unlink_account": "Unable to unlink account",
@@ -1096,6 +1124,7 @@
     "unable_to_update_workflow": "Unable to update workflow",
     "unable_to_upload_file": "Unable to upload file"
   },
+  "errors_text": "Errors",
   "exclusion_pattern": "Exclusion pattern",
   "exif": "Exif",
   "exif_bottom_sheet_description": "Add Description...",
@@ -1140,13 +1169,14 @@
   "features": "Features",
   "features_in_development": "Features in Development",
   "features_setting_description": "Manage the app features",
-  "file_name": "File name",
+  "file_name": "File name: {file_name}",
   "file_name_or_extension": "File name or extension",
   "file_size": "File size",
   "filename": "Filename",
   "filetype": "Filetype",
   "filter": "Filter",
   "filter_description": "Conditions to filter the target assets",
+  "filter_options": "Filter options",
   "filter_people": "Filter people",
   "filter_places": "Filter places",
   "filters": "Filters",
@@ -1159,6 +1189,9 @@
   "folders_feature_description": "Browsing the folder view for the photos and videos on the file system",
   "forgot_pin_code_question": "Forgot your PIN?",
   "forward": "Forward",
+  "free_up_space": "Free Up Space",
+  "free_up_space_description": "Move backed-up photos and videos to your device's trash to free up space. Your copies on the server remain safe",
+  "free_up_space_settings_subtitle": "Free up device storage",
   "full_path": "Full path: {path}",
   "gcast_enabled": "Google Cast",
   "gcast_enabled_description": "This feature loads external resources from Google in order to work.",
@@ -1275,6 +1308,8 @@
   "json_error": "JSON error",
   "keep": "Keep",
   "keep_all": "Keep All",
+  "keep_favorites": "Keep favorites",
+  "keep_favorites_description": "Favorite assets will not be deleted from your device",
   "keep_this_delete_others": "Keep this, delete others",
   "kept_this_deleted_others": "Kept this asset and deleted {count, plural, one {# asset} other {# assets}}",
   "keyboard_shortcuts": "Keyboard shortcuts",
@@ -1434,6 +1469,8 @@
   "minimize": "Minimize",
   "minute": "Minute",
   "minutes": "Minutes",
+  "mirror_horizontal": "Horizontal",
+  "mirror_vertical": "Vertical",
   "missing": "Missing",
   "mobile_app": "Mobile App",
   "mobile_app_download_onboarding_note": "Download the companion mobile app using the following options",
@@ -1445,6 +1482,7 @@
   "move_down": "Move down",
   "move_off_locked_folder": "Move out of locked folder",
   "move_to": "Move to",
+  "move_to_device_trash": "Move to device trash",
   "move_to_lock_folder_action_prompt": "{count} added to the locked folder",
   "move_to_locked_folder": "Move to locked folder",
   "move_to_locked_folder_confirmation": "These photos and video will be removed from all albums, and only viewable from the locked folder",
@@ -1627,6 +1665,7 @@
   "photos_and_videos": "Photos & Videos",
   "photos_count": "{count, plural, one {{count, number} Photo} other {{count, number} Photos}}",
   "photos_from_previous_years": "Photos from previous years",
+  "photos_only": "Photos only",
   "pick_a_location": "Pick a location",
   "pick_custom_range": "Custom range",
   "pick_date_range": "Select a date range",
@@ -1702,10 +1741,12 @@
   "purchase_settings_server_activated": "The server product key is managed by the admin",
   "query_asset_id": "Query Asset ID",
   "queue_status": "Queuing {count}/{total}",
+  "rate_asset": "Rate Asset",
   "rating": "Star rating",
   "rating_clear": "Clear rating",
   "rating_count": "{count, plural, one {# star} other {# stars}}",
   "rating_description": "Display the EXIF rating in the info panel",
+  "rating_set": "Rating set to {rating, plural, one {# star} other {# stars}}",
   "reaction_options": "Reaction options",
   "read_changelog": "Read Changelog",
   "readonly_mode_disabled": "Read-only mode disabled",
@@ -1805,9 +1846,11 @@
   "saved_settings": "Saved settings",
   "say_something": "Say something",
   "scaffold_body_error_occurred": "Error occurred",
+  "scan": "Scan",
   "scan_all_libraries": "Scan All Libraries",
   "scan_library": "Scan",
   "scan_settings": "Scan Settings",
+  "scanning": "Scanning",
   "scanning_for_album": "Scanning for album...",
   "search": "Search",
   "search_albums": "Search albums",
@@ -1879,6 +1922,7 @@
   "select_all_in": "Select all in {group}",
   "select_avatar_color": "Select avatar color",
   "select_count": "{count, plural, one {Select #} other {Select #}}",
+  "select_cutoff_date": "Select cutoff date",
   "select_face": "Select face",
   "select_featured_photo": "Select featured photo",
   "select_from_computer": "Select from computer",
@@ -2153,7 +2197,7 @@
   "trigger": "Trigger",
   "trigger_asset_uploaded": "Asset Uploaded",
   "trigger_asset_uploaded_description": "Triggered when a new asset is uploaded",
-  "trigger_description": "An event that kick off the workflow",
+  "trigger_description": "An event that kicks off the workflow",
   "trigger_person_recognized": "Person Recognized",
   "trigger_person_recognized_description": "Triggered when a person is detected",
   "trigger_type": "Trigger type",
@@ -2195,7 +2239,6 @@
   "updated_at": "Updated",
   "updated_password": "Updated password",
   "upload": "Upload",
-  "upload_action_prompt": "{count} queued for upload",
   "upload_concurrency": "Upload concurrency",
   "upload_details": "Upload Details",
   "upload_dialog_info": "Do you want to backup the selected Asset(s) to the server?",
@@ -2247,6 +2290,7 @@
   "video_hover_setting_description": "Play video thumbnail when mouse is hovering over item. Even when disabled, playback can be started by hovering over the play icon.",
   "videos": "Videos",
   "videos_count": "{count, plural, one {# Video} other {# Videos}}",
+  "videos_only": "Videos only",
   "view": "View",
   "view_album": "View Album",
   "view_all": "View All",
@@ -2296,6 +2340,7 @@
   "yes": "Yes",
   "you_dont_have_any_shared_links": "You don't have any shared links",
   "your_wifi_name": "Your Wi-Fi name",
+  "zero_to_clear_rating": "press 0 to clear asset rating",
   "zoom_image": "Zoom Image",
   "zoom_to_bounds": "Zoom to bounds"
 }

i18n/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "immich-i18n",
+  "version": "1.0.0",
+  "private": true,
+  "scripts": {
+    "format": "prettier --check .",
+    "format:fix": "prettier --write ."
+  },
+  "devDependencies": {
+    "prettier": "^3.7.4",
+    "prettier-plugin-sort-json": "^4.1.1"
+  }
+}

machine-learning/Dockerfile

@@ -92,14 +92,14 @@ FROM python:3.13-slim-trixie@sha256:0222b795db95bf7412cede36ab46a266cfb31f632e64
 
 RUN apt-get update && \
     apt-get install --no-install-recommends -yqq ocl-icd-libopencl1 wget && \
-    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.24.8/intel-igc-core-2_2.24.8+20344_amd64.deb && \
-    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.24.8/intel-igc-opencl-2_2.24.8+20344_amd64.deb && \
-    wget -nv https://github.com/intel/compute-runtime/releases/download/25.48.36300.8/intel-opencl-icd_25.48.36300.8-0_amd64.deb &&  \
+    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.27.10/intel-igc-core-2_2.27.10+20617_amd64.deb && \
+    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.27.10/intel-igc-opencl-2_2.27.10+20617_amd64.deb && \
+    wget -nv https://github.com/intel/compute-runtime/releases/download/26.01.36711.4/intel-opencl-icd_26.01.36711.4-0_amd64.deb &&  \
     wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-core_1.0.17537.24_amd64.deb && \
     wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-opencl_1.0.17537.24_amd64.deb && \
     wget -nv https://github.com/intel/compute-runtime/releases/download/24.35.30872.36/intel-opencl-icd-legacy1_24.35.30872.36_amd64.deb && \
     # TODO: Figure out how to get renovate to manage this differently versioned libigdgmm file
-    wget -nv https://github.com/intel/compute-runtime/releases/download/25.48.36300.8/libigdgmm12_22.8.2_amd64.deb && \
+    wget -nv https://github.com/intel/compute-runtime/releases/download/26.01.36711.4/libigdgmm12_22.9.0_amd64.deb && \
     dpkg -i *.deb && \
     rm *.deb && \
     apt-get remove wget -yqq && \

mise.toml

@@ -1,9 +1,9 @@
 experimental_monorepo_root = true
 
 [tools]
-node = "24.11.1"
+node = "24.13.0"
 flutter = "3.35.7"
-pnpm = "10.24.0"
+pnpm = "10.27.0"
 terragrunt = "0.93.10"
 opentofu = "1.10.7"
 java = "25.0.1"
@@ -34,4 +34,4 @@ run = { task = ":i18n:format-fix" }
 
 [tasks."i18n:format-fix"]
 dir = "i18n"
-run = "pnpm dlx sort-json *.json"
+run = "pnpm run format:fix"

mobile/android/app/CMakeLists.txt

@@ -8,3 +8,5 @@ project(native_buffer LANGUAGES C)
 add_library(native_buffer SHARED
     src/main/cpp/native_buffer.c
 )
+
+target_link_libraries(native_buffer jnigraphics)

mobile/android/app/build.gradle

@@ -31,7 +31,7 @@ if (keystorePropertiesFile.exists()) {
 
 android {
   compileSdkVersion 35
-  ndkVersion = "28.1.13356709"
+  ndkVersion = "28.2.13676358"
 
   compileOptions {
     sourceCompatibility JavaVersion.VERSION_17
@@ -48,6 +48,7 @@ android {
   }
 
   buildFeatures {
+    buildConfig true
     compose true
   }
 
@@ -105,8 +106,11 @@ dependencies {
   def serialization_version = '1.8.1'
   def compose_version = '1.1.1'
   def gson_version = '2.10.1'
+  def okhttp_version = '4.12.0'
 
   implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
+  implementation "com.squareup.okhttp3:okhttp:$okhttp_version"
+  implementation 'org.chromium.net:cronet-embedded:143.7445.0'
   implementation "org.jetbrains.kotlinx:kotlinx-coroutines-android:$kotlin_coroutines_version"
   implementation "androidx.work:work-runtime-ktx:$work_version"
   implementation "androidx.concurrent:concurrent-futures:$concurrent_version"

mobile/android/app/src/main/cpp/native_buffer.c

@@ -1,40 +1,38 @@
 #include <jni.h>
 #include <stdlib.h>
+#include <string.h>
 
 JNIEXPORT jlong JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_00024Companion_allocateNative(
-        JNIEnv *env, jclass clazz, jint size) {
-    void *ptr = malloc(size);
-    return (jlong) ptr;
-}
-
-JNIEXPORT jlong JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_allocateNative(
+Java_app_alextran_immich_NativeBuffer_allocate(
         JNIEnv *env, jclass clazz, jint size) {
     void *ptr = malloc(size);
     return (jlong) ptr;
 }
 
 JNIEXPORT void JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_00024Companion_freeNative(
+Java_app_alextran_immich_NativeBuffer_free(
         JNIEnv *env, jclass clazz, jlong address) {
     free((void *) address);
 }
 
+JNIEXPORT jlong JNICALL
+Java_app_alextran_immich_NativeBuffer_realloc(
+        JNIEnv *env, jclass clazz, jlong address, jint size) {
+    void *ptr = realloc((void *) address, size);
+    return (jlong) ptr;
+}
+
+JNIEXPORT jobject JNICALL
+Java_app_alextran_immich_NativeBuffer_wrap(
+        JNIEnv *env, jclass clazz, jlong address, jint capacity) {
+    return (*env)->NewDirectByteBuffer(env, (void *) address, capacity);
+}
+
 JNIEXPORT void JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_freeNative(
-        JNIEnv *env, jclass clazz, jlong address) {
-    free((void *) address);
-}
-
-JNIEXPORT jobject JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_00024Companion_wrapAsBuffer(
-        JNIEnv *env, jclass clazz, jlong address, jint capacity) {
-    return (*env)->NewDirectByteBuffer(env, (void *) address, capacity);
-}
-
-JNIEXPORT jobject JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_wrapAsBuffer(
-        JNIEnv *env, jclass clazz, jlong address, jint capacity) {
-    return (*env)->NewDirectByteBuffer(env, (void *) address, capacity);
+Java_app_alextran_immich_NativeBuffer_copy(
+        JNIEnv *env, jclass clazz, jobject buffer, jlong destAddress, jint offset, jint length) {
+    void *src = (*env)->GetDirectBufferAddress(env, buffer);
+    if (src != NULL) {
+        memcpy((void *) destAddress, (char *) src + offset, length);
+    }
 }

mobile/android/app/src/main/kotlin/app/alextran/immich/HttpSSLOptionsPlugin.kt

@@ -2,6 +2,7 @@ package app.alextran.immich
 
 import android.annotation.SuppressLint
 import android.content.Context
+import app.alextran.immich.core.SSLConfig
 import io.flutter.embedding.engine.plugins.FlutterPlugin
 import io.flutter.plugin.common.BinaryMessenger
 import io.flutter.plugin.common.MethodCall
@@ -51,15 +52,18 @@ class HttpSSLOptionsPlugin : FlutterPlugin, MethodChannel.MethodCallHandler {
       when (call.method) {
         "apply" -> {
           val args = call.arguments<ArrayList<*>>()!!
+          val allowSelfSigned = args[0] as Boolean
+          val serverHost = args[1] as? String
+          val clientCertHash = (args[2] as? ByteArray)
 
           var tm: Array<TrustManager>? = null
-          if (args[0] as Boolean) {
-            tm = arrayOf(AllowSelfSignedTrustManager(args[1] as? String))
+          if (allowSelfSigned) {
+            tm = arrayOf(AllowSelfSignedTrustManager(serverHost))
           }
 
           var km: Array<KeyManager>? = null
-          if (args[2] != null) {
-            val cert = ByteArrayInputStream(args[2] as ByteArray)
+          if (clientCertHash != null) {
+            val cert = ByteArrayInputStream(clientCertHash)
             val password = (args[3] as String).toCharArray()
             val keyStore = KeyStore.getInstance("PKCS12")
             keyStore.load(cert, password)
@@ -69,6 +73,9 @@ class HttpSSLOptionsPlugin : FlutterPlugin, MethodChannel.MethodCallHandler {
             km = keyManagerFactory.keyManagers
           }
 
