better error handling

tighten dispose
add extra cancellation check
2026-01-24 10:24:39 -08:00 · 2026-01-23 14:55:01 -05:00 · 2026-01-23 14:50:27 -05:00 · 2026-01-23 14:44:36 -05:00 · 2026-01-23 14:39:30 -05:00 · 2026-01-23 02:10:39 -05:00
780 changed files with 60012 additions and 11723 deletions
--- a/.github/.nvmrc
+++ b/.github/.nvmrc
@@ -1 +1 @@
-24.12.0
+24.13.0
--- a/.github/workflows/build-mobile.yml
+++ b/.github/workflows/build-mobile.yml
@@ -26,9 +26,9 @@ on:
        required: true
      APP_STORE_CONNECT_API_KEY:
        required: true
-      MATCH_PASSWORD:
+      IOS_CERTIFICATE_P12:
        required: true
-      MATCH_GIT_BASIC_AUTHORIZATION:
+      IOS_CERTIFICATE_PASSWORD:
        required: true
      FASTLANE_TEAM_ID:
        required: true
@@ -84,7 +84,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
@@ -103,7 +103,7 @@ jobs:

      - name: Restore Gradle Cache
        id: cache-gradle-restore
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ~/.gradle/caches
@@ -153,14 +153,14 @@ jobs:
          fi

      - name: Publish Android Artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: release-apk-signed
          path: mobile/build/app/outputs/flutter-apk/*.apk

      - name: Save Gradle Cache
        id: cache-gradle-save
-        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        if: github.ref == 'refs/heads/main'
        with:
          path: |
@@ -181,23 +181,8 @@ jobs:
    runs-on: macos-latest

    steps:
-      - name: Generate token for ios-certs repo
-        id: token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
-          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-          owner: immich-app
-          repositories: immich,ios-certs
-
-      - name: Set up match authorization
-        id: match-auth
-        run: |
-          # Create base64-encoded authorization for match
-          echo "base64_token=$(echo -n 'x-access-token:${{ steps.token.outputs.token }}' | base64)" >> $GITHUB_OUTPUT
-
      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
@@ -243,26 +228,43 @@ jobs:
          mkdir -p ~/.appstoreconnect/private_keys
          echo "$API_KEY_CONTENT" | base64 --decode > ~/.appstoreconnect/private_keys/AuthKey_${API_KEY_ID}.p8

-      - name: Create keychain for match
+      - name: Import Certificate
        env:
-          KEYCHAIN_PASSWORD: ${{ github.run_id }}
+          IOS_CERTIFICATE_P12: ${{ secrets.IOS_CERTIFICATE_P12 }}
+        working-directory: ./mobile/ios
        run: |
-          # Create a temporary keychain for CI
+          # Decode certificate
+          echo "$IOS_CERTIFICATE_P12" | base64 --decode > certificate.p12
+
+      - name: Create keychain and import certificate
+        env:
+          KEYCHAIN_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
+          CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
+        working-directory: ./mobile/ios
+        run: |
+          # Create keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security set-keychain-settings -t 3600 -u build.keychain

+          # Import certificate
+          security import certificate.p12 -k build.keychain -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+
+          # Verify certificate was imported
+          security find-identity -v -p codesigning build.keychain
+
      - name: Build and deploy to TestFlight
        env:
          FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}
-          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
-          MATCH_GIT_BASIC_AUTHORIZATION: ${{ steps.match-auth.outputs.base64_token }}
+          IOS_CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
          KEYCHAIN_NAME: build.keychain
-          KEYCHAIN_PASSWORD: ${{ github.run_id }}
+          KEYCHAIN_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
          APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
          APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
          ENVIRONMENT: ${{ inputs.environment || 'development' }}
+          BUNDLE_ID_SUFFIX: ${{ inputs.environment == 'production' && '' || 'development' }}
          GITHUB_REF: ${{ github.ref }}
        working-directory: ./mobile/ios
        run: |
@@ -284,7 +286,7 @@ jobs:
          security delete-keychain build.keychain || true

      - name: Upload IPA artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: ios-release-ipa
          path: mobile/ios/Runner.ipa
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -25,7 +25,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check out code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -35,7 +35,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -78,7 +78,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -50,7 +50,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/docs-build.yml
+++ b/.github/workflows/docs-build.yml
@@ -60,10 +60,11 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
+          fetch-depth: 0

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
@@ -85,7 +86,7 @@ jobs:
        run: pnpm build

      - name: Upload build output
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: docs-build-output
          path: docs/build/
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -125,7 +125,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/docs-destroy.yml
+++ b/.github/workflows/docs-destroy.yml
@@ -23,7 +23,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/fix-format.yml
+++ b/.github/workflows/fix-format.yml
@@ -22,7 +22,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: 'Checkout'
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -56,7 +56,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
@@ -136,13 +136,13 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false

      - name: Download APK
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: release-apk-signed
          github-token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -23,7 +23,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
@@ -159,7 +159,7 @@ jobs:

      - name: Create PR
        id: create-pr
-        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          commit-message: 'chore: release ${{ steps.bump-type.outputs.next }}'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -58,7 +58,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false
@@ -74,7 +74,7 @@ jobs:
          echo "version=$VERSION" >> $GITHUB_OUTPUT

      - name: Download APK
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: release-apk-signed
          github-token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -22,7 +22,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -55,7 +55,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -69,7 +69,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -114,7 +114,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -161,7 +161,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -203,7 +203,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -247,7 +247,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -285,7 +285,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -298,9 +298,9 @@ jobs:
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install dependencies
-        run: pnpm --filter=immich-web install --frozen-lockfile
+        run: pnpm --filter=immich-i18n install --frozen-lockfile
      - name: Format
-        run: pnpm --filter=immich-web format:i18n
+        run: pnpm --filter=immich-i18n format:fix
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
@@ -333,7 +333,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -379,7 +379,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -418,7 +418,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -473,7 +473,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          submodules: 'recursive'
@@ -502,10 +502,15 @@ jobs:
      - name: Run e2e tests (web)
        env:
          CI: true
-        run: npx playwright test
+        run: npx playwright test --project=chromium
+        if: ${{ !cancelled() }}
+      - name: Run ui tests (web)
+        env:
+          CI: true
+        run: npx playwright test --project=ui
        if: ${{ !cancelled() }}
      - name: Archive test results
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: success() || failure()
        with:
          name: e2e-web-test-results-${{ matrix.runner }}
@@ -534,7 +539,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -566,17 +571,14 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Install uv
        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
-      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        # TODO: add caching when supported (https://github.com/actions/setup-python/pull/818)
        with:
          python-version: 3.11
-          #cache: 'uv'
      - name: Install dependencies
        run: |
          uv sync --extra cpu
@@ -610,7 +612,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -639,7 +641,7 @@ jobs:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -661,7 +663,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
@@ -723,7 +725,7 @@ jobs:
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,31 @@
+# Contributing to Immich
+
+We appreciate every contribution, and we're happy about every new contributor. So please feel invited to help make Immich a better product!
+
+## Getting started
+
+To get you started quickly we have detailed guides for the dev setup on our [website](https://docs.immich.app/developer/setup). If you prefer, you can also use [Devcontainers](https://docs.immich.app/developer/devcontainers).
+There are also additional resources about Immich's architecture, database migrations, the use of OpenAPI, and more in our [developer documentation](https://docs.immich.app/developer/architecture).
+
+## General
+
+Please try to keep pull requests as focused as possible. A PR should do exactly one thing and not bleed into other, unrelated areas. The smaller a PR, the fewer changes are likely needed, and the quicker it will likely be merged. For larger/more impactful PRs, please reach out to us first to discuss your plans. The best way to do this is through our [Discord](https://discord.immich.app). We have a dedicated `#contributing` channel there. Additionally, please fill out the entire template when opening a PR.
+
+## Finding work
+
+If you are looking for something to work on, there are discussions and issues with a `good-first-issue` label on them. These are always a good starting point. If none of them sound interesting or fit your skill set, feel free to reach out on our Discord. We're happy to help you find something to work on!
+
+## Use of generative AI
+
+We generally discourage PRs entirely generated by an LLM. For any part generated by an LLM, please put extra effort into your self-review. By using generative AI without proper self-review, the time you save ends up being more work we need to put in for proper reviews and code cleanup. Please keep that in mind when submitting code by an LLM. Clearly state the use of LLMs/(generative) AI in your pull request as requested by the template.
+
+## Feature freezes
+
+From time to time, we put a feature freeze on parts of the codebase. For us, this means we won't accept most PRs that make changes in that area. Exempted from this are simple bug fixes that require only minor changes. We will close feature PRs that target a feature-frozen area, even if that feature is highly requested and you put a lot of work into it. Please keep that in mind, and if you're ever uncertain if a PR would be accepted, reach out to us first (e.g., in the aforementioned `#contributing` channel). We hate to throw away work. Currently, we have feature freezes on:
+
+* Sharing/Asset ownership
+* (External) libraries
+
+## Non-code contributions
+
+If you want to contribute to Immich but you don't feel comfortable programming in our tech stack, there are other ways you can help the team. All our translations are done through [Weblate](https://hosted.weblate.org/projects/immich). These rely entirely on the community; if you speak a language that isn't fully translated yet, submitting translations there is greatly appreciated! If you like helping others, answering Q&A discussions here on GitHub and replying to people on our Discord is also always appreciated.
--- a/cli/.nvmrc
+++ b/cli/.nvmrc
@@ -1 +1 @@
-24.12.0
+24.13.0
--- a/cli/package.json
+++ b/cli/package.json
@@ -20,7 +20,7 @@
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.10.4",
+    "@types/node": "^24.10.8",
    "@vitest/coverage-v8": "^3.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
@@ -69,6 +69,6 @@
    "micromatch": "^4.0.8"
  },
  "volta": {
-    "node": "24.12.0"
+    "node": "24.13.0"
  }
 }
--- a/docker/docker-compose.prod.yml
+++ b/docker/docker-compose.prod.yml
@@ -85,7 +85,7 @@ services:
    container_name: immich_prometheus
    ports:
      - 9090:9090
-    image: prom/prometheus@sha256:2b6f734e372c1b4717008f7d0a0152316aedd4d13ae17ef1e3268dbfaf68041b
+    image: prom/prometheus@sha256:1f0f50f06acaceb0f5670d2c8a658a599affe7b0d8e78b898c1035653849a702
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus-data:/prometheus
--- a/docs/.nvmrc
+++ b/docs/.nvmrc
@@ -1 +1 @@
-24.12.0
+24.13.0
--- a/docs/docs/developer/setup.md
+++ b/docs/docs/developer/setup.md
@@ -4,6 +4,10 @@ sidebar_position: 2

 # Setup

+:::warning
+Make sure to read the [`CONTRIBUTING.md`](https://github.com/immich-app/immich/blob/main/CONTRIBUTING.md) before you dive into the code.
+:::
+
 :::note
 If there's a feature you're planning to work on, just give us a heads up in [#contributing](https://discord.com/channels/979116623879368755/1071165397228855327) on [our Discord](https://discord.immich.app) so we can:

--- a/docs/docs/features/mobile-app.mdx
+++ b/docs/docs/features/mobile-app.mdx
@@ -68,6 +68,56 @@ Now make sure that the local album is selected in the backup screen (steps 1-2 a
  title="Upload button after photos selection"
 />

+## Free Up Space
+
+The **Free Up Space** tool allows you to remove local media files from your device that have already been successfully backed up to your Immich server (and are not in the Immich trash). This helps reclaim storage on your mobile device without losing your memories.
+
+### How it works
+
+1.  **Configuration:**
+    - **Cutoff Date:** You can select a cutoff date. The tool will only look for photos and videos **on or before** this date.
+    - **Filter Options:** You can choose to remove **All** assets, or restrict removal to **Photos only** or **Videos only**.
+    - **Keep Favorites:** By default, local assets marked as favorites are preserved on your device, even if they match the cutoff date.
+2.  **Scan & Review:** Before any files are removed, you are presented with a review screen to verify which items will be deleted.
+3.  **Deletion:** Confirmed items are moved to your device's native Trash/Recycle Bin. They will be permanently removed by the OS based on your system settings (usually after 30 days).
+
+:::info Android Permissions
+For the smoothest experience on Android, you should grant Immich special delete privileges. Without this, you may be prompted to confirm deletion for every single image.
+
+Go to **Immich Settings > Advanced** and enable **"Media Management Access"**.
+:::
+
+### iCloud Photos (iOS Users)
+
+If you use **iCloud Photos** alongside Immich, it is vital to understand how deletion affects your data. iCloud utilizes a two-way sync; this means deleting a photo from your iPhone to free up space will **also delete it from iCloud**.
+
+:::warning iCloud & Backups
+If you rely on iCloud as a secondary backup (part of a 3-2-1 backup strategy), using the Free Up Space feature in Immich will remove the file from both your phone and iCloud.
+
+Once deleted, the photo will exist **only** on your Immich server (and your phone's "Recently Deleted" folder for 30 days).
+
+When you use iCloud Photos and delete a photo or video on one device, it's also deleted on all other devices where you're signed in with the same Apple Account.
+
+More information on the [Apple Support](https://support.apple.com/en-us/108922#iCloud_photo_library) website
+
+**Shared Albums**
+Assets that are part of an **iCloud Shared Album** are automatically excluded from the cleanup scan to ensure they remain viewable to others in the shared album.
+:::
+
+### External App Dependencies (WhatsApp, etc.)
+
+:::danger WhatsApp & Local Files
+Android applications like **WhatsApp** rely on local files to display media in chat history.
+
+If Immich backs up your WhatsApp folder and you run **Free Up Space**, the local copies of these images will be deleted. Consequently, **media in your WhatsApp chats will appear blurry or missing.** You will only be able to view these photos inside the Immich app; they will no longer be visible within the WhatsApp interface.
+
+**Recommendation:** If keeping chat history intact is important, please ensure you review the deletion list carefully or consider excluding WhatsApp folders from the backup if you intend to use this feature frequently.
+:::
+
+:::info reclaim storage
+You must empty the system/gallery trash manually to reclaim storage.
+:::
+
 ## Album Sync

 You can sync or mirror an album from your phone to the Immich server on your account. For example, if you select Recents, Camera and Videos album for backup, the corresponding album with the same name will be created on the server. Once the assets from those albums are uploaded, they will be put into the target albums automatically.
@@ -95,11 +145,3 @@ Enter the cloud on the top right -> cog wheel on the top right -> select the syn
 If you delete/move photos in the local album on your device, it will not be reflected in the album on the server **even if** you click Sync albums
 It will only reflect files you add.
 :::
-
-If the same asset is in more than one album it will only sync to the first album it's in, after that it won't sync again even if the user clicks sync albums manually.
-To overcome this limitation, the files must be removed from the ignore list by
-App settings -> Advanced -> Duplicate Assets -> Clear
-
-:::info
-Cleaning duplicate assets from the list will cause all the previously uploaded duplicate files to be re-uploaded, the files will not actually be uploaded and will be rejected on the server side (due to duplication) but will be synchronized to the album and at the end will be added to the ignore list again at the end of the synchronization.
-:::
--- a/docs/docs/features/sharing.md
+++ b/docs/docs/features/sharing.md
@@ -33,7 +33,7 @@ You can create a public link to share a group of photos or videos, or an album,
 The public shared link is generated with a random URL, which acts as as a secret to avoid the link being guessed by unwanted parties, for instance.

 ```
-https://immich.yourdomain.com/share/JUckRMxlgpo7F9BpyqGk_cZEwDzaU_U5LU5_oNZp1ETIBa9dpQ0b5ghNm_22QVJfn3k
+https://my.immich.app/share/JUckRMxlgpo7F9BpyqGk_cZEwDzaU_U5LU5_oNZp1ETIBa9dpQ0b5ghNm_22QVJfn3k
 ```

 ### Creating a public share link
--- a/docs/docs/install/requirements.md
+++ b/docs/docs/install/requirements.md
@@ -17,12 +17,17 @@ Hardware and software requirements for Immich:
  - Immich runs well in a virtualized environment when running in a full virtual machine.
    The use of Docker in LXC containers is [not recommended](https://pve.proxmox.com/wiki/Linux_Container), but may be possible for advanced users.
    If you have issues, we recommend that you switch to a supported VM deployment.
- **RAM**: Minimum 4GB, recommended 6GB.
+- **RAM**: Minimum 6GB, recommended 8GB.
 - **CPU**: Minimum 2 cores, recommended 4 cores.
 - **Storage**: Recommended Unix-compatible filesystem (EXT4, ZFS, APFS, etc.) with support for user/group ownership and permissions.
  - The generation of thumbnails and transcoded video can increase the size of the photo library by 10-20% on average.

-:::tip
+:::note RAM requirements
+For a smooth experience, especially during asset upload, Immich requires at least 6GB of RAM.
+For systems with only 4GB of RAM, Immich can be run with machine learning features disabled.
+:::
+
+:::tip Postgres setup
 Good performance and a stable connection to the Postgres database is critical to a smooth Immich experience.
 The Postgres database files are typically between 1-3 GB in size.
 For this reason, the Postgres database (`DB_DATA_LOCATION`) should ideally use local SSD storage, and never a network share of any kind.
--- a/docs/docusaurus.config.js
+++ b/docs/docusaurus.config.js
@@ -26,6 +26,12 @@ const config = {
    locales: ['en'],
  },

+  // Mermaid diagrams
+  markdown: {
+    mermaid: true,
+  },
+  themes: ['@docusaurus/theme-mermaid'],
+
  plugins: [
    async function myPlugin(context, options) {
      return {
--- a/docs/package.json
+++ b/docs/package.json
@@ -20,6 +20,7 @@
    "@docusaurus/core": "~3.9.0",
    "@docusaurus/preset-classic": "~3.9.0",
    "@docusaurus/theme-common": "~3.9.0",
+    "@docusaurus/theme-mermaid": "~3.9.0",
    "@mdi/js": "^7.3.67",
    "@mdi/react": "^1.6.1",
    "@mdx-js/react": "^3.0.0",
@@ -57,6 +58,6 @@
    "node": ">=20"
  },
  "volta": {
-    "node": "24.12.0"
+    "node": "24.13.0"
  }
 }
--- a/docs/src/css/custom.css
+++ b/docs/src/css/custom.css
@@ -8,19 +8,19 @@
@tailwind utilities;

@font-face {
-  font-family: 'Overpass';
-  src: url('/fonts/overpass/Overpass.ttf') format('truetype-variations');
-  font-weight: 1 999;
+  font-family: 'GoogleSans';
+  src: url('/fonts/GoogleSans/GoogleSans.ttf') format('truetype-variations');
+  font-weight: 410 900;
  font-style: normal;
  ascent-override: 106.25%;
  size-adjust: 106.25%;
 }

@font-face {
-  font-family: 'Overpass Mono';
-  src: url('/fonts/overpass/OverpassMono.ttf') format('truetype-variations');
-  font-weight: 1 999;
-  font-style: normal;
+  font-family: 'GoogleSansCode';
+  src: url('/fonts/GoogleSansCode/GoogleSansCode.ttf') format('truetype-variations');
+  font-weight: 1 900;
+  font-style: monospace;
  ascent-override: 106.25%;
  size-adjust: 106.25%;
 }
@@ -37,7 +37,8 @@ img {

 /* You can override the default Infima variables here. */
 :root {
-  font-family: 'Overpass', sans-serif;
+  font-family: 'GoogleSans', sans-serif;
+  letter-spacing: 0.1px;
  --ifm-color-primary: #4250af;
  --ifm-color-primary-dark: #4250af;
  --ifm-color-primary-darker: #4250af;
@@ -48,6 +49,16 @@ img {
  --docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.1);
 }

+h1,
+h2,
+h3,
+h4,
+h5,
+h6 {
+  font-family: 'GoogleSans', sans-serif;
+  letter-spacing: 0.1px;
+}
+
 /* For readability concerns, you should choose a lighter palette in dark mode. */
 [data-theme='dark'] {
  --ifm-color-primary: #adcbfa;
@@ -71,15 +82,22 @@ div[class^='announcementBar_'] {
  padding: 10px 10px 10px 16px;
  border-radius: 24px;
  margin-right: 16px;
+  font-weight: 500;
 }

 .menu__list-item-collapsible {
  margin-right: 16px;
  border-radius: 24px;
+  font-weight: 500;
 }

 .menu__link--active {
-  font-weight: 500;
+  font-weight: 600;
+}
+
+.table-of-contents__link {
+  font-size: 14px;
+  font-weight: 450;
 }

 /* workaround for version switcher PR 15894 */
@@ -88,13 +106,14 @@ div[class*='navbar__items'] > li:has(a[class*='version-switcher-34ab39']) {
 }

 code {
-  font-weight: 600;
+  font-weight: 500;
+  font-family: 'GoogleSansCode';
 }

 .buy-button {
  padding: 8px 14px;
  border: 1px solid transparent;
-  font-family: 'Overpass', sans-serif;
+  font-family: 'GoogleSans', sans-serif;
  font-weight: 500;
  cursor: pointer;
  box-shadow: 0 0 5px 2px rgba(181, 206, 254, 0.4);
--- a/docs/static/fonts/GoogleSans/GoogleSans.ttf
+++ b/docs/static/fonts/GoogleSans/GoogleSans.ttf
--- a/docs/static/fonts/GoogleSansCode/GoogleSansCode.ttf
+++ b/docs/static/fonts/GoogleSansCode/GoogleSansCode.ttf
--- a/docs/static/fonts/overpass/Overpass-Italic.ttf
+++ b/docs/static/fonts/overpass/Overpass-Italic.ttf
--- a/docs/static/fonts/overpass/Overpass.ttf
+++ b/docs/static/fonts/overpass/Overpass.ttf
--- a/docs/static/fonts/overpass/OverpassMono.ttf
+++ b/docs/static/fonts/overpass/OverpassMono.ttf
--- a/e2e-auth-server/Dockerfile
+++ b/e2e-auth-server/Dockerfile
@@ -0,0 +1,6 @@
+FROM node:24.1.0-alpine3.20@sha256:8fe019e0d57dbdce5f5c27c0b63d2775cf34b00e3755a7dea969802d7e0c2b25
+RUN corepack enable
+ADD package.json *.ts ./
+RUN pnpm install
+EXPOSE 2286
+CMD ["pnpm", "run", "start"]
--- a/e2e-auth-server/auth-server.ts
+++ b/e2e-auth-server/auth-server.ts
@@ -125,7 +125,7 @@ const setup = async () => {
    ],
  });

