Add design doc for chat message persistence

Design document for PR 2 of 2: Message Queue with Offline Support

This PR addresses messages being lost when:
- WebSocket is disconnected
- Runtime is starting up
- User submits while reconnecting

See PR 1 (Draft Persistence) for the related draft preservation feature.

Co-authored-by: openhands <openhands@all-hands.dev>

.agents/skills/upcoming-release/SKILL.md

@@ -0,0 +1,37 @@
+---
+name: upcoming-release
+description: This skill should be used when the user asks to "generate release notes", "list upcoming release PRs", "summarize upcoming release", "/upcoming-release", or needs to know what changes are part of an upcoming release.
+---
+
+# Upcoming Release Summary
+
+Generate a concise summary of PRs included in the upcoming release.
+
+## Prerequisites
+
+Two commit SHAs are required:
+- **First SHA**: The older commit (current release)
+- **Second SHA**: The newer commit (what's being released)
+
+If the user does not provide both SHAs, ask for them before proceeding.
+
+## Workflow
+
+1. Run the script from the repository root with the `--json` flag:
+   ```bash
+   .github/scripts/find_prs_between_commits.py <older-sha> <newer-sha> --json
+   ```
+
+2. Filter out PRs that are:
+   - Chores
+   - Dependency updates
+   - Adding logs
+   - Refactors
+
+3. Categorize the remaining PRs:
+   - **Features** - New functionality
+   - **Bug fixes** - Corrections to existing behavior
+   - **Security/CVE fixes** - Security-related changes
+   - **Other** - Everything else
+
+4. Format the output with PRs listed under their category, including the PR number and a brief description.

.agents/skills/update-sdk/SKILL.md

@@ -0,0 +1,123 @@
+---
+name: update-sdk
+description: This skill should be used when the user asks to "update SDK", "bump SDK version", "pin SDK to a commit", "test unreleased SDK", "update agent-server image", "bump the version", "prepare a release", "what files change for a release", or needs to know how SDK packages are managed in the OpenHands repository. For detailed reference material, see references/docker-image-locations.md and references/sdk-pinning-examples.md in this skill directory.
+---
+
+# Update SDK
+
+Bump SDK packages (`openhands-sdk`, `openhands-agent-server`, `openhands-tools`), pin them to unreleased commits for testing, and cut an OpenHands release.
+
+## Quick Summary — How Many Files Change?
+
+| Activity | Manual edits | Auto-regenerated | Total |
+|----------|:------------:|:----------------:|:-----:|
+| **SDK bump** (released PyPI version) | 2 | 3 | **5** |
+| **SDK pin** (unreleased git commit) | 3 | 3 | **6** |
+| **Release commit** (version bump) | 3 | 0 | **3** |
+
+The 3 auto-regenerated files are always: `poetry.lock`, `uv.lock`, `enterprise/poetry.lock`.
+
+## SDK Package Bump — 2 Files + 3 Lock Files
+
+Land as a separate PR before the release. Examples: `929dcc3` (SDK 1.11.5), `cd235cc` (SDK 1.11.4).
+
+| File | What to change |
+|------|----------------|
+| `pyproject.toml` | `openhands-sdk`, `openhands-agent-server`, `openhands-tools` in **two** sections: the `dependencies` array (PEP 508) **and** `[tool.poetry.dependencies]` |
+| `openhands/app_server/sandbox/sandbox_spec_service.py` | `AGENT_SERVER_IMAGE` constant — set to `ghcr.io/openhands/agent-server:<version>-python` |
+
+Then regenerate lock files:
+```bash
+poetry lock && uv lock && cd enterprise && poetry lock && cd ..
+```
+
+## Docker Image Locations — All Hardcoded References
+
+For the complete inventory of every file containing a hardcoded Docker image tag or repository, see `references/docker-image-locations.md`. Key files that must stay in sync during an SDK bump:
+
+| File | Image reference | Updated during SDK bump? |
+|------|----------------|:------------------------:|
+| `openhands/app_server/sandbox/sandbox_spec_service.py` | `AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:<tag>-python'` | ✅ Yes |
+| `docker-compose.yml` | `AGENT_SERVER_IMAGE_TAG` default | ✅ Should be |
+| `containers/dev/compose.yml` | `AGENT_SERVER_IMAGE_REPOSITORY` + `_TAG` defaults | ✅ Should be |
+
+> **CI enforcement:** `.github/workflows/check-version-consistency.yml` validates version consistency and compose file image references on every PR and push to main.
+
+### ⚠️ Docker Image Tag Gotcha (merge-commit SHA)
+
+The SDK CI in `software-agent-sdk` repo tags Docker images with the **GitHub Actions merge-commit SHA**, NOT the PR head-commit SHA. When pinning to an SDK PR branch:
+
+1. Check the SDK PR description for the actual image tag (look for the `AGENT_SERVER_IMAGES` section)
+2. Or query the CI logs: the "Consolidate Build Information" job prints `"short_sha": "<tag>"`
+3. The merge-commit SHA differs from the head SHA shown in the PR
+
+For released SDK versions, images use a version tag (e.g., `1.12.0-python`) — no merge-commit ambiguity.
+
+## Cutting a Release — 3 Files
+
+A release commit updates the version string across 3 files. Gold-standard examples: 1.3.0 (`d063c8c`), 1.4.0 (`495f48b`).
+
+| File | What to change |
+|------|----------------|
+| `pyproject.toml` | `version = "X.Y.Z"` under `[tool.poetry]` |
+| `frontend/package.json` | `"version": "X.Y.Z"` |
+| `frontend/package-lock.json` | `"version": "X.Y.Z"` in **two** places (root object and `packages[""]`) |
+
+> **Note:** `openhands/version.py` reads the version from `pyproject.toml` at runtime — no manual edit needed there.
+
+### Compose Files (2 files)
+
+Both compose files should use `ghcr.io/openhands/agent-server` with the current SDK version tag.
+
+| File | What to verify |
+|------|----------------|
+| `docker-compose.yml` | `AGENT_SERVER_IMAGE_REPOSITORY` defaults to agent-server, `AGENT_SERVER_IMAGE_TAG` is current |
+| `containers/dev/compose.yml` | Same — must use agent-server, not runtime |
+
+### Release Workflow
+
+#### Step 1: Verify the SDK bump has landed
+
+```bash
+grep -n "openhands-sdk\|openhands-agent-server\|openhands-tools" pyproject.toml
+grep -n "AGENT_SERVER_IMAGE" openhands/app_server/sandbox/sandbox_spec_service.py
+grep "AGENT_SERVER_IMAGE_TAG" docker-compose.yml containers/dev/compose.yml
+```
+
+#### Step 2: Bump version numbers
+
+```bash
+# Edit pyproject.toml, frontend/package.json, frontend/package-lock.json
+git add pyproject.toml frontend/package.json frontend/package-lock.json
+git commit -m "Release X.Y.Z"
+git tag X.Y.Z
+```
+
+Create a `saas-rel-X.Y.Z` branch from the tagged commit for the SaaS deployment pipeline.
+
+#### Step 3: CI builds Docker images automatically
+
+The `ghcr-build.yml` workflow triggers on tag pushes and produces:
+- `ghcr.io/openhands/openhands:X.Y.Z`, `X.Y`, `X`, `latest`
+- `ghcr.io/openhands/runtime:X.Y.Z-nikolaik`, `X.Y-nikolaik`
+
+The tagging logic lives in `containers/build.sh` — when `GITHUB_REF_NAME` matches a semver pattern (`^[0-9]+\.[0-9]+\.[0-9]+$`), it auto-generates major, major.minor, and `latest` tags.
+
+## Development: Pin SDK to an Unreleased Commit
+
+For detailed examples of all pinning formats (commit, branch, uv-only), see `references/sdk-pinning-examples.md`.
+
+### Files to change (3 manual + 3 lock files)
+
+| File | What to change |
+|------|----------------|
+| `pyproject.toml` | Pin all 3 SDK packages in **both** `dependencies` and `[tool.poetry.dependencies]` |
+| `openhands/app_server/sandbox/sandbox_spec_service.py` | `AGENT_SERVER_IMAGE` — use the merge-commit SHA tag, NOT the head-commit SHA |
+| `docker-compose.yml` | `AGENT_SERVER_IMAGE_TAG` default (for local development) |
+| `poetry.lock` | Auto-regenerated via `poetry lock` |
+| `uv.lock` | Auto-regenerated via `uv lock` |
+| `enterprise/poetry.lock` | Auto-regenerated via `cd enterprise && poetry lock` |
+
+### CI guard
+
+The `check-package-versions.yml` workflow blocks merging to `main` if `[tool.poetry.dependencies]` contains any `rev` fields. This ensures unreleased SDK pins do not accidentally ship in a release.

.agents/skills/update-sdk/references/docker-image-locations.md

@@ -0,0 +1,84 @@
+# Docker Image Locations — Complete Inventory
+
+Every file in the OpenHands repository containing a hardcoded Docker image tag, repository, or version-pinned image reference. Organized by update cadence.
+
+## Updated During SDK Bump (must change)
+
+These files contain image tags that **must** be updated whenever the SDK version or pinned commit changes.
+
+### `openhands/app_server/sandbox/sandbox_spec_service.py`
+- **Line:** `AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:<tag>-python'`
+- **Format:** `<sdk-version>-python` for releases (e.g., `1.12.0-python`), `<7-char-commit-hash>-python` for dev pins
+- **Source of truth** for which agent-server image the app server pulls at runtime
+- **⚠️ Gotcha:** When pinning to an SDK PR, the image tag is the **merge-commit SHA** from GitHub Actions, not the PR head-commit SHA. Check the SDK PR description or CI logs for the correct tag.
+
+### `docker-compose.yml`
+- **Lines:**
+  ```yaml
+  - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
+  - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-<tag>-python}
+  ```
+- Used by `docker compose up` for local development
+
+### `containers/dev/compose.yml`
+- **Lines:**
+  ```yaml
+  - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
+  - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-<tag>-python}
+  ```
+- Used by the dev container setup
+- **Known issue:** On main as of 1.4.0, this file still points to `ghcr.io/openhands/runtime` instead of `agent-server`, and the tag is `1.2-nikolaik` (stale from the V0 era). The `check-version-consistency.yml` CI workflow catches this.
+
+## Updated During Release Commit (version string only)
+
+### `pyproject.toml`
+- **Line:** `version = "X.Y.Z"` under `[tool.poetry]`
+- The Python version is derived from this at runtime via `openhands/version.py`
+
+### `frontend/package.json`
+- **Line:** `"version": "X.Y.Z"`
+
+### `frontend/package-lock.json`
+- **Two places:** root `"version": "X.Y.Z"` and `packages[""].version`
+
+## Dynamic References (auto-derived, no manual update)
+
+### `openhands/version.py`
+- Reads version from `pyproject.toml` at runtime → `openhands.__version__`
+
+### `openhands/resolver/issue_resolver.py`
+- Builds `ghcr.io/openhands/runtime:{openhands.__version__}-nikolaik` dynamically
+
+### `openhands/runtime/utils/runtime_build.py`
+- Base repo URL `ghcr.io/openhands/runtime` is a constant; version comes from elsewhere
+
+### `.github/scripts/update_pr_description.sh`
+- Uses `${SHORT_SHA}` variable at CI runtime, not hardcoded
+
+### `enterprise/Dockerfile`
+- `ARG BASE="ghcr.io/openhands/openhands"` — base image, version supplied at build time
+
+## V0 Legacy Files (separate update cadence)
+
+These reference the V0 runtime image (`ghcr.io/openhands/runtime:X.Y-nikolaik`) for local Docker/Kubernetes paths. They are **not** updated as part of a V1 release but may be updated independently.
+
+### `Development.md`
+- `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:X.Y-nikolaik`
+
+### `openhands/runtime/impl/kubernetes/README.md`
+- `runtime_container_image = "docker.openhands.dev/openhands/runtime:X.Y-nikolaik"`
+
+### `enterprise/enterprise_local/README.md`
+- Uses `ghcr.io/openhands/runtime:main-nikolaik` (points to `main`, not versioned)
+
+### `third_party/runtime/impl/daytona/README.md`
+- Uses `${OPENHANDS_VERSION}` variable, not hardcoded
+
+## Image Registries
+
+| Registry | Usage |
+|----------|-------|
+| `ghcr.io/openhands/agent-server` | V1 agent-server (sandbox) — built by SDK repo CI |
+| `ghcr.io/openhands/openhands` | Main app image — built by `ghcr-build.yml` |
+| `ghcr.io/openhands/runtime` | V0 runtime sandbox — built by `ghcr-build.yml` |
+| `docker.openhands.dev/openhands/*` | Mirror/CDN for the above images |

.agents/skills/update-sdk/references/sdk-pinning-examples.md

@@ -0,0 +1,103 @@
+# SDK Pinning Examples
+
+Examples from real commits showing how to pin SDK packages to unreleased commits, branches, or released versions.
+
+## Pin to a Specific Commit
+
+Example from commit `169fb76` (pinning all 3 packages to SDK commit `100e9af`):
+
+### `dependencies` array (PEP 508 format)
+
+```toml
+"openhands-agent-server @ git+https://github.com/OpenHands/software-agent-sdk.git@100e9af#subdirectory=openhands-agent-server",
+"openhands-sdk @ git+https://github.com/OpenHands/software-agent-sdk.git@100e9af#subdirectory=openhands-sdk",
+"openhands-tools @ git+https://github.com/OpenHands/software-agent-sdk.git@100e9af#subdirectory=openhands-tools",
+```
+
+### `[tool.poetry.dependencies]` (Poetry format)
+
+```toml
+openhands-sdk = { git = "https://github.com/OpenHands/software-agent-sdk.git", rev = "100e9af", subdirectory = "openhands-sdk" }
+openhands-agent-server = { git = "https://github.com/OpenHands/software-agent-sdk.git", rev = "100e9af", subdirectory = "openhands-agent-server" }
+openhands-tools = { git = "https://github.com/OpenHands/software-agent-sdk.git", rev = "100e9af", subdirectory = "openhands-tools" }
+```
+
+### `openhands/app_server/sandbox/sandbox_spec_service.py`
+
+```python
+AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:<merge-commit-sha>-python'
+```
+
+**⚠️ Important:** The image tag is the **merge-commit SHA** from the SDK CI, not the commit hash used in `pyproject.toml`. Look up the correct tag from the SDK PR description or CI logs.
+
+## Pin to a Branch
+
+Example from commit `430ee1c` (pinning to branch `openhands/issue-2228-sdk-settings-schema`):
+
+### `[tool.poetry.dependencies]`
+
+```toml
+openhands-sdk = { git = "https://github.com/OpenHands/software-agent-sdk.git", branch = "openhands/issue-2228-sdk-settings-schema", subdirectory = "openhands-sdk" }
+openhands-agent-server = { git = "https://github.com/OpenHands/software-agent-sdk.git", branch = "openhands/issue-2228-sdk-settings-schema", subdirectory = "openhands-agent-server" }
+openhands-tools = { git = "https://github.com/OpenHands/software-agent-sdk.git", branch = "openhands/issue-2228-sdk-settings-schema", subdirectory = "openhands-tools" }
+```
+
+## Using `[tool.uv.sources]` Override
+
+When only `uv` needs the override (keep PyPI versions in the main arrays), add a `[tool.uv.sources]` section. Example from commit `1daca49`:
+
+```toml
+[tool.uv.sources]
+openhands-sdk = { git = "https://github.com/OpenHands/software-agent-sdk.git", subdirectory = "openhands-sdk", rev = "4170cca" }
+openhands-agent-server = { git = "https://github.com/OpenHands/software-agent-sdk.git", subdirectory = "openhands-agent-server", rev = "4170cca" }
+openhands-tools = { git = "https://github.com/OpenHands/software-agent-sdk.git", subdirectory = "openhands-tools", rev = "4170cca" }
+```
+
+## Released PyPI Version (standard release)
+
+Example from commit `929dcc3` (SDK 1.11.5):
+
+### `dependencies` array
+
+```toml
+"openhands-agent-server==1.11.5",
+"openhands-sdk==1.11.5",
+"openhands-tools==1.11.5",
+```
+
+### `[tool.poetry.dependencies]`
+
+```toml
+openhands-sdk = "1.11.5"
+openhands-agent-server = "1.11.5"
+openhands-tools = "1.11.5"
+```
+
+### `openhands/app_server/sandbox/sandbox_spec_service.py`
+
+For released versions, the image tag uses the version number:
+
+```python
+AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:1.11.5-python'
+```
+
+However, **some releases use a commit-hash tag** even for the released version. Check which tag format exists on GHCR. Example from `929dcc3`:
+
+```python
+AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:010e847-python'
+```
+
+## Regenerate Lock Files
+
+After any change to `pyproject.toml`, always regenerate:
+
+```bash
+poetry lock
+uv lock
+cd enterprise && poetry lock && cd ..
+```
+
+## CI Guards
+
+- **`check-package-versions.yml`**: Blocks merge to `main` if `[tool.poetry.dependencies]` contains `rev` fields (prevents shipping unreleased SDK pins)
+- **`check-version-consistency.yml`**: Validates version strings match across `pyproject.toml`, `package.json`, `package-lock.json`, and verifies compose files use `agent-server` images

.devcontainer/README.md

@@ -0,0 +1 @@
+This way of running OpenHands is not officially supported. It is maintained by the community.

.devcontainer/setup.sh

@@ -7,5 +7,8 @@ git config --global --add safe.directory "$(realpath .)"
 # Install `nc`
 sudo apt update && sudo apt install netcat -y
 
+# Install `uv` and `uvx`
+wget -qO- https://astral.sh/uv/install.sh | sh
+
 # Do common setup tasks
 source .openhands/setup.sh

.github/CODEOWNERS

@@ -1,12 +1,8 @@
 # CODEOWNERS file for OpenHands repository
 # See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
-# Frontend code owners
-/frontend/ @amanape
-/openhands-ui/ @amanape
-
-# Evaluation code owners
+/frontend/ @amanape @hieptl
+/openhands-ui/ @amanape @hieptl
+/openhands/ @tofarr @malhotra5 @hieptl
+/enterprise/ @chuckbutkus @tofarr @malhotra5
 /evaluation/ @xingyaoww @neubig
-
-# Documentation code owners
-/docs/ @mamoodi

.github/ISSUE_TEMPLATE/bug_template.yml

@@ -5,52 +5,113 @@ labels: ['bug']
 body:
   - type: markdown
     attributes:
-      value: Thank you for taking the time to fill out this bug report. Please provide as much information as possible
-       to help us understand and address the issue effectively.
+      value: |
+        ## Thank you for reporting a bug! 🐛
+
+        **Please fill out all required fields.** Issues missing critical information (version, installation method, reproduction steps, etc.) will be delayed or closed until complete details are provided.
+
+        Clear, detailed reports help us resolve issues faster.
 
   - type: checkboxes
     attributes:
-      label: Is there an existing issue for the same bug? (If one exists, thumbs up or comment on the issue instead).
-      description: Please check if an issue already exists for the bug you encountered.
+      label: Is there an existing issue for the same bug?
+      description: Please search existing issues before creating a new one. If found, react or comment to the duplicate issue instead of making a new one.
       options:
-      - label: I have checked the existing issues.
+      - label: I have searched existing issues and this is not a duplicate.
         required: true
 
   - type: textarea
     id: bug-description
     attributes:
-      label: Describe the bug and reproduction steps
-      description: Provide a description of the issue along with any reproduction steps.
+      label: Bug Description
+      description: Clearly describe what went wrong. Be specific and concise.
+      placeholder: Example - "When I run a Python task, OpenHands crashes after 30 seconds with a connection timeout error."
     validations:
       required: true
 
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected Behavior
+      description: What did you expect to happen?
+      placeholder: Example - "OpenHands should execute the Python script and return results."
+    validations:
+      required: false
+
+  - type: textarea
+    id: actual-behavior
+    attributes:
+      label: Actual Behavior
+      description: What actually happened?
+      placeholder: Example - "Connection timed out after 30 seconds, task failed with error code 500."
+    validations:
+      required: false
+
+  - type: textarea
+    id: reproduction-steps
+    attributes:
+      label: Steps to Reproduce
+      description: Provide clear, step-by-step instructions to reproduce the bug.
+      placeholder: |
+        1. Install OpenHands using Docker
+        2. Configure with Claude 3.5 Sonnet
+        3. Run command: `openhands run "write a python script"`
+        4. Wait 30 seconds
+        5. Error appears
+    validations:
+      required: false
+
   - type: dropdown
     id: installation
     attributes:
-      label: OpenHands Installation
+      label: OpenHands Installation Method
       description: How are you running OpenHands?
       options:
-        - Docker command in README
-        - GitHub resolver
+        - CLI (uv tool install)
+        - CLI (executable binary)
+        - CLI (Docker)
+        - Local GUI (Docker web interface)
+        - OpenHands Cloud (app.all-hands.dev)
+        - SDK (Python library)
         - Development workflow
-        - CLI
-        - app.all-hands.dev
         - Other
       default: 0
+    validations:
+      required: false
+
+  - type: input
+    id: installation-other
+    attributes:
+      label: If you selected "Other", please specify
+      description: Describe your installation method
+      placeholder: ex. Custom Kubernetes deployment, pip install from source, etc.
 
   - type: input
     id: openhands-version
     attributes:
       label: OpenHands Version
-      description: What version of OpenHands are you using?
-      placeholder: ex. 0.9.8, main, etc.
+      description: What version are you using? Find this in settings or by running `openhands --version`
+      placeholder: ex. 0.9.8, main, commit hash, etc.
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: version-confirmation
+    attributes:
+      label: Version Confirmation
+      description: Bugs on older versions may already be fixed. Please upgrade before submitting.
+      options:
+        - label: "I have confirmed this bug exists on the LATEST version of OpenHands"
+          required: false
 
   - type: input
     id: model-name
     attributes:
       label: Model Name
-      description: What model are you using?
-      placeholder: ex. gpt-4o, claude-3-5-sonnet, openrouter/deepseek-r1, etc.
+      description: Which LLM model are you using?
+      placeholder: ex. gpt-4o, claude-3-5-sonnet-20241022, openrouter/deepseek-r1, etc.
+    validations:
+      required: false
 
   - type: dropdown
     id: os
@@ -60,12 +121,46 @@ body:
         - MacOS
         - Linux
         - WSL on Windows
+        - Windows (Docker Desktop)
+        - Other
+    validations:
+      required: false
+
+  - type: input
+    id: browser
+    attributes:
+      label: Browser (if using web UI)
+      description: |
+        If applicable, which browser and version?
+
+      placeholder: ex. Chrome 131, Firefox 133, Safari 17.2
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs and Error Messages
+      description: |
+        **Paste relevant logs, error messages, or stack traces.** Use code blocks (```) for formatting.
+
+        LLM logs are in `logs/llm/default/`. Include timestamps if errors occurred at a specific time.
+      placeholder: |
+        ```
+        Paste error logs here
+        ```
 
   - type: textarea
     id: additional-context
     attributes:
-      label: Logs, Errors, Screenshots, and Additional Context
-      description: Please provide any additional information you think might help. If you want to share the chat history
-        you can click the thumbs-down (👎) button above the input field and you will get a shareable link
-        (you can also click thumbs up when things are going well of course!). LLM logs will be stored in the
-        `logs/llm/default` folder. Please add any additional context about the problem here.
+      label: Screenshots and Additional Context
+      description: |
+        Add screenshots, videos, runtime environment, or other context that helps explain the issue.
+
+        💡 **Share conversation history:** In the OpenHands chat UI, click the 👎 or 👍 button (above the message input) to generate a shareable link to your conversation.
+
+      placeholder: Drag and drop screenshots here, paste links, or add additional context.
+
+  - type: markdown
+    attributes:
+      value: |
+        ---
+        **Note:** Issues with incomplete information may be closed or deprioritized. Maintainers and community members have limited bandwidth and prioritize well-documented bugs that are easier to reproduce and fix. Thank you for your understanding!

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,2 @@
+# disable blank issue creation
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,17 +0,0 @@
----
-name: Feature Request or Enhancement
-about: Suggest an idea for an OpenHands feature or enhancement
-title: ''
-labels: 'enhancement'
-assignees: ''
-
----
-
-**What problem or use case are you trying to solve?**
-
-**Describe the UX or technical implementation you have in mind**
-
-**Additional context**
-
-
-### If you find this feature request or enhancement useful, make sure to add a 👍 to the issue

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,105 @@
+name: Feature Request or Enhancement
+description: Suggest a new feature or improvement for OpenHands
+title: '[Feature]: '
+labels: ['enhancement']
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Thank you for suggesting a feature! 💡
+
+        **Please provide detailed information.** Vague or low-effort requests may be closed. Well-documented feature requests with strong community support are more likely to be added to the roadmap.
+
+  - type: checkboxes
+    attributes:
+      label: Is there an existing feature request for this?
+      description: Please search existing issues and feature requests before creating a new one. If found, react or comment to the duplicate issue instead of making a new one.
+      options:
+      - label: I have searched existing issues and feature requests, and this is not a duplicate.
+        required: true
+
+  - type: textarea
+    id: problem-statement
+    attributes:
+      label: Problem or Use Case
+      description: What problem are you trying to solve? What use case would this feature enable?
+      placeholder: |
+        Example - "As a developer working on large codebases, I need to search across multiple files simultaneously. Currently, I have to search file-by-file which is time-consuming and inefficient."
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposed-solution
+    attributes:
+      label: Proposed Solution
+      description: Describe your ideal solution. What should this feature do? How should it work?
+      placeholder: |
+        Example - "Add a global search feature that allows searching across all files in the workspace. Results should show file name, line number, and context around matches. Include regex support and filtering options."
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Have you considered any alternative solutions or workarounds? What are their limitations?
+      placeholder: Example - "I tried using grep in the terminal, but it's not integrated with the UI and doesn't provide click-to-navigate functionality."
+
+  - type: dropdown
+    id: priority
+    attributes:
+      label: Priority / Severity
+      description: How important is this feature to your workflow?
+      options:
+        - "Critical - Blocking my work, no workaround available"
+        - "High - Significant impact on productivity"
+        - "Medium - Would improve experience"
+        - "Low - Nice to have"
+      default: 2
+    validations:
+      required: true
+
+  - type: dropdown
+    id: scope
+    attributes:
+      label: Estimated Scope
+      description: To the best of your knowledge, how complex do you think this feature would be to implement?
+      options:
+        - "Small - UI tweak, config option, or minor change"
+        - "Medium - New feature with moderate complexity"
+        - "Large - Significant feature requiring architecture changes"
+        - "Unknown - Not sure about the technical complexity"
+      default: 3
+
+  - type: dropdown
+    id: feature-area
+    attributes:
+      label: Feature Area
+      description: Which part of OpenHands does this feature relate to? If you select "Other", please specify the area in the Additional Context section below.
+      options:
+        - "Agent / AI behavior"
+        - "User Interface / UX"
+        - "CLI / Command-line interface"
+        - "File system / Workspace management"
+        - "Configuration / Settings"
+        - "Integrations (GitHub, GitLab, etc.)"
+        - "Performance / Optimization"
+        - "Documentation"
+        - "Other"
+    validations:
+      required: true
+
+  - type: textarea
+    id: technical-details
+    attributes:
+      label: Technical Implementation Ideas (Optional)
+      description: If you have technical expertise, share implementation ideas, API suggestions, or relevant technical details.
+      placeholder: |
+        Example - "Could use ripgrep library for fast search. Expose results via /api/search endpoint. Frontend can use virtualized list for rendering large result sets."
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional Context
+      description: Add any other context, screenshots, mockups, or examples that help illustrate this feature request.
+      placeholder: Drag and drop screenshots, mockups, or links here.

.github/pull_request_template.md

@@ -1,10 +1,16 @@
+<!-- If you are still working on the PR, please mark it as draft. Maintainers will review PRs marked ready for review, which leads to lost time if your PR is actually not ready yet. Keep the PR marked as draft until it is finally ready for review -->
+
 ## Summary of PR
 
-<!-- Summarize what the PR does, explaining any non-trivial design decisions. -->
+<!-- Summarize what the PR does -->
+
+## Demo Screenshots/Videos
+
+<!-- AI/LLM AGENTS: This section is intended for a human author to add screenshots or videos demonstrating the PR in action (optional). While many pull requests may be generated by AI/LLM agents, we are fine with this as long as a human author has reviewed and tested the changes to ensure accuracy and functionality. -->
 
 ## Change Type
 
-<!-- Choose the types that apply to your PR and remove the rest. -->
+<!-- Choose the types that apply to your PR -->
 
 - [ ] Bug fix
 - [ ] New feature
@@ -13,6 +19,7 @@
 - [ ] Other (dependency update, docs, typo fixes, etc.)
 
 ## Checklist
+<!-- AI/LLM AGENTS: This checklist is for a human author to complete. Do NOT check either of the two boxes below. Leave them unchecked until a human has personally reviewed and tested the changes. -->
 
 - [ ] I have read and reviewed the code and I understand what the code is doing.
 - [ ] I have tested the code to the best of my ability and ensured it works as expected.

.github/scripts/check_version_consistency.py

@@ -1,73 +0,0 @@
-#!/usr/bin/env python3
-import os
-import re
-import sys
-
-
-def find_version_references(directory: str) -> tuple[set[str], set[str]]:
-    openhands_versions = set()
-    runtime_versions = set()
-
-    version_pattern_openhands = re.compile(r'openhands:(\d{1})\.(\d{2})')
-    version_pattern_runtime = re.compile(r'runtime:(\d{1})\.(\d{2})')
-
-    for root, _, files in os.walk(directory):
-        # Skip .git directory and docs/build directory
-        if '.git' in root or 'docs/build' in root:
-            continue
-
-        for file in files:
-            if file.endswith(
-                ('.md', '.yml', '.yaml', '.txt', '.html', '.py', '.js', '.ts')
-            ):
-                file_path = os.path.join(root, file)
-                try:
-                    with open(file_path, 'r', encoding='utf-8') as f:
-                        content = f.read()
-
-                        # Find all openhands version references
-                        matches = version_pattern_openhands.findall(content)
-                        if matches:
-                            print(f'Found openhands version {matches} in {file_path}')
-                            openhands_versions.update(matches)
-
-                        # Find all runtime version references
-                        matches = version_pattern_runtime.findall(content)
-                        if matches:
-                            print(f'Found runtime version {matches} in {file_path}')
-                            runtime_versions.update(matches)
-                except Exception as e:
-                    print(f'Error reading {file_path}: {e}', file=sys.stderr)
-
-    return openhands_versions, runtime_versions
-
-
-def main():
-    repo_root = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..'))
-    print(f'Checking version consistency in {repo_root}')
-    openhands_versions, runtime_versions = find_version_references(repo_root)
-
-    print(f'Found openhands versions: {sorted(openhands_versions)}')
-    print(f'Found runtime versions: {sorted(runtime_versions)}')
-
-    exit_code = 0
-
-    if len(openhands_versions) > 1:
-        print('Error: Multiple openhands versions found:', file=sys.stderr)
-        print('Found versions:', sorted(openhands_versions), file=sys.stderr)
-        exit_code = 1
-    elif len(openhands_versions) == 0:
-        print('Warning: No openhands version references found', file=sys.stderr)
-
-    if len(runtime_versions) > 1:
-        print('Error: Multiple runtime versions found:', file=sys.stderr)
-        print('Found versions:', sorted(runtime_versions), file=sys.stderr)
-        exit_code = 1
-    elif len(runtime_versions) == 0:
-        print('Warning: No runtime version references found', file=sys.stderr)
-
-    sys.exit(exit_code)
-
-
-if __name__ == '__main__':
-    main()

.github/scripts/find_prs_between_commits.py

@@ -0,0 +1,330 @@
+#!/usr/bin/env python3
+"""
+Find all PRs that went in between two commits in the OpenHands/OpenHands repository.
+Handles cherry-picks and different merge strategies.
+
+This script is designed to run from within the OpenHands repository under .github/scripts:
+    .github/scripts/find_prs_between_commits.py
+
+Usage: find_prs_between_commits <older_commit> <newer_commit> [--repo <path>]
+"""
+
+import json
+import os
+import re
+import subprocess
+import sys
+from collections import defaultdict
+from pathlib import Path
+from typing import Optional
+
+
+def find_openhands_repo() -> Optional[Path]:
+    """
+    Find the OpenHands repository.
+    Since this script is designed to live in .github/scripts/, it assumes
+    the repository root is two levels up from the script location.
+    Tries:
+    1. Repository root (../../ from script location)
+    2. Current directory
+    3. Environment variable OPENHANDS_REPO
+    """
+    # Check repository root (assuming script is in .github/scripts/)
+    script_dir = Path(__file__).parent.absolute()
+    repo_root = (
+        script_dir.parent.parent
+    )  # Go up two levels: scripts -> .github -> repo root
+    if (repo_root / '.git').exists():
+        return repo_root
+
+    # Check current directory
+    if (Path.cwd() / '.git').exists():
+        return Path.cwd()
+
+    # Check environment variable
+    if 'OPENHANDS_REPO' in os.environ:
+        repo_path = Path(os.environ['OPENHANDS_REPO'])
+        if (repo_path / '.git').exists():
+            return repo_path
+
+    return None
+
+
+def run_git_command(cmd: list[str], repo_path: Path) -> str:
+    """Run a git command in the repository directory and return its output."""
+    try:
+        result = subprocess.run(
+            cmd, capture_output=True, text=True, check=True, cwd=str(repo_path)
+        )
+        return result.stdout.strip()
+    except subprocess.CalledProcessError as e:
+        print(f'Error running git command: {" ".join(cmd)}', file=sys.stderr)
+        print(f'Error: {e.stderr}', file=sys.stderr)
+        sys.exit(1)
+
+
+def extract_pr_numbers_from_message(message: str) -> set[int]:
+    """Extract PR numbers from commit message in any common format."""
+    # Match #12345 anywhere, including in patterns like (#12345) or "Merge pull request #12345"
+    matches = re.findall(r'#(\d+)', message)
+    return set(int(m) for m in matches)
+
+
+def get_commit_info(commit_hash: str, repo_path: Path) -> tuple[str, str, str]:
+    """Get commit subject, body, and author from a commit hash."""
+    subject = run_git_command(
+        ['git', 'log', '-1', '--format=%s', commit_hash], repo_path
+    )
+    body = run_git_command(['git', 'log', '-1', '--format=%b', commit_hash], repo_path)
+    author = run_git_command(
+        ['git', 'log', '-1', '--format=%an <%ae>', commit_hash], repo_path
+    )
+    return subject, body, author
+
+
+def get_commits_between(
+    older_commit: str, newer_commit: str, repo_path: Path
+) -> list[str]:
+    """Get all commit hashes between two commits."""
+    commits_output = run_git_command(
+        ['git', 'rev-list', f'{older_commit}..{newer_commit}'], repo_path
+    )
+
+    if not commits_output:
+        return []
+
+    return commits_output.split('\n')
+
+
+def get_pr_info_from_github(pr_number: int, repo_path: Path) -> Optional[dict]:
+    """Get PR information from GitHub API if GITHUB_TOKEN is available."""
+    try:
+        # Set up environment with GitHub token
+        env = os.environ.copy()
+        if 'GITHUB_TOKEN' in env:
+            env['GH_TOKEN'] = env['GITHUB_TOKEN']
+
+        result = subprocess.run(
+            [
+                'gh',
+                'pr',
+                'view',
+                str(pr_number),
+                '--json',
+                'number,title,author,mergedAt,baseRefName,headRefName,url',
+            ],
+            capture_output=True,
+            text=True,
+            check=True,
+            env=env,
+            cwd=str(repo_path),
+        )
+        return json.loads(result.stdout)
+    except (subprocess.CalledProcessError, FileNotFoundError, json.JSONDecodeError):
+        return None
+
+
+def find_prs_between_commits(
+    older_commit: str, newer_commit: str, repo_path: Path
+) -> dict[int, dict]:
+    """
+    Find all PRs that went in between two commits.
+    Returns a dictionary mapping PR numbers to their information.
+    """
+    print(f'Repository: {repo_path}', file=sys.stderr)
+    print('Finding PRs between commits:', file=sys.stderr)
+    print(f'  Older: {older_commit}', file=sys.stderr)
+    print(f'  Newer: {newer_commit}', file=sys.stderr)
+    print(file=sys.stderr)
+
+    # Verify commits exist
+    try:
+        run_git_command(['git', 'rev-parse', '--verify', older_commit], repo_path)
+        run_git_command(['git', 'rev-parse', '--verify', newer_commit], repo_path)
+    except SystemExit:
+        print('Error: One or both commits not found in repository', file=sys.stderr)
+        sys.exit(1)
+
+    # Extract PRs from the older commit itself (to exclude from results)
+    # These PRs are already included at or before the older commit
+    older_subject, older_body, _ = get_commit_info(older_commit, repo_path)
+    older_message = f'{older_subject}\n{older_body}'
+    excluded_prs = extract_pr_numbers_from_message(older_message)
+
+    if excluded_prs:
+        print(
+            f'Excluding PRs already in older commit: {", ".join(f"#{pr}" for pr in sorted(excluded_prs))}',
+            file=sys.stderr,
+        )
+        print(file=sys.stderr)
+
+    # Get all commits between the two
+    commits = get_commits_between(older_commit, newer_commit, repo_path)
+    print(f'Found {len(commits)} commits to analyze', file=sys.stderr)
+    print(file=sys.stderr)
+
+    # Extract PR numbers from all commits
+    pr_info: dict[int, dict] = {}
+    commits_by_pr: dict[int, list[str]] = defaultdict(list)
+
+    for commit_hash in commits:
+        subject, body, author = get_commit_info(commit_hash, repo_path)
+        full_message = f'{subject}\n{body}'
+
+        pr_numbers = extract_pr_numbers_from_message(full_message)
+
+        for pr_num in pr_numbers:
+            # Skip PRs that are already in the older commit
+            if pr_num in excluded_prs:
+                continue
+
+            commits_by_pr[pr_num].append(commit_hash)
+
+            if pr_num not in pr_info:
+                pr_info[pr_num] = {
+                    'number': pr_num,
+                    'first_commit': commit_hash[:8],
+                    'first_commit_subject': subject,
+                    'commits': [],
+                    'github_info': None,
+                }
+
+            pr_info[pr_num]['commits'].append(
+                {'hash': commit_hash[:8], 'subject': subject, 'author': author}
+            )
+
+    # Try to get additional info from GitHub API
+    print('Fetching additional info from GitHub API...', file=sys.stderr)
+    for pr_num in pr_info.keys():
+        github_info = get_pr_info_from_github(pr_num, repo_path)
+        if github_info:
+            pr_info[pr_num]['github_info'] = github_info
+
+    print(file=sys.stderr)
+
+    return pr_info
+
+
+def print_results(pr_info: dict[int, dict]):
+    """Print the results in a readable format."""
+    sorted_prs = sorted(pr_info.items(), key=lambda x: x[0])
+
+    print(f'{"=" * 80}')
+    print(f'Found {len(sorted_prs)} PRs')
+    print(f'{"=" * 80}')
+    print()
+
+    for pr_num, info in sorted_prs:
+        print(f'PR #{pr_num}')
+
+        if info['github_info']:
+            gh = info['github_info']
+            print(f'  Title: {gh["title"]}')
+            print(f'  Author: {gh["author"]["login"]}')
+            print(f'  URL: {gh["url"]}')
+            if gh.get('mergedAt'):
+                print(f'  Merged: {gh["mergedAt"]}')
+            if gh.get('baseRefName'):
+                print(f'  Base: {gh["baseRefName"]} ← {gh["headRefName"]}')
+        else:
+            print(f'  Subject: {info["first_commit_subject"]}')
+
+        # Show if this PR has multiple commits (cherry-picked or multiple commits)
+        commit_count = len(info['commits'])
+        if commit_count > 1:
+            print(
+                f'  ⚠️  Found {commit_count} commits (possible cherry-pick or multi-commit PR):'
+            )
+            for commit in info['commits'][:3]:  # Show first 3
+                print(f'      {commit["hash"]}: {commit["subject"][:60]}')
+            if commit_count > 3:
+                print(f'      ... and {commit_count - 3} more')
+        else:
+            print(f'  Commit: {info["first_commit"]}')
+
+        print()
+
+
+def main():
+    if len(sys.argv) < 3:
+        print('Usage: find_prs_between_commits <older_commit> <newer_commit> [options]')
+        print()
+        print('Arguments:')
+        print('  <older_commit>  The older commit hash (or ref)')
+        print('  <newer_commit>  The newer commit hash (or ref)')
+        print()
+        print('Options:')
+        print('  --json          Output results in JSON format')
+        print('  --repo <path>   Path to OpenHands repository (default: auto-detect)')
+        print()
+        print('Example:')
+        print(
+            '  find_prs_between_commits c79e0cd3c7a2501a719c9296828d7a31e4030585 35bddb14f15124a3dc448a74651a6592911d99e9'
+        )
+        print()
+        print('Repository Detection:')
+        print('  The script will try to find the OpenHands repository in this order:')
+        print('  1. --repo argument')
+        print('  2. Repository root (../../ from script location)')
+        print('  3. Current directory')
+        print('  4. OPENHANDS_REPO environment variable')
+        print()
+        print('Environment variables:')
+        print(
+            '  GITHUB_TOKEN    Optional. If set, will fetch additional PR info from GitHub API'
+        )
+        print('  OPENHANDS_REPO  Optional. Path to OpenHands repository')
+        sys.exit(1)
+
+    older_commit = sys.argv[1]
+    newer_commit = sys.argv[2]
+    json_output = '--json' in sys.argv
+
+    # Check for --repo argument
+    repo_path = None
+    if '--repo' in sys.argv:
+        repo_idx = sys.argv.index('--repo')
+        if repo_idx + 1 < len(sys.argv):
+            repo_path = Path(sys.argv[repo_idx + 1])
+            if not (repo_path / '.git').exists():
+                print(f'Error: {repo_path} is not a git repository', file=sys.stderr)
+                sys.exit(1)
+
+    # Auto-detect repository if not specified
+    if repo_path is None:
+        repo_path = find_openhands_repo()
+        if repo_path is None:
+            print('Error: Could not find OpenHands repository', file=sys.stderr)
+            print('Please either:', file=sys.stderr)
+            print(
+                '  1. Place this script in .github/scripts/ within the OpenHands repository',
+                file=sys.stderr,
+            )
+            print('  2. Run from the OpenHands repository directory', file=sys.stderr)
+            print(
+                '  3. Use --repo <path> to specify the repository location',
+                file=sys.stderr,
+            )
+            print('  4. Set OPENHANDS_REPO environment variable', file=sys.stderr)
+            sys.exit(1)
+
+    # Find PRs
+    pr_info = find_prs_between_commits(older_commit, newer_commit, repo_path)
+
+    if json_output:
+        # Output as JSON
+        print(json.dumps(pr_info, indent=2))
+    else:
+        # Print results in human-readable format
+        print_results(pr_info)
+
+        # Also print a simple list for easy copying
+        print(f'{"=" * 80}')
+        print('PR Numbers (for easy copying):')
+        print(f'{"=" * 80}')
+        sorted_pr_nums = sorted(pr_info.keys())
+        print(', '.join(f'#{pr}' for pr in sorted_pr_nums))
+
+
+if __name__ == '__main__':
+    main()

.github/scripts/update_pr_description.sh

@@ -13,12 +13,9 @@ DOCKER_RUN_COMMAND="docker run -it --rm \
   -p 3000:3000 \
   -v /var/run/docker.sock:/var/run/docker.sock \
   --add-host host.docker.internal:host-gateway \
-  -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:${SHORT_SHA}-nikolaik \
+  -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.openhands.dev/openhands/runtime:${SHORT_SHA}-nikolaik \
   --name openhands-app-${SHORT_SHA} \
-  docker.all-hands.dev/all-hands-ai/openhands:${SHORT_SHA}"
-
-# Define the uvx command
-UVX_RUN_COMMAND="uvx --python 3.12 --from git+https://github.com/All-Hands-AI/OpenHands@${BRANCH_NAME}#subdirectory=openhands-cli openhands"
+  docker.openhands.dev/openhands/openhands:${SHORT_SHA}"
 
 # Get the current PR body
 PR_BODY=$(gh pr view "$PR_NUMBER" --json body --jq .body)
@@ -37,11 +34,6 @@ GUI with Docker:
 \`\`\`
 ${DOCKER_RUN_COMMAND}
 \`\`\`
-
-CLI with uvx:
-\`\`\`
-${UVX_RUN_COMMAND}
-\`\`\`
 EOF
 )
 else
@@ -57,11 +49,6 @@ GUI with Docker:
 \`\`\`
 ${DOCKER_RUN_COMMAND}
 \`\`\`
-
-CLI with uvx:
-\`\`\`
-${UVX_RUN_COMMAND}
-\`\`\`
 EOF
 )
 fi

.github/workflows/check-package-versions.yml

@@ -0,0 +1,65 @@
+name: Check Package Versions
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  check-package-versions:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Check for any 'rev' fields in pyproject.toml
+        run: |
+          python - <<'PY'
+          import sys, tomllib, pathlib
+
+          path = pathlib.Path("pyproject.toml")
+          if not path.exists():
+              print("❌ ERROR: pyproject.toml not found")
+              sys.exit(1)
+
+          try:
+              data = tomllib.loads(path.read_text(encoding="utf-8"))
+          except Exception as e:
+              print(f"❌ ERROR: Failed to parse pyproject.toml: {e}")
+              sys.exit(1)
+
+          poetry = data.get("tool", {}).get("poetry", {})
+          sections = {
+              "dependencies": poetry.get("dependencies", {}),
+          }
+
+          errors = []
+
+          print("🔍 Checking for any dependencies with 'rev' fields...\n")
+          for section_name, deps in sections.items():
+              if not isinstance(deps, dict):
+                  continue
+
+              for pkg_name, cfg in deps.items():
+                  if isinstance(cfg, dict) and "rev" in cfg:
+                      msg = f"  ✖ {pkg_name} in [{section_name}] uses rev='{cfg['rev']}' (NOT ALLOWED)"
+                      print(msg)
+                      errors.append(msg)
+                  else:
+                      print(f"  • {pkg_name}: OK")
+
+          if errors:
+              print("\n❌ FAILED: Found dependencies using 'rev' fields:\n" + "\n".join(errors))
+              print("\nPlease use versioned releases instead, e.g.:")
+              print('  my-package = "1.0.0"')
+              sys.exit(1)
+
+          print("\n✅ SUCCESS: No 'rev' fields found. All dependencies are using proper versioned releases.")
+          PY

.github/workflows/check-version-consistency.yml

@@ -0,0 +1,122 @@
+name: Check Version Consistency
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  check-version-consistency:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Check version and Docker image tag consistency
+        run: |
+          python - <<'PY'
+          import json
+          import re
+          import sys
+          import tomllib
+
+          errors = []
+          warnings = []
+
+          # ── 1. Extract the canonical version from pyproject.toml ──────────
+          with open("pyproject.toml", "rb") as f:
+              pyproject = tomllib.load(f)
+          version = pyproject["tool"]["poetry"]["version"]
+          major_minor = ".".join(version.split(".")[:2])
+          print(f"📦 pyproject.toml version: {version} (major.minor: {major_minor})")
+
+          # ── 2. Check frontend/package.json ────────────────────────────────
+          with open("frontend/package.json") as f:
+              pkg = json.load(f)
+          if pkg["version"] != version:
+              errors.append(
+                  f"frontend/package.json version is '{pkg['version']}', expected '{version}'"
+              )
+          else:
+              print(f"  ✔ frontend/package.json: {pkg['version']}")
+
+          # ── 3. Check frontend/package-lock.json (2 places) ───────────────
+          with open("frontend/package-lock.json") as f:
+              lock = json.load(f)
+          for key, val in [
+              ("root.version", lock.get("version")),
+              ('packages[""].version', lock.get("packages", {}).get("", {}).get("version")),
+          ]:
+              if val != version:
+                  errors.append(
+                      f"frontend/package-lock.json {key} is '{val}', expected '{version}'"
+                  )
+              else:
+                  print(f"  ✔ frontend/package-lock.json {key}: {val}")
+
+          # ── 4. Check compose files use agent-server images ─────────────────
+          # Both compose files should use ghcr.io/.../agent-server (not runtime).
+          # Agent-server tags use SDK version (e.g. "1.12.0-python") or commit
+          # hashes (e.g. "31536c8-python") — both are acceptable.
+          repo_pattern = re.compile(r"AGENT_SERVER_IMAGE_REPOSITORY[^}]*:-([^}]+)")
+          tag_pattern = re.compile(r"AGENT_SERVER_IMAGE_TAG:-([^}]+)")
+
+          for filepath in ["docker-compose.yml", "containers/dev/compose.yml"]:
+              try:
+                  with open(filepath) as f:
+                      content = f.read()
+              except FileNotFoundError:
+                  warnings.append(f"{filepath}: file not found")
+                  continue
+
+              repos = repo_pattern.findall(content)
+              tags = tag_pattern.findall(content)
+
+              if not repos:
+                  warnings.append(f"{filepath}: no AGENT_SERVER_IMAGE_REPOSITORY default found")
+              else:
+                  repo = repos[0]
+                  if "agent-server" not in repo:
+                      errors.append(
+                          f"{filepath}: AGENT_SERVER_IMAGE_REPOSITORY defaults to '{repo}', "
+                          f"expected an agent-server image (not runtime)"
+                      )
+                  else:
+                      print(f"  ✔ {filepath} image repository: {repo}")
+
+              if not tags:
+                  warnings.append(f"{filepath}: no AGENT_SERVER_IMAGE_TAG default found")
+              else:
+                  tag = tags[0]
+                  if not tag:
+                      errors.append(f"{filepath}: AGENT_SERVER_IMAGE_TAG default is empty")
+                  else:
+                      print(f"  ✔ {filepath} image tag: {tag}")
+
+          # ── 5. Report ─────────────────────────────────────────────────────
+          print()
+          if warnings:
+              print("⚠ Warnings:")
+              for w in warnings:
+                  print(f"  {w}")
+              print()
+
+          if errors:
+              print("❌ FAILED: Version inconsistencies found:\n")
+              for e in errors:
+                  print(f"  ✖ {e}")
+              print(
+                  "\nAll version numbers and Docker image tags must be consistent."
+                  "\nSee .agents/skills/update-sdk/SKILL.md for the full checklist."
+              )
+              sys.exit(1)
+          else:
+              print("✅ All version numbers and Docker image tags are consistent.")
+          PY