+          // Update shared SSL config for OkHttp and other HTTP clients
+          SSLConfig.apply(km, tm, allowSelfSigned, serverHost, clientCertHash?.contentHashCode() ?: 0)
+
           val sslContext = SSLContext.getInstance("TLS")
           sslContext.init(km, tm, null)
           HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.socketFactory)

mobile/android/app/src/main/kotlin/app/alextran/immich/MainActivity.kt

@@ -10,8 +10,10 @@ import app.alextran.immich.background.BackgroundWorkerLockApi
 import app.alextran.immich.connectivity.ConnectivityApi
 import app.alextran.immich.connectivity.ConnectivityApiImpl
 import app.alextran.immich.core.ImmichPlugin
-import app.alextran.immich.images.ThumbnailApi
-import app.alextran.immich.images.ThumbnailsImpl
+import app.alextran.immich.images.LocalImageApi
+import app.alextran.immich.images.LocalImagesImpl
+import app.alextran.immich.images.RemoteImageApi
+import app.alextran.immich.images.RemoteImagesImpl
 import app.alextran.immich.sync.NativeSyncApi
 import app.alextran.immich.sync.NativeSyncApiImpl26
 import app.alextran.immich.sync.NativeSyncApiImpl30
@@ -36,7 +38,9 @@ class MainActivity : FlutterFragmentActivity() {
           NativeSyncApiImpl30(ctx)
         }
       NativeSyncApi.setUp(messenger, nativeSyncApiImpl)
-      ThumbnailApi.setUp(messenger, ThumbnailsImpl(ctx))
+      LocalImageApi.setUp(messenger, LocalImagesImpl(ctx))
+      RemoteImageApi.setUp(messenger, RemoteImagesImpl(ctx))
+
       BackgroundWorkerFgHostApi.setUp(messenger, BackgroundWorkerApiImpl(ctx))
       ConnectivityApi.setUp(messenger, ConnectivityApiImpl(ctx))
 

mobile/android/app/src/main/kotlin/app/alextran/immich/NativeBuffer.kt

@@ -0,0 +1,52 @@
+package app.alextran.immich
+
+import java.nio.ByteBuffer
+
+const val INITIAL_BUFFER_SIZE = 32 * 1024
+
+object NativeBuffer {
+  init {
+    System.loadLibrary("native_buffer")
+  }
+
+  @JvmStatic
+  external fun allocate(size: Int): Long
+
+  @JvmStatic
+  external fun free(address: Long)
+
+  @JvmStatic
+  external fun realloc(address: Long, size: Int): Long
+
+  @JvmStatic
+  external fun wrap(address: Long, capacity: Int): ByteBuffer
+
+  @JvmStatic
+  external fun copy(buffer: ByteBuffer, destAddress: Long, offset: Int, length: Int)
+}
+
+class NativeByteBuffer(initialCapacity: Int) {
+  var pointer = NativeBuffer.allocate(initialCapacity)
+  var capacity = initialCapacity
+  var offset = 0
+
+  inline fun ensureHeadroom() {
+    if (offset == capacity) {
+      capacity *= 2
+      pointer = NativeBuffer.realloc(pointer, capacity)
+    }
+  }
+
+  inline fun wrapRemaining() = NativeBuffer.wrap(pointer + offset, capacity - offset)
+
+  inline fun advance(bytesRead: Int) {
+    offset += bytesRead
+  }
+
+  inline fun free() {
+    if (pointer != 0L) {
+      NativeBuffer.free(pointer)
+      pointer = 0L
+    }
+  }
+}

mobile/android/app/src/main/kotlin/app/alextran/immich/core/SSLConfig.kt

@@ -0,0 +1,73 @@
+package app.alextran.immich.core
+
+import java.security.KeyStore
+import javax.net.ssl.KeyManager
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509TrustManager
+
+/**
+ * Shared SSL configuration for OkHttp and HttpsURLConnection.
+ * Stores the SSLSocketFactory and X509TrustManager configured by HttpSSLOptionsPlugin.
+ */
+object SSLConfig {
+  var sslSocketFactory: SSLSocketFactory? = null
+    private set
+
+  var trustManager: X509TrustManager? = null
+    private set
+
+  var requiresCustomSSL: Boolean = false
+    private set
+
+  private val listeners = mutableListOf<() -> Unit>()
+  private var configHash: Int = 0
+
+  fun addListener(listener: () -> Unit) {
+    listeners.add(listener)
+  }
+
+  fun apply(
+    keyManagers: Array<KeyManager>?,
+    trustManagers: Array<TrustManager>?,
+    allowSelfSigned: Boolean,
+    serverHost: String?,
+    clientCertHash: Int
+  ) {
+    synchronized(this) {
+      val newHash = computeHash(allowSelfSigned, serverHost, clientCertHash)
+      val newRequiresCustomSSL = allowSelfSigned || keyManagers != null
+      if (newHash == configHash && sslSocketFactory != null && requiresCustomSSL == newRequiresCustomSSL) {
+        return  // Config unchanged, skip
+      }
+
+      val sslContext = SSLContext.getInstance("TLS")
+      sslContext.init(keyManagers, trustManagers, null)
+      sslSocketFactory = sslContext.socketFactory
+      trustManager = trustManagers?.filterIsInstance<X509TrustManager>()?.firstOrNull()
+        ?: getDefaultTrustManager()
+      requiresCustomSSL = newRequiresCustomSSL
+      configHash = newHash
+      notifyListeners()
+    }
+  }
+
+  private fun computeHash(allowSelfSigned: Boolean, serverHost: String?, clientCertHash: Int): Int {
+    var result = allowSelfSigned.hashCode()
+    result = 31 * result + (serverHost?.hashCode() ?: 0)
+    result = 31 * result + clientCertHash
+    return result
+  }
+
+  private fun notifyListeners() {
+    listeners.forEach { it() }
+  }
+
+  private fun getDefaultTrustManager(): X509TrustManager {
+    val factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+    factory.init(null as KeyStore?)
+    return factory.trustManagers.filterIsInstance<X509TrustManager>().first()
+  }
+}

mobile/android/app/src/main/kotlin/app/alextran/immich/images/LocalImages.g.kt

@@ -13,7 +13,7 @@ import io.flutter.plugin.common.StandardMethodCodec
 import io.flutter.plugin.common.StandardMessageCodec
 import java.io.ByteArrayOutputStream
 import java.nio.ByteBuffer
-private object ThumbnailsPigeonUtils {
+private object LocalImagesPigeonUtils {
 
   fun wrapResult(result: Any?): List<Any?> {
     return listOf(result)
@@ -47,7 +47,7 @@ class FlutterError (
   override val message: String? = null,
   val details: Any? = null
 ) : Throwable()
-private open class ThumbnailsPigeonCodec : StandardMessageCodec() {
+private open class LocalImagesPigeonCodec : StandardMessageCodec() {
   override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
     return     super.readValueOfType(type, buffer)
   }
@@ -58,22 +58,22 @@ private open class ThumbnailsPigeonCodec : StandardMessageCodec() {
 
 
 /** Generated interface from Pigeon that represents a handler of messages from Flutter. */
-interface ThumbnailApi {
-  fun requestImage(assetId: String, requestId: Long, width: Long, height: Long, isVideo: Boolean, callback: (Result<Map<String, Long>>) -> Unit)
-  fun cancelImageRequest(requestId: Long)
+interface LocalImageApi {
+  fun requestImage(assetId: String, requestId: Long, width: Long, height: Long, isVideo: Boolean, callback: (Result<Map<String, Long>?>) -> Unit)
+  fun cancelRequest(requestId: Long)
   fun getThumbhash(thumbhash: String, callback: (Result<Map<String, Long>>) -> Unit)
 
   companion object {
-    /** The codec used by ThumbnailApi. */
+    /** The codec used by LocalImageApi. */
     val codec: MessageCodec<Any?> by lazy {
-      ThumbnailsPigeonCodec()
+      LocalImagesPigeonCodec()
     }
-    /** Sets up an instance of `ThumbnailApi` to handle messages through the `binaryMessenger`. */
+    /** Sets up an instance of `LocalImageApi` to handle messages through the `binaryMessenger`. */
     @JvmOverloads
-    fun setUp(binaryMessenger: BinaryMessenger, api: ThumbnailApi?, messageChannelSuffix: String = "") {
+    fun setUp(binaryMessenger: BinaryMessenger, api: LocalImageApi?, messageChannelSuffix: String = "") {
       val separatedMessageChannelSuffix = if (messageChannelSuffix.isNotEmpty()) ".$messageChannelSuffix" else ""
       run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.ThumbnailApi.requestImage$separatedMessageChannelSuffix", codec)
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.LocalImageApi.requestImage$separatedMessageChannelSuffix", codec)
         if (api != null) {
           channel.setMessageHandler { message, reply ->
             val args = message as List<Any?>
@@ -82,13 +82,13 @@ interface ThumbnailApi {
             val widthArg = args[2] as Long
             val heightArg = args[3] as Long
             val isVideoArg = args[4] as Boolean
-            api.requestImage(assetIdArg, requestIdArg, widthArg, heightArg, isVideoArg) { result: Result<Map<String, Long>> ->
+            api.requestImage(assetIdArg, requestIdArg, widthArg, heightArg, isVideoArg) { result: Result<Map<String, Long>?> ->
               val error = result.exceptionOrNull()
               if (error != null) {
-                reply.reply(ThumbnailsPigeonUtils.wrapError(error))
+                reply.reply(LocalImagesPigeonUtils.wrapError(error))
               } else {
                 val data = result.getOrNull()
-                reply.reply(ThumbnailsPigeonUtils.wrapResult(data))
+                reply.reply(LocalImagesPigeonUtils.wrapResult(data))
               }
             }
           }
@@ -97,16 +97,16 @@ interface ThumbnailApi {
         }
       }
       run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.ThumbnailApi.cancelImageRequest$separatedMessageChannelSuffix", codec)
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.LocalImageApi.cancelRequest$separatedMessageChannelSuffix", codec)
         if (api != null) {
           channel.setMessageHandler { message, reply ->
             val args = message as List<Any?>
             val requestIdArg = args[0] as Long
             val wrapped: List<Any?> = try {
-              api.cancelImageRequest(requestIdArg)
+              api.cancelRequest(requestIdArg)
               listOf(null)
             } catch (exception: Throwable) {
-              ThumbnailsPigeonUtils.wrapError(exception)
+              LocalImagesPigeonUtils.wrapError(exception)
             }
             reply.reply(wrapped)
           }
@@ -115,7 +115,7 @@ interface ThumbnailApi {
         }
       }
       run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.ThumbnailApi.getThumbhash$separatedMessageChannelSuffix", codec)
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.LocalImageApi.getThumbhash$separatedMessageChannelSuffix", codec)
         if (api != null) {
           channel.setMessageHandler { message, reply ->
             val args = message as List<Any?>
@@ -123,10 +123,10 @@ interface ThumbnailApi {
             api.getThumbhash(thumbhashArg) { result: Result<Map<String, Long>> ->
               val error = result.exceptionOrNull()
               if (error != null) {
-                reply.reply(ThumbnailsPigeonUtils.wrapError(error))
+                reply.reply(LocalImagesPigeonUtils.wrapError(error))
               } else {
                 val data = result.getOrNull()
-                reply.reply(ThumbnailsPigeonUtils.wrapResult(data))
+                reply.reply(LocalImagesPigeonUtils.wrapResult(data))
               }
             }
           }

mobile/android/app/src/main/kotlin/app/alextran/immich/images/LocalImagesImpl.kt

@@ -11,7 +11,8 @@ import android.os.OperationCanceledException
 import android.provider.MediaStore.Images
 import android.provider.MediaStore.Video
 import android.util.Size
-import java.nio.ByteBuffer
+import androidx.annotation.RequiresApi
+import app.alextran.immich.NativeBuffer
 import kotlin.math.*
 import java.util.concurrent.Executors
 import com.bumptech.glide.Glide
@@ -26,10 +27,42 @@ import java.util.concurrent.Future
 data class Request(
   val taskFuture: Future<*>,
   val cancellationSignal: CancellationSignal,
-  val callback: (Result<Map<String, Long>>) -> Unit
+  val callback: (Result<Map<String, Long>?>) -> Unit
 )
 
-class ThumbnailsImpl(context: Context) : ThumbnailApi {
+@RequiresApi(Build.VERSION_CODES.Q)
+inline fun ImageDecoder.Source.decodeBitmap(target: Size = Size(0, 0)): Bitmap {
+  return ImageDecoder.decodeBitmap(this) { decoder, info, _ ->
+    if (target.width > 0 && target.height > 0) {
+      val sample = max(1, min(info.size.width / target.width, info.size.height / target.height))
+      decoder.setTargetSampleSize(sample)
+    }
+    decoder.allocator = ImageDecoder.ALLOCATOR_SOFTWARE
+    decoder.setTargetColorSpace(ColorSpace.get(ColorSpace.Named.SRGB))
+  }
+}
+
+fun Bitmap.toNativeBuffer(): Map<String, Long>  {
+  val size = width * height * 4
+  val pointer = NativeBuffer.allocate(size)
+  try {
+    val buffer = NativeBuffer.wrap(pointer, size)
+    copyPixelsToBuffer(buffer)
+    recycle()
+    return mapOf(
+      "pointer" to pointer,
+      "width" to width.toLong(),
+      "height" to height.toLong(),
+      "rowBytes" to (width * 4).toLong()
+    )
+  } catch (e: Exception) {
+    NativeBuffer.free(pointer)
+    recycle()
+    throw e
+  }
+}
+
+class LocalImagesImpl(context: Context) : LocalImageApi {
   private val ctx: Context = context.applicationContext
   private val resolver: ContentResolver = ctx.contentResolver
   private val requestThread = Executors.newSingleThreadExecutor()
@@ -38,21 +71,8 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
   private val requestMap = ConcurrentHashMap<Long, Request>()
 
   companion object {
-    val CANCELLED = Result.success<Map<String, Long>>(mapOf())
+    val CANCELLED = Result.success<Map<String, Long>?>(null)
     val OPTIONS = BitmapFactory.Options().apply { inPreferredConfig = Bitmap.Config.ARGB_8888 }
-
-    init {
-      System.loadLibrary("native_buffer")
-    }
-
-    @JvmStatic
-    external fun allocateNative(size: Int): Long
-
-    @JvmStatic
-    external fun freeNative(pointer: Long)
-
-    @JvmStatic
-    external fun wrapAsBuffer(address: Long, capacity: Int): ByteBuffer
   }
 
   override fun getThumbhash(thumbhash: String, callback: (Result<Map<String, Long>>) -> Unit) {
@@ -63,7 +83,8 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
         val res = mapOf(
           "pointer" to image.pointer,
           "width" to image.width.toLong(),
-          "height" to image.height.toLong()
+          "height" to image.height.toLong(),
+          "rowBytes" to (image.width * 4).toLong()
         )
         callback(Result.success(res))
       } catch (e: Exception) {
@@ -78,7 +99,7 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
     width: Long,
     height: Long,
     isVideo: Boolean,
-    callback: (Result<Map<String, Long>>) -> Unit
+    callback: (Result<Map<String, Long>?>) -> Unit
   ) {
     val signal = CancellationSignal()
     val task = threadPool.submit {
@@ -98,7 +119,7 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
     requestMap[requestId] = request
   }
 
-  override fun cancelImageRequest(requestId: Long) {
+  override fun cancelRequest(requestId: Long) {
     val request = requestMap.remove(requestId) ?: return
     request.taskFuture.cancel(false)
     request.cancellationSignal.cancel()
@@ -117,7 +138,7 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
     width: Long,
     height: Long,
     isVideo: Boolean,
-    callback: (Result<Map<String, Long>>) -> Unit,
+    callback: (Result<Map<String, Long>?>) -> Unit,
     signal: CancellationSignal
   ) {
     signal.throwIfCanceled()
@@ -131,31 +152,12 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
       decodeImage(id, size, signal)
     }
 