-  const onStart = () => console.log(`[auth-server] http://${host}:${port}/.well-known/openid-configuration`);
+  const onStart = () => console.log(`[e2e-auth-server] http://${host}:${port}/.well-known/openid-configuration`);
  const app = oidc.listen(port, host, onStart);
  return () => app.close();
 };
--- a/e2e-auth-server/package.json
+++ b/e2e-auth-server/package.json
@@ -0,0 +1,15 @@
+{
+  "name": "@immich/e2e-auth-server",
+  "version": "0.1.0",
+  "type": "module",
+  "main": "auth-server.ts",
+  "scripts": {
+    "start": "tsx startup.ts"
+  },
+  "devDependencies": {
+    "jose": "^5.6.3",
+    "@types/oidc-provider": "^9.0.0",
+    "oidc-provider": "^9.0.0",
+    "tsx": "^4.20.6"
+  }
+}
--- a/e2e-auth-server/startup.ts
+++ b/e2e-auth-server/startup.ts
@@ -0,0 +1,8 @@
+import setup from './auth-server'
+
+const teardown = await setup()
+process.on('exit', () => {
+  teardown()
+  console.log('[e2e-auth-server] stopped')
+  process.exit(0)
+})
--- a/e2e/.nvmrc
+++ b/e2e/.nvmrc
@@ -1 +1 @@
-24.12.0
+24.13.0
--- a/e2e/docker-compose.yml
+++ b/e2e/docker-compose.yml
@@ -1,6 +1,12 @@
 name: immich-e2e

 services:
+  e2e-auth-server:
+    build:
+      context: ../e2e-auth-server
+    ports:
+      - 2286:2286
+
  immich-server:
    container_name: immich-e2e-server
    image: immich-server:latest
@@ -27,8 +33,6 @@ services:
      - IMMICH_IGNORE_MOUNT_CHECK_ERRORS=true
    volumes:
      - ./test-assets:/test-assets
-    extra_hosts:
-      - 'auth-server:host-gateway'
    depends_on:
      redis:
        condition: service_started
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -22,12 +22,12 @@
    "@eslint/js": "^9.8.0",
    "@faker-js/faker": "^10.1.0",
    "@immich/cli": "file:../cli",
+    "@immich/e2e-auth-server": "file:../e2e-auth-server",
    "@immich/sdk": "file:../open-api/typescript-sdk",
    "@playwright/test": "^1.44.1",
    "@socket.io/component-emitter": "^3.1.2",
    "@types/luxon": "^3.4.2",
-    "@types/node": "^24.10.4",
-    "@types/oidc-provider": "^9.0.0",
+    "@types/node": "^24.10.8",
    "@types/pg": "^8.15.1",
    "@types/pngjs": "^6.0.4",
    "@types/supertest": "^6.0.2",
@@ -38,9 +38,7 @@
    "eslint-plugin-unicorn": "^62.0.0",
    "exiftool-vendored": "^34.3.0",
    "globals": "^16.0.0",
-    "jose": "^5.6.3",
    "luxon": "^3.4.4",
-    "oidc-provider": "^9.0.0",
    "pg": "^8.11.3",
    "pngjs": "^7.0.0",
    "prettier": "^3.7.4",
@@ -54,6 +52,6 @@
    "vitest": "^3.0.0"
  },
  "volta": {
-    "node": "24.12.0"
+    "node": "24.13.0"
  }
 }
--- a/e2e/playwright.config.ts
+++ b/e2e/playwright.config.ts
@@ -8,7 +8,7 @@ dotenv.config({ path: resolve(import.meta.dirname, '.env') });
 export const playwrightHost = process.env.PLAYWRIGHT_HOST ?? '127.0.0.1';
 export const playwrightDbHost = process.env.PLAYWRIGHT_DB_HOST ?? '127.0.0.1';
 export const playwriteBaseUrl = process.env.PLAYWRIGHT_BASE_URL ?? `http://${playwrightHost}:2285`;
-export const playwriteSlowMo = parseInt(process.env.PLAYWRIGHT_SLOW_MO ?? '0');
+export const playwriteSlowMo = Number.parseInt(process.env.PLAYWRIGHT_SLOW_MO ?? '0');
 export const playwrightDisableWebserver = process.env.PLAYWRIGHT_DISABLE_WEBSERVER;

 process.env.PW_EXPERIMENTAL_SERVICE_WORKER_NETWORK_EVENTS = '1';
@@ -40,9 +40,9 @@ const config: PlaywrightTestConfig = {
      workers: 1,
    },
    {
-      name: 'parallel tests',
+      name: 'ui',
      use: { ...devices['Desktop Chrome'] },
-      testMatch: /.*\.parallel-e2e-spec\.ts/,
+      testMatch: /.*\.ui-spec\.ts/,
      fullyParallel: true,
      workers: process.env.CI ? 3 : Math.max(1, Math.round(cpus().length * 0.75) - 1),
    },
--- a/e2e/src/api/specs/database-backups.e2e-spec.ts
+++ b/e2e/src/api/specs/database-backups.e2e-spec.ts
@@ -0,0 +1,350 @@
+import { LoginResponseDto, ManualJobName } from '@immich/sdk';
+import { errorDto } from 'src/responses';
+import { app, utils } from 'src/utils';
+import request from 'supertest';
+import { afterAll, beforeAll, describe, expect, it } from 'vitest';
+
+describe('/admin/database-backups', () => {
+  let cookie: string | undefined;
+  let admin: LoginResponseDto;
+
+  beforeAll(async () => {
+    await utils.resetDatabase();
+    admin = await utils.adminSetup();
+    await utils.resetBackups(admin.accessToken);
+  });
+
+  describe('GET /', async () => {
+    it('should succeed and be empty', async () => {
+      const { status, body } = await request(app)
+        .get('/admin/database-backups')
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        backups: [],
+      });
+    });
+
+    it('should contain a created backup', async () => {
+      await utils.createJob(admin.accessToken, {
+        name: ManualJobName.BackupDatabase,
+      });
+
+      await utils.waitForQueueFinish(admin.accessToken, 'backupDatabase');
+
+      await expect
+        .poll(
+          async () => {
+            const { status, body } = await request(app)
+              .get('/admin/database-backups')
+              .set('Authorization', `Bearer ${admin.accessToken}`);
+
+            expect(status).toBe(200);
+            return body;
+          },
+          {
+            interval: 500,
+            timeout: 10_000,
+          },
+        )
+        .toEqual(
+          expect.objectContaining({
+            backups: [
+              expect.objectContaining({
+                filename: expect.stringMatching(/immich-db-backup-\d{8}T\d{6}-v.*-pg.*\.sql\.gz$/),
+                filesize: expect.any(Number),
+              }),
+            ],
+          }),
+        );
+    });
+  });
+
+  describe('DELETE /', async () => {
+    it('should delete backup', async () => {
+      const filename = await utils.createBackup(admin.accessToken);
+
+      const { status } = await request(app)
+        .delete(`/admin/database-backups`)
+        .set('Authorization', `Bearer ${admin.accessToken}`)
+        .send({ backups: [filename] });
+
+      expect(status).toBe(200);
+
+      const { status: listStatus, body } = await request(app)
+        .get('/admin/database-backups')
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+
+      expect(listStatus).toBe(200);
+      expect(body).toEqual(
+        expect.objectContaining({
+          backups: [],
+        }),
+      );
+    });
+  });
+
+  // => action: restore database flow
+
+  describe.sequential('POST /start-restore', () => {
+    afterAll(async () => {
+      await request(app).post('/admin/maintenance').set('cookie', cookie!).send({ action: 'end' });
+      await utils.poll(
+        () => request(app).get('/server/config'),
+        ({ status, body }) => status === 200 && !body.maintenanceMode,
+      );
+
+      admin = await utils.adminSetup();
+    });
+
+    it.sequential('should not work when the server is configured', async () => {
+      const { status, body } = await request(app).post('/admin/database-backups/start-restore').send();
+
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest('The server already has an admin'));
+    });
+
+    it.sequential('should enter maintenance mode in "database restore mode"', async () => {
+      await utils.resetDatabase(); // reset database before running this test
+
+      const { status, headers } = await request(app).post('/admin/database-backups/start-restore').send();
+
+      expect(status).toBe(201);
+
+      cookie = headers['set-cookie'][0].split(';')[0];
+
+      await expect
+        .poll(
+          async () => {
+            const { status, body } = await request(app).get('/server/config');
+            expect(status).toBe(200);
+            return body.maintenanceMode;
+          },
+          {
+            interval: 500,
+            timeout: 10_000,
+          },
+        )
+        .toBeTruthy();
+
+      const { status: status2, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
+      expect(status2).toBe(200);
+      expect(body).toEqual({
+        active: true,
+        action: 'select_database_restore',
+      });
+    });
+  });
+
+  // => action: restore database
+
+  describe.sequential('POST /backups/restore', () => {
+    beforeAll(async () => {
+      await utils.disconnectDatabase();
+    });
+
+    afterAll(async () => {
+      await utils.connectDatabase();
+    });
+
+    it.sequential('should restore a backup', { timeout: 60_000 }, async () => {
+      let filename = await utils.createBackup(admin.accessToken);
+
+      // work-around until test is running on released version
+      await utils.move(
+        `/data/backups/${filename}`,
+        '/data/backups/immich-db-backup-20260114T184016-v2.5.0-pg14.19.sql.gz',
+      );
+      filename = 'immich-db-backup-20260114T184016-v2.5.0-pg14.19.sql.gz';
+
+      const { status } = await request(app)
+        .post('/admin/maintenance')
+        .set('Authorization', `Bearer ${admin.accessToken}`)
+        .send({
+          action: 'restore_database',
+          restoreBackupFilename: filename,
+        });
+
+      expect(status).toBe(201);
+
+      await expect
+        .poll(
+          async () => {
+            const { status, body } = await request(app).get('/server/config');
+            expect(status).toBe(200);
+            return body.maintenanceMode;
+          },
+          {
+            interval: 500,
+            timeout: 10_000,
+          },
+        )
+        .toBeTruthy();
+
+      const { status: status2, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
+      expect(status2).toBe(200);
+      expect(body).toEqual(
+        expect.objectContaining({
+          active: true,
+          action: 'restore_database',
+        }),
+      );
+
+      await expect
+        .poll(
+          async () => {
+            const { status, body } = await request(app).get('/server/config');
+            expect(status).toBe(200);
+            return body.maintenanceMode;
+          },
+          {
+            interval: 500,
+            timeout: 60_000,
+          },
+        )
+        .toBeFalsy();
+    });
+
+    it.sequential('fail to restore a corrupted backup', { timeout: 60_000 }, async () => {
+      await utils.prepareTestBackup('corrupted');
+
+      const { status, headers } = await request(app)
+        .post('/admin/maintenance')
+        .set('Authorization', `Bearer ${admin.accessToken}`)
+        .send({
+          action: 'restore_database',
+          restoreBackupFilename: 'development-corrupted.sql.gz',
+        });
+
+      expect(status).toBe(201);
+      cookie = headers['set-cookie'][0].split(';')[0];
+
+      await expect
+        .poll(
+          async () => {
+            const { status, body } = await request(app).get('/server/config');
+            expect(status).toBe(200);
+            return body.maintenanceMode;
+          },
+          {
+            interval: 500,
+            timeout: 10_000,
+          },
+        )
+        .toBeTruthy();
+
+      await expect
+        .poll(
+          async () => {
+            const { status, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
+            expect(status).toBe(200);
+            return body;
+          },
+          {
+            interval: 500,
+            timeout: 10_000,
+          },
+        )
+        .toEqual(
+          expect.objectContaining({
+            active: true,
+            action: 'restore_database',
+            error: 'Something went wrong, see logs!',
+          }),
+        );
+
+      const { status: status2, body: body2 } = await request(app)
+        .get('/admin/maintenance/status')
+        .set('cookie', cookie!)
+        .send({ token: 'token' });
+      expect(status2).toBe(200);
+      expect(body2).toEqual(
+        expect.objectContaining({
+          active: true,
+          action: 'restore_database',
+          error: expect.stringContaining('IM CORRUPTED'),
+        }),
+      );
+
+      await request(app).post('/admin/maintenance').set('cookie', cookie!).send({
+        action: 'end',
+      });
+
+      await utils.poll(
+        () => request(app).get('/server/config'),
+        ({ status, body }) => status === 200 && !body.maintenanceMode,
+      );
+    });
+
+    it.sequential('rollback to restore point if backup is missing admin', { timeout: 60_000 }, async () => {
+      await utils.prepareTestBackup('empty');
+
+      const { status, headers } = await request(app)
+        .post('/admin/maintenance')
+        .set('Authorization', `Bearer ${admin.accessToken}`)
+        .send({
+          action: 'restore_database',
+          restoreBackupFilename: 'development-empty.sql.gz',
+        });
+
+      expect(status).toBe(201);
+      cookie = headers['set-cookie'][0].split(';')[0];
+
+      await expect
+        .poll(
+          async () => {
+            const { status, body } = await request(app).get('/server/config');
+            expect(status).toBe(200);
+            return body.maintenanceMode;
+          },
+          {
+            interval: 500,
+            timeout: 10_000,
+          },
+        )
+        .toBeTruthy();
+
+      await expect
+        .poll(
+          async () => {
+            const { status, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
+            expect(status).toBe(200);
+            return body;
+          },
+          {
+            interval: 500,
+            timeout: 30_000,
+          },
+        )
+        .toEqual(
+          expect.objectContaining({
+            active: true,
+            action: 'restore_database',
+            error: 'Something went wrong, see logs!',
+          }),
+        );
+
+      const { status: status2, body: body2 } = await request(app)
+        .get('/admin/maintenance/status')
+        .set('cookie', cookie!)
+        .send({ token: 'token' });
+      expect(status2).toBe(200);
+      expect(body2).toEqual(
+        expect.objectContaining({
+          active: true,
+          action: 'restore_database',
+          error: expect.stringContaining('Server health check failed, no admin exists.'),
+        }),
+      );
+
+      await request(app).post('/admin/maintenance').set('cookie', cookie!).send({
+        action: 'end',
+      });
+
+      await utils.poll(
+        () => request(app).get('/server/config'),
+        ({ status, body }) => status === 200 && !body.maintenanceMode,
+      );
+    });
+  });
+});
--- a/e2e/src/api/specs/maintenance.e2e-spec.ts
+++ b/e2e/src/api/specs/maintenance.e2e-spec.ts
@@ -14,6 +14,7 @@ describe('/admin/maintenance', () => {
    await utils.resetDatabase();
    admin = await utils.adminSetup();
    nonAdmin = await utils.userSetup(admin.accessToken, createUserDto.user1);
+    await utils.resetBackups(admin.accessToken);
  });

  // => outside of maintenance mode
@@ -26,6 +27,17 @@ describe('/admin/maintenance', () => {
    });
  });

+  describe('GET /status', async () => {
+    it('to always indicate we are not in maintenance mode', async () => {
+      const { status, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        active: false,
+        action: 'end',
+      });
+    });
+  });
+
  describe('POST /login', async () => {
    it('should not work out of maintenance mode', async () => {
      const { status, body } = await request(app).post('/admin/maintenance/login').send({ token: 'token' });
@@ -39,6 +51,7 @@ describe('/admin/maintenance', () => {
  describe.sequential('POST /', () => {
    it('should require authentication', async () => {
      const { status, body } = await request(app).post('/admin/maintenance').send({
+        active: false,
        action: 'end',
      });
      expect(status).toBe(401);
@@ -69,6 +82,7 @@ describe('/admin/maintenance', () => {
        .send({
          action: 'start',
        });
+
      expect(status).toBe(201);

      cookie = headers['set-cookie'][0].split(';')[0];
@@ -79,12 +93,13 @@ describe('/admin/maintenance', () => {
      await expect
        .poll(
          async () => {
-            const { body } = await request(app).get('/server/config');
+            const { status, body } = await request(app).get('/server/config');
+            expect(status).toBe(200);
            return body.maintenanceMode;
          },
          {
-            interval: 5e2,
-            timeout: 1e4,
+            interval: 500,
+            timeout: 10_000,
          },
        )
        .toBeTruthy();
@@ -102,6 +117,17 @@ describe('/admin/maintenance', () => {
      });
    });

+    describe('GET /status', async () => {
+      it('to indicate we are in maintenance mode', async () => {
+        const { status, body } = await request(app).get('/admin/maintenance/status').send({ token: 'token' });
+        expect(status).toBe(200);
+        expect(body).toEqual({
+          active: true,
+          action: 'start',
+        });
+      });
+    });
+
    describe('POST /login', async () => {
      it('should fail without cookie or token in body', async () => {
        const { status, body } = await request(app).post('/admin/maintenance/login').send({});
@@ -158,12 +184,13 @@ describe('/admin/maintenance', () => {
      await expect
        .poll(
          async () => {
-            const { body } = await request(app).get('/server/config');
+            const { status, body } = await request(app).get('/server/config');
+            expect(status).toBe(200);
            return body.maintenanceMode;
          },
          {
-            interval: 5e2,
-            timeout: 1e4,
+            interval: 500,
+            timeout: 10_000,
          },
        )
        .toBeFalsy();
--- a/e2e/src/api/specs/oauth.e2e-spec.ts
+++ b/e2e/src/api/specs/oauth.e2e-spec.ts
@@ -1,3 +1,4 @@
+import { OAuthClient, OAuthUser } from '@immich/e2e-auth-server';
 import {
  LoginResponseDto,
  SystemConfigOAuthDto,
@@ -8,13 +9,12 @@ import {
 } from '@immich/sdk';
 import { createHash, randomBytes } from 'node:crypto';
 import { errorDto } from 'src/responses';
-import { OAuthClient, OAuthUser } from 'src/setup/auth-server';
 import { app, asBearerAuth, baseUrl, utils } from 'src/utils';
 import request from 'supertest';
 import { beforeAll, describe, expect, it } from 'vitest';

 const authServer = {
-  internal: 'http://auth-server:2286',
+  internal: 'http://e2e-auth-server:2286',
  external: 'http://127.0.0.1:2286',
 };

--- a/e2e/src/generators.ts
+++ b/e2e/src/generators.ts
@@ -26,6 +26,5 @@ export const makeRandomImage = () => {
  if (!value) {
    throw new Error('Ran out of random asset data');
  }
-
  return value;
 };
--- a/e2e/src/generators/timeline/rest-response.ts
+++ b/e2e/src/generators/timeline/rest-response.ts
@@ -346,6 +346,9 @@ export function toAssetResponseDto(asset: MockTimelineAsset, owner?: UserRespons
    duplicateId: null,
    resized: true,
    checksum: asset.checksum,
+    width: exifInfo.exifImageWidth ?? 1,
+    height: exifInfo.exifImageHeight ?? 1,
+    isEdited: false,
  };
 }

--- a/e2e/src/mock-network/timeline-network.ts
+++ b/e2e/src/mock-network/timeline-network.ts
@@ -1,3 +1,4 @@
+import { AssetResponseDto } from '@immich/sdk';
 import { BrowserContext, Page, Request, Route } from '@playwright/test';
 import { basename } from 'node:path';
 import {
@@ -63,15 +64,33 @@ export const setupTimelineMockApiRoutes = async (
  });

  await context.route('**/api/assets/*', async (route, request) => {
-    const url = new URL(request.url());
-    const pathname = url.pathname;
-    const assetId = basename(pathname);
-    const asset = getAsset(timelineRestData, assetId);
-    return route.fulfill({
-      status: 200,
-      contentType: 'application/json',
-      json: asset,
-    });
+    if (request.method() === 'GET') {
+      const url = new URL(request.url());
+      const pathname = url.pathname;
+      const assetId = basename(pathname);
+      let asset = getAsset(timelineRestData, assetId);
+      if (changes.assetDeletions.includes(asset!.id)) {
+        asset = {
+          ...asset,
+          isTrashed: true,
+        } as AssetResponseDto;
+      }
+      return route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        json: asset,
+      });
+    }
+    await route.fallback();
+  });
+
+  await context.route('**/api/assets', async (route, request) => {
+    if (request.method() === 'DELETE') {
+      return route.fulfill({
+        status: 204,
+      });
+    }
+    await route.fallback();
  });

  await context.route('**/api/assets/*/ocr', async (route) => {
@@ -117,17 +136,28 @@ export const setupTimelineMockApiRoutes = async (
  });

  await context.route('**/api/albums/**', async (route, request) => {
-    const pattern = /\/api\/albums\/(?<albumId>[^/?]+)/;
-    const match = request.url().match(pattern);
-    if (!match) {
-      return route.continue();
+    const albumsMatch = request.url().match(/\/api\/albums\/(?<albumId>[^/?]+)/);
+    if (albumsMatch) {
+      const album = getAlbum(timelineRestData, testContext.adminId, albumsMatch.groups?.albumId, changes);
+      return route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        json: album,
+      });
    }
-    const album = getAlbum(timelineRestData, testContext.adminId, match.groups?.albumId, changes);
-    return route.fulfill({
-      status: 200,
-      contentType: 'application/json',
-      json: album,
-    });
+    return route.fallback();
+  });
+
+  await context.route('**/api/albums**', async (route, request) => {
+    const allAlbums = request.url().match(/\/api\/albums\?assetId=(?<assetId>[^&]+)/);
+    if (allAlbums) {
+      return route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        json: [],
+      });
+    }
+    return route.fallback();
  });
 };

--- a/e2e/src/utils.ts
+++ b/e2e/src/utils.ts
@@ -6,7 +6,9 @@ import {
  CheckExistingAssetsDto,
  CreateAlbumDto,
  CreateLibraryDto,
+  JobCreateDto,
  MaintenanceAction,
+  ManualJobName,
  MetadataSearchDto,
  Permission,
  PersonCreateDto,
@@ -21,6 +23,7 @@ import {
  checkExistingAssets,
  createAlbum,
  createApiKey,
+  createJob,
  createLibrary,
  createPartner,
  createPerson,
@@ -28,10 +31,12 @@ import {
  createStack,
  createUserAdmin,
  deleteAssets,
+  deleteDatabaseBackup,
  getAssetInfo,
  getConfig,
  getConfigDefaults,
  getQueuesLegacy,
+  listDatabaseBackups,
  login,
  runQueueCommandLegacy,
  scanLibrary,
@@ -52,11 +57,15 @@ import {
 import { BrowserContext } from '@playwright/test';
 import { exec, spawn } from 'node:child_process';
 import { createHash } from 'node:crypto';
-import { existsSync, mkdirSync, renameSync, rmSync, writeFileSync } from 'node:fs';
+import { createWriteStream, existsSync, mkdirSync, renameSync, rmSync, writeFileSync } from 'node:fs';
+import { mkdtemp } from 'node:fs/promises';
 import { tmpdir } from 'node:os';
-import { dirname, resolve } from 'node:path';
+import { dirname, join, resolve } from 'node:path';
+import { Readable } from 'node:stream';
+import { pipeline } from 'node:stream/promises';
 import { setTimeout as setAsyncTimeout } from 'node:timers/promises';
 import { promisify } from 'node:util';
+import { createGzip } from 'node:zlib';
 import pg from 'pg';
 import { io, type Socket } from 'socket.io-client';
 import { loginDto, signupDto } from 'src/fixtures';
@@ -84,8 +93,9 @@ export const asBearerAuth = (accessToken: string) => ({ Authorization: `Bearer $
 export const asKeyAuth = (key: string) => ({ 'x-api-key': key });
 export const immichCli = (args: string[]) =>
  executeCommand('pnpm', ['exec', 'immich', '-d', `/${tempDir}/immich/`, ...args], { cwd: '../cli' }).promise;
-export const immichAdmin = (args: string[]) =>
-  executeCommand('docker', ['exec', '-i', 'immich-e2e-server', '/bin/bash', '-c', `immich-admin ${args.join(' ')}`]);
+export const dockerExec = (args: string[]) =>
+  executeCommand('docker', ['exec', '-i', 'immich-e2e-server', '/bin/bash', '-c', args.join(' ')]);
+export const immichAdmin = (args: string[]) => dockerExec([`immich-admin ${args.join(' ')}`]);
 export const specialCharStrings = ["'", '"', ',', '{', '}', '*'];
 export const TEN_TIMES = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9];

@@ -149,12 +159,26 @@ const onEvent = ({ event, id }: { event: EventType; id: string }) => {
 };

 export const utils = {
+  connectDatabase: async () => {
+    if (!client) {
+      client = new pg.Client(dbUrl);
+      client.on('end', () => (client = null));
+      client.on('error', () => (client = null));
+      await client.connect();
+    }
+
+    return client;
+  },
+
+  disconnectDatabase: async () => {
+    if (client) {
+      await client.end();
+    }
+  },
+
  resetDatabase: async (tables?: string[]) => {
    try {
-      if (!client) {
-        client = new pg.Client(dbUrl);
-        await client.connect();
-      }
+      client = await utils.connectDatabase();

      tables = tables || [
        // TODO e2e test for deleting a stack, since it is quite complex
@@ -481,6 +505,9 @@ export const utils = {
  tagAssets: (accessToken: string, tagId: string, assetIds: string[]) =>
    tagAssets({ id: tagId, bulkIdsDto: { ids: assetIds } }, { headers: asBearerAuth(accessToken) }),

+  createJob: async (accessToken: string, jobCreateDto: JobCreateDto) =>
+    createJob({ jobCreateDto }, { headers: asBearerAuth(accessToken) }),
+
  queueCommand: async (accessToken: string, name: QueueName, queueCommandDto: QueueCommandDto) =>
    runQueueCommandLegacy({ name, queueCommandDto }, { headers: asBearerAuth(accessToken) }),

@@ -559,6 +586,45 @@ export const utils = {
    mkdirSync(`${testAssetDir}/temp`, { recursive: true });
  },