.github/workflows/clean-up.yml

@@ -1,69 +0,0 @@
-# Workflow that cleans up outdated and old workflows to prevent out of disk issues
-name: Delete old workflow runs
-
-# This workflow is currently only triggered manually
-on:
-  workflow_dispatch:
-    inputs:
-      days:
-        description: 'Days-worth of runs to keep for each workflow'
-        required: true
-        default: '30'
-      minimum_runs:
-        description: 'Minimum runs to keep for each workflow'
-        required: true
-        default: '10'
-      delete_workflow_pattern:
-        description: 'Name or filename of the workflow (if not set, all workflows are targeted)'
-        required: false
-      delete_workflow_by_state_pattern:
-        description: 'Filter workflows by state: active, deleted, disabled_fork, disabled_inactivity, disabled_manually'
-        required: true
-        default: "ALL"
-        type: choice
-        options:
-          - "ALL"
-          - active
-          - deleted
-          - disabled_inactivity
-          - disabled_manually
-      delete_run_by_conclusion_pattern:
-        description: 'Remove runs based on conclusion: action_required, cancelled, failure, skipped, success'
-        required: true
-        default: 'ALL'
-        type: choice
-        options:
-          - 'ALL'
-          - 'Unsuccessful: action_required,cancelled,failure,skipped'
-          - action_required
-          - cancelled
-          - failure
-          - skipped
-          - success
-      dry_run:
-        description: 'Logs simulated changes, no deletions are performed'
-        required: false
-
-jobs:
-  del_runs:
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    permissions:
-      actions: write
-      contents: read
-    steps:
-      - name: Delete workflow runs
-        uses: Mattraks/delete-workflow-runs@v2
-        with:
-          token: ${{ github.token }}
-          repository: ${{ github.repository }}
-          retain_days: ${{ github.event.inputs.days }}
-          keep_minimum_runs: ${{ github.event.inputs.minimum_runs }}
-          delete_workflow_pattern: ${{ github.event.inputs.delete_workflow_pattern }}
-          delete_workflow_by_state_pattern: ${{ github.event.inputs.delete_workflow_by_state_pattern }}
-          delete_run_by_conclusion_pattern: >-
-            ${{
-              startsWith(github.event.inputs.delete_run_by_conclusion_pattern, 'Unsuccessful:')
-              && 'action_required,cancelled,failure,skipped'
-              || github.event.inputs.delete_run_by_conclusion_pattern
-            }}
-          dry_run: ${{ github.event.inputs.dry_run }}

.github/workflows/cli-build-binary-and-optionally-release.yml

@@ -1,114 +0,0 @@
-# Workflow that builds and tests the CLI binary executable
-name: CLI - Build binary and optionally release
-
-# Run on pushes to main branch and CLI tags, and on pull requests when CLI files change
-on:
-  push:
-    branches:
-      - main
-    tags:
-      - "*-cli"
-  pull_request:
-    paths:
-      - "openhands-cli/**"
-
-permissions:
-  contents: write       # needed to create releases or upload assets
-
-# Cancel previous runs if a new commit is pushed
-concurrency:
-  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build-binary:
-    name: Build binary executable
-    strategy:
-      matrix:
-        include:
-          # Build on Ubuntu 22.04 for maximum GLIBC compatibility (GLIBC 2.31)
-          - os: ubuntu-22.04
-            platform: linux
-            artifact_name: openhands-cli-linux
-          # Build on macOS for macOS users
-          - os: macos-15
-            platform: macos
-            artifact_name: openhands-cli-macos
-    runs-on: ${{ matrix.os }}
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.12
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v3
-        with:
-          version: "latest"
-
-      - name: Install dependencies
-        working-directory: openhands-cli
-        run: |
-          uv sync
-
-      - name: Build binary executable
-        working-directory: openhands-cli
-        run: |
-          ./build.sh --install-pyinstaller | tee output.log
-          echo "Full output:"
-          cat output.log
-
-          if grep -q "❌" output.log; then
-            echo "❌ Found failure marker in output"
-            exit 1
-          fi
-
-          echo "✅ Build & test finished without ❌ markers"
-
-      - name: Upload binary artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.artifact_name }}
-          path: openhands-cli/dist/openhands*
-          retention-days: 30
-
-  create-github-release:
-    name: Create GitHub Release
-    runs-on: ubuntu-latest
-    needs: build-binary
-    if: startsWith(github.ref, 'refs/tags/')
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: artifacts
-
-      - name: Prepare release assets
-        run: |
-          mkdir -p release-assets
-          # Copy binaries with appropriate names for release
-          if [ -f artifacts/openhands-cli-linux/openhands ]; then
-            cp artifacts/openhands-cli-linux/openhands release-assets/openhands-linux
-          fi
-          if [ -f artifacts/openhands-cli-macos/openhands ]; then
-            cp artifacts/openhands-cli-macos/openhands release-assets/openhands-macos
-          fi
-          ls -la release-assets/
-
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: release-assets/*
-          draft: true
-          prerelease: false
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dispatch-to-docs.yml

@@ -1,23 +0,0 @@
-name: Dispatch to docs repo
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - 'docs/**'
-  workflow_dispatch:
-
-jobs:
-  dispatch:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        repo: ["All-Hands-AI/docs"]
-    steps:
-      - name: Push to docs repo
-        uses: peter-evans/repository-dispatch@v3
-        with:
-          token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
-          repository: ${{ matrix.repo }}
-          event-type: update
-          client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "module": "openhands", "branch": "main"}'

.github/workflows/e2e-tests.yml

@@ -27,7 +27,7 @@ jobs:
           poetry-version: 2.1.3
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.12'
           cache: 'poetry'
@@ -38,7 +38,7 @@ jobs:
           sudo apt-get install -y libgtk-3-0 libnotify4 libnss3 libxss1 libxtst6 xauth xvfb libgbm1 libasound2t64 netcat-openbsd
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '22'
           cache: 'npm'
@@ -192,7 +192,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: playwright-report
           path: tests/e2e/test-results/
@@ -200,7 +200,7 @@ jobs:
 
       - name: Upload OpenHands logs
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: openhands-logs
           path: |

.github/workflows/enterprise-check-migrations.yml

@@ -43,7 +43,7 @@ jobs:
             ⚠️ This PR contains **migrations**
 
       - name: Comment warning on PR
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@v5
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-id: ${{ steps.find-comment.outputs.comment-id }}

.github/workflows/enterprise-preview.yml

@@ -1,29 +0,0 @@
-# Feature branch preview for enterprise code
-name: Enterprise Preview
-
-# Run on PRs labeled
-on:
-  pull_request:
-    types: [labeled]
-
-# Match ghcr-build.yml, but don't interrupt it.
-concurrency:
-  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
-  cancel-in-progress: false
-
-jobs:
-  # This must happen for the PR Docker workflow when the label is present,
-  # and also if it's added after the fact. Thus, it exists in both places.
-  enterprise-preview:
-    name: Enterprise preview
-    if: github.event.label.name == 'deploy'
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    steps:
-      # This should match the version in ghcr-build.yml
-      - name: Trigger remote job
-        run: |
-          curl --fail-with-body -sS -X POST \
-            -H "Authorization: Bearer ${{ secrets.PAT_TOKEN }}" \
-            -H "Accept: application/vnd.github+json" \
-            -d "{\"ref\": \"main\", \"inputs\": {\"openhandsPrNumber\": \"${{ github.event.pull_request.number }}\", \"deployEnvironment\": \"feature\", \"enterpriseImageTag\": \"pr-${{ github.event.pull_request.number }}\" }}" \
-            https://api.github.com/repos/All-Hands-AI/deploy/actions/workflows/deploy.yaml/dispatches

.github/workflows/fe-e2e-tests.yml

@@ -0,0 +1,47 @@
+# Workflow that runs frontend e2e tests with Playwright
+name: Run Frontend E2E Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - "frontend/**"
+      - ".github/workflows/fe-e2e-tests.yml"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  fe-e2e-test:
+    name: FE E2E Tests
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    strategy:
+      matrix:
+        node-version: [22]
+      fail-fast: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Node.js
+        uses: useblacksmith/setup-node@v5
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install dependencies
+        working-directory: ./frontend
+        run: npm ci
+      - name: Install Playwright browsers
+        working-directory: ./frontend
+        run: npx playwright install --with-deps chromium
+      - name: Run Playwright tests
+        working-directory: ./frontend
+        run: npx playwright test --project=chromium
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@v6
+        if: always()
+        with:
+          name: playwright-report
+          path: frontend/playwright-report/
+          retention-days: 30

.github/workflows/ghcr-build.yml

@@ -9,6 +9,7 @@ on:
   push:
     branches:
       - main
+      - "saas-rel-*"
     tags:
       - "*"
   pull_request:
@@ -37,16 +38,13 @@ jobs:
         shell: bash
         id: define-base-images
         run: |
-          # Only build nikolaik on PRs, otherwise build both nikolaik and ubuntu.
           if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
             json=$(jq -n -c '[
-                { image: "nikolaik/python-nodejs:python3.12-nodejs22", tag: "nikolaik" },
-                { image: "ubuntu:24.04", tag: "ubuntu" }
+                { image: "nikolaik/python-nodejs:python3.12-nodejs22", tag: "nikolaik" }
               ]')
           else
             json=$(jq -n -c '[
                 { image: "nikolaik/python-nodejs:python3.12-nodejs22", tag: "nikolaik" },
-                { image: "ghcr.io/all-hands-ai/python-nodejs:python3.13-nodejs22-trixie", tag: "trixie" },
                 { image: "ubuntu:24.04", tag: "ubuntu" }
               ]')
           fi
@@ -66,7 +64,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.7.0
         with:
           image: tonistiigi/binfmt:latest
       - name: Login to GHCR
@@ -88,7 +86,7 @@ jobs:
 
   # Builds the runtime Docker images
   ghcr_build_runtime:
-    name: Build Image
+    name: Build Runtime Image
     runs-on: blacksmith-8vcpu-ubuntu-2204
     if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
     permissions:
@@ -104,7 +102,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.7.0
         with:
           image: tonistiigi/binfmt:latest
       - name: Login to GHCR
@@ -151,6 +149,9 @@ jobs:
           push: true
           tags: ${{ env.DOCKER_TAGS }}
           platforms: ${{ env.DOCKER_PLATFORM }}
+          # Caching directives to boost performance
+          cache-from: type=registry,ref=ghcr.io/${{ env.REPO_OWNER }}/runtime:buildcache-${{ matrix.base_image.tag }}
+          cache-to: type=registry,ref=ghcr.io/${{ env.REPO_OWNER }}/runtime:buildcache-${{ matrix.base_image.tag }},mode=max
           build-args: ${{ env.DOCKER_BUILD_ARGS }}
           context: containers/runtime
           provenance: false
@@ -163,7 +164,7 @@ jobs:
           context: containers/runtime
       - name: Upload runtime source for fork
         if: github.event.pull_request.head.repo.fork
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: runtime-src-${{ matrix.base_image.tag }}
           path: containers/runtime
@@ -200,7 +201,7 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ghcr.io/all-hands-ai/enterprise-server
+          images: ghcr.io/openhands/enterprise-server
           tags: |
             type=ref,event=branch
             type=ref,event=pr
@@ -239,166 +240,15 @@ jobs:
           # Add build attestations for better security
           sbom: true
 
-  enterprise-preview:
-    name: Enterprise preview
-    if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy')
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    needs: [ghcr_build_enterprise]
-    steps:
-      # This should match the version in enterprise-preview.yml
-      - name: Trigger remote job
-        run: |
-          curl --fail-with-body -sS -X POST \
-            -H "Authorization: Bearer ${{ secrets.PAT_TOKEN }}" \
-            -H "Accept: application/vnd.github+json" \
-            -d "{\"ref\": \"main\", \"inputs\": {\"openhandsPrNumber\": \"${{ github.event.pull_request.number }}\", \"deployEnvironment\": \"feature\", \"enterpriseImageTag\": \"pr-${{ github.event.pull_request.number }}\" }}" \
-            https://api.github.com/repos/All-Hands-AI/deploy/actions/workflows/deploy.yaml/dispatches
-
-  # Run unit tests with the Docker runtime Docker images as root
-  test_runtime_root:
-    name: RT Unit Tests (Root)
-    needs: [ghcr_build_runtime, define-matrix]
-    runs-on: blacksmith-8vcpu-ubuntu-2204
-    strategy:
-      fail-fast: false
-      matrix:
-        base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Download runtime source for fork
-        if: github.event.pull_request.head.repo.fork
-        uses: actions/download-artifact@v4
-        with:
-          name: runtime-src-${{ matrix.base_image.tag }}
-          path: containers/runtime
-      - name: Lowercase Repository Owner
-        run: |
-          echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
-      # Forked repos can't push to GHCR, so we need to rebuild using cache
-      - name: Build runtime image ${{ matrix.base_image.image }} for fork
-        if: github.event.pull_request.head.repo.fork
-        uses: useblacksmith/build-push-action@v1
-        with:
-          load: true
-          tags: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
-          context: containers/runtime
-      - name: Install poetry via pipx
-        run: pipx install poetry
-      - name: Set up Python
-        uses: useblacksmith/setup-python@v6
-        with:
-          python-version: "3.12"
-          cache: poetry
-      - name: Install Python dependencies using Poetry
-        run: make install-python-dependencies INSTALL_PLAYWRIGHT=0
-      - name: Run docker runtime tests
-        shell: bash
-        run: |
-          # We install pytest-xdist in order to run tests across CPUs
-          poetry run pip install pytest-xdist
-
-          # Install to be able to retry on failures for flaky tests
-          poetry run pip install pytest-rerunfailures
-
-          image_name=ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
-
-          # Setting RUN_AS_OPENHANDS to false means use root.
-          # That should mean SANDBOX_USER_ID is ignored but some tests do not check for RUN_AS_OPENHANDS.
-
-          TEST_RUNTIME=docker \
-          SANDBOX_USER_ID=$(id -u) \
-          SANDBOX_RUNTIME_CONTAINER_IMAGE=$image_name \
-          TEST_IN_CI=true \
-          RUN_AS_OPENHANDS=false \
-          poetry run pytest -n 0 -raRs --reruns 2 --reruns-delay 5 -s ./tests/runtime --ignore=tests/runtime/test_browsergym_envs.py --durations=10
-        env:
-          DEBUG: "1"
-
-  # Run unit tests with the Docker runtime Docker images as openhands user
-  test_runtime_oh:
-    name: RT Unit Tests (openhands)
-    runs-on: blacksmith-8vcpu-ubuntu-2204
-    needs: [ghcr_build_runtime, define-matrix]
-    strategy:
-      matrix:
-        base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Download runtime source for fork
-        if: github.event.pull_request.head.repo.fork
-        uses: actions/download-artifact@v4
-        with:
-          name: runtime-src-${{ matrix.base_image.tag }}
-          path: containers/runtime
-      - name: Lowercase Repository Owner
-        run: |
-          echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
-      # Forked repos can't push to GHCR, so we need to rebuild using cache
-      - name: Build runtime image ${{ matrix.base_image.image }} for fork
-        if: github.event.pull_request.head.repo.fork
-        uses: useblacksmith/build-push-action@v1
-        with:
-          load: true
-          tags: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
-          context: containers/runtime
-      - name: Install poetry via pipx
-        run: pipx install poetry
-      - name: Set up Python
-        uses: useblacksmith/setup-python@v6
-        with:
-          python-version: "3.12"
-          cache: poetry
-      - name: Install Python dependencies using Poetry
-        run: make install-python-dependencies POETRY_GROUP=main,test,runtime INSTALL_PLAYWRIGHT=0
-      - name: Run runtime tests
-        shell: bash
-        run: |
-          # We install pytest-xdist in order to run tests across CPUs
-          poetry run pip install pytest-xdist
-
-          # Install to be able to retry on failures for flaky tests
-          poetry run pip install pytest-rerunfailures
-
-          image_name=ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
-
-          TEST_RUNTIME=docker \
-          SANDBOX_USER_ID=$(id -u) \
-          SANDBOX_RUNTIME_CONTAINER_IMAGE=$image_name \
-          TEST_IN_CI=true \
-          RUN_AS_OPENHANDS=true \
-          poetry run pytest -n 0 -raRs --reruns 2 --reruns-delay 5 -s ./tests/runtime --ignore=tests/runtime/test_browsergym_envs.py --durations=10
-        env:
-          DEBUG: "1"
-
-  # The two following jobs (named identically) are to check whether all the runtime tests have passed as the
   # "All Runtime Tests Passed" is a required job for PRs to merge
-  # Due to this bug: https://github.com/actions/runner/issues/2566, we want to create a job that runs when the
-  # prerequisites have been cancelled or failed so merging is disallowed, otherwise Github considers "skipped" as "success"
+  # We can remove this once the config changes
   runtime_tests_check_success:
     name: All Runtime Tests Passed
-    if: ${{ !cancelled() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
     runs-on: blacksmith-4vcpu-ubuntu-2204
-    needs: [test_runtime_root, test_runtime_oh]
     steps:
       - name: All tests passed
         run: echo "All runtime tests have passed successfully!"
 
-  runtime_tests_check_fail:
-    name: All Runtime Tests Passed
-    if: ${{ cancelled() || contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    needs: [test_runtime_root, test_runtime_oh]
-    steps:
-      - name: Some tests failed
-        run: |
-          echo "Some runtime tests failed or were cancelled"
-          exit 1
   update_pr_description:
     name: Update PR Description
     if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'

.github/workflows/integration-runner.yml

@@ -1,199 +0,0 @@
-name: Run Integration Tests
-
-on:
-  pull_request:
-    types: [labeled]
-  workflow_dispatch:
-    inputs:
-      reason:
-        description: 'Reason for manual trigger'
-        required: true
-        default: ''
-  schedule:
-    - cron: '30 22 * * *'  # Runs at 10:30pm UTC every day
-
-env:
-  N_PROCESSES: 10 # Global configuration for number of parallel processes for evaluation
-
-jobs:
-  run-integration-tests:
-    if: github.event.label.name == 'integration-test' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    permissions:
-      contents: "read"
-      id-token: "write"
-      pull-requests: "write"
-      issues: "write"
-    strategy:
-      matrix:
-        python-version: ["3.12"]
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Install poetry via pipx
-        run: pipx install poetry
-
-      - name: Set up Python
-        uses: useblacksmith/setup-python@v6
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: "poetry"
-
-      - name: Setup Node.js
-        uses: useblacksmith/setup-node@v5
-        with:
-          node-version: '22.x'
-
-      - name: Comment on PR if 'integration-test' label is present
-        if: github.event_name == 'pull_request' && github.event.label.name == 'integration-test'
-        uses: KeisukeYamashita/create-comment@v1
-        with:
-          unique: false
-          comment: |
-            Hi! I started running the integration tests on your PR. You will receive a comment with the results shortly.
-
-      - name: Install Python dependencies using Poetry
-        run: poetry install --with dev,test,runtime,evaluation
-
-      - name: Configure config.toml for testing with Haiku
-        env:
-          LLM_MODEL: "litellm_proxy/claude-3-5-haiku-20241022"
-          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
-          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
-          MAX_ITERATIONS: 10
-        run: |
-          echo "[llm.eval]" > config.toml
-          echo "model = \"$LLM_MODEL\"" >> config.toml
-          echo "api_key = \"$LLM_API_KEY\"" >> config.toml
-          echo "base_url = \"$LLM_BASE_URL\"" >> config.toml
-          echo "temperature = 0.0" >> config.toml
-
-      - name: Build environment
-        run: make build
-
-      - name: Run integration test evaluation for Haiku
-        env:
-          SANDBOX_FORCE_REBUILD_RUNTIME: True
-        run: |
-          poetry run ./evaluation/integration_tests/scripts/run_infer.sh llm.eval HEAD CodeActAgent '' 10 $N_PROCESSES '' 'haiku_run'
-
-          # get integration tests report
-          REPORT_FILE_HAIKU=$(find evaluation/evaluation_outputs/outputs/integration_tests/CodeActAgent/*haiku*_maxiter_10_N* -name "report.md" -type f | head -n 1)
-          echo "REPORT_FILE: $REPORT_FILE_HAIKU"
-          echo "INTEGRATION_TEST_REPORT_HAIKU<<EOF" >> $GITHUB_ENV
-          cat $REPORT_FILE_HAIKU >> $GITHUB_ENV
-          echo >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
-
-      - name: Wait a little bit
-        run: sleep 10
-
-      - name: Configure config.toml for testing with DeepSeek
-        env:
-          LLM_MODEL: "litellm_proxy/deepseek-chat"
-          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
-          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
-          MAX_ITERATIONS: 10
-        run: |
-          echo "[llm.eval]" > config.toml
-          echo "model = \"$LLM_MODEL\"" >> config.toml
-          echo "api_key = \"$LLM_API_KEY\"" >> config.toml
-          echo "base_url = \"$LLM_BASE_URL\"" >> config.toml
-          echo "temperature = 0.0" >> config.toml
-
-      - name: Run integration test evaluation for DeepSeek
-        env:
-          SANDBOX_FORCE_REBUILD_RUNTIME: True
-        run: |
-          poetry run ./evaluation/integration_tests/scripts/run_infer.sh llm.eval HEAD CodeActAgent '' 10 $N_PROCESSES '' 'deepseek_run'
-
-          # get integration tests report
-          REPORT_FILE_DEEPSEEK=$(find evaluation/evaluation_outputs/outputs/integration_tests/CodeActAgent/deepseek*_maxiter_10_N* -name "report.md" -type f | head -n 1)
-          echo "REPORT_FILE: $REPORT_FILE_DEEPSEEK"
-          echo "INTEGRATION_TEST_REPORT_DEEPSEEK<<EOF" >> $GITHUB_ENV
-          cat $REPORT_FILE_DEEPSEEK >> $GITHUB_ENV
-          echo >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
-
-      # -------------------------------------------------------------
-      # Run VisualBrowsingAgent tests for DeepSeek, limited to t05 and t06
-      - name: Wait a little bit (again)
-        run: sleep 5
-
-      - name: Configure config.toml for testing VisualBrowsingAgent (DeepSeek)
-        env:
-          LLM_MODEL: "litellm_proxy/deepseek-chat"
-          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
-          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
-          MAX_ITERATIONS: 15
-        run: |
-          echo "[llm.eval]" > config.toml
-          echo "model = \"$LLM_MODEL\"" >> config.toml
-          echo "api_key = \"$LLM_API_KEY\"" >> config.toml
-          echo "base_url = \"$LLM_BASE_URL\"" >> config.toml
-          echo "temperature = 0.0" >> config.toml
-      - name: Run integration test evaluation for VisualBrowsingAgent (DeepSeek)
-        env:
-          SANDBOX_FORCE_REBUILD_RUNTIME: True
-        run: |
-          poetry run ./evaluation/integration_tests/scripts/run_infer.sh llm.eval HEAD VisualBrowsingAgent '' 15 $N_PROCESSES "t05_simple_browsing,t06_github_pr_browsing.py" 'visualbrowsing_deepseek_run'
-
-          # Find and export the visual browsing agent test results
-          REPORT_FILE_VISUALBROWSING_DEEPSEEK=$(find evaluation/evaluation_outputs/outputs/integration_tests/VisualBrowsingAgent/deepseek*_maxiter_15_N* -name "report.md" -type f | head -n 1)
-          echo "REPORT_FILE_VISUALBROWSING_DEEPSEEK: $REPORT_FILE_VISUALBROWSING_DEEPSEEK"
-          echo "INTEGRATION_TEST_REPORT_VISUALBROWSING_DEEPSEEK<<EOF" >> $GITHUB_ENV
-          cat $REPORT_FILE_VISUALBROWSING_DEEPSEEK >> $GITHUB_ENV
-          echo >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
-
-      - name: Create archive of evaluation outputs
-        run: |
-          TIMESTAMP=$(date +'%y-%m-%d-%H-%M')
-          cd evaluation/evaluation_outputs/outputs  # Change to the outputs directory
-          tar -czvf ../../../integration_tests_${TIMESTAMP}.tar.gz integration_tests/CodeActAgent/* integration_tests/VisualBrowsingAgent/* # Only include the actual result directories
-
-      - name: Upload evaluation results as artifact
-        uses: actions/upload-artifact@v4
-        id: upload_results_artifact
-        with:
-          name: integration-test-outputs-${{ github.run_id }}-${{ github.run_attempt }}
-          path: integration_tests_*.tar.gz
-
-      - name: Get artifact URLs
-        run: |
-          echo "ARTIFACT_URL=${{ steps.upload_results_artifact.outputs.artifact-url }}" >> $GITHUB_ENV
-
-      - name: Set timestamp and trigger reason
-        run: |
-          echo "TIMESTAMP=$(date +'%Y-%m-%d-%H-%M')" >> $GITHUB_ENV
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "TRIGGER_REASON=pr-${{ github.event.pull_request.number }}" >> $GITHUB_ENV
-          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo "TRIGGER_REASON=manual-${{ github.event.inputs.reason }}" >> $GITHUB_ENV
-          else
-            echo "TRIGGER_REASON=nightly-scheduled" >> $GITHUB_ENV
-          fi
-
-      - name: Comment with results and artifact link
-        id: create_comment
-        uses: KeisukeYamashita/create-comment@v1
-        with:
-          # if triggered by PR, use PR number, otherwise use 9745 as fallback issue number for manual triggers
-          number: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || 9745 }}
-          unique: false
-          comment: |
-              Trigger by: ${{ github.event_name == 'pull_request' && format('Pull Request (integration-test label on PR #{0})', github.event.pull_request.number) || (github.event_name == 'workflow_dispatch' && format('Manual Trigger: {0}', github.event.inputs.reason)) || 'Nightly Scheduled Run' }}
-              Commit: ${{ github.sha }}
-              **Integration Tests Report (Haiku)**
-              Haiku LLM Test Results:
-              ${{ env.INTEGRATION_TEST_REPORT_HAIKU }}
-              ---
-              **Integration Tests Report (DeepSeek)**
-              DeepSeek LLM Test Results:
-              ${{ env.INTEGRATION_TEST_REPORT_DEEPSEEK }}
-              ---
-              **Integration Tests Report VisualBrowsing (DeepSeek)**
-              ${{ env.INTEGRATION_TEST_REPORT_VISUALBROWSING_DEEPSEEK }}
-              ---
-              Download testing outputs (includes both Haiku and DeepSeek results): [Download](${{ steps.upload_results_artifact.outputs.artifact-url }})

.github/workflows/lint.yml

@@ -72,34 +72,3 @@ jobs:
       - name: Run pre-commit hooks
         working-directory: ./enterprise
         run: pre-commit run --all-files --show-diff-on-failure --config ./dev_config/python/.pre-commit-config.yaml
-
-  lint-cli-python:
-    name: Lint CLI python
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Set up python
-        uses: useblacksmith/setup-python@v6
-        with:
-          python-version: 3.12
-          cache: "pip"
-      - name: Install pre-commit
-        run: pip install pre-commit==4.2.0
-      - name: Run pre-commit hooks
-        working-directory: ./openhands-cli
-        run: pre-commit run --all-files --config ./dev_config/python/.pre-commit-config.yaml
-
-  # Check version consistency across documentation
-  check-version-consistency:
-    name: Check version consistency
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up python
-        uses: useblacksmith/setup-python@v6
-        with:
-          python-version: 3.12
-      - name: Run version consistency check
-        run: .github/scripts/check_version_consistency.py

.github/workflows/mdx-lint.yml

@@ -1,70 +0,0 @@
-# Workflow that checks MDX format in docs/ folder
-name: MDX Lint
-
-# Run on pushes to main and on pull requests that modify docs/ files
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - 'docs/**/*.mdx'
-  pull_request:
-    paths:
-      - 'docs/**/*.mdx'
-
-# If triggered by a PR, it will be in the same group. However, each commit on main will be in its own unique group
-concurrency:
-  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  mdx-lint:
-    name: Lint MDX files
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install Node.js 22
-        uses: useblacksmith/setup-node@v5
-        with:
-          node-version: 22
-
-      - name: Install MDX dependencies
-        run: |
-          npm install @mdx-js/mdx@3 glob@10
-
-      - name: Validate MDX files
-        run: |
-          node -e "
-          const {compile} = require('@mdx-js/mdx');
-          const fs = require('fs');
-          const path = require('path');
-          const glob = require('glob');
-
-          async function validateMDXFiles() {
-            const files = glob.sync('docs/**/*.mdx');
-            console.log('Found', files.length, 'MDX files to validate');
-
-            let hasErrors = false;
-
-            for (const file of files) {
-              try {
-                const content = fs.readFileSync(file, 'utf8');
-                await compile(content);
-                console.log('✅ MDX parsing successful for', file);
-              } catch (err) {
-                console.error('❌ MDX parsing failed for', file, ':', err.message);
-                hasErrors = true;
-              }
-            }
-
-            if (hasErrors) {
-              console.error('\\n❌ Some MDX files have parsing errors. Please fix them before merging.');
-              process.exit(1);
-            } else {
-              console.log('\\n✅ All MDX files are valid!');
-            }
-          }
-
-          validateMDXFiles();
-          "

.github/workflows/openhands-resolver.yml

@@ -89,7 +89,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.12"
       - name: Upgrade pip
@@ -118,7 +118,7 @@ jobs:
               contains(github.event.review.body, '@openhands-agent-exp')
             )
           )
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ env.pythonLocation }}/lib/python3.12/site-packages/*
           key: ${{ runner.os }}-pip-openhands-resolver-${{ hashFiles('/tmp/requirements.txt') }}
@@ -201,7 +201,7 @@ jobs:
               issue_number: ${{ env.ISSUE_NUMBER }},
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: `[OpenHands](https://github.com/All-Hands-AI/OpenHands) started fixing the ${issueType}! You can monitor the progress [here](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}).`
+              body: `[OpenHands](https://github.com/OpenHands/OpenHands) started fixing the ${issueType}! You can monitor the progress [here](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}).`
             });
 
       - name: Install OpenHands
@@ -233,7 +233,7 @@ jobs:
             if (isExperimentalLabel || isIssueCommentExperimental || isReviewCommentExperimental) {
               console.log("Installing experimental OpenHands...");
 
-              await exec.exec("pip install git+https://github.com/all-hands-ai/openhands.git");
+              await exec.exec("pip install git+https://github.com/openhands/openhands.git");
             } else {
               console.log("Installing from requirements.txt...");
 
@@ -269,7 +269,7 @@ jobs:
           fi
 
       - name: Upload output.jsonl as artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         if: always() # Upload even if the previous steps fail
         with:
           name: resolver-output

.github/workflows/pr-review-by-openhands.yml

@@ -0,0 +1,48 @@
+---
+name: PR Review by OpenHands
+
+on:
+    # TEMPORARY MITIGATION (Clinejection hardening)
+    #
+    # We temporarily avoid `pull_request_target` here. We'll restore it after the PR review
+    # workflow is fully hardened for untrusted execution.
+    pull_request:
+        types: [opened, ready_for_review, labeled, review_requested]
+
+permissions:
+    contents: read
+    pull-requests: write
+    issues: write
+
+jobs:
+    pr-review:
+        # Note: fork PRs will not have access to repository secrets under `pull_request`.
+        # Skip forks to avoid noisy failures until we restore a hardened `pull_request_target` flow.
+        if: |
+            github.event.pull_request.head.repo.full_name == github.repository &&
+            (
+                (github.event.action == 'opened' && github.event.pull_request.draft == false) ||
+                github.event.action == 'ready_for_review' ||
+                (github.event.action == 'labeled' && github.event.label.name == 'review-this') ||
+                (
+                    github.event.action == 'review_requested' &&
+                    (
+                        github.event.requested_reviewer.login == 'openhands-agent' ||
+                        github.event.requested_reviewer.login == 'all-hands-bot'
+                    )
+                )
+            )
+        concurrency:
+            group: pr-review-${{ github.event.pull_request.number }}
+            cancel-in-progress: true
+        runs-on: ubuntu-24.04
+        steps:
+            - name: Run PR Review
+              uses: OpenHands/extensions/plugins/pr-review@main
+              with:
+                  llm-model: litellm_proxy/claude-sonnet-4-5-20250929
+                  llm-base-url: https://llm-proxy.app.all-hands.dev
+                  review-style: roasted
+                  llm-api-key: ${{ secrets.LLM_API_KEY }}
+                  github-token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+                  lmnr-api-key: ${{ secrets.LMNR_SKILLS_API_KEY }}

.github/workflows/pr-review-evaluation.yml

@@ -0,0 +1,85 @@
+---
+name: PR Review Evaluation
+
+# This workflow evaluates how well PR review comments were addressed.
+# It runs when a PR is closed to assess review effectiveness.
+#
+# Security note: pull_request_target is safe here because:
+# 1. Only triggers on PR close (not on code changes)
+# 2. Does not checkout PR code - only downloads artifacts from trusted workflow runs
+# 3. Runs evaluation scripts from the extensions repo, not from the PR
+
+on:
+    pull_request_target:
+        types: [closed]
+
+permissions:
+    contents: read
+    pull-requests: read
+
+jobs:
+    evaluate:
+        runs-on: ubuntu-24.04
+        env:
+            PR_NUMBER: ${{ github.event.pull_request.number }}
+            REPO_NAME: ${{ github.repository }}
+            PR_MERGED: ${{ github.event.pull_request.merged }}
+
+        steps:
+            - name: Download review trace artifact
+              id: download-trace
+              uses: dawidd6/action-download-artifact@v6
+              continue-on-error: true
+              with:
+                  workflow: pr-review-by-openhands.yml
+                  name: pr-review-trace-${{ github.event.pull_request.number }}
+                  path: trace-info
+                  search_artifacts: true
+                  if_no_artifact_found: warn
+
+            - name: Check if trace file exists
+              id: check-trace
+              run: |
+                  if [ -f "trace-info/laminar_trace_info.json" ]; then
+                    echo "trace_exists=true" >> $GITHUB_OUTPUT
+                    echo "Found trace file for PR #$PR_NUMBER"
+                  else
+                    echo "trace_exists=false" >> $GITHUB_OUTPUT
+                    echo "No trace file found for PR #$PR_NUMBER - skipping evaluation"
+                  fi
+
+            # Always checkout main branch for security - cannot test script changes in PRs
+            - name: Checkout extensions repository
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              uses: actions/checkout@v5
+              with:
+                  repository: OpenHands/extensions
+                  path: extensions
+
+            - name: Set up Python
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              uses: actions/setup-python@v6
+              with:
+                  python-version: '3.12'
+
+            - name: Install dependencies
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              run: pip install lmnr
+
+            - name: Run evaluation
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              env:
+                  # Script expects LMNR_PROJECT_API_KEY; org secret is named LMNR_SKILLS_API_KEY
+                  LMNR_PROJECT_API_KEY: ${{ secrets.LMNR_SKILLS_API_KEY }}
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              run: |
+                  python extensions/plugins/pr-review/scripts/evaluate_review.py \
+                      --trace-file trace-info/laminar_trace_info.json
+
+            - name: Upload evaluation logs
+              uses: actions/upload-artifact@v5
+              if: always() && steps.check-trace.outputs.trace_exists == 'true'
+              with:
+                  name: pr-review-evaluation-${{ github.event.pull_request.number }}
+                  path: '*.log'
+                  retention-days: 30

.github/workflows/py-tests.yml

@@ -48,7 +48,10 @@ jobs:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
       - name: Install Python dependencies using Poetry
-        run: poetry install --with dev,test,runtime
+        run: |
+          poetry install --with dev,test,runtime
+          poetry run pip install pytest-xdist
+          poetry run pip install pytest-rerunfailures
       - name: Build Environment
         run: make build
       - name: Run Unit Tests
@@ -56,48 +59,18 @@ jobs:
         env:
           COVERAGE_FILE: ".coverage.${{ matrix.python_version }}"
       - name: Run Runtime Tests with CLIRuntime
-        run: PYTHONPATH=".:$PYTHONPATH" TEST_RUNTIME=cli poetry run pytest -s tests/runtime/test_bash.py --cov=openhands --cov-branch
+        run: PYTHONPATH=".:$PYTHONPATH" TEST_RUNTIME=cli poetry run pytest -n 5 --reruns 2 --reruns-delay 3 -s tests/runtime/test_bash.py --cov=openhands --cov-branch
         env:
           COVERAGE_FILE: ".coverage.runtime.${{ matrix.python_version }}"
       - name: Store coverage file
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: coverage-openhands
           path: |
             .coverage.${{ matrix.python_version }}
             .coverage.runtime.${{ matrix.python_version }}
           include-hidden-files: true
-  # Run specific Windows python tests
-  test-on-windows:
-    name: Python Tests on Windows
-    runs-on: windows-latest
-    strategy:
-      matrix:
-        python-version: ["3.12"]
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install pipx
-        run: pip install pipx
-      - name: Install poetry via pipx
-        run: pipx install poetry
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: "poetry"
-      - name: Install Python dependencies using Poetry
-        run: poetry install --with dev,test,runtime
-      - name: Run Windows unit tests
-        run: poetry run pytest -svv tests/unit/runtime/utils/test_windows_bash.py
-        env:
-          PYTHONPATH: ".;$env:PYTHONPATH"
-          DEBUG: "1"
-      - name: Run Windows runtime tests with LocalRuntime
-        run: $env:TEST_RUNTIME="local"; poetry run pytest -svv tests/runtime/test_bash.py
-        env:
-          PYTHONPATH: ".;$env:PYTHONPATH"
-          TEST_RUNTIME: local
-          DEBUG: "1"
+
   test-enterprise:
     name: Enterprise Python Unit Tests
     runs-on: blacksmith-4vcpu-ubuntu-2404
@@ -122,63 +95,17 @@ jobs:
         env:
           COVERAGE_FILE: ".coverage.enterprise.${{ matrix.python_version }}"
       - name: Store coverage file
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: coverage-enterprise
           path: ".coverage.enterprise.${{ matrix.python_version }}"
           include-hidden-files: true
 
-  # Run CLI unit tests
-  test-cli-python:
-    name: CLI Unit Tests
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    strategy:
-      matrix:
-        python-version: ["3.12"]
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Set up Python
-        uses: useblacksmith/setup-python@v6
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v3
-        with:
-          version: "latest"
-
-      - name: Install dependencies
-        working-directory: ./openhands-cli
-        run: |
-          uv sync --group dev
-
-      - name: Run CLI unit tests
-        working-directory: ./openhands-cli
-        env:
-          # write coverage to repo root so the merge step finds it
-          COVERAGE_FILE: "${{ github.workspace }}/.coverage.openhands-cli.${{ matrix.python-version }}"
-        run: |
-          uv run pytest --forked -n auto -s \
-            -p no:ddtrace -p no:ddtrace.pytest_bdd -p no:ddtrace.pytest_benchmark \
-            tests --cov=openhands_cli --cov-branch
-
-      - name: Store coverage file
-        uses: actions/upload-artifact@v4
-        with:
-          name: coverage-openhands-cli
-          path: ".coverage.openhands-cli.${{ matrix.python-version }}"
-          include-hidden-files: true
-
-
   coverage-comment:
     name: Coverage Comment
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
-    needs: [test-on-linux, test-enterprise, test-cli-python]
+    needs: [test-on-linux, test-enterprise]
 
     permissions:
       pull-requests: write
@@ -186,15 +113,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v5
+      - uses: actions/download-artifact@v6
         id: download
         with:
           pattern: coverage-*
           merge-multiple: true
 
-      - name: Create symlink for CLI source files
-        run: ln -sf openhands-cli/openhands_cli openhands_cli
-
       - name: Coverage comment
         id: coverage_comment
         uses: py-cov-action/python-coverage-comment-action@v3

.github/workflows/pypi-release.yml

@@ -10,7 +10,6 @@ on:
         type: choice
         options:
           - app server
-          - cli
         default: app server
   push:
     tags:
@@ -39,36 +38,3 @@ jobs:
         run: ./build.sh
       - name: publish
         run: poetry publish -u __token__ -p ${{ secrets.PYPI_TOKEN }}
-
-  release-cli:
-    name: Publish CLI to PyPI
-    runs-on: ubuntu-latest
-    # Run when manually dispatched for "cli" OR for tag pushes that contain '-cli'
-    if: |
-      (github.event_name == 'workflow_dispatch' && github.event.inputs.reason == 'cli')
-      || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-cli'))
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.12
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v3
-        with:
-          version: "latest"
-
-      - name: Build CLI package
-        working-directory: openhands-cli
-        run: |
-          # Clean dist directory to avoid conflicts with binary builds
-          rm -rf dist/
-          uv build
-
-      - name: Publish CLI to PyPI
-        working-directory: openhands-cli
-        run: |
-          uv publish --token ${{ secrets.PYPI_TOKEN_OPENHANDS }}

.github/workflows/run-eval.yml

@@ -1,135 +0,0 @@
-# Run evaluation on a PR, after releases, or manually
-name: Run Eval
-
-# Runs when a PR is labeled with one of the "run-eval-" labels, after releases, or manually triggered
-on:
-  pull_request:
-    types: [labeled]
-  release:
-    types: [published]
-  workflow_dispatch:
-    inputs:
-      branch:
-        description: 'Branch to evaluate'
-        required: true
-        default: 'main'
-      eval_instances:
-        description: 'Number of evaluation instances'
-        required: true
-        default: '50'
-        type: choice
-        options:
-          - '1'
-          - '2'
-          - '50'
-          - '100'
-      reason:
-        description: 'Reason for manual trigger'
-        required: false
-        default: ''
-
-env:
-  # Environment variable for the master GitHub issue number where all evaluation results will be commented
-  # This should be set to the issue number where you want all evaluation results to be posted
-  MASTER_EVAL_ISSUE_NUMBER: ${{ vars.MASTER_EVAL_ISSUE_NUMBER || '0' }}
-
-jobs:
-  trigger-job:
-    name: Trigger remote eval job
-    if: ${{ (github.event_name == 'pull_request' && (github.event.label.name == 'run-eval-1' || github.event.label.name == 'run-eval-2' || github.event.label.name == 'run-eval-50' || github.event.label.name == 'run-eval-100')) || github.event_name == 'release' || github.event_name == 'workflow_dispatch' }}
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-
-    steps:
-      - name: Checkout branch
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.head_ref || (github.event_name == 'workflow_dispatch' && github.event.inputs.branch) || github.ref }}
-
-      - name: Set evaluation parameters
-        id: eval_params
-        run: |
-          REPO_URL="https://github.com/${{ github.repository }}"
-          echo "Repository URL: $REPO_URL"
-
-          # Determine branch based on trigger type
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            EVAL_BRANCH="${{ github.head_ref }}"
-            echo "PR Branch: $EVAL_BRANCH"
-          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            EVAL_BRANCH="${{ github.event.inputs.branch }}"
-            echo "Manual Branch: $EVAL_BRANCH"
-          else
-            # For release events, use the tag name or main branch
-            EVAL_BRANCH="${{ github.ref_name }}"
-            echo "Release Branch/Tag: $EVAL_BRANCH"
-          fi
-
-          # Determine evaluation instances based on trigger type
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            if [[ "${{ github.event.label.name }}" == "run-eval-1" ]]; then
-              EVAL_INSTANCES="1"
-            elif [[ "${{ github.event.label.name }}" == "run-eval-2" ]]; then
-              EVAL_INSTANCES="2"
-            elif [[ "${{ github.event.label.name }}" == "run-eval-50" ]]; then
-              EVAL_INSTANCES="50"
-            elif [[ "${{ github.event.label.name }}" == "run-eval-100" ]]; then
-              EVAL_INSTANCES="100"
-            fi
-          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            EVAL_INSTANCES="${{ github.event.inputs.eval_instances }}"
-          else
-            # For release events, default to 50 instances
-            EVAL_INSTANCES="50"
-          fi
-
-          echo "Evaluation instances: $EVAL_INSTANCES"
-          echo "repo_url=$REPO_URL" >> $GITHUB_OUTPUT
-          echo "eval_branch=$EVAL_BRANCH" >> $GITHUB_OUTPUT
-          echo "eval_instances=$EVAL_INSTANCES" >> $GITHUB_OUTPUT
-
-      - name: Trigger remote job
-        run: |
-          # Determine PR number for the remote evaluation system
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            PR_NUMBER="${{ github.event.pull_request.number }}"
-          else
-            # For non-PR triggers, use the master issue number as PR number
-            PR_NUMBER="${{ env.MASTER_EVAL_ISSUE_NUMBER }}"
-          fi
-
-          curl -X POST \
-            -H "Authorization: Bearer ${{ secrets.PAT_TOKEN }}" \
-            -H "Accept: application/vnd.github+json" \
-            -d "{\"ref\": \"main\", \"inputs\": {\"github-repo\": \"${{ steps.eval_params.outputs.repo_url }}\", \"github-branch\": \"${{ steps.eval_params.outputs.eval_branch }}\", \"pr-number\": \"${PR_NUMBER}\", \"eval-instances\": \"${{ steps.eval_params.outputs.eval_instances }}\"}}" \
-            https://api.github.com/repos/All-Hands-AI/evaluation/actions/workflows/create-branch.yml/dispatches
-
-          # Send Slack message
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            TRIGGER_URL="https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}"
-            slack_text="PR $TRIGGER_URL has triggered evaluation on ${{ steps.eval_params.outputs.eval_instances }} instances..."
-          elif [[ "${{ github.event_name }}" == "release" ]]; then
-            TRIGGER_URL="https://github.com/${{ github.repository }}/releases/tag/${{ github.ref_name }}"
-            slack_text="Release $TRIGGER_URL has triggered evaluation on ${{ steps.eval_params.outputs.eval_instances }} instances..."
-          else
-            TRIGGER_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-            slack_text="Manual trigger (${{ github.event.inputs.reason || 'No reason provided' }}) has triggered evaluation on ${{ steps.eval_params.outputs.eval_instances }} instances for branch ${{ steps.eval_params.outputs.eval_branch }}..."
-          fi
-
-          curl -X POST -H 'Content-type: application/json' --data '{"text":"'"$slack_text"'"}' \
-            https://hooks.slack.com/services/${{ secrets.SLACK_TOKEN }}
-
-      - name: Comment on issue/PR
-        uses: KeisukeYamashita/create-comment@v1
-        with:
-          # For PR triggers, comment on the PR. For other triggers, comment on the master issue
-          number: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || env.MASTER_EVAL_ISSUE_NUMBER }}
-          unique: false
-          comment: |
-            **Evaluation Triggered**
-
-            **Trigger:** ${{ github.event_name == 'pull_request' && format('Pull Request #{0}', github.event.pull_request.number) || (github.event_name == 'release' && 'Release') || format('Manual Trigger: {0}', github.event.inputs.reason || 'No reason provided') }}
-            **Branch:** ${{ steps.eval_params.outputs.eval_branch }}
-            **Instances:** ${{ steps.eval_params.outputs.eval_instances }}
-            **Commit:** ${{ github.sha }}
-
-            Running evaluation on the specified branch. Once eval is done, the results will be posted here.