-    processBitmap(bitmap, callback, signal)
-  }
-
-  private fun processBitmap(
-    bitmap: Bitmap, callback: (Result<Map<String, Long>>) -> Unit, signal: CancellationSignal
-  ) {
-    signal.throwIfCanceled()
-    val actualWidth = bitmap.width
-    val actualHeight = bitmap.height
-
-    val size = actualWidth * actualHeight * 4
-    val pointer = allocateNative(size)
-
     try {
       signal.throwIfCanceled()
-      val buffer = wrapAsBuffer(pointer, size)
-      bitmap.copyPixelsToBuffer(buffer)
-      bitmap.recycle()
+      val res = bitmap.toNativeBuffer()
       signal.throwIfCanceled()
-      val res = mapOf(
-        "pointer" to pointer, "width" to actualWidth.toLong(), "height" to actualHeight.toLong()
-      )
       callback(Result.success(res))
     } catch (e: Exception) {
-      freeNative(pointer)
       callback(if (e is OperationCanceledException) CANCELLED else Result.failure(e))
     }
   }
@@ -191,16 +193,7 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
   private fun decodeSource(uri: Uri, target: Size, signal: CancellationSignal): Bitmap {
     signal.throwIfCanceled()
     return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
-      val source = ImageDecoder.createSource(resolver, uri)
-      signal.throwIfCanceled()
-      ImageDecoder.decodeBitmap(source) { decoder, info, _ ->
-        if (target.width > 0 && target.height > 0) {
-          val sample = max(1, min(info.size.width / target.width, info.size.height / target.height))
-          decoder.setTargetSampleSize(sample)
-        }
-        decoder.allocator = ImageDecoder.ALLOCATOR_SOFTWARE
-        decoder.setTargetColorSpace(ColorSpace.get(ColorSpace.Named.SRGB))
-      }
+      ImageDecoder.createSource(resolver, uri).decodeBitmap(target)
     } else {
       val ref =
         Glide.with(ctx).asBitmap().priority(Priority.IMMEDIATE).load(uri).disallowHardwareConfig()

mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImages.g.kt

@@ -0,0 +1,104 @@
+// Autogenerated from Pigeon (v26.0.2), do not edit directly.
+// See also: https://pub.dev/packages/pigeon
+@file:Suppress("UNCHECKED_CAST", "ArrayInDataClass")
+
+package app.alextran.immich.images
+
+import android.util.Log
+import io.flutter.plugin.common.BasicMessageChannel
+import io.flutter.plugin.common.BinaryMessenger
+import io.flutter.plugin.common.EventChannel
+import io.flutter.plugin.common.MessageCodec
+import io.flutter.plugin.common.StandardMethodCodec
+import io.flutter.plugin.common.StandardMessageCodec
+import java.io.ByteArrayOutputStream
+import java.nio.ByteBuffer
+private object RemoteImagesPigeonUtils {
+
+  fun wrapResult(result: Any?): List<Any?> {
+    return listOf(result)
+  }
+
+  fun wrapError(exception: Throwable): List<Any?> {
+    return if (exception is FlutterError) {
+      listOf(
+        exception.code,
+        exception.message,
+        exception.details
+      )
+    } else {
+      listOf(
+        exception.javaClass.simpleName,
+        exception.toString(),
+        "Cause: " + exception.cause + ", Stacktrace: " + Log.getStackTraceString(exception)
+      )
+    }
+  }
+}
+private open class RemoteImagesPigeonCodec : StandardMessageCodec() {
+  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
+    return     super.readValueOfType(type, buffer)
+  }
+  override fun writeValue(stream: ByteArrayOutputStream, value: Any?)   {
+    super.writeValue(stream, value)
+  }
+}
+
+
+/** Generated interface from Pigeon that represents a handler of messages from Flutter. */
+interface RemoteImageApi {
+  fun requestImage(url: String, headers: Map<String, String>, requestId: Long, callback: (Result<Map<String, Long>?>) -> Unit)
+  fun cancelRequest(requestId: Long)
+
+  companion object {
+    /** The codec used by RemoteImageApi. */
+    val codec: MessageCodec<Any?> by lazy {
+      RemoteImagesPigeonCodec()
+    }
+    /** Sets up an instance of `RemoteImageApi` to handle messages through the `binaryMessenger`. */
+    @JvmOverloads
+    fun setUp(binaryMessenger: BinaryMessenger, api: RemoteImageApi?, messageChannelSuffix: String = "") {
+      val separatedMessageChannelSuffix = if (messageChannelSuffix.isNotEmpty()) ".$messageChannelSuffix" else ""
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.RemoteImageApi.requestImage$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { message, reply ->
+            val args = message as List<Any?>
+            val urlArg = args[0] as String
+            val headersArg = args[1] as Map<String, String>
+            val requestIdArg = args[2] as Long
+            api.requestImage(urlArg, headersArg, requestIdArg) { result: Result<Map<String, Long>?> ->
+              val error = result.exceptionOrNull()
+              if (error != null) {
+                reply.reply(RemoteImagesPigeonUtils.wrapError(error))
+              } else {
+                val data = result.getOrNull()
+                reply.reply(RemoteImagesPigeonUtils.wrapResult(data))
+              }
+            }
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.RemoteImageApi.cancelRequest$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { message, reply ->
+            val args = message as List<Any?>
+            val requestIdArg = args[0] as Long
+            val wrapped: List<Any?> = try {
+              api.cancelRequest(requestIdArg)
+              listOf(null)
+            } catch (exception: Throwable) {
+              RemoteImagesPigeonUtils.wrapError(exception)
+            }
+            reply.reply(wrapped)
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+    }
+  }
+}

mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImagesImpl.kt

@@ -0,0 +1,432 @@
+package app.alextran.immich.images
+
+import android.content.Context
+import android.os.CancellationSignal
+import android.os.OperationCanceledException
+import app.alextran.immich.BuildConfig
+import app.alextran.immich.INITIAL_BUFFER_SIZE
+import app.alextran.immich.NativeBuffer
+import app.alextran.immich.NativeByteBuffer
+import app.alextran.immich.core.SSLConfig
+import okhttp3.Cache
+import okhttp3.Call
+import okhttp3.Callback
+import okhttp3.ConnectionPool
+import okhttp3.Dispatcher
+import okhttp3.OkHttpClient
+import okhttp3.Request
+import okhttp3.Response
+import org.chromium.net.CronetEngine
+import org.chromium.net.CronetException
+import org.chromium.net.UrlRequest
+import org.chromium.net.UrlResponseInfo
+import java.io.EOFException
+import java.io.File
+import java.io.IOException
+import java.nio.ByteBuffer
+import java.util.concurrent.ConcurrentHashMap
+import java.util.concurrent.Executors
+import java.util.concurrent.TimeUnit
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.X509TrustManager
+
+
+private const val USER_AGENT = "Immich_Android_${BuildConfig.VERSION_NAME}"
+private const val MAX_REQUESTS_PER_HOST = 64
+private const val KEEP_ALIVE_CONNECTIONS = 10
+private const val KEEP_ALIVE_DURATION_MINUTES = 5L
+private const val CACHE_SIZE_BYTES = 1024L * 1024 * 1024
+
+private class RemoteRequest(val cancellationSignal: CancellationSignal)
+
+class RemoteImagesImpl(context: Context) : RemoteImageApi {
+  private val requestMap = ConcurrentHashMap<Long, RemoteRequest>()
+
+  init {
+    ImageFetcherManager.initialize(context)
+  }
+
+  companion object {
+    val CANCELLED = Result.success<Map<String, Long>?>(null)
+  }
+
+  override fun requestImage(
+    url: String,
+    headers: Map<String, String>,
+    requestId: Long,
+    callback: (Result<Map<String, Long>?>) -> Unit
+  ) {
+    val signal = CancellationSignal()
+    requestMap[requestId] = RemoteRequest(signal)
+
+    ImageFetcherManager.fetch(
+      url,
+      headers,
+      signal,
+      onSuccess = { buffer ->
+        requestMap.remove(requestId)
+        if (signal.isCanceled) {
+          NativeBuffer.free(buffer.pointer)
+          return@fetch callback(CANCELLED)
+        }
+
+        callback(
+          Result.success(
+            mapOf(
+              "pointer" to buffer.pointer,
+              "length" to buffer.offset.toLong()
+            )
+          )
+        )
+      },
+      onFailure = { e ->
+        requestMap.remove(requestId)
+        val result = if (signal.isCanceled) CANCELLED else Result.failure(e)
+        callback(result)
+      }
+    )
+  }
+
+  override fun cancelRequest(requestId: Long) {
+    requestMap.remove(requestId)?.cancellationSignal?.cancel()
+  }
+}
+
+private object ImageFetcherManager {
+  private lateinit var appContext: Context
+  private lateinit var cacheDir: File
+  private lateinit var fetcher: ImageFetcher
+  private var initialized = false
+
+  fun initialize(context: Context) {
+    if (initialized) return
+    synchronized(this) {
+      if (initialized) return
+      appContext = context.applicationContext
+      cacheDir = context.cacheDir
+      fetcher = build()
+      SSLConfig.addListener(::invalidate)
+      initialized = true
+    }
+  }
+
+  fun fetch(
+    url: String,
+    headers: Map<String, String>,
+    signal: CancellationSignal,
+    onSuccess: (NativeByteBuffer) -> Unit,
+    onFailure: (Exception) -> Unit,
+  ) {
+    fetcher.fetch(url, headers, signal, onSuccess, onFailure)
+  }
+
+  private fun invalidate() {
+    synchronized(this) {
+      val oldFetcher = fetcher
+      if (oldFetcher is OkHttpImageFetcher && SSLConfig.requiresCustomSSL) {
+        fetcher = oldFetcher.reconfigure(SSLConfig.sslSocketFactory, SSLConfig.trustManager)
+        return
+      }
+      fetcher = build()
+      oldFetcher.drain()
+    }
+  }
+
+  private fun build(): ImageFetcher {
+    return if (SSLConfig.requiresCustomSSL) {
+      OkHttpImageFetcher.create(cacheDir, SSLConfig.sslSocketFactory, SSLConfig.trustManager)
+    } else {
+      CronetImageFetcher(appContext, cacheDir)
+    }
+  }
+}
+
+private sealed interface ImageFetcher {
+  fun fetch(
+    url: String,
+    headers: Map<String, String>,
+    signal: CancellationSignal,
+    onSuccess: (NativeByteBuffer) -> Unit,
+    onFailure: (Exception) -> Unit,
+  )
+
+  fun drain()
+}
+
+private class CronetImageFetcher(context: Context, cacheDir: File) : ImageFetcher {
+  private val engine: CronetEngine
+  private val executor = Executors.newFixedThreadPool(4)
+  private val stateLock = Any()
+  private var activeCount = 0
+  private var draining = false
+
+  init {
+    val storageDir = File(cacheDir, "cronet").apply { mkdirs() }
+    engine = CronetEngine.Builder(context)
+      .enableHttp2(true)
+      .enableQuic(true)
+      .enableBrotli(true)
+      .setStoragePath(storageDir.absolutePath)
+      .setUserAgent(USER_AGENT)
+      .enableHttpCache(CronetEngine.Builder.HTTP_CACHE_DISK, CACHE_SIZE_BYTES)
+      .build()
+  }
+
+  override fun fetch(
+    url: String,
+    headers: Map<String, String>,
+    signal: CancellationSignal,
+    onSuccess: (NativeByteBuffer) -> Unit,
+    onFailure: (Exception) -> Unit,
+  ) {
+    synchronized(stateLock) {
+      if (draining) {
+        onFailure(IllegalStateException("Engine is draining"))
+        return
+      }
+      activeCount++
+    }
+
+    val callback = FetchCallback(onSuccess, onFailure, ::onComplete)
+    val requestBuilder = engine.newUrlRequestBuilder(url, callback, executor)
+    headers.forEach { (key, value) -> requestBuilder.addHeader(key, value) }
+    val request = requestBuilder.build()
+    signal.setOnCancelListener(request::cancel)
+    request.start()
+  }
+
+  private fun onComplete() {
+    val shouldShutdown = synchronized(stateLock) {
+      activeCount--
+      draining && activeCount == 0
+    }
+    if (shouldShutdown) {
+      engine.shutdown()
+      executor.shutdown()
+    }
+  }
+
+  override fun drain() {
+    val shouldShutdown = synchronized(stateLock) {
+      if (draining) return
+      draining = true
+      activeCount == 0
+    }
+    if (shouldShutdown) {
+      engine.shutdown()
+      executor.shutdown()
+    }
+  }
+
+  private class FetchCallback(
+    private val onSuccess: (NativeByteBuffer) -> Unit,
+    private val onFailure: (Exception) -> Unit,
+    private val onComplete: () -> Unit,
+  ) : UrlRequest.Callback() {
+    private var buffer: NativeByteBuffer? = null
+    private var wrapped: ByteBuffer? = null
+    private var httpError: IOException? = null
+
+    override fun onRedirectReceived(request: UrlRequest, info: UrlResponseInfo, newUrl: String) {
+      request.followRedirect()
+    }
+
+    override fun onResponseStarted(request: UrlRequest, info: UrlResponseInfo) {
+      if (info.httpStatusCode !in 200..299) {
+        httpError = IOException("HTTP ${info.httpStatusCode}: ${info.httpStatusText}")
+        return request.cancel()
+      }
+
+      val contentLength = info.allHeaders["content-length"]?.firstOrNull()?.toIntOrNull() ?: 0
+      if (contentLength > 0) {
+        buffer = NativeByteBuffer(contentLength + 1)
+        wrapped = NativeBuffer.wrap(buffer!!.pointer, contentLength + 1)
+        request.read(wrapped)
+      } else {
+        buffer = NativeByteBuffer(INITIAL_BUFFER_SIZE)
+        request.read(buffer!!.wrapRemaining())
+      }
+    }
+
+    override fun onReadCompleted(
+      request: UrlRequest,
+      info: UrlResponseInfo,
+      byteBuffer: ByteBuffer
+    ) {
+      val buf = if (wrapped == null) {
+        buffer!!.run {
+          advance(byteBuffer.position())
+          ensureHeadroom()
+          wrapRemaining()
+        }
+      } else {
+        wrapped
+      }
+      request.read(buf)
+    }
+
+    override fun onSucceeded(request: UrlRequest, info: UrlResponseInfo) {
+      wrapped?.let { buffer!!.advance(it.position()) }
+      onSuccess(buffer!!)
+      onComplete()
+    }
+
+    override fun onFailed(request: UrlRequest, info: UrlResponseInfo?, error: CronetException) {
+      buffer?.free()
+      onFailure(error)
+      onComplete()
+    }
+
+    override fun onCanceled(request: UrlRequest, info: UrlResponseInfo?) {
+      buffer?.free()
+      onFailure(httpError ?: OperationCanceledException())
+      onComplete()
+    }
+  }
+}
+
+private class OkHttpImageFetcher private constructor(
+  private val client: OkHttpClient,
+) : ImageFetcher {
+  private val stateLock = Any()
+  private var activeCount = 0
+  private var draining = false
+
+  companion object {
+    fun create(
+      cacheDir: File,
+      sslSocketFactory: SSLSocketFactory?,
+      trustManager: X509TrustManager?,
+    ): OkHttpImageFetcher {
+      val dir = File(cacheDir, "okhttp")
+      val connectionPool = ConnectionPool(
+        maxIdleConnections = KEEP_ALIVE_CONNECTIONS,
+        keepAliveDuration = KEEP_ALIVE_DURATION_MINUTES,
+        timeUnit = TimeUnit.MINUTES
+      )
+
+      val builder = OkHttpClient.Builder()
+        .addInterceptor { chain ->
+          chain.proceed(
+            chain.request().newBuilder()
+              .header("User-Agent", USER_AGENT)
+              .build()
+          )
+        }
+        .dispatcher(Dispatcher().apply { maxRequestsPerHost = MAX_REQUESTS_PER_HOST })
+        .connectionPool(connectionPool)
+        .cache(Cache(File(dir, "thumbnails"), CACHE_SIZE_BYTES))
+
+      if (sslSocketFactory != null && trustManager != null) {
+        builder.sslSocketFactory(sslSocketFactory, trustManager)
+      }
+
+      return OkHttpImageFetcher(builder.build())
+    }
+  }
+
+  fun reconfigure(
+    sslSocketFactory: SSLSocketFactory?,
+    trustManager: X509TrustManager?,
+  ): OkHttpImageFetcher {
+    val builder = client.newBuilder()
+    if (sslSocketFactory != null && trustManager != null) {
+      builder.sslSocketFactory(sslSocketFactory, trustManager)
+    }
+    // Evict idle connections using old SSL config
+    client.connectionPool.evictAll()
+    return OkHttpImageFetcher(builder.build())
+  }
+
+  private fun onComplete() {
+    val shouldClose = synchronized(stateLock) {
+      activeCount--
+      draining && activeCount == 0
+    }
+    if (shouldClose) {
+      client.cache?.close()
+    }
+  }
+
+  override fun fetch(
+    url: String,
+    headers: Map<String, String>,
+    signal: CancellationSignal,
+    onSuccess: (NativeByteBuffer) -> Unit,
+    onFailure: (Exception) -> Unit,
+  ) {
+    synchronized(stateLock) {
+      if (draining) {
+        return onFailure(IllegalStateException("Client is draining"))
+      }
+      activeCount++
+    }
+
+    val requestBuilder = Request.Builder().url(url)
+    headers.forEach { (key, value) -> requestBuilder.addHeader(key, value) }
+    val call = client.newCall(requestBuilder.build())
+    signal.setOnCancelListener(call::cancel)
+
+    call.enqueue(object : Callback {
+      override fun onFailure(call: Call, e: IOException) {
+        onFailure(e)
+        onComplete()
+      }
+
+      override fun onResponse(call: Call, response: Response) {
+        response.use {
+          if (!response.isSuccessful) {
+            return onFailure(IOException("HTTP ${response.code}: ${response.message}")).also { onComplete() }
+          }
+
+          val body = response.body
+            ?: return onFailure(IOException("Empty response body")).also { onComplete() }
+
+          if (call.isCanceled()) {
+            onFailure(OperationCanceledException())
+            return onComplete()
+          }
+
+          body.source().use { source ->
+            val length = body.contentLength().toInt()
+            val buffer = NativeByteBuffer(if (length > 0) length else INITIAL_BUFFER_SIZE)
+            try {
+              if (length > 0) {
+                val wrapped = NativeBuffer.wrap(buffer.pointer, length)
+                while (wrapped.hasRemaining()) {
+                  if (call.isCanceled()) throw OperationCanceledException()
+                  if (source.read(wrapped) == -1) throw EOFException()
+                }
+                buffer.advance(length)
+              } else {
+                while (true) {
+                  if (call.isCanceled()) throw OperationCanceledException()
+                  val bytesRead = source.read(buffer.wrapRemaining())
+                  if (bytesRead == -1) break
+                  buffer.advance(bytesRead)
+                  buffer.ensureHeadroom()
+                }
+              }
+              onSuccess(buffer)
+            } catch (e: Exception) {
+              buffer.free()
+              onFailure(e)
+            }
+          }
+        }
+      }
+    })
+  }
+
+  override fun drain() {
+    val shouldClose = synchronized(stateLock) {
+      if (draining) return
+      draining = true
+      activeCount == 0
+    }
+    client.connectionPool.evictAll()
+    if (shouldClose) {
+      client.cache?.close()
+    }
+  }
+}