+  async move(source: string, dest: string) {
+    return executeCommand('docker', ['exec', 'immich-e2e-server', 'mv', source, dest]).promise;
+  },
+
+  createBackup: async (accessToken: string) => {
+    await utils.createJob(accessToken, {
+      name: ManualJobName.BackupDatabase,
+    });
+
+    return utils.poll(
+      () => request(app).get('/admin/database-backups').set('Authorization', `Bearer ${accessToken}`),
+      ({ status, body }) => status === 200 && body.backups.length === 1,
+      ({ body }) => body.backups[0].filename,
+    );
+  },
+
+  resetBackups: async (accessToken: string) => {
+    const { backups } = await listDatabaseBackups({ headers: asBearerAuth(accessToken) });
+
+    const backupFiles = backups.map((b) => b.filename);
+    await deleteDatabaseBackup(
+      { databaseBackupDeleteDto: { backups: backupFiles } },
+      { headers: asBearerAuth(accessToken) },
+    );
+  },
+
+  prepareTestBackup: async (generate: 'empty' | 'corrupted') => {
+    const dir = await mkdtemp(join(tmpdir(), 'test-'));
+    const fn = join(dir, 'file');
+
+    const sql = Readable.from(generate === 'corrupted' ? 'IM CORRUPTED;' : 'SELECT 1;');
+    const gzip = createGzip();
+    const writeStream = createWriteStream(fn);
+    await pipeline(sql, gzip, writeStream);
+
+    await executeCommand('docker', ['cp', fn, `immich-e2e-server:/data/backups/development-${generate}.sql.gz`])
+      .promise;
+  },
+
  resetAdminConfig: async (accessToken: string) => {
    const defaultConfig = await getConfigDefaults({ headers: asBearerAuth(accessToken) });
    await updateConfig({ systemConfigDto: defaultConfig }, { headers: asBearerAuth(accessToken) });
@@ -601,6 +667,25 @@ export const utils = {
    await utils.waitForQueueFinish(accessToken, 'sidecar');
    await utils.waitForQueueFinish(accessToken, 'metadataExtraction');
  },
+
+  async poll<T>(cb: () => Promise<T>, validate: (value: T) => boolean, map?: (value: T) => any) {
+    let timeout = 0;
+    while (true) {
+      try {
+        const data = await cb();
+        if (validate(data)) {
+          return map ? map(data) : data;
+        }
+        timeout++;
+        if (timeout >= 10) {
+          throw 'Could not clean up test.';
+        }
+        await new Promise((resolve) => setTimeout(resolve, 5e2));
+      } catch {
+        // no-op
+      }
+    }
+  },
 };

 utils.initSdk();
--- a/e2e/src/web/specs/asset-viewer/asset-viewer.ui-spec.ts
+++ b/e2e/src/web/specs/asset-viewer/asset-viewer.ui-spec.ts
@@ -0,0 +1,269 @@
+import { faker } from '@faker-js/faker';
+import { expect, test } from '@playwright/test';
+import {
+  Changes,
+  createDefaultTimelineConfig,
+  generateTimelineData,
+  SeededRandom,
+  selectRandom,
+  TimelineAssetConfig,
+  TimelineData,
+} from 'src/generators/timeline';
+import { setupBaseMockApiRoutes } from 'src/mock-network/base-network';
+import { setupTimelineMockApiRoutes, TimelineTestContext } from 'src/mock-network/timeline-network';
+import { utils } from 'src/utils';
+import { assetViewerUtils } from 'src/web/specs/timeline/utils';
+
+test.describe.configure({ mode: 'parallel' });
+test.describe('asset-viewer', () => {
+  const rng = new SeededRandom(529);
+  let adminUserId: string;
+  let timelineRestData: TimelineData;
+  const assets: TimelineAssetConfig[] = [];
+  const yearMonths: string[] = [];
+  const testContext = new TimelineTestContext();
+  const changes: Changes = {
+    albumAdditions: [],
+    assetDeletions: [],
+    assetArchivals: [],
+    assetFavorites: [],
+  };
+
+  test.beforeAll(async () => {
+    utils.initSdk();
+    adminUserId = faker.string.uuid();
+    testContext.adminId = adminUserId;
+    timelineRestData = generateTimelineData({ ...createDefaultTimelineConfig(), ownerId: adminUserId });
+    for (const timeBucket of timelineRestData.buckets.values()) {
+      assets.push(...timeBucket);
+    }
+    for (const yearMonth of timelineRestData.buckets.keys()) {
+      const [year, month] = yearMonth.split('-');
+      yearMonths.push(`${year}-${Number(month)}`);
+    }
+  });
+
+  test.beforeEach(async ({ context }) => {
+    await setupBaseMockApiRoutes(context, adminUserId);
+    await setupTimelineMockApiRoutes(context, timelineRestData, changes, testContext);
+  });
+
+  test.afterEach(() => {
+    testContext.slowBucket = false;
+    changes.albumAdditions = [];
+    changes.assetDeletions = [];
+    changes.assetArchivals = [];
+    changes.assetFavorites = [];
+  });
+
+  test.describe('/photos/:id', () => {
+    test('Navigate to next asset via button', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+
+      await page.getByLabel('View next asset').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index + 1].id}`);
+    });
+
+    test('Navigate to previous asset via button', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+
+      await page.getByLabel('View previous asset').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index - 1].id}`);
+    });
+
+    test('Navigate to next asset via keyboard (ArrowRight)', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+
+      await page.keyboard.press('ArrowRight');
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index + 1].id}`);
+    });
+
+    test('Navigate to previous asset via keyboard (ArrowLeft)', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+
+      await page.keyboard.press('ArrowLeft');
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index - 1].id}`);
+    });
+
+    test('Navigate forward 5 times via button', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+
+      for (let i = 1; i <= 5; i++) {
+        await page.getByLabel('View next asset').click();
+        await assetViewerUtils.waitForViewerLoad(page, assets[index + i]);
+        await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index + i].id}`);
+      }
+    });
+
+    test('Navigate backward 5 times via button', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+
+      for (let i = 1; i <= 5; i++) {
+        await page.getByLabel('View previous asset').click();
+        await assetViewerUtils.waitForViewerLoad(page, assets[index - i]);
+        await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${assets[index - i].id}`);
+      }
+    });
+
+    test('Navigate forward then backward via keyboard', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+
+      // Navigate forward 3 times
+      for (let i = 1; i <= 3; i++) {
+        await page.keyboard.press('ArrowRight');
+        await assetViewerUtils.waitForViewerLoad(page, assets[index + i]);
+      }
+
+      // Navigate backward 3 times to return to original
+      for (let i = 2; i >= 0; i--) {
+        await page.keyboard.press('ArrowLeft');
+        await assetViewerUtils.waitForViewerLoad(page, assets[index + i]);
+      }
+
+      // Verify we're back at the original asset
+      await expect.poll(() => new URL(page.url()).pathname).toBe(`/photos/${asset.id}`);
+    });
+
+    test('Verify no next button on last asset', async ({ page }) => {
+      const lastAsset = assets.at(-1)!;
+      await page.goto(`/photos/${lastAsset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, lastAsset);
+
+      // Verify next button doesn't exist
+      await expect(page.getByLabel('View next asset')).toHaveCount(0);
+    });
+
+    test('Verify no previous button on first asset', async ({ page }) => {
+      const firstAsset = assets[0];
+      await page.goto(`/photos/${firstAsset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, firstAsset);
+
+      // Verify previous button doesn't exist
+      await expect(page.getByLabel('View previous asset')).toHaveCount(0);
+    });
+
+    test('Delete photo advances to next', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      const index = assets.indexOf(asset);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+    });
+    test('Delete photo advances to next (2x)', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      const index = assets.indexOf(asset);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+      await page.getByLabel('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 2]);
+    });
+    test('Delete last photo advances to prev', async ({ page }) => {
+      const asset = assets.at(-1)!;
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      const index = assets.indexOf(asset);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
+    });
+    test('Delete last photo advances to prev (2x)', async ({ page }) => {
+      const asset = assets.at(-1)!;
+      await page.goto(`/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      const index = assets.indexOf(asset);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 1]);
+      await page.getByLabel('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index - 2]);
+    });
+  });
+  test.describe('/trash/photos/:id', () => {
+    test('Delete trashed photo advances to next', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
+      changes.assetDeletions.push(...deletedAssets);
+      await page.goto(`/trash/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+    });
+    test('Delete trashed photo advances to next 2x', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
+      changes.assetDeletions.push(...deletedAssets);
+      await page.goto(`/trash/photos/${asset.id}`);
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 1]);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 2]);
+    });
+    test('Delete trashed photo advances to prev', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
+      changes.assetDeletions.push(...deletedAssets);
+      await page.goto(`/trash/photos/${assets[index + 9].id}`);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 9]);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 8]);
+    });
+    test('Delete trashed photo advances to prev 2x', async ({ page }) => {
+      const asset = selectRandom(assets, rng);
+      const index = assets.indexOf(asset);
+      const deletedAssets = assets.slice(index - 10, index + 10).map((asset) => asset.id);
+      changes.assetDeletions.push(...deletedAssets);
+      await page.goto(`/trash/photos/${assets[index + 9].id}`);
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 9]);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 8]);
+      await page.getByLabel('Delete').click();
+      // confirm dialog
+      await page.getByRole('button').getByText('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[index + 7]);
+    });
+  });
+});
--- a/e2e/src/web/specs/database-backups.e2e-spec.ts
+++ b/e2e/src/web/specs/database-backups.e2e-spec.ts
@@ -0,0 +1,105 @@
+import { LoginResponseDto } from '@immich/sdk';
+import { expect, test } from '@playwright/test';
+import { utils } from 'src/utils';
+
+test.describe.configure({ mode: 'serial' });
+
+test.describe('Database Backups', () => {
+  let admin: LoginResponseDto;
+
+  test.beforeAll(async () => {
+    utils.initSdk();
+    await utils.resetDatabase();
+    admin = await utils.adminSetup();
+  });
+
+  test('restore a backup from settings', async ({ context, page }) => {
+    test.setTimeout(60_000);
+
+    await utils.resetBackups(admin.accessToken);
+    const filename = await utils.createBackup(admin.accessToken);
+    await utils.setAuthCookies(context, admin.accessToken);
+
+    // work-around until test is running on released version
+    await utils.move(
+      `/data/backups/${filename}`,
+      '/data/backups/immich-db-backup-20260114T184016-v2.5.0-pg14.19.sql.gz',
+    );
+
+    await page.goto('/admin/maintenance?isOpen=backups');
+    await page.getByRole('button', { name: 'Restore', exact: true }).click();
+    await page.getByRole('dialog').getByRole('button', { name: 'Restore' }).click();
+
+    await page.waitForURL('/maintenance?**');
+    await page.waitForURL('/admin/maintenance**', { timeout: 60_000 });
+  });
+
+  test('handle backup restore failure', async ({ context, page }) => {
+    test.setTimeout(60_000);
+
+    await utils.resetBackups(admin.accessToken);
+    await utils.prepareTestBackup('corrupted');
+    await utils.setAuthCookies(context, admin.accessToken);
+
+    await page.goto('/admin/maintenance?isOpen=backups');
+    await page.getByRole('button', { name: 'Restore', exact: true }).click();
+    await page.getByRole('dialog').getByRole('button', { name: 'Restore' }).click();
+
+    await page.waitForURL('/maintenance?**');
+    await expect(page.getByText('IM CORRUPTED')).toBeVisible({ timeout: 60_000 });
+    await page.getByRole('button', { name: 'End maintenance mode' }).click();
+    await page.waitForURL('/admin/maintenance**');
+  });
+
+  test('rollback to restore point if backup is missing admin', async ({ context, page }) => {
+    test.setTimeout(60_000);
+
+    await utils.resetBackups(admin.accessToken);
+    await utils.prepareTestBackup('empty');
+    await utils.setAuthCookies(context, admin.accessToken);
+
+    await page.goto('/admin/maintenance?isOpen=backups');
+    await page.getByRole('button', { name: 'Restore', exact: true }).click();
+    await page.getByRole('dialog').getByRole('button', { name: 'Restore' }).click();
+
+    await page.waitForURL('/maintenance?**');
+    await expect(page.getByText('Server health check failed, no admin exists.')).toBeVisible({ timeout: 60_000 });
+    await page.getByRole('button', { name: 'End maintenance mode' }).click();
+    await page.waitForURL('/admin/maintenance**');
+  });
+
+  test('restore a backup from onboarding', async ({ context, page }) => {
+    test.setTimeout(60_000);
+
+    await utils.resetBackups(admin.accessToken);
+    const filename = await utils.createBackup(admin.accessToken);
+    await utils.setAuthCookies(context, admin.accessToken);
+
+    // work-around until test is running on released version
+    await utils.move(
+      `/data/backups/${filename}`,
+      '/data/backups/immich-db-backup-20260114T184016-v2.5.0-pg14.19.sql.gz',
+    );
+
+    await utils.resetDatabase();
+
+    await page.goto('/');
+    await page.getByRole('button', { name: 'Restore from backup' }).click();
+
+    try {
+      await page.waitForURL('/maintenance**');
+    } catch {
+      // when chained with the rest of the tests
+      // this navigation may fail..? not sure why...
+      await page.goto('/maintenance');
+      await page.waitForURL('/maintenance**');
+    }
+
+    await page.getByRole('button', { name: 'Next' }).click();
+    await page.getByRole('button', { name: 'Restore', exact: true }).click();
+    await page.getByRole('dialog').getByRole('button', { name: 'Restore' }).click();
+
+    await page.waitForURL('/maintenance?**');
+    await page.waitForURL('/photos', { timeout: 60_000 });
+  });
+});
--- a/e2e/src/web/specs/maintenance.e2e-spec.ts
+++ b/e2e/src/web/specs/maintenance.e2e-spec.ts
@@ -16,12 +16,12 @@ test.describe('Maintenance', () => {
  test('enter and exit maintenance mode', async ({ context, page }) => {
    await utils.setAuthCookies(context, admin.accessToken);

-    await page.goto('/admin/system-settings?isOpen=maintenance');
-    await page.getByRole('button', { name: 'Start maintenance mode' }).click();
+    await page.goto('/admin/maintenance');
+    await page.getByRole('button', { name: 'Switch to maintenance mode' }).click();

    await expect(page.getByText('Temporarily Unavailable')).toBeVisible({ timeout: 10_000 });
    await page.getByRole('button', { name: 'End maintenance mode' }).click();
-    await page.waitForURL('**/admin/system-settings*', { timeout: 10_000 });
+    await page.waitForURL('**/admin/maintenance*', { timeout: 10_000 });
  });

  test('maintenance shows no options to users until they authenticate', async ({ page }) => {
--- a/e2e/src/web/specs/photo-viewer.e2e-spec.ts
+++ b/e2e/src/web/specs/photo-viewer.e2e-spec.ts
@@ -3,7 +3,7 @@ import { Page, expect, test } from '@playwright/test';
 import { utils } from 'src/utils';

 function imageLocator(page: Page) {
-  return page.getByAltText('Image taken on').locator('visible=true');
+  return page.getByAltText('Image taken').locator('visible=true');
 }
 test.describe('Photo Viewer', () => {
  let admin: LoginResponseDto;
--- a/e2e/src/web/specs/timeline/timeline.parallel-e2e-spec.ts
+++ b/e2e/src/web/specs/timeline/timeline.parallel-e2e-spec.ts
@@ -18,7 +18,6 @@ import { pageRoutePromise, setupTimelineMockApiRoutes, TimelineTestContext } fro
 import { utils } from 'src/utils';
 import {
  assetViewerUtils,
-  cancelAllPollers,
  padYearMonth,
  pageUtils,
  poll,
@@ -64,7 +63,6 @@ test.describe('Timeline', () => {
  });

  test.afterEach(() => {
-    cancelAllPollers();
    testContext.slowBucket = false;
    changes.albumAdditions = [];
    changes.assetDeletions = [];
@@ -463,7 +461,7 @@ test.describe('Timeline', () => {
        });
        changes.albumAdditions.push(...requestJson.ids);
      });
-      await page.getByText('Done').click();
+      await page.getByText('Add assets').click();
      await expect(put).resolves.toEqual({
        ids: [
          'c077ea7b-cfa1-45e4-8554-f86c00ee5658',
--- a/e2e/src/web/specs/timeline/utils.ts
+++ b/e2e/src/web/specs/timeline/utils.ts
@@ -23,13 +23,6 @@ export async function throttlePage(context: BrowserContext, page: Page) {
  await session.send('Emulation.setCPUThrottlingRate', { rate: 10 });
 }

-let activePollsAbortController = new AbortController();
-
-export const cancelAllPollers = () => {
-  activePollsAbortController.abort();
-  activePollsAbortController = new AbortController();
-};
-
 export const poll = async <T>(
  page: Page,
  query: () => Promise<T>,
@@ -37,21 +30,14 @@ export const poll = async <T>(
 ) => {
  let result;
  const timeout = Date.now() + 10_000;
-  const signal = activePollsAbortController.signal;

  const terminate = callback || ((result: Awaited<T> | undefined) => !!result);
  while (!terminate(result) && Date.now() < timeout) {
-    if (signal.aborted) {
-      return;
-    }
    try {
      result = await query();
    } catch {
      // ignore
    }
-    if (signal.aborted) {
-      return;
-    }
    if (page.isClosed()) {
      return;
    }
@@ -181,8 +167,12 @@ export const assetViewerUtils = {
  },
  async waitForViewerLoad(page: Page, asset: TimelineAssetConfig) {
    await page
-      .locator(`img[draggable="false"][src="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}"]`)
-      .or(page.locator(`video[poster="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}"]`))
+      .locator(
+        `img[draggable="false"][src="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}&edited=true"]`,
+      )
+      .or(
+        page.locator(`video[poster="/api/assets/${asset.id}/thumbnail?size=preview&c=${asset.thumbhash}&edited=true"]`),
+      )
      .waitFor();
  },
  async expectActiveAssetToBe(page: Page, assetId: string) {
--- a/e2e/src/web/specs/user-admin.e2e-spec.ts
+++ b/e2e/src/web/specs/user-admin.e2e-spec.ts
@@ -56,7 +56,7 @@ test.describe('User Administration', () => {
    await expect(page.getByLabel('Admin User')).not.toBeChecked();
    await page.getByLabel('Admin User').click();
    await expect(page.getByLabel('Admin User')).toBeChecked();
-    await page.getByRole('button', { name: 'Confirm' }).click();
+    await page.getByRole('button', { name: 'Save' }).click();

    await expect
      .poll(async () => {
@@ -85,7 +85,7 @@ test.describe('User Administration', () => {
    await expect(page.getByLabel('Admin User')).toBeChecked();
    await page.getByLabel('Admin User').click();
    await expect(page.getByLabel('Admin User')).not.toBeChecked();
-    await page.getByRole('button', { name: 'Confirm' }).click();
+    await page.getByRole('button', { name: 'Save' }).click();

    await expect
      .poll(async () => {
--- a/e2e/vitest.config.ts
+++ b/e2e/vitest.config.ts
@@ -1,7 +1,7 @@
 import { defineConfig } from 'vitest/config';

 // skip `docker compose up` if `make e2e` was already run
-const globalSetup: string[] = ['src/setup/auth-server.ts'];
+const globalSetup: string[] = [];
 try {
  await fetch('http://127.0.0.1:2285/api/server-info/ping');
 } catch {
--- a/i18n/.prettierrc
+++ b/i18n/.prettierrc
@@ -0,0 +1,5 @@
+{
+  "jsonRecursiveSort": true,
+  "jsonSortOrder": "{\"/.*/\": \"lexical\"}",
+  "plugins": ["prettier-plugin-sort-json"]
+}
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -18,6 +18,7 @@
  "add_a_title": "Add a title",
  "add_action": "Add action",
  "add_action_description": "Click to add an action to perform",
+  "add_assets": "Add assets",
  "add_birthday": "Add a birthday",
  "add_endpoint": "Add endpoint",
  "add_exclusion_pattern": "Add exclusion pattern",
@@ -187,10 +188,21 @@
    "machine_learning_smart_search_enabled": "Enable smart search",
    "machine_learning_smart_search_enabled_description": "If disabled, images will not be encoded for smart search.",
    "machine_learning_url_description": "The URL of the machine learning server. If more than one URL is provided, each server will be attempted one-at-a-time until one responds successfully, in order from first to last. Servers that don't respond will be temporarily ignored until they come back online.",
+    "maintenance_delete_backup": "Delete Backup",
+    "maintenance_delete_backup_description": "This file will be irrevocably deleted.",
+    "maintenance_delete_error": "Failed to delete backup.",
+    "maintenance_restore_backup": "Restore Backup",
+    "maintenance_restore_backup_description": "Immich will be wiped and restored from the chosen backup. A backup will be created before continuing.",
+    "maintenance_restore_backup_different_version": "This backup was created with a different version of Immich!",
+    "maintenance_restore_backup_unknown_version": "Couldn't determine backup version.",
+    "maintenance_restore_database_backup": "Restore database backup",
+    "maintenance_restore_database_backup_description": "Rollback to an earlier database state using a backup file",
    "maintenance_settings": "Maintenance",
    "maintenance_settings_description": "Put Immich into maintenance mode.",
-    "maintenance_start": "Start maintenance mode",
+    "maintenance_start": "Switch to maintenance mode",
    "maintenance_start_error": "Failed to start maintenance mode.",
+    "maintenance_upload_backup": "Upload database backup file",
+    "maintenance_upload_backup_error": "Could not upload backup, is it an .sql/.sql.gz file?",
    "manage_concurrency": "Manage Concurrency",
    "manage_concurrency_description": "Navigate to the jobs page to manage job concurrency",
    "manage_log_settings": "Manage log settings",
@@ -437,6 +449,9 @@
  "admin_password": "Admin Password",
  "administration": "Administration",
  "advanced": "Advanced",
+  "advanced_settings_clear_image_cache": "Clear Image Cache",
+  "advanced_settings_clear_image_cache_error": "Failed to clear image cache",
+  "advanced_settings_clear_image_cache_success": "Successfully cleared {size}",
  "advanced_settings_enable_alternate_media_filter_subtitle": "Use this option to filter media during sync based on alternate criteria. Only try this if you have issues with the app detecting all albums.",
  "advanced_settings_enable_alternate_media_filter_title": "[EXPERIMENTAL] Use alternate device album sync filter",
  "advanced_settings_log_level_title": "Log level: {level}",
@@ -478,6 +493,7 @@
  "album_summary": "Album summary",
  "album_updated": "Album updated",
  "album_updated_setting_description": "Receive an email notification when a shared album has new assets",
+  "album_upload_assets": "Upload assets from your computer and add to album",
  "album_user_left": "Left {album}",
  "album_user_removed": "Removed {user}",
  "album_viewer_appbar_delete_confirm": "Are you sure you want to delete this album from your account?",
@@ -601,7 +617,7 @@
  "backup_album_selection_page_select_albums": "Select albums",
  "backup_album_selection_page_selection_info": "Selection Info",
  "backup_album_selection_page_total_assets": "Total unique assets",
-  "backup_albums_sync": "Backup albums synchronization",
+  "backup_albums_sync": "Backup Albums Synchronization",
  "backup_all": "All",
  "backup_background_service_backup_failed_message": "Failed to backup assets. Retrying…",
  "backup_background_service_complete_notification": "Asset backup complete",
@@ -734,6 +750,18 @@
  "checksum": "Checksum",
  "choose_matching_people_to_merge": "Choose matching people to merge",
  "city": "City",
+  "cleanup_confirm_description": "Immich found {count} assets (created before {date}) safely backed up to the server. Remove the local copies from this device?",
+  "cleanup_confirm_prompt_title": "Remove from this device?",
+  "cleanup_deleted_assets": "Moved {count} assets to device trash",
+  "cleanup_deleting": "Moving to trash...",
+  "cleanup_filter_description": "Choose which types of assets to remove in the cleanup",
+  "cleanup_found_assets": "Found {count} backed up assets",
+  "cleanup_icloud_shared_albums_excluded": "iCloud Shared Albums are excluded from the scan",
+  "cleanup_no_assets_found": "No backed up assets found matching your criteria",
+  "cleanup_preview_title": "Assets to remove ({count})",
+  "cleanup_step3_description": "Scan for photos and videos that have been backed up to the server with the selected cutoff date and filter options",
+  "cleanup_step4_summary": "{count} assets created before {date} are queued for removal from your device",
+  "cleanup_trash_hint": "To fully reclaim storage space, open the system gallery app and empty the trash",
  "clear": "Clear",
  "clear_all": "Clear all",
  "clear_all_recent_searches": "Clear all recent searches",
@@ -819,13 +847,20 @@
  "created_at": "Created",
  "creating_linked_albums": "Creating linked albums...",
  "crop": "Crop",
+  "crop_aspect_ratio_fixed": "Fixed",
+  "crop_aspect_ratio_free": "Free",
+  "crop_aspect_ratio_original": "Original",
  "curated_object_page_title": "Things",
  "current_device": "Current device",
  "current_pin_code": "Current PIN code",
  "current_server_address": "Current server address",
+  "custom_date": "Custom date",
  "custom_locale": "Custom Locale",
  "custom_locale_description": "Format dates and numbers based on the language and the region",
  "custom_url": "Custom URL",
+  "cutoff_date_description": "Remove photos and videos older than",
+  "cutoff_day": "{count, plural, one {day} other {days}}",
+  "cutoff_year": "{count, plural, one {year} other {years}}",
  "daily_title_text_date": "E, MMM dd",
  "daily_title_text_date_year": "E, MMM dd, yyyy",
  "dark": "Dark",
@@ -907,6 +942,7 @@
  "download_include_embedded_motion_videos": "Embedded videos",
  "download_include_embedded_motion_videos_description": "Include videos embedded in motion photos as a separate file",
  "download_notfound": "Download not found",
+  "download_original": "Download original",
  "download_paused": "Download paused",
  "download_settings": "Download",
  "download_settings_description": "Manage settings related to asset download",
@@ -916,6 +952,7 @@
  "download_waiting_to_retry": "Waiting to retry",
  "downloading": "Downloading",
  "downloading_asset_filename": "Downloading asset {filename}",
+  "downloading_from_icloud": "Downloading from iCloud",
  "downloading_media": "Downloading media",
  "drop_files_to_upload": "Drop files anywhere to upload",
  "duplicates": "Duplicates",
@@ -948,9 +985,13 @@
  "editor": "Editor",
  "editor_close_without_save_prompt": "The changes will not be saved",
  "editor_close_without_save_title": "Close editor?",
-  "editor_crop_tool_h2_aspect_ratios": "Aspect ratios",
-  "editor_crop_tool_h2_rotation": "Rotation",
-  "editor_mode": "Editor mode",
+  "editor_confirm_reset_all_changes": "Are you sure you want to reset all changes?",
+  "editor_flip_horizontal": "Flip horizontal",
+  "editor_flip_vertical": "Flip vertical",
+  "editor_orientation": "Orientation",
+  "editor_reset_all_changes": "Reset changes",
+  "editor_rotate_left": "Rotate 90° counterclockwise",
+  "editor_rotate_right": "Rotate 90° clockwise",
  "email": "Email",
  "email_notifications": "Email notifications",
  "empty_folder": "This folder is empty",
@@ -971,9 +1012,11 @@
  "error_getting_places": "Error getting places",
  "error_loading_image": "Error loading image",
  "error_loading_partners": "Error loading partners: {error}",
+  "error_retrieving_asset_information": "Error retrieving asset information",
  "error_saving_image": "Error: {error}",
  "error_tag_face_bounding_box": "Error tagging face - cannot get bounding box coordinates",
  "error_title": "Error - Something went wrong",
+  "error_while_navigating": "Error while navigating to asset",
  "errors": {
    "cannot_navigate_next_asset": "Cannot navigate to the next asset",
    "cannot_navigate_previous_asset": "Cannot navigate to previous asset",
@@ -1082,6 +1125,7 @@
    "unable_to_scan_library": "Unable to scan library",
    "unable_to_set_feature_photo": "Unable to set feature photo",
    "unable_to_set_profile_picture": "Unable to set profile picture",
+    "unable_to_set_rating": "Unable to set rating",
    "unable_to_submit_job": "Unable to submit job",
    "unable_to_trash_asset": "Unable to trash asset",
    "unable_to_unlink_account": "Unable to unlink account",
@@ -1096,6 +1140,7 @@
    "unable_to_update_workflow": "Unable to update workflow",
    "unable_to_upload_file": "Unable to upload file"
  },
+  "errors_text": "Errors",
  "exclusion_pattern": "Exclusion pattern",
  "exif": "Exif",
  "exif_bottom_sheet_description": "Add Description...",
@@ -1140,13 +1185,14 @@
  "features": "Features",
  "features_in_development": "Features in Development",
  "features_setting_description": "Manage the app features",
-  "file_name": "File name",
+  "file_name": "File name: {file_name}",
  "file_name_or_extension": "File name or extension",
  "file_size": "File size",
  "filename": "Filename",
  "filetype": "Filetype",
  "filter": "Filter",
  "filter_description": "Conditions to filter the target assets",
+  "filter_options": "Filter options",
  "filter_people": "Filter people",
  "filter_places": "Filter places",
  "filters": "Filters",
@@ -1159,6 +1205,9 @@
  "folders_feature_description": "Browsing the folder view for the photos and videos on the file system",
  "forgot_pin_code_question": "Forgot your PIN?",
  "forward": "Forward",
+  "free_up_space": "Free Up Space",
+  "free_up_space_description": "Move backed-up photos and videos to your device's trash to free up space. Your copies on the server remain safe",
+  "free_up_space_settings_subtitle": "Free up device storage",
  "full_path": "Full path: {path}",
  "gcast_enabled": "Google Cast",
  "gcast_enabled_description": "This feature loads external resources from Google in order to work.",
@@ -1275,6 +1324,8 @@
  "json_error": "JSON error",
  "keep": "Keep",
  "keep_all": "Keep All",
+  "keep_favorites": "Keep favorites",
+  "keep_favorites_description": "Favorite assets will not be deleted from your device",
  "keep_this_delete_others": "Keep this, delete others",
  "kept_this_deleted_others": "Kept this asset and deleted {count, plural, one {# asset} other {# assets}}",
  "keyboard_shortcuts": "Keyboard shortcuts",
@@ -1369,10 +1420,28 @@
  "loop_videos_description": "Enable to automatically loop a video in the detail viewer.",
  "main_branch_warning": "You're using a development version; we strongly recommend using a release version!",
  "main_menu": "Main menu",
+  "maintenance_action_restore": "Restoring Database",
  "maintenance_description": "Immich has been put into <link>maintenance mode</link>.",
  "maintenance_end": "End maintenance mode",
  "maintenance_end_error": "Failed to end maintenance mode.",
  "maintenance_logged_in_as": "Currently logged in as {user}",
+  "maintenance_restore_from_backup": "Restore From Backup",
+  "maintenance_restore_library": "Restore Your Library",
+  "maintenance_restore_library_confirm": "If this looks correct, continue to restoring a backup!",
+  "maintenance_restore_library_description": "Restoring Database",
+  "maintenance_restore_library_folder_has_files": "{folder} has {count} folder(s)",
+  "maintenance_restore_library_folder_no_files": "{folder} is missing files!",
+  "maintenance_restore_library_folder_pass": "readable and writable",
+  "maintenance_restore_library_folder_read_fail": "not readable",
+  "maintenance_restore_library_folder_write_fail": "not writable",
+  "maintenance_restore_library_hint_missing_files": "You may be missing important files",
+  "maintenance_restore_library_hint_regenerate_later": "You can regenerate these later in settings",
+  "maintenance_restore_library_hint_storage_template_missing_files": "Using storage template? You may be missing files",
+  "maintenance_restore_library_loading": "Loading integrity checks and heuristics…",
+  "maintenance_task_backup": "Creating a backup of the existing database…",
+  "maintenance_task_migrations": "Running database migrations…",
+  "maintenance_task_restore": "Restoring the chosen backup…",
+  "maintenance_task_rollback": "Restore failed, rolling back to restore point…",
  "maintenance_title": "Temporarily Unavailable",
  "make": "Make",
  "manage_geolocation": "Manage location",
@@ -1434,6 +1503,8 @@
  "minimize": "Minimize",
  "minute": "Minute",
  "minutes": "Minutes",
+  "mirror_horizontal": "Horizontal",
+  "mirror_vertical": "Vertical",
  "missing": "Missing",
  "mobile_app": "Mobile App",
  "mobile_app_download_onboarding_note": "Download the companion mobile app using the following options",
@@ -1445,6 +1516,7 @@
  "move_down": "Move down",
  "move_off_locked_folder": "Move out of locked folder",
  "move_to": "Move to",
+  "move_to_device_trash": "Move to device trash",
  "move_to_lock_folder_action_prompt": "{count} added to the locked folder",
  "move_to_locked_folder": "Move to locked folder",
  "move_to_locked_folder_confirmation": "These photos and video will be removed from all albums, and only viewable from the locked folder",
@@ -1488,7 +1560,7 @@
  "no_albums_with_name_yet": "It looks like you do not have any albums with this name yet.",
  "no_albums_yet": "It looks like you do not have any albums yet.",
  "no_archived_assets_message": "Archive photos and videos to hide them from your Photos view",
-  "no_assets_message": "CLICK TO UPLOAD YOUR FIRST PHOTO",
+  "no_assets_message": "Click to upload your first photo",
  "no_assets_to_show": "No assets to show",
  "no_cast_devices_found": "No cast devices found",
  "no_checksum_local": "No checksum available - cannot fetch local assets",
@@ -1627,6 +1699,7 @@
  "photos_and_videos": "Photos & Videos",
  "photos_count": "{count, plural, one {{count, number} Photo} other {{count, number} Photos}}",
  "photos_from_previous_years": "Photos from previous years",
+  "photos_only": "Photos only",
  "pick_a_location": "Pick a location",
  "pick_custom_range": "Custom range",
  "pick_date_range": "Select a date range",
@@ -1702,10 +1775,12 @@
  "purchase_settings_server_activated": "The server product key is managed by the admin",
  "query_asset_id": "Query Asset ID",
  "queue_status": "Queuing {count}/{total}",
+  "rate_asset": "Rate Asset",
  "rating": "Star rating",
  "rating_clear": "Clear rating",
  "rating_count": "{count, plural, one {# star} other {# stars}}",
  "rating_description": "Display the EXIF rating in the info panel",
+  "rating_set": "Rating set to {rating, plural, one {# star} other {# stars}}",
  "reaction_options": "Reaction options",
  "read_changelog": "Read Changelog",
  "readonly_mode_disabled": "Read-only mode disabled",
@@ -1805,9 +1880,11 @@
  "saved_settings": "Saved settings",
  "say_something": "Say something",
  "scaffold_body_error_occurred": "Error occurred",
+  "scan": "Scan",
  "scan_all_libraries": "Scan All Libraries",
  "scan_library": "Scan",
  "scan_settings": "Scan Settings",
+  "scanning": "Scanning",
  "scanning_for_album": "Scanning for album...",
  "search": "Search",
  "search_albums": "Search albums",
@@ -1879,6 +1956,7 @@
  "select_all_in": "Select all in {group}",
  "select_avatar_color": "Select avatar color",
  "select_count": "{count, plural, one {Select #} other {Select #}}",
+  "select_cutoff_date": "Select cutoff date",
  "select_face": "Select face",
  "select_featured_photo": "Select featured photo",
  "select_from_computer": "Select from computer",
@@ -2116,6 +2194,7 @@
  "theme_setting_theme_subtitle": "Choose the app's theme setting",
  "theme_setting_three_stage_loading_subtitle": "Three-stage loading might increase the loading performance but causes significantly higher network load",
  "theme_setting_three_stage_loading_title": "Enable three-stage loading",
+  "then": "Then",
  "they_will_be_merged_together": "They will be merged together",
  "third_party_resources": "Third-Party Resources",
  "time": "Time",
@@ -2171,6 +2250,7 @@
  "unhide_person": "Unhide person",
  "unknown": "Unknown",
  "unknown_country": "Unknown Country",
+  "unknown_date": "Unknown date",
  "unknown_year": "Unknown Year",
  "unlimited": "Unlimited",
  "unlink_motion_video": "Unlink motion video",
@@ -2195,7 +2275,6 @@
  "updated_at": "Updated",
  "updated_password": "Updated password",
  "upload": "Upload",
-  "upload_action_prompt": "{count} queued for upload",
  "upload_concurrency": "Upload concurrency",
  "upload_details": "Upload Details",
  "upload_dialog_info": "Do you want to backup the selected Asset(s) to the server?",
@@ -2214,7 +2293,7 @@
  "url": "URL",
  "usage": "Usage",
  "use_biometric": "Use biometric",
-  "use_current_connection": "use current connection",
+  "use_current_connection": "Use current connection",
  "use_custom_date_range": "Use custom date range instead",
  "user": "User",
  "user_has_been_deleted": "This user has been deleted.",
@@ -2247,6 +2326,7 @@
  "video_hover_setting_description": "Play video thumbnail when mouse is hovering over item. Even when disabled, playback can be started by hovering over the play icon.",
  "videos": "Videos",
  "videos_count": "{count, plural, one {# Video} other {# Videos}}",
+  "videos_only": "Videos only",
  "view": "View",
  "view_album": "View Album",
  "view_all": "View All",
@@ -2296,6 +2376,7 @@
  "yes": "Yes",
  "you_dont_have_any_shared_links": "You don't have any shared links",
  "your_wifi_name": "Your Wi-Fi name",
+  "zero_to_clear_rating": "press 0 to clear asset rating",
  "zoom_image": "Zoom Image",
  "zoom_to_bounds": "Zoom to bounds"
 }
--- a/i18n/package.json
+++ b/i18n/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "immich-i18n",
+  "version": "1.0.0",
+  "private": true,
+  "scripts": {
+    "format": "prettier --check .",
+    "format:fix": "prettier --write ."
+  },
+  "devDependencies": {
+    "prettier": "^3.7.4",
+    "prettier-plugin-sort-json": "^4.1.1"
+  }
+}
--- a/machine-learning/Dockerfile
+++ b/machine-learning/Dockerfile
@@ -92,14 +92,14 @@ FROM python:3.13-slim-trixie@sha256:0222b795db95bf7412cede36ab46a266cfb31f632e64