.github/workflows/stale.yml

@@ -9,6 +9,7 @@ on:
 jobs:
   stale:
     runs-on: blacksmith-4vcpu-ubuntu-2204
+    if: github.repository == 'OpenHands/OpenHands'
     steps:
       - uses: actions/stale@v9
         with:

.github/workflows/vscode-extension-build.yml

@@ -1,156 +0,0 @@
-# Workflow that validates the VSCode extension builds correctly
-name: VSCode Extension CI
-
-# * Always run on "main"
-# * Run on PRs that have changes in the VSCode extension folder or this workflow
-# * Run on tags that start with "ext-v"
-on:
-  push:
-    branches:
-      - main
-    tags:
-      - 'ext-v*'
-  pull_request:
-    paths:
-      - 'openhands/integrations/vscode/**'
-      - 'build_vscode.py'
-      - '.github/workflows/vscode-extension-build.yml'
-
-# If triggered by a PR, it will be in the same group. However, each commit on main will be in its own unique group
-concurrency:
-  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  # Validate VSCode extension builds correctly
-  validate-vscode-extension:
-    name: Validate VSCode Extension Build
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up Node.js
-        uses: useblacksmith/setup-node@v5
-        with:
-          node-version: '22'
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-
-      - name: Install VSCode extension dependencies
-        working-directory: ./openhands/integrations/vscode
-        run: npm ci
-
-      - name: Build VSCode extension via build_vscode.py
-        run: python build_vscode.py
-        env:
-          # Ensure we don't skip the build
-          SKIP_VSCODE_BUILD: ""
-
-      - name: Validate .vsix file
-        run: |
-          # Verify the .vsix was created and is valid
-          if [ -f "openhands/integrations/vscode/openhands-vscode-0.0.1.vsix" ]; then
-            echo "✅ VSCode extension built successfully"
-            ls -la openhands/integrations/vscode/openhands-vscode-0.0.1.vsix
-
-            # Basic validation that the .vsix is a valid zip file
-            echo "🔍 Validating .vsix structure..."
-            file openhands/integrations/vscode/openhands-vscode-0.0.1.vsix
-            unzip -t openhands/integrations/vscode/openhands-vscode-0.0.1.vsix
-
-            echo "✅ VSCode extension validation passed"
-          else
-            echo "❌ VSCode extension build failed - .vsix not found"
-            exit 1
-          fi
-
-      - name: Upload VSCode extension artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: vscode-extension
-          path: openhands/integrations/vscode/openhands-vscode-0.0.1.vsix
-          retention-days: 7
-
-      - name: Comment on PR with artifact link
-        if: github.event_name == 'pull_request'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-
-            // Get file size for display
-            const vsixPath = 'openhands/integrations/vscode/openhands-vscode-0.0.1.vsix';
-            const stats = fs.statSync(vsixPath);
-            const fileSizeKB = Math.round(stats.size / 1024);
-
-            const comment = `## 🔧 VSCode Extension Built Successfully!
-
-            The VSCode extension has been built and is ready for testing.
-
-            **📦 Download**: [openhands-vscode-0.0.1.vsix](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) (${fileSizeKB} KB)
-
-            **🚀 To install**:
-            1. Download the artifact from the workflow run above
-            2. In VSCode: \`Ctrl+Shift+P\` → "Extensions: Install from VSIX..."
-            3. Select the downloaded \`.vsix\` file
-
-            **✅ Tested with**: Node.js 22
-            **🔍 Validation**: File structure and integrity verified
-
-            ---
-            *Built from commit ${{ github.sha }}*`;
-
-            // Check if we already commented on this PR and delete it
-            const { data: comments } = await github.rest.issues.listComments({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-            });
-
-            const botComment = comments.find(comment =>
-              comment.user.login === 'github-actions[bot]' &&
-              comment.body.includes('VSCode Extension Built Successfully')
-            );
-
-            if (botComment) {
-              await github.rest.issues.deleteComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: botComment.id,
-              });
-            }
-
-            // Create a new comment
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-              body: comment
-            });
-
-  release:
-    name: Create GitHub Release
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    needs: validate-vscode-extension
-    if: startsWith(github.ref, 'refs/tags/ext-v')
-
-    steps:
-      - name: Download .vsix artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: vscode-extension
-          path: ./
-
-      - name: Create Release
-        uses: ncipollo/release-action@v1.16.0
-        with:
-          artifacts: "*.vsix"
-          token: ${{ secrets.GITHUB_TOKEN }}
-          draft: true
-          allowUpdates: true

.github/workflows/welcome-good-first-issue.yml

@@ -45,7 +45,7 @@ jobs:
                     "This issue has been labeled as **good first issue**, which means it's a great place to get started with the OpenHands project.\n\n" +
                     "If you're interested in working on it, feel free to! No need to ask for permission.\n\n" +
                     "Be sure to check out our [development setup guide](" + repoUrl + "/blob/main/Development.md) to get your environment set up, and follow our [contribution guidelines](" + repoUrl + "/blob/main/CONTRIBUTING.md) when you're ready to submit a fix.\n\n" +
-                    "Feel free to join our developer community on [Slack](https://all-hands.dev/joinslack). You can ask for [help](https://openhands-ai.slack.com/archives/C078L0FUGUX), [feedback](https://openhands-ai.slack.com/archives/C086ARSNMGA), and even ask for a [PR review](https://openhands-ai.slack.com/archives/C08D8FJ5771).\n\n" +
+                    "Feel free to join our developer community on [Slack](https://openhands.dev/joinslack). You can ask for [help](https://openhands-ai.slack.com/archives/C078L0FUGUX), [feedback](https://openhands-ai.slack.com/archives/C086ARSNMGA), and even ask for a [PR review](https://openhands-ai.slack.com/archives/C08D8FJ5771).\n\n" +
                     "🙌 Happy hacking! 🙌\n\n" +
                     "<!-- auto-comment:good-first-issue -->"
             });

.gitignore

@@ -185,6 +185,9 @@ cython_debug/
 .repomix
 repomix-output.txt
 
+# Emacs backup
+*~
+
 # evaluation
 evaluation/evaluation_outputs
 evaluation/outputs

.openhands/pre-commit.sh

@@ -13,7 +13,6 @@ STAGED_FILES=$(git diff --cached --name-only)
 # Check if any files match specific patterns
 has_frontend_changes=false
 has_backend_changes=false
-has_vscode_changes=false
 
 # Check each file individually to avoid issues with grep
 for file in $STAGED_FILES; do
@@ -21,17 +20,12 @@ for file in $STAGED_FILES; do
         has_frontend_changes=true
     elif [[ $file == openhands/* || $file == evaluation/* || $file == tests/* ]]; then
         has_backend_changes=true
-        # Check for VSCode extension changes (subset of backend changes)
-        if [[ $file == openhands/integrations/vscode/* ]]; then
-            has_vscode_changes=true
-        fi
     fi
 done
 
 echo "Analyzing changes..."
 echo "- Frontend changes: $has_frontend_changes"
 echo "- Backend changes: $has_backend_changes"
-echo "- VSCode extension changes: $has_vscode_changes"
 
 # Run frontend linting if needed
 if [ "$has_frontend_changes" = true ]; then
@@ -92,51 +86,6 @@ else
     echo "Skipping backend checks (no backend changes detected)."
 fi
 
-# Run VSCode extension checks if needed
-if [ "$has_vscode_changes" = true ]; then
-    # Check if we're in a CI environment
-    if [ -n "$CI" ]; then
-        echo "Skipping VSCode extension checks (CI environment detected)."
-        echo "WARNING: VSCode extension files have changed but checks are being skipped."
-        echo "Please run VSCode extension checks manually before submitting your PR."
-    else
-        echo "Running VSCode extension checks..."
-        if [ -d "openhands/integrations/vscode" ]; then
-            cd openhands/integrations/vscode || exit 1
-
-            echo "Running npm lint:fix..."
-            npm run lint:fix
-            if [ $? -ne 0 ]; then
-                echo "VSCode extension linting failed. Please fix the issues before committing."
-                EXIT_CODE=1
-            else
-                echo "VSCode extension linting passed!"
-            fi
-
-            echo "Running npm typecheck..."
-            npm run typecheck
-            if [ $? -ne 0 ]; then
-                echo "VSCode extension type checking failed. Please fix the issues before committing."
-                EXIT_CODE=1
-            else
-                echo "VSCode extension type checking passed!"
-            fi
-
-            echo "Running npm compile..."
-            npm run compile
-            if [ $? -ne 0 ]; then
-                echo "VSCode extension compilation failed. Please fix the issues before committing."
-                EXIT_CODE=1
-            else
-                echo "VSCode extension compilation passed!"
-            fi
-
-            cd ../../..
-        fi
-    fi
-else
-    echo "Skipping VSCode extension checks (no VSCode extension changes detected)."
-fi
 
 # If no specific code changes detected, run basic checks
 if [ "$has_frontend_changes" = false ] && [ "$has_backend_changes" = false ]; then

.vscode/settings.json

@@ -3,4 +3,20 @@
     "files.eol": "\n",
     "files.trimTrailingWhitespace": true,
     "files.insertFinalNewline": true,
+
+    "python.defaultInterpreterPath": "./.venv/bin/python",
+    "python.terminal.activateEnvironment": true,
+    "python.analysis.autoImportCompletions": true,
+    "python.analysis.autoSearchPaths": true,
+    "python.analysis.extraPaths": [
+        "./.venv/lib/python3.12/site-packages"
+    ],
+    "python.analysis.packageIndexDepths": [
+        {
+            "name": "openhands",
+            "depth": 10,
+            "includeAllSymbols": true
+        }
+    ],
+    "python.analysis.stubPath": "./.venv/lib/python3.12/site-packages",
 }

AGENTS.md

@@ -63,7 +63,7 @@ Frontend:
   - We use TanStack Query (fka React Query) for data fetching and cache management
   - Data Access Layer: API client methods are located in `frontend/src/api` and should never be called directly from UI components - they must always be wrapped with TanStack Query
   - Custom hooks are located in `frontend/src/hooks/query/` and `frontend/src/hooks/mutation/`
-  - Query hooks should follow the pattern use[Resource] (e.g., `useConversationMicroagents`)
+  - Query hooks should follow the pattern use[Resource] (e.g., `useConversationSkills`)
   - Mutation hooks should follow the pattern use[Action] (e.g., `useDeleteConversation`)
   - Architecture rule: UI components → TanStack Query hooks → Data Access Layer (`frontend/src/api`) → API endpoints
 
@@ -83,6 +83,116 @@ VSCode Extension:
   - Use `vscode.window.createOutputChannel()` for debug logging instead of `showErrorMessage()` popups
   - Pre-commit process runs both frontend and backend checks when committing extension changes
 
+## Enterprise Directory
+
+The `enterprise/` directory contains additional functionality that extends the open-source OpenHands codebase. This includes:
+- Authentication and user management (Keycloak integration)
+- Database migrations (Alembic)
+- Integration services (GitHub, GitLab, Jira, Linear, Slack)
+- Billing and subscription management (Stripe)
+- Telemetry and analytics (PostHog, custom metrics framework)
+
+### Enterprise Development Setup
+
+**Prerequisites:**
+- Python 3.12
+- Poetry (for dependency management)
+- Node.js 22.x (for frontend)
+- Docker (optional)
+
+**Setup Steps:**
+1. First, build the main OpenHands project: `make build`
+2. Then install enterprise dependencies: `cd enterprise && poetry install --with dev,test` (This can take a very long time. Be patient.)
+3. Set up enterprise pre-commit hooks: `poetry run pre-commit install --config ./dev_config/python/.pre-commit-config.yaml`
+
+**Running Enterprise Tests:**
+```bash
+# Enterprise unit tests (full suite)
+PYTHONPATH=".:$PYTHONPATH" poetry run --project=enterprise pytest --forked -n auto -s -p no:ddtrace -p no:ddtrace.pytest_bdd -p no:ddtrace.pytest_benchmark ./enterprise/tests/unit --cov=enterprise --cov-branch
+
+# Test specific modules (faster for development)
+cd enterprise
+PYTHONPATH=".:$PYTHONPATH" poetry run pytest tests/unit/telemetry/ --confcutdir=tests/unit/telemetry
+
+# Enterprise linting (IMPORTANT: use --show-diff-on-failure to match GitHub CI)
+poetry run pre-commit run --all-files --show-diff-on-failure --config ./dev_config/python/.pre-commit-config.yaml
+```
+
+**Running Enterprise Server:**
+```bash
+cd enterprise
+make start-backend  # Development mode with hot reload
+# or
+make run  # Full application (backend + frontend)
+```
+
+**Key Configuration Files:**
+- `enterprise/pyproject.toml` - Enterprise-specific dependencies
+- `enterprise/Makefile` - Enterprise build and run commands
+- `enterprise/dev_config/python/` - Linting and type checking configuration
+- `enterprise/migrations/` - Database migration files
+
+**Database Migrations:**
+Enterprise uses Alembic for database migrations. When making schema changes:
+1. Create migration files in `enterprise/migrations/versions/`
+2. Test migrations thoroughly
+3. The CI will check for migration conflicts on PRs
+
+**Integration Development:**
+The enterprise codebase includes integrations for:
+- **GitHub** - PR management, webhooks, app installations
+- **GitLab** - Similar to GitHub but for GitLab instances
+- **Jira** - Issue tracking and project management
+- **Linear** - Modern issue tracking
+- **Slack** - Team communication and notifications
+
+Each integration follows a consistent pattern with service classes, storage models, and API endpoints.
+
+**Important Notes:**
+- Enterprise code is licensed under Polyform Free Trial License (30-day limit)
+- The enterprise server extends the OpenHands server through dynamic imports
+- Database changes require careful migration planning in `enterprise/migrations/`
+- Always test changes in both OpenHands and enterprise contexts
+- Use the enterprise-specific Makefile commands for development
+
+**Enterprise Testing Best Practices:**
+
+**Database Testing:**
+- Use SQLite in-memory databases (`sqlite:///:memory:`) for unit tests instead of real PostgreSQL
+- Create module-specific `conftest.py` files with database fixtures
+- Mock external database connections in unit tests to avoid dependency on running services
+- Use real database connections only for integration tests
+
+**Import Patterns:**
+- Use relative imports without `enterprise.` prefix in enterprise code
+- Example: `from storage.database import a_session_maker` not `from enterprise.storage.database import a_session_maker`
+- This ensures code works in both OpenHands and enterprise contexts
+
+**Test Structure:**
+- Place tests in `enterprise/tests/unit/` following the same structure as the source code
+- Use `--confcutdir=tests/unit/[module]` when testing specific modules
+- Create comprehensive fixtures for complex objects (databases, external services)
+- Write platform-agnostic tests (avoid hardcoded OS-specific assertions)
+
+**Mocking Strategy:**
+- Use `AsyncMock` for async operations and `MagicMock` for complex objects
+- Mock all external dependencies (databases, APIs, file systems) in unit tests
+- Use `patch` with correct import paths (e.g., `telemetry.registry.logger` not `enterprise.telemetry.registry.logger`)
+- Test both success and failure scenarios with proper error handling
+
+**Coverage Goals:**
+- Aim for 90%+ test coverage on new enterprise modules
+- Focus on critical business logic and error handling paths
+- Use `--cov-report=term-missing` to identify uncovered lines
+
+**Troubleshooting:**
+- If tests fail, ensure all dependencies are installed: `poetry install --with dev,test`
+- For database issues, check migration status and run migrations if needed
+- For frontend issues, ensure the main OpenHands frontend is built: `make build`
+- Check logs in the `logs/` directory for runtime issues
+- If tests fail with import errors, verify `PYTHONPATH=".:$PYTHONPATH"` is set
+- **If GitHub CI fails but local linting passes**: Always use `--show-diff-on-failure` flag to match CI behavior exactly
+
 ## Template for Github Pull Request
 
 If you are starting a pull request (PR), please follow the template in `.github/pull_request_template.md`.

CNAME

@@ -0,0 +1 @@
+docs.all-hands.dev

CODE_OF_CONDUCT.md

@@ -61,7 +61,7 @@ representative at an online or offline event.
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-contact@all-hands.dev.
+contact@openhands.dev.
 All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the
@@ -115,7 +115,9 @@ community.
 
 ### Slack Etiquettes
 
-These Slack etiquette guidelines are designed to foster an inclusive, respectful, and productive environment for all community members. By following these best practices, we ensure effective communication and collaboration while minimizing disruptions. Let’s work together to build a supportive and welcoming community!
+These Slack etiquette guidelines are designed to foster an inclusive, respectful, and productive environment for all
+community members. By following these best practices, we ensure effective communication and collaboration while
+minimizing disruptions. Let’s work together to build a supportive and welcoming community!
 
 - Communicate respectfully and professionally, avoiding sarcasm or harsh language, and remember that tone can be difficult to interpret in text.
 - Use threads for specific discussions to keep channels organized and easier to follow.
@@ -124,8 +126,11 @@ These Slack etiquette guidelines are designed to foster an inclusive, respectful
 - Post questions or discussions in the most relevant channel (e.g., for [slack - #general](https://openhands-ai.slack.com/archives/C06P5NCGSFP) for general topics, [slack - #questions](https://openhands-ai.slack.com/archives/C06U8UTKSAD) for queries/questions.
 - When asking for help or raising issues, include necessary details like links, screenshots, or clear explanations to provide context.
 - Keep discussions in public channels whenever possible to allow others to benefit from the conversation, unless the matter is sensitive or private.
-- Always adhere to [our standards](https://github.com/All-Hands-AI/OpenHands/blob/main/CODE_OF_CONDUCT.md#our-standards) to ensure a welcoming and collaborative environment.
-- If you choose to mute a channel, consider setting up alerts for topics that still interest you to stay engaged. For Slack, Go to Settings → Notifications → My Keywords to add specific keywords that will notify you when mentioned. For example, if you're here for discussions about LLMs, mute the channel if it’s too busy, but set notifications to alert you only when “LLMs” appears in messages.
+- Always adhere to [our standards](https://github.com/OpenHands/OpenHands/blob/main/CODE_OF_CONDUCT.md#our-standards) to ensure a welcoming and collaborative environment.
+- If you choose to mute a channel, consider setting up alerts for topics that still interest you to stay engaged.
+   For Slack, Go to Settings → Notifications → My Keywords to add specific keywords that will notify you when mentioned.
+   For example, if you're here for discussions about LLMs, mute the channel if it’s too busy, but set notifications to
+   alert you only when “LLMs” appears in messages.
 
 ## Attribution
 

COMMUNITY.md

@@ -1,43 +1,58 @@
-# 🙌 The OpenHands Community
+# The OpenHands Community
 
-The OpenHands community is built around the belief that (1) AI and AI agents are going to fundamentally change the way
-we build software, and (2) if this is true, we should do everything we can to make sure that the benefits provided by
-such powerful technology are accessible to everyone.
+OpenHands is a community of engineers, academics, and enthusiasts reimagining software development for an AI-powered
+world.
 
-If this resonates with you, we'd love to have you join us in our quest!
+## Mission
 
-## 🤝 How to Join
+It’s very clear that AI is changing software development. We want the developer community to drive that change
+organically, through open source.
 
-Check out our [How to Join the Community section.](https://github.com/All-Hands-AI/OpenHands?tab=readme-ov-file#-how-to-join-the-community)
+So we’re not just building friendly interfaces for AI-driven development. We’re publishing _building blocks_ that
+empower developers to create new experiences, tailored to your own habits, needs, and imagination.
 
-## 💪 Becoming a Contributor
+## Ethos
 
-We welcome contributions from everyone! Whether you're a developer, a researcher, or simply enthusiastic about advancing
-the field of software engineering with AI, there are many ways to get involved:
+We have two core values: **high openness** and **high agency**. While we don’t expect everyone in the community to
+embody these values, we want to establish them as norms.
 
-- **Code Contributions:** Help us develop new core functionality, improve our agents, improve the frontend and other
-interfaces, or anything else that would help make OpenHands better.
-- **Research and Evaluation:** Contribute to our understanding of LLMs in software engineering, participate in
-evaluating the models, or suggest improvements.
-- **Feedback and Testing:** Use the OpenHands toolset, report bugs, suggest features, or provide feedback on usability.
+### High Openness
 
-For details, please check [CONTRIBUTING.md](./CONTRIBUTING.md).
+We welcome anyone and everyone into our community by default. You don’t have to be a software developer to help us
+build. You don’t have to be pro-AI to help us learn.
 
-## Code of Conduct
+Our plans, our work, our successes, and our failures are all public record. We want the world to see not just the
+fruits of our work, but the whole process of growing it.
 
-We have a [Code of Conduct](./CODE_OF_CONDUCT.md) that we expect all contributors to adhere to.
-Long story short, we are aiming for an open, welcoming, diverse, inclusive, and healthy community.
-All contributors are expected to contribute to building this sort of community.
+We welcome thoughtful criticism, whether it’s a comment on a PR or feedback on the community as a whole.
 
-## 🛠️ Becoming a Maintainer
+### High Agency
 
-For contributors who have made significant and sustained contributions to the project, there is a possibility of joining
-the maintainer team. The process for this is as follows:
+Everyone should feel empowered to contribute to OpenHands. Whether it’s by making a PR, hosting an event, sharing
+feedback, or just asking a question, don’t hold back!
 
-1. Any contributor who has made sustained and high-quality contributions to the codebase can be nominated by any
-maintainer. If you feel that you may qualify you can reach out to any of the maintainers that have reviewed your PRs and ask if you can be nominated.
-2. Once a maintainer nominates a new maintainer, there will be a discussion period among the maintainers for at least 3 days.
-3. If no concerns are raised the nomination will be accepted by acclamation, and if concerns are raised there will be a discussion and possible vote.
+OpenHands gives everyone the building blocks to create state-of-the-art developer experiences. We experiment constantly
+and love building new things.
 
-Note that just making many PRs does not immediately imply that you will become a maintainer. We will be looking
-at sustained high-quality contributions over a period of time, as well as good teamwork and adherence to our [Code of Conduct](./CODE_OF_CONDUCT.md).
+Coding, development practices, and communities are changing rapidly. We won’t hesitate to change direction and make big bets.
+
+## Relationship to All Hands
+
+OpenHands is supported by the for-profit organization [All Hands AI, Inc](https://www.openhands.dev/).
+
+All Hands was founded by three of the first major contributors to OpenHands:
+
+- Xingyao Wang, a UIUC PhD candidate who got OpenHands to the top of the SWE-bench leaderboards
+- Graham Neubig, a CMU Professor who rallied the academic community around OpenHands
+- Robert Brennan, a software engineer who architected the user-facing features of OpenHands
+
+All Hands is an important part of the OpenHands ecosystem. We’ve raised over $20M--mainly to hire developers and
+researchers who can work on OpenHands full-time, and to provide them with expensive infrastructure. ([Join us!](https://allhandsai.applytojob.com/apply/))
+
+But we see OpenHands as much larger, and ultimately more important, than All Hands. When our financial responsibility
+to investors is at odds with our social responsibility to the community—as it inevitably will be, from time to time—we
+promise to navigate that conflict thoughtfully and transparently.
+
+At some point, we may transfer custody of OpenHands to an open source foundation. But for now,
+the [Benevolent Dictator approach](http://www.catb.org/~esr/writings/cathedral-bazaar/homesteading/ar01s16.html) helps us move forward with speed and intention. If we ever forget the
+“benevolent” part, please: fork us.

CONTRIBUTING.md

@@ -6,36 +6,41 @@ Thanks for your interest in contributing to OpenHands! We welcome and appreciate
 
 To understand the codebase, please refer to the README in each module:
 - [frontend](./frontend/README.md)
-- [evaluation](./evaluation/README.md)
 - [openhands](./openhands/README.md)
    - [agenthub](./openhands/agenthub/README.md)
    - [server](./openhands/server/README.md)
 
+For benchmarks and evaluation, see the [OpenHands/benchmarks](https://github.com/OpenHands/benchmarks) repository.
+
 ## Setting up Your Development Environment
 
-We have a separate doc [Development.md](https://github.com/All-Hands-AI/OpenHands/blob/main/Development.md) that tells you how to set up a development workflow.
+We have a separate doc [Development.md](https://github.com/OpenHands/OpenHands/blob/main/Development.md) that tells
+you how to set up a development workflow.
 
 ## How Can I Contribute?
 
 There are many ways that you can contribute:
 
-1. **Download and use** OpenHands, and send [issues](https://github.com/All-Hands-AI/OpenHands/issues) when you encounter something that isn't working or a feature that you'd like to see.
-2. **Send feedback** after each session by [clicking the thumbs-up thumbs-down buttons](https://docs.all-hands.dev/usage/feedback), so we can see where things are working and failing, and also build an open dataset for training code agents.
-3. **Improve the Codebase** by sending [PRs](#sending-pull-requests-to-openhands) (see details below). In particular, we have some [good first issues](https://github.com/All-Hands-AI/OpenHands/labels/good%20first%20issue) that may be ones to start on.
+1. **Download and use** OpenHands, and send [issues](https://github.com/OpenHands/OpenHands/issues) when you encounter something that isn't working or a feature that you'd like to see.
+2. **Send feedback** after each session by [clicking the thumbs-up thumbs-down buttons](https://docs.openhands.dev/usage/feedback), so we can see where things are working and failing, and also build an open dataset for training code agents.
+3. **Improve the Codebase** by sending [PRs](#sending-pull-requests-to-openhands) (see details below). In particular, we have some [good first issues](https://github.com/OpenHands/OpenHands/labels/good%20first%20issue) that may be ones to start on.
 
 ## What Can I Build?
+
 Here are a few ways you can help improve the codebase.
 
 #### UI/UX
+
 We're always looking to improve the look and feel of the application. If you've got a small fix
 for something that's bugging you, feel free to open up a PR that changes the [`./frontend`](./frontend) directory.
 
 If you're looking to make a bigger change, add a new UI element, or significantly alter the style
-of the application, please open an issue first, or better, join the #eng-ui-ux channel in our Slack
+of the application, please open an issue first, or better, join the #dev-ui-ux channel in our Slack
 to gather consensus from our design team first.
 
 #### Improving the agent
-Our main agent is the CodeAct agent. You can [see its prompts here](https://github.com/All-Hands-AI/OpenHands/tree/main/openhands/agenthub/codeact_agent).
+
+Our main agent is the CodeAct agent. You can [see its prompts here](https://github.com/OpenHands/OpenHands/tree/main/openhands/agenthub/codeact_agent).
 
 Changes to these prompts, and to the underlying behavior in Python, can have a huge impact on user experience.
 You can try modifying the prompts to see how they change the behavior of the agent as you use the app
@@ -46,19 +51,24 @@ We use the [SWE-bench](https://www.swebench.com/) benchmark to test our agent. Y
 channel in Slack to learn more.
 
 #### Adding a new agent
+
 You may want to experiment with building new types of agents. You can add an agent to [`openhands/agenthub`](./openhands/agenthub)
 to help expand the capabilities of OpenHands.
 
 #### Adding a new runtime
+
 The agent needs a place to run code and commands. When you run OpenHands on your laptop, it uses a Docker container
 to do this by default. But there are other ways of creating a sandbox for the agent.
 
 If you work for a company that provides a cloud-based runtime, you could help us add support for that runtime
-by implementing the [interface specified here](https://github.com/All-Hands-AI/OpenHands/blob/main/openhands/runtime/base.py).
+by implementing the [interface specified here](https://github.com/OpenHands/OpenHands/blob/main/openhands/runtime/base.py).
 
 #### Testing
-When you write code, it is also good to write tests. Please navigate to the [`./tests`](./tests) folder to see existing test suites.
-At the moment, we have two kinds of tests: [`unit`](./tests/unit) and [`integration`](./evaluation/integration_tests). Please refer to the README for each test suite. These tests also run on GitHub's continuous integration to ensure quality of the project.
+
+When you write code, it is also good to write tests. Please navigate to the [`./tests`](./tests) folder to see existing
+test suites. At the moment, we have these kinds of tests: [`unit`](./tests/unit), [`runtime`](./tests/runtime), and [`end-to-end (e2e)`](./tests/e2e).
+Please refer to the README for each test suite. These tests also run on GitHub's continuous integration to ensure
+quality of the project.
 
 ## Sending Pull Requests to OpenHands
 
@@ -66,7 +76,8 @@ You'll need to fork our repository to send us a Pull Request. You can learn more
 about how to fork a GitHub repo and open a PR with your changes in [this article](https://medium.com/swlh/forks-and-pull-requests-how-to-contribute-to-github-repos-8843fac34ce8).
 
 ### Pull Request title
-As described [here](https://github.com/commitizen/conventional-commit-types/blob/master/index.json), a valid PR title should begin with one of the following prefixes:
+
+As described [here](https://github.com/commitizen/conventional-commit-types/blob/master/index.json), ideally a valid PR title should begin with one of the following prefixes:
 
 - `feat`: A new feature
 - `fix`: A bug fix
@@ -84,9 +95,10 @@ For example, a PR title could be:
 - `refactor: modify package path`
 - `feat(frontend): xxxx`, where `(frontend)` means that this PR mainly focuses on the frontend component.
 
-You may also check out previous PRs in the [PR list](https://github.com/All-Hands-AI/OpenHands/pulls).
+You may also check out previous PRs in the [PR list](https://github.com/OpenHands/OpenHands/pulls).
 
 ### Pull Request description
+
 - If your PR is small (such as a typo fix), you can go brief.
 - If it contains a lot of changes, it's better to write more details.
 
@@ -97,7 +109,9 @@ please include a short message that we can add to our changelog.
 
 ### Opening Issues
 
-If you notice any bugs or have any feature requests please open them via the [issues page](https://github.com/All-Hands-AI/OpenHands/issues). We will triage based on how critical the bug is or how potentially useful the improvement is, discuss, and implement the ones that the community has interest/effort for.
+If you notice any bugs or have any feature requests please open them via the [issues page](https://github.com/OpenHands/OpenHands/issues). We will triage
+based on how critical the bug is or how potentially useful the improvement is, discuss, and implement the ones that
+the community has interest/effort for.
 
 Further, if you see an issue you like, please leave a "thumbs-up" or a comment, which will help us prioritize.
 
@@ -108,11 +122,13 @@ We're generally happy to consider all pull requests with the evaluation process
 #### For Small Improvements
 
 Small improvements with few downsides are typically reviewed and approved quickly.
-One thing to check when making changes is to ensure that all continuous integration tests pass, which you can check before getting a review.
+One thing to check when making changes is to ensure that all continuous integration tests pass, which you can check
+before getting a review.
 
 #### For Core Agent Changes
 
-We need to be more careful with changes to the core agent, as it is imperative to maintain high quality. These PRs are evaluated based on three key metrics:
+We need to be more careful with changes to the core agent, as it is imperative to maintain high quality. These PRs are
+evaluated based on three key metrics:
 
 1. **Accuracy**
 2. **Efficiency**

CREDITS.md

@@ -2,11 +2,13 @@
 
 ## Contributors
 
-We would like to thank all the [contributors](https://github.com/All-Hands-AI/OpenHands/graphs/contributors) who have helped make OpenHands possible. We greatly appreciate your dedication and hard work.
+We would like to thank all the [contributors](https://github.com/OpenHands/OpenHands/graphs/contributors) who have
+helped make OpenHands possible. We greatly appreciate your dedication and hard work.
 
 ## Open Source Projects
 
-OpenHands includes and adapts the following open source projects. We are grateful for their contributions to the open source community:
+OpenHands includes and adapts the following open source projects. We are grateful for their contributions to the
+open source community:
 
 #### [SWE Agent](https://github.com/princeton-nlp/swe-agent)
    - License: MIT License
@@ -14,14 +16,14 @@ OpenHands includes and adapts the following open source projects. We are gratefu
 
 #### [Aider](https://github.com/paul-gauthier/aider)
    - License: Apache License 2.0
-   - Description: AI pair programming tool. OpenHands has adapted and integrated its linter module for code-related tasks in [`agentskills utilities`](https://github.com/All-Hands-AI/OpenHands/tree/main/openhands/runtime/plugins/agent_skills/utils/aider)
+   - Description: AI pair programming tool. OpenHands has adapted and integrated its linter module for code-related tasks in [`agentskills utilities`](https://github.com/OpenHands/OpenHands/tree/main/openhands/runtime/plugins/agent_skills/utils/aider)
 
 #### [BrowserGym](https://github.com/ServiceNow/BrowserGym)
    - License: Apache License 2.0
    - Description: Adapted in implementing the browsing agent
 
-
 ### Reference Implementations for Evaluation Benchmarks
+
 OpenHands integrates code of the reference implementations for the following agent evaluation benchmarks:
 
 #### [HumanEval](https://github.com/openai/human-eval)
@@ -52,28 +54,44 @@ OpenHands integrates code of the reference implementations for the following age
 #### [ProntoQA](https://github.com/asaparov/prontoqa)
    - License: Apache License 2.0
 
-
 ## Open Source licenses
 
 ### MIT License
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
+persons to whom the Software is furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
+OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 ### BSD 3-Clause License
 
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+following conditions are met:
 
-1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+   disclaimer.
 
-2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
+   disclaimer in the documentation and/or other materials provided with the distribution.
 
-3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote
+   products derived from this software without specific prior written permission.
 
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ### Apache License 2.0
 
@@ -268,8 +286,6 @@ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 
    Copyright [yyyy] [name of copyright owner]
 
-
-
 ### Non-Open Source Reference Implementations:
 
 #### [MultiPL-E](https://github.com/nuprl/MultiPL-E)

Development.md

@@ -2,7 +2,7 @@
 
 This guide is for people working on OpenHands and editing the source code.
 If you wish to contribute your changes, check out the
-[CONTRIBUTING.md](https://github.com/All-Hands-AI/OpenHands/blob/main/CONTRIBUTING.md)
+[CONTRIBUTING.md](https://github.com/OpenHands/OpenHands/blob/main/CONTRIBUTING.md)
 on how to clone and setup the project initially before moving on. Otherwise,
 you can clone the OpenHands project directly.
 
@@ -76,7 +76,7 @@ variables in your terminal. The final configurations are set from highest to low
 Environment variables > config.toml variables > default variables
 
 **Note on Alternative Models:**
-See [our documentation](https://docs.all-hands.dev/usage/llms) for recommended models.
+See [our documentation](https://docs.openhands.dev/usage/llms) for recommended models.
 
 ### 4. Running the application
 
@@ -91,14 +91,14 @@ make run
 #### Option B: Individual Server Startup
 
 - **Start the Backend Server:** If you prefer, you can start the backend server independently to focus on
-backend-related tasks or configurations.
+  backend-related tasks or configurations.
 
   ```bash
   make start-backend
   ```
 
 - **Start the Frontend Server:** Similarly, you can start the frontend server on its own to work on frontend-related
-components or interface enhancements.
+  components or interface enhancements.
   ```bash
   make start-frontend
   ```
@@ -110,6 +110,7 @@ You can use OpenHands to develop and improve OpenHands itself! This is a powerfu
 #### Quick Start
 