mobile/android/app/src/main/kotlin/app/alextran/immich/images/ThumbHash.java

@@ -7,6 +7,8 @@ package app.alextran.immich.images;
 
 import java.nio.ByteBuffer;
 
+import app.alextran.immich.NativeBuffer;
+
 // modified to use native allocations
 public final class ThumbHash {
   /**
@@ -56,8 +58,8 @@ public final class ThumbHash {
     int w = Math.round(ratio > 1.0f ? 32.0f : 32.0f * ratio);
     int h = Math.round(ratio > 1.0f ? 32.0f / ratio : 32.0f);
     int size = w * h * 4;
-    long pointer = ThumbnailsImpl.allocateNative(size);
-    ByteBuffer rgba = ThumbnailsImpl.wrapAsBuffer(pointer, size);
+    long pointer = NativeBuffer.allocate(size);
+    ByteBuffer rgba = NativeBuffer.wrap(pointer, size);
     int cx_stop = Math.max(lx, hasAlpha ? 5 : 3);
     int cy_stop = Math.max(ly, hasAlpha ? 5 : 3);
     float[] fx = new float[cx_stop];

mobile/android/app/src/main/kotlin/app/alextran/immich/sync/Messages.g.kt

@@ -252,6 +252,40 @@ data class HashResult (
 
   override fun hashCode(): Int = toList().hashCode()
 }
+
+/** Generated class from Pigeon that represents data sent in messages. */
+data class CloudIdResult (
+  val assetId: String,
+  val error: String? = null,
+  val cloudId: String? = null
+)
+ {
+  companion object {
+    fun fromList(pigeonVar_list: List<Any?>): CloudIdResult {
+      val assetId = pigeonVar_list[0] as String
+      val error = pigeonVar_list[1] as String?
+      val cloudId = pigeonVar_list[2] as String?
+      return CloudIdResult(assetId, error, cloudId)
+    }
+  }
+  fun toList(): List<Any?> {
+    return listOf(
+      assetId,
+      error,
+      cloudId,
+    )
+  }
+  override fun equals(other: Any?): Boolean {
+    if (other !is CloudIdResult) {
+      return false
+    }
+    if (this === other) {
+      return true
+    }
+    return MessagesPigeonUtils.deepEquals(toList(), other.toList())  }
+
+  override fun hashCode(): Int = toList().hashCode()
+}
 private open class MessagesPigeonCodec : StandardMessageCodec() {
   override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
     return when (type) {
@@ -275,6 +309,11 @@ private open class MessagesPigeonCodec : StandardMessageCodec() {
           HashResult.fromList(it)
         }
       }
+      133.toByte() -> {
+        return (readValue(buffer) as? List<Any?>)?.let {
+          CloudIdResult.fromList(it)
+        }
+      }
       else -> super.readValueOfType(type, buffer)
     }
   }
@@ -296,6 +335,10 @@ private open class MessagesPigeonCodec : StandardMessageCodec() {
         stream.write(132)
         writeValue(stream, value.toList())
       }
+      is CloudIdResult -> {
+        stream.write(133)
+        writeValue(stream, value.toList())
+      }
       else -> super.writeValue(stream, value)
     }
   }
@@ -315,6 +358,7 @@ interface NativeSyncApi {
   fun hashAssets(assetIds: List<String>, allowNetworkAccess: Boolean, callback: (Result<List<HashResult>>) -> Unit)
   fun cancelHashing()
   fun getTrashedAssets(): Map<String, List<PlatformAsset>>
+  fun getCloudIdForAssetIds(assetIds: List<String>): List<CloudIdResult>
 
   companion object {
     /** The codec used by NativeSyncApi. */
@@ -508,6 +552,23 @@ interface NativeSyncApi {
           channel.setMessageHandler(null)
         }
       }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NativeSyncApi.getCloudIdForAssetIds$separatedMessageChannelSuffix", codec, taskQueue)
+        if (api != null) {
+          channel.setMessageHandler { message, reply ->
+            val args = message as List<Any?>
+            val assetIdsArg = args[0] as List<String>
+            val wrapped: List<Any?> = try {
+              listOf(api.getCloudIdForAssetIds(assetIdsArg))
+            } catch (exception: Throwable) {
+              MessagesPigeonUtils.wrapError(exception)
+            }
+            reply.reply(wrapped)
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
     }
   }
 }

mobile/android/app/src/main/kotlin/app/alextran/immich/sync/MessagesImplBase.kt

@@ -14,6 +14,7 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.Job
 import kotlinx.coroutines.async
 import kotlinx.coroutines.awaitAll
+import kotlinx.coroutines.currentCoroutineContext
 import kotlinx.coroutines.ensureActive
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.sync.Semaphore
@@ -21,7 +22,6 @@ import kotlinx.coroutines.sync.withPermit
 import java.io.File
 import java.security.MessageDigest
 import kotlin.coroutines.cancellation.CancellationException
-import kotlin.coroutines.coroutineContext
 
 sealed class AssetResult {
   data class ValidAsset(val asset: PlatformAsset, val albumId: String) : AssetResult()
@@ -298,7 +298,7 @@ open class NativeSyncApiImplBase(context: Context) : ImmichPlugin() {
         var bytesRead: Int
         val buffer = ByteArray(HASH_BUFFER_SIZE)
         while (inputStream.read(buffer).also { bytesRead = it } > 0) {
-          coroutineContext.ensureActive()
+          currentCoroutineContext().ensureActive()
           digest.update(buffer, 0, bytesRead)
         }
       } ?: return HashResult(assetId, "Cannot open input stream for asset", null)
@@ -316,4 +316,10 @@ open class NativeSyncApiImplBase(context: Context) : ImmichPlugin() {
     hashTask?.cancel()
     hashTask = null
   }
+
+  // This method is only implemented on iOS; on Android, we do not have a concept of cloud IDs
+  @Suppress("unused", "UNUSED_PARAMETER")
+  fun getCloudIdForAssetIds(assetIds: List<String>): List<CloudIdResult> {
+    return emptyList()
+  }
 }

mobile/ios/.gitignore

@@ -33,4 +33,5 @@ Runner/GeneratedPluginRegistrant.*
 !default.perspectivev3
 
 fastlane/report.xml
-Gemfile.lock
+Gemfile.lock
+certs/

mobile/ios/Podfile.lock

@@ -6,6 +6,9 @@ PODS:
     - FlutterMacOS
   - connectivity_plus (0.0.1):
     - Flutter
+  - cupertino_http (0.0.1):
+    - Flutter
+    - FlutterMacOS
   - device_info_plus (0.0.1):
     - Flutter
   - DKImagePickerController/Core (4.3.9):
@@ -136,6 +139,7 @@ DEPENDENCIES:
   - background_downloader (from `.symlinks/plugins/background_downloader/ios`)
   - bonsoir_darwin (from `.symlinks/plugins/bonsoir_darwin/darwin`)
   - connectivity_plus (from `.symlinks/plugins/connectivity_plus/ios`)
+  - cupertino_http (from `.symlinks/plugins/cupertino_http/darwin`)
   - device_info_plus (from `.symlinks/plugins/device_info_plus/ios`)
   - file_picker (from `.symlinks/plugins/file_picker/ios`)
   - Flutter (from `Flutter`)
@@ -184,6 +188,8 @@ EXTERNAL SOURCES:
     :path: ".symlinks/plugins/bonsoir_darwin/darwin"
   connectivity_plus:
     :path: ".symlinks/plugins/connectivity_plus/ios"
+  cupertino_http:
+    :path: ".symlinks/plugins/cupertino_http/darwin"
   device_info_plus:
     :path: ".symlinks/plugins/device_info_plus/ios"
   file_picker:
@@ -249,6 +255,7 @@ SPEC CHECKSUMS:
   background_downloader: 50e91d979067b82081aba359d7d916b3ba5fadad
   bonsoir_darwin: 29c7ccf356646118844721f36e1de4b61f6cbd0e
   connectivity_plus: cb623214f4e1f6ef8fe7403d580fdad517d2f7dd
+  cupertino_http: 94ac07f5ff090b8effa6c5e2c47871d48ab7c86c
   device_info_plus: 21fcca2080fbcd348be798aa36c3e5ed849eefbe
   DKImagePickerController: 946cec48c7873164274ecc4624d19e3da4c1ef3c
   DKPhotoGallery: b3834fecb755ee09a593d7c9e389d8b5d6deed60

mobile/ios/Runner.xcodeproj/project.pbxproj

@@ -3,7 +3,7 @@
 	archiveVersion = 1;
 	classes = {
 	};
-	objectVersion = 54;
+	objectVersion = 77;
 	objects = {
 