 RUN apt-get update && \
    apt-get install --no-install-recommends -yqq ocl-icd-libopencl1 wget && \
-    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.24.8/intel-igc-core-2_2.24.8+20344_amd64.deb && \
-    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.24.8/intel-igc-opencl-2_2.24.8+20344_amd64.deb && \
-    wget -nv https://github.com/intel/compute-runtime/releases/download/25.48.36300.8/intel-opencl-icd_25.48.36300.8-0_amd64.deb &&  \
+    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.27.10/intel-igc-core-2_2.27.10+20617_amd64.deb && \
+    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.27.10/intel-igc-opencl-2_2.27.10+20617_amd64.deb && \
+    wget -nv https://github.com/intel/compute-runtime/releases/download/26.01.36711.4/intel-opencl-icd_26.01.36711.4-0_amd64.deb &&  \
    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-core_1.0.17537.24_amd64.deb && \
    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-opencl_1.0.17537.24_amd64.deb && \
    wget -nv https://github.com/intel/compute-runtime/releases/download/24.35.30872.36/intel-opencl-icd-legacy1_24.35.30872.36_amd64.deb && \
    # TODO: Figure out how to get renovate to manage this differently versioned libigdgmm file
-    wget -nv https://github.com/intel/compute-runtime/releases/download/25.48.36300.8/libigdgmm12_22.8.2_amd64.deb && \
+    wget -nv https://github.com/intel/compute-runtime/releases/download/26.01.36711.4/libigdgmm12_22.9.0_amd64.deb && \
    dpkg -i *.deb && \
    rm *.deb && \
    apt-get remove wget -yqq && \
--- a/mise.toml
+++ b/mise.toml
@@ -1,9 +1,9 @@
 experimental_monorepo_root = true

 [tools]
-node = "24.12.0"
+node = "24.13.0"
 flutter = "3.35.7"
-pnpm = "10.27.0"
+pnpm = "10.28.0"
 terragrunt = "0.93.10"
 opentofu = "1.10.7"
 java = "25.0.1"
@@ -34,4 +34,4 @@ run = { task = ":i18n:format-fix" }

 [tasks."i18n:format-fix"]
 dir = "i18n"
-run = "pnpm dlx sort-json *.json"
+run = "pnpm run format:fix"
--- a/mobile/android/app/CMakeLists.txt
+++ b/mobile/android/app/CMakeLists.txt
@@ -8,3 +8,5 @@ project(native_buffer LANGUAGES C)
 add_library(native_buffer SHARED
    src/main/cpp/native_buffer.c
 )
+
+target_link_libraries(native_buffer jnigraphics)
--- a/mobile/android/app/build.gradle
+++ b/mobile/android/app/build.gradle
@@ -31,7 +31,7 @@ if (keystorePropertiesFile.exists()) {

 android {
  compileSdkVersion 35
-  ndkVersion = "28.1.13356709"
+  ndkVersion = "28.2.13676358"

  compileOptions {
    sourceCompatibility JavaVersion.VERSION_17
@@ -48,6 +48,7 @@ android {
  }

  buildFeatures {
+    buildConfig true
    compose true
  }

@@ -105,8 +106,11 @@ dependencies {
  def serialization_version = '1.8.1'
  def compose_version = '1.1.1'
  def gson_version = '2.10.1'
+  def okhttp_version = '4.12.0'

  implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
+  implementation "com.squareup.okhttp3:okhttp:$okhttp_version"
+  implementation 'org.chromium.net:cronet-embedded:143.7445.0'
  implementation "org.jetbrains.kotlinx:kotlinx-coroutines-android:$kotlin_coroutines_version"
  implementation "androidx.work:work-runtime-ktx:$work_version"
  implementation "androidx.concurrent:concurrent-futures:$concurrent_version"
--- a/mobile/android/app/src/main/AndroidManifest.xml
+++ b/mobile/android/app/src/main/AndroidManifest.xml
@@ -117,6 +117,9 @@
        <data
          android:host="my.immich.app"
          android:pathPrefix="/memories/" />
+        <data
+          android:host="my.immich.app"
+          android:path="/memory" />
        <data
          android:host="my.immich.app"
          android:pathPrefix="/photos/" />
--- a/mobile/android/app/src/main/cpp/native_buffer.c
+++ b/mobile/android/app/src/main/cpp/native_buffer.c
@@ -1,40 +1,38 @@
 #include <jni.h>
 #include <stdlib.h>
+#include <string.h>

 JNIEXPORT jlong JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_00024Companion_allocateNative(
-        JNIEnv *env, jclass clazz, jint size) {
-    void *ptr = malloc(size);
-    return (jlong) ptr;
-}
-
-JNIEXPORT jlong JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_allocateNative(
+Java_app_alextran_immich_NativeBuffer_allocate(
        JNIEnv *env, jclass clazz, jint size) {
    void *ptr = malloc(size);
    return (jlong) ptr;
 }

 JNIEXPORT void JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_00024Companion_freeNative(
+Java_app_alextran_immich_NativeBuffer_free(
        JNIEnv *env, jclass clazz, jlong address) {
    free((void *) address);
 }

+JNIEXPORT jlong JNICALL
+Java_app_alextran_immich_NativeBuffer_realloc(
+        JNIEnv *env, jclass clazz, jlong address, jint size) {
+    void *ptr = realloc((void *) address, size);
+    return (jlong) ptr;
+}
+
+JNIEXPORT jobject JNICALL
+Java_app_alextran_immich_NativeBuffer_wrap(
+        JNIEnv *env, jclass clazz, jlong address, jint capacity) {
+    return (*env)->NewDirectByteBuffer(env, (void *) address, capacity);
+}
+
 JNIEXPORT void JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_freeNative(
-        JNIEnv *env, jclass clazz, jlong address) {
-    free((void *) address);
-}
-
-JNIEXPORT jobject JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_00024Companion_wrapAsBuffer(
-        JNIEnv *env, jclass clazz, jlong address, jint capacity) {
-    return (*env)->NewDirectByteBuffer(env, (void *) address, capacity);
-}
-
-JNIEXPORT jobject JNICALL
-Java_app_alextran_immich_images_ThumbnailsImpl_wrapAsBuffer(
-        JNIEnv *env, jclass clazz, jlong address, jint capacity) {
-    return (*env)->NewDirectByteBuffer(env, (void *) address, capacity);
+Java_app_alextran_immich_NativeBuffer_copy(
+        JNIEnv *env, jclass clazz, jobject buffer, jlong destAddress, jint offset, jint length) {
+    void *src = (*env)->GetDirectBufferAddress(env, buffer);
+    if (src != NULL) {
+        memcpy((void *) destAddress, (char *) src + offset, length);
+    }
 }
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/HttpSSLOptionsPlugin.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/HttpSSLOptionsPlugin.kt
@@ -2,6 +2,7 @@ package app.alextran.immich

 import android.annotation.SuppressLint
 import android.content.Context
+import app.alextran.immich.core.SSLConfig
 import io.flutter.embedding.engine.plugins.FlutterPlugin
 import io.flutter.plugin.common.BinaryMessenger
 import io.flutter.plugin.common.MethodCall
@@ -51,15 +52,18 @@ class HttpSSLOptionsPlugin : FlutterPlugin, MethodChannel.MethodCallHandler {
      when (call.method) {
        "apply" -> {
          val args = call.arguments<ArrayList<*>>()!!
+          val allowSelfSigned = args[0] as Boolean
+          val serverHost = args[1] as? String
+          val clientCertHash = (args[2] as? ByteArray)

          var tm: Array<TrustManager>? = null
-          if (args[0] as Boolean) {
-            tm = arrayOf(AllowSelfSignedTrustManager(args[1] as? String))
+          if (allowSelfSigned) {
+            tm = arrayOf(AllowSelfSignedTrustManager(serverHost))
          }

          var km: Array<KeyManager>? = null
-          if (args[2] != null) {
-            val cert = ByteArrayInputStream(args[2] as ByteArray)
+          if (clientCertHash != null) {
+            val cert = ByteArrayInputStream(clientCertHash)
            val password = (args[3] as String).toCharArray()
            val keyStore = KeyStore.getInstance("PKCS12")
            keyStore.load(cert, password)
@@ -69,6 +73,9 @@ class HttpSSLOptionsPlugin : FlutterPlugin, MethodChannel.MethodCallHandler {
            km = keyManagerFactory.keyManagers
          }

+          // Update shared SSL config for OkHttp and other HTTP clients
+          SSLConfig.apply(km, tm, allowSelfSigned, serverHost, clientCertHash?.contentHashCode() ?: 0)
+
          val sslContext = SSLContext.getInstance("TLS")
          sslContext.init(km, tm, null)
          HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.socketFactory)
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/MainActivity.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/MainActivity.kt
@@ -10,8 +10,10 @@ import app.alextran.immich.background.BackgroundWorkerLockApi
 import app.alextran.immich.connectivity.ConnectivityApi
 import app.alextran.immich.connectivity.ConnectivityApiImpl
 import app.alextran.immich.core.ImmichPlugin
-import app.alextran.immich.images.ThumbnailApi
-import app.alextran.immich.images.ThumbnailsImpl
+import app.alextran.immich.images.LocalImageApi
+import app.alextran.immich.images.LocalImagesImpl
+import app.alextran.immich.images.RemoteImageApi
+import app.alextran.immich.images.RemoteImagesImpl
 import app.alextran.immich.sync.NativeSyncApi
 import app.alextran.immich.sync.NativeSyncApiImpl26
 import app.alextran.immich.sync.NativeSyncApiImpl30
@@ -36,7 +38,9 @@ class MainActivity : FlutterFragmentActivity() {
          NativeSyncApiImpl30(ctx)
        }
      NativeSyncApi.setUp(messenger, nativeSyncApiImpl)
-      ThumbnailApi.setUp(messenger, ThumbnailsImpl(ctx))
+      LocalImageApi.setUp(messenger, LocalImagesImpl(ctx))
+      RemoteImageApi.setUp(messenger, RemoteImagesImpl(ctx))
+
      BackgroundWorkerFgHostApi.setUp(messenger, BackgroundWorkerApiImpl(ctx))
      ConnectivityApi.setUp(messenger, ConnectivityApiImpl(ctx))

--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/NativeBuffer.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/NativeBuffer.kt
@@ -0,0 +1,52 @@
+package app.alextran.immich
+
+import java.nio.ByteBuffer
+
+const val INITIAL_BUFFER_SIZE = 32 * 1024
+
+object NativeBuffer {
+  init {
+    System.loadLibrary("native_buffer")
+  }
+
+  @JvmStatic
+  external fun allocate(size: Int): Long
+
+  @JvmStatic
+  external fun free(address: Long)
+
+  @JvmStatic
+  external fun realloc(address: Long, size: Int): Long
+
+  @JvmStatic
+  external fun wrap(address: Long, capacity: Int): ByteBuffer
+
+  @JvmStatic
+  external fun copy(buffer: ByteBuffer, destAddress: Long, offset: Int, length: Int)
+}
+
+class NativeByteBuffer(initialCapacity: Int) {
+  var pointer = NativeBuffer.allocate(initialCapacity)
+  var capacity = initialCapacity
+  var offset = 0
+
+  inline fun ensureHeadroom() {
+    if (offset == capacity) {
+      capacity *= 2
+      pointer = NativeBuffer.realloc(pointer, capacity)
+    }
+  }
+
+  inline fun wrapRemaining() = NativeBuffer.wrap(pointer + offset, capacity - offset)
+
+  inline fun advance(bytesRead: Int) {
+    offset += bytesRead
+  }
+
+  inline fun free() {
+    if (pointer != 0L) {
+      NativeBuffer.free(pointer)
+      pointer = 0L
+    }
+  }
+}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/core/SSLConfig.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/core/SSLConfig.kt
@@ -0,0 +1,73 @@
+package app.alextran.immich.core
+
+import java.security.KeyStore
+import javax.net.ssl.KeyManager
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509TrustManager
+
+/**
+ * Shared SSL configuration for OkHttp and HttpsURLConnection.
+ * Stores the SSLSocketFactory and X509TrustManager configured by HttpSSLOptionsPlugin.
+ */
+object SSLConfig {
+  var sslSocketFactory: SSLSocketFactory? = null
+    private set
+
+  var trustManager: X509TrustManager? = null
+    private set
+
+  var requiresCustomSSL: Boolean = false
+    private set
+
+  private val listeners = mutableListOf<() -> Unit>()
+  private var configHash: Int = 0
+
+  fun addListener(listener: () -> Unit) {
+    listeners.add(listener)
+  }
+
+  fun apply(
+    keyManagers: Array<KeyManager>?,
+    trustManagers: Array<TrustManager>?,
+    allowSelfSigned: Boolean,
+    serverHost: String?,
+    clientCertHash: Int
+  ) {
+    synchronized(this) {
+      val newHash = computeHash(allowSelfSigned, serverHost, clientCertHash)
+      val newRequiresCustomSSL = allowSelfSigned || keyManagers != null
+      if (newHash == configHash && sslSocketFactory != null && requiresCustomSSL == newRequiresCustomSSL) {
+        return  // Config unchanged, skip
+      }
+
+      val sslContext = SSLContext.getInstance("TLS")
+      sslContext.init(keyManagers, trustManagers, null)
+      sslSocketFactory = sslContext.socketFactory
+      trustManager = trustManagers?.filterIsInstance<X509TrustManager>()?.firstOrNull()
+        ?: getDefaultTrustManager()
+      requiresCustomSSL = newRequiresCustomSSL
+      configHash = newHash
+      notifyListeners()
+    }
+  }
+
+  private fun computeHash(allowSelfSigned: Boolean, serverHost: String?, clientCertHash: Int): Int {
+    var result = allowSelfSigned.hashCode()
+    result = 31 * result + (serverHost?.hashCode() ?: 0)
+    result = 31 * result + clientCertHash
+    return result
+  }
+
+  private fun notifyListeners() {
+    listeners.forEach { it() }
+  }
+
+  private fun getDefaultTrustManager(): X509TrustManager {
+    val factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+    factory.init(null as KeyStore?)
+    return factory.trustManagers.filterIsInstance<X509TrustManager>().first()
+  }
+}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/images/LocalImages.g.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/images/LocalImages.g.kt
@@ -13,7 +13,7 @@ import io.flutter.plugin.common.StandardMethodCodec
 import io.flutter.plugin.common.StandardMessageCodec
 import java.io.ByteArrayOutputStream
 import java.nio.ByteBuffer
-private object ThumbnailsPigeonUtils {
+private object LocalImagesPigeonUtils {

  fun wrapResult(result: Any?): List<Any?> {
    return listOf(result)
@@ -47,7 +47,7 @@ class FlutterError (
  override val message: String? = null,
  val details: Any? = null
 ) : Throwable()
-private open class ThumbnailsPigeonCodec : StandardMessageCodec() {
+private open class LocalImagesPigeonCodec : StandardMessageCodec() {
  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
    return     super.readValueOfType(type, buffer)
  }
@@ -58,22 +58,22 @@ private open class ThumbnailsPigeonCodec : StandardMessageCodec() {