 1. **Build and run OpenHands:**
+
    ```bash
    export INSTALL_DOCKER=0
    export RUNTIME=local
@@ -117,6 +118,7 @@ You can use OpenHands to develop and improve OpenHands itself! This is a powerfu
    ```
 
 2. **Access the interface:**
+
    - Local development: http://localhost:3001
    - Remote/cloud environments: Use the appropriate external URL
 
@@ -159,7 +161,7 @@ poetry run pytest ./tests/unit/test_*.py
 To reduce build time (e.g., if no changes were made to the client-runtime component), you can use an existing Docker
 container image by setting the SANDBOX_RUNTIME_CONTAINER_IMAGE environment variable to the desired Docker image.
 
-Example: `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/all-hands-ai/runtime:0.59-nikolaik`
+Example: `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:1.2-nikolaik`
 
 ## Develop inside Docker container
 
@@ -193,12 +195,12 @@ Here's a guide to the important documentation files in the repository:
 - [/README.md](./README.md): Main project overview, features, and basic setup instructions
 - [/Development.md](./Development.md) (this file): Comprehensive guide for developers working on OpenHands
 - [/CONTRIBUTING.md](./CONTRIBUTING.md): Guidelines for contributing to the project, including code style and PR process
-- [/docs/DOC_STYLE_GUIDE.md](./docs/DOC_STYLE_GUIDE.md): Standards for writing and maintaining project documentation
+- [DOC_STYLE_GUIDE.md](https://github.com/OpenHands/docs/blob/main/openhands/DOC_STYLE_GUIDE.md): Standards for writing and maintaining project documentation
 - [/openhands/README.md](./openhands/README.md): Details about the backend Python implementation
 - [/frontend/README.md](./frontend/README.md): Frontend React application setup and development guide
 - [/containers/README.md](./containers/README.md): Information about Docker containers and deployment
 - [/tests/unit/README.md](./tests/unit/README.md): Guide to writing and running unit tests
-- [/evaluation/README.md](./evaluation/README.md): Documentation for the evaluation framework and benchmarks
-- [/microagents/README.md](./microagents/README.md): Information about the microagents architecture and implementation
+- [OpenHands/benchmarks](https://github.com/OpenHands/benchmarks): Documentation for the evaluation framework and benchmarks
+- [/skills/README.md](./skills/README.md): Information about the skills architecture and implementation
 - [/openhands/server/README.md](./openhands/server/README.md): Server implementation details and API documentation
 - [/openhands/runtime/README.md](./openhands/runtime/README.md): Documentation for the runtime environment and execution model

ISSUE_TRIAGE.md

@@ -3,14 +3,14 @@ These are the procedures and guidelines on how issues are triaged in this repo b
 
 ## General
 * All issues must be tagged with **enhancement**, **bug** or **troubleshooting/help**.
-* Issues may be tagged with what it relates to (**agent quality**, **resolver**, **CLI**, etc.).
+* Issues may be tagged with what it relates to (**llm**, **app tab**, **UI/UX**, etc.).
 
 ## Severity
 * **High**: High visibility issues or affecting many users.
 * **Critical**: Affecting all users or potential security issues.
 
 ## Difficulty
-* Issues with low implementation difficulty may be tagged with **good first issue**.
+* Issues good for newcomers may be tagged with **good first issue**.
 
 ## Not Enough Information
 * User is asked to provide more information (logs, how to reproduce, etc.) when the issue is not clear.
@@ -22,6 +22,6 @@ the issue may be closed as **not planned** (Usually after a week).
 * Issues may be broken down into multiple issues if required.
 
 ## Stale and Auto Closures
-* In order to keep a maintainable backlog, issues that have no activity within 30 days are automatically marked as **Stale**.
-* If issues marked as **Stale** continue to have no activity for 7 more days, they will automatically be closed as not planned.
+* In order to keep a maintainable backlog, issues that have no activity within 40 days are automatically marked as **Stale**.
+* If issues marked as **Stale** continue to have no activity for 10 more days, they will automatically be closed as not planned.
 * Issues may be reopened by maintainers if deemed important.

README.md

@@ -1,184 +1,86 @@
 <a name="readme-top"></a>
 
 <div align="center">
-  <img src="https://raw.githubusercontent.com/All-Hands-AI/docs/main/openhands/static/img/logo.png" alt="Logo" width="200">
-  <h1 align="center">OpenHands: Code Less, Make More</h1>
+  <img src="https://raw.githubusercontent.com/OpenHands/docs/main/openhands/static/img/logo.png" alt="Logo" width="200">
+  <h1 align="center" style="border-bottom: none">OpenHands: AI-Driven Development</h1>
 </div>
 
 
 <div align="center">
-  <a href="https://github.com/All-Hands-AI/OpenHands/graphs/contributors"><img src="https://img.shields.io/github/contributors/All-Hands-AI/OpenHands?style=for-the-badge&color=blue" alt="Contributors"></a>
-  <a href="https://github.com/All-Hands-AI/OpenHands/stargazers"><img src="https://img.shields.io/github/stars/All-Hands-AI/OpenHands?style=for-the-badge&color=blue" alt="Stargazers"></a>
-  <a href="https://github.com/All-Hands-AI/OpenHands/blob/main/LICENSE"><img src="https://img.shields.io/github/license/All-Hands-AI/OpenHands?style=for-the-badge&color=blue" alt="MIT License"></a>
+  <a href="https://github.com/OpenHands/OpenHands/blob/main/LICENSE"><img src="https://img.shields.io/badge/LICENSE-MIT-20B2AA?style=for-the-badge" alt="MIT License"></a>
+  <a href="https://docs.google.com/spreadsheets/d/1wOUdFCMyY6Nt0AIqF705KN4JKOWgeI4wUGUP60krXXs/edit?gid=811504672#gid=811504672"><img src="https://img.shields.io/badge/SWEBench-77.6-00cc00?logoColor=FFE165&style=for-the-badge" alt="Benchmark Score"></a>
   <br/>
-  <a href="https://all-hands.dev/joinslack"><img src="https://img.shields.io/badge/Slack-Join%20Us-red?logo=slack&logoColor=white&style=for-the-badge" alt="Join our Slack community"></a>
-  <a href="https://github.com/All-Hands-AI/OpenHands/blob/main/CREDITS.md"><img src="https://img.shields.io/badge/Project-Credits-blue?style=for-the-badge&color=FFE165&logo=github&logoColor=white" alt="Credits"></a>
-  <br/>
-  <a href="https://docs.all-hands.dev/usage/getting-started"><img src="https://img.shields.io/badge/Documentation-000?logo=googledocs&logoColor=FFE165&style=for-the-badge" alt="Check out the documentation"></a>
-  <a href="https://arxiv.org/abs/2407.16741"><img src="https://img.shields.io/badge/Paper%20on%20Arxiv-000?logoColor=FFE165&logo=arxiv&style=for-the-badge" alt="Paper on Arxiv"></a>
-  <a href="https://docs.google.com/spreadsheets/d/1wOUdFCMyY6Nt0AIqF705KN4JKOWgeI4wUGUP60krXXs/edit?gid=0#gid=0"><img src="https://img.shields.io/badge/Benchmark%20score-000?logoColor=FFE165&logo=huggingface&style=for-the-badge" alt="Evaluation Benchmark Score"></a>
+  <a href="https://docs.openhands.dev/sdk"><img src="https://img.shields.io/badge/Documentation-000?logo=googledocs&logoColor=FFE165&style=for-the-badge" alt="Check out the documentation"></a>
+  <a href="https://arxiv.org/abs/2511.03690"><img src="https://img.shields.io/badge/Paper-000?logoColor=FFE165&logo=arxiv&style=for-the-badge" alt="Tech Report"></a>
+
 
   <!-- Keep these links. Translations will automatically update with the README. -->
-  <a href="https://www.readme-i18n.com/All-Hands-AI/OpenHands?lang=de">Deutsch</a> |
-  <a href="https://www.readme-i18n.com/All-Hands-AI/OpenHands?lang=es">Español</a> |
-  <a href="https://www.readme-i18n.com/All-Hands-AI/OpenHands?lang=fr">français</a> |
-  <a href="https://www.readme-i18n.com/All-Hands-AI/OpenHands?lang=ja">日本語</a> |
-  <a href="https://www.readme-i18n.com/All-Hands-AI/OpenHands?lang=ko">한국어</a> |
-  <a href="https://www.readme-i18n.com/All-Hands-AI/OpenHands?lang=pt">Português</a> |
-  <a href="https://www.readme-i18n.com/All-Hands-AI/OpenHands?lang=ru">Русский</a> |
-  <a href="https://www.readme-i18n.com/All-Hands-AI/OpenHands?lang=zh">中文</a>
+  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=de">Deutsch</a> |
+  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=es">Español</a> |
+  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=fr">français</a> |
+  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=ja">日本語</a> |
+  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=ko">한국어</a> |
+  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=pt">Português</a> |
+  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=ru">Русский</a> |
+  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=zh">中文</a>
 
-  <hr>
 </div>
 
-Welcome to OpenHands (formerly OpenDevin), a platform for software development agents powered by AI.
+<hr>
 
-OpenHands agents can do anything a human developer can: modify code, run commands, browse the web,
-call APIs, and yes—even copy code snippets from StackOverflow.
+🙌 Welcome to OpenHands, a [community](COMMUNITY.md) focused on AI-driven development. We’d love for you to [join us on Slack](https://dub.sh/openhands).
 
-Learn more at [docs.all-hands.dev](https://docs.all-hands.dev), or [sign up for OpenHands Cloud](https://app.all-hands.dev) to get started.
+There are a few ways to work with OpenHands:
 
+### OpenHands Software Agent SDK
+The SDK is a composable Python library that contains all of our agentic tech. It's the engine that powers everything else below.
 
-> [!IMPORTANT]
-> **Upcoming change**: We are renaming our GitHub Org from `All-Hands-AI` to `OpenHands` on October 20th, 2025.
-> Check the [tracking issue](https://github.com/All-Hands-AI/OpenHands/issues/11376) for more information.
+Define agents in code, then run them locally, or scale to 1000s of agents in the cloud.
 
+[Check out the docs](https://docs.openhands.dev/sdk) or [view the source](https://github.com/OpenHands/software-agent-sdk/)
 
-> [!IMPORTANT]
-> Using OpenHands for work? We'd love to chat! Fill out
-> [this short form](https://docs.google.com/forms/d/e/1FAIpQLSet3VbGaz8z32gW9Wm-Grl4jpt5WgMXPgJ4EDPVmCETCBpJtQ/viewform)
-> to join our Design Partner program, where you'll get early access to commercial features and the opportunity to provide input on our product roadmap.
+### OpenHands CLI
+The CLI is the easiest way to start using OpenHands. The experience will be familiar to anyone who has worked
+with e.g. Claude Code or Codex. You can power it with Claude, GPT, or any other LLM.
 
-## ☁️ OpenHands Cloud
-The easiest way to get started with OpenHands is on [OpenHands Cloud](https://app.all-hands.dev),
-which comes with $20 in free credits for new users.
+[Check out the docs](https://docs.openhands.dev/openhands/usage/run-openhands/cli-mode) or [view the source](https://github.com/OpenHands/OpenHands-CLI)
 
-## 💻 Running OpenHands Locally
+### OpenHands Local GUI
+Use the Local GUI for running agents on your laptop. It comes with a REST API and a single-page React application.
+The experience will be familiar to anyone who has used Devin or Jules.
 
-### Option 1: CLI Launcher (Recommended)
+[Check out the docs](https://docs.openhands.dev/openhands/usage/run-openhands/local-setup) or view the source in this repo.
 
-The easiest way to run OpenHands locally is using the CLI launcher with [uv](https://docs.astral.sh/uv/). This provides better isolation from your current project's virtual environment and is required for OpenHands' default MCP servers.
+### OpenHands Cloud
+This is a deployment of OpenHands GUI, running on hosted infrastructure.
 
-**Install uv** (if you haven't already):
+You can try it for free using the Minimax model by [signing in with your GitHub or GitLab account](https://app.all-hands.dev).
 
-See the [uv installation guide](https://docs.astral.sh/uv/getting-started/installation/) for the latest installation instructions for your platform.
+OpenHands Cloud comes with source-available features and integrations:
+- Integrations with Slack, Jira, and Linear
+- Multi-user support
+- RBAC and permissions
+- Collaboration features (e.g., conversation sharing)
 
-**Launch OpenHands**:
-```bash
-# Launch the GUI server
-uvx --python 3.12 --from openhands-ai openhands serve
+### OpenHands Enterprise
+Large enterprises can work with us to self-host OpenHands Cloud in their own VPC, via Kubernetes.
+OpenHands Enterprise can also work with the CLI and SDK above.
 
-# Or launch the CLI
-uvx --python 3.12 --from openhands-ai openhands
-```
+OpenHands Enterprise is source-available--you can see all the source code here in the enterprise/ directory,
+but you'll need to purchase a license if you want to run it for more than one month.
 
-You'll find OpenHands running at [http://localhost:3000](http://localhost:3000) (for GUI mode)!
+Enterprise contracts also come with extended support and access to our research team.
 
-### Option 2: Docker
+Learn more at [openhands.dev/enterprise](https://openhands.dev/enterprise)
 
-<details>
-<summary>Click to expand Docker command</summary>
+### Everything Else
 
-You can also run OpenHands directly with Docker:
+Check out our [Product Roadmap](https://github.com/orgs/openhands/projects/1), and feel free to
+[open up an issue](https://github.com/OpenHands/OpenHands/issues) if there's something you'd like to see!
 
-```bash
-docker pull docker.all-hands.dev/all-hands-ai/runtime:0.59-nikolaik
+You might also be interested in our [evaluation infrastructure](https://github.com/OpenHands/benchmarks), our [chrome extension](https://github.com/OpenHands/openhands-chrome-extension/), or our [Theory-of-Mind module](https://github.com/OpenHands/ToM-SWE).
 
-docker run -it --rm --pull=always \
-    -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.59-nikolaik \
-    -e LOG_ALL_EVENTS=true \
-    -v /var/run/docker.sock:/var/run/docker.sock \
-    -v ~/.openhands:/.openhands \
-    -p 3000:3000 \
-    --add-host host.docker.internal:host-gateway \
-    --name openhands-app \
-    docker.all-hands.dev/all-hands-ai/openhands:0.59
-```
+All our work is available under the MIT license, except for the `enterprise/` directory in this repository (see the [enterprise license](enterprise/LICENSE) for details).
+The core `openhands` and `agent-server` Docker images are fully MIT-licensed as well.
 
-</details>
-
-> **Note**: If you used OpenHands before version 0.44, you may want to run `mv ~/.openhands-state ~/.openhands` to migrate your conversation history to the new location.
-
-> [!WARNING]
-> On a public network? See our [Hardened Docker Installation Guide](https://docs.all-hands.dev/usage/runtimes/docker#hardened-docker-installation)
-> to secure your deployment by restricting network binding and implementing additional security measures.
-
-### Getting Started
-
-When you open the application, you'll be asked to choose an LLM provider and add an API key.
-[Anthropic's Claude Sonnet 4.5](https://www.anthropic.com/api) (`anthropic/claude-sonnet-4-5-20250929`)
-works best, but you have [many options](https://docs.all-hands.dev/usage/llms).
-
-See the [Running OpenHands](https://docs.all-hands.dev/usage/installation) guide for
-system requirements and more information.
-
-## 💡 Other ways to run OpenHands
-
-> [!WARNING]
-> OpenHands is meant to be run by a single user on their local workstation.
-> It is not appropriate for multi-tenant deployments where multiple users share the same instance. There is no built-in authentication, isolation, or scalability.
->
-> If you're interested in running OpenHands in a multi-tenant environment, check out the source-available, commercially-licensed
-> [OpenHands Cloud Helm Chart](https://github.com/all-Hands-AI/OpenHands-cloud)
-
-You can [connect OpenHands to your local filesystem](https://docs.all-hands.dev/usage/runtimes/docker#connecting-to-your-filesystem),
-interact with it via a [friendly CLI](https://docs.all-hands.dev/usage/how-to/cli-mode),
-run OpenHands in a scriptable [headless mode](https://docs.all-hands.dev/usage/how-to/headless-mode),
-or run it on tagged issues with [a github action](https://docs.all-hands.dev/usage/how-to/github-action).
-
-Visit [Running OpenHands](https://docs.all-hands.dev/usage/installation) for more information and setup instructions.
-
-If you want to modify the OpenHands source code, check out [Development.md](https://github.com/All-Hands-AI/OpenHands/blob/main/Development.md).
-
-Having issues? The [Troubleshooting Guide](https://docs.all-hands.dev/usage/troubleshooting) can help.
-
-## 📖 Documentation
-
-To learn more about the project, and for tips on using OpenHands,
-check out our [documentation](https://docs.all-hands.dev/usage/getting-started).
-
-There you'll find resources on how to use different LLM providers,
-troubleshooting resources, and advanced configuration options.
-
-## 🤝 How to Join the Community
-
-OpenHands is a community-driven project, and we welcome contributions from everyone. We do most of our communication
-through Slack, so this is the best place to start, but we also are happy to have you contact us on Github:
-
-- [Join our Slack workspace](https://all-hands.dev/joinslack) - Here we talk about research, architecture, and future development.
-- [Read or post Github Issues](https://github.com/All-Hands-AI/OpenHands/issues) - Check out the issues we're working on, or add your own ideas.
-
-See more about the community in [COMMUNITY.md](./COMMUNITY.md) or find details on contributing in [CONTRIBUTING.md](./CONTRIBUTING.md).
-
-## 📈 Progress
-
-See the monthly OpenHands roadmap [here](https://github.com/orgs/All-Hands-AI/projects/1) (updated at the maintainer's meeting at the end of each month).
-
-<p align="center">
-  <a href="https://star-history.com/#All-Hands-AI/OpenHands&Date">
-    <img src="https://api.star-history.com/svg?repos=All-Hands-AI/OpenHands&type=Date" width="500" alt="Star History Chart">
-  </a>
-</p>
-
-## 📜 License
-
-Distributed under the MIT License, with the exception of the `enterprise/` folder. See [`LICENSE`](./LICENSE) for more information.
-
-## 🙏 Acknowledgements
-
-OpenHands is built by a large number of contributors, and every contribution is greatly appreciated! We also build upon other open source projects, and we are deeply thankful for their work.
-
-For a list of open source projects and licenses used in OpenHands, please see our [CREDITS.md](./CREDITS.md) file.
-
-## 📚 Cite
-
-```
-@inproceedings{
-  wang2025openhands,
-  title={OpenHands: An Open Platform for {AI} Software Developers as Generalist Agents},
-  author={Xingyao Wang and Boxuan Li and Yufan Song and Frank F. Xu and Xiangru Tang and Mingchen Zhuge and Jiayi Pan and Yueqi Song and Bowen Li and Jaskirat Singh and Hoang H. Tran and Fuqiang Li and Ren Ma and Mingzhang Zheng and Bill Qian and Yanjun Shao and Niklas Muennighoff and Yizhe Zhang and Binyuan Hui and Junyang Lin and Robert Brennan and Hao Peng and Heng Ji and Graham Neubig},
-  booktitle={The Thirteenth International Conference on Learning Representations},
-  year={2025},
-  url={https://openreview.net/forum?id=OJd3ayDDoF}
-}
-```
+If you need help with anything, or just want to chat, [come find us on Slack](https://dub.sh/openhands).

build_vscode.py

@@ -1,113 +0,0 @@
-import os
-import pathlib
-import subprocess
-
-# This script is intended to be run by Poetry during the build process.
-
-# Define the expected name of the .vsix file based on the extension's package.json
-# This should match the name and version in openhands-vscode/package.json
-EXTENSION_NAME = 'openhands-vscode'
-EXTENSION_VERSION = '0.0.1'
-VSIX_FILENAME = f'{EXTENSION_NAME}-{EXTENSION_VERSION}.vsix'
-
-# Paths
-ROOT_DIR = pathlib.Path(__file__).parent.resolve()
-VSCODE_EXTENSION_DIR = ROOT_DIR / 'openhands' / 'integrations' / 'vscode'
-
-
-def check_node_version():
-    """Check if Node.js version is sufficient for building the extension."""
-    try:
-        result = subprocess.run(
-            ['node', '--version'], capture_output=True, text=True, check=True
-        )
-        version_str = result.stdout.strip()
-        # Extract major version number (e.g., "v12.22.9" -> 12)
-        major_version = int(version_str.lstrip('v').split('.')[0])
-        return major_version >= 18  # Align with frontend actual usage (18.20.1)
-    except (subprocess.CalledProcessError, FileNotFoundError, ValueError):
-        return False
-
-
-def build_vscode_extension():
-    """Builds the VS Code extension."""
-    vsix_path = VSCODE_EXTENSION_DIR / VSIX_FILENAME
-
-    # Check if VSCode extension build is disabled via environment variable
-    if os.environ.get('SKIP_VSCODE_BUILD', '').lower() in ('1', 'true', 'yes'):
-        print('--- Skipping VS Code extension build (SKIP_VSCODE_BUILD is set) ---')
-        if vsix_path.exists():
-            print(f'--- Using existing VS Code extension: {vsix_path} ---')
-        else:
-            print('--- No pre-built VS Code extension found ---')
-        return
-
-    # Check Node.js version - if insufficient, use pre-built extension as fallback
-    if not check_node_version():
-        print('--- Warning: Node.js version < 18 detected or Node.js not found ---')
-        print('--- Skipping VS Code extension build (requires Node.js >= 18) ---')
-        print('--- Using pre-built extension if available ---')
-
-        if not vsix_path.exists():
-            print('--- Warning: No pre-built VS Code extension found ---')
-            print('--- VS Code extension will not be available ---')
-        else:
-            print(f'--- Using pre-built VS Code extension: {vsix_path} ---')
-        return
-
-    print(f'--- Building VS Code extension in {VSCODE_EXTENSION_DIR} ---')
-
-    try:
-        # Ensure npm dependencies are installed
-        print('--- Running npm install for VS Code extension ---')
-        subprocess.run(
-            ['npm', 'install'],
-            cwd=VSCODE_EXTENSION_DIR,
-            check=True,
-            shell=os.name == 'nt',
-        )
-
-        # Package the extension
-        print(f'--- Packaging VS Code extension ({VSIX_FILENAME}) ---')
-        subprocess.run(
-            ['npm', 'run', 'package-vsix'],
-            cwd=VSCODE_EXTENSION_DIR,
-            check=True,
-            shell=os.name == 'nt',
-        )
-
-        # Verify the generated .vsix file exists
-        if not vsix_path.exists():
-            raise FileNotFoundError(
-                f'VS Code extension package not found after build: {vsix_path}'
-            )
-
-        print(f'--- VS Code extension built successfully: {vsix_path} ---')
-
-    except subprocess.CalledProcessError as e:
-        print(f'--- Warning: Failed to build VS Code extension: {e} ---')
-        print('--- Continuing without building extension ---')
-        if not vsix_path.exists():
-            print('--- Warning: No pre-built VS Code extension found ---')
-            print('--- VS Code extension will not be available ---')
-
-
-def build(setup_kwargs):
-    """This function is called by Poetry during the build process.
-    `setup_kwargs` is a dictionary that will be passed to `setuptools.setup()`.
-    """
-    print('--- Running custom Poetry build script (build_vscode.py) ---')
-
-    # Build the VS Code extension and place the .vsix file
-    build_vscode_extension()
-
-    # Poetry will handle including files based on pyproject.toml `include` patterns.
-    # Ensure openhands/integrations/vscode/*.vsix is included there.
-
-    print('--- Custom Poetry build script (build_vscode.py) finished ---')
-
-
-if __name__ == '__main__':
-    print('Running build_vscode.py directly for testing VS Code extension packaging...')
-    build_vscode_extension()
-    print('Direct execution of build_vscode.py finished.')

config.template.toml

@@ -189,7 +189,7 @@ model = "gpt-4o"
 # Whether to use native tool calling if supported by the model. Can be true, false, or None by default, which chooses the model's default behavior based on the evaluation.
 # ATTENTION: Based on evaluation, enabling native function calling may lead to worse results
 # in some scenarios. Use with caution and consider testing with your specific use case.
-# https://github.com/All-Hands-AI/OpenHands/pull/4711
+# https://github.com/OpenHands/OpenHands/pull/4711
 #native_tool_calling = None
 
 
@@ -440,12 +440,6 @@ type = "noop"
 #temperature = 0.1
 #max_input_tokens = 1024
 
-#################################### Eval ####################################
-# Configuration for the evaluation, please refer to the specific evaluation
-# plugin for the available options
-##############################################################################
-
-
 ########################### Kubernetes #######################################
 # Kubernetes configuration when using the Kubernetes runtime
 ##############################################################################

containers/app/Dockerfile

@@ -1,5 +1,5 @@
 ARG OPENHANDS_BUILD_VERSION=dev
-FROM node:24.8-trixie-slim AS frontend-builder
+FROM node:25.2-trixie-slim AS frontend-builder
 
 WORKDIR /app
 
@@ -73,7 +73,7 @@ ENV VIRTUAL_ENV=/app/.venv \
 
 COPY --chown=openhands:openhands --chmod=770 --from=backend-builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 
-COPY --chown=openhands:openhands --chmod=770 ./microagents ./microagents
+COPY --chown=openhands:openhands --chmod=770 ./skills ./skills
 COPY --chown=openhands:openhands --chmod=770 ./openhands ./openhands
 COPY --chown=openhands:openhands --chmod=777 ./openhands/runtime/plugins ./openhands/runtime/plugins
 COPY --chown=openhands:openhands pyproject.toml poetry.lock README.md MANIFEST.in LICENSE ./

containers/app/config.sh

@@ -1,4 +1,4 @@
 DOCKER_REGISTRY=ghcr.io
-DOCKER_ORG=all-hands-ai
+DOCKER_ORG=openhands
 DOCKER_IMAGE=openhands
 DOCKER_BASE_DIR="."

containers/dev/Dockerfile

@@ -104,6 +104,9 @@ RUN apt-get update && apt-get install -y \
 	&& apt-get clean \
 	&& apt-get autoremove -y
 
+# mark /app as safe git directory to avoid pre-commit errors
+RUN git config --system --add safe.directory /app
+
 WORKDIR /app
 
 # cache build dependencies

containers/dev/README.md

@@ -1,7 +1,7 @@
 # Develop in Docker
 
 > [!WARNING]
-> This is not officially supported and may not work.
+> This way of running OpenHands is not officially supported. It is maintained by the community and may not work.
 
 Install [Docker](https://docs.docker.com/engine/install/) on your host machine and run:
 

containers/dev/compose.yml

@@ -12,7 +12,8 @@ services:
       - SANDBOX_API_HOSTNAME=host.docker.internal
       - DOCKER_HOST_ADDR=host.docker.internal
       #
-      - SANDBOX_RUNTIME_CONTAINER_IMAGE=${SANDBOX_RUNTIME_CONTAINER_IMAGE:-ghcr.io/all-hands-ai/runtime:0.59-nikolaik}
+      - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
+      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.12.0-python}
       - SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234}
       - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
     ports:

containers/runtime/config.sh

@@ -1,5 +1,5 @@
 DOCKER_REGISTRY=ghcr.io
-DOCKER_ORG=all-hands-ai
+DOCKER_ORG=openhands
 DOCKER_BASE_DIR="./containers/runtime"
 DOCKER_IMAGE=runtime
 # These variables will be appended by the runtime_build.py script

dev_config/python/.pre-commit-config.yaml

@@ -3,13 +3,22 @@ repos:
     rev: v5.0.0
     hooks:
       - id: trailing-whitespace
-        exclude: ^(docs/|modules/|python/|openhands-ui/|third_party/|enterprise/|openhands-cli/)
+        exclude: ^(docs/|modules/|python/|openhands-ui/|third_party/|enterprise/)
       - id: end-of-file-fixer
-        exclude: ^(docs/|modules/|python/|openhands-ui/|third_party/|enterprise/|openhands-cli/)
+        exclude: ^(docs/|modules/|python/|openhands-ui/|third_party/|enterprise/)
       - id: check-yaml
         args: ["--allow-multiple-documents"]
       - id: debug-statements
 
+
+  - repo: local
+    hooks:
+      - id: warn-appmode-oss
+        name: "Warn on AppMode.OSS in backend (use AppMode.OPENHANDS)"
+        language: system
+        entry: bash -lc 'if rg -n "\\bAppMode\\.OSS\\b" openhands tests/unit; then echo "Found AppMode.OSS usage. Prefer AppMode.OPENHANDS."; exit 1; fi'
+        pass_filenames: false
+
   - repo: https://github.com/tox-dev/pyproject-fmt
     rev: v2.5.1
     hooks:
@@ -28,12 +37,12 @@ repos:
         entry: ruff check --config dev_config/python/ruff.toml
         types_or: [python, pyi, jupyter]
         args: [--fix, --unsafe-fixes]
-        exclude: ^(third_party/|enterprise/|openhands-cli/)
+        exclude: ^(third_party/|enterprise/)
       # Run the formatter.
       - id: ruff-format
         entry: ruff format --config dev_config/python/ruff.toml
         types_or: [python, pyi, jupyter]
-        exclude: ^(third_party/|enterprise/|openhands-cli/)
+        exclude: ^(third_party/|enterprise/)
 
   - repo: https://github.com/pre-commit/mirrors-mypy
     rev: v1.15.0

docker-compose.yml

@@ -7,7 +7,8 @@ services:
     image: openhands:latest
     container_name: openhands-app-${DATE:-}
     environment:
-      - SANDBOX_RUNTIME_CONTAINER_IMAGE=${SANDBOX_RUNTIME_CONTAINER_IMAGE:-docker.all-hands.dev/all-hands-ai/runtime:0.59-nikolaik}
+      - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
+      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.12.0-python}
       #- SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234} # enable this only if you want a specific non-root sandbox user but you will have to manually adjust permissions of ~/.openhands for this user
       - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
     ports:

enterprise/Dockerfile

@@ -1,5 +1,5 @@
 ARG OPENHANDS_VERSION=latest
-ARG BASE="ghcr.io/all-hands-ai/openhands"
+ARG BASE="ghcr.io/openhands/openhands"
 FROM ${BASE}:${OPENHANDS_VERSION}
 
 # Datadog labels
@@ -23,17 +23,27 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
-# Install Python packages with security fixes
-RUN pip install alembic psycopg2-binary cloud-sql-python-connector pg8000 gspread stripe python-keycloak asyncpg sqlalchemy[asyncio] resend tenacity slack-sdk ddtrace "posthog>=6.0.0" "limits==5.2.0" coredis prometheus-client shap scikit-learn pandas numpy && \
-    # Update packages with known CVE fixes
-    pip install --upgrade \
-        "mcp>=1.10.0" \
-        "pillow>=11.3.0"
+# Install poetry and export before importing current code.
+RUN /app/.venv/bin/pip install poetry poetry-plugin-export
+
+# Install Python dependencies from poetry.lock for reproducible builds
+# Copy lock files first for better Docker layer caching
+COPY --chown=openhands:openhands enterprise/pyproject.toml enterprise/poetry.lock /tmp/enterprise/
+RUN cd /tmp/enterprise && \
+    # Export only main dependencies with hashes for supply chain security
+    /app/.venv/bin/poetry export --only main -o requirements.txt && \
+    # Remove the local path dependency (openhands-ai is already in base image)
+    sed -i '/^-e /d; /openhands-ai/d' requirements.txt && \
+    # Install pinned dependencies from lock file
+    /app/.venv/bin/pip install -r requirements.txt && \
+    # Cleanup - return to /app before removing /tmp/enterprise
+    cd /app && \
+    rm -rf /tmp/enterprise && \
+    /app/.venv/bin/pip uninstall -y poetry poetry-plugin-export
 
 WORKDIR /app
-COPY enterprise .
+COPY --chown=openhands:openhands --chmod=770 enterprise .
 
-RUN chown -R openhands:openhands /app && chmod -R 770 /app
 USER openhands
 
 # Command will be overridden by Kubernetes deployment template

enterprise/Makefile

@@ -2,7 +2,7 @@ BACKEND_HOST ?= "127.0.0.1"
 BACKEND_PORT = 3000
 BACKEND_HOST_PORT = "$(BACKEND_HOST):$(BACKEND_PORT)"
 FRONTEND_PORT = 3001
-OPENHANDS_PATH ?= "../../OpenHands"
+OPENHANDS_PATH ?= ".."
 OPENHANDS := $(OPENHANDS_PATH)
 OPENHANDS_FRONTEND_PATH = $(OPENHANDS)/frontend/build
 

enterprise/README.md

@@ -1,6 +1,6 @@
 # OpenHands Enterprise Server
 > [!WARNING]
-> This software is licensed under the [Polyform Free Trial License](./LICENSE). This is **NOT** an open source license. Usage is limited to 30 days per calendar year without a commercial license. If you would like to use it beyond 30 days, please [contact us](https://www.all-hands.dev/contact).
+> This software is licensed under the [Polyform Free Trial License](./LICENSE). This is **NOT** an open source license. Usage is limited to 30 days per calendar year without a commercial license. If you would like to use it beyond 30 days, please [contact us](https://www.openhands.dev/contact).
 
 > [!WARNING]
 > This is a work in progress and may contain bugs, incomplete features, or breaking changes.
@@ -8,15 +8,15 @@
 This directory contains the enterprise server used by [OpenHands Cloud](https://github.com/All-Hands-AI/OpenHands-Cloud/). The official, public version of OpenHands Cloud is available at
 [app.all-hands.dev](https://app.all-hands.dev).
 
-You may also want to check out the MIT-licensed [OpenHands](https://github.com/All-Hands-AI/OpenHands)
+You may also want to check out the MIT-licensed [OpenHands](https://github.com/OpenHands/OpenHands)
 
-## Extension of OpenHands (OSS)
+## Extension of OpenHands
 
-The code in `/enterprise` directory builds on top of open source (OSS) code, extending its functionality. The enterprise code is entangled with the OSS code in two ways
+The code in `/enterprise` builds on top of OpenHands (MIT-licensed), extending its functionality. The enterprise code is entangled with OpenHands in two ways:
 
-- Enterprise stacks on top of OSS. For example, the middleware in enterprise is stacked right on top of the middlewares in OSS. In `SAAS`, the middleware from BOTH repos will be present and running (which can sometimes cause conflicts)
+- Enterprise stacks on top of OpenHands. For example, the middleware in enterprise is stacked right on top of the middlewares in OpenHands. In `SAAS`, the middleware from BOTH repos will be present and running (which can sometimes cause conflicts)
 
-- Enterprise overrides the implementation in OSS (only one is present at a time). For example, the server config SaasServerConfig which overrides [`ServerConfig`](https://github.com/All-Hands-AI/OpenHands/blob/main/openhands/server/config/server_config.py#L8) on OSS. This is done through dynamic imports ([see here](https://github.com/All-Hands-AI/OpenHands/blob/main/openhands/server/config/server_config.py#L37-#L45))
+- Enterprise overrides the implementation in OpenHands (only one is present at a time). For example, the server config SaasServerConfig overrides [`ServerConfig`](https://github.com/OpenHands/OpenHands/blob/main/openhands/server/config/server_config.py#L8) in OpenHands. This is done through dynamic imports ([see here](https://github.com/OpenHands/OpenHands/blob/main/openhands/server/config/server_config.py#L37-#L45))
 
 Key areas that change on `SAAS` are
 
@@ -26,11 +26,11 @@ Key areas that change on `SAAS` are
 
 ### Authentication
 
-| Aspect                    | OSS                                                    | Enterprise                                                                                                                                 |
+| Aspect                    | OpenHands                                              | Enterprise                                                                                                                                 |
 | ------------------------- | ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
-| **Authentication Method** | User adds a personal access token (PAT) through the UI | User performs OAuth through the UI. The Github app provides a short-lived access token and refresh token                            |
+| **Authentication Method** | User adds a personal access token (PAT) through the UI | User performs OAuth through the UI. The GitHub app provides a short-lived access token and refresh token                            |
 | **Token Storage**         | PAT is stored in **Settings**                          | Token is stored in **GithubTokenManager** (a file store in our backend)                                                             |
-| **Authenticated status**  | We simply check if token exists in `Settings`          | We issue a signed cookie with `github_user_id` during oauth, so subsequent requests with the cookie can be considered authenticated |
+| **Authenticated status**  | We simply check if token exists in `Settings`          | We issue a signed cookie with `github_user_id` during OAuth, so subsequent requests with the cookie can be considered authenticated |
 
 Note that in the future, authentication will happen via keycloak. All modifications for authentication will happen in enterprise.
 
@@ -38,7 +38,7 @@ Note that in the future, authentication will happen via keycloak. All modificati
 
 The github service is responsible for interacting with Github APIs. As a consequence, it uses the user's token and refreshes it if need be
 
-| Aspect                    | OSS                                    | Enterprise                                            |
+| Aspect                    | OpenHands                               | Enterprise                                            |
 | ------------------------- | -------------------------------------- | ---------------------------------------------- |
 | **Class used**            | `GitHubService`                        | `SaaSGitHubService`                            |
 | **Token used**            | User's PAT fetched from `Settings`     | User's token fetched from `GitHubTokenManager` |
@@ -50,7 +50,7 @@ NOTE: in the future we will simply replace the `GithubTokenManager` with keycloa
 
 ## User ID vs User Token
 
-- On OSS, the entire APP revolves around the Github token the user sets. `openhands/server` uses `request.state.github_token` for the entire app
+- In OpenHands, the entire app revolves around the GitHub token the user sets. `openhands/server` uses `request.state.github_token` for the entire app
 - On Enterprise, the entire APP resolves around the Github User ID. This is because the cookie sets it, so `openhands/server` AND `enterprise/server` depend on it and completly ignore `request.state.github_token` (token is fetched from `GithubTokenManager` instead)
 
-Note that introducing Github User ID on OSS, for instance, will cause large breakages.
+Note that introducing GitHub User ID in OpenHands, for instance, will cause large breakages.

enterprise/allhands-realm-github-provider.json.tmpl

@@ -721,6 +721,7 @@
         "https://$WEB_HOST/oauth/keycloak/callback",
         "https://$WEB_HOST/oauth/keycloak/offline/callback",
         "https://$WEB_HOST/slack/keycloak-callback",
+        "https://$WEB_HOST/oauth/device/keycloak-callback",
         "https://$WEB_HOST/api/email/verified",
         "/realms/$KEYCLOAK_REALM_NAME/$KEYCLOAK_CLIENT_ID/*"
       ],
@@ -1771,6 +1772,40 @@
         "sendIdTokenOnLogout": "true",
         "passMaxAge": "false"
       }
+    },
+    {
+      "alias": "bitbucket_data_center",
+      "displayName": "Bitbucket Data Center",
+      "internalId": "b77b4ead-20e8-451c-ad27-99f92d561616",
+      "providerId": "oauth2",
+      "enabled": true,
+      "updateProfileFirstLoginMode": "on",
+      "trustEmail": true,
+      "storeToken": true,
+      "addReadTokenRoleOnCreate": false,
+      "authenticateByDefault": false,
+      "linkOnly": false,
+      "hideOnLogin": false,
+      "config": {
+        "givenNameClaim": "given_name",
+        "userInfoUrl": "https://${WEB_HOST}/bitbucket-dc-proxy/oauth2/userinfo",
+        "clientId": "$BITBUCKET_DATA_CENTER_CLIENT_ID",
+        "tokenUrl": "https://${BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/token",
+        "acceptsPromptNoneForwardFromClient": "false",
+        "fullNameClaim": "name",
+        "userIDClaim": "sub",
+        "emailClaim": "email",
+        "userNameClaim": "preferred_username",
+        "caseSensitiveOriginalUsername": "false",
+        "familyNameClaim": "family_name",
+        "pkceEnabled": "false",
+        "authorizationUrl": "https://${BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/authorize",
+        "clientAuthMethod": "client_secret_post",
+        "syncMode": "IMPORT",
+        "clientSecret": "$BITBUCKET_DATA_CENTER_CLIENT_SECRET",
+        "allowedClockSkew": "0",
+        "defaultScope": "REPO_WRITE"
+      }
     }
   ],
   "identityProviderMappers": [
@@ -1828,6 +1863,26 @@
         "syncMode": "FORCE",
         "attribute": "identity_provider"
       }
+    },
+    {
+      "name": "id-mapper",
+      "identityProviderAlias": "bitbucket_data_center",
+      "identityProviderMapper": "oidc-user-attribute-idp-mapper",
+      "config": {
+        "syncMode": "FORCE",
+        "claim": "sub",
+        "user.attribute": "bitbucket_data_center_id"
+      }
+    },
+    {
+      "name": "identity-provider",
+      "identityProviderAlias": "bitbucket_data_center",
+      "identityProviderMapper": "hardcoded-attribute-idp-mapper",
+      "config": {
+        "attribute.value": "bitbucket_data_center",
+        "syncMode": "FORCE",
+        "attribute": "identity_provider"
+      }
     }
   ],
   "components": {

enterprise/dev_config/python/.pre-commit-config.yaml

@@ -50,8 +50,10 @@ repos:
           - ./
           - stripe==11.5.0
           - pygithub==2.6.1
-        # To see gaps add `--html-report mypy-report/`
-        entry: mypy --config-file enterprise/dev_config/python/mypy.ini enterprise/
+        # Use -p (package) to avoid dual module name conflict when using MYPYPATH
+        # MYPYPATH=enterprise allows resolving bare imports like "from integrations.xxx"
+        # Note: tests package excluded to avoid conflict with core openhands tests
+        entry: bash -c 'MYPYPATH=enterprise mypy --config-file enterprise/dev_config/python/mypy.ini -p integrations -p server -p storage -p sync'
         always_run: true
         pass_filenames: false
         files: ^enterprise/

enterprise/dev_config/python/mypy.ini

@@ -2,7 +2,6 @@
 warn_unused_configs = True
 ignore_missing_imports = True
 check_untyped_defs = True
-explicit_package_bases = True
 warn_unreachable = True
 warn_redundant_casts = True
 no_implicit_optional = True

enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md

@@ -0,0 +1,883 @@
+# OpenHands Enterprise Usage Telemetry Service
+
+## Table of Contents
+
+1. [Introduction](#1-introduction)
+   - 1.1 [Problem Statement](#11-problem-statement)
+   - 1.2 [Proposed Solution](#12-proposed-solution)
+2. [User Interface](#2-user-interface)
+   - 2.1 [License Warning Banner](#21-license-warning-banner)
+   - 2.2 [Administrator Experience](#22-administrator-experience)
+3. [Other Context](#3-other-context)
+   - 3.1 [Replicated Platform Integration](#31-replicated-platform-integration)
+   - 3.2 [Administrator Email Detection Strategy](#32-administrator-email-detection-strategy)
+   - 3.3 [Metrics Collection Framework](#33-metrics-collection-framework)
+4. [Technical Design](#4-technical-design)
+   - 4.1 [Database Schema](#41-database-schema)
+     - 4.1.1 [Telemetry Metrics Table](#411-telemetry-metrics-table)
+     - 4.1.2 [Telemetry Identity Table](#412-telemetry-identity-table)
+   - 4.2 [Metrics Collection Framework](#42-metrics-collection-framework)
+     - 4.2.1 [Base Collector Interface](#421-base-collector-interface)
+     - 4.2.2 [Collector Registry](#422-collector-registry)
+     - 4.2.3 [Example Collector Implementation](#423-example-collector-implementation)
+   - 4.3 [Collection and Upload System](#43-collection-and-upload-system)
+     - 4.3.1 [Metrics Collection Processor](#431-metrics-collection-processor)
+     - 4.3.2 [Replicated Upload Processor](#432-replicated-upload-processor)
+   - 4.4 [License Warning System](#44-license-warning-system)
+     - 4.4.1 [License Status Endpoint](#441-license-status-endpoint)
+     - 4.4.2 [UI Integration](#442-ui-integration)
+   - 4.5 [Cronjob Configuration](#45-cronjob-configuration)
+     - 4.5.1 [Collection Cronjob](#451-collection-cronjob)
+     - 4.5.2 [Upload Cronjob](#452-upload-cronjob)
+5. [Implementation Plan](#5-implementation-plan)
+   - 5.1 [Database Schema and Models (M1)](#51-database-schema-and-models-m1)
+     - 5.1.1 [OpenHands - Database Migration](#511-openhands---database-migration)
+     - 5.1.2 [OpenHands - Model Tests](#512-openhands---model-tests)
+   - 5.2 [Metrics Collection Framework (M2)](#52-metrics-collection-framework-m2)
+     - 5.2.1 [OpenHands - Core Collection Framework](#521-openhands---core-collection-framework)
+     - 5.2.2 [OpenHands - Example Collectors](#522-openhands---example-collectors)
+     - 5.2.3 [OpenHands - Framework Tests](#523-openhands---framework-tests)
+   - 5.3 [Collection and Upload Processors (M3)](#53-collection-and-upload-processors-m3)
+     - 5.3.1 [OpenHands - Collection Processor](#531-openhands---collection-processor)
+     - 5.3.2 [OpenHands - Upload Processor](#532-openhands---upload-processor)
+     - 5.3.3 [OpenHands - Integration Tests](#533-openhands---integration-tests)
+   - 5.4 [License Warning API (M4)](#54-license-warning-api-m4)
+     - 5.4.1 [OpenHands - License Status API](#541-openhands---license-status-api)
+     - 5.4.2 [OpenHands - API Integration](#542-openhands---api-integration)
+   - 5.5 [UI Warning Banner (M5)](#55-ui-warning-banner-m5)
+     - 5.5.1 [OpenHands - UI Warning Banner](#551-openhands---ui-warning-banner)
+     - 5.5.2 [OpenHands - UI Integration](#552-openhands---ui-integration)
+   - 5.6 [Helm Chart Deployment Configuration (M6)](#56-helm-chart-deployment-configuration-m6)
+     - 5.6.1 [OpenHands-Cloud - Cronjob Manifests](#561-openhands-cloud---cronjob-manifests)
+     - 5.6.2 [OpenHands-Cloud - Configuration Management](#562-openhands-cloud---configuration-management)
+   - 5.7 [Documentation and Enhanced Collectors (M7)](#57-documentation-and-enhanced-collectors-m7)
+     - 5.7.1 [OpenHands - Advanced Collectors](#571-openhands---advanced-collectors)
+     - 5.7.2 [OpenHands - Monitoring and Testing](#572-openhands---monitoring-and-testing)
+     - 5.7.3 [OpenHands - Technical Documentation](#573-openhands---technical-documentation)
+
+## 1. Introduction
+
+### 1.1 Problem Statement
+
+OpenHands Enterprise (OHE) helm charts are publicly available but not open source, creating a visibility gap for the sales team. Unknown users can install and use OHE without the vendor's knowledge, preventing proper customer engagement and sales pipeline management. Without usage telemetry, the vendor cannot identify potential customers, track installation health, or proactively support users who may need assistance.
+
+### 1.2 Proposed Solution
+
+We propose implementing a comprehensive telemetry service that leverages the Replicated metrics platform and Python SDK to track OHE installations and usage. The solution provides automatic customer discovery, instance monitoring, and usage metrics collection while maintaining a clear license compliance pathway.
+
+The system consists of three main components: (1) a pluggable metrics collection framework that allows developers to easily define and register custom metrics collectors, (2) automated cronjobs that periodically collect metrics and upload them to Replicated's vendor portal, and (3) a license compliance warning system that displays UI notifications when telemetry uploads fail, indicating potential license expiration.
+
+The design ensures that telemetry cannot be easily disabled without breaking core OHE functionality by tying the warning system to environment variables that are essential for OHE operation. This approach balances user transparency with business requirements for customer visibility.
+
+## 2. User Interface
+
+### 2.1 License Warning Banner
+
+When telemetry uploads fail for more than 4 days, users will see a prominent warning banner in the OpenHands Enterprise UI:
+
+```
+⚠️ Your OpenHands Enterprise license will expire in 30 days. Please contact support if this issue persists.
+```
+
+The banner appears at the top of all pages and cannot be permanently dismissed while the condition persists. Users can temporarily dismiss it, but it will reappear on page refresh until telemetry uploads resume successfully.
+
+### 2.2 Administrator Experience
+
+System administrators will not need to configure the telemetry system manually. The service automatically:
+
+1. **Detects OHE installations** using existing required environment variables (`GITHUB_APP_CLIENT_ID`, `KEYCLOAK_SERVER_URL`, etc.)
+
+2. **Generates unique customer identifiers** using administrator contact information:
+   - Customer email: Determined by the following priority order:
+     1. `OPENHANDS_ADMIN_EMAIL` environment variable (if set in helm values)
+     2. Email of the first user who accepted Terms of Service (earliest `accepted_tos` timestamp)
+   - Instance ID: Automatically generated by Replicated SDK using machine fingerprinting (IOPlatformUUID on macOS, D-Bus machine ID on Linux, Machine GUID on Windows)
+   - **No Fallback**: If neither email source is available, telemetry collection is skipped until at least one user exists
+
+3. **Collects and uploads metrics transparently** in the background via weekly collection and daily upload cronjobs
+
+4. **Displays warnings only when necessary** for license compliance - no notifications appear during normal operation
+
+## 3. Other Context
+
+### 3.1 Replicated Platform Integration
+
+The Replicated platform provides vendor-hosted infrastructure for collecting customer and instance telemetry. The Python SDK handles authentication, state management, and reliable metric delivery. Key concepts:
+
+- **Customer**: Represents a unique OHE installation, identified by email or installation fingerprint
+- **Instance**: Represents a specific deployment of OHE for a customer
+- **Metrics**: Custom key-value data points collected from the installation
+- **Status**: Instance health indicators (running, degraded, updating, etc.)
+
+The SDK automatically handles machine fingerprinting, local state caching, and retry logic for failed uploads.
+
+### 3.2 Administrator Email Detection Strategy
+
+To identify the appropriate administrator contact for sales outreach, the system uses a three-tier approach that avoids performance penalties on user authentication:
+
+**Tier 1: Explicit Configuration** - The `OPENHANDS_ADMIN_EMAIL` environment variable allows administrators to explicitly specify the contact email during deployment.
+
+**Tier 2: First Active User Detection** - If no explicit email is configured, the system identifies the first user who accepted Terms of Service (earliest `accepted_tos` timestamp with a valid email). This represents the first person to actively engage with the system and is very likely the administrator or installer.
+
+**No Fallback Needed** - If neither email source is available, telemetry collection is skipped entirely. This ensures we only report meaningful usage data when there are actual active users.
+
+**Performance Optimization**: The admin email determination is performed only during telemetry upload attempts, ensuring zero performance impact on user login flows.
+
+### 3.3 Metrics Collection Framework
+
+The proposed collector framework allows developers to define metrics in a single file change:
+
+```python
+@register_collector("user_activity")
+class UserActivityCollector(MetricsCollector):
+    def collect(self) -> Dict[str, Any]:
+        # Query database and return metrics
+        return {"active_users_7d": count, "conversations_created": total}
+```
+
+Collectors are automatically discovered and executed by the collection cronjob, making the system extensible without modifying core collection logic.
+
+## 4. Technical Design
+
+### 4.1 Database Schema
+
+#### 4.1.1 Telemetry Metrics Table
+
+Stores collected metrics with transmission status tracking:
+
+```sql
+CREATE TABLE telemetry_metrics (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    collected_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    metrics_data JSONB NOT NULL,
+    uploaded_at TIMESTAMP WITH TIME ZONE NULL,
+    upload_attempts INTEGER DEFAULT 0,
+    last_upload_error TEXT NULL,
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE INDEX idx_telemetry_metrics_collected_at ON telemetry_metrics(collected_at);
+CREATE INDEX idx_telemetry_metrics_uploaded_at ON telemetry_metrics(uploaded_at);
+```
+
+#### 4.1.2 Telemetry Identity Table
+
+Stores persistent identity information that must survive container restarts:
+
+```sql
+CREATE TABLE telemetry_identity (
+    id INTEGER PRIMARY KEY DEFAULT 1,
+    customer_id VARCHAR(255) NULL,
+    instance_id VARCHAR(255) NULL,
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT single_identity_row CHECK (id = 1)
+);
+```
+
+**Design Rationale:**
+- **Separation of Concerns**: Identity data (customer_id, instance_id) is separated from operational data
+- **Persistent vs Computed**: Only data that cannot be reliably recomputed is persisted
+- **Upload Tracking**: Upload timestamps are tied directly to the metrics they represent
+- **Simplified Queries**: System state can be derived from metrics table (e.g., `MAX(uploaded_at)` for last successful upload)
+
+### 4.2 Metrics Collection Framework
+
+#### 4.2.1 Base Collector Interface
+
+```python
+from abc import ABC, abstractmethod
+from typing import Dict, Any, List
+from dataclasses import dataclass
+
+@dataclass
+class MetricResult:
+    key: str
+    value: Any
+
+class MetricsCollector(ABC):
+    """Base class for metrics collectors."""
+
+    @abstractmethod
+    async def collect(self) -> List[MetricResult]:
+        """Collect metrics and return results."""
+        pass
+
+    @property
+    @abstractmethod
+    def collector_name(self) -> str:
+        """Unique name for this collector."""
+        pass
+
+    def should_collect(self) -> bool:
+        """Override to add collection conditions."""
+        return True
+```
+
+#### 4.2.2 Collector Registry
+
+```python
+from typing import Dict, Type, List
+import importlib
+import pkgutil
+
+class CollectorRegistry:
+    """Registry for metrics collectors."""
+
+    def __init__(self):
+        self._collectors: Dict[str, Type[MetricsCollector]] = {}
+
+    def register(self, collector_class: Type[MetricsCollector]) -> None:
+        """Register a collector class."""
+        collector = collector_class()
+        self._collectors[collector.collector_name] = collector_class
+
+    def get_all_collectors(self) -> List[MetricsCollector]:
+        """Get instances of all registered collectors."""
+        return [cls() for cls in self._collectors.values()]
+
+    def discover_collectors(self, package_path: str) -> None:
+        """Auto-discover collectors in a package."""
+        # Implementation to scan for @register_collector decorators
+        pass
+
+# Global registry instance
+collector_registry = CollectorRegistry()
+
+def register_collector(name: str):
+    """Decorator to register a collector."""
+    def decorator(cls: Type[MetricsCollector]) -> Type[MetricsCollector]:
+        collector_registry.register(cls)
+        return cls
+    return decorator
+```
+
+#### 4.2.3 Example Collector Implementation
+
+```python
+@register_collector("system_metrics")
+class SystemMetricsCollector(MetricsCollector):
+    """Collects basic system and usage metrics."""
+
+    @property
+    def collector_name(self) -> str:
+        return "system_metrics"
+
+    async def collect(self) -> List[MetricResult]:
+        results = []
+
+        # Collect user count
+        async with a_session_maker() as session:
+            user_count_result = await session.execute(select(func.count()).select_from(UserSettings))
+            user_count = user_count_result.scalar()
+            results.append(MetricResult(
+                key="total_users",
+                value=user_count
+            ))
+
+            # Collect conversation count (last 30 days)
+            thirty_days_ago = datetime.now(timezone.utc) - timedelta(days=30)
+            conversation_count_result = await session.execute(
+                select(func.count()).select_from(StoredConversationMetadata)
+                .where(StoredConversationMetadata.created_at >= thirty_days_ago)
+            )
+            conversation_count = conversation_count_result.scalar()
+
+            results.append(MetricResult(
+                key="conversations_30d",
+                value=conversation_count
+            ))
+
+        return results
+```
+
+### 4.3 Collection and Upload System
+
+#### 4.3.1 Metrics Collection Processor
+
+```python
+class TelemetryCollectionProcessor(MaintenanceTaskProcessor):
+    """Maintenance task processor for collecting metrics."""
+
+    collection_interval_days: int = 7
+
+    async def __call__(self, task: MaintenanceTask) -> dict:
+        """Collect metrics from all registered collectors."""
+
+        # Check if collection is needed
+        if not await self._should_collect():
+            return {"status": "skipped", "reason": "too_recent"}
+
+        # Collect metrics from all registered collectors
+        all_metrics = {}
+        collector_results = {}
+
+        for collector in collector_registry.get_all_collectors():
+            try:
+                if collector.should_collect():
+                    results = await collector.collect()
+                    for result in results:
+                        all_metrics[result.key] = result.value
+                    collector_results[collector.collector_name] = len(results)
+            except Exception as e:
+                logger.error(f"Collector {collector.collector_name} failed: {e}")
+                collector_results[collector.collector_name] = f"error: {e}"
+
+        # Store metrics in database
+        async with a_session_maker() as session:
+            telemetry_record = TelemetryMetrics(
+                metrics_data=all_metrics,
+                collected_at=datetime.now(timezone.utc)
+            )
+            session.add(telemetry_record)
+            await session.commit()
+
+            # Note: No need to track last_collection_at separately
+            # Can be derived from MAX(collected_at) in telemetry_metrics
+
+        return {
+            "status": "completed",
+            "metrics_collected": len(all_metrics),
+            "collectors_run": collector_results
+        }
+
+    async def _should_collect(self) -> bool:
+        """Check if collection is needed based on interval."""
+        async with a_session_maker() as session:
+            # Get last collection time from metrics table
+            result = await session.execute(select(func.max(TelemetryMetrics.collected_at)))
+            last_collected = result.scalar()
+            if not last_collected:
+                return True
+
+            time_since_last = datetime.now(timezone.utc) - last_collected
+            return time_since_last.days >= self.collection_interval_days
+```
+
+#### 4.3.2 Replicated Upload Processor
+
+```python
+from replicated import AsyncReplicatedClient, InstanceStatus
+
+class TelemetryUploadProcessor(MaintenanceTaskProcessor):
+    """Maintenance task processor for uploading metrics to Replicated."""
+
+    replicated_publishable_key: str
+    replicated_app_slug: str
+