 /* Begin PBXBuildFile section */
@@ -29,9 +29,11 @@
 		FAC6F89B2D287C890078CB2F /* ShareExtension.appex in Embed Foundation Extensions */ = {isa = PBXBuildFile; fileRef = FAC6F8902D287C890078CB2F /* ShareExtension.appex */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
 		FAC6F8B72D287F120078CB2F /* ShareViewController.swift in Sources */ = {isa = PBXBuildFile; fileRef = FAC6F8B52D287F120078CB2F /* ShareViewController.swift */; };
 		FAC6F8B92D287F120078CB2F /* MainInterface.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = FAC6F8B32D287F120078CB2F /* MainInterface.storyboard */; };
+		FE5499F32F1197D8006016CB /* LocalImages.g.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F12F1197D8006016CB /* LocalImages.g.swift */; };
+		FE5499F42F1197D8006016CB /* RemoteImages.g.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F22F1197D8006016CB /* RemoteImages.g.swift */; };
+		FE5499F62F11980E006016CB /* LocalImagesImpl.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F52F11980E006016CB /* LocalImagesImpl.swift */; };
+		FE5499F82F1198E2006016CB /* RemoteImagesImpl.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F72F1198DE006016CB /* RemoteImagesImpl.swift */; };
 		FEAFA8732E4D42F4001E47FE /* Thumbhash.swift in Sources */ = {isa = PBXBuildFile; fileRef = FEAFA8722E4D42F4001E47FE /* Thumbhash.swift */; };
-		FED3B1962E253E9B0030FD97 /* ThumbnailsImpl.swift in Sources */ = {isa = PBXBuildFile; fileRef = FED3B1942E253E9B0030FD97 /* ThumbnailsImpl.swift */; };
-		FED3B1972E253E9B0030FD97 /* Thumbnails.g.swift in Sources */ = {isa = PBXBuildFile; fileRef = FED3B1932E253E9B0030FD97 /* Thumbnails.g.swift */; };
 		FEE084F82EC172460045228E /* SQLiteData in Frameworks */ = {isa = PBXBuildFile; productRef = FEE084F72EC172460045228E /* SQLiteData */; };
 		FEE084FB2EC1725A0045228E /* RawStructuredFieldValues in Frameworks */ = {isa = PBXBuildFile; productRef = FEE084FA2EC1725A0045228E /* RawStructuredFieldValues */; };
 		FEE084FD2EC1725A0045228E /* StructuredFieldValues in Frameworks */ = {isa = PBXBuildFile; productRef = FEE084FC2EC1725A0045228E /* StructuredFieldValues */; };
@@ -118,9 +120,11 @@
 		FAC6F8B42D287F120078CB2F /* ShareExtension.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = ShareExtension.entitlements; sourceTree = "<group>"; };
 		FAC6F8B52D287F120078CB2F /* ShareViewController.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ShareViewController.swift; sourceTree = "<group>"; };
 		FAC7416727DB9F5500C668D8 /* RunnerProfile.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = RunnerProfile.entitlements; sourceTree = "<group>"; };
+		FE5499F12F1197D8006016CB /* LocalImages.g.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LocalImages.g.swift; sourceTree = "<group>"; };
+		FE5499F22F1197D8006016CB /* RemoteImages.g.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RemoteImages.g.swift; sourceTree = "<group>"; };
+		FE5499F52F11980E006016CB /* LocalImagesImpl.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LocalImagesImpl.swift; sourceTree = "<group>"; };
+		FE5499F72F1198DE006016CB /* RemoteImagesImpl.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RemoteImagesImpl.swift; sourceTree = "<group>"; };
 		FEAFA8722E4D42F4001E47FE /* Thumbhash.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Thumbhash.swift; sourceTree = "<group>"; };
-		FED3B1932E253E9B0030FD97 /* Thumbnails.g.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Thumbnails.g.swift; sourceTree = "<group>"; };
-		FED3B1942E253E9B0030FD97 /* ThumbnailsImpl.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ThumbnailsImpl.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFileSystemSynchronizedBuildFileExceptionSet section */
@@ -136,15 +140,11 @@
 /* Begin PBXFileSystemSynchronizedRootGroup section */
 		B231F52D2E93A44A00BC45D1 /* Core */ = {
 			isa = PBXFileSystemSynchronizedRootGroup;
-			exceptions = (
-			);
 			path = Core;
 			sourceTree = "<group>";
 		};
 		B2CF7F8C2DDE4EBB00744BF6 /* Sync */ = {
 			isa = PBXFileSystemSynchronizedRootGroup;
-			exceptions = (
-			);
 			path = Sync;
 			sourceTree = "<group>";
 		};
@@ -158,8 +158,6 @@
 		};
 		FEE084F22EC172080045228E /* Schemas */ = {
 			isa = PBXFileSystemSynchronizedRootGroup;
-			exceptions = (
-			);
 			path = Schemas;
 			sourceTree = "<group>";
 		};
@@ -321,9 +319,11 @@
 		FED3B1952E253E9B0030FD97 /* Images */ = {
 			isa = PBXGroup;
 			children = (
+				FE5499F72F1198DE006016CB /* RemoteImagesImpl.swift */,
+				FE5499F52F11980E006016CB /* LocalImagesImpl.swift */,
+				FE5499F12F1197D8006016CB /* LocalImages.g.swift */,
+				FE5499F22F1197D8006016CB /* RemoteImages.g.swift */,
 				FEAFA8722E4D42F4001E47FE /* Thumbhash.swift */,
-				FED3B1932E253E9B0030FD97 /* Thumbnails.g.swift */,
-				FED3B1942E253E9B0030FD97 /* ThumbnailsImpl.swift */,
 			);
 			path = Images;
 			sourceTree = "<group>";
@@ -549,10 +549,14 @@
 			inputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-resources-${CONFIGURATION}-input-files.xcfilelist",
 			);
+			inputPaths = (
+			);
 			name = "[CP] Copy Pods Resources";
 			outputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-resources-${CONFIGURATION}-output-files.xcfilelist",
 			);
+			outputPaths = (
+			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
 			shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-resources.sh\"\n";
@@ -581,10 +585,14 @@
 			inputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks-${CONFIGURATION}-input-files.xcfilelist",
 			);
+			inputPaths = (
+			);
 			name = "[CP] Embed Pods Frameworks";
 			outputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks-${CONFIGURATION}-output-files.xcfilelist",
 			);
+			outputPaths = (
+			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
 			shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks.sh\"\n";
@@ -600,12 +608,14 @@
 				65F32F31299BD2F800CE9261 /* BackgroundServicePlugin.swift in Sources */,
 				74858FAF1ED2DC5600515810 /* AppDelegate.swift in Sources */,
 				B21E34AC2E5B09190031FDB9 /* BackgroundWorker.swift in Sources */,
+				FE5499F32F1197D8006016CB /* LocalImages.g.swift in Sources */,
+				FE5499F62F11980E006016CB /* LocalImagesImpl.swift in Sources */,
+				FE5499F42F1197D8006016CB /* RemoteImages.g.swift in Sources */,
 				B25D377A2E72CA15008B6CA7 /* Connectivity.g.swift in Sources */,
+				FE5499F82F1198E2006016CB /* RemoteImagesImpl.swift in Sources */,
 				FEAFA8732E4D42F4001E47FE /* Thumbhash.swift in Sources */,
 				B25D377C2E72CA26008B6CA7 /* ConnectivityApiImpl.swift in Sources */,
-				FED3B1962E253E9B0030FD97 /* ThumbnailsImpl.swift in Sources */,
 				B21E34AA2E5AFD2B0031FDB9 /* BackgroundWorkerApiImpl.swift in Sources */,
-				FED3B1972E253E9B0030FD97 /* Thumbnails.g.swift in Sources */,
 				1498D2341E8E89220040F4C2 /* GeneratedPluginRegistrant.m in Sources */,
 				B2BE315F2E5E5229006EEF88 /* BackgroundWorker.g.swift in Sources */,
 				65F32F33299D349D00CE9261 /* BackgroundSyncWorker.swift in Sources */,

mobile/ios/Runner/AppDelegate.swift

@@ -53,8 +53,10 @@ import UIKit
   
   public static func registerPlugins(with engine: FlutterEngine) {
     NativeSyncApiImpl.register(with: engine.registrar(forPlugin: NativeSyncApiImpl.name)!)
-    ThumbnailApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: ThumbnailApiImpl())
+    LocalImageApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: LocalImageApiImpl())
+    RemoteImageApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: RemoteImageApiImpl())
     BackgroundWorkerFgHostApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: BackgroundWorkerApiImpl())
+    ConnectivityApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: ConnectivityApiImpl())
   }
   
   public static func cancelPlugins(with engine: FlutterEngine) {

mobile/ios/Runner/Connectivity/ConnectivityApiImpl.swift

@@ -1,6 +1,60 @@
+import Network
 
 class ConnectivityApiImpl: ConnectivityApi {
+  private let monitor = NWPathMonitor()
+  private let queue = DispatchQueue(label: "ConnectivityMonitor")
+  private var currentPath: NWPath?
+  
+  init() {
+    monitor.pathUpdateHandler = { [weak self] path in
+      self?.currentPath = path
+    }
+    monitor.start(queue: queue)
+    // Get initial state synchronously
+    currentPath = monitor.currentPath
+  }
+  
+  deinit {
+    monitor.cancel()
+  }
+  
   func getCapabilities() throws -> [NetworkCapability] {
-    []
+    guard let path = currentPath else {
+      return []
+    }
+    
+    guard path.status == .satisfied else {
+      return []
+    }
+    
+    var capabilities: [NetworkCapability] = []
+    
+    if path.usesInterfaceType(.wifi) {
+      capabilities.append(.wifi)
+    }
+    
+    if path.usesInterfaceType(.cellular) {
+      capabilities.append(.cellular)
+    }
+    
+    // Check for VPN - iOS reports VPN as .other interface type in many cases
+    // or through the path's expensive property when on cellular with VPN
+    if path.usesInterfaceType(.other) {
+      capabilities.append(.vpn)
+    }
+    
+    // Determine if connection is unmetered:
+    // - Must be on WiFi (not cellular)
+    // - Must not be expensive (rules out personal hotspot)
+    // - Must not be constrained (Low Data Mode)
+    // Note: VPN over cellular should still be considered metered
+    let isOnCellular = path.usesInterfaceType(.cellular)
+    let isOnWifi = path.usesInterfaceType(.wifi)
+    
+    if isOnWifi && !isOnCellular && !path.isExpensive && !path.isConstrained {
+      capabilities.append(.unmetered)
+    }
+    
+    return capabilities
   }
 }

mobile/ios/Runner/Images/LocalImages.g.swift

@@ -47,41 +47,41 @@ private func nilOrValue<T>(_ value: Any?) -> T? {
 }
 
 
-private class ThumbnailsPigeonCodecReader: FlutterStandardReader {
+private class LocalImagesPigeonCodecReader: FlutterStandardReader {
 }
 
-private class ThumbnailsPigeonCodecWriter: FlutterStandardWriter {
+private class LocalImagesPigeonCodecWriter: FlutterStandardWriter {
 }
 
-private class ThumbnailsPigeonCodecReaderWriter: FlutterStandardReaderWriter {
+private class LocalImagesPigeonCodecReaderWriter: FlutterStandardReaderWriter {
   override func reader(with data: Data) -> FlutterStandardReader {
-    return ThumbnailsPigeonCodecReader(data: data)
+    return LocalImagesPigeonCodecReader(data: data)
   }
 
   override func writer(with data: NSMutableData) -> FlutterStandardWriter {
-    return ThumbnailsPigeonCodecWriter(data: data)
+    return LocalImagesPigeonCodecWriter(data: data)
   }
 }
 
-class ThumbnailsPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
-  static let shared = ThumbnailsPigeonCodec(readerWriter: ThumbnailsPigeonCodecReaderWriter())
+class LocalImagesPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
+  static let shared = LocalImagesPigeonCodec(readerWriter: LocalImagesPigeonCodecReaderWriter())
 }
 
 
 /// Generated protocol from Pigeon that represents a handler of messages from Flutter.
-protocol ThumbnailApi {
-  func requestImage(assetId: String, requestId: Int64, width: Int64, height: Int64, isVideo: Bool, completion: @escaping (Result<[String: Int64], Error>) -> Void)
-  func cancelImageRequest(requestId: Int64) throws
+protocol LocalImageApi {
+  func requestImage(assetId: String, requestId: Int64, width: Int64, height: Int64, isVideo: Bool, completion: @escaping (Result<[String: Int64]?, Error>) -> Void)
+  func cancelRequest(requestId: Int64) throws
   func getThumbhash(thumbhash: String, completion: @escaping (Result<[String: Int64], Error>) -> Void)
 }
 
 /// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
-class ThumbnailApiSetup {
-  static var codec: FlutterStandardMessageCodec { ThumbnailsPigeonCodec.shared }
-  /// Sets up an instance of `ThumbnailApi` to handle messages through the `binaryMessenger`.
-  static func setUp(binaryMessenger: FlutterBinaryMessenger, api: ThumbnailApi?, messageChannelSuffix: String = "") {
+class LocalImageApiSetup {
+  static var codec: FlutterStandardMessageCodec { LocalImagesPigeonCodec.shared }
+  /// Sets up an instance of `LocalImageApi` to handle messages through the `binaryMessenger`.
+  static func setUp(binaryMessenger: FlutterBinaryMessenger, api: LocalImageApi?, messageChannelSuffix: String = "") {
     let channelSuffix = messageChannelSuffix.count > 0 ? ".\(messageChannelSuffix)" : ""
-    let requestImageChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.ThumbnailApi.requestImage\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    let requestImageChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.LocalImageApi.requestImage\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
     if let api = api {
       requestImageChannel.setMessageHandler { message, reply in
         let args = message as! [Any?]
@@ -102,22 +102,22 @@ class ThumbnailApiSetup {
     } else {
       requestImageChannel.setMessageHandler(nil)
     }
-    let cancelImageRequestChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.ThumbnailApi.cancelImageRequest\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    let cancelRequestChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.LocalImageApi.cancelRequest\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
     if let api = api {
-      cancelImageRequestChannel.setMessageHandler { message, reply in
+      cancelRequestChannel.setMessageHandler { message, reply in
         let args = message as! [Any?]
         let requestIdArg = args[0] as! Int64
         do {
-          try api.cancelImageRequest(requestId: requestIdArg)
+          try api.cancelRequest(requestId: requestIdArg)
           reply(wrapResult(nil))
         } catch {
           reply(wrapError(error))
         }
       }
     } else {
-      cancelImageRequestChannel.setMessageHandler(nil)
+      cancelRequestChannel.setMessageHandler(nil)
     }
-    let getThumbhashChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.ThumbnailApi.getThumbhash\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    let getThumbhashChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.LocalImageApi.getThumbhash\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
     if let api = api {
       getThumbhashChannel.setMessageHandler { message, reply in
         let args = message as! [Any?]

mobile/ios/Runner/Images/LocalImagesImpl.swift

@@ -1,19 +1,19 @@
-import CryptoKit
+import Accelerate
 import Flutter
 import MobileCoreServices
 import Photos
 
-class Request {
+class LocalImageRequest {
   weak var workItem: DispatchWorkItem?
   var isCancelled = false
-  let callback: (Result<[String: Int64], any Error>) -> Void
+  let callback: (Result<[String: Int64]?, any Error>) -> Void
   
-  init(callback: @escaping (Result<[String: Int64], any Error>) -> Void) {
+  init(callback: @escaping (Result<[String: Int64]?, any Error>) -> Void) {
     self.callback = callback
   }
 }
 
-class ThumbnailApiImpl: ThumbnailApi {
+class LocalImageApiImpl: LocalImageApi {
   private static let imageManager = PHImageManager.default()
   private static let fetchOptions = {
     let fetchOptions = PHFetchOptions()
@@ -36,47 +36,39 @@ class ThumbnailApiImpl: ThumbnailApi {
   private static let cancelQueue = DispatchQueue(label: "thumbnail.cancellation", qos: .default)
   private static let processingQueue = DispatchQueue(label: "thumbnail.processing", qos: .userInteractive, attributes: .concurrent)
   
-  private static let rgbColorSpace = CGColorSpaceCreateDeviceRGB()
-  private static let bitmapInfo = CGBitmapInfo(rawValue: CGImageAlphaInfo.premultipliedLast.rawValue).rawValue
-  private static var requests = [Int64: Request]()
-  private static let cancelledResult = Result<[String: Int64], any Error>.success([:])
+  private static var rgbaFormat = vImage_CGImageFormat(
+    bitsPerComponent: 8,
+    bitsPerPixel: 32,
+    colorSpace: CGColorSpaceCreateDeviceRGB(),
+    bitmapInfo: CGBitmapInfo(rawValue: CGImageAlphaInfo.premultipliedLast.rawValue),
+    renderingIntent: .defaultIntent
+  )!
+  private static var requests = [Int64: LocalImageRequest]()
+  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
   private static let concurrencySemaphore = DispatchSemaphore(value: ProcessInfo.processInfo.activeProcessorCount * 2)
   private static let assetCache = {
     let assetCache = NSCache<NSString, PHAsset>()
     assetCache.countLimit = 10000
     return assetCache
   }()
-  private static let activitySemaphore = DispatchSemaphore(value: 1)
-  private static let willResignActiveObserver = NotificationCenter.default.addObserver(
-    forName: UIApplication.willResignActiveNotification,
-    object: nil,
-    queue: .main
-  ) { _ in
-    processingQueue.suspend()
-    activitySemaphore.wait()
-  }
-  private static let didBecomeActiveObserver = NotificationCenter.default.addObserver(
-    forName: UIApplication.didBecomeActiveNotification,
-    object: nil,
-    queue: .main
-  ) { _ in
-    processingQueue.resume()
-    activitySemaphore.signal()
-  }
   
   func getThumbhash(thumbhash: String, completion: @escaping (Result<[String : Int64], any Error>) -> Void) {
     Self.processingQueue.async {
       guard let data = Data(base64Encoded: thumbhash)
       else { return completion(.failure(PigeonError(code: "", message: "Invalid base64 string: \(thumbhash)", details: nil)))}
-
+      
       let (width, height, pointer) = thumbHashToRGBA(hash: data)
-      self.waitForActiveState()
-      completion(.success(["pointer": Int64(Int(bitPattern: pointer.baseAddress)), "width": Int64(width), "height": Int64(height)]))
+      completion(.success([
+        "pointer": Int64(Int(bitPattern: pointer.baseAddress)),
+        "width": Int64(width),
+        "height": Int64(height),
+        "rowBytes": Int64(width * 4)
+      ]))
     }
   }
   