 /** Generated interface from Pigeon that represents a handler of messages from Flutter. */
-interface ThumbnailApi {
-  fun requestImage(assetId: String, requestId: Long, width: Long, height: Long, isVideo: Boolean, callback: (Result<Map<String, Long>>) -> Unit)
-  fun cancelImageRequest(requestId: Long)
+interface LocalImageApi {
+  fun requestImage(assetId: String, requestId: Long, width: Long, height: Long, isVideo: Boolean, callback: (Result<Map<String, Long>?>) -> Unit)
+  fun cancelRequest(requestId: Long)
  fun getThumbhash(thumbhash: String, callback: (Result<Map<String, Long>>) -> Unit)

  companion object {
-    /** The codec used by ThumbnailApi. */
+    /** The codec used by LocalImageApi. */
    val codec: MessageCodec<Any?> by lazy {
-      ThumbnailsPigeonCodec()
+      LocalImagesPigeonCodec()
    }
-    /** Sets up an instance of `ThumbnailApi` to handle messages through the `binaryMessenger`. */
+    /** Sets up an instance of `LocalImageApi` to handle messages through the `binaryMessenger`. */
    @JvmOverloads
-    fun setUp(binaryMessenger: BinaryMessenger, api: ThumbnailApi?, messageChannelSuffix: String = "") {
+    fun setUp(binaryMessenger: BinaryMessenger, api: LocalImageApi?, messageChannelSuffix: String = "") {
      val separatedMessageChannelSuffix = if (messageChannelSuffix.isNotEmpty()) ".$messageChannelSuffix" else ""
      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.ThumbnailApi.requestImage$separatedMessageChannelSuffix", codec)
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.LocalImageApi.requestImage$separatedMessageChannelSuffix", codec)
        if (api != null) {
          channel.setMessageHandler { message, reply ->
            val args = message as List<Any?>
@@ -82,13 +82,13 @@ interface ThumbnailApi {
            val widthArg = args[2] as Long
            val heightArg = args[3] as Long
            val isVideoArg = args[4] as Boolean
-            api.requestImage(assetIdArg, requestIdArg, widthArg, heightArg, isVideoArg) { result: Result<Map<String, Long>> ->
+            api.requestImage(assetIdArg, requestIdArg, widthArg, heightArg, isVideoArg) { result: Result<Map<String, Long>?> ->
              val error = result.exceptionOrNull()
              if (error != null) {
-                reply.reply(ThumbnailsPigeonUtils.wrapError(error))
+                reply.reply(LocalImagesPigeonUtils.wrapError(error))
              } else {
                val data = result.getOrNull()
-                reply.reply(ThumbnailsPigeonUtils.wrapResult(data))
+                reply.reply(LocalImagesPigeonUtils.wrapResult(data))
              }
            }
          }
@@ -97,16 +97,16 @@ interface ThumbnailApi {
        }
      }
      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.ThumbnailApi.cancelImageRequest$separatedMessageChannelSuffix", codec)
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.LocalImageApi.cancelRequest$separatedMessageChannelSuffix", codec)
        if (api != null) {
          channel.setMessageHandler { message, reply ->
            val args = message as List<Any?>
            val requestIdArg = args[0] as Long
            val wrapped: List<Any?> = try {
-              api.cancelImageRequest(requestIdArg)
+              api.cancelRequest(requestIdArg)
              listOf(null)
            } catch (exception: Throwable) {
-              ThumbnailsPigeonUtils.wrapError(exception)
+              LocalImagesPigeonUtils.wrapError(exception)
            }
            reply.reply(wrapped)
          }
@@ -115,7 +115,7 @@ interface ThumbnailApi {
        }
      }
      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.ThumbnailApi.getThumbhash$separatedMessageChannelSuffix", codec)
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.LocalImageApi.getThumbhash$separatedMessageChannelSuffix", codec)
        if (api != null) {
          channel.setMessageHandler { message, reply ->
            val args = message as List<Any?>
@@ -123,10 +123,10 @@ interface ThumbnailApi {
            api.getThumbhash(thumbhashArg) { result: Result<Map<String, Long>> ->
              val error = result.exceptionOrNull()
              if (error != null) {
-                reply.reply(ThumbnailsPigeonUtils.wrapError(error))
+                reply.reply(LocalImagesPigeonUtils.wrapError(error))
              } else {
                val data = result.getOrNull()
-                reply.reply(ThumbnailsPigeonUtils.wrapResult(data))
+                reply.reply(LocalImagesPigeonUtils.wrapResult(data))
              }
            }
          }
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/images/LocalImagesImpl.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/images/LocalImagesImpl.kt
@@ -11,7 +11,8 @@ import android.os.OperationCanceledException
 import android.provider.MediaStore.Images
 import android.provider.MediaStore.Video
 import android.util.Size
-import java.nio.ByteBuffer
+import androidx.annotation.RequiresApi
+import app.alextran.immich.NativeBuffer
 import kotlin.math.*
 import java.util.concurrent.Executors
 import com.bumptech.glide.Glide
@@ -26,10 +27,42 @@ import java.util.concurrent.Future
 data class Request(
  val taskFuture: Future<*>,
  val cancellationSignal: CancellationSignal,
-  val callback: (Result<Map<String, Long>>) -> Unit
+  val callback: (Result<Map<String, Long>?>) -> Unit
 )

-class ThumbnailsImpl(context: Context) : ThumbnailApi {
+@RequiresApi(Build.VERSION_CODES.Q)
+inline fun ImageDecoder.Source.decodeBitmap(target: Size = Size(0, 0)): Bitmap {
+  return ImageDecoder.decodeBitmap(this) { decoder, info, _ ->
+    if (target.width > 0 && target.height > 0) {
+      val sample = max(1, min(info.size.width / target.width, info.size.height / target.height))
+      decoder.setTargetSampleSize(sample)
+    }
+    decoder.allocator = ImageDecoder.ALLOCATOR_SOFTWARE
+    decoder.setTargetColorSpace(ColorSpace.get(ColorSpace.Named.SRGB))
+  }
+}
+
+fun Bitmap.toNativeBuffer(): Map<String, Long>  {
+  val size = width * height * 4
+  val pointer = NativeBuffer.allocate(size)
+  try {
+    val buffer = NativeBuffer.wrap(pointer, size)
+    copyPixelsToBuffer(buffer)
+    recycle()
+    return mapOf(
+      "pointer" to pointer,
+      "width" to width.toLong(),
+      "height" to height.toLong(),
+      "rowBytes" to (width * 4).toLong()
+    )
+  } catch (e: Exception) {
+    NativeBuffer.free(pointer)
+    recycle()
+    throw e
+  }
+}
+
+class LocalImagesImpl(context: Context) : LocalImageApi {
  private val ctx: Context = context.applicationContext
  private val resolver: ContentResolver = ctx.contentResolver
  private val requestThread = Executors.newSingleThreadExecutor()
@@ -38,21 +71,8 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
  private val requestMap = ConcurrentHashMap<Long, Request>()

  companion object {
-    val CANCELLED = Result.success<Map<String, Long>>(mapOf())
+    val CANCELLED = Result.success<Map<String, Long>?>(null)
    val OPTIONS = BitmapFactory.Options().apply { inPreferredConfig = Bitmap.Config.ARGB_8888 }
-
-    init {
-      System.loadLibrary("native_buffer")
-    }
-
-    @JvmStatic
-    external fun allocateNative(size: Int): Long
-
-    @JvmStatic
-    external fun freeNative(pointer: Long)
-
-    @JvmStatic
-    external fun wrapAsBuffer(address: Long, capacity: Int): ByteBuffer
  }

  override fun getThumbhash(thumbhash: String, callback: (Result<Map<String, Long>>) -> Unit) {
@@ -63,7 +83,8 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
        val res = mapOf(
          "pointer" to image.pointer,
          "width" to image.width.toLong(),
-          "height" to image.height.toLong()
+          "height" to image.height.toLong(),
+          "rowBytes" to (image.width * 4).toLong()
        )
        callback(Result.success(res))
      } catch (e: Exception) {
@@ -78,7 +99,7 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
    width: Long,
    height: Long,
    isVideo: Boolean,
-    callback: (Result<Map<String, Long>>) -> Unit
+    callback: (Result<Map<String, Long>?>) -> Unit
  ) {
    val signal = CancellationSignal()
    val task = threadPool.submit {
@@ -98,7 +119,7 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
    requestMap[requestId] = request
  }

-  override fun cancelImageRequest(requestId: Long) {
+  override fun cancelRequest(requestId: Long) {
    val request = requestMap.remove(requestId) ?: return
    request.taskFuture.cancel(false)
    request.cancellationSignal.cancel()
@@ -117,7 +138,7 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
    width: Long,
    height: Long,
    isVideo: Boolean,
-    callback: (Result<Map<String, Long>>) -> Unit,
+    callback: (Result<Map<String, Long>?>) -> Unit,
    signal: CancellationSignal
  ) {
    signal.throwIfCanceled()
@@ -131,31 +152,12 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
      decodeImage(id, size, signal)
    }

-    processBitmap(bitmap, callback, signal)
-  }
-
-  private fun processBitmap(
-    bitmap: Bitmap, callback: (Result<Map<String, Long>>) -> Unit, signal: CancellationSignal
-  ) {
-    signal.throwIfCanceled()
-    val actualWidth = bitmap.width
-    val actualHeight = bitmap.height
-
-    val size = actualWidth * actualHeight * 4
-    val pointer = allocateNative(size)
-
    try {
      signal.throwIfCanceled()
-      val buffer = wrapAsBuffer(pointer, size)
-      bitmap.copyPixelsToBuffer(buffer)
-      bitmap.recycle()
+      val res = bitmap.toNativeBuffer()
      signal.throwIfCanceled()
-      val res = mapOf(
-        "pointer" to pointer, "width" to actualWidth.toLong(), "height" to actualHeight.toLong()
-      )
      callback(Result.success(res))
    } catch (e: Exception) {
-      freeNative(pointer)
      callback(if (e is OperationCanceledException) CANCELLED else Result.failure(e))
    }
  }
@@ -191,16 +193,7 @@ class ThumbnailsImpl(context: Context) : ThumbnailApi {
  private fun decodeSource(uri: Uri, target: Size, signal: CancellationSignal): Bitmap {
    signal.throwIfCanceled()
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
-      val source = ImageDecoder.createSource(resolver, uri)
-      signal.throwIfCanceled()
-      ImageDecoder.decodeBitmap(source) { decoder, info, _ ->
-        if (target.width > 0 && target.height > 0) {
-          val sample = max(1, min(info.size.width / target.width, info.size.height / target.height))
-          decoder.setTargetSampleSize(sample)
-        }
-        decoder.allocator = ImageDecoder.ALLOCATOR_SOFTWARE
-        decoder.setTargetColorSpace(ColorSpace.get(ColorSpace.Named.SRGB))
-      }
+      ImageDecoder.createSource(resolver, uri).decodeBitmap(target)
    } else {
      val ref =
        Glide.with(ctx).asBitmap().priority(Priority.IMMEDIATE).load(uri).disallowHardwareConfig()
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImages.g.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImages.g.kt
@@ -0,0 +1,123 @@
+// Autogenerated from Pigeon (v26.0.2), do not edit directly.
+// See also: https://pub.dev/packages/pigeon
+@file:Suppress("UNCHECKED_CAST", "ArrayInDataClass")
+
+package app.alextran.immich.images
+
+import android.util.Log
+import io.flutter.plugin.common.BasicMessageChannel
+import io.flutter.plugin.common.BinaryMessenger
+import io.flutter.plugin.common.EventChannel
+import io.flutter.plugin.common.MessageCodec
+import io.flutter.plugin.common.StandardMethodCodec
+import io.flutter.plugin.common.StandardMessageCodec
+import java.io.ByteArrayOutputStream
+import java.nio.ByteBuffer
+private object RemoteImagesPigeonUtils {
+
+  fun wrapResult(result: Any?): List<Any?> {
+    return listOf(result)
+  }
+
+  fun wrapError(exception: Throwable): List<Any?> {
+    return if (exception is FlutterError) {
+      listOf(
+        exception.code,
+        exception.message,
+        exception.details
+      )
+    } else {
+      listOf(
+        exception.javaClass.simpleName,
+        exception.toString(),
+        "Cause: " + exception.cause + ", Stacktrace: " + Log.getStackTraceString(exception)
+      )
+    }
+  }
+}
+private open class RemoteImagesPigeonCodec : StandardMessageCodec() {
+  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
+    return     super.readValueOfType(type, buffer)
+  }
+  override fun writeValue(stream: ByteArrayOutputStream, value: Any?)   {
+    super.writeValue(stream, value)
+  }
+}
+
+
+/** Generated interface from Pigeon that represents a handler of messages from Flutter. */
+interface RemoteImageApi {
+  fun requestImage(url: String, headers: Map<String, String>, requestId: Long, callback: (Result<Map<String, Long>?>) -> Unit)
+  fun cancelRequest(requestId: Long)
+  fun clearCache(callback: (Result<Long>) -> Unit)
+
+  companion object {
+    /** The codec used by RemoteImageApi. */
+    val codec: MessageCodec<Any?> by lazy {
+      RemoteImagesPigeonCodec()
+    }
+    /** Sets up an instance of `RemoteImageApi` to handle messages through the `binaryMessenger`. */
+    @JvmOverloads
+    fun setUp(binaryMessenger: BinaryMessenger, api: RemoteImageApi?, messageChannelSuffix: String = "") {
+      val separatedMessageChannelSuffix = if (messageChannelSuffix.isNotEmpty()) ".$messageChannelSuffix" else ""
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.RemoteImageApi.requestImage$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { message, reply ->
+            val args = message as List<Any?>
+            val urlArg = args[0] as String
+            val headersArg = args[1] as Map<String, String>
+            val requestIdArg = args[2] as Long
+            api.requestImage(urlArg, headersArg, requestIdArg) { result: Result<Map<String, Long>?> ->
+              val error = result.exceptionOrNull()
+              if (error != null) {
+                reply.reply(RemoteImagesPigeonUtils.wrapError(error))
+              } else {
+                val data = result.getOrNull()
+                reply.reply(RemoteImagesPigeonUtils.wrapResult(data))
+              }
+            }
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.RemoteImageApi.cancelRequest$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { message, reply ->
+            val args = message as List<Any?>
+            val requestIdArg = args[0] as Long
+            val wrapped: List<Any?> = try {
+              api.cancelRequest(requestIdArg)
+              listOf(null)
+            } catch (exception: Throwable) {
+              RemoteImagesPigeonUtils.wrapError(exception)
+            }
+            reply.reply(wrapped)
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.RemoteImageApi.clearCache$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { _, reply ->
+            api.clearCache{ result: Result<Long> ->
+              val error = result.exceptionOrNull()
+              if (error != null) {
+                reply.reply(RemoteImagesPigeonUtils.wrapError(error))
+              } else {
+                val data = result.getOrNull()
+                reply.reply(RemoteImagesPigeonUtils.wrapResult(data))
+              }
+            }
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+    }
+  }
+}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImagesImpl.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImagesImpl.kt
@@ -0,0 +1,530 @@
+package app.alextran.immich.images
+
+import android.content.Context
+import android.os.CancellationSignal
+import android.os.OperationCanceledException
+import app.alextran.immich.BuildConfig
+import app.alextran.immich.INITIAL_BUFFER_SIZE
+import app.alextran.immich.NativeBuffer
+import app.alextran.immich.NativeByteBuffer
+import app.alextran.immich.core.SSLConfig
+import kotlinx.coroutines.*
+import okhttp3.Cache
+import okhttp3.Call
+import okhttp3.Callback
+import okhttp3.ConnectionPool
+import okhttp3.Dispatcher
+import okhttp3.OkHttpClient
+import okhttp3.Request
+import okhttp3.Response
+import org.chromium.net.CronetEngine
+import org.chromium.net.CronetException
+import org.chromium.net.UrlRequest
+import org.chromium.net.UrlResponseInfo
+import java.io.EOFException
+import java.io.File
+import java.io.IOException
+import java.nio.ByteBuffer
+import java.nio.file.FileVisitResult
+import java.nio.file.Files
+import java.nio.file.Path
+import java.nio.file.SimpleFileVisitor
+import java.nio.file.attribute.BasicFileAttributes
+import java.util.concurrent.ConcurrentHashMap
+import java.util.concurrent.Executors
+import java.util.concurrent.TimeUnit
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.X509TrustManager
+
+
+private const val USER_AGENT = "Immich_Android_${BuildConfig.VERSION_NAME}"
+private const val MAX_REQUESTS_PER_HOST = 64
+private const val KEEP_ALIVE_CONNECTIONS = 10
+private const val KEEP_ALIVE_DURATION_MINUTES = 5L
+private const val CACHE_SIZE_BYTES = 1024L * 1024 * 1024
+
+private class RemoteRequest(val cancellationSignal: CancellationSignal)
+
+class RemoteImagesImpl(context: Context) : RemoteImageApi {
+  private val requestMap = ConcurrentHashMap<Long, RemoteRequest>()
+
+  init {
+    ImageFetcherManager.initialize(context)
+  }
+
+  companion object {
+    val CANCELLED = Result.success<Map<String, Long>?>(null)
+  }
+
+  override fun requestImage(
+    url: String,
+    headers: Map<String, String>,
+    requestId: Long,
+    callback: (Result<Map<String, Long>?>) -> Unit
+  ) {
+    val signal = CancellationSignal()
+    requestMap[requestId] = RemoteRequest(signal)
+
+    ImageFetcherManager.fetch(
+      url,
+      headers,
+      signal,
+      onSuccess = { buffer ->
+        requestMap.remove(requestId)
+        if (signal.isCanceled) {
+          NativeBuffer.free(buffer.pointer)
+          return@fetch callback(CANCELLED)
+        }
+
+        callback(
+          Result.success(
+            mapOf(
+              "pointer" to buffer.pointer,
+              "length" to buffer.offset.toLong()
+            )
+          )
+        )
+      },
+      onFailure = { e ->
+        requestMap.remove(requestId)
+        val result = if (signal.isCanceled) CANCELLED else Result.failure(e)
+        callback(result)
+      }
+    )
+  }
+
+  override fun cancelRequest(requestId: Long) {
+    requestMap.remove(requestId)?.cancellationSignal?.cancel()
+  }
+
+  override fun clearCache(callback: (Result<Long>) -> Unit) {
+    CoroutineScope(Dispatchers.IO).launch {
+      try {
+        ImageFetcherManager.clearCache(callback)
+      } catch (e: Exception) {
+        callback(Result.failure(e))
+      }
+    }
+  }
+}
+
+private object ImageFetcherManager {
+  private lateinit var appContext: Context
+  private lateinit var cacheDir: File
+  private lateinit var fetcher: ImageFetcher
+  private var initialized = false
+
+  fun initialize(context: Context) {
+    if (initialized) return
+    synchronized(this) {
+      if (initialized) return
+      appContext = context.applicationContext
+      cacheDir = context.cacheDir
+      fetcher = build()
+      SSLConfig.addListener(::invalidate)
+      initialized = true
+    }
+  }
+
+  fun fetch(
+    url: String,
+    headers: Map<String, String>,
+    signal: CancellationSignal,
+    onSuccess: (NativeByteBuffer) -> Unit,
+    onFailure: (Exception) -> Unit,
+  ) {
+    fetcher.fetch(url, headers, signal, onSuccess, onFailure)
+  }
+
+  fun clearCache(onCleared: (Result<Long>) -> Unit) {
+    fetcher.clearCache(onCleared)
+  }
+
+  private fun invalidate() {
+    synchronized(this) {
+      val oldFetcher = fetcher
+      if (oldFetcher is OkHttpImageFetcher && SSLConfig.requiresCustomSSL) {
+        fetcher = oldFetcher.reconfigure(SSLConfig.sslSocketFactory, SSLConfig.trustManager)
+        return
+      }
+      fetcher = build()
+      oldFetcher.drain()
+    }
+  }
+
+  private fun build(): ImageFetcher {
+    return if (SSLConfig.requiresCustomSSL) {
+      OkHttpImageFetcher.create(cacheDir, SSLConfig.sslSocketFactory, SSLConfig.trustManager)
+    } else {
+      CronetImageFetcher(appContext, cacheDir)
+    }
+  }
+}
+
+private sealed interface ImageFetcher {
+  fun fetch(
+    url: String,
+    headers: Map<String, String>,
+    signal: CancellationSignal,
+    onSuccess: (NativeByteBuffer) -> Unit,
+    onFailure: (Exception) -> Unit,
+  )
+
+  fun drain()
+
+  fun clearCache(onCleared: (Result<Long>) -> Unit)
+}
+
+private class CronetImageFetcher(context: Context, cacheDir: File) : ImageFetcher {
+  private val ctx = context
+  private var engine: CronetEngine
+  private val executor = Executors.newFixedThreadPool(4)
+  private val stateLock = Any()
+  private var activeCount = 0
+  private var draining = false
+  private var onCacheCleared: ((Result<Long>) -> Unit)? = null
+  private val storageDir = File(cacheDir, "cronet").apply { mkdirs() }
+
+  init {
+    engine = build(context)
+  }
+
+  override fun fetch(
+    url: String,
+    headers: Map<String, String>,
+    signal: CancellationSignal,
+    onSuccess: (NativeByteBuffer) -> Unit,
+    onFailure: (Exception) -> Unit,
+  ) {
+    synchronized(stateLock) {
+      if (draining) {
+        onFailure(IllegalStateException("Engine is draining"))
+        return
+      }
+      activeCount++
+    }
+
+    val callback = FetchCallback(onSuccess, onFailure, ::onComplete)
+    val requestBuilder = engine.newUrlRequestBuilder(url, callback, executor)
+    headers.forEach { (key, value) -> requestBuilder.addHeader(key, value) }
+    val request = requestBuilder.build()
+    signal.setOnCancelListener(request::cancel)
+    request.start()
+  }
+
+  private fun build(ctx: Context): CronetEngine {
+    return CronetEngine.Builder(ctx)
+      .enableHttp2(true)
+      .enableQuic(true)
+      .enableBrotli(true)
+      .setStoragePath(storageDir.absolutePath)
+      .setUserAgent(USER_AGENT)
+      .enableHttpCache(CronetEngine.Builder.HTTP_CACHE_DISK, CACHE_SIZE_BYTES)
+      .build()
+  }
+
+  private fun onComplete() {
+    val didDrain = synchronized(stateLock) {
+      activeCount--
+      draining && activeCount == 0
+    }
+    if (didDrain) {
+      onDrained()
+    }
+  }
+
+  override fun drain() {
+    val didDrain = synchronized(stateLock) {
+      if (draining) return
+      draining = true
+      activeCount == 0
+    }
+    if (didDrain) {
+      onDrained()
+    }
+  }
+
+  private fun onDrained() {
+    engine.shutdown()
+    val onCacheCleared = synchronized(stateLock) {
+      val onCacheCleared = onCacheCleared
+      this.onCacheCleared = null
+      onCacheCleared
+    }
+    if (onCacheCleared == null) {
+      executor.shutdown()
+    } else {
+      CoroutineScope(Dispatchers.IO).launch {
+        val result = runCatching { deleteFolderAndGetSize(storageDir.toPath()) }
+        // Cronet is very good at self-repair, so it shouldn't fail here regardless of clear result
+        engine = build(ctx)
+        synchronized(stateLock) { draining = false }
+        onCacheCleared(result)
+      }
+    }
+  }
+
+  override fun clearCache(onCleared: (Result<Long>) -> Unit) {
+    synchronized(stateLock) {
+      if (onCacheCleared != null) {
+        return onCleared(Result.success(-1))
+      }
+      onCacheCleared = onCleared
+    }
+    drain()
+  }
+
+  private class FetchCallback(
+    private val onSuccess: (NativeByteBuffer) -> Unit,
+    private val onFailure: (Exception) -> Unit,
+    private val onComplete: () -> Unit,
+  ) : UrlRequest.Callback() {
+    private var buffer: NativeByteBuffer? = null
+    private var wrapped: ByteBuffer? = null
+    private var error: Exception? = null
+
+    override fun onRedirectReceived(request: UrlRequest, info: UrlResponseInfo, newUrl: String) {
+      request.followRedirect()
+    }
+
+    override fun onResponseStarted(request: UrlRequest, info: UrlResponseInfo) {
+      if (info.httpStatusCode !in 200..299) {
+        error = IOException("HTTP ${info.httpStatusCode}: ${info.httpStatusText}")
+        return request.cancel()
+      }
+
+      try {
+        val contentLength = info.allHeaders["content-length"]?.firstOrNull()?.toIntOrNull() ?: 0
+        if (contentLength > 0) {
+          buffer = NativeByteBuffer(contentLength + 1)
+          wrapped = NativeBuffer.wrap(buffer!!.pointer, contentLength + 1)
+          request.read(wrapped)
+        } else {
+          buffer = NativeByteBuffer(INITIAL_BUFFER_SIZE)
+          request.read(buffer!!.wrapRemaining())
+        }
+      } catch (e: Exception) {
+        error = e
+        return request.cancel()
+      }
+    }
+
+    override fun onReadCompleted(
+      request: UrlRequest,
+      info: UrlResponseInfo,
+      byteBuffer: ByteBuffer
+    ) {
+      try {
+        val buf = if (wrapped == null) {
+          buffer!!.run {
+            advance(byteBuffer.position())
+            ensureHeadroom()
+            wrapRemaining()
+          }
+        } else {
+          wrapped
+        }
+        request.read(buf)
+      } catch (e: Exception) {
+        error = e
+        return request.cancel()
+      }
+    }
+
+    override fun onSucceeded(request: UrlRequest, info: UrlResponseInfo) {
+      wrapped?.let { buffer!!.advance(it.position()) }
+      onSuccess(buffer!!)
+      onComplete()
+    }
+
+    override fun onFailed(request: UrlRequest, info: UrlResponseInfo?, error: CronetException) {
+      buffer?.free()
+      onFailure(error)
+      onComplete()
+    }
+
+    override fun onCanceled(request: UrlRequest, info: UrlResponseInfo?) {
+      buffer?.free()
+      onFailure(error ?: OperationCanceledException())
+      onComplete()
+    }
+  }
+
+  suspend fun deleteFolderAndGetSize(root: Path): Long = withContext(Dispatchers.IO) {
+    var totalSize = 0L
+
+    Files.walkFileTree(root, object : SimpleFileVisitor<Path>() {
+      override fun visitFile(file: Path, attrs: BasicFileAttributes): FileVisitResult {
+        totalSize += attrs.size()
+        Files.delete(file)
+        return FileVisitResult.CONTINUE
+      }
+
+      override fun postVisitDirectory(dir: Path, exc: IOException?): FileVisitResult {
+        if (dir != root) {
+          Files.delete(dir)
+        }
+        return FileVisitResult.CONTINUE
+      }
+    })
+
+    totalSize
+  }
+}
+
+private class OkHttpImageFetcher private constructor(
+  private val client: OkHttpClient,
+) : ImageFetcher {
+  private val stateLock = Any()
+  private var activeCount = 0
+  private var draining = false
+
+  companion object {
+    fun create(
+      cacheDir: File,
+      sslSocketFactory: SSLSocketFactory?,
+      trustManager: X509TrustManager?,
+    ): OkHttpImageFetcher {
+      val dir = File(cacheDir, "okhttp")
+      val connectionPool = ConnectionPool(
+        maxIdleConnections = KEEP_ALIVE_CONNECTIONS,
+        keepAliveDuration = KEEP_ALIVE_DURATION_MINUTES,
+        timeUnit = TimeUnit.MINUTES
+      )
+
+      val builder = OkHttpClient.Builder()
+        .addInterceptor { chain ->
+          chain.proceed(
+            chain.request().newBuilder()
+              .header("User-Agent", USER_AGENT)
+              .build()
+          )
+        }
+        .dispatcher(Dispatcher().apply { maxRequestsPerHost = MAX_REQUESTS_PER_HOST })
+        .connectionPool(connectionPool)
+        .cache(Cache(File(dir, "thumbnails"), CACHE_SIZE_BYTES))
+
+      if (sslSocketFactory != null && trustManager != null) {
+        builder.sslSocketFactory(sslSocketFactory, trustManager)
+      }
+
+      return OkHttpImageFetcher(builder.build())
+    }
+  }
+
+  fun reconfigure(
+    sslSocketFactory: SSLSocketFactory?,
+    trustManager: X509TrustManager?,
+  ): OkHttpImageFetcher {
+    val builder = client.newBuilder()
+    if (sslSocketFactory != null && trustManager != null) {
+      builder.sslSocketFactory(sslSocketFactory, trustManager)
+    }
+    // Evict idle connections using old SSL config
+    client.connectionPool.evictAll()
+    return OkHttpImageFetcher(builder.build())
+  }
+
+  private fun onComplete() {
+    val shouldClose = synchronized(stateLock) {
+      activeCount--
+      draining && activeCount == 0
+    }
+    if (shouldClose) {
+      client.cache?.close()
+    }
+  }
+
+  override fun fetch(
+    url: String,
+    headers: Map<String, String>,
+    signal: CancellationSignal,
+    onSuccess: (NativeByteBuffer) -> Unit,
+    onFailure: (Exception) -> Unit,
+  ) {
+    synchronized(stateLock) {
+      if (draining) {
+        return onFailure(IllegalStateException("Client is draining"))
+      }
+      activeCount++
+    }
+
+    val requestBuilder = Request.Builder().url(url)
+    headers.forEach { (key, value) -> requestBuilder.addHeader(key, value) }
+    val call = client.newCall(requestBuilder.build())
+    signal.setOnCancelListener(call::cancel)
+
+    call.enqueue(object : Callback {
+      override fun onFailure(call: Call, e: IOException) {
+        onFailure(e)
+        onComplete()
+      }
+
+      override fun onResponse(call: Call, response: Response) {
+        response.use {
+          if (!response.isSuccessful) {
+            return onFailure(IOException("HTTP ${response.code}: ${response.message}")).also { onComplete() }
+          }
+
+          val body = response.body
+            ?: return onFailure(IOException("Empty response body")).also { onComplete() }
+
+          if (call.isCanceled()) {
+            onFailure(OperationCanceledException())
+            return onComplete()
+          }
+
+          body.source().use { source ->
+            val length = body.contentLength().toInt()
+            val buffer = NativeByteBuffer(if (length > 0) length else INITIAL_BUFFER_SIZE)
+            try {
+              if (length > 0) {
+                val wrapped = NativeBuffer.wrap(buffer.pointer, length)
+                while (wrapped.hasRemaining()) {
+                  if (call.isCanceled()) throw OperationCanceledException()
+                  if (source.read(wrapped) == -1) throw EOFException()
+                }
+                buffer.advance(length)
+              } else {
+                while (true) {
+                  if (call.isCanceled()) throw OperationCanceledException()
+                  val bytesRead = source.read(buffer.wrapRemaining())
+                  if (bytesRead == -1) break
+                  buffer.advance(bytesRead)
+                  buffer.ensureHeadroom()
+                }
+              }
+              onSuccess(buffer)
+            } catch (e: Exception) {
+              buffer.free()
+              onFailure(e)
+            }
+            onComplete()
+          }
+        }
+      }
+    })
+  }
+
+  override fun drain() {
+    val shouldClose = synchronized(stateLock) {
+      if (draining) return
+      draining = true
+      activeCount == 0
+    }
+    client.connectionPool.evictAll()
+    if (shouldClose) {
+      client.cache?.close()
+    }
+  }
+
+  override fun clearCache(onCleared: (Result<Long>) -> Unit) {
+    try {
+      val size = client.cache!!.size()
+      client.cache!!.evictAll()
+      onCleared(Result.success(size))
+    } catch (e: Exception) {
+      onCleared(Result.failure(e))
+    }
+  }
+}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/images/ThumbHash.java
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/images/ThumbHash.java
@@ -7,6 +7,8 @@ package app.alextran.immich.images;