+    async def __call__(self, task: MaintenanceTask) -> dict:
+        """Upload pending metrics to Replicated."""
+
+        # Get pending metrics
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(TelemetryMetrics)
+                .where(TelemetryMetrics.uploaded_at.is_(None))
+                .order_by(TelemetryMetrics.collected_at)
+            )
+            pending_metrics = result.scalars().all()
+
+        if not pending_metrics:
+            return {"status": "no_pending_metrics"}
+
+        # Get admin email - skip if not available
+        admin_email = await self._get_admin_email()
+        if not admin_email:
+            logger.info("Skipping telemetry upload - no admin email available")
+            return {
+                "status": "skipped",
+                "reason": "no_admin_email",
+                "total_processed": 0
+            }
+
+        uploaded_count = 0
+        failed_count = 0
+
+        async with AsyncReplicatedClient(
+            publishable_key=self.replicated_publishable_key,
+            app_slug=self.replicated_app_slug
+        ) as client:
+
+            # Get or create customer and instance
+            customer = await client.customer.get_or_create(
+                email_address=admin_email
+            )
+            instance = await customer.get_or_create_instance()
+
+            # Store customer/instance IDs for future use
+            await self._update_telemetry_identity(customer.customer_id, instance.instance_id)
+
+            # Upload each metric batch
+            for metric_record in pending_metrics:
+                try:
+                    # Send individual metrics
+                    for key, value in metric_record.metrics_data.items():
+                        await instance.send_metric(key, value)
+
+                    # Update instance status
+                    await instance.set_status(InstanceStatus.RUNNING)
+
+                    # Mark as uploaded
+                    async with a_session_maker() as session:
+                        result = await session.execute(
+                            select(TelemetryMetrics)
+                            .where(TelemetryMetrics.id == metric_record.id)
+                        )
+                        record = result.scalar_one_or_none()
+                        if record:
+                            record.uploaded_at = datetime.now(timezone.utc)
+                            await session.commit()
+
+                    uploaded_count += 1
+
+                except Exception as e:
+                    logger.error(f"Failed to upload metrics {metric_record.id}: {e}")
+
+                    # Update error info
+                    async with a_session_maker() as session:
+                        result = await session.execute(
+                            select(TelemetryMetrics)
+                            .where(TelemetryMetrics.id == metric_record.id)
+                        )
+                        record = result.scalar_one_or_none()
+                        if record:
+                            record.upload_attempts += 1
+                            record.last_upload_error = str(e)
+                            await session.commit()
+
+                    failed_count += 1
+
+        # Note: No need to track last_successful_upload_at separately
+        # Can be derived from MAX(uploaded_at) in telemetry_metrics
+
+        return {
+            "status": "completed",
+            "uploaded": uploaded_count,
+            "failed": failed_count,
+            "total_processed": len(pending_metrics)
+        }
+
+    async def _get_admin_email(self) -> str | None:
+        """Get administrator email for customer identification."""
+        # 1. Check environment variable first
+        env_admin_email = os.getenv('OPENHANDS_ADMIN_EMAIL')
+        if env_admin_email:
+            logger.info("Using admin email from environment variable")
+            return env_admin_email
+
+        # 2. Use first active user's email (earliest accepted_tos)
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(UserSettings)
+                .where(UserSettings.email.isnot(None))
+                .where(UserSettings.accepted_tos.isnot(None))
+                .order_by(UserSettings.accepted_tos.asc())
+                .limit(1)
+            )
+            first_user = result.scalar_one_or_none()
+
+            if first_user and first_user.email:
+                logger.info(f"Using first active user email: {first_user.email}")
+                return first_user.email
+
+        # No admin email available - skip telemetry
+        logger.info("No admin email available - skipping telemetry collection")
+        return None
+
+    async def _update_telemetry_identity(self, customer_id: str, instance_id: str) -> None:
+        """Update or create telemetry identity record."""
+        async with a_session_maker() as session:
+            result = await session.execute(select(TelemetryIdentity).limit(1))
+            identity = result.scalar_one_or_none()
+            if not identity:
+                identity = TelemetryIdentity()
+                session.add(identity)
+
+            identity.customer_id = customer_id
+            identity.instance_id = instance_id
+            await session.commit()
+```
+
+### 4.4 License Warning System
+
+#### 4.4.1 License Status Endpoint
+
+```python
+from fastapi import APIRouter
+from datetime import datetime, timezone, timedelta
+
+license_router = APIRouter()
+
+@license_router.get("/license-status")
+async def get_license_status():
+    """Get license warning status for UI display."""
+
+    # Only show warnings for OHE installations
+    if not _is_openhands_enterprise():
+        return {"warn": False, "message": ""}
+
+    async with a_session_maker() as session:
+        # Get last successful upload time from metrics table
+        result = await session.execute(
+            select(func.max(TelemetryMetrics.uploaded_at))
+            .where(TelemetryMetrics.uploaded_at.isnot(None))
+        )
+        last_upload = result.scalar()
+
+        if not last_upload:
+            # No successful uploads yet - show warning after 4 days
+            return {
+                "warn": True,
+                "message": "OpenHands Enterprise license verification pending. Please ensure network connectivity."
+            }
+
+        # Check if last successful upload was more than 4 days ago
+        days_since_upload = (datetime.now(timezone.utc) - last_upload).days
+
+        if days_since_upload > 4:
+            # Find oldest unsent batch
+            result = await session.execute(
+                select(TelemetryMetrics)
+                .where(TelemetryMetrics.uploaded_at.is_(None))
+                .order_by(TelemetryMetrics.collected_at)
+                .limit(1)
+            )
+            oldest_unsent = result.scalar_one_or_none()
+
+            if oldest_unsent:
+                # Calculate expiration date (oldest unsent + 34 days)
+                expiration_date = oldest_unsent.collected_at + timedelta(days=34)
+                days_until_expiration = (expiration_date - datetime.now(timezone.utc)).days
+
+                if days_until_expiration <= 0:
+                    message = "Your OpenHands Enterprise license has expired. Please contact support immediately."
+                else:
+                    message = f"Your OpenHands Enterprise license will expire in {days_until_expiration} days. Please contact support if this issue persists."
+
+                return {"warn": True, "message": message}
+
+        return {"warn": False, "message": ""}
+
+def _is_openhands_enterprise() -> bool:
+    """Detect if this is an OHE installation."""
+    # Check for required OHE environment variables
+    required_vars = [
+        'GITHUB_APP_CLIENT_ID',
+        'KEYCLOAK_SERVER_URL',
+        'KEYCLOAK_REALM_NAME'
+    ]
+
+    return all(os.getenv(var) for var in required_vars)
+```
+
+#### 4.4.2 UI Integration
+
+The frontend will poll the license status endpoint and display warnings using the existing banner component pattern:
+
+```typescript
+// New component: LicenseWarningBanner.tsx
+interface LicenseStatus {
+  warn: boolean;
+  message: string;
+}
+
+export function LicenseWarningBanner() {
+  const [licenseStatus, setLicenseStatus] = useState<LicenseStatus>({ warn: false, message: "" });
+
+  useEffect(() => {
+    const checkLicenseStatus = async () => {
+      try {
+        const response = await fetch('/api/license-status');
+        const status = await response.json();
+        setLicenseStatus(status);
+      } catch (error) {
+        console.error('Failed to check license status:', error);
+      }
+    };
+
+    // Check immediately and then every hour
+    checkLicenseStatus();
+    const interval = setInterval(checkLicenseStatus, 60 * 60 * 1000);
+
+    return () => clearInterval(interval);
+  }, []);
+
+  if (!licenseStatus.warn) {
+    return null;
+  }
+
+  return (
+    <div className="bg-red-600 text-white p-4 rounded flex items-center justify-between">
+      <div className="flex items-center">
+        <FaExclamationTriangle className="mr-3" />
+        <span>{licenseStatus.message}</span>
+      </div>
+    </div>
+  );
+}
+```
+
+### 4.5 Cronjob Configuration
+
+The cronjob configurations will be deployed via the OpenHands-Cloud helm charts.
+
+#### 4.5.1 Collection Cronjob
+
+The collection cronjob runs weekly to gather metrics:
+
+```yaml
+# charts/openhands/templates/telemetry-collection-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "openhands.fullname" . }}-telemetry-collection
+  labels:
+    {{- include "openhands.labels" . | nindent 4 }}
+spec:
+  schedule: "0 2 * * 0"  # Weekly on Sunday at 2 AM
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: telemetry-collector
+            image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+            env:
+            {{- include "openhands.env" . | nindent 12 }}
+            command:
+            - python
+            - -c
+            - |
+              import asyncio
+              from enterprise.storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus
+              from enterprise.storage.database import a_session_maker
+              from enterprise.server.telemetry.collection_processor import TelemetryCollectionProcessor
+
+              async def main():
+                  # Create collection task
+                  processor = TelemetryCollectionProcessor()
+                  task = MaintenanceTask()
+                  task.set_processor(processor)
+                  task.status = MaintenanceTaskStatus.PENDING
+
+                  async with a_session_maker() as session:
+                      session.add(task)
+                      await session.commit()
+
+              asyncio.run(main())
+          restartPolicy: OnFailure
+```
+
+#### 4.5.2 Upload Cronjob
+
+The upload cronjob runs daily to send metrics to Replicated:
+
+```yaml
+# charts/openhands/templates/telemetry-upload-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "openhands.fullname" . }}-telemetry-upload
+  labels:
+    {{- include "openhands.labels" . | nindent 4 }}
+spec:
+  schedule: "0 3 * * *"  # Daily at 3 AM
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: telemetry-uploader
+            image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+            env:
+            {{- include "openhands.env" . | nindent 12 }}
+            - name: REPLICATED_PUBLISHABLE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "openhands.fullname" . }}-replicated-config
+                  key: publishable-key
+            - name: REPLICATED_APP_SLUG
+              value: {{ .Values.telemetry.replicatedAppSlug | default "openhands-enterprise" | quote }}
+            command:
+            - python
+            - -c
+            - |
+              import asyncio
+              from enterprise.storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus
+              from enterprise.storage.database import a_session_maker
+              from enterprise.server.telemetry.upload_processor import TelemetryUploadProcessor
+              import os
+
+              async def main():
+                  # Create upload task
+                  processor = TelemetryUploadProcessor(
+                      replicated_publishable_key=os.getenv('REPLICATED_PUBLISHABLE_KEY'),
+                      replicated_app_slug=os.getenv('REPLICATED_APP_SLUG', 'openhands-enterprise')
+                  )
+                  task = MaintenanceTask()
+                  task.set_processor(processor)
+                  task.status = MaintenanceTaskStatus.PENDING
+
+                  async with a_session_maker() as session:
+                      session.add(task)
+                      await session.commit()
+
+              asyncio.run(main())
+          restartPolicy: OnFailure
+```
+
+## 5. Implementation Plan
+
+All implementation must pass existing lints and tests. New functionality requires comprehensive unit tests with >90% coverage. Integration tests should verify end-to-end telemetry flow including collection, storage, upload, and warning display.
+
+### 5.1 Database Schema and Models (M1)
+
+**Repository**: OpenHands
+Establish the foundational database schema and SQLAlchemy models for telemetry data storage.
+
+#### 5.1.1 OpenHands - Database Migration
+
+- [ ] `enterprise/migrations/versions/077_create_telemetry_tables.py`
+- [ ] `enterprise/storage/telemetry_metrics.py`
+- [ ] `enterprise/storage/telemetry_config.py`
+
+#### 5.1.2 OpenHands - Model Tests
+
+- [ ] `enterprise/tests/unit/storage/test_telemetry_metrics.py`
+- [ ] `enterprise/tests/unit/storage/test_telemetry_config.py`
+
+**Demo**: Database tables created and models can store/retrieve telemetry data.
+
+### 5.2 Metrics Collection Framework (M2)
+
+**Repository**: OpenHands
+Implement the pluggable metrics collection system with registry and base classes.
+
+#### 5.2.1 OpenHands - Core Collection Framework
+
+- [ ] `enterprise/server/telemetry/__init__.py`
+- [ ] `enterprise/server/telemetry/collector_base.py`
+- [ ] `enterprise/server/telemetry/collector_registry.py`
+- [ ] `enterprise/server/telemetry/decorators.py`
+
+#### 5.2.2 OpenHands - Example Collectors
+
+- [ ] `enterprise/server/telemetry/collectors/__init__.py`
+- [ ] `enterprise/server/telemetry/collectors/system_metrics.py`
+- [ ] `enterprise/server/telemetry/collectors/user_activity.py`
+
+#### 5.2.3 OpenHands - Framework Tests
+
+- [ ] `enterprise/tests/unit/telemetry/test_collector_base.py`
+- [ ] `enterprise/tests/unit/telemetry/test_collector_registry.py`
+- [ ] `enterprise/tests/unit/telemetry/test_system_metrics.py`
+
+**Demo**: Developers can create new collectors with a single file change using the @register_collector decorator.
+
+### 5.3 Collection and Upload Processors (M3)
+
+**Repository**: OpenHands
+Implement maintenance task processors for collecting metrics and uploading to Replicated.
+
+#### 5.3.1 OpenHands - Collection Processor
+
+- [ ] `enterprise/server/telemetry/collection_processor.py`
+- [ ] `enterprise/tests/unit/telemetry/test_collection_processor.py`
+
+#### 5.3.2 OpenHands - Upload Processor
+
+- [ ] `enterprise/server/telemetry/upload_processor.py`
+- [ ] `enterprise/tests/unit/telemetry/test_upload_processor.py`
+
+#### 5.3.3 OpenHands - Integration Tests
+
+- [ ] `enterprise/tests/integration/test_telemetry_flow.py`
+
+**Demo**: Metrics are automatically collected weekly and uploaded daily to Replicated vendor portal.
+
+### 5.4 License Warning API (M4)
+
+**Repository**: OpenHands
+Implement the license status endpoint for the warning system.
+
+#### 5.4.1 OpenHands - License Status API
+
+- [ ] `enterprise/server/routes/license.py`
+- [ ] `enterprise/tests/unit/routes/test_license.py`
+
+#### 5.4.2 OpenHands - API Integration
+
+- [ ] Update `enterprise/saas_server.py` to include license router
+
+**Demo**: License status API returns warning status based on telemetry upload success.
+
+### 5.5 UI Warning Banner (M5)
+
+**Repository**: OpenHands
+Implement the frontend warning banner component and integration.
+
+#### 5.5.1 OpenHands - UI Warning Banner
+
+- [ ] `frontend/src/components/features/license/license-warning-banner.tsx`
+- [ ] `frontend/src/components/features/license/license-warning-banner.test.tsx`
+
+#### 5.5.2 OpenHands - UI Integration
+
+- [ ] Update main UI layout to include license warning banner
+- [ ] Add license status polling service
+
+**Demo**: License warnings appear in UI when telemetry uploads fail for >4 days, with accurate expiration countdown.
+
+### 5.6 Helm Chart Deployment Configuration (M6)
+
+**Repository**: OpenHands-Cloud
+Create Kubernetes cronjob configurations and deployment scripts.
+
+#### 5.6.1 OpenHands-Cloud - Cronjob Manifests
+
+- [ ] `charts/openhands/templates/telemetry-collection-cronjob.yaml`
+- [ ] `charts/openhands/templates/telemetry-upload-cronjob.yaml`
+
+#### 5.6.2 OpenHands-Cloud - Configuration Management
+
+- [ ] `charts/openhands/templates/replicated-secret.yaml`
+- [ ] Update `charts/openhands/values.yaml` with telemetry configuration options:
+  ```yaml
+  # Add to values.yaml
+  telemetry:
+    enabled: true
+    replicatedAppSlug: "openhands-enterprise"
+    adminEmail: ""  # Optional: admin email for customer identification
+
+  # Add to deployment environment variables
+  env:
+    OPENHANDS_ADMIN_EMAIL: "{{ .Values.telemetry.adminEmail }}"
+  ```
+
+**Demo**: Complete telemetry system deployed via helm chart with configurable collection intervals and Replicated integration.
+
+### 5.7 Documentation and Enhanced Collectors (M7)
+
+**Repository**: OpenHands
+Add comprehensive metrics collectors, monitoring capabilities, and documentation.
+
+#### 5.7.1 OpenHands - Advanced Collectors
+
+- [ ] `enterprise/server/telemetry/collectors/conversation_metrics.py`
+- [ ] `enterprise/server/telemetry/collectors/integration_usage.py`
+- [ ] `enterprise/server/telemetry/collectors/performance_metrics.py`
+
+#### 5.7.2 OpenHands - Monitoring and Testing
+
+- [ ] `enterprise/server/telemetry/monitoring.py`
+- [ ] `enterprise/tests/e2e/test_telemetry_system.py`
+- [ ] Performance tests for large-scale metric collection
+
+#### 5.7.3 OpenHands - Technical Documentation
+
+- [ ] `enterprise/server/telemetry/README.md`
+- [ ] Update deployment documentation with telemetry configuration instructions
+- [ ] Add troubleshooting guide for telemetry issues
+
+**Demo**: Rich telemetry data flowing to vendor portal with comprehensive monitoring, alerting for system health, and complete documentation.

enterprise/doc/design-doc/plugin-launch-flow.md

@@ -0,0 +1,131 @@
+# Plugin Launch Flow
+
+This document describes how plugins are launched in OpenHands Saas / Enterprise, from the plugin directory through to agent execution.
+
+## Architecture Overview
+
+```
+Plugin Directory ──▶ Frontend /launch ──▶ App Server ──▶ Agent Server ──▶ SDK
+    (external)           (modal)           (API)        (in sandbox)    (plugin loading)
+```
+
+| Component | Responsibility |
+|-----------|---------------|
+| **Plugin Directory** | Index plugins, present to user, construct launch URLs |
+| **Frontend** | Display confirmation modal, collect parameters, call API |
+| **App Server** | Validate request, pass plugin specs to agent server |
+| **Agent Server** | Run inside sandbox, delegate plugin loading to SDK |
+| **SDK** | Fetch plugins, load contents, merge skills/hooks/MCP into agent |
+
+## User Experience
+
+### Plugin Directory
+
+The plugin directory presents users with a catalog of available plugins. For each plugin, users see:
+- Plugin name and description (from `plugin.json`)
+- Author and version information
+- A "Launch" button
+
+When a user clicks "Launch", the plugin directory:
+1. Reads the plugin's `entry_command` to know which slash command to invoke
+2. Determines what parameters the plugin accepts (if any)
+3. Redirects to OpenHands with this information encoded in the URL
+
+### Parameter Collection
+
+If a plugin requires user input (API keys, configuration values, etc.), the frontend displays a form modal before starting the conversation. Parameters are passed in the launch URL and rendered as form fields based on their type:
+
+- **String values** → Text input
+- **Number values** → Number input
+- **Boolean values** → Checkbox
+
+Only primitive types are supported. Complex types (arrays, objects) are not currently supported for parameter input.
+
+The user fills in required values, then clicks "Start Conversation" to proceed.
+
+## Launch Flow
+
+1. **Plugin Directory** (external) constructs a launch URL to the OpenHands app server when user clicks "Launch":
+   ```
+   /launch?plugins=BASE64_JSON&message=/city-weather:now%20Tokyo
+   ```
+
+   The `plugins` parameter includes any parameter definitions with default values:
+   ```json
+   [{
+     "source": "github:owner/repo",
+     "repo_path": "plugins/my-plugin",
+     "parameters": {"api_key": "", "timeout": 30, "debug": false}
+   }]
+   ```
+
+2. **OpenHands Frontend** (`/launch` route, [PR #12699](https://github.com/OpenHands/OpenHands/pull/12699)) displays modal with parameter form, collects user input
+
+3. **OpenHands App Server** ([PR #12338](https://github.com/OpenHands/OpenHands/pull/12338)) receives the API call:
+   ```
+   POST /api/v1/app-conversations
+   {
+     "plugins": [{"source": "github:owner/repo", "repo_path": "plugins/city-weather"}],
+     "initial_message": {"content": [{"type": "text", "text": "/city-weather:now Tokyo"}]}
+   }
+   ```
+
+   Call stack:
+   - `AppConversationRouter` receives request with `PluginSpec` list
+   - `LiveStatusAppConversationService._finalize_conversation_request()` converts `PluginSpec` → `PluginSource`
+   - Creates `StartConversationRequest(plugins=sdk_plugins, ...)` and sends to agent server
+
+4. **Agent Server** (inside sandbox, [SDK PR #1651](https://github.com/OpenHands/software-agent-sdk/pull/1651)) stores specs, defers loading:
+
+   Call stack:
+   - `ConversationService.start_conversation()` receives `StartConversationRequest`
+   - Creates `StoredConversation` with plugin specs
+   - Creates `LocalConversation(plugins=request.plugins, ...)`
+   - Plugin loading deferred until first `run()` or `send_message()`
+
+5. **SDK** fetches and loads plugins on first use:
+
+   Call stack:
+   - `LocalConversation._ensure_plugins_loaded()` triggered by first message
+   - For each plugin spec:
+     - `Plugin.fetch(source, ref, repo_path)` → clones/caches git repo
+     - `Plugin.load(path)` → parses `plugin.json`, loads commands/skills/hooks
+     - `plugin.add_skills_to(context)` → merges skills into agent
+     - `plugin.add_mcp_config_to(config)` → merges MCP servers
+
+6. **Agent** receives message, `/city-weather:now` triggers the skill
+
+## Key Design Decisions
+
+### Plugin Loading in Sandbox
+
+Plugins load **inside the sandbox** because:
+- Plugin hooks and scripts need isolated execution
+- MCP servers run inside the sandbox
+- Skills may reference sandbox filesystem
+
+### Entry Command Handling
+
+The `entry_command` field in `plugin.json` allows plugin authors to declare a default command:
+
+```json
+{
+  "name": "city-weather",
+  "entry_command": "now"
+}
+```
+
+This flows through the system:
+1. Plugin author declares `entry_command` in plugin.json
+2. Plugin directory reads it when indexing
+3. Plugin directory includes `/city-weather:now` in the launch URL's `message` parameter
+4. Message passes through to agent as `initial_message`
+
+The SDK exposes this field but does not auto-invoke it—callers control the initial message.
+
+## Related
+
+- [OpenHands PR #12338](https://github.com/OpenHands/OpenHands/pull/12338) - App server plugin support
+- [OpenHands PR #12699](https://github.com/OpenHands/OpenHands/pull/12699) - Frontend `/launch` route
+- [SDK PR #1651](https://github.com/OpenHands/software-agent-sdk/pull/1651) - Agent server plugin loading
+- [SDK PR #1647](https://github.com/OpenHands/software-agent-sdk/pull/1647) - Plugin.fetch() for remote plugin fetching

enterprise/enterprise_local/README.md

@@ -0,0 +1,274 @@
+# Instructions for developing SAAS locally
+
+You have a few options here, which are expanded on below:
+
+- A simple local development setup, with live reloading for both OpenHands and this repo
+- A more complex setup that includes Redis
+- An even more complex setup that includes GitHub events
+
+## Prerequisites
+
+Before starting, make sure you have the following tools installed:
+
+### Required for all options:
+
+- [gcloud CLI](https://cloud.google.com/sdk/docs/install) - For authentication and secrets management
+- [sops](https://github.com/mozilla/sops) - For secrets decryption
+  - macOS: `brew install sops`
+  - Linux: `sudo apt-get install sops` or download from GitHub releases
+  - Windows: Install via Chocolatey `choco install sops` or download from GitHub releases
+
+### Additional requirements for enabling GitHub webhook events
+
+- make
+- Python development tools (build-essential, python3-dev)
+- [ngrok](https://ngrok.com/download) - For creating tunnels to localhost
+
+## Option 1: Simple local development
+
+This option will allow you to modify both the OpenHands code and the code in this repo,
+and see the changes in real-time.
+
+This option works best for most scenarios. The only thing it's missing is
+the GitHub events webhook, which is not necessary for most development.
+
+### 1. OpenHands location
+
+The open source OpenHands repo should be cloned as a sibling directory,
+in `../OpenHands`. This is hard-coded in the pyproject.toml (edit if necessary)
+
+If you're doing this the first time, you may need to run
+
+```
+poetry update openhands-ai
+```
+
+### 2. Set up env
+
+First run this to retrieve Github App secrets
+
+```
+gcloud auth application-default login
+gcloud config set project global-432717
+enterprise_local/decrypt_env.sh /path/to/root/of/deploy/repo
+```
+
+Now run this to generate a `.env` file, which will used to run SAAS locally
+
+```
+python -m pip install PyYAML
+export LITE_LLM_API_KEY=<your LLM API key>
+python enterprise_local/convert_to_env.py
+```
+
+You'll also need to set up the runtime image, so that the dev server doesn't try to rebuild it.
+
+```
+export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:main-nikolaik
+docker pull $SANDBOX_RUNTIME_CONTAINER_IMAGE
+```
+
+By default the application will log in json, you can override.
+
+```
+export LOG_PLAIN_TEXT=1
+```
+
+### 3. Start the OpenHands frontend
+
+Start the frontend like you normally would in the open source OpenHands repo.
+
+### 4. Start the SaaS backend
+
+```
+make build
+
+make start-backend
+```
+
+You should have a server running on `localhost:3000`, similar to the open source backend.
+Oauth should work properly.
+
+## Option 2: With Redis
+
+Follow all the steps above, then setup redis:
+
+```bash
+docker run  -p 6379:6379 --name openhands-redis -d redis
+export REDIS_HOST=host.docker.internal # you may want this to be localhost
+export REDIS_PORT=6379
+```
+
+## Option 3: Work with GitHub events
+
+### 1. Setup env file
+
+(see above)
+
+### 2. Build OpenHands
+
+Develop on [Openhands](https://github.com/OpenHands/OpenHands) locally. When ready, run the following inside Openhands repo (not the Deploy repo)
+
+```
+docker build -f containers/app/Dockerfile -t openhands .
+```
+
+### 3. Build SAAS Openhands
+
+Build the SAAS image locally inside Deploy repo. Note that `openhands` is the name of the image built in Step 2
+
+```
+docker build -t openhands-saas ./app/ --build-arg BASE="openhands"
+```
+
+### 4. Create a tunnel
+
+Run in a separate terminal
+
+```
+ngrok http 3000
+```
+
+There will be a line
+
+```
+Forwarding                    https://bc71-2603-7000-5000-1575-e4a6-697b-589e-5801.ngrok-free.app
+```
+
+Remember this URL as it will be used in Step 5 and 6
+
+### 5. Setup Staging Github App callback/webhook urls
+
+Using the URL found in Step 4, add another callback URL (`https://bc71-2603-7000-5000-1575-e4a6-697b-589e-5801.ngrok-free.app/oauth/github/callback`)
+
+### 6. Run
+
+This is the last step! Run SAAS openhands locally using
+
+```
+docker run --env-file ./app/.env -p 3000:3000 openhands-saas
+```
+
+Note `--env-file` is what injects the `.env` file created in Step 1
+
+Visit the tunnel domain found in Step 4 to run the app (`https://bc71-2603-7000-5000-1575-e4a6-697b-589e-5801.ngrok-free.app`)
+
+### Local Debugging with VSCode
+
+Local Development necessitates running a version of OpenHands that is as similar as possible to the version running in the SAAS Environment. Before running these steps, it is assumed you have a local development version of OpenHands running.
+
+#### Redis
+
+A Local redis instance is required for clustered communication between server nodes. The standard docker instance will suffice.
+`docker run -it -p 6379:6379 --name my-redis -d redis`
+
+#### Postgres
+
+A Local postgres instance is required. I used the official docker image:
+`docker run -p 5432:5432 --name my-postgres -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=postgres -e POSTGRES_DB=openhands -d postgres`
+Run the alembic migrations:
+`poetry run alembic upgrade head `
+
+#### VSCode launch.json
+
+The VSCode launch.json below sets up 2 servers to test clustering, running independently on localhost:3030 and localhost:3031. Running only the server on 3030 is usually sufficient unless tests of the clustered functionality are required. Secrets may be harvested directly from staging by connecting...
+`kubectl exec --stdin --tty <POD_NAME> -n <NAMESPACE> -- /bin/bash`
+And then invoking `printenv`. NOTE: _DO NOT DO THIS WITH PROD!!!_ (Hopefully by the time you read this, nobody will have access.)
+
+```
+{
+    "configurations": [
+        {
+            "name": "Python Debugger: Python File",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${file}"
+        },
+        {
+            "name": "OpenHands Deploy",
+            "type": "debugpy",
+            "request": "launch",
+            "module": "uvicorn",
+            "args": [
+                "saas_server:app",
+                "--reload",
+                "--host",
+                "0.0.0.0",
+                "--port",
+                "3030"
+            ],
+            "env": {
+                "DEBUG": "1",
+                "FILE_STORE": "local",
+                "REDIS_HOST": "localhost:6379",
+                "OPENHANDS": "<YOUR LOCAL OPENHANDS DIR>",
+                "FRONTEND_DIRECTORY": "<YOUR LOCAL OPENHANDS DIR>/frontend/build",
+                "SANDBOX_RUNTIME_CONTAINER_IMAGE": "ghcr.io/openhands/runtime:main-nikolaik",
+                "FILE_STORE_PATH": "<YOUR HOME DIRECTORY>>/.openhands-state",
+                "OPENHANDS_CONFIG_CLS": "server.config.SaaSServerConfig",
+                "GITHUB_APP_ID": "1062351",
+                "GITHUB_APP_PRIVATE_KEY": "<GITHUB PRIVATE KEY>",
+                "GITHUB_APP_CLIENT_ID": "Iv23lis7eUWDQHIq8US0",
+                "GITHUB_APP_CLIENT_SECRET": "<GITHUB CLIENT SECRET>",
+                "POSTHOG_CLIENT_KEY": "<POSTHOG CLIENT KEY>",
+                "LITE_LLM_API_URL": "https://llm-proxy.staging.all-hands.dev",
+                "LITE_LLM_TEAM_ID": "62ea39c4-8886-44f3-b7ce-07ed4fe42d2c",
+                "LITE_LLM_API_KEY": "<LITE LLM API KEY>"
+            },
+            "justMyCode": false,
+            "cwd": "${workspaceFolder}/app"
+        },
+        {
+            "name": "OpenHands Deploy 2",
+            "type": "debugpy",
+            "request": "launch",
+            "module": "uvicorn",
+            "args": [
+                "saas_server:app",
+                "--reload",
+                "--host",
+                "0.0.0.0",
+                "--port",
+                "3031"
+            ],
+            "env": {
+                "DEBUG": "1",
+                "FILE_STORE": "local",
+                "REDIS_HOST": "localhost:6379",
+                "OPENHANDS": "<YOUR LOCAL OPENHANDS DIR>",
+                "FRONTEND_DIRECTORY": "<YOUR LOCAL OPENHANDS DIR>/frontend/build",
+                "SANDBOX_RUNTIME_CONTAINER_IMAGE": "ghcr.io/openhands/runtime:main-nikolaik",
+                "FILE_STORE_PATH": "<YOUR HOME DIRECTORY>>/.openhands-state",
+                "OPENHANDS_CONFIG_CLS": "server.config.SaaSServerConfig",
+                "GITHUB_APP_ID": "1062351",
+                "GITHUB_APP_PRIVATE_KEY": "<GITHUB PRIVATE KEY>",
+                "GITHUB_APP_CLIENT_ID": "Iv23lis7eUWDQHIq8US0",
+                "GITHUB_APP_CLIENT_SECRET": "<GITHUB CLIENT SECRET>",
+                "POSTHOG_CLIENT_KEY": "<POSTHOG CLIENT KEY>",
+                "LITE_LLM_API_URL": "https://llm-proxy.staging.all-hands.dev",
+                "LITE_LLM_TEAM_ID": "62ea39c4-8886-44f3-b7ce-07ed4fe42d2c",
+                "LITE_LLM_API_KEY": "<LITE LLM API KEY>"
+            },
+            "justMyCode": false,
+            "cwd": "${workspaceFolder}/app"
+        },
+        {
+            "name": "Unit Tests",
+            "type": "debugpy",
+            "request": "launch",
+            "module": "pytest",
+            "args": [
+                "./tests/unit",
+                //"./tests/unit/test_clustered_conversation_manager.py",
+                "--durations=0"
+            ],
+            "env": {
+                "DEBUG": "1"
+            },
+            "justMyCode": false,
+            "cwd": "${workspaceFolder}/app"
+        },
+        // set working directory...
+    ]
+}
+```

enterprise/enterprise_local/convert_to_env.py

@@ -0,0 +1,130 @@
+import base64
+import os
+import sys
+
+import yaml
+
+
+def convert_yaml_to_env(yaml_file, target_parameters, output_env_file, prefix):
+    """Converts a YAML file into .env file format for specified target parameters under 'stringData' and 'data'.
+
+    :param yaml_file: Path to the YAML file.
+    :param target_parameters: List of keys to extract from the YAML file.
+    :param output_env_file: Path to the output .env file.
+    :param prefix: Prefix for environment variables.
+    """
+    try:
+        # Load the YAML file
+        with open(yaml_file, 'r') as file:
+            yaml_data = yaml.safe_load(file)
+
+        # Extract sections
+        string_data = yaml_data.get('stringData', None)
+        data = yaml_data.get('data', None)
+
+        if string_data:
+            env_source = string_data
+            process_base64 = False
+        elif data:
+            env_source = data
+            process_base64 = True
+        else:
+            print(
+                "Error: Neither 'stringData' nor 'data' section found in the YAML file."
+            )
+            return
+
+        env_lines = []
+
+        for param in target_parameters:
+            if param in env_source:
+                value = env_source[param]
+                if process_base64:
+                    try:
+                        decoded_value = base64.b64decode(value).decode('utf-8')
+                        formatted_value = (
+                            decoded_value.replace('\n', '\\n')
+                            if '\n' in decoded_value
+                            else decoded_value
+                        )
+                    except Exception as decode_error:
+                        print(f"Error decoding base64 for '{param}': {decode_error}")
+                        continue
+                else:
+                    formatted_value = (
+                        value.replace('\n', '\\n')
+                        if isinstance(value, str) and '\n' in value
+                        else value
+                    )
+
+                new_key = prefix + param.upper().replace('-', '_')
+                env_lines.append(f'{new_key}={formatted_value}')
+            else:
+                print(
+                    f"Warning: Parameter '{param}' not found in the selected section."
+                )
+
+        # Write to the .env file
+        with open(output_env_file, 'a') as env_file:
+            env_file.write('\n'.join(env_lines) + '\n')
+
+    except Exception as e:
+        print(f'Error: {e}')
+
+
+lite_llm_api_key = os.getenv('LITE_LLM_API_KEY')
+if not lite_llm_api_key:
+    print('Set the LITE_LLM_API_KEY environment variable to your API key')
+    sys.exit(1)
+
+yaml_file = 'github_decrypted.yaml'
+target_parameters = ['client-id', 'client-secret', 'webhook-secret', 'private-key']
+output_env_file = './enterprise/.env'
+
+if os.path.exists(output_env_file):
+    os.remove(output_env_file)
+convert_yaml_to_env(yaml_file, target_parameters, output_env_file, 'GITHUB_APP_')
+os.remove(yaml_file)
+
+yaml_file = 'keycloak_realm_decrypted.yaml'
+target_parameters = ['client-id', 'client-secret', 'provider-name', 'realm-name']
+convert_yaml_to_env(yaml_file, target_parameters, output_env_file, 'KEYCLOAK_')
+os.remove(yaml_file)
+
+yaml_file = 'keycloak_admin_decrypted.yaml'
+target_parameters = ['admin-password']
+convert_yaml_to_env(yaml_file, target_parameters, output_env_file, 'KEYCLOAK_')
+os.remove(yaml_file)
+
+lines = []
+lines.append('KEYCLOAK_SERVER_URL=https://auth.staging.all-hands.dev/')
+lines.append('KEYCLOAK_SERVER_URL_EXT=https://auth.staging.all-hands.dev/')
+lines.append('OPENHANDS_CONFIG_CLS=server.config.SaaSServerConfig')
+lines.append(
+    'OPENHANDS_GITHUB_SERVICE_CLS=integrations.github.github_service.SaaSGitHubService'
+)
+lines.append(
+    'OPENHANDS_GITLAB_SERVICE_CLS=integrations.gitlab.gitlab_service.SaaSGitLabService'
+)
+lines.append(
+    'OPENHANDS_BITBUCKET_SERVICE_CLS=integrations.bitbucket.bitbucket_service.SaaSBitBucketService'
+)
+lines.append(
+    'OPENHANDS_BITBUCKET_DATA_CENTER_SERVICE_CLS=integrations.bitbucket_data_center.bitbucket_dc_service.SaaSBitbucketDCService'
+)
+lines.append(
+    'OPENHANDS_CONVERSATION_VALIDATOR_CLS=storage.saas_conversation_validator.SaasConversationValidator'
+)
+lines.append('POSTHOG_CLIENT_KEY=test')
+lines.append('ENABLE_PROACTIVE_CONVERSATION_STARTERS=true')
+lines.append('MAX_CONCURRENT_CONVERSATIONS=10')
+lines.append('LITE_LLM_API_URL=https://llm-proxy.eval.all-hands.dev')
+lines.append('LITELLM_DEFAULT_MODEL=litellm_proxy/claude-opus-4-5-20251101')
+lines.append(f'LITE_LLM_API_KEY={lite_llm_api_key}')
+lines.append('LOCAL_DEPLOYMENT=true')
+lines.append('DB_HOST=localhost')
+
+with open(output_env_file, 'a') as env_file:
+    env_file.write('\n'.join(lines))
+
+print(f'.env file created at: {output_env_file}')

enterprise/enterprise_local/decrypt_env.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+set -euo pipefail
+
+# Check if DEPLOY_DIR argument was provided
+if [ $# -lt 1 ]; then
+  echo "Usage: $0 <DEPLOY_DIR>"
+  echo "Example: $0 /path/to/root/of/deploy/repo"
+  exit 1
+fi
+
+# Normalize path (remove trailing slash)
+DEPLOY_DIR="${1%/}"
+
+# Function to decrypt and rename
+decrypt_and_move() {
+  local secret_path="$1"
+  local output_name="$2"
+
+  ${DEPLOY_DIR}/scripts/decrypt.sh "${DEPLOY_DIR}/${secret_path}"
+  mv decrypted.yaml "${output_name}"
+  echo "Moved decrypted.yaml to ${output_name}"
+}
+
+# Decrypt each secret file
+decrypt_and_move "openhands/envs/feature/secrets/github-app.yaml" "github_decrypted.yaml"
+decrypt_and_move "openhands/envs/staging/secrets/keycloak-realm.yaml" "keycloak_realm_decrypted.yaml"
+decrypt_and_move "openhands/envs/staging/secrets/keycloak-admin.yaml" "keycloak_admin_decrypted.yaml"

enterprise/experiments/constants.py

@@ -1,47 +0,0 @@
-import os
-
-import posthog
-
-from openhands.core.logger import openhands_logger as logger
-
-# Initialize PostHog
-posthog.api_key = os.environ.get('POSTHOG_CLIENT_KEY', 'phc_placeholder')
-posthog.host = os.environ.get('POSTHOG_HOST', 'https://us.i.posthog.com')
-
-# Log PostHog configuration with masked API key for security
-api_key = posthog.api_key
-if api_key and len(api_key) > 8:
-    masked_key = f'{api_key[:4]}...{api_key[-4:]}'
-else:
-    masked_key = 'not_set_or_too_short'
-logger.info('posthog_configuration', extra={'posthog_api_key_masked': masked_key})
-
-# Global toggle for the experiment manager
-ENABLE_EXPERIMENT_MANAGER = (
-    os.environ.get('ENABLE_EXPERIMENT_MANAGER', 'false').lower() == 'true'
-)
-
-# Get the current experiment type from environment variable
-# If None, no experiment is running
-EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT = os.environ.get(
-    'EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT', ''
-)
-# System prompt experiment toggle
-EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT = os.environ.get(
-    'EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT', ''
-)
-
-EXPERIMENT_CLAUDE4_VS_GPT5 = os.environ.get('EXPERIMENT_CLAUDE4_VS_GPT5', '')
-
-EXPERIMENT_CONDENSER_MAX_STEP = os.environ.get('EXPERIMENT_CONDENSER_MAX_STEP', '')
-
-logger.info(
-    'experiment_manager:run_conversation_variant_test:experiment_config',
-    extra={
-        'enable_experiment_manager': ENABLE_EXPERIMENT_MANAGER,
-        'experiment_litellm_default_model_experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT,
-        'experiment_system_prompt_experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
-        'experiment_claude4_vs_gpt5_experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
-        'experiment_condenser_max_step': EXPERIMENT_CONDENSER_MAX_STEP,
-    },
-)

enterprise/experiments/experiment_manager.py

@@ -1,89 +0,0 @@
-from experiments.constants import (
-    ENABLE_EXPERIMENT_MANAGER,
-)
-from experiments.experiment_versions import (
-    handle_condenser_max_step_experiment,
-    handle_system_prompt_experiment,
-)
-
-from openhands.core.config.openhands_config import OpenHandsConfig
-from openhands.core.logger import openhands_logger as logger
-from openhands.experiments.experiment_manager import ExperimentManager
-from openhands.server.session.conversation_init_data import ConversationInitData
-
-
-class SaaSExperimentManager(ExperimentManager):
-    @staticmethod
-    def run_conversation_variant_test(
-        user_id, conversation_id, conversation_settings
-    ) -> ConversationInitData:
-        """
-        Run conversation variant test and potentially modify the conversation settings
-        based on the PostHog feature flags.
-
-        Args:
-            user_id: The user ID
-            conversation_id: The conversation ID
-            conversation_settings: The conversation settings that may include convo_id and llm_model
-
-        Returns:
-            The modified conversation settings
-        """
-        logger.debug(
-            'experiment_manager:run_conversation_variant_test:started',
-            extra={'user_id': user_id},
-        )
-
-        # Skip all experiment processing if the experiment manager is disabled
-        if not ENABLE_EXPERIMENT_MANAGER:
-            logger.info(
-                'experiment_manager:run_conversation_variant_test:skipped',
-                extra={'reason': 'experiment_manager_disabled'},
-            )
-            return conversation_settings
-
-        # Apply conversation-scoped experiments
-        conversation_settings = handle_condenser_max_step_experiment(
-            user_id, conversation_id, conversation_settings
-        )
-
-        return conversation_settings
-
-    @staticmethod
-    def run_config_variant_test(
-        user_id: str | None, conversation_id: str, config: OpenHandsConfig
-    ) -> OpenHandsConfig:
-        """
-        Run agent config variant test and potentially modify the OpenHands config
-        based on the current experiment type and PostHog feature flags.
-
-        Args:
-            user_id: The user ID
-            conversation_id: The conversation ID
-            config: The OpenHands configuration
-
-        Returns:
-            The modified OpenHands configuration
-        """
-        logger.info(
-            'experiment_manager:run_config_variant_test:started',
-            extra={'user_id': user_id},
-        )
-
-        # Skip all experiment processing if the experiment manager is disabled
-        if not ENABLE_EXPERIMENT_MANAGER:
-            logger.info(
-                'experiment_manager:run_config_variant_test:skipped',
-                extra={'reason': 'experiment_manager_disabled'},
-            )
-            return config
-
-        # Pass the entire OpenHands config to the system prompt experiment
-        # Let the experiment handler directly modify the config as needed
-        modified_config = handle_system_prompt_experiment(
-            user_id, conversation_id, config
-        )
-
-        # Condenser max step experiment is applied via conversation variant test,
-        # not config variant test. Return modified config from system prompt only.
-        return modified_config

enterprise/experiments/experiment_versions/_001_litellm_default_model_experiment.py

@@ -1,107 +0,0 @@
-"""
-LiteLLM model experiment handler.
-
-This module contains the handler for the LiteLLM model experiment.
-"""
-
-import posthog
-from experiments.constants import EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT
-from server.constants import (
-    IS_FEATURE_ENV,
-    build_litellm_proxy_model_path,
-    get_default_litellm_model,
-)
-
-from openhands.core.logger import openhands_logger as logger
-
-
-def handle_litellm_default_model_experiment(
-    user_id, conversation_id, conversation_settings
-):
-    """
-    Handle the LiteLLM model experiment.
-
-    Args:
-        user_id: The user ID
-        conversation_id: The conversation ID
-        conversation_settings: The conversation settings
-
-    Returns:
-        Modified conversation settings
-    """
-    # No-op if the specific experiment is not enabled
-    if not EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT:
-        logger.info(
-            'experiment_manager:ab_testing:skipped',
-            extra={
-                'convo_id': conversation_id,
-                'reason': 'experiment_not_enabled',
-                'experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT,
-            },
-        )
-        return conversation_settings
-
-    # Use experiment name as the flag key
-    try:
-        enabled_variant = posthog.get_feature_flag(
-            EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT, conversation_id
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:get_feature_flag:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT,
-                'error': str(e),
-            },
-        )
-        return conversation_settings
-
-    # Log the experiment event
-    # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog
-    posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id
-
-    try:
-        posthog.capture(
-            distinct_id=posthog_user_id,
-            event='model_set',
-            properties={
-                'conversation_id': conversation_id,
-                'variant': enabled_variant,
-                'original_user_id': user_id,
-                'is_feature_env': IS_FEATURE_ENV,
-            },
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:posthog_capture:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT,
-                'error': str(e),
-            },
-        )
-        # Continue execution as this is not critical
-
-    logger.info(
-        'posthog_capture',
-        extra={
-            'event': 'model_set',
-            'posthog_user_id': posthog_user_id,
-            'is_feature_env': IS_FEATURE_ENV,
-            'conversation_id': conversation_id,
-            'variant': enabled_variant,
-        },
-    )
-
-    # Set the model based on the feature flag variant
-    if enabled_variant == 'claude37':
-        # Use the shared utility to construct the LiteLLM proxy model path
-        model = build_litellm_proxy_model_path('claude-3-7-sonnet-20250219')
-        # Update the conversation settings with the selected model
-        conversation_settings.llm_model = model
-    else:
-        # Update the conversation settings with the default model for the current version
-        conversation_settings.llm_model = get_default_litellm_model()
-
-    return conversation_settings

enterprise/experiments/experiment_versions/_002_system_prompt_experiment.py

@@ -1,181 +0,0 @@
-"""
-System prompt experiment handler.
-
-This module contains the handler for the system prompt experiment that uses
-the PostHog variant as the system prompt filename.
-"""
-
-import copy
-
-import posthog
-from experiments.constants import EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT
-from server.constants import IS_FEATURE_ENV
-from storage.experiment_assignment_store import ExperimentAssignmentStore
-
-from openhands.core.config.openhands_config import OpenHandsConfig
-from openhands.core.logger import openhands_logger as logger
-
-
-def _get_system_prompt_variant(user_id, conversation_id):
-    """
-    Get the system prompt variant for the experiment.
-
-    Args:
-        user_id: The user ID
-        conversation_id: The conversation ID
-
-    Returns:
-        str or None: The PostHog variant name or None if experiment is not enabled or error occurs
-    """
-    # No-op if the specific experiment is not enabled
-    if not EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT:
-        logger.info(
-            'experiment_manager_002:ab_testing:skipped',
-            extra={
-                'convo_id': conversation_id,
-                'reason': 'experiment_not_enabled',
-                'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
-            },
-        )
-        return None
-
-    # Use experiment name as the flag key
-    try:
-        enabled_variant = posthog.get_feature_flag(
-            EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT, conversation_id
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:get_feature_flag:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
-                'error': str(e),
-            },
-        )
-        return None
-
-    # Store the experiment assignment in the database
-    try:
-        experiment_store = ExperimentAssignmentStore()
-        experiment_store.update_experiment_variant(
-            conversation_id=conversation_id,
-            experiment_name='system_prompt_experiment',
-            variant=enabled_variant,
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:store_assignment:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
-                'variant': enabled_variant,
-                'error': str(e),
-            },
-        )
-        # Fail the experiment if we cannot track the splits - results would not be explainable
-        return None
-
-    # Log the experiment event
-    # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog
-    posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id
-
-    try:
-        posthog.capture(
-            distinct_id=posthog_user_id,
-            event='system_prompt_set',
-            properties={
-                'conversation_id': conversation_id,
-                'variant': enabled_variant,
-                'original_user_id': user_id,
-                'is_feature_env': IS_FEATURE_ENV,
-            },
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:posthog_capture:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
-                'error': str(e),
-            },
-        )
-        # Continue execution as this is not critical
-
-    logger.info(
-        'posthog_capture',
-        extra={
-            'event': 'system_prompt_set',
-            'posthog_user_id': posthog_user_id,
-            'is_feature_env': IS_FEATURE_ENV,
-            'conversation_id': conversation_id,
-            'variant': enabled_variant,
-        },
-    )
-
-    return enabled_variant
-
-
-def handle_system_prompt_experiment(
-    user_id, conversation_id, config: OpenHandsConfig
-) -> OpenHandsConfig:
-    """
-    Handle the system prompt experiment for OpenHands config.
-
-    Args:
-        user_id: The user ID
-        conversation_id: The conversation ID
-        config: The OpenHands configuration
-
-    Returns:
-        Modified OpenHands configuration
-    """
-    enabled_variant = _get_system_prompt_variant(user_id, conversation_id)
-
-    # If variant is None, experiment is not enabled or there was an error
-    if enabled_variant is None:
-        return config
-
-    # Deep copy the config to avoid modifying the original
-    modified_config = copy.deepcopy(config)
-
-    # Set the system prompt filename based on the variant
-    if enabled_variant == 'control':
-        # Use the long-horizon system prompt for the control variant
-        agent_config = modified_config.get_agent_config(modified_config.default_agent)
-        agent_config.system_prompt_filename = 'system_prompt_long_horizon.j2'
-        agent_config.enable_plan_mode = True
-    elif enabled_variant == 'interactive':
-        modified_config.get_agent_config(
-            modified_config.default_agent
-        ).system_prompt_filename = 'system_prompt_interactive.j2'
-    elif enabled_variant == 'no_tools':
-        modified_config.get_agent_config(
-            modified_config.default_agent
-        ).system_prompt_filename = 'system_prompt.j2'
-    else:
-        logger.error(
-            'system_prompt_experiment:unknown_variant',
-            extra={
-                'user_id': user_id,
-                'convo_id': conversation_id,
-                'variant': enabled_variant,
-                'reason': 'no explicit mapping; returning original config',
-            },
-        )
-        return config
-
-    # Log which prompt is being used
-    logger.info(
-        'system_prompt_experiment:prompt_selected',
-        extra={
-            'user_id': user_id,
-            'convo_id': conversation_id,
-            'system_prompt_filename': modified_config.get_agent_config(
-                modified_config.default_agent
-            ).system_prompt_filename,
-            'variant': enabled_variant,
-        },
-    )
-
-    return modified_config

enterprise/experiments/experiment_versions/_003_llm_claude4_vs_gpt5_experiment.py

@@ -1,137 +0,0 @@
-"""
-LiteLLM model experiment handler.
-
-This module contains the handler for the LiteLLM model experiment.
-"""
-
-import posthog
-from experiments.constants import EXPERIMENT_CLAUDE4_VS_GPT5
-from server.constants import (
-    IS_FEATURE_ENV,
-    build_litellm_proxy_model_path,
-    get_default_litellm_model,
-)
-from storage.experiment_assignment_store import ExperimentAssignmentStore
-
-from openhands.core.logger import openhands_logger as logger
-from openhands.server.session.conversation_init_data import ConversationInitData
-
-
-def _get_model_variant(user_id: str | None, conversation_id: str) -> str | None:
-    if not EXPERIMENT_CLAUDE4_VS_GPT5:
-        logger.info(
-            'experiment_manager:ab_testing:skipped',
-            extra={
-                'convo_id': conversation_id,
-                'reason': 'experiment_not_enabled',
-                'experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
-            },
-        )
-        return None
-
-    try:
-        enabled_variant = posthog.get_feature_flag(
-            EXPERIMENT_CLAUDE4_VS_GPT5, conversation_id
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:get_feature_flag:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
-                'error': str(e),
-            },
-        )
-        return None
-
-    # Store the experiment assignment in the database
-    try:
-        experiment_store = ExperimentAssignmentStore()
-        experiment_store.update_experiment_variant(
-            conversation_id=conversation_id,
-            experiment_name='claude4_vs_gpt5_experiment',
-            variant=enabled_variant,
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:store_assignment:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
-                'variant': enabled_variant,
-                'error': str(e),
-            },
-        )
-        # Fail the experiment if we cannot track the splits - results would not be explainable
-        return None
-
-    # Log the experiment event
-    # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog
-    posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id
-
-    try:
-        posthog.capture(
-            distinct_id=posthog_user_id,
-            event='claude4_or_gpt5_set',
-            properties={
-                'conversation_id': conversation_id,
-                'variant': enabled_variant,
-                'original_user_id': user_id,
-                'is_feature_env': IS_FEATURE_ENV,
-            },
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:posthog_capture:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
-                'error': str(e),
-            },
-        )
-        # Continue execution as this is not critical
-
-    logger.info(
-        'posthog_capture',
-        extra={
-            'event': 'claude4_or_gpt5_set',
-            'posthog_user_id': posthog_user_id,
-            'is_feature_env': IS_FEATURE_ENV,
-            'conversation_id': conversation_id,
-            'variant': enabled_variant,
-        },
-    )
-
-    return enabled_variant
-
-
-def handle_claude4_vs_gpt5_experiment(
-    user_id: str | None,
-    conversation_id: str,
-    conversation_settings: ConversationInitData,
-) -> ConversationInitData:
-    """
-    Handle the LiteLLM model experiment.
-
-    Args:
-        user_id: The user ID
-        conversation_id: The conversation ID
-        conversation_settings: The conversation settings
-
-    Returns:
-        Modified conversation settings
-    """
-
-    enabled_variant = _get_model_variant(user_id, conversation_id)
-
-    if not enabled_variant:
-        return conversation_settings
-
-    # Set the model based on the feature flag variant
-    if enabled_variant == 'gpt5':
-        model = build_litellm_proxy_model_path('gpt-5-2025-08-07')
-        conversation_settings.llm_model = model
-    else:
-        conversation_settings.llm_model = get_default_litellm_model()
-
-    return conversation_settings

enterprise/experiments/experiment_versions/_004_condenser_max_step_experiment.py

@@ -1,192 +0,0 @@
-"""
-Condenser max step experiment handler.
-
-This module contains the handler for the condenser max step experiment that tests
-different max_size values for the condenser configuration.
-"""
-
-import posthog
-from experiments.constants import EXPERIMENT_CONDENSER_MAX_STEP
-from server.constants import IS_FEATURE_ENV
-from storage.experiment_assignment_store import ExperimentAssignmentStore
-
-from openhands.core.logger import openhands_logger as logger
-from openhands.server.session.conversation_init_data import ConversationInitData
-
-
-def _get_condenser_max_step_variant(user_id, conversation_id):
-    """
-    Get the condenser max step variant for the experiment.
-
-    Args:
-        user_id: The user ID
-        conversation_id: The conversation ID
-
-    Returns:
-        str or None: The PostHog variant name or None if experiment is not enabled or error occurs
-    """
-    # No-op if the specific experiment is not enabled
-    if not EXPERIMENT_CONDENSER_MAX_STEP:
-        logger.info(
-            'experiment_manager_004:ab_testing:skipped',
-            extra={
-                'convo_id': conversation_id,
-                'reason': 'experiment_not_enabled',
-                'experiment': EXPERIMENT_CONDENSER_MAX_STEP,
-            },
-        )
-        return None
-
-    # Use experiment name as the flag key
-    try:
-        enabled_variant = posthog.get_feature_flag(
-            EXPERIMENT_CONDENSER_MAX_STEP, conversation_id
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:get_feature_flag:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_CONDENSER_MAX_STEP,
-                'error': str(e),
-            },
-        )
-        return None
-
-    # Store the experiment assignment in the database
-    try:
-        experiment_store = ExperimentAssignmentStore()
-        experiment_store.update_experiment_variant(
-            conversation_id=conversation_id,
-            experiment_name='condenser_max_step_experiment',
-            variant=enabled_variant,
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:store_assignment:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_CONDENSER_MAX_STEP,
-                'variant': enabled_variant,
-                'error': str(e),
-            },
-        )
-        # Fail the experiment if we cannot track the splits - results would not be explainable
-        return None
-
-    # Log the experiment event
-    # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog
-    posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id
-
-    try:
-        posthog.capture(
-            distinct_id=posthog_user_id,
-            event='condenser_max_step_set',
-            properties={
-                'conversation_id': conversation_id,
-                'variant': enabled_variant,
-                'original_user_id': user_id,
-                'is_feature_env': IS_FEATURE_ENV,
-            },
-        )
-    except Exception as e:
-        logger.error(
-            'experiment_manager:posthog_capture:failed',
-            extra={
-                'convo_id': conversation_id,
-                'experiment': EXPERIMENT_CONDENSER_MAX_STEP,
-                'error': str(e),
-            },
-        )
-        # Continue execution as this is not critical
-
-    logger.info(
-        'posthog_capture',
-        extra={
-            'event': 'condenser_max_step_set',
-            'posthog_user_id': posthog_user_id,
-            'is_feature_env': IS_FEATURE_ENV,
-            'conversation_id': conversation_id,
-            'variant': enabled_variant,
-        },
-    )
-
-    return enabled_variant
-
-
-def handle_condenser_max_step_experiment(
-    user_id: str | None,
-    conversation_id: str,
-    conversation_settings: ConversationInitData,
-) -> ConversationInitData:
-    """
-    Handle the condenser max step experiment for conversation settings.
-
-    We should not modify persistent user settings. Instead, apply the experiment
-    variant to the conversation's in-memory settings object for this session only.
-
-    Variants:
-    - control -> condenser_max_size = 120
-    - treatment -> condenser_max_size = 80
-
-    Returns the (potentially) modified conversation_settings.
-    """
-
-    enabled_variant = _get_condenser_max_step_variant(user_id, conversation_id)
-
-    if enabled_variant is None:
-        return conversation_settings
-
-    if enabled_variant == 'control':
-        condenser_max_size = 120
-    elif enabled_variant == 'treatment':
-        condenser_max_size = 80
-    else:
-        logger.error(
-            'condenser_max_step_experiment:unknown_variant',
-            extra={
-                'user_id': user_id,
-                'convo_id': conversation_id,
-                'variant': enabled_variant,
-                'reason': 'unknown variant; returning original conversation settings',
-            },
-        )
-        return conversation_settings
-
-    try:
-        # Apply the variant to this conversation only; do not persist to DB.
-        # Not all OpenHands versions expose `condenser_max_size` on settings.
-        if hasattr(conversation_settings, 'condenser_max_size'):
-            conversation_settings.condenser_max_size = condenser_max_size
-            logger.info(
-                'condenser_max_step_experiment:conversation_settings_applied',
-                extra={
-                    'user_id': user_id,
-                    'convo_id': conversation_id,
-                    'variant': enabled_variant,
-                    'condenser_max_size': condenser_max_size,
-                },
-            )
-        else:
-            logger.warning(
-                'condenser_max_step_experiment:field_missing_on_settings',
-                extra={
-                    'user_id': user_id,
-                    'convo_id': conversation_id,
-                    'variant': enabled_variant,
-                    'reason': 'condenser_max_size not present on ConversationInitData',
-                },
-            )
-    except Exception as e:
-        logger.error(
-            'condenser_max_step_experiment:apply_failed',
-            extra={
-                'user_id': user_id,
-                'convo_id': conversation_id,
-                'variant': enabled_variant,
-                'error': str(e),
-            },
-        )
-        return conversation_settings
-
-    return conversation_settings

enterprise/experiments/experiment_versions/__init__.py

@@ -1,25 +0,0 @@
-"""
-Experiment versions package.
-
-This package contains handlers for different experiment versions.
-"""
-
-from experiments.experiment_versions._001_litellm_default_model_experiment import (
-    handle_litellm_default_model_experiment,
-)
-from experiments.experiment_versions._002_system_prompt_experiment import (
-    handle_system_prompt_experiment,
-)
-from experiments.experiment_versions._003_llm_claude4_vs_gpt5_experiment import (
-    handle_claude4_vs_gpt5_experiment,
-)
-from experiments.experiment_versions._004_condenser_max_step_experiment import (
-    handle_condenser_max_step_experiment,
-)
-
-__all__ = [
-    'handle_litellm_default_model_experiment',
-    'handle_system_prompt_experiment',
-    'handle_claude4_vs_gpt5_experiment',
-    'handle_condenser_max_step_experiment',
-]

enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py

@@ -0,0 +1,65 @@
+from pydantic import SecretStr
+from server.auth.token_manager import TokenManager
+
+from openhands.core.logger import openhands_logger as logger
+from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import (
+    BitbucketDCService,
+)
+from openhands.integrations.service_types import ProviderType
+
+
+class SaaSBitbucketDCService(BitbucketDCService):
+    def __init__(
+        self,
+        user_id: str | None = None,
+        external_auth_token: SecretStr | None = None,
+        external_auth_id: str | None = None,
+        token: SecretStr | None = None,
+        external_token_manager: bool = False,
+        base_domain: str | None = None,
+    ):
+        logger.debug(
+            f'SaaSBitbucketDCService created with user_id {user_id}, external_auth_id {external_auth_id}, external_auth_token {'set' if external_auth_token else 'None'}, token {'set' if token else 'None'}, external_token_manager {external_token_manager}'
+        )
+        super().__init__(
+            user_id=user_id,
+            external_auth_token=external_auth_token,
+            external_auth_id=external_auth_id,
+            token=token,
+            external_token_manager=external_token_manager,
+            base_domain=base_domain,
+        )
+
+        self.token_manager = TokenManager(external=external_token_manager)
+        self.refresh = True
+
+    async def get_latest_token(self) -> SecretStr | None:
+        bitbucket_dc_token = None
+        if self.external_auth_token:
+            bitbucket_dc_token = SecretStr(
+                await self.token_manager.get_idp_token(
+                    self.external_auth_token.get_secret_value(),
+                    idp=ProviderType.BITBUCKET_DATA_CENTER,
+                )
+            )
+            logger.debug('Got Bitbucket DC token via external_auth_token')
+        elif self.external_auth_id:
+            offline_token = await self.token_manager.load_offline_token(
+                self.external_auth_id
+            )
+            bitbucket_dc_token = SecretStr(
+                await self.token_manager.get_idp_token_from_offline_token(
+                    offline_token, ProviderType.BITBUCKET_DATA_CENTER
+                )
+            )
+            logger.debug('Got Bitbucket DC token via external_auth_id')
+        elif self.user_id:
+            bitbucket_dc_token = SecretStr(
+                await self.token_manager.get_idp_token_from_idp_user_id(
+                    self.user_id, ProviderType.BITBUCKET_DATA_CENTER
+                )
+            )
+            logger.debug('Got Bitbucket DC token via user_id')
+        else:
+            logger.warning('external_auth_token and user_id not set!')
+        return bitbucket_dc_token

enterprise/integrations/github/data_collector.py

@@ -6,7 +6,7 @@ from datetime import datetime
 from enum import Enum
 from typing import Any
 
-from github import Github, GithubIntegration
+from github import Auth, Github, GithubIntegration
 from integrations.github.github_view import (
     GithubIssue,
 )
@@ -84,7 +84,7 @@ class GitHubDataCollector:
         # self.full_saved_pr_path = 'github_data/prs/{}-{}/data.json'
         self.full_saved_pr_path = 'prs/github/{}-{}/data.json'
         self.github_integration = GithubIntegration(
-            GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
+            auth=Auth.AppAuth(GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY)
         )
         self.conversation_id = None
 
@@ -116,10 +116,8 @@ class GitHubDataCollector:
 
         return suffix
 
-    def _get_installation_access_token(self, installation_id: str) -> str:
-        token_data = self.github_integration.get_access_token(
-            installation_id  # type: ignore[arg-type]
-        )
+    def _get_installation_access_token(self, installation_id: int) -> str:
+        token_data = self.github_integration.get_access_token(installation_id)
         return token_data.token
 
     def _check_openhands_author(self, name, login) -> bool:
@@ -134,7 +132,7 @@ class GitHubDataCollector:
         )
 
     def _get_issue_comments(
-        self, installation_id: str, repo_name: str, issue_number: int, conversation_id
+        self, installation_id: int, repo_name: str, issue_number: int, conversation_id
     ) -> list[dict[str, Any]]:
         """
         Retrieve all comments from an issue until a comment with conversation_id is found
@@ -143,7 +141,7 @@ class GitHubDataCollector:
         try:
             installation_token = self._get_installation_access_token(installation_id)
 
-            with Github(installation_token) as github_client:
+            with Github(auth=Auth.Token(installation_token)) as github_client:
                 repo = github_client.get_repo(repo_name)
                 issue = repo.get_issue(issue_number)
                 comments = []
@@ -234,10 +232,10 @@ class GitHubDataCollector:
             f'[Github]: Saved issue #{issue_number} for {github_view.full_repo_name}'
         )
 
-    def _get_pr_commits(self, installation_id: str, repo_name: str, pr_number: int):
+    def _get_pr_commits(self, installation_id: int, repo_name: str, pr_number: int):
         commits = []
         installation_token = self._get_installation_access_token(installation_id)
-        with Github(installation_token) as github_client:
+        with Github(auth=Auth.Token(installation_token)) as github_client:
             repo = github_client.get_repo(repo_name)
             pr = repo.get_pull(pr_number)
 
@@ -431,7 +429,7 @@ class GitHubDataCollector:
         - Num openhands review comments
         """
         pr_number = openhands_pr.pr_number
-        installation_id = openhands_pr.installation_id
+        installation_id = int(openhands_pr.installation_id)
         repo_id = openhands_pr.repo_id
 
         # Get installation token and create Github client
@@ -569,7 +567,7 @@ class GitHubDataCollector:
         openhands_helped_author = openhands_commit_count > 0
 
         # Update the PR with OpenHands statistics
-        update_success = store.update_pr_openhands_stats(
+        update_success = await store.update_pr_openhands_stats(
             repo_id=repo_id,
             pr_number=pr_number,
             original_updated_at=openhands_pr.updated_at,
@@ -612,7 +610,7 @@ class GitHubDataCollector:
         action = payload.get('action', '')
         return action == 'closed' and 'pull_request' in payload
 
-    def _track_closed_or_merged_pr(self, payload):
+    async def _track_closed_or_merged_pr(self, payload):
         """
         Track PR closed/merged event
         """
@@ -671,17 +669,17 @@ class GitHubDataCollector:
             num_general_comments=num_general_comments,
         )
 
-        store.insert_pr(pr)
+        await store.insert_pr(pr)
         logger.info(f'Tracked PR {status}: {repo_id}#{pr_number}')
 
-    def process_payload(self, message: Message):
+    async def process_payload(self, message: Message):
         if not COLLECT_GITHUB_INTERACTIONS:
             return
 
         raw_payload = message.message.get('payload', {})
 
         if self._is_pr_closed_or_merged(raw_payload):
-            self._track_closed_or_merged_pr(raw_payload)
+            await self._track_closed_or_merged_pr(raw_payload)
 
     async def save_data(self, github_view: ResolverViewInterface):
         if not COLLECT_GITHUB_INTERACTIONS:

enterprise/integrations/github/github_manager.py

@@ -1,6 +1,6 @@
 from types import MappingProxyType
 
-from github import Github, GithubIntegration
+from github import Auth, Github, GithubIntegration
 from integrations.github.data_collector import GitHubDataCollector
 from integrations.github.github_solvability import summarize_issue_solvability
 from integrations.github.github_view import (
@@ -10,6 +10,7 @@ from integrations.github.github_view import (
     GithubIssue,
     GithubIssueComment,
     GithubPRComment,
+    GithubViewType,
 )
 from integrations.manager import Manager
 from integrations.models import (
@@ -19,30 +20,39 @@ from integrations.models import (
 from integrations.types import ResolverViewInterface
 from integrations.utils import (
     CONVERSATION_URL,
+    ENABLE_SOLVABILITY_ANALYSIS,
     HOST_URL,
     OPENHANDS_RESOLVER_TEMPLATES_DIR,
+    get_session_expired_message,
+    get_user_not_found_message,
 )
+from integrations.v1_utils import get_saas_user_auth
 from jinja2 import Environment, FileSystemLoader
 from pydantic import SecretStr
+from server.auth.auth_error import ExpiredError
 from server.auth.constants import GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
 from server.auth.token_manager import TokenManager
 from server.utils.conversation_callback_utils import register_callback_processor
 
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.provider import ProviderToken, ProviderType
-from openhands.server.types import LLMAuthenticationError, MissingSettingsError
-from openhands.storage.data_models.user_secrets import UserSecrets
-from openhands.utils.async_utils import call_sync_from_async
+from openhands.integrations.service_types import AuthenticationError
+from openhands.server.types import (
+    LLMAuthenticationError,
+    MissingSettingsError,
+    SessionExpiredError,
+)
+from openhands.storage.data_models.secrets import Secrets
 
 
-class GithubManager(Manager):
+class GithubManager(Manager[GithubViewType]):
     def __init__(
         self, token_manager: TokenManager, data_collector: GitHubDataCollector
     ):
         self.token_manager = token_manager
         self.data_collector = data_collector
         self.github_integration = GithubIntegration(
-            GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
+            auth=Auth.AppAuth(GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY)
         )
 
         self.jinja_env = Environment(
@@ -59,11 +69,8 @@ class GithubManager(Manager):
 
         return f'{owner}/{repo_name}'
 
-    def _get_installation_access_token(self, installation_id: str) -> str:
-        # get_access_token is typed to only accept int, but it can handle str.
-        token_data = self.github_integration.get_access_token(
-            installation_id  # type: ignore[arg-type]
-        )
+    def _get_installation_access_token(self, installation_id: int) -> str:
+        token_data = self.github_integration.get_access_token(installation_id)
         return token_data.token
 
     def _add_reaction(
@@ -76,7 +83,7 @@ class GithubManager(Manager):
             reaction: The reaction to add (e.g. "eyes", "+1", "-1", "laugh", "confused", "heart", "hooray", "rocket")
             installation_token: GitHub installation access token for API access
         """
-        with Github(installation_token) as github_client:
+        with Github(auth=Auth.Token(installation_token)) as github_client:
             repo = github_client.get_repo(github_view.full_repo_name)
             # Add reaction based on view type
             if isinstance(github_view, GithubInlinePRComment):
@@ -118,6 +125,76 @@ class GithubManager(Manager):
 
             return False
 
+    def _get_issue_number_from_payload(self, message: Message) -> int | None:
+        """Extract issue/PR number from a GitHub webhook payload.
+
+        Supports all event types that can trigger jobs:
+        - Labeled issues: payload['issue']['number']
+        - Issue comments: payload['issue']['number']
+        - PR comments: payload['issue']['number'] (PRs are accessed via issue endpoint)
+        - Inline PR comments: payload['pull_request']['number']
+
+        Args:
+            message: The incoming GitHub webhook message
+
+        Returns:
+            The issue/PR number, or None if not found
+        """
+        payload = message.message.get('payload', {})
+
+        # Labeled issues, issue comments, and PR comments all have 'issue' in payload
+        if 'issue' in payload:
+            return payload['issue']['number']
+
+        # Inline PR comments have 'pull_request' directly in payload
+        if 'pull_request' in payload:
+            return payload['pull_request']['number']
+
+        return None
+
+    def _send_user_not_found_message(self, message: Message, username: str):
+        """Send a message to the user informing them they need to create an OpenHands account.
+
+        This method handles all supported trigger types:
+        - Labeled issues (action='labeled' with openhands label)
+        - Issue comments (comment containing @openhands)
+        - PR comments (comment containing @openhands on a PR)
+        - Inline PR review comments (comment containing @openhands)
+
+        Args:
+            message: The incoming GitHub webhook message
+            username: The GitHub username to mention in the response
+        """
+        payload = message.message.get('payload', {})
+        installation_id = message.message['installation']
+        repo_obj = payload['repository']
+        full_repo_name = self._get_full_repo_name(repo_obj)
+
+        # Get installation token to post the comment
+        installation_token = self._get_installation_access_token(installation_id)
+
+        # Determine the issue/PR number based on the event type
+        issue_number = self._get_issue_number_from_payload(message)
+
+        if not issue_number:
+            logger.warning(
+                f'[GitHub] Could not determine issue/PR number to send user not found message for {username}. '
+                f'Payload keys: {list(payload.keys())}'
+            )
+            return
+
+        # Post the comment
+        try:
+            with Github(auth=Auth.Token(installation_token)) as github_client:
+                repo = github_client.get_repo(full_repo_name)
+                issue = repo.get_issue(number=issue_number)
+                issue.create_comment(get_user_not_found_message(username))
+        except Exception as e:
+            logger.error(
+                f'[GitHub] Failed to send user not found message to {username} '
+                f'on {full_repo_name}#{issue_number}: {e}'
+            )
+
     async def is_job_requested(self, message: Message) -> bool:
         self._confirm_incoming_source_type(message)
 
@@ -137,11 +214,7 @@ class GithubManager(Manager):
         ).get('body', ''):
             return False
 
-        if GithubFactory.is_eligible_for_conversation_starter(
-            message
-        ) and self._user_has_write_access_to_repo(installation_id, repo_name, username):
-            await GithubFactory.trigger_conversation_starter(message)
-
+        # Check event types before making expensive API calls (e.g., _user_has_write_access_to_repo)
         if not (
             GithubFactory.is_labeled_issue(message)
             or GithubFactory.is_issue_comment(message)
@@ -151,21 +224,46 @@ class GithubManager(Manager):
             return False
 
         logger.info(f'[GitHub] Checking permissions for {username} in {repo_name}')
+        user_has_write_access = self._user_has_write_access_to_repo(
+            installation_id, repo_name, username
+        )
 
-        return self._user_has_write_access_to_repo(installation_id, repo_name, username)
+        if (
+            GithubFactory.is_eligible_for_conversation_starter(message)
+            and user_has_write_access
+        ):
+            await GithubFactory.trigger_conversation_starter(message)
+
+        return user_has_write_access
 
     async def receive_message(self, message: Message):
         self._confirm_incoming_source_type(message)
         try:
-            await call_sync_from_async(self.data_collector.process_payload, message)
+            await self.data_collector.process_payload(message)
         except Exception:
             logger.warning(
                 '[Github]: Error processing payload for gh interaction', exc_info=True
             )
 
         if await self.is_job_requested(message):
+            payload = message.message.get('payload', {})
+            user_id = payload['sender']['id']
+            username = payload['sender']['login']
+            keycloak_user_id = await self.token_manager.get_user_id_from_idp_user_id(
+                user_id, ProviderType.GITHUB
+            )
+
+            # Check if the user has an OpenHands account
+            if not keycloak_user_id:
+                logger.warning(
+                    f'[GitHub] User {username} (id={user_id}) not found in Keycloak. '
+                    f'User must create an OpenHands account first.'
+                )
+                self._send_user_not_found_message(message, username)
+                return
+
             github_view = await GithubFactory.create_github_view_from_payload(
-                message, self.token_manager
+                message, keycloak_user_id
             )
             logger.info(
                 f'[GitHub] Creating job for {github_view.user_info.username} in {github_view.full_repo_name}#{github_view.issue_number}'
@@ -175,46 +273,51 @@ class GithubManager(Manager):
                 github_view.installation_id
             )
             # Store the installation token
-            self.token_manager.store_org_token(
+            await self.token_manager.store_org_token(
                 github_view.installation_id, installation_token
             )
             # Add eyes reaction to acknowledge we've read the request
             self._add_reaction(github_view, 'eyes', installation_token)
             await self.start_job(github_view)
 
-    async def send_message(self, message: Message, github_view: ResolverViewInterface):
-        installation_token = self.token_manager.load_org_token(
+    async def send_message(self, message: str, github_view: GithubViewType):
+        """Send a message to GitHub.
+
+        Args:
+            message: The message content to send (plain text string)
+            github_view: The GitHub view object containing issue/PR/comment info
+        """
+        installation_token = await self.token_manager.load_org_token(
             github_view.installation_id
         )
         if not installation_token:
             logger.warning('Missing installation token')
             return
 
-        outgoing_message = message.message
-
         if isinstance(github_view, GithubInlinePRComment):
-            with Github(installation_token) as github_client:
+            with Github(auth=Auth.Token(installation_token)) as github_client:
                 repo = github_client.get_repo(github_view.full_repo_name)
                 pr = repo.get_pull(github_view.issue_number)
                 pr.create_review_comment_reply(
-                    comment_id=github_view.comment_id, body=outgoing_message
+                    comment_id=github_view.comment_id, body=message
                 )
 
-        elif (
-            isinstance(github_view, GithubPRComment)
-            or isinstance(github_view, GithubIssueComment)
-            or isinstance(github_view, GithubIssue)
+        elif isinstance(
+            github_view, (GithubPRComment, GithubIssueComment, GithubIssue)
         ):
-            with Github(installation_token) as github_client:
+            with Github(auth=Auth.Token(installation_token)) as github_client:
                 repo = github_client.get_repo(github_view.full_repo_name)
                 issue = repo.get_issue(number=github_view.issue_number)
-                issue.create_comment(outgoing_message)
+                issue.create_comment(message)
 
         else:
-            logger.warning('Unsupported location')
+            # Catch any new types added to GithubViewType that aren't handled above
+            logger.warning(  # type: ignore[unreachable]
+                f'Unsupported github_view type: {type(github_view).__name__}'
+            )
             return
 
-    async def start_job(self, github_view: ResolverViewInterface):
+    async def start_job(self, github_view: GithubViewType) -> None:
         """Kick off a job with openhands agent.
 
         1. Get user credential
@@ -227,7 +330,7 @@ class GithubManager(Manager):
         )
 
         try:
-            msg_info = None
+            msg_info: str = ''
 
             try:
                 user_info = github_view.user_info
@@ -250,7 +353,7 @@ class GithubManager(Manager):
                     f'[GitHub] Creating new conversation for user {user_info.username}'
                 )
 
-                secret_store = UserSecrets(
+                secret_store = Secrets(
                     provider_tokens=MappingProxyType(
                         {
                             ProviderType.GITHUB: ProviderToken(
@@ -268,22 +371,29 @@ class GithubManager(Manager):
                 #   3. Once the conversation is started, its base cost will include the report's spend as well which allows us to control max budget per resolver task
                 convo_metadata = await github_view.initialize_new_conversation()
                 solvability_summary = None
-                try:
-                    if user_token:
+                if not ENABLE_SOLVABILITY_ANALYSIS:
+                    logger.info(
+                        '[Github]: Solvability report feature is disabled, skipping'
+                    )
+                else:
+                    try:
                         solvability_summary = await summarize_issue_solvability(
                             github_view, user_token
                         )
-                    else:
+                    except Exception as e:
                         logger.warning(
-                            '[Github]: No user token available for solvability analysis'
+                            f'[Github]: Error summarizing issue solvability: {str(e)}'
                         )
-                except Exception as e:
-                    logger.warning(
-                        f'[Github]: Error summarizing issue solvability: {str(e)}'
-                    )
+
+                saas_user_auth = await get_saas_user_auth(
+                    github_view.user_info.keycloak_user_id, self.token_manager
+                )
 
                 await github_view.create_new_conversation(
-                    self.jinja_env, secret_store.provider_tokens, convo_metadata
+                    self.jinja_env,
+                    secret_store.provider_tokens,
+                    convo_metadata,
+                    saas_user_auth,
                 )
 
                 conversation_id = github_view.conversation_id
@@ -292,18 +402,19 @@ class GithubManager(Manager):
                     f'[GitHub] Created conversation {conversation_id} for user {user_info.username}'
                 )
 
-                # Create a GithubCallbackProcessor
-                processor = GithubCallbackProcessor(
-                    github_view=github_view,
-                    send_summary_instruction=True,
-                )
+                if not github_view.v1_enabled:
+                    # Create a GithubCallbackProcessor
+                    processor = GithubCallbackProcessor(
+                        github_view=github_view,
+                        send_summary_instruction=True,
+                    )
 
-                # Register the callback processor
-                register_callback_processor(conversation_id, processor)
+                    # Register the callback processor
+                    register_callback_processor(conversation_id, processor)
 
-                logger.info(
-                    f'[Github] Registered callback processor for conversation {conversation_id}'
-                )
+                    logger.info(
+                        f'[Github] Registered callback processor for conversation {conversation_id}'
+                    )
 
                 # Send message with conversation link
                 conversation_link = CONVERSATION_URL.format(conversation_id)
@@ -328,15 +439,20 @@ class GithubManager(Manager):
 
                 msg_info = f'@{user_info.username} please set a valid LLM API key in [OpenHands Cloud]({HOST_URL}) before starting a job.'
 
-            msg = self.create_outgoing_message(msg_info)
-            await self.send_message(msg, github_view)
+            except (AuthenticationError, ExpiredError, SessionExpiredError) as e:
+                logger.warning(
+                    f'[GitHub] Session expired for user {user_info.username}: {str(e)}'
+                )
+
+                msg_info = get_session_expired_message(user_info.username)
+
+            await self.send_message(msg_info, github_view)
 
         except Exception:
             logger.exception('[Github]: Error starting job')
-            msg = self.create_outgoing_message(
-                msg='Uh oh! There was an unexpected error starting the job :('
+            await self.send_message(
+                'Uh oh! There was an unexpected error starting the job :(', github_view
             )
-            await self.send_message(msg, github_view)
 
         try:
             await self.data_collector.save_data(github_view)

enterprise/integrations/github/github_service.py

@@ -1,6 +1,6 @@
 import asyncio
 
-from integrations.utils import store_repositories_in_db
+from integrations.store_repo_utils import store_repositories_in_db
 from pydantic import SecretStr
 from server.auth.token_manager import TokenManager
 
@@ -122,13 +122,37 @@ class SaaSGitHubService(GitHubService):
             raise Exception(f'No node_id found for repository {repo_id}')
         return node_id
 
+    async def _get_external_auth_id(self) -> str | None:
+        """Get or fetch external_auth_id from Keycloak token if not already set."""
+        if self.external_auth_id:
+            return self.external_auth_id
+
+        if self.external_auth_token:
+            try:
+                user_info = await self.token_manager.get_user_info(
+                    self.external_auth_token.get_secret_value()
+                )
+                self.external_auth_id = user_info.sub
+                logger.info(
+                    f'Determined external_auth_id from Keycloak token: {self.external_auth_id}'
+                )
+                return self.external_auth_id
+            except Exception as e:
+                logger.warning(
+                    f'Could not determine external_auth_id from token: {e}',
+                    exc_info=True,
+                )
+        return None
+
     async def get_paginated_repos(self, page, per_page, sort, installation_id):
         repositories = await super().get_paginated_repos(
             page, per_page, sort, installation_id
         )
-        asyncio.create_task(
-            store_repositories_in_db(repositories, self.external_auth_id)
-        )
+        external_auth_id = await self._get_external_auth_id()
+        if external_auth_id:
+            asyncio.create_task(
+                store_repositories_in_db(repositories, external_auth_id)
+            )
         return repositories
 
     async def get_all_repositories(
@@ -136,8 +160,10 @@ class SaaSGitHubService(GitHubService):
     ) -> list[Repository]:
         repositories = await super().get_all_repositories(sort, app_mode)
         # Schedule the background task without awaiting it
-        asyncio.create_task(
-            store_repositories_in_db(repositories, self.external_auth_id)
-        )
+        external_auth_id = await self._get_external_auth_id()
+        if external_auth_id:
+            asyncio.create_task(
+                store_repositories_in_db(repositories, external_auth_id)
+            )
         # Return repositories immediately
         return repositories

enterprise/integrations/github/github_solvability.py

@@ -1,7 +1,7 @@
 import asyncio
 import time
 
-from github import Github
+from github import Auth, Github
 from integrations.github.github_view import (
     GithubInlinePRComment,
     GithubIssueComment,
@@ -14,7 +14,6 @@ from integrations.solvability.models.summary import SolvabilitySummary
 from integrations.utils import ENABLE_SOLVABILITY_ANALYSIS
 from pydantic import ValidationError
 from server.config import get_config
-from storage.database import session_maker
 from storage.saas_settings_store import SaasSettingsStore
 
 from openhands.core.config import LLMConfig
@@ -47,7 +46,7 @@ def fetch_github_issue_context(
     context_parts.append(f'Title: {github_view.title}')
     context_parts.append(f'Description:\n{github_view.description}')
 
-    with Github(user_token) as github_client:
+    with Github(auth=Auth.Token(user_token)) as github_client:
         repo = github_client.get_repo(github_view.full_repo_name)
         issue = repo.get_issue(github_view.issue_number)
         if issue.labels:
@@ -90,7 +89,6 @@ async def summarize_issue_solvability(
     # Grab the user's information so we can load their LLM configuration
     store = SaasSettingsStore(
         user_id=github_view.user_info.keycloak_user_id,
-        session_maker=session_maker,
         config=get_config(),
     )
 
@@ -108,6 +106,11 @@ async def summarize_issue_solvability(
             f'Solvability analysis disabled for user {github_view.user_info.user_id}'
         )
 
+    if user_settings.llm_api_key is None:
+        raise ValueError(
+            f'[Solvability] No LLM API key found for user {github_view.user_info.user_id}'
+        )
+
     try:
         llm_config = LLMConfig(
             model=user_settings.llm_model,

enterprise/integrations/github/github_v1_callback_processor.py

@@ -0,0 +1,298 @@
+import logging
+from typing import Any
+from uuid import UUID
+
+import httpx
+from github import Auth, Github, GithubException, GithubIntegration
+from integrations.utils import get_summary_instruction
+from integrations.v1_utils import handle_callback_error
+from pydantic import Field
+from server.auth.constants import GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
+
+from openhands.agent_server.models import AskAgentRequest, AskAgentResponse
+from openhands.app_server.event_callback.event_callback_models import (
+    EventCallback,
+    EventCallbackProcessor,
+)
+from openhands.app_server.event_callback.event_callback_result_models import (
+    EventCallbackResult,
+    EventCallbackResultStatus,
+)
+from openhands.app_server.event_callback.util import (
+    ensure_conversation_found,
+    ensure_running_sandbox,
+    get_agent_server_url_from_sandbox,
+)
+from openhands.sdk import Event
+from openhands.sdk.event import ConversationStateUpdateEvent
+
+_logger = logging.getLogger(__name__)
+
+
+class GithubV1CallbackProcessor(EventCallbackProcessor):
+    """Callback processor for GitHub V1 integrations."""
+
+    github_view_data: dict[str, Any] = Field(default_factory=dict)
+    should_request_summary: bool = Field(default=True)
+    inline_pr_comment: bool = Field(default=False)
+
+    async def __call__(
+        self,
+        conversation_id: UUID,
+        callback: EventCallback,
+        event: Event,
+    ) -> EventCallbackResult | None:
+        """Process events for GitHub V1 integration."""
+        # Only handle ConversationStateUpdateEvent
+        if not isinstance(event, ConversationStateUpdateEvent):
+            return None
+
+        # Only act when execution has finished
+        if not (event.key == 'execution_status' and event.value == 'finished'):
+            return None
+
+        _logger.info('[GitHub V1] Callback agent state was %s', event)
+        _logger.info(
+            '[GitHub V1] Should request summary: %s', self.should_request_summary
+        )
+
+        if not self.should_request_summary:
+            return None
+
+        self.should_request_summary = False
+
+        try:
+            _logger.info(f'[GitHub V1] Requesting summary {conversation_id}')
+            summary = await self._request_summary(conversation_id)
+            _logger.info(
+                f'[GitHub V1] Posting summary {conversation_id}',
+                extra={'summary': summary},
+            )
+            await self._post_summary_to_github(summary)
+
+            return EventCallbackResult(
+                status=EventCallbackResultStatus.SUCCESS,
+                event_callback_id=callback.id,
+                event_id=event.id,
+                conversation_id=conversation_id,
+                detail=summary,
+            )
+        except Exception as e:
+            # Check if we have installation ID and credentials before posting
+            can_post_error = bool(
+                self.github_view_data.get('installation_id')
+                and GITHUB_APP_CLIENT_ID
+                and GITHUB_APP_PRIVATE_KEY
+            )
+            await handle_callback_error(
+                error=e,
+                conversation_id=conversation_id,
+                service_name='GitHub',
+                service_logger=_logger,
+                can_post_error=can_post_error,
+                post_error_func=self._post_summary_to_github,
+            )
+
+            return EventCallbackResult(
+                status=EventCallbackResultStatus.ERROR,
+                event_callback_id=callback.id,
+                event_id=event.id,
+                conversation_id=conversation_id,
+                detail=str(e),
+            )
+
+    # -------------------------------------------------------------------------
+    # GitHub helpers
+    # -------------------------------------------------------------------------
+
+    def _get_installation_access_token(self) -> str:
+        installation_id = self.github_view_data.get('installation_id')
+
+        if not installation_id:
+            raise ValueError(
+                f'Missing installation ID for GitHub payload: {self.github_view_data}'
+            )
+
+        if not GITHUB_APP_CLIENT_ID or not GITHUB_APP_PRIVATE_KEY:
+            raise ValueError('GitHub App credentials are not configured')
+
+        github_integration = GithubIntegration(
+            auth=Auth.AppAuth(GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY),
+        )
+        token_data = github_integration.get_access_token(installation_id)
+        return token_data.token
+
+    async def _post_summary_to_github(self, summary: str) -> None:
+        """Post a summary comment to the configured GitHub issue."""
+        installation_token = self._get_installation_access_token()
+
+        if not installation_token:
+            raise RuntimeError('Missing GitHub credentials')
+
+        full_repo_name = self.github_view_data['full_repo_name']
+        issue_number = self.github_view_data['issue_number']
+
+        try:
+            if self.inline_pr_comment:
+                with Github(auth=Auth.Token(installation_token)) as github_client:
+                    repo = github_client.get_repo(full_repo_name)
+                    pr = repo.get_pull(issue_number)
+                    pr.create_review_comment_reply(
+                        comment_id=self.github_view_data.get('comment_id', ''),
+                        body=summary,
+                    )
+                return
+
+            with Github(auth=Auth.Token(installation_token)) as github_client:
+                repo = github_client.get_repo(full_repo_name)
+                issue = repo.get_issue(number=issue_number)
+                issue.create_comment(summary)
+        except GithubException as e:
+            if e.status == 410:
+                _logger.info(
+                    '[GitHub V1] Issue/PR %s#%s was deleted, skipping summary post',
+                    full_repo_name,
+                    issue_number,
+                )
+            else:
+                raise
+
+    # -------------------------------------------------------------------------
+    # Agent / sandbox helpers
+    # -------------------------------------------------------------------------
+
+    async def _ask_question(
+        self,
+        httpx_client: httpx.AsyncClient,
+        agent_server_url: str,
+        conversation_id: UUID,
+        session_api_key: str,
+        message_content: str,
+    ) -> str:
+        """Send a message to the agent server via the V1 API and return response text."""
+        send_message_request = AskAgentRequest(question=message_content)
+
+        url = (
+            f"{agent_server_url.rstrip('/')}"
+            f"/api/conversations/{conversation_id}/ask_agent"
+        )
+        headers = {'X-Session-API-Key': session_api_key}
+        payload = send_message_request.model_dump()
+
+        try:
+            response = await httpx_client.post(
+                url,
+                json=payload,
+                headers=headers,
+                timeout=30.0,
+            )
+            response.raise_for_status()
+
+            agent_response = AskAgentResponse.model_validate(response.json())
+            return agent_response.response
+
+        except httpx.HTTPStatusError as e:
+            error_detail = f'HTTP {e.response.status_code} error'
+            try:
+                error_body = e.response.text
+                if error_body:
+                    error_detail += f': {error_body}'
+            except Exception:  # noqa: BLE001
+                pass
+
+            _logger.error(
+                '[GitHub V1] HTTP error sending message to %s: %s. '
+                'Request payload: %s. Response headers: %s',
+                url,
+                error_detail,
+                payload,
+                dict(e.response.headers),
+                exc_info=True,
+            )
+            raise Exception(f'Failed to send message to agent server: {error_detail}')
+
+        except httpx.TimeoutException:
+            error_detail = f'Request timeout after 30 seconds to {url}'
+            _logger.error(
+                '[GitHub V1] %s. Request payload: %s',
+                error_detail,
+                payload,
+                exc_info=True,
+            )
+            raise Exception(error_detail)
+
+        except httpx.RequestError as e:
+            error_detail = f'Request error to {url}: {str(e)}'
+            _logger.error(
+                '[GitHub V1] %s. Request payload: %s',
+                error_detail,
+                payload,
+                exc_info=True,
+            )
+            raise Exception(error_detail)
+
+    # -------------------------------------------------------------------------
+    # Summary orchestration
+    # -------------------------------------------------------------------------
+
+    async def _request_summary(self, conversation_id: UUID) -> str:
+        """Ask the agent to produce a summary of its work and return the agent response.
+
+        NOTE: This method now returns a string (the agent server's response text)
+        and raises exceptions on errors. The wrapping into EventCallbackResult
+        is handled by __call__.
+        """
+        # Import services within the method to avoid circular imports
+        from openhands.app_server.config import (
+            get_app_conversation_info_service,
+            get_httpx_client,
+            get_sandbox_service,
+        )
+        from openhands.app_server.services.injector import InjectorState
+        from openhands.app_server.user.specifiy_user_context import (
+            ADMIN,
+            USER_CONTEXT_ATTR,
+        )
+
+        # Create injector state for dependency injection
+        state = InjectorState()
+        setattr(state, USER_CONTEXT_ATTR, ADMIN)
+
+        async with (
+            get_app_conversation_info_service(state) as app_conversation_info_service,
+            get_sandbox_service(state) as sandbox_service,
+            get_httpx_client(state) as httpx_client,
+        ):
+            # 1. Conversation lookup
+            app_conversation_info = ensure_conversation_found(
+                await app_conversation_info_service.get_app_conversation_info(
+                    conversation_id
+                ),
+                conversation_id,
+            )
+
+            # 2. Sandbox lookup + validation
+            sandbox = ensure_running_sandbox(
+                await sandbox_service.get_sandbox(app_conversation_info.sandbox_id),
+                app_conversation_info.sandbox_id,
+            )
+
+            assert (
+                sandbox.session_api_key is not None
+            ), f'No session API key for sandbox: {sandbox.id}'
+
+            # 3. URL + instruction
+            agent_server_url = get_agent_server_url_from_sandbox(sandbox)
+            agent_server_url = get_agent_server_url_from_sandbox(sandbox)
+
+            # Prepare message based on agent state
+            message_content = get_summary_instruction()
+
+            # Ask the agent and return the response text
+            return await self._ask_question(
+                httpx_client=httpx_client,
+                agent_server_url=agent_server_url,
+                conversation_id=conversation_id,
+                session_api_key=sandbox.session_api_key,
+                message_content=message_content,
+            )

enterprise/integrations/github/github_view.py

@@ -1,6 +1,7 @@
-from uuid import uuid4
+from dataclasses import dataclass
+from uuid import UUID, uuid4
 
-from github import Github, GithubIntegration
+from github import Auth, Github, GithubIntegration
 from github.Issue import Issue
 from integrations.github.github_types import (
     WorkflowRun,
@@ -8,32 +9,43 @@ from integrations.github.github_types import (
     WorkflowRunStatus,
 )
 from integrations.models import Message
+from integrations.resolver_context import ResolverUserContext
 from integrations.types import ResolverViewInterface, UserData
 from integrations.utils import (
     ENABLE_PROACTIVE_CONVERSATION_STARTERS,
+    ENABLE_V1_GITHUB_RESOLVER,
     HOST,
     HOST_URL,
     get_oh_labels,
+    get_user_v1_enabled_setting,
     has_exact_mention,
 )
 from jinja2 import Environment
-from pydantic.dataclasses import dataclass
 from server.auth.constants import GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
 from server.auth.token_manager import TokenManager
 from server.config import get_config
-from storage.database import session_maker
+from storage.org_store import OrgStore
 from storage.proactive_conversation_store import ProactiveConversationStore
 from storage.saas_secrets_store import SaasSecretsStore
-from storage.user_settings import UserSettings
 
+from openhands.agent_server.models import SendMessageRequest
+from openhands.app_server.app_conversation.app_conversation_models import (
+    AppConversationStartRequest,
+    AppConversationStartTaskStatus,
+)
+from openhands.app_server.config import get_app_conversation_service
+from openhands.app_server.services.injector import InjectorState
+from openhands.app_server.user.specifiy_user_context import USER_CONTEXT_ATTR
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.github.github_service import GithubServiceImpl
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderType
 from openhands.integrations.service_types import Comment
+from openhands.sdk import TextContent
 from openhands.server.services.conversation_service import (
     initialize_conversation,
     start_conversation,
 )
+from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import (
     ConversationMetadata,
     ConversationTrigger,
@@ -43,6 +55,10 @@ from openhands.utils.async_utils import call_sync_from_async
 OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)
 
 
+async def is_v1_enabled_for_github_resolver(user_id: str) -> bool:
+    return await get_user_v1_enabled_setting(user_id) and ENABLE_V1_GITHUB_RESOLVER
+
+
 async def get_user_proactive_conversation_setting(user_id: str | None) -> bool:
     """Get the user's proactive conversation setting.
 
@@ -56,25 +72,18 @@ async def get_user_proactive_conversation_setting(user_id: str | None) -> bool:
         This function checks both the global environment variable kill switch AND
         the user's individual setting. Both must be true for the function to return true.
     """
-
     # If no user ID is provided, we can't check user settings
     if not user_id:
         return False
 
-    def _get_setting():
-        with session_maker() as session:
-            settings = (
-                session.query(UserSettings)
-                .filter(UserSettings.keycloak_user_id == user_id)
-                .first()
-            )
+    # Check global setting first - if disabled globally, return False
+    if not ENABLE_PROACTIVE_CONVERSATION_STARTERS:
+        return False
 
-            if not settings or settings.enable_proactive_conversation_starters is None:
-                return False
-
-            return settings.enable_proactive_conversation_starters
-
-    return await call_sync_from_async(_get_setting)
+    org = await OrgStore.get_current_org_from_keycloak_user_id(user_id)
+    if not org:
+        return False
+    return bool(org.enable_proactive_conversation_starters)
 
 
 # =================================================
@@ -97,6 +106,10 @@ class GithubIssue(ResolverViewInterface):
     title: str
     description: str
     previous_comments: list[Comment]
+    v1_enabled: bool
+
+    def _get_branch_name(self) -> str | None:
+        return getattr(self, 'branch_name', None)
 
     async def _load_resolver_context(self):
         github_service = GithubServiceImpl(
@@ -131,26 +144,44 @@ class GithubIssue(ResolverViewInterface):
             issue_body=self.description,
             previous_comments=self.previous_comments,
         )
+
         return user_instructions, conversation_instructions
 
     async def _get_user_secrets(self):
-        secrets_store = SaasSecretsStore(
-            self.user_info.keycloak_user_id, session_maker, get_config()
-        )
+        secrets_store = SaasSecretsStore(self.user_info.keycloak_user_id, get_config())
         user_secrets = await secrets_store.load()
 
         return user_secrets.custom_secrets if user_secrets else None
 
     async def initialize_new_conversation(self) -> ConversationMetadata:
         # FIXME: Handle if initialize_conversation returns None
+
+        self.v1_enabled = await is_v1_enabled_for_github_resolver(
+            self.user_info.keycloak_user_id
+        )
+
+        logger.info(
+            f'[GitHub V1]: User flag found for {self.user_info.keycloak_user_id} is {self.v1_enabled}'
+        )
+        if self.v1_enabled:
+            # Create dummy conversationm metadata
+            # Don't save to conversation store
+            # V1 conversations are stored in a separate table
+            self.conversation_id = uuid4().hex
+            return ConversationMetadata(
+                conversation_id=self.conversation_id,
+                selected_repository=self.full_repo_name,
+            )
+
         conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
             user_id=self.user_info.keycloak_user_id,
             conversation_id=None,
             selected_repository=self.full_repo_name,
-            selected_branch=None,
+            selected_branch=self._get_branch_name(),
             conversation_trigger=ConversationTrigger.RESOLVER,
             git_provider=ProviderType.GITHUB,
         )
+
         self.conversation_id = conversation_metadata.conversation_id
         return conversation_metadata
 
@@ -159,7 +190,29 @@ class GithubIssue(ResolverViewInterface):
         jinja_env: Environment,
         git_provider_tokens: PROVIDER_TOKEN_TYPE,
         conversation_metadata: ConversationMetadata,
+        saas_user_auth: UserAuth,
     ):
+        logger.info(
+            f'[GitHub V1]: User flag found for {self.user_info.keycloak_user_id} is {self.v1_enabled}'
+        )
+        if self.v1_enabled:
+            # Use V1 app conversation service
+            await self._create_v1_conversation(
+                jinja_env, saas_user_auth, conversation_metadata
+            )
+        else:
+            await self._create_v0_conversation(
+                jinja_env, git_provider_tokens, conversation_metadata
+            )
+
+    async def _create_v0_conversation(
+        self,
+        jinja_env: Environment,
+        git_provider_tokens: PROVIDER_TOKEN_TYPE,
+        conversation_metadata: ConversationMetadata,
+    ):
+        """Create conversation using the legacy V0 system."""
+        logger.info('[GitHub]: Creating V0 conversation')
         custom_secrets = await self._get_user_secrets()
 
         user_instructions, conversation_instructions = await self._get_instructions(
@@ -178,6 +231,100 @@ class GithubIssue(ResolverViewInterface):
             conversation_instructions=conversation_instructions,
         )
 
+    async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str:
+        """Build the initial user message for V1 resolver conversations.
+
+        For "issue opened" events (no specific comment body), we can simply
+        concatenate the user prompt and the rendered issue context.
+
+        Subclasses that represent comment-driven events (issue comments, PR review
+        comments, inline review comments) override this method to control ordering
+        (e.g., context first, then the triggering comment, then previous comments).
+        """
+
+        user_instructions, conversation_instructions = await self._get_instructions(
+            jinja_env
+        )
+
+        parts: list[str] = []
+        if user_instructions.strip():
+            parts.append(user_instructions.strip())
+        if conversation_instructions.strip():
+            parts.append(conversation_instructions.strip())
+
+        return '\n\n'.join(parts)
+
+    async def _create_v1_conversation(
+        self,
+        jinja_env: Environment,
+        saas_user_auth: UserAuth,
+        conversation_metadata: ConversationMetadata,
+    ):
+        """Create conversation using the new V1 app conversation system."""
+        logger.info('[GitHub V1]: Creating V1 conversation')
+
+        initial_user_text = await self._get_v1_initial_user_message(jinja_env)
+
+        # Create the initial message request
+        initial_message = SendMessageRequest(
+            role='user', content=[TextContent(text=initial_user_text)]
+        )
+
+        # Create the GitHub V1 callback processor
+        github_callback_processor = self._create_github_v1_callback_processor()
+
+        # Get the app conversation service and start the conversation
+        injector_state = InjectorState()
+
+        # Create the V1 conversation start request with the callback processor
+        start_request = AppConversationStartRequest(
+            conversation_id=UUID(conversation_metadata.conversation_id),
+            # NOTE: Resolver instructions are intended to be lower priority than the
+            # system prompt, so we inject them into the initial user message.
+            system_message_suffix=None,
+            initial_message=initial_message,
+            selected_repository=self.full_repo_name,
+            selected_branch=self._get_branch_name(),
+            git_provider=ProviderType.GITHUB,
+            title=f'GitHub Issue #{self.issue_number}: {self.title}',
+            trigger=ConversationTrigger.RESOLVER,
+            processors=[
+                github_callback_processor
+            ],  # Pass the callback processor directly
+        )
+
+        # Set up the GitHub user context for the V1 system
+        github_user_context = ResolverUserContext(saas_user_auth=saas_user_auth)
+        setattr(injector_state, USER_CONTEXT_ATTR, github_user_context)
+
+        async with get_app_conversation_service(
+            injector_state
+        ) as app_conversation_service:
+            async for task in app_conversation_service.start_app_conversation(
+                start_request
+            ):
+                if task.status == AppConversationStartTaskStatus.ERROR:
+                    logger.error(f'Failed to start V1 conversation: {task.detail}')
+                    raise RuntimeError(
+                        f'Failed to start V1 conversation: {task.detail}'
+                    )
+
+    def _create_github_v1_callback_processor(self):
+        """Create a V1 callback processor for GitHub integration."""
+        from integrations.github.github_v1_callback_processor import (
+            GithubV1CallbackProcessor,
+        )
+
+        # Create and return the GitHub V1 callback processor
+        return GithubV1CallbackProcessor(
+            github_view_data={
+                'issue_number': self.issue_number,
+                'full_repo_name': self.full_repo_name,
+                'installation_id': self.installation_id,
+            },
+            send_summary_instruction=self.send_summary_instruction,
+        )
+
 
 @dataclass
 class GithubIssueComment(GithubIssue):
@@ -196,7 +343,6 @@ class GithubIssueComment(GithubIssue):
         conversation_instructions_template = jinja_env.get_template(
             'issue_conversation_instructions.j2'