-  func requestImage(assetId: String, requestId: Int64, width: Int64, height: Int64, isVideo: Bool, completion: @escaping (Result<[String: Int64], any Error>) -> Void) {
-    let request = Request(callback: completion)
+  func requestImage(assetId: String, requestId: Int64, width: Int64, height: Int64, isVideo: Bool, completion: @escaping (Result<[String: Int64]?, any Error>) -> Void) {
+    let request = LocalImageRequest(callback: completion)
     let item = DispatchWorkItem {
       if request.isCancelled {
         return completion(Self.cancelledResult)
@@ -93,7 +85,7 @@ class ThumbnailApiImpl: ThumbnailApi {
       
       guard let asset = Self.requestAsset(assetId: assetId)
       else {
-        Self.removeRequest(requestId: requestId)
+        Self.remove(requestId: requestId)
         completion(.failure(PigeonError(code: "", message: "Could not get asset data for \(assetId)", details: nil)))
         return
       }
@@ -119,70 +111,54 @@ class ThumbnailApiImpl: ThumbnailApi {
       
       guard let image = image,
             let cgImage = image.cgImage else {
-        Self.removeRequest(requestId: requestId)
+        Self.remove(requestId: requestId)
         return completion(.failure(PigeonError(code: "", message: "Could not get pixel data for \(assetId)", details: nil)))
       }
       
-      let pointer = UnsafeMutableRawPointer.allocate(
-        byteCount: Int(cgImage.width) * Int(cgImage.height) * 4,
-        alignment: MemoryLayout<UInt8>.alignment
-      )
-      
       if request.isCancelled {
-        pointer.deallocate()
         return completion(Self.cancelledResult)
       }
       
-      guard let context = CGContext(
-        data: pointer,
-        width: cgImage.width,
-        height: cgImage.height,
-        bitsPerComponent: 8,
-        bytesPerRow: cgImage.width * 4,
-        space: Self.rgbColorSpace,
-        bitmapInfo: Self.bitmapInfo
-      ) else {
-        pointer.deallocate()
-        Self.removeRequest(requestId: requestId)
-        return completion(.failure(PigeonError(code: "", message: "Could not create context for \(assetId)", details: nil)))
+      do {
+        let buffer = try vImage_Buffer(cgImage: cgImage, format: Self.rgbaFormat)
+        
+        if request.isCancelled {
+          buffer.free()
+          return completion(Self.cancelledResult)
+        }
+        
+        request.callback(.success([
+          "pointer": Int64(Int(bitPattern: buffer.data)),
+          "width": Int64(buffer.width),
+          "height": Int64(buffer.height),
+          "rowBytes": Int64(buffer.rowBytes)
+        ]))
+        print("Successful response for \(requestId)")
+        Self.remove(requestId: requestId)
+      } catch {
+        Self.remove(requestId: requestId)
+        return completion(.failure(PigeonError(code: "", message: "Failed to convert image for \(assetId): \(error)", details: nil)))
       }
-      
-      if request.isCancelled {
-        pointer.deallocate()
-        return completion(Self.cancelledResult)
-      }
-      
-      context.interpolationQuality = .none
-      context.draw(cgImage, in: CGRect(x: 0, y: 0, width: cgImage.width, height: cgImage.height))
-      
-      if request.isCancelled {
-        pointer.deallocate()
-        return completion(Self.cancelledResult)
-      }
-      
-      self.waitForActiveState()
-      completion(.success(["pointer": Int64(Int(bitPattern: pointer)), "width": Int64(cgImage.width), "height": Int64(cgImage.height)]))
-      Self.removeRequest(requestId: requestId)
     }
     
     request.workItem = item
-    Self.addRequest(requestId: requestId, request: request)
+    Self.add(requestId: requestId, request: request)
     Self.processingQueue.async(execute: item)
   }
   
-  func cancelImageRequest(requestId: Int64) {
-    Self.cancelRequest(requestId: requestId)
+  func cancelRequest(requestId: Int64) {
+    Self.cancel(requestId: requestId)
   }
   
-  private static func addRequest(requestId: Int64, request: Request) -> Void {
+  private static func add(requestId: Int64, request: LocalImageRequest) -> Void {
     requestQueue.sync { requests[requestId] = request }
   }
   
-  private static func removeRequest(requestId: Int64) -> Void {
+  private static func remove(requestId: Int64) -> Void {
     requestQueue.sync { requests[requestId] = nil }
   }
   
-  private static func cancelRequest(requestId: Int64) -> Void {
+  private static func cancel(requestId: Int64) -> Void {
     requestQueue.async {
       guard let request = requests.removeValue(forKey: requestId) else { return }
       request.isCancelled = true
@@ -203,9 +179,4 @@ class ThumbnailApiImpl: ThumbnailApi {
     assetQueue.async { assetCache.setObject(asset, forKey: assetId as NSString) }
     return asset
   }
-  
-  func waitForActiveState() {
-    Self.activitySemaphore.wait()
-    Self.activitySemaphore.signal()
-  }
 }

mobile/ios/Runner/Images/RemoteImages.g.swift

@@ -0,0 +1,118 @@
+// Autogenerated from Pigeon (v26.0.2), do not edit directly.
+// See also: https://pub.dev/packages/pigeon
+
+import Foundation
+
+#if os(iOS)
+  import Flutter
+#elseif os(macOS)
+  import FlutterMacOS
+#else
+  #error("Unsupported platform.")
+#endif
+
+private func wrapResult(_ result: Any?) -> [Any?] {
+  return [result]
+}
+
+private func wrapError(_ error: Any) -> [Any?] {
+  if let pigeonError = error as? PigeonError {
+    return [
+      pigeonError.code,
+      pigeonError.message,
+      pigeonError.details,
+    ]
+  }
+  if let flutterError = error as? FlutterError {
+    return [
+      flutterError.code,
+      flutterError.message,
+      flutterError.details,
+    ]
+  }
+  return [
+    "\(error)",
+    "\(type(of: error))",
+    "Stacktrace: \(Thread.callStackSymbols)",
+  ]
+}
+
+private func isNullish(_ value: Any?) -> Bool {
+  return value is NSNull || value == nil
+}
+
+private func nilOrValue<T>(_ value: Any?) -> T? {
+  if value is NSNull { return nil }
+  return value as! T?
+}
+
+
+private class RemoteImagesPigeonCodecReader: FlutterStandardReader {
+}
+
+private class RemoteImagesPigeonCodecWriter: FlutterStandardWriter {
+}
+
+private class RemoteImagesPigeonCodecReaderWriter: FlutterStandardReaderWriter {
+  override func reader(with data: Data) -> FlutterStandardReader {
+    return RemoteImagesPigeonCodecReader(data: data)
+  }
+
+  override func writer(with data: NSMutableData) -> FlutterStandardWriter {
+    return RemoteImagesPigeonCodecWriter(data: data)
+  }
+}
+
+class RemoteImagesPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
+  static let shared = RemoteImagesPigeonCodec(readerWriter: RemoteImagesPigeonCodecReaderWriter())
+}
+
+
+/// Generated protocol from Pigeon that represents a handler of messages from Flutter.
+protocol RemoteImageApi {
+  func requestImage(url: String, headers: [String: String], requestId: Int64, completion: @escaping (Result<[String: Int64]?, Error>) -> Void)
+  func cancelRequest(requestId: Int64) throws
+}
+
+/// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
+class RemoteImageApiSetup {
+  static var codec: FlutterStandardMessageCodec { RemoteImagesPigeonCodec.shared }
+  /// Sets up an instance of `RemoteImageApi` to handle messages through the `binaryMessenger`.
+  static func setUp(binaryMessenger: FlutterBinaryMessenger, api: RemoteImageApi?, messageChannelSuffix: String = "") {
+    let channelSuffix = messageChannelSuffix.count > 0 ? ".\(messageChannelSuffix)" : ""
+    let requestImageChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.RemoteImageApi.requestImage\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      requestImageChannel.setMessageHandler { message, reply in
+        let args = message as! [Any?]
+        let urlArg = args[0] as! String
+        let headersArg = args[1] as! [String: String]
+        let requestIdArg = args[2] as! Int64
+        api.requestImage(url: urlArg, headers: headersArg, requestId: requestIdArg) { result in
+          switch result {
+          case .success(let res):
+            reply(wrapResult(res))
+          case .failure(let error):
+            reply(wrapError(error))
+          }
+        }
+      }
+    } else {
+      requestImageChannel.setMessageHandler(nil)
+    }
+    let cancelRequestChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.RemoteImageApi.cancelRequest\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      cancelRequestChannel.setMessageHandler { message, reply in
+        let args = message as! [Any?]
+        let requestIdArg = args[0] as! Int64
+        do {
+          try api.cancelRequest(requestId: requestIdArg)
+          reply(wrapResult(nil))
+        } catch {
+          reply(wrapError(error))
+        }
+      }
+    } else {
+      cancelRequestChannel.setMessageHandler(nil)
+    }
+  }
+}

mobile/ios/Runner/Images/RemoteImagesImpl.swift

@@ -0,0 +1,171 @@
+import Accelerate
+import Flutter
+import MobileCoreServices
+import Photos
+
+class RemoteImageRequest {
+  weak var task: URLSessionDataTask?
+  let id: Int64
+  var isCancelled = false
+  var data: CFMutableData?
+  let completion: (Result<[String: Int64]?, any Error>) -> Void
+  
+  init(id: Int64, task: URLSessionDataTask, completion: @escaping (Result<[String: Int64]?, any Error>) -> Void) {
+    self.id = id
+    self.task = task
+    self.data = nil
+    self.completion = completion
+  }
+}
+
+class RemoteImageApiImpl: NSObject, RemoteImageApi {
+  private static let delegate = RemoteImageApiDelegate()
+  static let session = {
+    let config = URLSessionConfiguration.default
+    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
+    config.httpAdditionalHeaders = ["User-Agent": "Immich_iOS_\(version)"]
+    let thumbnailPath = FileManager.default.temporaryDirectory.appendingPathComponent("thumbnails", isDirectory: true)
+    try! FileManager.default.createDirectory(at: thumbnailPath, withIntermediateDirectories: true)
+    config.urlCache = URLCache(
+      memoryCapacity: 0,
+      diskCapacity: 1 << 30,
+      directory: thumbnailPath
+    )
+    config.httpMaximumConnectionsPerHost = 16
+    return URLSession(configuration: config, delegate: delegate, delegateQueue: nil)
+  }()
+  
+  func requestImage(url: String, headers: [String : String], requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
+    var urlRequest = URLRequest(url: URL(string: url)!)
+    for (key, value) in headers {
+      urlRequest.setValue(value, forHTTPHeaderField: key)
+    }
+    let task = Self.session.dataTask(with: urlRequest)
+    
+    let imageRequest = RemoteImageRequest(id: requestId, task: task, completion: completion)
+    Self.delegate.add(taskId: task.taskIdentifier, request: imageRequest)
+    
+    task.resume()
+  }
+  
+  func cancelRequest(requestId: Int64) {
+    Self.delegate.cancel(requestId: requestId)
+  }
+}
+
+class RemoteImageApiDelegate: NSObject, URLSessionDataDelegate {
+  private static let requestQueue = DispatchQueue(label: "thumbnail.requests", qos: .userInitiated, attributes: .concurrent)
+  private static var rgbaFormat = vImage_CGImageFormat(
+    bitsPerComponent: 8,
+    bitsPerPixel: 32,
+    colorSpace: CGColorSpaceCreateDeviceRGB(),
+    bitmapInfo: CGBitmapInfo(rawValue: CGImageAlphaInfo.premultipliedLast.rawValue),
+    renderingIntent: .perceptual
+  )!
+  private static var requestByTaskId = [Int: RemoteImageRequest]()
+  private static var taskIdByRequestId = [Int64: Int]()
+  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
+  private static let decodeOptions = [
+    kCGImageSourceShouldCache: false,
+    kCGImageSourceShouldCacheImmediately: true,
+    kCGImageSourceCreateThumbnailWithTransform: true,
+  ] as CFDictionary
+  
+  func urlSession(
+    _ session: URLSession, dataTask: URLSessionDataTask,
+    didReceive response: URLResponse,
+    completionHandler: @escaping (URLSession.ResponseDisposition) -> Void
+  ) {
+    guard let request = get(taskId: dataTask.taskIdentifier)
+    else {
+      return completionHandler(.cancel)
+    }
+    
+    let capacity = max(Int(response.expectedContentLength), 0)
+    request.data = CFDataCreateMutable(nil, capacity)
+    
+    completionHandler(.allow)
+  }
+  
+  func urlSession(_ session: URLSession, dataTask: URLSessionDataTask,
+                  didReceive data: Data) {
+    guard let request = get(taskId: dataTask.taskIdentifier) else { return }
+    
+    data.withUnsafeBytes { bytes in
+      CFDataAppendBytes(request.data, bytes.bindMemory(to: UInt8.self).baseAddress, data.count)
+    }
+  }
+  
+  func urlSession(_ session: URLSession, task: URLSessionTask,
+                  didCompleteWithError error: Error?) {
+    guard let request = get(taskId: task.taskIdentifier) else { return }
+        
+    defer { remove(taskId: task.taskIdentifier, requestId: request.id) }
+    
+    if let error = error {
+      if request.isCancelled || (error as NSError).code == NSURLErrorCancelled {
+        return request.completion(Self.cancelledResult)
+      }
+      return request.completion(.failure(error))
+    }
+    
+    guard let data = request.data else {
+      return request.completion(.failure(PigeonError(code: "", message: "No data received", details: nil)))
+    }
+    
+    guard let imageSource = CGImageSourceCreateWithData(data, nil),
+          let cgImage = CGImageSourceCreateThumbnailAtIndex(imageSource, 0, Self.decodeOptions) else {
+      return request.completion(.failure(PigeonError(code: "", message: "Failed to decode image for request", details: nil)))
+    }
+    
+    if request.isCancelled {
+      return request.completion(Self.cancelledResult)
+    }
+    
+    do {
+      let buffer = try vImage_Buffer(cgImage: cgImage, format: Self.rgbaFormat)
+      
+      if request.isCancelled {
+        buffer.free()
+        return request.completion(Self.cancelledResult)
+      }
+      
+      request.completion(
+        .success([
+          "pointer": Int64(Int(bitPattern: buffer.data)),
+          "width": Int64(buffer.width),
+          "height": Int64(buffer.height),
+          "rowBytes": Int64(buffer.rowBytes),
+        ]))
+    } catch {
+      return request.completion(.failure(PigeonError(code: "", message: "Failed to convert image for request: \(error)", details: nil)))
+    }
+  }
+  
+  @inline(__always) func get(taskId: Int) -> RemoteImageRequest? {
+    Self.requestQueue.sync { Self.requestByTaskId[taskId] }
+  }
+  
+  @inline(__always) func add(taskId: Int, request: RemoteImageRequest) -> Void {
+    Self.requestQueue.async(flags: .barrier) {
+      Self.requestByTaskId[taskId] = request
+      Self.taskIdByRequestId[request.id] = taskId
+    }
+  }
+  
+  @inline(__always) func remove(taskId: Int, requestId: Int64) -> Void {
+    Self.requestQueue.async(flags: .barrier) {
+      Self.taskIdByRequestId[requestId] = nil
+      Self.requestByTaskId[taskId] = nil
+    }
+  }
+  
+  @inline(__always) func cancel(requestId: Int64) -> Void {
+    guard let request: RemoteImageRequest = (Self.requestQueue.sync {
+      guard let taskId = Self.taskIdByRequestId[requestId] else { return nil }
+      return Self.requestByTaskId[taskId]
+    }) else { return }
+    request.isCancelled = true
+    request.task?.cancel()
+  }
+}