 import java.nio.ByteBuffer;

+import app.alextran.immich.NativeBuffer;
+
 // modified to use native allocations
 public final class ThumbHash {
  /**
@@ -56,8 +58,8 @@ public final class ThumbHash {
    int w = Math.round(ratio > 1.0f ? 32.0f : 32.0f * ratio);
    int h = Math.round(ratio > 1.0f ? 32.0f / ratio : 32.0f);
    int size = w * h * 4;
-    long pointer = ThumbnailsImpl.allocateNative(size);
-    ByteBuffer rgba = ThumbnailsImpl.wrapAsBuffer(pointer, size);
+    long pointer = NativeBuffer.allocate(size);
+    ByteBuffer rgba = NativeBuffer.wrap(pointer, size);
    int cx_stop = Math.max(lx, hasAlpha ? 5 : 3);
    int cy_stop = Math.max(ly, hasAlpha ? 5 : 3);
    float[] fx = new float[cx_stop];
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/sync/Messages.g.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/sync/Messages.g.kt
@@ -252,6 +252,40 @@ data class HashResult (

  override fun hashCode(): Int = toList().hashCode()
 }
+
+/** Generated class from Pigeon that represents data sent in messages. */
+data class CloudIdResult (
+  val assetId: String,
+  val error: String? = null,
+  val cloudId: String? = null
+)
+ {
+  companion object {
+    fun fromList(pigeonVar_list: List<Any?>): CloudIdResult {
+      val assetId = pigeonVar_list[0] as String
+      val error = pigeonVar_list[1] as String?
+      val cloudId = pigeonVar_list[2] as String?
+      return CloudIdResult(assetId, error, cloudId)
+    }
+  }
+  fun toList(): List<Any?> {
+    return listOf(
+      assetId,
+      error,
+      cloudId,
+    )
+  }
+  override fun equals(other: Any?): Boolean {
+    if (other !is CloudIdResult) {
+      return false
+    }
+    if (this === other) {
+      return true
+    }
+    return MessagesPigeonUtils.deepEquals(toList(), other.toList())  }
+
+  override fun hashCode(): Int = toList().hashCode()
+}
 private open class MessagesPigeonCodec : StandardMessageCodec() {
  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
    return when (type) {
@@ -275,6 +309,11 @@ private open class MessagesPigeonCodec : StandardMessageCodec() {
          HashResult.fromList(it)
        }
      }
+      133.toByte() -> {
+        return (readValue(buffer) as? List<Any?>)?.let {
+          CloudIdResult.fromList(it)
+        }
+      }
      else -> super.readValueOfType(type, buffer)
    }
  }
@@ -296,6 +335,10 @@ private open class MessagesPigeonCodec : StandardMessageCodec() {
        stream.write(132)
        writeValue(stream, value.toList())
      }
+      is CloudIdResult -> {
+        stream.write(133)
+        writeValue(stream, value.toList())
+      }
      else -> super.writeValue(stream, value)
    }
  }
@@ -315,6 +358,7 @@ interface NativeSyncApi {
  fun hashAssets(assetIds: List<String>, allowNetworkAccess: Boolean, callback: (Result<List<HashResult>>) -> Unit)
  fun cancelHashing()
  fun getTrashedAssets(): Map<String, List<PlatformAsset>>
+  fun getCloudIdForAssetIds(assetIds: List<String>): List<CloudIdResult>

  companion object {
    /** The codec used by NativeSyncApi. */
@@ -508,6 +552,23 @@ interface NativeSyncApi {
          channel.setMessageHandler(null)
        }
      }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NativeSyncApi.getCloudIdForAssetIds$separatedMessageChannelSuffix", codec, taskQueue)
+        if (api != null) {
+          channel.setMessageHandler { message, reply ->
+            val args = message as List<Any?>
+            val assetIdsArg = args[0] as List<String>
+            val wrapped: List<Any?> = try {
+              listOf(api.getCloudIdForAssetIds(assetIdsArg))
+            } catch (exception: Throwable) {
+              MessagesPigeonUtils.wrapError(exception)
+            }
+            reply.reply(wrapped)
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
    }
  }
 }
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/sync/MessagesImplBase.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/sync/MessagesImplBase.kt
@@ -14,6 +14,7 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.Job
 import kotlinx.coroutines.async
 import kotlinx.coroutines.awaitAll
+import kotlinx.coroutines.currentCoroutineContext
 import kotlinx.coroutines.ensureActive
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.sync.Semaphore
@@ -21,7 +22,6 @@ import kotlinx.coroutines.sync.withPermit
 import java.io.File
 import java.security.MessageDigest
 import kotlin.coroutines.cancellation.CancellationException
-import kotlin.coroutines.coroutineContext

 sealed class AssetResult {
  data class ValidAsset(val asset: PlatformAsset, val albumId: String) : AssetResult()
@@ -298,7 +298,7 @@ open class NativeSyncApiImplBase(context: Context) : ImmichPlugin() {
        var bytesRead: Int
        val buffer = ByteArray(HASH_BUFFER_SIZE)
        while (inputStream.read(buffer).also { bytesRead = it } > 0) {
-          coroutineContext.ensureActive()
+          currentCoroutineContext().ensureActive()
          digest.update(buffer, 0, bytesRead)
        }
      } ?: return HashResult(assetId, "Cannot open input stream for asset", null)
@@ -316,4 +316,10 @@ open class NativeSyncApiImplBase(context: Context) : ImmichPlugin() {
    hashTask?.cancel()
    hashTask = null
  }
+
+  // This method is only implemented on iOS; on Android, we do not have a concept of cloud IDs
+  @Suppress("unused", "UNUSED_PARAMETER")
+  fun getCloudIdForAssetIds(assetIds: List<String>): List<CloudIdResult> {
+    return emptyList()
+  }
 }
--- a/mobile/drift_schemas/main/drift_schema_v15.json
+++ b/mobile/drift_schemas/main/drift_schema_v15.json
--- a/mobile/drift_schemas/main/drift_schema_v16.json
+++ b/mobile/drift_schemas/main/drift_schema_v16.json
--- a/mobile/drift_schemas/main/drift_schema_v17.json
+++ b/mobile/drift_schemas/main/drift_schema_v17.json
--- a/mobile/fonts/GoogleSans/GoogleSans-Bold.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-Bold.ttf
--- a/mobile/fonts/GoogleSans/GoogleSans-Italic.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-Italic.ttf
--- a/mobile/fonts/GoogleSans/GoogleSans-Medium.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-Medium.ttf
--- a/mobile/fonts/GoogleSans/GoogleSans-Regular.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-Regular.ttf
--- a/mobile/fonts/GoogleSans/GoogleSans-SemiBold.ttf
+++ b/mobile/fonts/GoogleSans/GoogleSans-SemiBold.ttf
--- a/mobile/fonts/GoogleSansCode/GoogleSansCode-Medium.ttf
+++ b/mobile/fonts/GoogleSansCode/GoogleSansCode-Medium.ttf
--- a/mobile/fonts/GoogleSansCode/GoogleSansCode-Regular.ttf
+++ b/mobile/fonts/GoogleSansCode/GoogleSansCode-Regular.ttf
--- a/mobile/fonts/GoogleSansCode/GoogleSansCode-SemiBold.ttf
+++ b/mobile/fonts/GoogleSansCode/GoogleSansCode-SemiBold.ttf
--- a/mobile/ios/.gitignore
+++ b/mobile/ios/.gitignore
@@ -33,4 +33,5 @@ Runner/GeneratedPluginRegistrant.*
 !default.perspectivev3

 fastlane/report.xml
-Gemfile.lock
+Gemfile.lock
+certs/
--- a/mobile/ios/Podfile.lock
+++ b/mobile/ios/Podfile.lock
@@ -6,6 +6,9 @@ PODS:
    - FlutterMacOS
  - connectivity_plus (0.0.1):
    - Flutter
+  - cupertino_http (0.0.1):
+    - Flutter
+    - FlutterMacOS
  - device_info_plus (0.0.1):
    - Flutter
  - DKImagePickerController/Core (4.3.9):
@@ -136,6 +139,7 @@ DEPENDENCIES:
  - background_downloader (from `.symlinks/plugins/background_downloader/ios`)
  - bonsoir_darwin (from `.symlinks/plugins/bonsoir_darwin/darwin`)
  - connectivity_plus (from `.symlinks/plugins/connectivity_plus/ios`)
+  - cupertino_http (from `.symlinks/plugins/cupertino_http/darwin`)
  - device_info_plus (from `.symlinks/plugins/device_info_plus/ios`)
  - file_picker (from `.symlinks/plugins/file_picker/ios`)
  - Flutter (from `Flutter`)
@@ -184,6 +188,8 @@ EXTERNAL SOURCES:
    :path: ".symlinks/plugins/bonsoir_darwin/darwin"
  connectivity_plus:
    :path: ".symlinks/plugins/connectivity_plus/ios"
+  cupertino_http:
+    :path: ".symlinks/plugins/cupertino_http/darwin"
  device_info_plus:
    :path: ".symlinks/plugins/device_info_plus/ios"
  file_picker:
@@ -249,6 +255,7 @@ SPEC CHECKSUMS:
  background_downloader: 50e91d979067b82081aba359d7d916b3ba5fadad
  bonsoir_darwin: 29c7ccf356646118844721f36e1de4b61f6cbd0e
  connectivity_plus: cb623214f4e1f6ef8fe7403d580fdad517d2f7dd
+  cupertino_http: 94ac07f5ff090b8effa6c5e2c47871d48ab7c86c
  device_info_plus: 21fcca2080fbcd348be798aa36c3e5ed849eefbe
  DKImagePickerController: 946cec48c7873164274ecc4624d19e3da4c1ef3c
  DKPhotoGallery: b3834fecb755ee09a593d7c9e389d8b5d6deed60
--- a/mobile/ios/Runner.xcodeproj/project.pbxproj
+++ b/mobile/ios/Runner.xcodeproj/project.pbxproj
@@ -3,7 +3,7 @@
 	archiveVersion = 1;
 	classes = {
 	};
-	objectVersion = 54;
+	objectVersion = 77;
 	objects = {

 /* Begin PBXBuildFile section */
@@ -29,9 +29,11 @@
 		FAC6F89B2D287C890078CB2F /* ShareExtension.appex in Embed Foundation Extensions */ = {isa = PBXBuildFile; fileRef = FAC6F8902D287C890078CB2F /* ShareExtension.appex */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
 		FAC6F8B72D287F120078CB2F /* ShareViewController.swift in Sources */ = {isa = PBXBuildFile; fileRef = FAC6F8B52D287F120078CB2F /* ShareViewController.swift */; };
 		FAC6F8B92D287F120078CB2F /* MainInterface.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = FAC6F8B32D287F120078CB2F /* MainInterface.storyboard */; };
+		FE5499F32F1197D8006016CB /* LocalImages.g.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F12F1197D8006016CB /* LocalImages.g.swift */; };
+		FE5499F42F1197D8006016CB /* RemoteImages.g.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F22F1197D8006016CB /* RemoteImages.g.swift */; };
+		FE5499F62F11980E006016CB /* LocalImagesImpl.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F52F11980E006016CB /* LocalImagesImpl.swift */; };
+		FE5499F82F1198E2006016CB /* RemoteImagesImpl.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F72F1198DE006016CB /* RemoteImagesImpl.swift */; };
 		FEAFA8732E4D42F4001E47FE /* Thumbhash.swift in Sources */ = {isa = PBXBuildFile; fileRef = FEAFA8722E4D42F4001E47FE /* Thumbhash.swift */; };
-		FED3B1962E253E9B0030FD97 /* ThumbnailsImpl.swift in Sources */ = {isa = PBXBuildFile; fileRef = FED3B1942E253E9B0030FD97 /* ThumbnailsImpl.swift */; };
-		FED3B1972E253E9B0030FD97 /* Thumbnails.g.swift in Sources */ = {isa = PBXBuildFile; fileRef = FED3B1932E253E9B0030FD97 /* Thumbnails.g.swift */; };
 		FEE084F82EC172460045228E /* SQLiteData in Frameworks */ = {isa = PBXBuildFile; productRef = FEE084F72EC172460045228E /* SQLiteData */; };
 		FEE084FB2EC1725A0045228E /* RawStructuredFieldValues in Frameworks */ = {isa = PBXBuildFile; productRef = FEE084FA2EC1725A0045228E /* RawStructuredFieldValues */; };
 		FEE084FD2EC1725A0045228E /* StructuredFieldValues in Frameworks */ = {isa = PBXBuildFile; productRef = FEE084FC2EC1725A0045228E /* StructuredFieldValues */; };
@@ -118,9 +120,11 @@
 		FAC6F8B42D287F120078CB2F /* ShareExtension.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = ShareExtension.entitlements; sourceTree = "<group>"; };
 		FAC6F8B52D287F120078CB2F /* ShareViewController.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ShareViewController.swift; sourceTree = "<group>"; };
 		FAC7416727DB9F5500C668D8 /* RunnerProfile.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = RunnerProfile.entitlements; sourceTree = "<group>"; };
+		FE5499F12F1197D8006016CB /* LocalImages.g.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LocalImages.g.swift; sourceTree = "<group>"; };
+		FE5499F22F1197D8006016CB /* RemoteImages.g.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RemoteImages.g.swift; sourceTree = "<group>"; };
+		FE5499F52F11980E006016CB /* LocalImagesImpl.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LocalImagesImpl.swift; sourceTree = "<group>"; };
+		FE5499F72F1198DE006016CB /* RemoteImagesImpl.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RemoteImagesImpl.swift; sourceTree = "<group>"; };
 		FEAFA8722E4D42F4001E47FE /* Thumbhash.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Thumbhash.swift; sourceTree = "<group>"; };
-		FED3B1932E253E9B0030FD97 /* Thumbnails.g.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Thumbnails.g.swift; sourceTree = "<group>"; };
-		FED3B1942E253E9B0030FD97 /* ThumbnailsImpl.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ThumbnailsImpl.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */

 /* Begin PBXFileSystemSynchronizedBuildFileExceptionSet section */
@@ -136,15 +140,11 @@
 /* Begin PBXFileSystemSynchronizedRootGroup section */
 		B231F52D2E93A44A00BC45D1 /* Core */ = {
 			isa = PBXFileSystemSynchronizedRootGroup;
-			exceptions = (
-			);
 			path = Core;
 			sourceTree = "<group>";
 		};
 		B2CF7F8C2DDE4EBB00744BF6 /* Sync */ = {
 			isa = PBXFileSystemSynchronizedRootGroup;
-			exceptions = (
-			);
 			path = Sync;
 			sourceTree = "<group>";
 		};
@@ -158,8 +158,6 @@
 		};
 		FEE084F22EC172080045228E /* Schemas */ = {
 			isa = PBXFileSystemSynchronizedRootGroup;
-			exceptions = (
-			);
 			path = Schemas;
 			sourceTree = "<group>";
 		};
@@ -321,9 +319,11 @@
 		FED3B1952E253E9B0030FD97 /* Images */ = {
 			isa = PBXGroup;
 			children = (
+				FE5499F72F1198DE006016CB /* RemoteImagesImpl.swift */,
+				FE5499F52F11980E006016CB /* LocalImagesImpl.swift */,
+				FE5499F12F1197D8006016CB /* LocalImages.g.swift */,
+				FE5499F22F1197D8006016CB /* RemoteImages.g.swift */,
 				FEAFA8722E4D42F4001E47FE /* Thumbhash.swift */,
-				FED3B1932E253E9B0030FD97 /* Thumbnails.g.swift */,
-				FED3B1942E253E9B0030FD97 /* ThumbnailsImpl.swift */,
 			);
 			path = Images;
 			sourceTree = "<group>";
@@ -549,10 +549,14 @@
 			inputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-resources-${CONFIGURATION}-input-files.xcfilelist",
 			);
+			inputPaths = (
+			);
 			name = "[CP] Copy Pods Resources";
 			outputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-resources-${CONFIGURATION}-output-files.xcfilelist",
 			);
+			outputPaths = (
+			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
 			shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-resources.sh\"\n";
@@ -581,10 +585,14 @@
 			inputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks-${CONFIGURATION}-input-files.xcfilelist",
 			);
+			inputPaths = (
+			);
 			name = "[CP] Embed Pods Frameworks";
 			outputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks-${CONFIGURATION}-output-files.xcfilelist",
 			);
+			outputPaths = (
+			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
 			shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks.sh\"\n";
@@ -600,12 +608,14 @@
 				65F32F31299BD2F800CE9261 /* BackgroundServicePlugin.swift in Sources */,
 				74858FAF1ED2DC5600515810 /* AppDelegate.swift in Sources */,
 				B21E34AC2E5B09190031FDB9 /* BackgroundWorker.swift in Sources */,
+				FE5499F32F1197D8006016CB /* LocalImages.g.swift in Sources */,
+				FE5499F62F11980E006016CB /* LocalImagesImpl.swift in Sources */,
+				FE5499F42F1197D8006016CB /* RemoteImages.g.swift in Sources */,
 				B25D377A2E72CA15008B6CA7 /* Connectivity.g.swift in Sources */,
+				FE5499F82F1198E2006016CB /* RemoteImagesImpl.swift in Sources */,
 				FEAFA8732E4D42F4001E47FE /* Thumbhash.swift in Sources */,
 				B25D377C2E72CA26008B6CA7 /* ConnectivityApiImpl.swift in Sources */,
-				FED3B1962E253E9B0030FD97 /* ThumbnailsImpl.swift in Sources */,
 				B21E34AA2E5AFD2B0031FDB9 /* BackgroundWorkerApiImpl.swift in Sources */,
-				FED3B1972E253E9B0030FD97 /* Thumbnails.g.swift in Sources */,
 				1498D2341E8E89220040F4C2 /* GeneratedPluginRegistrant.m in Sources */,
 				B2BE315F2E5E5229006EEF88 /* BackgroundWorker.g.swift in Sources */,
 				65F32F33299D349D00CE9261 /* BackgroundSyncWorker.swift in Sources */,
--- a/mobile/ios/Runner/AppDelegate.swift
+++ b/mobile/ios/Runner/AppDelegate.swift
@@ -53,8 +53,10 @@ import UIKit
  
  public static func registerPlugins(with engine: FlutterEngine) {
    NativeSyncApiImpl.register(with: engine.registrar(forPlugin: NativeSyncApiImpl.name)!)
-    ThumbnailApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: ThumbnailApiImpl())
+    LocalImageApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: LocalImageApiImpl())
+    RemoteImageApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: RemoteImageApiImpl())
    BackgroundWorkerFgHostApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: BackgroundWorkerApiImpl())
+    ConnectivityApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: ConnectivityApiImpl())
  }
  
  public static func cancelPlugins(with engine: FlutterEngine) {
--- a/mobile/ios/Runner/Connectivity/ConnectivityApiImpl.swift
+++ b/mobile/ios/Runner/Connectivity/ConnectivityApiImpl.swift
@@ -1,6 +1,60 @@
+import Network

 class ConnectivityApiImpl: ConnectivityApi {
+  private let monitor = NWPathMonitor()
+  private let queue = DispatchQueue(label: "ConnectivityMonitor")
+  private var currentPath: NWPath?
+  
+  init() {
+    monitor.pathUpdateHandler = { [weak self] path in
+      self?.currentPath = path
+    }
+    monitor.start(queue: queue)
+    // Get initial state synchronously
+    currentPath = monitor.currentPath
+  }
+  
+  deinit {
+    monitor.cancel()
+  }
+  
  func getCapabilities() throws -> [NetworkCapability] {
-    []
+    guard let path = currentPath else {
+      return []
+    }
+    
+    guard path.status == .satisfied else {
+      return []
+    }
+    
+    var capabilities: [NetworkCapability] = []
+    
+    if path.usesInterfaceType(.wifi) {
+      capabilities.append(.wifi)
+    }
+    
+    if path.usesInterfaceType(.cellular) {
+      capabilities.append(.cellular)
+    }
+    
+    // Check for VPN - iOS reports VPN as .other interface type in many cases
+    // or through the path's expensive property when on cellular with VPN
+    if path.usesInterfaceType(.other) {
+      capabilities.append(.vpn)
+    }
+    
+    // Determine if connection is unmetered:
+    // - Must be on WiFi (not cellular)
+    // - Must not be expensive (rules out personal hotspot)
+    // - Must not be constrained (Low Data Mode)
+    // Note: VPN over cellular should still be considered metered
+    let isOnCellular = path.usesInterfaceType(.cellular)
+    let isOnWifi = path.usesInterfaceType(.wifi)
+    
+    if isOnWifi && !isOnCellular && !path.isExpensive && !path.isConstrained {
+      capabilities.append(.unmetered)
+    }
+    
+    return capabilities
  }
 }
--- a/mobile/ios/Runner/Images/LocalImages.g.swift
+++ b/mobile/ios/Runner/Images/LocalImages.g.swift
@@ -47,41 +47,41 @@ private func nilOrValue<T>(_ value: Any?) -> T? {
 }


-private class ThumbnailsPigeonCodecReader: FlutterStandardReader {
+private class LocalImagesPigeonCodecReader: FlutterStandardReader {
 }

-private class ThumbnailsPigeonCodecWriter: FlutterStandardWriter {
+private class LocalImagesPigeonCodecWriter: FlutterStandardWriter {
 }