         )
-
         conversation_instructions = conversation_instructions_template.render(
             issue_number=self.issue_number,
             issue_title=self.title,
@@ -206,6 +352,17 @@ class GithubIssueComment(GithubIssue):
 
         return user_instructions, conversation_instructions
 
+    async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str:
+        await self._load_resolver_context()
+        template = jinja_env.get_template('issue_comment_initial_message.j2')
+        return template.render(
+            issue_number=self.issue_number,
+            issue_title=self.title,
+            issue_body=self.description,
+            issue_comment=self.comment_body,
+            previous_comments=self.previous_comments,
+        ).strip()
+
 
 @dataclass
 class GithubPRComment(GithubIssueComment):
@@ -232,19 +389,17 @@ class GithubPRComment(GithubIssueComment):
 
         return user_instructions, conversation_instructions
 
-    async def initialize_new_conversation(self) -> ConversationMetadata:
-        # FIXME: Handle if initialize_conversation returns None
-        conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
-            user_id=self.user_info.keycloak_user_id,
-            conversation_id=None,
-            selected_repository=self.full_repo_name,
-            selected_branch=self.branch_name,
-            conversation_trigger=ConversationTrigger.RESOLVER,
-            git_provider=ProviderType.GITHUB,
-        )
-
-        self.conversation_id = conversation_metadata.conversation_id
-        return conversation_metadata
+    async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str:
+        await self._load_resolver_context()
+        template = jinja_env.get_template('pr_update_initial_message.j2')
+        return template.render(
+            pr_number=self.issue_number,
+            branch_name=self.branch_name,
+            pr_title=self.title,
+            pr_body=self.description,
+            pr_comment=self.comment_body,
+            comments=self.previous_comments,
+        ).strip()
 
 
 @dataclass
@@ -280,7 +435,6 @@ class GithubInlinePRComment(GithubPRComment):
         conversation_instructions_template = jinja_env.get_template(
             'pr_update_conversation_instructions.j2'
         )
-
         conversation_instructions = conversation_instructions_template.render(
             pr_number=self.issue_number,
             pr_title=self.title,
@@ -293,6 +447,38 @@ class GithubInlinePRComment(GithubPRComment):
 
         return user_instructions, conversation_instructions
 
+    async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str:
+        await self._load_resolver_context()
+        template = jinja_env.get_template('pr_update_initial_message.j2')
+        return template.render(
+            pr_number=self.issue_number,
+            branch_name=self.branch_name,
+            pr_title=self.title,
+            pr_body=self.description,
+            file_location=self.file_location,
+            line_number=self.line_number,
+            pr_comment=self.comment_body,
+            comments=self.previous_comments,
+        ).strip()
+
+    def _create_github_v1_callback_processor(self):
+        """Create a V1 callback processor for GitHub integration."""
+        from integrations.github.github_v1_callback_processor import (
+            GithubV1CallbackProcessor,
+        )
+
+        # Create and return the GitHub V1 callback processor
+        return GithubV1CallbackProcessor(
+            github_view_data={
+                'issue_number': self.issue_number,
+                'full_repo_name': self.full_repo_name,
+                'installation_id': self.installation_id,
+                'comment_id': self.comment_id,
+            },
+            inline_pr_comment=True,
+            send_summary_instruction=self.send_summary_instruction,
+        )
+
 
 @dataclass
 class GithubFailingAction:
@@ -542,13 +728,13 @@ class GithubFactory:
 
         def _interact_with_github() -> Issue | None:
             with GithubIntegration(
-                GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
+                auth=Auth.AppAuth(GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY)
             ) as integration:
                 access_token = integration.get_access_token(
                     payload['installation']['id']
                 ).token
 
-            with Github(access_token) as gh:
+            with Github(auth=Auth.Token(access_token)) as gh:
                 repo = gh.get_repo(selected_repo)
                 login = (
                     payload['organization']['login']
@@ -606,8 +792,8 @@ class GithubFactory:
 
     @staticmethod
     async def create_github_view_from_payload(
-        message: Message, token_manager: TokenManager
-    ) -> ResolverViewInterface:
+        message: Message, keycloak_user_id: str
+    ) -> GithubViewType:
         """Create the appropriate class (GithubIssue or GithubPRComment) based on the payload.
         Also return metadata about the event (e.g., action type).
         """
@@ -616,17 +802,10 @@ class GithubFactory:
         user_id = payload['sender']['id']
         username = payload['sender']['login']
 
-        keyloak_user_id = await token_manager.get_user_id_from_idp_user_id(
-            user_id, ProviderType.GITHUB
-        )
-
-        if keyloak_user_id is None:
-            logger.warning(f'Got invalid keyloak user id for GitHub User {user_id} ')
-
         selected_repo = GithubFactory.get_full_repo_name(repo_obj)
         is_public_repo = not repo_obj.get('private', True)
         user_info = UserData(
-            user_id=user_id, username=username, keycloak_user_id=keyloak_user_id
+            user_id=user_id, username=username, keycloak_user_id=keycloak_user_id
         )
 
         installation_id = message.message['installation']
@@ -650,6 +829,7 @@ class GithubFactory:
                 title='',
                 description='',
                 previous_comments=[],
+                v1_enabled=False,
             )
 
         elif GithubFactory.is_issue_comment(message):
@@ -675,6 +855,7 @@ class GithubFactory:
                 title='',
                 description='',
                 previous_comments=[],
+                v1_enabled=False,
             )
 
         elif GithubFactory.is_pr_comment(message):
@@ -685,12 +866,12 @@ class GithubFactory:
 
             access_token = ''
             with GithubIntegration(
-                GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
+                auth=Auth.AppAuth(GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY)
             ) as integration:
                 access_token = integration.get_access_token(installation_id).token
 
             head_ref = None
-            with Github(access_token) as gh:
+            with Github(auth=Auth.Token(access_token)) as gh:
                 repo = gh.get_repo(selected_repo)
                 pull_request = repo.get_pull(issue_number)
                 head_ref = pull_request.head.ref
@@ -716,6 +897,7 @@ class GithubFactory:
                 title='',
                 description='',
                 previous_comments=[],
+                v1_enabled=False,
             )
 
         elif GithubFactory.is_inline_pr_comment(message):
@@ -749,6 +931,7 @@ class GithubFactory:
                 title='',
                 description='',
                 previous_comments=[],
+                v1_enabled=False,
             )
 
         else:

enterprise/integrations/gitlab/gitlab_manager.py

@@ -1,4 +1,7 @@
+from __future__ import annotations
+
 from types import MappingProxyType
+from typing import cast
 
 from integrations.gitlab.gitlab_view import (
     GitlabFactory,
@@ -15,7 +18,9 @@ from integrations.utils import (
     CONVERSATION_URL,
     HOST_URL,
     OPENHANDS_RESOLVER_TEMPLATES_DIR,
+    get_session_expired_message,
 )
+from integrations.v1_utils import get_saas_user_auth
 from jinja2 import Environment, FileSystemLoader
 from pydantic import SecretStr
 from server.auth.token_manager import TokenManager
@@ -24,11 +29,15 @@ from server.utils.conversation_callback_utils import register_callback_processor
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl
 from openhands.integrations.provider import ProviderToken, ProviderType
-from openhands.server.types import LLMAuthenticationError, MissingSettingsError
-from openhands.storage.data_models.user_secrets import UserSecrets
+from openhands.server.types import (
+    LLMAuthenticationError,
+    MissingSettingsError,
+    SessionExpiredError,
+)
+from openhands.storage.data_models.secrets import Secrets
 
 
-class GitlabManager(Manager):
+class GitlabManager(Manager[GitlabViewType]):
     def __init__(self, token_manager: TokenManager, data_collector: None = None):
         self.token_manager = token_manager
 
@@ -62,11 +71,11 @@ class GitlabManager(Manager):
             logger.warning(f'Got invalid keyloak user id for GitLab User {user_id}')
             return False
 
-        # Importing here prevents circular import
+        # GitLabServiceImpl returns SaaSGitLabService in enterprise context
         from integrations.gitlab.gitlab_service import SaaSGitLabService
 
-        gitlab_service: SaaSGitLabService = GitLabServiceImpl(
-            external_auth_id=keycloak_user_id
+        gitlab_service = cast(
+            SaaSGitLabService, GitLabServiceImpl(external_auth_id=keycloak_user_id)
         )
 
         return await gitlab_service.user_has_write_access(project_id)
@@ -116,55 +125,52 @@ class GitlabManager(Manager):
         # Check if the user has write access to the repository
         return has_write_access
 
-    async def send_message(self, message: Message, gitlab_view: ResolverViewInterface):
-        """
-        Send a message to GitLab based on the view type.
+    async def send_message(self, message: str, gitlab_view: ResolverViewInterface):
+        """Send a message to GitLab based on the view type.
 
         Args:
-            message: The message to send
+            message: The message content to send (plain text string)
             gitlab_view: The GitLab view object containing issue/PR/comment info
         """
         keycloak_user_id = gitlab_view.user_info.keycloak_user_id
 
-        # Importing here prevents circular import
+        # GitLabServiceImpl returns SaaSGitLabService in enterprise context
         from integrations.gitlab.gitlab_service import SaaSGitLabService
 
-        gitlab_service: SaaSGitLabService = GitLabServiceImpl(
-            external_auth_id=keycloak_user_id
+        gitlab_service = cast(
+            SaaSGitLabService, GitLabServiceImpl(external_auth_id=keycloak_user_id)
         )
 
-        outgoing_message = message.message
-
         if isinstance(gitlab_view, GitlabInlineMRComment) or isinstance(
             gitlab_view, GitlabMRComment
         ):
             await gitlab_service.reply_to_mr(
-                gitlab_view.project_id,
-                gitlab_view.issue_number,
-                gitlab_view.discussion_id,
-                message.message,
+                project_id=str(gitlab_view.project_id),
+                merge_request_iid=str(gitlab_view.issue_number),
+                discussion_id=gitlab_view.discussion_id,
+                body=message,
             )
 
         elif isinstance(gitlab_view, GitlabIssueComment):
             await gitlab_service.reply_to_issue(
-                gitlab_view.project_id,
-                gitlab_view.issue_number,
-                gitlab_view.discussion_id,
-                outgoing_message,
+                project_id=str(gitlab_view.project_id),
+                issue_number=str(gitlab_view.issue_number),
+                discussion_id=gitlab_view.discussion_id,
+                body=message,
             )
         elif isinstance(gitlab_view, GitlabIssue):
             await gitlab_service.reply_to_issue(
-                gitlab_view.project_id,
-                gitlab_view.issue_number,
-                None,  # no discussion id, issue is tagged
-                outgoing_message,
+                project_id=str(gitlab_view.project_id),
+                issue_number=str(gitlab_view.issue_number),
+                discussion_id=None,  # no discussion id, issue is tagged
+                body=message,
             )
         else:
             logger.warning(
                 f'[GitLab] Unsupported view type: {type(gitlab_view).__name__}'
             )
 
-    async def start_job(self, gitlab_view: GitlabViewType):
+    async def start_job(self, gitlab_view: GitlabViewType) -> None:
         """
         Start a job for the GitLab view.
 
@@ -198,7 +204,7 @@ class GitlabManager(Manager):
                     f'[GitLab] Creating new conversation for user {user_info.username}'
                 )
 
-                secret_store = UserSecrets(
+                secret_store = Secrets(
                     provider_tokens=MappingProxyType(
                         {
                             ProviderType.GITLAB: ProviderToken(
@@ -209,8 +215,18 @@ class GitlabManager(Manager):
                     )
                 )
 
+                # Initialize conversation and get metadata (following GitHub pattern)
+                convo_metadata = await gitlab_view.initialize_new_conversation()
+
+                saas_user_auth = await get_saas_user_auth(
+                    gitlab_view.user_info.keycloak_user_id, self.token_manager
+                )
+
                 await gitlab_view.create_new_conversation(
-                    self.jinja_env, secret_store.provider_tokens
+                    self.jinja_env,
+                    secret_store.provider_tokens,
+                    convo_metadata,
+                    saas_user_auth,
                 )
 
                 conversation_id = gitlab_view.conversation_id
@@ -219,18 +235,19 @@ class GitlabManager(Manager):
                     f'[GitLab] Created conversation {conversation_id} for user {user_info.username}'
                 )
 
-                # Create a GitlabCallbackProcessor for this conversation
-                processor = GitlabCallbackProcessor(
-                    gitlab_view=gitlab_view,
-                    send_summary_instruction=True,
-                )
+                if not gitlab_view.v1_enabled:
+                    # Create a GitlabCallbackProcessor for this conversation
+                    processor = GitlabCallbackProcessor(
+                        gitlab_view=gitlab_view,
+                        send_summary_instruction=True,
+                    )
 
-                # Register the callback processor
-                register_callback_processor(conversation_id, processor)
+                    # Register the callback processor
+                    register_callback_processor(conversation_id, processor)
 
-                logger.info(
-                    f'[GitLab] Created callback processor for conversation {conversation_id}'
-                )
+                    logger.info(
+                        f'[GitLab] Created callback processor for conversation {conversation_id}'
+                    )
 
                 conversation_link = CONVERSATION_URL.format(conversation_id)
                 msg_info = f"I'm on it! {user_info.username} can [track my progress at all-hands.dev]({conversation_link})"
@@ -249,13 +266,18 @@ class GitlabManager(Manager):
 
                 msg_info = f'@{user_info.username} please set a valid LLM API key in [OpenHands Cloud]({HOST_URL}) before starting a job.'
 
+            except SessionExpiredError as e:
+                logger.warning(
+                    f'[GitLab] Session expired for user {user_info.username}: {str(e)}'
+                )
+
+                msg_info = get_session_expired_message(user_info.username)
+
             # Send the acknowledgment message
-            msg = self.create_outgoing_message(msg_info)
-            await self.send_message(msg, gitlab_view)
+            await self.send_message(msg_info, gitlab_view)
 
         except Exception as e:
             logger.exception(f'[GitLab] Error starting job: {str(e)}')
-            msg = self.create_outgoing_message(
-                msg='Uh oh! There was an unexpected error starting the job :('
+            await self.send_message(
+                'Uh oh! There was an unexpected error starting the job :(', gitlab_view
             )
-            await self.send_message(msg, gitlab_view)

enterprise/integrations/gitlab/gitlab_service.py

@@ -1,7 +1,7 @@
 import asyncio
 
+from integrations.store_repo_utils import store_repositories_in_db
 from integrations.types import GitLabResourceType
-from integrations.utils import store_repositories_in_db
 from pydantic import SecretStr
 from server.auth.token_manager import TokenManager
 from storage.gitlab_webhook import GitlabWebhook, WebhookStatus
@@ -80,22 +80,52 @@ class SaaSGitLabService(GitLabService):
             logger.warning('external_auth_token and user_id not set!')
         return gitlab_token
 
-    async def get_owned_groups(self) -> list[dict]:
+    async def get_owned_groups(self, min_access_level: int = 40) -> list[dict]:
         """
-        Get all groups for which the current user is the owner.
+        Get all top-level groups where the current user has admin access.
+
+        This method supports pagination and fetches all groups where the user has
+        at least the specified access level.
+
+        Args:
+            min_access_level: Minimum access level required (default: 40 for Maintainer or Owner)
+                             - 40: Maintainer or Owner
+                             - 50: Owner only
 
         Returns:
-            list[dict]: A list of groups owned by the current user.
+            list[dict]: A list of groups where user has the specified access level or higher.
         """
-        url = f'{self.BASE_URL}/groups'
-        params = {'owned': 'true', 'per_page': 100, 'top_level_only': 'true'}
+        groups_with_admin_access = []
+        page = 1
+        per_page = 100
 
-        try:
-            response, headers = await self._make_request(url, params)
-            return response
-        except Exception:
-            logger.warning('Error fetching owned groups', exc_info=True)
-            return []
+        while True:
+            try:
+                url = f'{self.BASE_URL}/groups'
+                params = {
+                    'page': str(page),
+                    'per_page': str(per_page),
+                    'min_access_level': min_access_level,
+                    'top_level_only': 'true',
+                }
+                response, headers = await self._make_request(url, params)
+
+                if not response:
+                    break
+
+                groups_with_admin_access.extend(response)
+                page += 1
+
+                # Check if we've reached the last page
+                link_header = headers.get('Link', '')
+                if 'rel="next"' not in link_header:
+                    break
+
+            except Exception:
+                logger.warning(f'Error fetching groups on page {page}', exc_info=True)
+                break
+
+        return groups_with_admin_access
 
     async def add_owned_projects_and_groups_to_db(self, owned_personal_projects):
         """
@@ -155,6 +185,30 @@ class SaaSGitLabService(GitLabService):
             users_personal_projects: List of personal projects owned by the user
             repositories: List of Repository objects to store
         """
+        # If external_auth_id is not set, try to determine it from the Keycloak token
+        if not self.external_auth_id and self.external_auth_token:
+            try:
+                user_info = await self.token_manager.get_user_info(
+                    self.external_auth_token.get_secret_value()
+                )
+                keycloak_user_id = user_info.sub
+                self.external_auth_id = keycloak_user_id
+                logger.info(
+                    f'Determined external_auth_id from Keycloak token: {self.external_auth_id}'
+                )
+            except Exception:
+                logger.warning(
+                    'Cannot store repository data: external_auth_id is not set and could not be determined from token',
+                    exc_info=True,
+                )
+                return
+
+        if not self.external_auth_id:
+            logger.warning(
+                'Cannot store repository data: external_auth_id could not be determined'
+            )
+            return
+
         try:
             # First, add owned projects and groups to the database
             await self.add_owned_projects_and_groups_to_db(users_personal_projects)
@@ -527,3 +581,55 @@ class SaaSGitLabService(GitLabService):
             await self._make_request(url=url, params=params, method=RequestMethod.POST)
         except Exception as e:
             logger.exception(f'[GitLab]: Reply to MR failed {e}')
+
+    async def get_user_resources_with_admin_access(
+        self,
+    ) -> tuple[list[dict], list[dict]]:
+        """
+        Get all projects and groups where the current user has admin access (maintainer or owner).
+
+        Returns:
+            tuple[list[dict], list[dict]]: A tuple containing:
+                - list of projects where user has admin access
+                - list of groups where user has admin access
+        """
+        projects_with_admin_access = []
+        groups_with_admin_access = []
+
+        # Fetch all projects the user is a member of
+        page = 1
+        per_page = 100
+        while True:
+            try:
+                url = f'{self.BASE_URL}/projects'
+                params = {
+                    'page': str(page),
+                    'per_page': str(per_page),
+                    'membership': 1,
+                    'min_access_level': 40,  # Maintainer or Owner
+                }
+                response, headers = await self._make_request(url, params)
+
+                if not response:
+                    break
+
+                projects_with_admin_access.extend(response)
+                page += 1
+
+                # Check if we've reached the last page
+                link_header = headers.get('Link', '')
+                if 'rel="next"' not in link_header:
+                    break
+
+            except Exception:
+                logger.warning(f'Error fetching projects on page {page}', exc_info=True)
+                break
+
+        # Fetch all groups where user is owner or maintainer
+        groups_with_admin_access = await self.get_owned_groups(min_access_level=40)
+
+        logger.info(
+            f'Found {len(projects_with_admin_access)} projects and {len(groups_with_admin_access)} groups with admin access'
+        )
+
+        return projects_with_admin_access, groups_with_admin_access

enterprise/integrations/gitlab/gitlab_v1_callback_processor.py

@@ -0,0 +1,269 @@
+import logging
+from typing import Any
+from uuid import UUID
+
+import httpx
+from integrations.utils import get_summary_instruction
+from integrations.v1_utils import handle_callback_error
+from pydantic import Field
+
+from openhands.agent_server.models import AskAgentRequest, AskAgentResponse
+from openhands.app_server.event_callback.event_callback_models import (
+    EventCallback,
+    EventCallbackProcessor,
+)
+from openhands.app_server.event_callback.event_callback_result_models import (
+    EventCallbackResult,
+    EventCallbackResultStatus,
+)
+from openhands.app_server.event_callback.util import (
+    ensure_conversation_found,
+    ensure_running_sandbox,
+    get_agent_server_url_from_sandbox,
+)
+from openhands.sdk import Event
+from openhands.sdk.event import ConversationStateUpdateEvent
+
+_logger = logging.getLogger(__name__)
+
+
+class GitlabV1CallbackProcessor(EventCallbackProcessor):
+    """Callback processor for GitLab V1 integrations."""
+
+    gitlab_view_data: dict[str, Any] = Field(default_factory=dict)
+    should_request_summary: bool = Field(default=True)
+    inline_mr_comment: bool = Field(default=False)
+
+    async def __call__(
+        self,
+        conversation_id: UUID,
+        callback: EventCallback,
+        event: Event,
+    ) -> EventCallbackResult | None:
+        """Process events for GitLab V1 integration."""
+        # Only handle ConversationStateUpdateEvent
+        if not isinstance(event, ConversationStateUpdateEvent):
+            return None
+
+        # Only act when execution has finished
+        if not (event.key == 'execution_status' and event.value == 'finished'):
+            return None
+
+        _logger.info('[GitLab V1] Callback agent state was %s', event)
+        _logger.info(
+            '[GitLab V1] Should request summary: %s', self.should_request_summary
+        )
+
+        if not self.should_request_summary:
+            return None
+
+        self.should_request_summary = False
+
+        try:
+            _logger.info(f'[GitLab V1] Requesting summary {conversation_id}')
+            summary = await self._request_summary(conversation_id)
+            _logger.info(
+                f'[GitLab V1] Posting summary {conversation_id}',
+                extra={'summary': summary},
+            )
+            await self._post_summary_to_gitlab(summary)
+
+            return EventCallbackResult(
+                status=EventCallbackResultStatus.SUCCESS,
+                event_callback_id=callback.id,
+                event_id=event.id,
+                conversation_id=conversation_id,
+                detail=summary,
+            )
+        except Exception as e:
+            can_post_error = bool(self.gitlab_view_data.get('keycloak_user_id'))
+            await handle_callback_error(
+                error=e,
+                conversation_id=conversation_id,
+                service_name='GitLab',
+                service_logger=_logger,
+                can_post_error=can_post_error,
+                post_error_func=self._post_summary_to_gitlab,
+            )
+
+            return EventCallbackResult(
+                status=EventCallbackResultStatus.ERROR,
+                event_callback_id=callback.id,
+                event_id=event.id,
+                conversation_id=conversation_id,
+                detail=str(e),
+            )
+
+    # -------------------------------------------------------------------------
+    # GitLab helpers
+    # -------------------------------------------------------------------------
+
+    async def _post_summary_to_gitlab(self, summary: str) -> None:
+        """Post a summary comment to the configured GitLab issue or MR."""
+        # Import here to avoid circular imports
+        from integrations.gitlab.gitlab_service import SaaSGitLabService
+
+        keycloak_user_id = self.gitlab_view_data.get('keycloak_user_id')
+        if not keycloak_user_id:
+            raise RuntimeError('Missing keycloak user ID for GitLab')
+
+        gitlab_service = SaaSGitLabService(external_auth_id=keycloak_user_id)
+
+        project_id = self.gitlab_view_data['project_id']
+        issue_number = self.gitlab_view_data['issue_number']
+        discussion_id = self.gitlab_view_data['discussion_id']
+        is_mr = self.gitlab_view_data.get('is_mr', False)
+
+        if is_mr:
+            await gitlab_service.reply_to_mr(
+                project_id,
+                issue_number,
+                discussion_id,
+                summary,
+            )
+        else:
+            await gitlab_service.reply_to_issue(
+                project_id,
+                issue_number,
+                discussion_id,
+                summary,
+            )
+
+    # -------------------------------------------------------------------------
+    # Agent / sandbox helpers
+    # -------------------------------------------------------------------------
+
+    async def _ask_question(
+        self,
+        httpx_client: httpx.AsyncClient,
+        agent_server_url: str,
+        conversation_id: UUID,
+        session_api_key: str,
+        message_content: str,
+    ) -> str:
+        """Send a message to the agent server via the V1 API and return response text."""
+        send_message_request = AskAgentRequest(question=message_content)
+
+        url = (
+            f"{agent_server_url.rstrip('/')}"
+            f"/api/conversations/{conversation_id}/ask_agent"
+        )
+        headers = {'X-Session-API-Key': session_api_key}
+        payload = send_message_request.model_dump()
+
+        try:
+            response = await httpx_client.post(
+                url,
+                json=payload,
+                headers=headers,
+                timeout=30.0,
+            )
+            response.raise_for_status()
+
+            agent_response = AskAgentResponse.model_validate(response.json())
+            return agent_response.response
+
+        except httpx.HTTPStatusError as e:
+            error_detail = f'HTTP {e.response.status_code} error'
+            try:
+                error_body = e.response.text
+                if error_body:
+                    error_detail += f': {error_body}'
+            except Exception:  # noqa: BLE001
+                pass
+
+            _logger.error(
+                '[GitLab V1] HTTP error sending message to %s: %s. '
+                'Request payload: %s. Response headers: %s',
+                url,
+                error_detail,
+                payload,
+                dict(e.response.headers),
+                exc_info=True,
+            )
+            raise Exception(f'Failed to send message to agent server: {error_detail}')
+
+        except httpx.TimeoutException:
+            error_detail = f'Request timeout after 30 seconds to {url}'
+            _logger.error(
+                '[GitLab V1] %s. Request payload: %s',
+                error_detail,
+                payload,
+                exc_info=True,
+            )
+            raise Exception(error_detail)
+
+        except httpx.RequestError as e:
+            error_detail = f'Request error to {url}: {str(e)}'
+            _logger.error(
+                '[GitLab V1] %s. Request payload: %s',
+                error_detail,
+                payload,
+                exc_info=True,
+            )
+            raise Exception(error_detail)
+
+    # -------------------------------------------------------------------------
+    # Summary orchestration
+    # -------------------------------------------------------------------------
+
+    async def _request_summary(self, conversation_id: UUID) -> str:
+        """Ask the agent to produce a summary of its work and return the agent response.
+
+        NOTE: This method now returns a string (the agent server's response text)
+        and raises exceptions on errors. The wrapping into EventCallbackResult
+        is handled by __call__.
+        """
+        # Import services within the method to avoid circular imports
+        from openhands.app_server.config import (
+            get_app_conversation_info_service,
+            get_httpx_client,
+            get_sandbox_service,
+        )
+        from openhands.app_server.services.injector import InjectorState
+        from openhands.app_server.user.specifiy_user_context import (
+            ADMIN,
+            USER_CONTEXT_ATTR,
+        )
+
+        # Create injector state for dependency injection
+        state = InjectorState()
+        setattr(state, USER_CONTEXT_ATTR, ADMIN)
+
+        async with (
+            get_app_conversation_info_service(state) as app_conversation_info_service,
+            get_sandbox_service(state) as sandbox_service,
+            get_httpx_client(state) as httpx_client,
+        ):
+            # 1. Conversation lookup
+            app_conversation_info = ensure_conversation_found(
+                await app_conversation_info_service.get_app_conversation_info(
+                    conversation_id
+                ),
+                conversation_id,
+            )
+
+            # 2. Sandbox lookup + validation
+            sandbox = ensure_running_sandbox(
+                await sandbox_service.get_sandbox(app_conversation_info.sandbox_id),
+                app_conversation_info.sandbox_id,
+            )
+
+            assert (
+                sandbox.session_api_key is not None
+            ), f'No session API key for sandbox: {sandbox.id}'
+
+            # 3. URL + instruction
+            agent_server_url = get_agent_server_url_from_sandbox(sandbox)
+
+            # Prepare message based on agent state
+            message_content = get_summary_instruction()
+
+            # Ask the agent and return the response text
+            return await self._ask_question(
+                httpx_client=httpx_client,
+                agent_server_url=agent_server_url,
+                conversation_id=conversation_id,
+                session_api_key=sandbox.session_api_key,
+                message_content=message_content,
+            )

enterprise/integrations/gitlab/gitlab_view.py

@@ -1,25 +1,53 @@
 from dataclasses import dataclass
+from uuid import UUID, uuid4
 
 from integrations.models import Message
+from integrations.resolver_context import ResolverUserContext
 from integrations.types import ResolverViewInterface, UserData
-from integrations.utils import HOST, get_oh_labels, has_exact_mention
+from integrations.utils import (
+    ENABLE_V1_GITLAB_RESOLVER,
+    HOST,
+    get_oh_labels,
+    get_user_v1_enabled_setting,
+    has_exact_mention,
+)
 from jinja2 import Environment
 from server.auth.token_manager import TokenManager
 from server.config import get_config
-from storage.database import session_maker
 from storage.saas_secrets_store import SaasSecretsStore
 
+from openhands.agent_server.models import SendMessageRequest
+from openhands.app_server.app_conversation.app_conversation_models import (
+    AppConversationStartRequest,
+    AppConversationStartTaskStatus,
+)
+from openhands.app_server.config import get_app_conversation_service
+from openhands.app_server.services.injector import InjectorState
+from openhands.app_server.user.specifiy_user_context import USER_CONTEXT_ATTR
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderType
 from openhands.integrations.service_types import Comment
-from openhands.server.services.conversation_service import create_new_conversation
-from openhands.storage.data_models.conversation_metadata import ConversationTrigger
+from openhands.sdk import TextContent
+from openhands.server.services.conversation_service import (
+    initialize_conversation,
+    start_conversation,
+)
+from openhands.server.user_auth.user_auth import UserAuth
+from openhands.storage.data_models.conversation_metadata import (
+    ConversationMetadata,
+    ConversationTrigger,
+)
 
 OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)
 CONFIDENTIAL_NOTE = 'confidential_note'
 NOTE_TYPES = ['note', CONFIDENTIAL_NOTE]
 
+
+async def is_v1_enabled_for_gitlab_resolver(user_id: str) -> bool:
+    return await get_user_v1_enabled_setting(user_id) and ENABLE_V1_GITLAB_RESOLVER
+
+
 # =================================================
 # SECTION: Factory to create appriorate Gitlab view
 # =================================================
@@ -41,6 +69,10 @@ class GitlabIssue(ResolverViewInterface):
     description: str
     previous_comments: list[Comment]
     is_mr: bool
+    v1_enabled: bool
+
+    def _get_branch_name(self) -> str | None:
+        return getattr(self, 'branch_name', None)
 
     async def _load_resolver_context(self):
         gitlab_service = GitLabServiceImpl(
@@ -78,35 +110,158 @@ class GitlabIssue(ResolverViewInterface):
         return user_instructions, conversation_instructions
 
     async def _get_user_secrets(self):
-        secrets_store = SaasSecretsStore(
-            self.user_info.keycloak_user_id, session_maker, get_config()
-        )
+        secrets_store = SaasSecretsStore(self.user_info.keycloak_user_id, get_config())
         user_secrets = await secrets_store.load()
 
         return user_secrets.custom_secrets if user_secrets else None
 
+    async def initialize_new_conversation(self) -> ConversationMetadata:
+        # v1_enabled is already set at construction time in the factory method
+        # This is the source of truth for the conversation type
+        if self.v1_enabled:
+            # Create dummy conversation metadata
+            # Don't save to conversation store
+            # V1 conversations are stored in a separate table
+            self.conversation_id = uuid4().hex
+            return ConversationMetadata(
+                conversation_id=self.conversation_id,
+                selected_repository=self.full_repo_name,
+            )
+
+        conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
+            user_id=self.user_info.keycloak_user_id,
+            conversation_id=None,
+            selected_repository=self.full_repo_name,
+            selected_branch=self._get_branch_name(),
+            conversation_trigger=ConversationTrigger.RESOLVER,
+            git_provider=ProviderType.GITLAB,
+        )
+
+        self.conversation_id = conversation_metadata.conversation_id
+        return conversation_metadata
+
     async def create_new_conversation(
-        self, jinja_env: Environment, git_provider_tokens: PROVIDER_TOKEN_TYPE
+        self,
+        jinja_env: Environment,
+        git_provider_tokens: PROVIDER_TOKEN_TYPE,
+        conversation_metadata: ConversationMetadata,
+        saas_user_auth: UserAuth,
     ):
+        # v1_enabled is already set at construction time in the factory method
+        if self.v1_enabled:
+            # Use V1 app conversation service
+            await self._create_v1_conversation(
+                jinja_env, saas_user_auth, conversation_metadata
+            )
+        else:
+            await self._create_v0_conversation(
+                jinja_env, git_provider_tokens, conversation_metadata
+            )
+
+    async def _create_v0_conversation(
+        self,
+        jinja_env: Environment,
+        git_provider_tokens: PROVIDER_TOKEN_TYPE,
+        conversation_metadata: ConversationMetadata,
+    ):
+        """Create conversation using the legacy V0 system."""
+        logger.info('[GitLab]: Creating V0 conversation')
         custom_secrets = await self._get_user_secrets()
 
         user_instructions, conversation_instructions = await self._get_instructions(
             jinja_env
         )
-        agent_loop_info = await create_new_conversation(
+
+        await start_conversation(
             user_id=self.user_info.keycloak_user_id,
             git_provider_tokens=git_provider_tokens,
             custom_secrets=custom_secrets,
-            selected_repository=self.full_repo_name,
-            selected_branch=None,
             initial_user_msg=user_instructions,
-            conversation_instructions=conversation_instructions,
             image_urls=None,
-            conversation_trigger=ConversationTrigger.RESOLVER,
             replay_json=None,
+            conversation_id=conversation_metadata.conversation_id,
+            conversation_metadata=conversation_metadata,
+            conversation_instructions=conversation_instructions,
+        )
+
+    async def _create_v1_conversation(
+        self,
+        jinja_env: Environment,
+        saas_user_auth: UserAuth,
+        conversation_metadata: ConversationMetadata,
+    ):
+        """Create conversation using the new V1 app conversation system."""
+        logger.info('[GitLab V1]: Creating V1 conversation')
+
+        user_instructions, conversation_instructions = await self._get_instructions(
+            jinja_env
+        )
+
+        # Create the initial message request
+        initial_message = SendMessageRequest(
+            role='user', content=[TextContent(text=user_instructions)]
+        )
+
+        # Create the GitLab V1 callback processor
+        gitlab_callback_processor = self._create_gitlab_v1_callback_processor()
+
+        # Get the app conversation service and start the conversation
+        injector_state = InjectorState()
+
+        # Determine the title based on whether it's an MR or issue
+        title_prefix = 'GitLab MR' if self.is_mr else 'GitLab Issue'
+        title = f'{title_prefix} #{self.issue_number}: {self.title}'
+
+        # Create the V1 conversation start request with the callback processor
+        start_request = AppConversationStartRequest(
+            conversation_id=UUID(conversation_metadata.conversation_id),
+            system_message_suffix=conversation_instructions,
+            initial_message=initial_message,
+            selected_repository=self.full_repo_name,
+            selected_branch=self._get_branch_name(),
+            git_provider=ProviderType.GITLAB,
+            title=title,
+            trigger=ConversationTrigger.RESOLVER,
+            processors=[
+                gitlab_callback_processor
+            ],  # Pass the callback processor directly
+        )
+
+        # Set up the GitLab user context for the V1 system
+        gitlab_user_context = ResolverUserContext(saas_user_auth=saas_user_auth)
+        setattr(injector_state, USER_CONTEXT_ATTR, gitlab_user_context)
+
+        async with get_app_conversation_service(
+            injector_state
+        ) as app_conversation_service:
+            async for task in app_conversation_service.start_app_conversation(
+                start_request
+            ):
+                if task.status == AppConversationStartTaskStatus.ERROR:
+                    logger.error(f'Failed to start V1 conversation: {task.detail}')
+                    raise RuntimeError(
+                        f'Failed to start V1 conversation: {task.detail}'
+                    )
+
+    def _create_gitlab_v1_callback_processor(self):
+        """Create a V1 callback processor for GitLab integration."""
+        from integrations.gitlab.gitlab_v1_callback_processor import (
+            GitlabV1CallbackProcessor,
+        )
+
+        # Create and return the GitLab V1 callback processor
+        return GitlabV1CallbackProcessor(
+            gitlab_view_data={
+                'issue_number': self.issue_number,
+                'project_id': self.project_id,
+                'full_repo_name': self.full_repo_name,
+                'installation_id': self.installation_id,
+                'keycloak_user_id': self.user_info.keycloak_user_id,
+                'is_mr': self.is_mr,
+                'discussion_id': getattr(self, 'discussion_id', None),
+            },
+            send_summary_instruction=self.send_summary_instruction,
         )
-        self.conversation_id = agent_loop_info.conversation_id
-        return self.conversation_id
 
 
 @dataclass
@@ -141,6 +296,9 @@ class GitlabIssueComment(GitlabIssue):
 class GitlabMRComment(GitlabIssueComment):
     branch_name: str
 
+    def _get_branch_name(self) -> str | None:
+        return self.branch_name
+
     async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
         user_instructions_template = jinja_env.get_template('mr_update_prompt.j2')
         await self._load_resolver_context()
@@ -162,29 +320,6 @@ class GitlabMRComment(GitlabIssueComment):
 
         return user_instructions, conversation_instructions
 
-    async def create_new_conversation(
-        self, jinja_env: Environment, git_provider_tokens: PROVIDER_TOKEN_TYPE
-    ):
-        custom_secrets = await self._get_user_secrets()
-
-        user_instructions, conversation_instructions = await self._get_instructions(
-            jinja_env
-        )
-        agent_loop_info = await create_new_conversation(
-            user_id=self.user_info.keycloak_user_id,
-            git_provider_tokens=git_provider_tokens,
-            custom_secrets=custom_secrets,
-            selected_repository=self.full_repo_name,
-            selected_branch=self.branch_name,
-            initial_user_msg=user_instructions,
-            conversation_instructions=conversation_instructions,
-            image_urls=None,
-            conversation_trigger=ConversationTrigger.RESOLVER,
-            replay_json=None,
-        )
-        self.conversation_id = agent_loop_info.conversation_id
-        return self.conversation_id
-
 
 @dataclass
 class GitlabInlineMRComment(GitlabMRComment):
@@ -306,7 +441,7 @@ class GitlabFactory:
     @staticmethod
     async def create_gitlab_view_from_payload(
         message: Message, token_manager: TokenManager
-    ) -> ResolverViewInterface:
+    ) -> GitlabViewType:
         payload = message.message['payload']
         installation_id = message.message['installation_id']
         user = payload['user']
@@ -325,6 +460,16 @@ class GitlabFactory:
             user_id=user_id, username=username, keycloak_user_id=keycloak_user_id
         )
 
+        # Check v1_enabled at construction time - this is the source of truth
+        v1_enabled = (
+            await is_v1_enabled_for_gitlab_resolver(keycloak_user_id)
+            if keycloak_user_id
+            else False
+        )
+        logger.info(
+            f'[GitLab V1]: User flag found for {keycloak_user_id} is {v1_enabled}'
+        )
+
         if GitlabFactory.is_labeled_issue(message):
             issue_iid = payload['object_attributes']['iid']
 
@@ -346,6 +491,7 @@ class GitlabFactory:
                 description='',
                 previous_comments=[],
                 is_mr=False,
+                v1_enabled=v1_enabled,
             )
 
         elif GitlabFactory.is_issue_comment(message):
@@ -376,6 +522,7 @@ class GitlabFactory:
                 description='',
                 previous_comments=[],
                 is_mr=False,
+                v1_enabled=v1_enabled,
             )
 
         elif GitlabFactory.is_mr_comment(message):
@@ -408,6 +555,7 @@ class GitlabFactory:
                 description='',
                 previous_comments=[],
                 is_mr=True,
+                v1_enabled=v1_enabled,
             )
 
         elif GitlabFactory.is_mr_comment(message, inline=True):
@@ -448,4 +596,7 @@ class GitlabFactory:
                 description='',
                 previous_comments=[],
                 is_mr=True,
+                v1_enabled=v1_enabled,
             )
+
+        raise ValueError(f'Unhandled GitLab webhook event: {message}')

enterprise/integrations/gitlab/webhook_installation.py

@@ -0,0 +1,194 @@
+"""Shared utilities for GitLab webhook installation.
+
+This module contains reusable functions and classes for installing GitLab webhooks
+that can be used by both the cron job and API routes.
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+from uuid import uuid4
+
+from integrations.types import GitLabResourceType
+from integrations.utils import GITLAB_WEBHOOK_URL
+from storage.gitlab_webhook import GitlabWebhook, WebhookStatus
+from storage.gitlab_webhook_store import GitlabWebhookStore
+
+from openhands.core.logger import openhands_logger as logger
+
+if TYPE_CHECKING:
+    from integrations.gitlab.gitlab_service import SaaSGitLabService
+
+# Webhook configuration constants
+WEBHOOK_NAME = 'OpenHands Resolver'
+SCOPES: list[str] = [
+    'note_events',
+    'merge_requests_events',
+    'confidential_issues_events',
+    'issues_events',
+    'confidential_note_events',
+    'job_events',
+    'pipeline_events',
+]
+
+
+class BreakLoopException(Exception):
+    """Exception raised when webhook installation conditions are not met or rate limited."""
+
+    pass
+
+
+async def verify_webhook_conditions(
+    gitlab_service: SaaSGitLabService,
+    resource_type: GitLabResourceType,
+    resource_id: str,
+    webhook_store: GitlabWebhookStore,
+    webhook: GitlabWebhook,
+) -> None:
+    """
+    Verify all conditions are met for webhook installation.
+    Raises BreakLoopException if any condition fails or rate limited.
+
+    Args:
+        gitlab_service: GitLab service instance
+        resource_type: Type of resource (PROJECT or GROUP)
+        resource_id: ID of the resource
+        webhook_store: Webhook store instance
+        webhook: Webhook object to verify
+    """
+    # Check if resource exists
+    does_resource_exist, status = await gitlab_service.check_resource_exists(
+        resource_type, resource_id
+    )
+
+    logger.info(
+        'Does resource exists',
+        extra={
+            'does_resource_exist': does_resource_exist,
+            'status': status,
+            'resource_id': resource_id,
+            'resource_type': resource_type,
+        },
+    )
+
+    if status == WebhookStatus.RATE_LIMITED:
+        raise BreakLoopException()
+    if not does_resource_exist and status != WebhookStatus.RATE_LIMITED:
+        await webhook_store.delete_webhook(webhook)
+        raise BreakLoopException()
+
+    # Check if user has admin access
+    (
+        is_user_admin_of_resource,
+        status,
+    ) = await gitlab_service.check_user_has_admin_access_to_resource(
+        resource_type, resource_id
+    )
+
+    logger.info(
+        'Is user admin',
+        extra={
+            'is_user_admin': is_user_admin_of_resource,
+            'status': status,
+            'resource_id': resource_id,
+            'resource_type': resource_type,
+        },
+    )
+
+    if status == WebhookStatus.RATE_LIMITED:
+        raise BreakLoopException()
+    if not is_user_admin_of_resource:
+        await webhook_store.delete_webhook(webhook)
+        raise BreakLoopException()
+
+    # Check if webhook already exists
+    (
+        does_webhook_exist_on_resource,
+        status,
+    ) = await gitlab_service.check_webhook_exists_on_resource(
+        resource_type=resource_type,
+        resource_id=resource_id,
+        webhook_url=GITLAB_WEBHOOK_URL,
+    )
+
+    logger.info(
+        'Does webhook already exist',
+        extra={
+            'does_webhook_exist_on_resource': does_webhook_exist_on_resource,
+            'status': status,
+            'resource_id': resource_id,
+            'resource_type': resource_type,
+        },
+    )
+
+    if status == WebhookStatus.RATE_LIMITED:
+        raise BreakLoopException()
+    if does_webhook_exist_on_resource != webhook.webhook_exists:
+        await webhook_store.update_webhook(
+            webhook, {'webhook_exists': does_webhook_exist_on_resource}
+        )
+
+    if does_webhook_exist_on_resource:
+        raise BreakLoopException()
+
+
+async def install_webhook_on_resource(
+    gitlab_service: SaaSGitLabService,
+    resource_type: GitLabResourceType,
+    resource_id: str,
+    webhook_store: GitlabWebhookStore,
+    webhook: GitlabWebhook,
+) -> tuple[str | None, WebhookStatus | None]:
+    """
+    Install webhook on a GitLab resource.
+
+    Args:
+        gitlab_service: GitLab service instance
+        resource_type: Type of resource (PROJECT or GROUP)
+        resource_id: ID of the resource
+        webhook_store: Webhook store instance
+        webhook: Webhook object to install
+
+    Returns:
+        Tuple of (webhook_id, status)
+    """
+    webhook_secret = f'{webhook.user_id}-{str(uuid4())}'
+    webhook_uuid = f'{str(uuid4())}'
+
+    webhook_id, status = await gitlab_service.install_webhook(
+        resource_type=resource_type,
+        resource_id=resource_id,
+        webhook_name=WEBHOOK_NAME,
+        webhook_url=GITLAB_WEBHOOK_URL,
+        webhook_secret=webhook_secret,
+        webhook_uuid=webhook_uuid,
+        scopes=SCOPES,
+    )
+
+    log_extra = {
+        'webhook_id': webhook_id,
+        'status': status,
+        'resource_id': resource_id,
+        'resource_type': resource_type,
+    }
+
+    if status == WebhookStatus.RATE_LIMITED:
+        logger.warning('Rate limited while creating webhook', extra=log_extra)
+        raise BreakLoopException()
+
+    if webhook_id:
+        await webhook_store.update_webhook(
+            webhook=webhook,
+            update_fields={
+                'webhook_secret': webhook_secret,
+                'webhook_exists': True,  # webhook was created
+                'webhook_url': GITLAB_WEBHOOK_URL,
+                'scopes': SCOPES,
+                'webhook_uuid': webhook_uuid,  # required to identify which webhook installation is sending payload
+            },
+        )
+        logger.info('Created new webhook', extra=log_extra)
+    else:
+        logger.error('Failed to create webhook', extra=log_extra)
+
+    return webhook_id, status

enterprise/integrations/jira/jira_manager.py

@@ -1,22 +1,38 @@
-import hashlib
-import hmac
-from typing import Dict, Optional, Tuple
-from urllib.parse import urlparse
+"""Jira integration manager.
+
+This module orchestrates the processing of Jira webhook events:
+1. Parse webhook payload (via JiraPayloadParser)
+2. Validate workspace
+3. Authenticate user
+4. Create view with repository selection (via JiraFactory)
+5. Start conversation job
+
+The manager delegates payload parsing to JiraPayloadParser and view creation
+to JiraFactory, keeping the orchestration logic clean and traceable.
+"""
 
 import httpx
-from fastapi import Request
-from integrations.jira.jira_types import JiraViewInterface
-from integrations.jira.jira_view import (
-    JiraExistingConversationView,
-    JiraFactory,
-    JiraNewConversationView,
+from integrations.jira.jira_payload import (
+    JiraPayloadError,
+    JiraPayloadParser,
+    JiraPayloadSkipped,
+    JiraPayloadSuccess,
+    JiraWebhookPayload,
 )
+from integrations.jira.jira_types import (
+    JiraViewInterface,
+    RepositoryNotFoundError,
+    StartingConvoException,
+)
+from integrations.jira.jira_view import JiraFactory, JiraNewConversationView
 from integrations.manager import Manager
-from integrations.models import JobContext, Message
+from integrations.models import Message
 from integrations.utils import (
+    HOST,
     HOST_URL,
     OPENHANDS_RESOLVER_TEMPLATES_DIR,
-    filter_potential_repos_by_user_msg,
+    get_oh_labels,
+    get_session_expired_message,
 )
 from jinja2 import Environment, FileSystemLoader
 from server.auth.saas_user_auth import get_user_auth_from_keycloak_id
@@ -27,311 +43,221 @@ from storage.jira_user import JiraUser
 from storage.jira_workspace import JiraWorkspace
 
 from openhands.core.logger import openhands_logger as logger
-from openhands.integrations.provider import ProviderHandler
-from openhands.integrations.service_types import Repository
-from openhands.server.shared import server_config
-from openhands.server.types import LLMAuthenticationError, MissingSettingsError
+from openhands.server.types import (
+    LLMAuthenticationError,
+    MissingSettingsError,
+    SessionExpiredError,
+)
 from openhands.server.user_auth.user_auth import UserAuth
+from openhands.utils.http_session import httpx_verify_option
 
 JIRA_CLOUD_API_URL = 'https://api.atlassian.com/ex/jira'
 
+# Get OH labels for this environment
+OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)
+
+
+class JiraManager(Manager[JiraViewInterface]):
+    """Manager for processing Jira webhook events.
+
+    This class orchestrates the flow from webhook receipt to conversation creation,
+    delegating parsing to JiraPayloadParser and view creation to JiraFactory.
+    """
 
-class JiraManager(Manager):
     def __init__(self, token_manager: TokenManager):
         self.token_manager = token_manager
         self.integration_store = JiraIntegrationStore.get_instance()
         self.jinja_env = Environment(
             loader=FileSystemLoader(OPENHANDS_RESOLVER_TEMPLATES_DIR + 'jira')
         )
+        self.payload_parser = JiraPayloadParser(
+            oh_label=OH_LABEL,
+            inline_oh_label=INLINE_OH_LABEL,
+        )
 
-    async def authenticate_user(
-        self, jira_user_id: str, workspace_id: int
+    async def receive_message(self, message: Message):
+        """Process incoming Jira webhook message.
+
+        Flow:
+        1. Parse webhook payload
+        2. Validate workspace exists and is active
+        3. Authenticate user
+        4. Create view (includes fetching issue details and selecting repository)
+        5. Start job
+
+        Each step has clear logging for traceability.
+        """
+        raw_payload = message.message.get('payload', {})
+
+        # Step 1: Parse webhook payload
+        logger.info(
+            '[Jira] Received webhook',
+            extra={'raw_payload': raw_payload},
+        )
+
+        parse_result = self.payload_parser.parse(raw_payload)
+
+        if isinstance(parse_result, JiraPayloadSkipped):
+            logger.info(
+                '[Jira] Webhook skipped', extra={'reason': parse_result.skip_reason}
+            )
+            return
+
+        if isinstance(parse_result, JiraPayloadError):
+            logger.warning(
+                '[Jira] Webhook parse failed', extra={'error': parse_result.error}
+            )
+            return
+
+        payload = parse_result.payload
+        logger.info(
+            '[Jira] Processing webhook',
+            extra={
+                'event_type': payload.event_type.value,
+                'issue_key': payload.issue_key,
+                'user_email': payload.user_email,
+            },
+        )
+
+        # Step 2: Validate workspace
+        workspace = await self._get_active_workspace(payload)
+        if not workspace:
+            return
+
+        # Step 3: Authenticate user
+        jira_user, saas_user_auth = await self._authenticate_user(payload, workspace)
+        if not jira_user or not saas_user_auth:
+            return
+
+        # Step 4: Create view (includes issue details fetch and repo selection)
+        decrypted_api_key = self.token_manager.decrypt_text(workspace.svc_acc_api_key)
+
+        try:
+            view = await JiraFactory.create_view(
+                payload=payload,
+                workspace=workspace,
+                user=jira_user,
+                user_auth=saas_user_auth,
+                decrypted_api_key=decrypted_api_key,
+            )
+        except RepositoryNotFoundError as e:
+            logger.warning(
+                '[Jira] Repository not found',
+                extra={'issue_key': payload.issue_key, 'error': str(e)},
+            )
+            await self._send_error_from_payload(payload, workspace, str(e))
+            return
+        except StartingConvoException as e:
+            logger.warning(
+                '[Jira] View creation failed',
+                extra={'issue_key': payload.issue_key, 'error': str(e)},
+            )
+            await self._send_error_from_payload(payload, workspace, str(e))
+            return
+        except Exception as e:
+            logger.error(
+                '[Jira] Unexpected error creating view',
+                extra={'issue_key': payload.issue_key, 'error': str(e)},
+                exc_info=True,
+            )
+            await self._send_error_from_payload(
+                payload,
+                workspace,
+                'Failed to initialize conversation. Please try again.',
+            )
+            return
+
+        # Step 5: Start job
+        await self.start_job(view)
+
+    async def _get_active_workspace(