mobile/ios/Runner/Sync/Messages.g.swift

@@ -312,6 +312,39 @@ struct HashResult: Hashable {
   }
 }
 
+/// Generated class from Pigeon that represents data sent in messages.
+struct CloudIdResult: Hashable {
+  var assetId: String
+  var error: String? = nil
+  var cloudId: String? = nil
+
+
+  // swift-format-ignore: AlwaysUseLowerCamelCase
+  static func fromList(_ pigeonVar_list: [Any?]) -> CloudIdResult? {
+    let assetId = pigeonVar_list[0] as! String
+    let error: String? = nilOrValue(pigeonVar_list[1])
+    let cloudId: String? = nilOrValue(pigeonVar_list[2])
+
+    return CloudIdResult(
+      assetId: assetId,
+      error: error,
+      cloudId: cloudId
+    )
+  }
+  func toList() -> [Any?] {
+    return [
+      assetId,
+      error,
+      cloudId,
+    ]
+  }
+  static func == (lhs: CloudIdResult, rhs: CloudIdResult) -> Bool {
+    return deepEqualsMessages(lhs.toList(), rhs.toList())  }
+  func hash(into hasher: inout Hasher) {
+    deepHashMessages(value: toList(), hasher: &hasher)
+  }
+}
+
 private class MessagesPigeonCodecReader: FlutterStandardReader {
   override func readValue(ofType type: UInt8) -> Any? {
     switch type {
@@ -323,6 +356,8 @@ private class MessagesPigeonCodecReader: FlutterStandardReader {
       return SyncDelta.fromList(self.readValue() as! [Any?])
     case 132:
       return HashResult.fromList(self.readValue() as! [Any?])
+    case 133:
+      return CloudIdResult.fromList(self.readValue() as! [Any?])
     default:
       return super.readValue(ofType: type)
     }
@@ -343,6 +378,9 @@ private class MessagesPigeonCodecWriter: FlutterStandardWriter {
     } else if let value = value as? HashResult {
       super.writeByte(132)
       super.writeValue(value.toList())
+    } else if let value = value as? CloudIdResult {
+      super.writeByte(133)
+      super.writeValue(value.toList())
     } else {
       super.writeValue(value)
     }
@@ -377,6 +415,7 @@ protocol NativeSyncApi {
   func hashAssets(assetIds: [String], allowNetworkAccess: Bool, completion: @escaping (Result<[HashResult], Error>) -> Void)
   func cancelHashing() throws
   func getTrashedAssets() throws -> [String: [PlatformAsset]]
+  func getCloudIdForAssetIds(assetIds: [String]) throws -> [CloudIdResult]
 }
 
 /// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
@@ -560,5 +599,22 @@ class NativeSyncApiSetup {
     } else {
       getTrashedAssetsChannel.setMessageHandler(nil)
     }
+    let getCloudIdForAssetIdsChannel = taskQueue == nil
+      ? FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NativeSyncApi.getCloudIdForAssetIds\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+      : FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NativeSyncApi.getCloudIdForAssetIds\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec, taskQueue: taskQueue)
+    if let api = api {
+      getCloudIdForAssetIdsChannel.setMessageHandler { message, reply in
+        let args = message as! [Any?]
+        let assetIdsArg = args[0] as! [String]
+        do {
+          let result = try api.getCloudIdForAssetIds(assetIds: assetIdsArg)
+          reply(wrapResult(result))
+        } catch {
+          reply(wrapError(error))
+        }
+      }
+    } else {
+      getCloudIdForAssetIdsChannel.setMessageHandler(nil)
+    }
   }
 }

mobile/ios/Runner/Sync/MessagesImpl.swift

@@ -19,31 +19,31 @@ struct AssetWrapper: Hashable, Equatable {
 
 class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
   static let name = "NativeSyncApi"
-
+  
   static func register(with registrar: any FlutterPluginRegistrar) {
     let instance = NativeSyncApiImpl()
     NativeSyncApiSetup.setUp(binaryMessenger: registrar.messenger(), api: instance)
     registrar.publish(instance)
   }
-
+  
   func detachFromEngine(for registrar: any FlutterPluginRegistrar) {
     super.detachFromEngine()
   }
-
+  
   private let defaults: UserDefaults
   private let changeTokenKey = "immich:changeToken"
   private let albumTypes: [PHAssetCollectionType] = [.album, .smartAlbum]
   private let recoveredAlbumSubType = 1000000219
-
+  
   private var hashTask: Task<Void?, Error>?
   private static let hashCancelledCode = "HASH_CANCELLED"
   private static let hashCancelled = Result<[HashResult], Error>.failure(PigeonError(code: hashCancelledCode, message: "Hashing cancelled", details: nil))
-
-
+  
+  
   init(with defaults: UserDefaults = .standard) {
     self.defaults = defaults
   }
-
+  
   @available(iOS 16, *)
   private func getChangeToken() -> PHPersistentChangeToken? {
     guard let data = defaults.data(forKey: changeTokenKey) else {
@@ -51,7 +51,7 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
     }
     return try? NSKeyedUnarchiver.unarchivedObject(ofClass: PHPersistentChangeToken.self, from: data)
   }
-
+  
   @available(iOS 16, *)
   private func saveChangeToken(token: PHPersistentChangeToken) -> Void {
     guard let data = try? NSKeyedArchiver.archivedData(withRootObject: token, requiringSecureCoding: true) else {
@@ -59,18 +59,18 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
     }
     defaults.set(data, forKey: changeTokenKey)
   }
-
+  
   func clearSyncCheckpoint() -> Void {
     defaults.removeObject(forKey: changeTokenKey)
   }
-
+  
   func checkpointSync() {
     guard #available(iOS 16, *) else {
       return
     }
     saveChangeToken(token: PHPhotoLibrary.shared().currentChangeToken)
   }
-
+  
   func shouldFullSync() -> Bool {
     guard #available(iOS 16, *),
           PHPhotoLibrary.authorizationStatus(for: .readWrite) == .authorized,
@@ -78,36 +78,36 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
       // When we do not have access to photo library, older iOS version or No token available, fallback to full sync
       return true
     }
-
+    
     guard let _ = try? PHPhotoLibrary.shared().fetchPersistentChanges(since: storedToken) else {
       // Cannot fetch persistent changes
       return true
     }
-
+    
     return false
   }
-
+  
   func getAlbums() throws -> [PlatformAlbum] {
     var albums: [PlatformAlbum] = []
-
+    
     albumTypes.forEach { type in
       let collections = PHAssetCollection.fetchAssetCollections(with: type, subtype: .any, options: nil)
       for i in 0..<collections.count {
         let album = collections.object(at: i)
-
+        
         // Ignore recovered album
         if(album.assetCollectionSubtype.rawValue == self.recoveredAlbumSubType) {
           continue;
         }
-
+        
         let options = PHFetchOptions()
         options.sortDescriptors = [NSSortDescriptor(key: "modificationDate", ascending: false)]
         options.includeHiddenAssets = false
-
+        
         let assets = getAssetsFromAlbum(in: album, options: options)
-
+        
         let isCloud = album.assetCollectionSubtype == .albumCloudShared || album.assetCollectionSubtype == .albumMyPhotoStream
-
+        
         var domainAlbum = PlatformAlbum(
           id: album.localIdentifier,
           name: album.localizedTitle!,
@@ -115,57 +115,57 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
           isCloud: isCloud,
           assetCount: Int64(assets.count)
         )
-
+        
         if let firstAsset = assets.firstObject {
           domainAlbum.updatedAt = firstAsset.modificationDate.map { Int64($0.timeIntervalSince1970) }
         }
-
+        
         albums.append(domainAlbum)
       }
     }
     return albums.sorted { $0.id < $1.id }
   }
-
+  
   func getMediaChanges() throws -> SyncDelta {
     guard #available(iOS 16, *) else {
       throw PigeonError(code: "UNSUPPORTED_OS", message: "This feature requires iOS 16 or later.", details: nil)
     }
-
+    
     guard PHPhotoLibrary.authorizationStatus(for: .readWrite) == .authorized else {
       throw PigeonError(code: "NO_AUTH", message: "No photo library access", details: nil)
     }
-
+    
     guard let storedToken = getChangeToken() else {
       // No token exists, definitely need a full sync
       print("MediaManager::getMediaChanges: No token found")
       throw PigeonError(code: "NO_TOKEN", message: "No stored change token", details: nil)
     }
-
+    
     let currentToken = PHPhotoLibrary.shared().currentChangeToken
     if storedToken == currentToken {
       return SyncDelta(hasChanges: false, updates: [], deletes: [], assetAlbums: [:])
     }
-
+    
     do {
       let changes = try PHPhotoLibrary.shared().fetchPersistentChanges(since: storedToken)
-
+      
       var updatedAssets: Set<AssetWrapper> = []
       var deletedAssets: Set<String> = []
-
+      
       for change in changes {
         guard let details = try? change.changeDetails(for: PHObjectType.asset) else { continue }
-
+        
         let updated = details.updatedLocalIdentifiers.union(details.insertedLocalIdentifiers)
         deletedAssets.formUnion(details.deletedLocalIdentifiers)
-
+        
         if (updated.isEmpty) { continue }
-
+        
         let options = PHFetchOptions()
         options.includeHiddenAssets = false
         let result = PHAsset.fetchAssets(withLocalIdentifiers: Array(updated), options: options)
         for i in 0..<result.count {
           let asset = result.object(at: i)
-
+          
           // Asset wrapper only uses the id for comparison. Multiple change can contain the same asset, skip duplicate changes
           let predicate = PlatformAsset(
             id: asset.localIdentifier,
@@ -178,25 +178,25 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
           if (updatedAssets.contains(AssetWrapper(with: predicate))) {
             continue
           }
-
+          
           let domainAsset = AssetWrapper(with: asset.toPlatformAsset())
           updatedAssets.insert(domainAsset)
         }
       }
-
+      
       let updates = Array(updatedAssets.map { $0.asset })
       return SyncDelta(hasChanges: true, updates: updates, deletes: Array(deletedAssets), assetAlbums: buildAssetAlbumsMap(assets: updates))
     }
   }
-
-
+  
+  
   private func buildAssetAlbumsMap(assets: Array<PlatformAsset>) -> [String: [String]] {
     guard !assets.isEmpty else {
       return [:]
     }
-
+    
     var albumAssets: [String: [String]] = [:]
-
+    
     for type in albumTypes {
       let collections = PHAssetCollection.fetchAssetCollections(with: type, subtype: .any, options: nil)
       collections.enumerateObjects { (album, _, _) in
@@ -211,13 +211,13 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
     }
     return albumAssets
   }
-
+  
   func getAssetIdsForAlbum(albumId: String) throws -> [String] {
     let collections = PHAssetCollection.fetchAssetCollections(withLocalIdentifiers: [albumId], options: nil)
     guard let album = collections.firstObject else {
       return []
     }
-
+    
     var ids: [String] = []
     let options = PHFetchOptions()
     options.includeHiddenAssets = false
@@ -227,13 +227,13 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
     }
     return ids
   }
-
+  
   func getAssetsCountSince(albumId: String, timestamp: Int64) throws -> Int64 {
     let collections = PHAssetCollection.fetchAssetCollections(withLocalIdentifiers: [albumId], options: nil)
     guard let album = collections.firstObject else {
       return 0
     }
-
+    
     let date = NSDate(timeIntervalSince1970: TimeInterval(timestamp))
     let options = PHFetchOptions()
     options.predicate = NSPredicate(format: "creationDate > %@ OR modificationDate > %@", date, date)
@@ -241,32 +241,32 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
     let assets = getAssetsFromAlbum(in: album, options: options)
     return Int64(assets.count)
   }
-
+  
   func getAssetsForAlbum(albumId: String, updatedTimeCond: Int64?) throws -> [PlatformAsset] {
     let collections = PHAssetCollection.fetchAssetCollections(withLocalIdentifiers: [albumId], options: nil)
     guard let album = collections.firstObject else {
       return []
     }
-
+    
     let options = PHFetchOptions()
     options.includeHiddenAssets = false
     if(updatedTimeCond != nil) {
       let date = NSDate(timeIntervalSince1970: TimeInterval(updatedTimeCond!))
       options.predicate = NSPredicate(format: "creationDate > %@ OR modificationDate > %@", date, date)
     }
-
+    
     let result = getAssetsFromAlbum(in: album, options: options)
     if(result.count == 0) {
       return []
     }
-
+    
     var assets: [PlatformAsset] = []
     result.enumerateObjects { (asset, _, _) in
       assets.append(asset.toPlatformAsset())
     }
     return assets
   }
-
+  
   func hashAssets(assetIds: [String], allowNetworkAccess: Bool, completion: @escaping (Result<[HashResult], Error>) -> Void) {
     if let prevTask = hashTask {
       prevTask.cancel()
@@ -284,11 +284,11 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
         missingAssetIds.remove(asset.localIdentifier)
         assets.append(asset)
       }
-
+      
       if Task.isCancelled {
         return self?.completeWhenActive(for: completion, with: Self.hashCancelled)
       }
-
+      
       await withTaskGroup(of: HashResult?.self) { taskGroup in
         var results = [HashResult]()
         results.reserveCapacity(assets.count)
@@ -301,28 +301,28 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
             return await self.hashAsset(asset, allowNetworkAccess: allowNetworkAccess)
           }
         }
-
+        
         for await result in taskGroup {
           guard let result = result else {
             return self?.completeWhenActive(for: completion, with: Self.hashCancelled)
           }
           results.append(result)
         }
-
+        
         for missing in missingAssetIds {
           results.append(HashResult(assetId: missing, error: "Asset not found in library", hash: nil))
         }
-
+        
         return self?.completeWhenActive(for: completion, with: .success(results))
       }
     }
   }
-
+  
   func cancelHashing() {
     hashTask?.cancel()
     hashTask = nil
   }
-
+  
   private func hashAsset(_ asset: PHAsset, allowNetworkAccess: Bool) async -> HashResult? {
     class RequestRef {
       var id: PHAssetResourceDataRequestID?
@@ -332,21 +332,21 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
       if Task.isCancelled {
         return nil
       }
-
+      
       guard let resource = asset.getResource() else {
         return HashResult(assetId: asset.localIdentifier, error: "Cannot get asset resource", hash: nil)
       }
-
+      
       if Task.isCancelled {
         return nil
       }
-
+      
       let options = PHAssetResourceRequestOptions()
       options.isNetworkAccessAllowed = allowNetworkAccess
-
+      
       return await withCheckedContinuation { continuation in
         var hasher = Insecure.SHA1()
-
+        
         requestRef.id = PHAssetResourceManager.default().requestData(
           for: resource,
           options: options,
@@ -377,11 +377,11 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
       PHAssetResourceManager.default().cancelDataRequest(requestId)
     })
   }
-
+  
   func getTrashedAssets() throws -> [String: [PlatformAsset]] {
     throw PigeonError(code: "UNSUPPORTED_OS", message: "This feature not supported on iOS.", details: nil)
   }
-
+  
   private func getAssetsFromAlbum(in album: PHAssetCollection, options: PHFetchOptions) -> PHFetchResult<PHAsset> {
     // Ensure to actually getting all assets for the Recents album
     if (album.assetCollectionSubtype == .smartAlbumUserLibrary) {
@@ -390,4 +390,28 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
       return PHAsset.fetchAssets(in: album, options: options)
     }
   }
+  
+  func getCloudIdForAssetIds(assetIds: [String]) throws -> [CloudIdResult] {
+    guard #available(iOS 16, *) else {
+      return assetIds.map { CloudIdResult(assetId: $0) }
+    }
+    
+    var mappings: [CloudIdResult] = []
+    let result = PHPhotoLibrary.shared().cloudIdentifierMappings(forLocalIdentifiers: assetIds)
+    for (key, value) in result {
+      switch value {
+      case .success(let cloudIdentifier):
+        let cloudId = cloudIdentifier.stringValue
+        // Ignores invalid cloud ids of the format "GUID:ID:". Valid Ids are of the form "GUID:ID:HASH"
+        if !cloudId.hasSuffix(":") {
+          mappings.append(CloudIdResult(assetId: key, cloudId: cloudId))
+        } else {
+          mappings.append(CloudIdResult(assetId: key, error: "Incomplete Cloud Id: \(cloudId)"))
+        }
+      case .failure(let error):
+        mappings.append(CloudIdResult(assetId: key, error: "Error getting Cloud Id: \(error.localizedDescription)"))
+      }
+    }
+    return mappings;
+  }
 }