-private class ThumbnailsPigeonCodecReaderWriter: FlutterStandardReaderWriter {
+private class LocalImagesPigeonCodecReaderWriter: FlutterStandardReaderWriter {
  override func reader(with data: Data) -> FlutterStandardReader {
-    return ThumbnailsPigeonCodecReader(data: data)
+    return LocalImagesPigeonCodecReader(data: data)
  }

  override func writer(with data: NSMutableData) -> FlutterStandardWriter {
-    return ThumbnailsPigeonCodecWriter(data: data)
+    return LocalImagesPigeonCodecWriter(data: data)
  }
 }

-class ThumbnailsPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
-  static let shared = ThumbnailsPigeonCodec(readerWriter: ThumbnailsPigeonCodecReaderWriter())
+class LocalImagesPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
+  static let shared = LocalImagesPigeonCodec(readerWriter: LocalImagesPigeonCodecReaderWriter())
 }


 /// Generated protocol from Pigeon that represents a handler of messages from Flutter.
-protocol ThumbnailApi {
-  func requestImage(assetId: String, requestId: Int64, width: Int64, height: Int64, isVideo: Bool, completion: @escaping (Result<[String: Int64], Error>) -> Void)
-  func cancelImageRequest(requestId: Int64) throws
+protocol LocalImageApi {
+  func requestImage(assetId: String, requestId: Int64, width: Int64, height: Int64, isVideo: Bool, completion: @escaping (Result<[String: Int64]?, Error>) -> Void)
+  func cancelRequest(requestId: Int64) throws
  func getThumbhash(thumbhash: String, completion: @escaping (Result<[String: Int64], Error>) -> Void)
 }

 /// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
-class ThumbnailApiSetup {
-  static var codec: FlutterStandardMessageCodec { ThumbnailsPigeonCodec.shared }
-  /// Sets up an instance of `ThumbnailApi` to handle messages through the `binaryMessenger`.
-  static func setUp(binaryMessenger: FlutterBinaryMessenger, api: ThumbnailApi?, messageChannelSuffix: String = "") {
+class LocalImageApiSetup {
+  static var codec: FlutterStandardMessageCodec { LocalImagesPigeonCodec.shared }
+  /// Sets up an instance of `LocalImageApi` to handle messages through the `binaryMessenger`.
+  static func setUp(binaryMessenger: FlutterBinaryMessenger, api: LocalImageApi?, messageChannelSuffix: String = "") {
    let channelSuffix = messageChannelSuffix.count > 0 ? ".\(messageChannelSuffix)" : ""
-    let requestImageChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.ThumbnailApi.requestImage\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    let requestImageChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.LocalImageApi.requestImage\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
    if let api = api {
      requestImageChannel.setMessageHandler { message, reply in
        let args = message as! [Any?]
@@ -102,22 +102,22 @@ class ThumbnailApiSetup {
    } else {
      requestImageChannel.setMessageHandler(nil)
    }
-    let cancelImageRequestChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.ThumbnailApi.cancelImageRequest\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    let cancelRequestChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.LocalImageApi.cancelRequest\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
    if let api = api {
-      cancelImageRequestChannel.setMessageHandler { message, reply in
+      cancelRequestChannel.setMessageHandler { message, reply in
        let args = message as! [Any?]
        let requestIdArg = args[0] as! Int64
        do {
-          try api.cancelImageRequest(requestId: requestIdArg)
+          try api.cancelRequest(requestId: requestIdArg)
          reply(wrapResult(nil))
        } catch {
          reply(wrapError(error))
        }
      }
    } else {
-      cancelImageRequestChannel.setMessageHandler(nil)
+      cancelRequestChannel.setMessageHandler(nil)
    }
-    let getThumbhashChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.ThumbnailApi.getThumbhash\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    let getThumbhashChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.LocalImageApi.getThumbhash\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
    if let api = api {
      getThumbhashChannel.setMessageHandler { message, reply in
        let args = message as! [Any?]
--- a/mobile/ios/Runner/Images/LocalImagesImpl.swift
+++ b/mobile/ios/Runner/Images/LocalImagesImpl.swift
@@ -1,19 +1,19 @@
-import CryptoKit
+import Accelerate
 import Flutter
 import MobileCoreServices
 import Photos

-class Request {
+class LocalImageRequest {
  weak var workItem: DispatchWorkItem?
  var isCancelled = false
-  let callback: (Result<[String: Int64], any Error>) -> Void
+  let callback: (Result<[String: Int64]?, any Error>) -> Void
  
-  init(callback: @escaping (Result<[String: Int64], any Error>) -> Void) {
+  init(callback: @escaping (Result<[String: Int64]?, any Error>) -> Void) {
    self.callback = callback
  }
 }

-class ThumbnailApiImpl: ThumbnailApi {
+class LocalImageApiImpl: LocalImageApi {
  private static let imageManager = PHImageManager.default()
  private static let fetchOptions = {
    let fetchOptions = PHFetchOptions()
@@ -36,47 +36,39 @@ class ThumbnailApiImpl: ThumbnailApi {
  private static let cancelQueue = DispatchQueue(label: "thumbnail.cancellation", qos: .default)
  private static let processingQueue = DispatchQueue(label: "thumbnail.processing", qos: .userInteractive, attributes: .concurrent)
  
-  private static let rgbColorSpace = CGColorSpaceCreateDeviceRGB()
-  private static let bitmapInfo = CGBitmapInfo(rawValue: CGImageAlphaInfo.premultipliedLast.rawValue).rawValue
-  private static var requests = [Int64: Request]()
-  private static let cancelledResult = Result<[String: Int64], any Error>.success([:])
+  private static var rgbaFormat = vImage_CGImageFormat(
+    bitsPerComponent: 8,
+    bitsPerPixel: 32,
+    colorSpace: CGColorSpaceCreateDeviceRGB(),
+    bitmapInfo: CGBitmapInfo(rawValue: CGImageAlphaInfo.premultipliedLast.rawValue),
+    renderingIntent: .defaultIntent
+  )!
+  private static var requests = [Int64: LocalImageRequest]()
+  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
  private static let concurrencySemaphore = DispatchSemaphore(value: ProcessInfo.processInfo.activeProcessorCount * 2)
  private static let assetCache = {
    let assetCache = NSCache<NSString, PHAsset>()
    assetCache.countLimit = 10000
    return assetCache
  }()
-  private static let activitySemaphore = DispatchSemaphore(value: 1)
-  private static let willResignActiveObserver = NotificationCenter.default.addObserver(
-    forName: UIApplication.willResignActiveNotification,
-    object: nil,
-    queue: .main
-  ) { _ in
-    processingQueue.suspend()
-    activitySemaphore.wait()
-  }
-  private static let didBecomeActiveObserver = NotificationCenter.default.addObserver(
-    forName: UIApplication.didBecomeActiveNotification,
-    object: nil,
-    queue: .main
-  ) { _ in
-    processingQueue.resume()
-    activitySemaphore.signal()
-  }
  
  func getThumbhash(thumbhash: String, completion: @escaping (Result<[String : Int64], any Error>) -> Void) {
    Self.processingQueue.async {
      guard let data = Data(base64Encoded: thumbhash)
      else { return completion(.failure(PigeonError(code: "", message: "Invalid base64 string: \(thumbhash)", details: nil)))}
-
+      
      let (width, height, pointer) = thumbHashToRGBA(hash: data)
-      self.waitForActiveState()
-      completion(.success(["pointer": Int64(Int(bitPattern: pointer.baseAddress)), "width": Int64(width), "height": Int64(height)]))
+      completion(.success([
+        "pointer": Int64(Int(bitPattern: pointer.baseAddress)),
+        "width": Int64(width),
+        "height": Int64(height),
+        "rowBytes": Int64(width * 4)
+      ]))
    }
  }
  
-  func requestImage(assetId: String, requestId: Int64, width: Int64, height: Int64, isVideo: Bool, completion: @escaping (Result<[String: Int64], any Error>) -> Void) {
-    let request = Request(callback: completion)
+  func requestImage(assetId: String, requestId: Int64, width: Int64, height: Int64, isVideo: Bool, completion: @escaping (Result<[String: Int64]?, any Error>) -> Void) {
+    let request = LocalImageRequest(callback: completion)
    let item = DispatchWorkItem {
      if request.isCancelled {
        return completion(Self.cancelledResult)
@@ -93,7 +85,7 @@ class ThumbnailApiImpl: ThumbnailApi {
      
      guard let asset = Self.requestAsset(assetId: assetId)
      else {
-        Self.removeRequest(requestId: requestId)
+        Self.remove(requestId: requestId)
        completion(.failure(PigeonError(code: "", message: "Could not get asset data for \(assetId)", details: nil)))
        return
      }
@@ -119,70 +111,54 @@ class ThumbnailApiImpl: ThumbnailApi {
      
      guard let image = image,
            let cgImage = image.cgImage else {
-        Self.removeRequest(requestId: requestId)
+        Self.remove(requestId: requestId)
        return completion(.failure(PigeonError(code: "", message: "Could not get pixel data for \(assetId)", details: nil)))
      }
      
-      let pointer = UnsafeMutableRawPointer.allocate(
-        byteCount: Int(cgImage.width) * Int(cgImage.height) * 4,
-        alignment: MemoryLayout<UInt8>.alignment
-      )
-      
      if request.isCancelled {
-        pointer.deallocate()
        return completion(Self.cancelledResult)
      }
      
-      guard let context = CGContext(
-        data: pointer,
-        width: cgImage.width,
-        height: cgImage.height,
-        bitsPerComponent: 8,
-        bytesPerRow: cgImage.width * 4,
-        space: Self.rgbColorSpace,
-        bitmapInfo: Self.bitmapInfo
-      ) else {
-        pointer.deallocate()
-        Self.removeRequest(requestId: requestId)
-        return completion(.failure(PigeonError(code: "", message: "Could not create context for \(assetId)", details: nil)))
+      do {
+        let buffer = try vImage_Buffer(cgImage: cgImage, format: Self.rgbaFormat)
+        
+        if request.isCancelled {
+          buffer.free()
+          return completion(Self.cancelledResult)
+        }
+        
+        request.callback(.success([
+          "pointer": Int64(Int(bitPattern: buffer.data)),
+          "width": Int64(buffer.width),
+          "height": Int64(buffer.height),
+          "rowBytes": Int64(buffer.rowBytes)
+        ]))
+        print("Successful response for \(requestId)")
+        Self.remove(requestId: requestId)
+      } catch {
+        Self.remove(requestId: requestId)
+        return completion(.failure(PigeonError(code: "", message: "Failed to convert image for \(assetId): \(error)", details: nil)))
      }
-      
-      if request.isCancelled {
-        pointer.deallocate()
-        return completion(Self.cancelledResult)
-      }
-      
-      context.interpolationQuality = .none
-      context.draw(cgImage, in: CGRect(x: 0, y: 0, width: cgImage.width, height: cgImage.height))
-      
-      if request.isCancelled {
-        pointer.deallocate()
-        return completion(Self.cancelledResult)
-      }
-      
-      self.waitForActiveState()
-      completion(.success(["pointer": Int64(Int(bitPattern: pointer)), "width": Int64(cgImage.width), "height": Int64(cgImage.height)]))
-      Self.removeRequest(requestId: requestId)
    }
    
    request.workItem = item
-    Self.addRequest(requestId: requestId, request: request)
+    Self.add(requestId: requestId, request: request)
    Self.processingQueue.async(execute: item)
  }
  
-  func cancelImageRequest(requestId: Int64) {
-    Self.cancelRequest(requestId: requestId)
+  func cancelRequest(requestId: Int64) {
+    Self.cancel(requestId: requestId)
  }
  
-  private static func addRequest(requestId: Int64, request: Request) -> Void {
+  private static func add(requestId: Int64, request: LocalImageRequest) -> Void {
    requestQueue.sync { requests[requestId] = request }
  }
  
-  private static func removeRequest(requestId: Int64) -> Void {
+  private static func remove(requestId: Int64) -> Void {
    requestQueue.sync { requests[requestId] = nil }
  }
  
-  private static func cancelRequest(requestId: Int64) -> Void {
+  private static func cancel(requestId: Int64) -> Void {
    requestQueue.async {
      guard let request = requests.removeValue(forKey: requestId) else { return }
      request.isCancelled = true
@@ -203,9 +179,4 @@ class ThumbnailApiImpl: ThumbnailApi {
    assetQueue.async { assetCache.setObject(asset, forKey: assetId as NSString) }
    return asset
  }
-  
-  func waitForActiveState() {
-    Self.activitySemaphore.wait()
-    Self.activitySemaphore.signal()
-  }
 }
--- a/mobile/ios/Runner/Images/RemoteImages.g.swift
+++ b/mobile/ios/Runner/Images/RemoteImages.g.swift
@@ -0,0 +1,134 @@
+// Autogenerated from Pigeon (v26.0.2), do not edit directly.
+// See also: https://pub.dev/packages/pigeon
+
+import Foundation
+
+#if os(iOS)
+  import Flutter
+#elseif os(macOS)
+  import FlutterMacOS
+#else
+  #error("Unsupported platform.")
+#endif
+
+private func wrapResult(_ result: Any?) -> [Any?] {
+  return [result]
+}
+
+private func wrapError(_ error: Any) -> [Any?] {
+  if let pigeonError = error as? PigeonError {
+    return [
+      pigeonError.code,
+      pigeonError.message,
+      pigeonError.details,
+    ]
+  }
+  if let flutterError = error as? FlutterError {
+    return [
+      flutterError.code,
+      flutterError.message,
+      flutterError.details,
+    ]
+  }
+  return [
+    "\(error)",
+    "\(type(of: error))",
+    "Stacktrace: \(Thread.callStackSymbols)",
+  ]
+}
+
+private func isNullish(_ value: Any?) -> Bool {
+  return value is NSNull || value == nil
+}
+
+private func nilOrValue<T>(_ value: Any?) -> T? {
+  if value is NSNull { return nil }
+  return value as! T?
+}
+
+
+private class RemoteImagesPigeonCodecReader: FlutterStandardReader {
+}
+
+private class RemoteImagesPigeonCodecWriter: FlutterStandardWriter {
+}
+
+private class RemoteImagesPigeonCodecReaderWriter: FlutterStandardReaderWriter {
+  override func reader(with data: Data) -> FlutterStandardReader {
+    return RemoteImagesPigeonCodecReader(data: data)
+  }
+
+  override func writer(with data: NSMutableData) -> FlutterStandardWriter {
+    return RemoteImagesPigeonCodecWriter(data: data)
+  }
+}
+
+class RemoteImagesPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
+  static let shared = RemoteImagesPigeonCodec(readerWriter: RemoteImagesPigeonCodecReaderWriter())
+}
+
+
+/// Generated protocol from Pigeon that represents a handler of messages from Flutter.
+protocol RemoteImageApi {
+  func requestImage(url: String, headers: [String: String], requestId: Int64, completion: @escaping (Result<[String: Int64]?, Error>) -> Void)
+  func cancelRequest(requestId: Int64) throws
+  func clearCache(completion: @escaping (Result<Int64, Error>) -> Void)
+}
+
+/// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
+class RemoteImageApiSetup {
+  static var codec: FlutterStandardMessageCodec { RemoteImagesPigeonCodec.shared }
+  /// Sets up an instance of `RemoteImageApi` to handle messages through the `binaryMessenger`.
+  static func setUp(binaryMessenger: FlutterBinaryMessenger, api: RemoteImageApi?, messageChannelSuffix: String = "") {
+    let channelSuffix = messageChannelSuffix.count > 0 ? ".\(messageChannelSuffix)" : ""
+    let requestImageChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.RemoteImageApi.requestImage\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      requestImageChannel.setMessageHandler { message, reply in
+        let args = message as! [Any?]
+        let urlArg = args[0] as! String
+        let headersArg = args[1] as! [String: String]
+        let requestIdArg = args[2] as! Int64
+        api.requestImage(url: urlArg, headers: headersArg, requestId: requestIdArg) { result in
+          switch result {
+          case .success(let res):
+            reply(wrapResult(res))
+          case .failure(let error):
+            reply(wrapError(error))
+          }
+        }
+      }
+    } else {
+      requestImageChannel.setMessageHandler(nil)
+    }
+    let cancelRequestChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.RemoteImageApi.cancelRequest\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      cancelRequestChannel.setMessageHandler { message, reply in
+        let args = message as! [Any?]
+        let requestIdArg = args[0] as! Int64
+        do {
+          try api.cancelRequest(requestId: requestIdArg)
+          reply(wrapResult(nil))
+        } catch {
+          reply(wrapError(error))
+        }
+      }
+    } else {
+      cancelRequestChannel.setMessageHandler(nil)
+    }
+    let clearCacheChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.RemoteImageApi.clearCache\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      clearCacheChannel.setMessageHandler { _, reply in
+        api.clearCache { result in
+          switch result {
+          case .success(let res):
+            reply(wrapResult(res))
+          case .failure(let error):
+            reply(wrapError(error))
+          }
+        }
+      }
+    } else {
+      clearCacheChannel.setMessageHandler(nil)
+    }
+  }
+}
--- a/mobile/ios/Runner/Images/RemoteImagesImpl.swift
+++ b/mobile/ios/Runner/Images/RemoteImagesImpl.swift
@@ -0,0 +1,185 @@
+import Accelerate
+import Flutter
+import MobileCoreServices
+import Photos
+
+class RemoteImageRequest {
+  weak var task: URLSessionDataTask?
+  let id: Int64
+  var isCancelled = false
+  var data: CFMutableData?
+  let completion: (Result<[String: Int64]?, any Error>) -> Void
+  
+  init(id: Int64, task: URLSessionDataTask, completion: @escaping (Result<[String: Int64]?, any Error>) -> Void) {
+    self.id = id
+    self.task = task
+    self.data = nil
+    self.completion = completion
+  }
+}
+
+class RemoteImageApiImpl: NSObject, RemoteImageApi {
+  private static let delegate = RemoteImageApiDelegate()
+  static let cacheDir = FileManager.default.temporaryDirectory.appendingPathComponent(
+    "thumbnails", isDirectory: true)
+  static let session = {
+    let config = URLSessionConfiguration.default
+    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
+    config.httpAdditionalHeaders = ["User-Agent": "Immich_iOS_\(version)"]
+    try! FileManager.default.createDirectory(at: cacheDir, withIntermediateDirectories: true)
+    config.urlCache = URLCache(
+      memoryCapacity: 0,
+      diskCapacity: 1 << 30,
+      directory: cacheDir
+    )
+    config.httpMaximumConnectionsPerHost = 16
+    return URLSession(configuration: config, delegate: delegate, delegateQueue: nil)
+  }()
+  
+  func requestImage(url: String, headers: [String : String], requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
+    var urlRequest = URLRequest(url: URL(string: url)!)
+    for (key, value) in headers {
+      urlRequest.setValue(value, forHTTPHeaderField: key)
+    }
+    let task = Self.session.dataTask(with: urlRequest)
+    
+    let imageRequest = RemoteImageRequest(id: requestId, task: task, completion: completion)
+    Self.delegate.add(taskId: task.taskIdentifier, request: imageRequest)
+    
+    task.resume()
+  }
+  
+  func cancelRequest(requestId: Int64) {
+    Self.delegate.cancel(requestId: requestId)
+  }
+  
+  func clearCache(completion: @escaping (Result<Int64, any Error>) -> Void) {
+    Task {
+      let cache = Self.session.configuration.urlCache!
+      let cacheSize = Int64(cache.currentDiskUsage)
+      cache.removeAllCachedResponses()
+      completion(.success(cacheSize))
+    }
+  }
+}
+
+class RemoteImageApiDelegate: NSObject, URLSessionDataDelegate {
+  private static let requestQueue = DispatchQueue(label: "thumbnail.requests", qos: .userInitiated, attributes: .concurrent)
+  private static var rgbaFormat = vImage_CGImageFormat(
+    bitsPerComponent: 8,
+    bitsPerPixel: 32,
+    colorSpace: CGColorSpaceCreateDeviceRGB(),
+    bitmapInfo: CGBitmapInfo(rawValue: CGImageAlphaInfo.premultipliedLast.rawValue),
+    renderingIntent: .perceptual
+  )!
+  private static var requestByTaskId = [Int: RemoteImageRequest]()
+  private static var taskIdByRequestId = [Int64: Int]()
+  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
+  private static let decodeOptions = [
+    kCGImageSourceShouldCache: false,
+    kCGImageSourceShouldCacheImmediately: true,
+    kCGImageSourceCreateThumbnailWithTransform: true,
+  ] as CFDictionary
+  
+  func urlSession(
+    _ session: URLSession, dataTask: URLSessionDataTask,
+    didReceive response: URLResponse,
+    completionHandler: @escaping (URLSession.ResponseDisposition) -> Void
+  ) {
+    guard let request = get(taskId: dataTask.taskIdentifier)
+    else {
+      return completionHandler(.cancel)
+    }
+    
+    let capacity = max(Int(response.expectedContentLength), 0)
+    request.data = CFDataCreateMutable(nil, capacity)
+    
+    completionHandler(.allow)
+  }
+  
+  func urlSession(_ session: URLSession, dataTask: URLSessionDataTask,
+                  didReceive data: Data) {
+    guard let request = get(taskId: dataTask.taskIdentifier) else { return }
+    
+    data.withUnsafeBytes { bytes in
+      CFDataAppendBytes(request.data, bytes.bindMemory(to: UInt8.self).baseAddress, data.count)
+    }
+  }
+  
+  func urlSession(_ session: URLSession, task: URLSessionTask,
+                  didCompleteWithError error: Error?) {
+    guard let request = get(taskId: task.taskIdentifier) else { return }
+        
+    defer { remove(taskId: task.taskIdentifier, requestId: request.id) }
+    
+    if let error = error {
+      if request.isCancelled || (error as NSError).code == NSURLErrorCancelled {
+        return request.completion(Self.cancelledResult)
+      }
+      return request.completion(.failure(error))
+    }
+    
+    if request.isCancelled {
+      return request.completion(Self.cancelledResult)
+    }
+    
+    guard let data = request.data else {
+      return request.completion(.failure(PigeonError(code: "", message: "No data received", details: nil)))
+    }
+    
+    guard let imageSource = CGImageSourceCreateWithData(data, nil),
+          let cgImage = CGImageSourceCreateThumbnailAtIndex(imageSource, 0, Self.decodeOptions) else {
+      return request.completion(.failure(PigeonError(code: "", message: "Failed to decode image for request", details: nil)))
+    }
+    
+    if request.isCancelled {
+      return request.completion(Self.cancelledResult)
+    }
+    
+    do {
+      let buffer = try vImage_Buffer(cgImage: cgImage, format: Self.rgbaFormat)
+      
+      if request.isCancelled {
+        buffer.free()
+        return request.completion(Self.cancelledResult)
+      }
+      
+      request.completion(
+        .success([
+          "pointer": Int64(Int(bitPattern: buffer.data)),
+          "width": Int64(buffer.width),
+          "height": Int64(buffer.height),
+          "rowBytes": Int64(buffer.rowBytes),
+        ]))
+    } catch {
+      return request.completion(.failure(PigeonError(code: "", message: "Failed to convert image for request: \(error)", details: nil)))
+    }
+  }
+  
+  @inline(__always) func get(taskId: Int) -> RemoteImageRequest? {
+    Self.requestQueue.sync { Self.requestByTaskId[taskId] }
+  }
+  
+  @inline(__always) func add(taskId: Int, request: RemoteImageRequest) -> Void {
+    Self.requestQueue.async(flags: .barrier) {
+      Self.requestByTaskId[taskId] = request
+      Self.taskIdByRequestId[request.id] = taskId
+    }
+  }
+  
+  @inline(__always) func remove(taskId: Int, requestId: Int64) -> Void {
+    Self.requestQueue.async(flags: .barrier) {
+      Self.taskIdByRequestId[requestId] = nil
+      Self.requestByTaskId[taskId] = nil
+    }
+  }
+  
+  @inline(__always) func cancel(requestId: Int64) -> Void {
+    guard let request: RemoteImageRequest = (Self.requestQueue.sync {
+      guard let taskId = Self.taskIdByRequestId[requestId] else { return nil }
+      return Self.requestByTaskId[taskId]
+    }) else { return }
+    request.isCancelled = true
+    request.task?.cancel()
+  }
+}
--- a/mobile/ios/Runner/Sync/Messages.g.swift
+++ b/mobile/ios/Runner/Sync/Messages.g.swift
@@ -312,6 +312,39 @@ struct HashResult: Hashable {
  }
 }

+/// Generated class from Pigeon that represents data sent in messages.
+struct CloudIdResult: Hashable {
+  var assetId: String
+  var error: String? = nil
+  var cloudId: String? = nil
+
+
+  // swift-format-ignore: AlwaysUseLowerCamelCase
+  static func fromList(_ pigeonVar_list: [Any?]) -> CloudIdResult? {
+    let assetId = pigeonVar_list[0] as! String
+    let error: String? = nilOrValue(pigeonVar_list[1])
+    let cloudId: String? = nilOrValue(pigeonVar_list[2])
+
+    return CloudIdResult(
+      assetId: assetId,
+      error: error,
+      cloudId: cloudId
+    )
+  }
+  func toList() -> [Any?] {
+    return [
+      assetId,
+      error,
+      cloudId,
+    ]
+  }
+  static func == (lhs: CloudIdResult, rhs: CloudIdResult) -> Bool {
+    return deepEqualsMessages(lhs.toList(), rhs.toList())  }
+  func hash(into hasher: inout Hasher) {
+    deepHashMessages(value: toList(), hasher: &hasher)
+  }
+}
+
 private class MessagesPigeonCodecReader: FlutterStandardReader {
  override func readValue(ofType type: UInt8) -> Any? {
    switch type {
@@ -323,6 +356,8 @@ private class MessagesPigeonCodecReader: FlutterStandardReader {
      return SyncDelta.fromList(self.readValue() as! [Any?])
    case 132:
      return HashResult.fromList(self.readValue() as! [Any?])
+    case 133:
+      return CloudIdResult.fromList(self.readValue() as! [Any?])
    default:
      return super.readValue(ofType: type)
    }
@@ -343,6 +378,9 @@ private class MessagesPigeonCodecWriter: FlutterStandardWriter {
    } else if let value = value as? HashResult {
      super.writeByte(132)
      super.writeValue(value.toList())
+    } else if let value = value as? CloudIdResult {
+      super.writeByte(133)
+      super.writeValue(value.toList())
    } else {
      super.writeValue(value)
    }
@@ -377,6 +415,7 @@ protocol NativeSyncApi {
  func hashAssets(assetIds: [String], allowNetworkAccess: Bool, completion: @escaping (Result<[HashResult], Error>) -> Void)
  func cancelHashing() throws
  func getTrashedAssets() throws -> [String: [PlatformAsset]]
+  func getCloudIdForAssetIds(assetIds: [String]) throws -> [CloudIdResult]
 }