mobile/ios/fastlane/Fastfile

@@ -44,7 +44,7 @@ def get_version_from_pubspec
 end
   
   # Helper method to configure code signing for all targets
-  def configure_code_signing(bundle_id_suffix: "")
+  def configure_code_signing(bundle_id_suffix: "", profile_name_main:, profile_name_share:, profile_name_widget:)
     bundle_suffix = bundle_id_suffix.empty? ? "" : ".#{bundle_id_suffix}"
     
     # Runner (main app)
@@ -54,7 +54,7 @@ end
       team_id: ENV["FASTLANE_TEAM_ID"] || TEAM_ID,
       code_sign_identity: CODE_SIGN_IDENTITY,
       bundle_identifier: "#{BASE_BUNDLE_ID}#{bundle_suffix}",
-      profile_name: "#{BASE_BUNDLE_ID}#{bundle_suffix} AppStore",
+      profile_name: profile_name_main,
       targets: ["Runner"]
     )
     
@@ -65,7 +65,7 @@ end
       team_id: ENV["FASTLANE_TEAM_ID"] || TEAM_ID,
       code_sign_identity: CODE_SIGN_IDENTITY,
       bundle_identifier: "#{BASE_BUNDLE_ID}#{bundle_suffix}.ShareExtension",
-      profile_name: "#{BASE_BUNDLE_ID}#{bundle_suffix}.ShareExtension AppStore",
+      profile_name: profile_name_share,
       targets: ["ShareExtension"]
     )
     
@@ -76,7 +76,7 @@ end
       team_id: ENV["FASTLANE_TEAM_ID"] || TEAM_ID,
       code_sign_identity: CODE_SIGN_IDENTITY,
       bundle_identifier: "#{BASE_BUNDLE_ID}#{bundle_suffix}.Widget",
-      profile_name: "#{BASE_BUNDLE_ID}#{bundle_suffix}.Widget AppStore",
+      profile_name: profile_name_widget,
       targets: ["WidgetExtension"]
     )
   end
@@ -87,7 +87,10 @@ end
     bundle_id_suffix: "",
     configuration: "Release",
     distribute_external: true,
-    version_number: nil
+    version_number: nil,
+    profile_name_main:,
+    profile_name_share:,
+    profile_name_widget:
   )
     bundle_suffix = bundle_id_suffix.empty? ? "" : ".#{bundle_id_suffix}"
     app_identifier = "#{BASE_BUNDLE_ID}#{bundle_suffix}"
@@ -115,9 +118,9 @@ end
       xcargs: "-skipMacroValidation CODE_SIGN_IDENTITY='#{CODE_SIGN_IDENTITY}' CODE_SIGN_STYLE=Manual",
       export_options: {
         provisioningProfiles: {
-          "#{app_identifier}" => "#{app_identifier} AppStore",
-          "#{app_identifier}.ShareExtension" => "#{app_identifier}.ShareExtension AppStore",
-          "#{app_identifier}.Widget" => "#{app_identifier}.Widget AppStore"
+          "#{app_identifier}" => profile_name_main,
+          "#{app_identifier}.ShareExtension" => profile_name_share,
+          "#{app_identifier}.Widget" => profile_name_widget
         },
         signingStyle: "manual",
         signingCertificate: CODE_SIGN_IDENTITY
@@ -136,20 +139,35 @@ end
   lane :gha_testflight_dev do
     api_key = get_api_key
     
-    # Install development provisioning profiles
-    install_provisioning_profile(path: "profile_dev.mobileprovision")
-    install_provisioning_profile(path: "profile_dev_share.mobileprovision")
-    install_provisioning_profile(path: "profile_dev_widget.mobileprovision")
+    # Download and install provisioning profiles from App Store Connect
+    # Certificate is imported by GHA workflow into build.keychain
+    # Capture profile names after each sigh call
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development", force: true)
+    main_profile_name = lane_context[SharedValues::SIGH_NAME]
     
-    # Configure code signing for dev bundle IDs
-    configure_code_signing(bundle_id_suffix: "development")
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.ShareExtension", force: true)
+    share_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.Widget", force: true)
+    widget_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    # Configure code signing for dev bundle IDs using the downloaded profile names
+    configure_code_signing(
+      bundle_id_suffix: "development",
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
+    )
     
     # Build and upload
     build_and_upload(
       api_key: api_key,
       bundle_id_suffix: "development",
       configuration: "Profile",
-      distribute_external: false
+      distribute_external: false,
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
     )
   end
 
@@ -157,20 +175,33 @@ end
   lane :gha_release_prod do
     api_key = get_api_key
     
-    # Install provisioning profiles
-    install_provisioning_profile(path: "profile.mobileprovision")
-    install_provisioning_profile(path: "profile_share.mobileprovision")
-    install_provisioning_profile(path: "profile_widget.mobileprovision")
+    # Download and install provisioning profiles from App Store Connect
+    # Certificate is imported by GHA workflow into build.keychain
+    sigh(api_key: api_key, app_identifier: BASE_BUNDLE_ID, force: true)
+    main_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.ShareExtension", force: true)
+    share_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.Widget", force: true)
+    widget_profile_name = lane_context[SharedValues::SIGH_NAME]
     
     
     # Configure code signing for production bundle IDs
-    configure_code_signing
+    configure_code_signing(
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
+    )
 
     # Build and upload with version number
     build_and_upload(
       api_key: api_key,
       version_number: get_version_from_pubspec,
       distribute_external: false,
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
     )
   end
 
@@ -215,13 +246,26 @@ end
     # Use the same build process as production, just skip the upload
     # This ensures PR builds validate the same way as production builds
     
-    # Install provisioning profiles (use development profiles for PR builds)
-    install_provisioning_profile(path: "profile_dev.mobileprovision")
-    install_provisioning_profile(path: "profile_dev_share.mobileprovision")
-    install_provisioning_profile(path: "profile_dev_widget.mobileprovision")
+    api_key = get_api_key
+    
+    # Download and install provisioning profiles from App Store Connect
+    # Certificate is imported by GHA workflow into build.keychain
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development", force: true)
+    main_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.ShareExtension", force: true)
+    share_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.Widget", force: true)
+    widget_profile_name = lane_context[SharedValues::SIGH_NAME]
     
     # Configure code signing for dev bundle IDs
-    configure_code_signing(bundle_id_suffix: "development")
+    configure_code_signing(
+      bundle_id_suffix: "development",
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
+    )
     
     # Build the app (same as gha_testflight_dev but without upload)
     build_app(
@@ -233,9 +277,9 @@ end
       xcargs: "-skipMacroValidation CODE_SIGN_IDENTITY='#{CODE_SIGN_IDENTITY}' CODE_SIGN_STYLE=Manual",
       export_options: {
         provisioningProfiles: {
-          "#{BASE_BUNDLE_ID}.development" => "#{BASE_BUNDLE_ID}.development AppStore",
-          "#{BASE_BUNDLE_ID}.development.ShareExtension" => "#{BASE_BUNDLE_ID}.development.ShareExtension AppStore",
-          "#{BASE_BUNDLE_ID}.development.Widget" => "#{BASE_BUNDLE_ID}.development.Widget AppStore"
+          "#{BASE_BUNDLE_ID}.development" => main_profile_name,
+          "#{BASE_BUNDLE_ID}.development.ShareExtension" => share_profile_name,
+          "#{BASE_BUNDLE_ID}.development.Widget" => widget_profile_name
         },
         signingStyle: "manual",
         signingCertificate: CODE_SIGN_IDENTITY

mobile/lib/constants/constants.dart

@@ -4,6 +4,8 @@ const int noDbId = -9223372036854775808; // from Isar
 const double downloadCompleted = -1;
 const double downloadFailed = -2;
 
+const String kMobileMetadataKey = "mobile-app";
+
 // Number of log entries to retain on app start
 const int kLogTruncateLimit = 2000;
 

mobile/lib/constants/enums.dart

@@ -7,3 +7,7 @@ enum AssetVisibilityEnum { timeline, hidden, archive, locked }
 enum SortUserBy { id }
 
 enum ActionSource { timeline, viewer }
+
+enum CleanupStep { selectDate, filterOptions, scan, delete }
+
+enum AssetFilterType { all, photosOnly, videosOnly }

mobile/lib/constants/locales.dart

@@ -51,4 +51,4 @@ const Map<String, Locale> locales = {
 
 const String translationsPath = 'assets/i18n';
 
-const List<Locale> localesNotSupportedByOverpass = [Locale('el', 'GR'), Locale('sr', 'Cyrl')];
+const List<Locale> localesNotSupportedByAppFont = [Locale('el', 'GR'), Locale('sr', 'Cyrl')];

mobile/lib/domain/models/asset/asset_metadata.model.dart

@@ -0,0 +1,62 @@
+enum RemoteAssetMetadataKey {
+  mobileApp("mobile-app");
+
+  final String key;
+
+  const RemoteAssetMetadataKey(this.key);
+}
+
+abstract class RemoteAssetMetadataValue {
+  const RemoteAssetMetadataValue();
+
+  Map<String, dynamic> toJson();
+}
+
+class RemoteAssetMetadataItem {
+  final RemoteAssetMetadataKey key;
+  final RemoteAssetMetadataValue value;
+
+  const RemoteAssetMetadataItem({required this.key, required this.value});
+
+  Map<String, Object?> toJson() {
+    return {'key': key.key, 'value': value};
+  }
+}
+
+class RemoteAssetMobileAppMetadata extends RemoteAssetMetadataValue {
+  final String? cloudId;
+  final String? createdAt;
+  final String? adjustmentTime;
+  final String? latitude;
+  final String? longitude;
+
+  const RemoteAssetMobileAppMetadata({
+    this.cloudId,
+    this.createdAt,
+    this.adjustmentTime,
+    this.latitude,
+    this.longitude,
+  });
+
+  @override
+  Map<String, dynamic> toJson() {
+    final map = <String, Object?>{};
+    if (cloudId != null) {
+      map["iCloudId"] = cloudId;
+    }
+    if (createdAt != null) {
+      map["createdAt"] = createdAt;
+    }
+    if (adjustmentTime != null) {
+      map["adjustmentTime"] = adjustmentTime;
+    }
+    if (latitude != null) {
+      map["latitude"] = latitude;
+    }
+    if (longitude != null) {
+      map["longitude"] = longitude;
+    }
+
+    return map;
+  }
+}

mobile/lib/domain/models/asset/local_asset.model.dart

@@ -3,6 +3,7 @@ part of 'base_asset.model.dart';
 class LocalAsset extends BaseAsset {
   final String id;
   final String? remoteAssetId;
+  final String? cloudId;
   final int orientation;
 
   final DateTime? adjustmentTime;
@@ -12,6 +13,7 @@ class LocalAsset extends BaseAsset {
   const LocalAsset({
     required this.id,
     String? remoteId,
+    this.cloudId,
     required super.name,
     super.checksum,
     required super.type,
@@ -53,12 +55,14 @@ class LocalAsset extends BaseAsset {
    width: ${width ?? "<NA>"},
    height: ${height ?? "<NA>"},
    durationInSeconds: ${durationInSeconds ?? "<NA>"},
-   remoteId: ${remoteId ?? "<NA>"}
+   remoteId: ${remoteId ?? "<NA>"},
+   cloudId: ${cloudId ?? "<NA>"},
+   checksum: ${checksum ?? "<NA>"},
    isFavorite: $isFavorite,
-  orientation: $orientation,
-  adjustmentTime: $adjustmentTime,
-  latitude: ${latitude ?? "<NA>"},
-  longitude: ${longitude ?? "<NA>"},
+   orientation: $orientation,
+   adjustmentTime: $adjustmentTime,
+   latitude: ${latitude ?? "<NA>"},
+   longitude: ${longitude ?? "<NA>"},
  }''';
   }
 
@@ -69,6 +73,7 @@ class LocalAsset extends BaseAsset {
     if (identical(this, other)) return true;
     return super == other &&
         id == other.id &&
+        cloudId == other.cloudId &&
         orientation == other.orientation &&
         adjustmentTime == other.adjustmentTime &&
         latitude == other.latitude &&
@@ -88,6 +93,7 @@ class LocalAsset extends BaseAsset {
   LocalAsset copyWith({
     String? id,
     String? remoteId,
+    String? cloudId,
     String? name,
     String? checksum,
     AssetType? type,
@@ -105,6 +111,7 @@ class LocalAsset extends BaseAsset {
     return LocalAsset(
       id: id ?? this.id,
       remoteId: remoteId ?? this.remoteId,
+      cloudId: cloudId ?? this.cloudId,
       name: name ?? this.name,
       checksum: checksum ?? this.checksum,
       type: type ?? this.type,