 /// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
@@ -560,5 +599,22 @@ class NativeSyncApiSetup {
    } else {
      getTrashedAssetsChannel.setMessageHandler(nil)
    }
+    let getCloudIdForAssetIdsChannel = taskQueue == nil
+      ? FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NativeSyncApi.getCloudIdForAssetIds\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+      : FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NativeSyncApi.getCloudIdForAssetIds\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec, taskQueue: taskQueue)
+    if let api = api {
+      getCloudIdForAssetIdsChannel.setMessageHandler { message, reply in
+        let args = message as! [Any?]
+        let assetIdsArg = args[0] as! [String]
+        do {
+          let result = try api.getCloudIdForAssetIds(assetIds: assetIdsArg)
+          reply(wrapResult(result))
+        } catch {
+          reply(wrapError(error))
+        }
+      }
+    } else {
+      getCloudIdForAssetIdsChannel.setMessageHandler(nil)
+    }
  }
 }
--- a/mobile/ios/Runner/Sync/MessagesImpl.swift
+++ b/mobile/ios/Runner/Sync/MessagesImpl.swift
@@ -19,31 +19,31 @@ struct AssetWrapper: Hashable, Equatable {

 class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
  static let name = "NativeSyncApi"
-
+  
  static func register(with registrar: any FlutterPluginRegistrar) {
    let instance = NativeSyncApiImpl()
    NativeSyncApiSetup.setUp(binaryMessenger: registrar.messenger(), api: instance)
    registrar.publish(instance)
  }
-
+  
  func detachFromEngine(for registrar: any FlutterPluginRegistrar) {
    super.detachFromEngine()
  }
-
+  
  private let defaults: UserDefaults
  private let changeTokenKey = "immich:changeToken"
  private let albumTypes: [PHAssetCollectionType] = [.album, .smartAlbum]
  private let recoveredAlbumSubType = 1000000219
-
+  
  private var hashTask: Task<Void?, Error>?
  private static let hashCancelledCode = "HASH_CANCELLED"
  private static let hashCancelled = Result<[HashResult], Error>.failure(PigeonError(code: hashCancelledCode, message: "Hashing cancelled", details: nil))
-
-
+  
+  
  init(with defaults: UserDefaults = .standard) {
    self.defaults = defaults
  }
-
+  
  @available(iOS 16, *)
  private func getChangeToken() -> PHPersistentChangeToken? {
    guard let data = defaults.data(forKey: changeTokenKey) else {
@@ -51,7 +51,7 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    }
    return try? NSKeyedUnarchiver.unarchivedObject(ofClass: PHPersistentChangeToken.self, from: data)
  }
-
+  
  @available(iOS 16, *)
  private func saveChangeToken(token: PHPersistentChangeToken) -> Void {
    guard let data = try? NSKeyedArchiver.archivedData(withRootObject: token, requiringSecureCoding: true) else {
@@ -59,18 +59,18 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    }
    defaults.set(data, forKey: changeTokenKey)
  }
-
+  
  func clearSyncCheckpoint() -> Void {
    defaults.removeObject(forKey: changeTokenKey)
  }
-
+  
  func checkpointSync() {
    guard #available(iOS 16, *) else {
      return
    }
    saveChangeToken(token: PHPhotoLibrary.shared().currentChangeToken)
  }
-
+  
  func shouldFullSync() -> Bool {
    guard #available(iOS 16, *),
          PHPhotoLibrary.authorizationStatus(for: .readWrite) == .authorized,
@@ -78,36 +78,36 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
      // When we do not have access to photo library, older iOS version or No token available, fallback to full sync
      return true
    }
-
+    
    guard let _ = try? PHPhotoLibrary.shared().fetchPersistentChanges(since: storedToken) else {
      // Cannot fetch persistent changes
      return true
    }
-
+    
    return false
  }
-
+  
  func getAlbums() throws -> [PlatformAlbum] {
    var albums: [PlatformAlbum] = []
-
+    
    albumTypes.forEach { type in
      let collections = PHAssetCollection.fetchAssetCollections(with: type, subtype: .any, options: nil)
      for i in 0..<collections.count {
        let album = collections.object(at: i)
-
+        
        // Ignore recovered album
        if(album.assetCollectionSubtype.rawValue == self.recoveredAlbumSubType) {
          continue;
        }
-
+        
        let options = PHFetchOptions()
        options.sortDescriptors = [NSSortDescriptor(key: "modificationDate", ascending: false)]
        options.includeHiddenAssets = false
-
+        
        let assets = getAssetsFromAlbum(in: album, options: options)
-
+        
        let isCloud = album.assetCollectionSubtype == .albumCloudShared || album.assetCollectionSubtype == .albumMyPhotoStream
-
+        
        var domainAlbum = PlatformAlbum(
          id: album.localIdentifier,
          name: album.localizedTitle!,
@@ -115,57 +115,57 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
          isCloud: isCloud,
          assetCount: Int64(assets.count)
        )
-
+        
        if let firstAsset = assets.firstObject {
          domainAlbum.updatedAt = firstAsset.modificationDate.map { Int64($0.timeIntervalSince1970) }
        }
-
+        
        albums.append(domainAlbum)
      }
    }
    return albums.sorted { $0.id < $1.id }
  }
-
+  
  func getMediaChanges() throws -> SyncDelta {
    guard #available(iOS 16, *) else {
      throw PigeonError(code: "UNSUPPORTED_OS", message: "This feature requires iOS 16 or later.", details: nil)
    }
-
+    
    guard PHPhotoLibrary.authorizationStatus(for: .readWrite) == .authorized else {
      throw PigeonError(code: "NO_AUTH", message: "No photo library access", details: nil)
    }
-
+    
    guard let storedToken = getChangeToken() else {
      // No token exists, definitely need a full sync
      print("MediaManager::getMediaChanges: No token found")
      throw PigeonError(code: "NO_TOKEN", message: "No stored change token", details: nil)
    }
-
+    
    let currentToken = PHPhotoLibrary.shared().currentChangeToken
    if storedToken == currentToken {
      return SyncDelta(hasChanges: false, updates: [], deletes: [], assetAlbums: [:])
    }
-
+    
    do {
      let changes = try PHPhotoLibrary.shared().fetchPersistentChanges(since: storedToken)
-
+      
      var updatedAssets: Set<AssetWrapper> = []
      var deletedAssets: Set<String> = []
-
+      
      for change in changes {
        guard let details = try? change.changeDetails(for: PHObjectType.asset) else { continue }
-
+        
        let updated = details.updatedLocalIdentifiers.union(details.insertedLocalIdentifiers)
        deletedAssets.formUnion(details.deletedLocalIdentifiers)
-
+        
        if (updated.isEmpty) { continue }
-
+        
        let options = PHFetchOptions()
        options.includeHiddenAssets = false
        let result = PHAsset.fetchAssets(withLocalIdentifiers: Array(updated), options: options)
        for i in 0..<result.count {
          let asset = result.object(at: i)
-
+          
          // Asset wrapper only uses the id for comparison. Multiple change can contain the same asset, skip duplicate changes
          let predicate = PlatformAsset(
            id: asset.localIdentifier,
@@ -178,25 +178,25 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
          if (updatedAssets.contains(AssetWrapper(with: predicate))) {
            continue
          }
-
+          
          let domainAsset = AssetWrapper(with: asset.toPlatformAsset())
          updatedAssets.insert(domainAsset)
        }
      }
-
+      
      let updates = Array(updatedAssets.map { $0.asset })
      return SyncDelta(hasChanges: true, updates: updates, deletes: Array(deletedAssets), assetAlbums: buildAssetAlbumsMap(assets: updates))
    }
  }
-
-
+  
+  
  private func buildAssetAlbumsMap(assets: Array<PlatformAsset>) -> [String: [String]] {
    guard !assets.isEmpty else {
      return [:]
    }
-
+    
    var albumAssets: [String: [String]] = [:]
-
+    
    for type in albumTypes {
      let collections = PHAssetCollection.fetchAssetCollections(with: type, subtype: .any, options: nil)
      collections.enumerateObjects { (album, _, _) in
@@ -211,13 +211,13 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    }
    return albumAssets
  }
-
+  
  func getAssetIdsForAlbum(albumId: String) throws -> [String] {
    let collections = PHAssetCollection.fetchAssetCollections(withLocalIdentifiers: [albumId], options: nil)
    guard let album = collections.firstObject else {
      return []
    }
-
+    
    var ids: [String] = []
    let options = PHFetchOptions()
    options.includeHiddenAssets = false
@@ -227,13 +227,13 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    }
    return ids
  }
-
+  
  func getAssetsCountSince(albumId: String, timestamp: Int64) throws -> Int64 {
    let collections = PHAssetCollection.fetchAssetCollections(withLocalIdentifiers: [albumId], options: nil)
    guard let album = collections.firstObject else {
      return 0
    }
-
+    
    let date = NSDate(timeIntervalSince1970: TimeInterval(timestamp))
    let options = PHFetchOptions()
    options.predicate = NSPredicate(format: "creationDate > %@ OR modificationDate > %@", date, date)
@@ -241,32 +241,32 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
    let assets = getAssetsFromAlbum(in: album, options: options)
    return Int64(assets.count)
  }
-
+  
  func getAssetsForAlbum(albumId: String, updatedTimeCond: Int64?) throws -> [PlatformAsset] {
    let collections = PHAssetCollection.fetchAssetCollections(withLocalIdentifiers: [albumId], options: nil)
    guard let album = collections.firstObject else {
      return []
    }
-
+    
    let options = PHFetchOptions()
    options.includeHiddenAssets = false
    if(updatedTimeCond != nil) {
      let date = NSDate(timeIntervalSince1970: TimeInterval(updatedTimeCond!))
      options.predicate = NSPredicate(format: "creationDate > %@ OR modificationDate > %@", date, date)
    }
-
+    
    let result = getAssetsFromAlbum(in: album, options: options)
    if(result.count == 0) {
      return []
    }
-
+    
    var assets: [PlatformAsset] = []
    result.enumerateObjects { (asset, _, _) in
      assets.append(asset.toPlatformAsset())
    }
    return assets
  }
-
+  
  func hashAssets(assetIds: [String], allowNetworkAccess: Bool, completion: @escaping (Result<[HashResult], Error>) -> Void) {
    if let prevTask = hashTask {
      prevTask.cancel()
@@ -284,11 +284,11 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
        missingAssetIds.remove(asset.localIdentifier)
        assets.append(asset)
      }
-
+      
      if Task.isCancelled {
        return self?.completeWhenActive(for: completion, with: Self.hashCancelled)
      }
-
+      
      await withTaskGroup(of: HashResult?.self) { taskGroup in
        var results = [HashResult]()
        results.reserveCapacity(assets.count)
@@ -301,28 +301,28 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
            return await self.hashAsset(asset, allowNetworkAccess: allowNetworkAccess)
          }
        }
-
+        
        for await result in taskGroup {
          guard let result = result else {
            return self?.completeWhenActive(for: completion, with: Self.hashCancelled)
          }
          results.append(result)
        }
-
+        
        for missing in missingAssetIds {
          results.append(HashResult(assetId: missing, error: "Asset not found in library", hash: nil))
        }
-
+        
        return self?.completeWhenActive(for: completion, with: .success(results))
      }
    }
  }
-
+  
  func cancelHashing() {
    hashTask?.cancel()
    hashTask = nil
  }
-
+  
  private func hashAsset(_ asset: PHAsset, allowNetworkAccess: Bool) async -> HashResult? {
    class RequestRef {
      var id: PHAssetResourceDataRequestID?
@@ -332,21 +332,21 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
      if Task.isCancelled {
        return nil
      }
-
+      
      guard let resource = asset.getResource() else {
        return HashResult(assetId: asset.localIdentifier, error: "Cannot get asset resource", hash: nil)
      }
-
+      
      if Task.isCancelled {
        return nil
      }
-
+      
      let options = PHAssetResourceRequestOptions()
      options.isNetworkAccessAllowed = allowNetworkAccess
-
+      
      return await withCheckedContinuation { continuation in
        var hasher = Insecure.SHA1()
-
+        
        requestRef.id = PHAssetResourceManager.default().requestData(
          for: resource,
          options: options,
@@ -377,11 +377,11 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
      PHAssetResourceManager.default().cancelDataRequest(requestId)
    })
  }
-
+  
  func getTrashedAssets() throws -> [String: [PlatformAsset]] {
    throw PigeonError(code: "UNSUPPORTED_OS", message: "This feature not supported on iOS.", details: nil)
  }
-
+  
  private func getAssetsFromAlbum(in album: PHAssetCollection, options: PHFetchOptions) -> PHFetchResult<PHAsset> {
    // Ensure to actually getting all assets for the Recents album
    if (album.assetCollectionSubtype == .smartAlbumUserLibrary) {
@@ -390,4 +390,28 @@ class NativeSyncApiImpl: ImmichPlugin, NativeSyncApi, FlutterPlugin {
      return PHAsset.fetchAssets(in: album, options: options)
    }
  }
+  
+  func getCloudIdForAssetIds(assetIds: [String]) throws -> [CloudIdResult] {
+    guard #available(iOS 16, *) else {
+      return assetIds.map { CloudIdResult(assetId: $0) }
+    }
+    
+    var mappings: [CloudIdResult] = []
+    let result = PHPhotoLibrary.shared().cloudIdentifierMappings(forLocalIdentifiers: assetIds)
+    for (key, value) in result {
+      switch value {
+      case .success(let cloudIdentifier):
+        let cloudId = cloudIdentifier.stringValue
+        // Ignores invalid cloud ids of the format "GUID:ID:". Valid Ids are of the form "GUID:ID:HASH"
+        if !cloudId.hasSuffix(":") {
+          mappings.append(CloudIdResult(assetId: key, cloudId: cloudId))
+        } else {
+          mappings.append(CloudIdResult(assetId: key, error: "Incomplete Cloud Id: \(cloudId)"))
+        }
+      case .failure(let error):
+        mappings.append(CloudIdResult(assetId: key, error: "Error getting Cloud Id: \(error.localizedDescription)"))
+      }
+    }
+    return mappings;
+  }
 }
--- a/mobile/ios/fastlane/Fastfile
+++ b/mobile/ios/fastlane/Fastfile
@@ -21,20 +21,6 @@ platform :ios do
  CODE_SIGN_IDENTITY = "Apple Distribution: Hau Tran (#{TEAM_ID})"
  BASE_BUNDLE_ID = "app.alextran.immich"
  
-  # App identifiers for production
-  PROD_APP_IDENTIFIERS = [
-    "app.alextran.immich",
-    "app.alextran.immich.ShareExtension",
-    "app.alextran.immich.Widget"
-  ]
-  
-  # App identifiers for development
-  DEV_APP_IDENTIFIERS = [
-    "app.alextran.immich.development",
-    "app.alextran.immich.development.ShareExtension",
-    "app.alextran.immich.development.Widget"
-  ]
-  
  # Helper method to get App Store Connect API key
  def get_api_key
    app_store_connect_api_key(
@@ -46,17 +32,6 @@ platform :ios do
    )
  end
  
-  # Helper method to sync certificates and profiles using match
-  def sync_code_signing(app_identifiers:, readonly: true)
-    match(
-      type: "appstore",
-      app_identifier: app_identifiers,
-      readonly: readonly,
-      keychain_name: ENV["KEYCHAIN_NAME"] || "login.keychain",
-      keychain_password: ENV["KEYCHAIN_PASSWORD"] || ""
-    )
-  end
-  
  # Helper method to get version from pubspec.yaml
 def get_version_from_pubspec
  require 'yaml'
@@ -69,7 +44,7 @@ def get_version_from_pubspec
 end
  
  # Helper method to configure code signing for all targets
-  def configure_code_signing(bundle_id_suffix: "")
+  def configure_code_signing(bundle_id_suffix: "", profile_name_main:, profile_name_share:, profile_name_widget:)
    bundle_suffix = bundle_id_suffix.empty? ? "" : ".#{bundle_id_suffix}"
    
    # Runner (main app)
@@ -79,7 +54,7 @@ end
      team_id: ENV["FASTLANE_TEAM_ID"] || TEAM_ID,
      code_sign_identity: CODE_SIGN_IDENTITY,
      bundle_identifier: "#{BASE_BUNDLE_ID}#{bundle_suffix}",
-      profile_name: "match AppStore #{BASE_BUNDLE_ID}#{bundle_suffix}",
+      profile_name: profile_name_main,
      targets: ["Runner"]
    )
    
@@ -90,7 +65,7 @@ end
      team_id: ENV["FASTLANE_TEAM_ID"] || TEAM_ID,
      code_sign_identity: CODE_SIGN_IDENTITY,
      bundle_identifier: "#{BASE_BUNDLE_ID}#{bundle_suffix}.ShareExtension",
-      profile_name: "match AppStore #{BASE_BUNDLE_ID}#{bundle_suffix}.ShareExtension",
+      profile_name: profile_name_share,
      targets: ["ShareExtension"]
    )
    
@@ -101,7 +76,7 @@ end
      team_id: ENV["FASTLANE_TEAM_ID"] || TEAM_ID,
      code_sign_identity: CODE_SIGN_IDENTITY,
      bundle_identifier: "#{BASE_BUNDLE_ID}#{bundle_suffix}.Widget",
-      profile_name: "match AppStore #{BASE_BUNDLE_ID}#{bundle_suffix}.Widget",
+      profile_name: profile_name_widget,
      targets: ["WidgetExtension"]
    )
  end
@@ -112,7 +87,10 @@ end
    bundle_id_suffix: "",
    configuration: "Release",
    distribute_external: true,
-    version_number: nil
+    version_number: nil,
+    profile_name_main:,
+    profile_name_share:,
+    profile_name_widget:
  )
    bundle_suffix = bundle_id_suffix.empty? ? "" : ".#{bundle_id_suffix}"
    app_identifier = "#{BASE_BUNDLE_ID}#{bundle_suffix}"
@@ -140,9 +118,9 @@ end
      xcargs: "-skipMacroValidation CODE_SIGN_IDENTITY='#{CODE_SIGN_IDENTITY}' CODE_SIGN_STYLE=Manual",
      export_options: {
        provisioningProfiles: {
-          "#{app_identifier}" => "match AppStore #{app_identifier}",
-          "#{app_identifier}.ShareExtension" => "match AppStore #{app_identifier}.ShareExtension",
-          "#{app_identifier}.Widget" => "match AppStore #{app_identifier}.Widget"
+          "#{app_identifier}" => profile_name_main,
+          "#{app_identifier}.ShareExtension" => profile_name_share,
+          "#{app_identifier}.Widget" => profile_name_widget
        },
        signingStyle: "manual",
        signingCertificate: CODE_SIGN_IDENTITY
@@ -161,18 +139,35 @@ end
  lane :gha_testflight_dev do
    api_key = get_api_key
    
-    # Sync certificates and profiles using match
-    sync_code_signing(app_identifiers: DEV_APP_IDENTIFIERS)
+    # Download and install provisioning profiles from App Store Connect
+    # Certificate is imported by GHA workflow into build.keychain
+    # Capture profile names after each sigh call
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development", force: true)
+    main_profile_name = lane_context[SharedValues::SIGH_NAME]
    
-    # Configure code signing for dev bundle IDs
-    configure_code_signing(bundle_id_suffix: "development")
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.ShareExtension", force: true)
+    share_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.Widget", force: true)
+    widget_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    # Configure code signing for dev bundle IDs using the downloaded profile names
+    configure_code_signing(
+      bundle_id_suffix: "development",
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
+    )
    
    # Build and upload
    build_and_upload(
      api_key: api_key,
      bundle_id_suffix: "development",
      configuration: "Profile",
-      distribute_external: false
+      distribute_external: false,
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
    )
  end

@@ -180,17 +175,33 @@ end
  lane :gha_release_prod do
    api_key = get_api_key
    
-    # Sync certificates and profiles using match
-    sync_code_signing(app_identifiers: PROD_APP_IDENTIFIERS)
+    # Download and install provisioning profiles from App Store Connect
+    # Certificate is imported by GHA workflow into build.keychain
+    sigh(api_key: api_key, app_identifier: BASE_BUNDLE_ID, force: true)
+    main_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.ShareExtension", force: true)
+    share_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.Widget", force: true)
+    widget_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
    
    # Configure code signing for production bundle IDs
-    configure_code_signing
+    configure_code_signing(
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
+    )

    # Build and upload with version number
    build_and_upload(
      api_key: api_key,
      version_number: get_version_from_pubspec,
      distribute_external: false,
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
    )
  end

@@ -235,11 +246,26 @@ end
    # Use the same build process as production, just skip the upload
    # This ensures PR builds validate the same way as production builds
    
-    # Sync certificates and profiles using match
-    sync_code_signing(app_identifiers: DEV_APP_IDENTIFIERS)
+    api_key = get_api_key
+    
+    # Download and install provisioning profiles from App Store Connect
+    # Certificate is imported by GHA workflow into build.keychain
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development", force: true)
+    main_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.ShareExtension", force: true)
+    share_profile_name = lane_context[SharedValues::SIGH_NAME]
+    
+    sigh(api_key: api_key, app_identifier: "#{BASE_BUNDLE_ID}.development.Widget", force: true)
+    widget_profile_name = lane_context[SharedValues::SIGH_NAME]
    
    # Configure code signing for dev bundle IDs
-    configure_code_signing(bundle_id_suffix: "development")
+    configure_code_signing(
+      bundle_id_suffix: "development",
+      profile_name_main: main_profile_name,
+      profile_name_share: share_profile_name,
+      profile_name_widget: widget_profile_name
+    )
    
    # Build the app (same as gha_testflight_dev but without upload)
    build_app(
@@ -251,9 +277,9 @@ end
      xcargs: "-skipMacroValidation CODE_SIGN_IDENTITY='#{CODE_SIGN_IDENTITY}' CODE_SIGN_STYLE=Manual",
      export_options: {
        provisioningProfiles: {
-          "#{BASE_BUNDLE_ID}.development" => "match AppStore #{BASE_BUNDLE_ID}.development",
-          "#{BASE_BUNDLE_ID}.development.ShareExtension" => "match AppStore #{BASE_BUNDLE_ID}.development.ShareExtension",
-          "#{BASE_BUNDLE_ID}.development.Widget" => "match AppStore #{BASE_BUNDLE_ID}.development.Widget"
+          "#{BASE_BUNDLE_ID}.development" => main_profile_name,
+          "#{BASE_BUNDLE_ID}.development.ShareExtension" => share_profile_name,
+          "#{BASE_BUNDLE_ID}.development.Widget" => widget_profile_name
        },
        signingStyle: "manual",
        signingCertificate: CODE_SIGN_IDENTITY
@@ -261,30 +287,4 @@ end
    )
  end

-  desc "Sync all certificates and profiles (run locally to update match repo)"
-  lane :sync_certificates do
-    # Sync production certificates and profiles
-    match(
-      type: "appstore",
-      app_identifier: PROD_APP_IDENTIFIERS,
-      readonly: false
-    )
-    
-    # Sync development certificates and profiles
-    match(
-      type: "appstore",
-      app_identifier: DEV_APP_IDENTIFIERS,
-      readonly: false
-    )
-  end
-
-  desc "Regenerate all certificates and profiles (use when expired)"
-  lane :regenerate_certificates do
-    # Nuke existing certificates
-    match_nuke(type: "appstore")
-    
-    # Generate new ones
-    sync_certificates
-  end
-
 end
--- a/mobile/ios/fastlane/Matchfile
+++ b/mobile/ios/fastlane/Matchfile
@@ -1,19 +0,0 @@
-git_url(ENV["MATCH_GIT_URL"] || "https://github.com/immich-app/ios-certs")
-
-storage_mode("git")
-
-type("appstore")
-
-team_id("2F67MQ8R79")
-
-app_identifier([
-  "app.alextran.immich",
-  "app.alextran.immich.ShareExtension",
-  "app.alextran.immich.Widget",
-  "app.alextran.immich.development",
-  "app.alextran.immich.development.ShareExtension",
-  "app.alextran.immich.development.Widget"
-])
-
-# For all available options run `fastlane match --help`
-# The docs are available on https://docs.fastlane.tools/actions/match
--- a/mobile/ios/fastlane/README.md
+++ b/mobile/ios/fastlane/README.md
@@ -39,30 +39,6 @@ iOS Release to TestFlight

 iOS Manual Release

-### ios gha_build_only
-
-```sh
-[bundle exec] fastlane ios gha_build_only
-```
-
-iOS Build Only (no TestFlight upload)
-
-### ios sync_certificates
-
-```sh
-[bundle exec] fastlane ios sync_certificates
-```
-
-Sync all certificates and profiles (run locally to update match repo)
-
-### ios regenerate_certificates
-
-```sh
-[bundle exec] fastlane ios regenerate_certificates
-```
-
-Regenerate all certificates and profiles (use when expired)
-
 ----

 This README.md is auto-generated and will be re-generated every time [_fastlane_](https://fastlane.tools) is run.
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .12.0
 .13.0