+        self, payload: JiraWebhookPayload
+    ) -> JiraWorkspace | None:
+        """Validate and return the workspace for the webhook.
+
+        Returns None if:
+        - Workspace not found
+        - Workspace is inactive
+        - Request is from service account (to prevent recursion)
+        """
+        workspace = await self.integration_store.get_workspace_by_name(
+            payload.workspace_name
+        )
+
+        if not workspace:
+            logger.warning(
+                '[Jira] Workspace not found',
+                extra={'workspace_name': payload.workspace_name},
+            )
+            # Can't send error without workspace credentials
+            return None
+
+        # Prevent recursive triggers from service account
+        if payload.user_email == workspace.svc_acc_email:
+            logger.debug(
+                '[Jira] Ignoring service account trigger',
+                extra={'workspace_name': payload.workspace_name},
+            )
+            return None
+
+        if workspace.status != 'active':
+            logger.warning(
+                '[Jira] Workspace inactive',
+                extra={'workspace_id': workspace.id, 'status': workspace.status},
+            )
+            await self._send_error_from_payload(
+                payload, workspace, 'Jira integration is not active for your workspace.'
+            )
+            return None
+
+        return workspace
+
+    async def _authenticate_user(
+        self, payload: JiraWebhookPayload, workspace: JiraWorkspace
     ) -> tuple[JiraUser | None, UserAuth | None]:
-        """Authenticate Jira user and get their OpenHands user auth."""
-
-        # Find active Jira user by Keycloak user ID and workspace ID
+        """Authenticate the Jira user and get OpenHands auth."""
         jira_user = await self.integration_store.get_active_user(
-            jira_user_id, workspace_id
+            payload.account_id, workspace.id
         )
 
         if not jira_user:
             logger.warning(
-                f'[Jira] No active Jira user found for {jira_user_id} in workspace {workspace_id}'
+                '[Jira] User not found or inactive',
+                extra={
+                    'account_id': payload.account_id,
+                    'user_email': payload.user_email,
+                    'workspace_id': workspace.id,
+                },
+            )
+            await self._send_error_from_payload(
+                payload,
+                workspace,
+                f'User {payload.user_email} is not authenticated or active in the Jira integration.',
             )
             return None, None
 
         saas_user_auth = await get_user_auth_from_keycloak_id(
             jira_user.keycloak_user_id
         )
+
+        if not saas_user_auth:
+            logger.warning(
+                '[Jira] Failed to get OpenHands auth',
+                extra={
+                    'keycloak_user_id': jira_user.keycloak_user_id,
+                    'user_email': payload.user_email,
+                },
+            )
+            await self._send_error_from_payload(
+                payload,
+                workspace,
+                f'User {payload.user_email} is not authenticated with OpenHands.',
+            )
+            return None, None
+
         return jira_user, saas_user_auth
 
-    async def _get_repositories(self, user_auth: UserAuth) -> list[Repository]:
-        """Get repositories that the user has access to."""
-        provider_tokens = await user_auth.get_provider_tokens()
-        if provider_tokens is None:
-            return []
-        access_token = await user_auth.get_access_token()
-        user_id = await user_auth.get_user_id()
-        client = ProviderHandler(
-            provider_tokens=provider_tokens,
-            external_auth_token=access_token,
-            external_auth_id=user_id,
-        )
-        repos: list[Repository] = await client.get_repositories(
-            'pushed', server_config.app_mode, None, None, None, None
-        )
-        return repos
-
-    async def validate_request(
-        self, request: Request
-    ) -> Tuple[bool, Optional[str], Optional[Dict]]:
-        """Verify Jira webhook signature."""
-        signature_header = request.headers.get('x-hub-signature')
-        signature = signature_header.split('=')[1] if signature_header else None
-        body = await request.body()
-        payload = await request.json()
-        workspace_name = ''
-
-        if payload.get('webhookEvent') == 'comment_created':
-            selfUrl = payload.get('comment', {}).get('author', {}).get('self')
-        elif payload.get('webhookEvent') == 'jira:issue_updated':
-            selfUrl = payload.get('user', {}).get('self')
-        else:
-            workspace_name = ''
-
-        parsedUrl = urlparse(selfUrl)
-        if parsedUrl.hostname:
-            workspace_name = parsedUrl.hostname
-
-        if not workspace_name:
-            logger.warning('[Jira] No workspace name found in webhook payload')
-            return False, None, None
-
-        if not signature:
-            logger.warning('[Jira] No signature found in webhook headers')
-            return False, None, None
-
-        workspace = await self.integration_store.get_workspace_by_name(workspace_name)
-
-        if not workspace:
-            logger.warning('[Jira] Could not identify workspace for webhook')
-            return False, None, None
-
-        if workspace.status != 'active':
-            logger.warning(f'[Jira] Workspace {workspace.id} is not active')
-            return False, None, None
-
-        webhook_secret = self.token_manager.decrypt_text(workspace.webhook_secret)
-        digest = hmac.new(webhook_secret.encode(), body, hashlib.sha256).hexdigest()
-
-        if hmac.compare_digest(signature, digest):
-            logger.info('[Jira] Webhook signature verified successfully')
-            return True, signature, payload
-
-        return False, None, None
-
-    def parse_webhook(self, payload: Dict) -> JobContext | None:
-        event_type = payload.get('webhookEvent')
-
-        if event_type == 'comment_created':
-            comment_data = payload.get('comment', {})
-            comment = comment_data.get('body', '')
-
-            if '@openhands' not in comment:
-                return None
-
-            issue_data = payload.get('issue', {})
-            issue_id = issue_data.get('id')
-            issue_key = issue_data.get('key')
-            base_api_url = issue_data.get('self', '').split('/rest/')[0]
-
-            user_data = comment_data.get('author', {})
-            user_email = user_data.get('emailAddress')
-            display_name = user_data.get('displayName')
-            account_id = user_data.get('accountId')
-        elif event_type == 'jira:issue_updated':
-            changelog = payload.get('changelog', {})
-            items = changelog.get('items', [])
-            labels = [
-                item.get('toString', '')
-                for item in items
-                if item.get('field') == 'labels' and 'toString' in item
-            ]
-
-            if 'openhands' not in labels:
-                return None
-
-            issue_data = payload.get('issue', {})
-            issue_id = issue_data.get('id')
-            issue_key = issue_data.get('key')
-            base_api_url = issue_data.get('self', '').split('/rest/')[0]
-
-            user_data = payload.get('user', {})
-            user_email = user_data.get('emailAddress')
-            display_name = user_data.get('displayName')
-            account_id = user_data.get('accountId')
-            comment = ''
-        else:
-            return None
-
-        workspace_name = ''
-
-        parsedUrl = urlparse(base_api_url)
-        if parsedUrl.hostname:
-            workspace_name = parsedUrl.hostname
-
-        if not all(
-            [
-                issue_id,
-                issue_key,
-                user_email,
-                display_name,
-                account_id,
-                workspace_name,
-                base_api_url,
-            ]
-        ):
-            return None
-
-        return JobContext(
-            issue_id=issue_id,
-            issue_key=issue_key,
-            user_msg=comment,
-            user_email=user_email,
-            display_name=display_name,
-            platform_user_id=account_id,
-            workspace_name=workspace_name,
-            base_api_url=base_api_url,
-        )
-
-    async def receive_message(self, message: Message):
-        """Process incoming Jira webhook message."""
-
-        payload = message.message.get('payload', {})
-        job_context = self.parse_webhook(payload)
-
-        if not job_context:
-            logger.info('[Jira] Webhook does not match trigger conditions')
-            return
-
-        # Get workspace by user email domain
-        workspace = await self.integration_store.get_workspace_by_name(
-            job_context.workspace_name
-        )
-        if not workspace:
-            logger.warning(
-                f'[Jira] No workspace found for email domain: {job_context.user_email}'
-            )
-            await self._send_error_comment(
-                job_context,
-                'Your workspace is not configured with Jira integration.',
-                None,
-            )
-            return
-
-        # Prevent any recursive triggers from the service account
-        if job_context.user_email == workspace.svc_acc_email:
-            return
-
-        if workspace.status != 'active':
-            logger.warning(f'[Jira] Workspace {workspace.id} is not active')
-            await self._send_error_comment(
-                job_context,
-                'Jira integration is not active for your workspace.',
-                workspace,
-            )
-            return
-
-        # Authenticate user
-        jira_user, saas_user_auth = await self.authenticate_user(
-            job_context.platform_user_id, workspace.id
-        )
-        if not jira_user or not saas_user_auth:
-            logger.warning(
-                f'[Jira] User authentication failed for {job_context.user_email}'
-            )
-            await self._send_error_comment(
-                job_context,
-                f'User {job_context.user_email} is not authenticated or active in the Jira integration.',
-                workspace,
-            )
-            return
-
-        # Get issue details
-        try:
-            api_key = self.token_manager.decrypt_text(workspace.svc_acc_api_key)
-            issue_title, issue_description = await self.get_issue_details(
-                job_context, workspace.jira_cloud_id, workspace.svc_acc_email, api_key
-            )
-            job_context.issue_title = issue_title
-            job_context.issue_description = issue_description
-        except Exception as e:
-            logger.error(f'[Jira] Failed to get issue context: {str(e)}')
-            await self._send_error_comment(
-                job_context,
-                'Failed to retrieve issue details. Please check the issue key and try again.',
-                workspace,
-            )
-            return
-
-        try:
-            # Create Jira view
-            jira_view = await JiraFactory.create_jira_view_from_payload(
-                job_context,
-                saas_user_auth,
-                jira_user,
-                workspace,
-            )
-        except Exception as e:
-            logger.error(f'[Jira] Failed to create jira view: {str(e)}', exc_info=True)
-            await self._send_error_comment(
-                job_context,
-                'Failed to initialize conversation. Please try again.',
-                workspace,
-            )
-            return
-
-        if not await self.is_job_requested(message, jira_view):
-            return
-
-        await self.start_job(jira_view)
-
-    async def is_job_requested(
-        self, message: Message, jira_view: JiraViewInterface
-    ) -> bool:
-        """
-        Check if a job is requested and handle repository selection.
-        """
-
-        if isinstance(jira_view, JiraExistingConversationView):
-            return True
-
-        try:
-            # Get user repositories
-            user_repos: list[Repository] = await self._get_repositories(
-                jira_view.saas_user_auth
-            )
-
-            target_str = f'{jira_view.job_context.issue_description}\n{jira_view.job_context.user_msg}'
-
-            # Try to infer repository from issue description
-            match, repos = filter_potential_repos_by_user_msg(target_str, user_repos)
-
-            if match:
-                # Found exact repository match
-                jira_view.selected_repo = repos[0].full_name
-                logger.info(f'[Jira] Inferred repository: {repos[0].full_name}')
-                return True
-            else:
-                # No clear match - send repository selection comment
-                await self._send_repo_selection_comment(jira_view)
-                return False
-
-        except Exception as e:
-            logger.error(f'[Jira] Error in is_job_requested: {str(e)}')
-            return False
-
-    async def start_job(self, jira_view: JiraViewInterface):
+    async def start_job(self, view: JiraViewInterface) -> None:
         """Start a Jira job/conversation."""
         # Import here to prevent circular import
         from server.conversation_callback_processor.jira_callback_processor import (
@@ -339,165 +265,155 @@ class JiraManager(Manager):
         )
 
         try:
-            user_info: JiraUser = jira_view.jira_user
             logger.info(
-                f'[Jira] Starting job for user {user_info.keycloak_user_id} '
-                f'issue {jira_view.job_context.issue_key}',
+                '[Jira] Starting job',
+                extra={
+                    'issue_key': view.payload.issue_key,
+                    'user_id': view.jira_user.keycloak_user_id,
+                    'selected_repo': view.selected_repo,
+                },
             )
 
             # Create conversation
-            conversation_id = await jira_view.create_or_update_conversation(
-                self.jinja_env
-            )
+            conversation_id = await view.create_or_update_conversation(self.jinja_env)
 
             logger.info(
-                f'[Jira] Created/Updated conversation {conversation_id} for issue {jira_view.job_context.issue_key}'
+                '[Jira] Conversation created',
+                extra={
+                    'conversation_id': conversation_id,
+                    'issue_key': view.payload.issue_key,
+                },
             )
 
             # Register callback processor for updates
-            if isinstance(jira_view, JiraNewConversationView):
+            if isinstance(view, JiraNewConversationView):
                 processor = JiraCallbackProcessor(
-                    issue_key=jira_view.job_context.issue_key,
-                    workspace_name=jira_view.jira_workspace.name,
+                    issue_key=view.payload.issue_key,
+                    workspace_name=view.jira_workspace.name,
                 )
-
-                # Register the callback processor
                 register_callback_processor(conversation_id, processor)
-
                 logger.info(
-                    f'[Jira] Created callback processor for conversation {conversation_id}'
+                    '[Jira] Callback processor registered',
+                    extra={'conversation_id': conversation_id},
                 )
 
-            # Send initial response
-            msg_info = jira_view.get_response_msg()
+            # Send success response
+            msg_info = view.get_response_msg()
 
         except MissingSettingsError as e:
-            logger.warning(f'[Jira] Missing settings error: {str(e)}')
+            logger.warning(
+                '[Jira] Missing settings error',
+                extra={'issue_key': view.payload.issue_key, 'error': str(e)},
+            )
             msg_info = f'Please re-login into [OpenHands Cloud]({HOST_URL}) before starting a job.'
 
         except LLMAuthenticationError as e:
-            logger.warning(f'[Jira] LLM authentication error: {str(e)}')
+            logger.warning(
+                '[Jira] LLM authentication error',
+                extra={'issue_key': view.payload.issue_key, 'error': str(e)},
+            )
             msg_info = f'Please set a valid LLM API key in [OpenHands Cloud]({HOST_URL}) before starting a job.'
 
+        except SessionExpiredError as e:
+            logger.warning(
+                '[Jira] Session expired',
+                extra={'issue_key': view.payload.issue_key, 'error': str(e)},
+            )
+            msg_info = get_session_expired_message()
+
+        except StartingConvoException as e:
+            logger.warning(
+                '[Jira] Conversation start failed',
+                extra={'issue_key': view.payload.issue_key, 'error': str(e)},
+            )
+            msg_info = str(e)
+
         except Exception as e:
             logger.error(
-                f'[Jira] Unexpected error starting job: {str(e)}', exc_info=True
+                '[Jira] Unexpected error starting job',
+                extra={'issue_key': view.payload.issue_key, 'error': str(e)},
+                exc_info=True,
             )
             msg_info = 'Sorry, there was an unexpected error starting the job. Please try again.'
 
         # Send response comment
-        try:
-            api_key = self.token_manager.decrypt_text(
-                jira_view.jira_workspace.svc_acc_api_key
-            )
-            await self.send_message(
-                self.create_outgoing_message(msg=msg_info),
-                issue_key=jira_view.job_context.issue_key,
-                jira_cloud_id=jira_view.jira_workspace.jira_cloud_id,
-                svc_acc_email=jira_view.jira_workspace.svc_acc_email,
-                svc_acc_api_key=api_key,
-            )
-        except Exception as e:
-            logger.error(f'[Jira] Failed to send response message: {str(e)}')
-
-    async def get_issue_details(
-        self,
-        job_context: JobContext,
-        jira_cloud_id: str,
-        svc_acc_email: str,
-        svc_acc_api_key: str,
-    ) -> Tuple[str, str]:
-        url = f'{JIRA_CLOUD_API_URL}/{jira_cloud_id}/rest/api/2/issue/{job_context.issue_key}'
-        async with httpx.AsyncClient() as client:
-            response = await client.get(url, auth=(svc_acc_email, svc_acc_api_key))
-            response.raise_for_status()
-            issue_payload = response.json()
-
-        if not issue_payload:
-            raise ValueError(f'Issue with key {job_context.issue_key} not found.')
-
-        title = issue_payload.get('fields', {}).get('summary', '')
-        description = issue_payload.get('fields', {}).get('description', '')
-
-        if not title:
-            raise ValueError(
-                f'Issue with key {job_context.issue_key} does not have a title.'
-            )
-
-        if not description:
-            raise ValueError(
-                f'Issue with key {job_context.issue_key} does not have a description.'
-            )
-
-        return title, description
+        await self._send_comment(view, msg_info)
 
     async def send_message(
         self,
-        message: Message,
+        message: str,
         issue_key: str,
         jira_cloud_id: str,
         svc_acc_email: str,
         svc_acc_api_key: str,
     ):
+        """Send a comment to a Jira issue.
+
+        Args:
+            message: The message content to send (plain text string)
+            issue_key: The Jira issue key (e.g., 'PROJ-123')
+            jira_cloud_id: The Jira Cloud ID
+            svc_acc_email: Service account email for authentication
+            svc_acc_api_key: Service account API key for authentication
+        """
         url = (
             f'{JIRA_CLOUD_API_URL}/{jira_cloud_id}/rest/api/2/issue/{issue_key}/comment'
         )
-        data = {'body': message.message}
-        async with httpx.AsyncClient() as client:
+        data = {'body': message}
+        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
             response = await client.post(
                 url, auth=(svc_acc_email, svc_acc_api_key), json=data
             )
             response.raise_for_status()
             return response.json()
 
-    async def _send_error_comment(
-        self,
-        job_context: JobContext,
-        error_msg: str,
-        workspace: JiraWorkspace | None,
-    ):
-        """Send error comment to Jira issue."""
-        if not workspace:
-            logger.error('[Jira] Cannot send error comment - no workspace available')
-            return
+    async def _send_comment(self, view: JiraViewInterface, msg: str):
+        """Send a comment using credentials from the view."""
+        try:
+            api_key = self.token_manager.decrypt_text(
+                view.jira_workspace.svc_acc_api_key
+            )
+            await self.send_message(
+                msg,
+                issue_key=view.payload.issue_key,
+                jira_cloud_id=view.jira_workspace.jira_cloud_id,
+                svc_acc_email=view.jira_workspace.svc_acc_email,
+                svc_acc_api_key=api_key,
+            )
+        except Exception as e:
+            logger.error(
+                '[Jira] Failed to send comment',
+                extra={'issue_key': view.payload.issue_key, 'error': str(e)},
+            )
 
+    async def _send_error_from_payload(
+        self,
+        payload: JiraWebhookPayload,
+        workspace: JiraWorkspace,
+        error_msg: str,
+    ):
+        """Send error comment before view is created (using payload directly)."""
         try:
             api_key = self.token_manager.decrypt_text(workspace.svc_acc_api_key)
             await self.send_message(
-                self.create_outgoing_message(msg=error_msg),
-                issue_key=job_context.issue_key,
+                error_msg,
+                issue_key=payload.issue_key,
                 jira_cloud_id=workspace.jira_cloud_id,
                 svc_acc_email=workspace.svc_acc_email,
                 svc_acc_api_key=api_key,
             )
-        except Exception as e:
-            logger.error(f'[Jira] Failed to send error comment: {str(e)}')
-
-    async def _send_repo_selection_comment(self, jira_view: JiraViewInterface):
-        """Send a comment with repository options for the user to choose."""
-        try:
-            comment_msg = (
-                'I need to know which repository to work with. '
-                'Please add it to your issue description or send a followup comment.'
-            )
-
-            api_key = self.token_manager.decrypt_text(
-                jira_view.jira_workspace.svc_acc_api_key
-            )
-
-            await self.send_message(
-                self.create_outgoing_message(msg=comment_msg),
-                issue_key=jira_view.job_context.issue_key,
-                jira_cloud_id=jira_view.jira_workspace.jira_cloud_id,
-                svc_acc_email=jira_view.jira_workspace.svc_acc_email,
-                svc_acc_api_key=api_key,
-            )
-
-            logger.info(
-                f'[Jira] Sent repository selection comment for issue {jira_view.job_context.issue_key}'
-            )
-
         except Exception as e:
             logger.error(
-                f'[Jira] Failed to send repository selection comment: {str(e)}'
+                '[Jira] Failed to send error comment',
+                extra={'issue_key': payload.issue_key, 'error': str(e)},
             )
+
+    def get_workspace_name_from_payload(self, payload: dict) -> str | None:
+        """Extract workspace name from Jira webhook payload.
+
+        This method is used by the route for signature verification.
+        """
+        parse_result = self.payload_parser.parse(payload)
+        if isinstance(parse_result, JiraPayloadSuccess):
+            return parse_result.payload.workspace_name
+        return None

enterprise/integrations/jira/jira_payload.py

@@ -0,0 +1,265 @@
+"""Centralized payload parsing for Jira webhooks.
+
+This module provides a single source of truth for parsing and validating
+Jira webhook payloads, replacing scattered parsing logic throughout the codebase.
+"""
+
+from dataclasses import dataclass
+from enum import Enum
+from urllib.parse import urlparse
+
+from openhands.core.logger import openhands_logger as logger
+
+
+class JiraEventType(Enum):
+    """Types of Jira events we handle."""
+
+    LABELED_TICKET = 'labeled_ticket'
+    COMMENT_MENTION = 'comment_mention'
+
+
+@dataclass(frozen=True)
+class JiraWebhookPayload:
+    """Normalized, validated representation of a Jira webhook payload.
+
+    This immutable dataclass replaces JobContext and provides a single
+    source of truth for all webhook data. All parsing happens in
+    JiraPayloadParser, ensuring consistent validation.
+    """
+
+    event_type: JiraEventType
+    raw_event: str  # Original webhookEvent value
+
+    # Issue data
+    issue_id: str
+    issue_key: str
+
+    # User data
+    user_email: str
+    display_name: str
+    account_id: str
+
+    # Workspace data (derived from issue self URL)
+    workspace_name: str
+    base_api_url: str
+
+    # Event-specific data
+    comment_body: str = ''  # For comment events
+
+    @property
+    def user_msg(self) -> str:
+        """Alias for comment_body for backward compatibility."""
+        return self.comment_body
+
+
+class JiraPayloadParseError(Exception):
+    """Raised when payload parsing fails."""
+
+    def __init__(self, reason: str, event_type: str | None = None):
+        self.reason = reason
+        self.event_type = event_type
+        super().__init__(reason)
+
+
+@dataclass(frozen=True)
+class JiraPayloadSuccess:
+    """Result when parsing succeeds."""
+
+    payload: JiraWebhookPayload
+
+
+@dataclass(frozen=True)
+class JiraPayloadSkipped:
+    """Result when event is intentionally skipped."""
+
+    skip_reason: str
+
+
+@dataclass(frozen=True)
+class JiraPayloadError:
+    """Result when parsing fails due to invalid data."""
+
+    error: str
+
+
+JiraPayloadParseResult = JiraPayloadSuccess | JiraPayloadSkipped | JiraPayloadError
+
+
+class JiraPayloadParser:
+    """Centralized parser for Jira webhook payloads.
+
+    This class provides a single entry point for parsing webhooks,
+    determining event types, and extracting all necessary fields.
+    Replaces scattered parsing in JiraFactory and JiraManager.
+    """
+
+    def __init__(self, oh_label: str, inline_oh_label: str):
+        """Initialize parser with OpenHands label configuration.
+
+        Args:
+            oh_label: Label that triggers OpenHands (e.g., 'openhands')
+            inline_oh_label: Mention that triggers OpenHands (e.g., '@openhands')
+        """
+        self.oh_label = oh_label
+        self.inline_oh_label = inline_oh_label
+
+    def parse(self, raw_payload: dict) -> JiraPayloadParseResult:
+        """Parse a raw webhook payload into a normalized JiraWebhookPayload.
+
+        Args:
+            raw_payload: The raw webhook payload dict from Jira
+
+        Returns:
+            One of:
+            - JiraPayloadSuccess: Valid, actionable event with payload
+            - JiraPayloadSkipped: Event we intentionally don't process
+            - JiraPayloadError: Malformed payload we expected to process
+        """
+        webhook_event = raw_payload.get('webhookEvent', '')
+
+        logger.debug(
+            '[Jira] Parsing webhook payload', extra={'webhook_event': webhook_event}
+        )
+
+        if webhook_event == 'jira:issue_updated':
+            return self._parse_label_event(raw_payload, webhook_event)
+        elif webhook_event == 'comment_created':
+            return self._parse_comment_event(raw_payload, webhook_event)
+        else:
+            return JiraPayloadSkipped(f'Unhandled webhook event type: {webhook_event}')
+
+    def _parse_label_event(
+        self, payload: dict, webhook_event: str
+    ) -> JiraPayloadParseResult:
+        """Parse an issue_updated event for label changes."""
+        changelog = payload.get('changelog', {})
+        items = changelog.get('items', [])
+
+        # Extract labels that were added
+        labels = [
+            item.get('toString', '')
+            for item in items
+            if item.get('field') == 'labels' and 'toString' in item
+        ]
+
+        if self.oh_label not in labels:
+            return JiraPayloadSkipped(
+                f"Label event does not contain '{self.oh_label}' label"
+            )
+
+        # For label events, user data comes from 'user' field
+        user_data = payload.get('user', {})
+        return self._extract_and_validate(
+            payload=payload,
+            user_data=user_data,
+            event_type=JiraEventType.LABELED_TICKET,
+            webhook_event=webhook_event,
+            comment_body='',
+        )
+
+    def _parse_comment_event(
+        self, payload: dict, webhook_event: str
+    ) -> JiraPayloadParseResult:
+        """Parse a comment_created event."""
+        comment_data = payload.get('comment', {})
+        comment_body = comment_data.get('body', '')
+
+        if not self._has_mention(comment_body):
+            return JiraPayloadSkipped(
+                f"Comment does not mention '{self.inline_oh_label}'"
+            )
+
+        # For comment events, user data comes from 'comment.author'
+        user_data = comment_data.get('author', {})
+        return self._extract_and_validate(
+            payload=payload,
+            user_data=user_data,
+            event_type=JiraEventType.COMMENT_MENTION,
+            webhook_event=webhook_event,
+            comment_body=comment_body,
+        )
+
+    def _has_mention(self, text: str) -> bool:
+        """Check if text contains an exact mention of OpenHands."""
+        from integrations.utils import has_exact_mention
+
+        return has_exact_mention(text, self.inline_oh_label)
+
+    def _extract_and_validate(
+        self,
+        payload: dict,
+        user_data: dict,
+        event_type: JiraEventType,
+        webhook_event: str,
+        comment_body: str,
+    ) -> JiraPayloadParseResult:
+        """Extract common fields and validate required data is present."""
+        issue_data = payload.get('issue', {})
+
+        # Extract all fields with empty string defaults (makes them str type)
+        issue_id = issue_data.get('id', '')
+        issue_key = issue_data.get('key', '')
+        user_email = user_data.get('emailAddress', '')
+        display_name = user_data.get('displayName', '')
+        account_id = user_data.get('accountId', '')
+        base_api_url, workspace_name = self._extract_workspace_from_url(
+            issue_data.get('self', '')
+        )
+
+        # Validate required fields
+        missing: list[str] = []
+        if not issue_id:
+            missing.append('issue.id')
+        if not issue_key:
+            missing.append('issue.key')
+        if not display_name:
+            missing.append('user.displayName')
+        if not account_id:
+            missing.append('user.accountId')
+        if not workspace_name:
+            missing.append('workspace_name (derived from issue.self)')
+        if not base_api_url:
+            missing.append('base_api_url (derived from issue.self)')
+
+        if missing:
+            return JiraPayloadError(f"Missing required fields: {', '.join(missing)}")
+
+        return JiraPayloadSuccess(
+            JiraWebhookPayload(
+                event_type=event_type,
+                raw_event=webhook_event,
+                issue_id=issue_id,
+                issue_key=issue_key,
+                user_email=user_email,
+                display_name=display_name,
+                account_id=account_id,
+                workspace_name=workspace_name,
+                base_api_url=base_api_url,
+                comment_body=comment_body,
+            )
+        )
+
+    def _extract_workspace_from_url(self, self_url: str) -> tuple[str, str]:
+        """Extract base API URL and workspace name from issue self URL.
+
+        Args:
+            self_url: The 'self' URL from the issue data
+
+        Returns:
+            Tuple of (base_api_url, workspace_name)
+        """
+        if not self_url:
+            return '', ''
+
+        # Extract base URL (everything before /rest/)
+        if '/rest/' in self_url:
+            base_api_url = self_url.split('/rest/')[0]
+        else:
+            parsed = urlparse(self_url)
+            base_api_url = f'{parsed.scheme}://{parsed.netloc}'
+
+        # Extract workspace name (hostname)
+        parsed = urlparse(base_api_url)
+        workspace_name = parsed.hostname or ''
+
+        return base_api_url, workspace_name

enterprise/integrations/jira/jira_types.py

@@ -1,26 +1,42 @@
-from abc import ABC, abstractmethod
+"""Type definitions and interfaces for Jira integration."""
+
+from abc import ABC, abstractmethod
+from typing import TYPE_CHECKING
 
-from integrations.models import JobContext
 from jinja2 import Environment
 from storage.jira_user import JiraUser
 from storage.jira_workspace import JiraWorkspace
 
 from openhands.server.user_auth.user_auth import UserAuth
 
+if TYPE_CHECKING:
+    from integrations.jira.jira_payload import JiraWebhookPayload
+
 
 class JiraViewInterface(ABC):
-    """Interface for Jira views that handle different types of Jira interactions."""
+    """Interface for Jira views that handle different types of Jira interactions.
 
-    job_context: JobContext
+    Views hold the webhook payload directly rather than duplicating fields,
+    and fetch issue details lazily when needed.
+    """
+
+    # Core data - view holds these references
+    payload: 'JiraWebhookPayload'
     saas_user_auth: UserAuth
     jira_user: JiraUser
     jira_workspace: JiraWorkspace
+
+    # Mutable state set during processing
     selected_repo: str | None
     conversation_id: str
 
     @abstractmethod
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
-        """Get initial instructions for the conversation."""
+    async def get_issue_details(self) -> tuple[str, str]:
+        """Fetch and cache issue title and description from Jira API.
+
+        Returns:
+            Tuple of (issue_title, issue_description)
+        """
         pass
 
     @abstractmethod
@@ -35,6 +51,21 @@ class JiraViewInterface(ABC):
 
 
 class StartingConvoException(Exception):
-    """Exception raised when starting a conversation fails."""
+    """Exception raised when starting a conversation fails.
+
+    This provides user-friendly error messages that can be sent back to Jira.
+    """
+
+    pass
+
+
+class RepositoryNotFoundError(Exception):
+    """Raised when a repository cannot be determined from the issue.
+
+    This is a separate error domain from StartingConvoException - it represents
+    a precondition failure (no repo configured/found) rather than a conversation
+    creation failure. The manager catches this and converts it to a user-friendly
+    message.
+    """
 
     pass

enterprise/integrations/jira/jira_view.py

@@ -1,8 +1,21 @@
-from dataclasses import dataclass
+"""Jira view implementations and factory.
 
-from integrations.jira.jira_types import JiraViewInterface, StartingConvoException
-from integrations.models import JobContext
-from integrations.utils import CONVERSATION_URL, get_final_agent_observation
+Views are responsible for:
+- Holding the webhook payload and auth context
+- Lazy-loading issue details from Jira API when needed
+- Creating conversations with the selected repository
+"""
+
+from dataclasses import dataclass, field
+
+import httpx
+from integrations.jira.jira_payload import JiraWebhookPayload
+from integrations.jira.jira_types import (
+    JiraViewInterface,
+    RepositoryNotFoundError,
+    StartingConvoException,
+)
+from integrations.utils import CONVERSATION_URL, infer_repo_from_message
 from jinja2 import Environment
 from storage.jira_conversation import JiraConversation
 from storage.jira_integration_store import JiraIntegrationStore
@@ -10,55 +23,147 @@ from storage.jira_user import JiraUser
 from storage.jira_workspace import JiraWorkspace
 
 from openhands.core.logger import openhands_logger as logger
-from openhands.core.schema.agent import AgentState
-from openhands.events.action import MessageAction
-from openhands.events.serialization.event import event_to_dict
-from openhands.server.services.conversation_service import (
-    create_new_conversation,
-    setup_init_conversation_settings,
-)
-from openhands.server.shared import ConversationStoreImpl, config, conversation_manager
+from openhands.integrations.provider import ProviderHandler
+from openhands.server.services.conversation_service import create_new_conversation
 from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import ConversationTrigger
+from openhands.utils.http_session import httpx_verify_option
+
+JIRA_CLOUD_API_URL = 'https://api.atlassian.com/ex/jira'
 
 integration_store = JiraIntegrationStore.get_instance()
 
 
 @dataclass
 class JiraNewConversationView(JiraViewInterface):
-    job_context: JobContext
+    """View for creating a new Jira conversation.
+
+    This view holds the webhook payload directly and lazily fetches
+    issue details when needed for rendering templates.
+    """
+
+    payload: JiraWebhookPayload
     saas_user_auth: UserAuth
     jira_user: JiraUser
     jira_workspace: JiraWorkspace
-    selected_repo: str | None
-    conversation_id: str
+    selected_repo: str | None = None
+    conversation_id: str = ''
 
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
-        """Instructions passed when conversation is first initialized"""
+    # Lazy-loaded issue details (cached after first fetch)
+    _issue_title: str | None = field(default=None, repr=False)
+    _issue_description: str | None = field(default=None, repr=False)
+
+    # Decrypted API key (set by factory)
+    _decrypted_api_key: str = field(default='', repr=False)
+
+    async def get_issue_details(self) -> tuple[str, str]:
+        """Fetch issue details from Jira API (cached after first call).
+
+        Returns:
+            Tuple of (issue_title, issue_description)
+
+        Raises:
+            StartingConvoException: If issue details cannot be fetched
+        """
+        if self._issue_title is not None and self._issue_description is not None:
+            return self._issue_title, self._issue_description
+
+        try:
+            url = f'{JIRA_CLOUD_API_URL}/{self.jira_workspace.jira_cloud_id}/rest/api/2/issue/{self.payload.issue_key}'
+            async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
+                response = await client.get(
+                    url,
+                    auth=(
+                        self.jira_workspace.svc_acc_email,
+                        self._decrypted_api_key,
+                    ),
+                )
+                response.raise_for_status()
+                issue_payload = response.json()
+
+            if not issue_payload:
+                raise StartingConvoException(
+                    f'Issue {self.payload.issue_key} not found.'
+                )
+
+            self._issue_title = issue_payload.get('fields', {}).get('summary', '')
+            self._issue_description = (
+                issue_payload.get('fields', {}).get('description', '') or ''
+            )
+
+            if not self._issue_title:
+                raise StartingConvoException(
+                    f'Issue {self.payload.issue_key} does not have a title.'
+                )
+
+            logger.info(
+                '[Jira] Fetched issue details',
+                extra={
+                    'issue_key': self.payload.issue_key,
+                    'has_description': bool(self._issue_description),
+                },
+            )
+
+            return self._issue_title, self._issue_description
+
+        except httpx.HTTPStatusError as e:
+            logger.error(
+                '[Jira] Failed to fetch issue details',
+                extra={
+                    'issue_key': self.payload.issue_key,
+                    'status': e.response.status_code,
+                },
+            )
+            raise StartingConvoException(
+                f'Failed to fetch issue details: HTTP {e.response.status_code}'
+            )
+        except Exception as e:
+            if isinstance(e, StartingConvoException):
+                raise
+            logger.error(
+                '[Jira] Failed to fetch issue details',
+                extra={'issue_key': self.payload.issue_key, 'error': str(e)},
+            )
+            raise StartingConvoException(f'Failed to fetch issue details: {str(e)}')
+
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+        """Get instructions for the conversation.
+
+        This fetches issue details if not already cached.
+
+        Returns:
+            Tuple of (system_instructions, user_message)
+        """
+        issue_title, issue_description = await self.get_issue_details()
 
         instructions_template = jinja_env.get_template('jira_instructions.j2')
         instructions = instructions_template.render()
 
         user_msg_template = jinja_env.get_template('jira_new_conversation.j2')
-
         user_msg = user_msg_template.render(
-            issue_key=self.job_context.issue_key,
-            issue_title=self.job_context.issue_title,
-            issue_description=self.job_context.issue_description,
-            user_message=self.job_context.user_msg or '',
+            issue_key=self.payload.issue_key,
+            issue_title=issue_title,
+            issue_description=issue_description,
+            user_message=self.payload.user_msg,
         )
 
         return instructions, user_msg
 
     async def create_or_update_conversation(self, jinja_env: Environment) -> str:
-        """Create a new Jira conversation"""
+        """Create a new Jira conversation.
 
+        Returns:
+            The conversation ID
+
+        Raises:
+            StartingConvoException: If conversation creation fails
+        """
         if not self.selected_repo:
             raise StartingConvoException('No repository selected for this conversation')
 
         provider_tokens = await self.saas_user_auth.get_provider_tokens()
-        user_secrets = await self.saas_user_auth.get_user_secrets()
-        instructions, user_msg = self._get_instructions(jinja_env)
+        user_secrets = await self.saas_user_auth.get_secrets()
+        instructions, user_msg = await self._get_instructions(jinja_env)
 
         try:
             agent_loop_info = await create_new_conversation(
@@ -76,149 +181,259 @@ class JiraNewConversationView(JiraViewInterface):
 
             self.conversation_id = agent_loop_info.conversation_id
 
-            logger.info(f'[Jira] Created conversation {self.conversation_id}')
+            logger.info(
+                '[Jira] Created conversation',
+                extra={
+                    'conversation_id': self.conversation_id,
+                    'issue_key': self.payload.issue_key,
+                    'selected_repo': self.selected_repo,
+                },
+            )
 
             # Store Jira conversation mapping
             jira_conversation = JiraConversation(
                 conversation_id=self.conversation_id,
-                issue_id=self.job_context.issue_id,
-                issue_key=self.job_context.issue_key,
+                issue_id=self.payload.issue_id,
+                issue_key=self.payload.issue_key,
                 jira_user_id=self.jira_user.id,
             )
 
             await integration_store.create_conversation(jira_conversation)
 
             return self.conversation_id
+
         except Exception as e:
+            if isinstance(e, StartingConvoException):
+                raise
             logger.error(
-                f'[Jira] Failed to create conversation: {str(e)}', exc_info=True
+                '[Jira] Failed to create conversation',
+                extra={'issue_key': self.payload.issue_key, 'error': str(e)},
+                exc_info=True,
             )
             raise StartingConvoException(f'Failed to create conversation: {str(e)}')
 
     def get_response_msg(self) -> str:
-        """Get the response message to send back to Jira"""
+        """Get the response message to send back to Jira."""
         conversation_link = CONVERSATION_URL.format(self.conversation_id)
-        return f"I'm on it! {self.job_context.display_name} can [track my progress here|{conversation_link}]."
-
-
-@dataclass
-class JiraExistingConversationView(JiraViewInterface):
-    job_context: JobContext
-    saas_user_auth: UserAuth
-    jira_user: JiraUser
-    jira_workspace: JiraWorkspace
-    selected_repo: str | None
-    conversation_id: str
-
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
-        """Instructions passed when conversation is first initialized"""
-
-        user_msg_template = jinja_env.get_template('jira_existing_conversation.j2')
-        user_msg = user_msg_template.render(
-            issue_key=self.job_context.issue_key,
-            user_message=self.job_context.user_msg or '',
-            issue_title=self.job_context.issue_title,
-            issue_description=self.job_context.issue_description,
-        )
-
-        return '', user_msg
-
-    async def create_or_update_conversation(self, jinja_env: Environment) -> str:
-        """Update an existing Jira conversation"""
-
-        user_id = self.jira_user.keycloak_user_id
-
-        try:
-            conversation_store = await ConversationStoreImpl.get_instance(
-                config, user_id
-            )
-
-            try:
-                await conversation_store.get_metadata(self.conversation_id)
-            except FileNotFoundError:
-                raise StartingConvoException('Conversation no longer exists.')
-
-            provider_tokens = await self.saas_user_auth.get_provider_tokens()
-            # Should we raise here if there are no providers?
-            providers_set = list(provider_tokens.keys()) if provider_tokens else []
-
-            conversation_init_data = await setup_init_conversation_settings(
-                user_id, self.conversation_id, providers_set
-            )
-
-            # Either join ongoing conversation, or restart the conversation
-            agent_loop_info = await conversation_manager.maybe_start_agent_loop(
-                self.conversation_id, conversation_init_data, user_id
-            )
-
-            final_agent_observation = get_final_agent_observation(
-                agent_loop_info.event_store
-            )
-            agent_state = (
-                None
-                if len(final_agent_observation) == 0
-                else final_agent_observation[0].agent_state
-            )
-
-            if not agent_state or agent_state == AgentState.LOADING:
-                raise StartingConvoException('Conversation is still starting')
-
-            _, user_msg = self._get_instructions(jinja_env)
-            user_message_event = MessageAction(content=user_msg)
-            await conversation_manager.send_event_to_conversation(
-                self.conversation_id, event_to_dict(user_message_event)
-            )
-
-            return self.conversation_id
-        except Exception as e:
-            logger.error(
-                f'[Jira] Failed to create conversation: {str(e)}', exc_info=True
-            )
-            raise StartingConvoException(f'Failed to create conversation: {str(e)}')
-
-    def get_response_msg(self) -> str:
-        """Get the response message to send back to Jira"""
-        conversation_link = CONVERSATION_URL.format(self.conversation_id)
-        return f"I'm on it! {self.job_context.display_name} can [continue tracking my progress here|{conversation_link}]."
+        return f"I'm on it! {self.payload.display_name} can [track my progress here|{conversation_link}]."
 
 
 class JiraFactory:
-    """Factory for creating Jira views based on message content"""
+    """Factory for creating Jira views.
+
+    The factory is responsible for:
+    - Creating the appropriate view type
+    - Inferring and selecting the repository
+    - Validating all required data is available
+
+    Repository selection happens here so that view creation either
+    succeeds with a valid repo or fails with a clear error.
+    """
 
     @staticmethod
-    async def create_jira_view_from_payload(
-        job_context: JobContext,
-        saas_user_auth: UserAuth,
-        jira_user: JiraUser,
-        jira_workspace: JiraWorkspace,
+    async def _create_provider_handler(user_auth: UserAuth) -> ProviderHandler | None:
+        """Create a ProviderHandler for the user."""
+        provider_tokens = await user_auth.get_provider_tokens()
+        if provider_tokens is None:
+            return None
+
+        access_token = await user_auth.get_access_token()
+        user_id = await user_auth.get_user_id()
+
+        return ProviderHandler(
+            provider_tokens=provider_tokens,
+            external_auth_token=access_token,
+            external_auth_id=user_id,
+        )
+
+    @staticmethod
+    def _extract_potential_repos(
+        issue_key: str,
+        issue_title: str,
+        issue_description: str,
+        user_msg: str,
+    ) -> list[str]:
+        """Extract potential repository names from issue content.
+
+        Raises:
+            RepositoryNotFoundError: If no potential repos found in text.
+        """
+        search_text = f'{issue_title}\n{issue_description}\n{user_msg}'
+        potential_repos = infer_repo_from_message(search_text)
+
+        if not potential_repos:
+            raise RepositoryNotFoundError(
+                'Could not determine which repository to use. '
+                'Please mention the repository (e.g., owner/repo) in the issue description or comment.'
+            )
+
+        logger.info(
+            '[Jira] Found potential repositories in issue content',
+            extra={'issue_key': issue_key, 'potential_repos': potential_repos},
+        )
+        return potential_repos
+
+    @staticmethod
+    async def _verify_repos(
+        issue_key: str,
+        potential_repos: list[str],
+        provider_handler: ProviderHandler,
+    ) -> list[str]:
+        """Verify which repos the user has access to."""
+        verified_repos: list[str] = []
+
+        for repo_name in potential_repos:
+            try:
+                repository = await provider_handler.verify_repo_provider(repo_name)
+                verified_repos.append(repository.full_name)
+                logger.debug(
+                    '[Jira] Repository verification succeeded',
+                    extra={'issue_key': issue_key, 'repository': repository.full_name},
+                )
+            except Exception as e:
+                logger.debug(
+                    '[Jira] Repository verification failed',
+                    extra={
+                        'issue_key': issue_key,
+                        'repo_name': repo_name,
+                        'error': str(e),
+                    },
+                )
+
+        return verified_repos
+
+    @staticmethod
+    def _select_single_repo(
+        issue_key: str,
+        potential_repos: list[str],
+        verified_repos: list[str],
+    ) -> str:
+        """Select exactly one repo from verified repos.
+
+        Raises:
+            RepositoryNotFoundError: If zero or multiple repos verified.
+        """
+        if len(verified_repos) == 0:
+            raise RepositoryNotFoundError(
+                f'Could not access any of the mentioned repositories: {", ".join(potential_repos)}. '
+                'Please ensure you have access to the repository and it exists.'
+            )
+
+        if len(verified_repos) > 1:
+            raise RepositoryNotFoundError(
+                f'Multiple repositories found: {", ".join(verified_repos)}. '
+                'Please specify exactly one repository in the issue description or comment.'
+            )
+
+        logger.info(
+            '[Jira] Verified repository access',
+            extra={'issue_key': issue_key, 'repository': verified_repos[0]},
+        )
+        return verified_repos[0]
+
+    @staticmethod
+    async def _infer_repository(
+        payload: JiraWebhookPayload,
+        user_auth: UserAuth,
+        issue_title: str,
+        issue_description: str,
+    ) -> str:
+        """Infer and verify the repository from issue content.
+
+        Raises:
+            RepositoryNotFoundError: If no valid repository can be determined.
+        """
+        provider_handler = await JiraFactory._create_provider_handler(user_auth)
+        if not provider_handler:
+            raise RepositoryNotFoundError(
+                'No Git provider connected. Please connect a Git provider in OpenHands settings.'
+            )
+
+        potential_repos = JiraFactory._extract_potential_repos(
+            payload.issue_key, issue_title, issue_description, payload.user_msg
+        )
+
+        verified_repos = await JiraFactory._verify_repos(
+            payload.issue_key, potential_repos, provider_handler
+        )
+
+        return JiraFactory._select_single_repo(
+            payload.issue_key, potential_repos, verified_repos
+        )
+
+    @staticmethod
+    async def create_view(
+        payload: JiraWebhookPayload,
+        workspace: JiraWorkspace,
+        user: JiraUser,
+        user_auth: UserAuth,
+        decrypted_api_key: str,
     ) -> JiraViewInterface:
-        """Create appropriate Jira view based on the message and user state"""
+        """Create a Jira view with repository already selected.
 
-        if not jira_user or not saas_user_auth or not jira_workspace:
-            raise StartingConvoException('User not authenticated with Jira integration')
+        This factory method:
+        1. Creates the view with payload and auth context
+        2. Fetches issue details (needed for repo inference)
+        3. Infers and selects the repository
 
-        conversation = await integration_store.get_user_conversations_by_issue_id(
-            job_context.issue_id, jira_user.id
+        If any step fails, an appropriate exception is raised with
+        a user-friendly message.
+
+        Args:
+            payload: Parsed webhook payload
+            workspace: The Jira workspace
+            user: The Jira user
+            user_auth: OpenHands user authentication
+            decrypted_api_key: Decrypted service account API key
+
+        Returns:
+            A JiraViewInterface with selected_repo populated
+
+        Raises:
+            StartingConvoException: If view creation fails
+            RepositoryNotFoundError: If repository cannot be determined
+        """
+        logger.info(
+            '[Jira] Creating view',
+            extra={
+                'issue_key': payload.issue_key,
+                'event_type': payload.event_type.value,
+            },
         )
 
-        if conversation:
-            logger.info(
-                f'[Jira] Found existing conversation for issue {job_context.issue_id}'
-            )
-            return JiraExistingConversationView(
-                job_context=job_context,
-                saas_user_auth=saas_user_auth,
-                jira_user=jira_user,
-                jira_workspace=jira_workspace,
-                selected_repo=None,
-                conversation_id=conversation.conversation_id,
-            )
-
-        return JiraNewConversationView(
-            job_context=job_context,
-            saas_user_auth=saas_user_auth,
-            jira_user=jira_user,
-            jira_workspace=jira_workspace,
-            selected_repo=None,  # Will be set later after repo inference
-            conversation_id='',  # Will be set when conversation is created
+        # Create the view
+        view = JiraNewConversationView(
+            payload=payload,
+            saas_user_auth=user_auth,
+            jira_user=user,
+            jira_workspace=workspace,
+            _decrypted_api_key=decrypted_api_key,
         )
+
+        # Fetch issue details (needed for repo inference)
+        try:
+            issue_title, issue_description = await view.get_issue_details()
+        except StartingConvoException:
+            raise  # Re-raise with original message
+        except Exception as e:
+            raise StartingConvoException(f'Failed to fetch issue details: {str(e)}')
+
+        # Infer and select repository
+        selected_repo = await JiraFactory._infer_repository(
+            payload=payload,
+            user_auth=user_auth,
+            issue_title=issue_title,
+            issue_description=issue_description,
+        )
+
+        view.selected_repo = selected_repo
+
+        logger.info(
+            '[Jira] View created successfully',
+            extra={
+                'issue_key': payload.issue_key,
+                'selected_repo': selected_repo,
+            },
+        )
+
+        return view

enterprise/integrations/jira_dc/jira_dc_manager.py

@@ -19,6 +19,7 @@ from integrations.utils import (
     HOST_URL,
     OPENHANDS_RESOLVER_TEMPLATES_DIR,
     filter_potential_repos_by_user_msg,
+    get_session_expired_message,
 )
 from jinja2 import Environment, FileSystemLoader
 from server.auth.saas_user_auth import get_user_auth_from_keycloak_id
@@ -32,11 +33,16 @@ from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.provider import ProviderHandler
 from openhands.integrations.service_types import Repository
 from openhands.server.shared import server_config
-from openhands.server.types import LLMAuthenticationError, MissingSettingsError
+from openhands.server.types import (
+    LLMAuthenticationError,
+    MissingSettingsError,
+    SessionExpiredError,
+)
 from openhands.server.user_auth.user_auth import UserAuth
+from openhands.utils.http_session import httpx_verify_option
 
 
-class JiraDcManager(Manager):
+class JiraDcManager(Manager[JiraDcViewInterface]):
     def __init__(self, token_manager: TokenManager):
         self.token_manager = token_manager
         self.integration_store = JiraDcIntegrationStore.get_instance()
@@ -347,7 +353,7 @@ class JiraDcManager(Manager):
             logger.error(f'[Jira DC] Error in is_job_requested: {str(e)}')
             return False
 
-    async def start_job(self, jira_dc_view: JiraDcViewInterface):
+    async def start_job(self, jira_dc_view: JiraDcViewInterface) -> None:
         """Start a Jira DC job/conversation."""
         # Import here to prevent circular import
         from server.conversation_callback_processor.jira_dc_callback_processor import (
@@ -396,6 +402,10 @@ class JiraDcManager(Manager):
             logger.warning(f'[Jira DC] LLM authentication error: {str(e)}')
             msg_info = f'Please set a valid LLM API key in [OpenHands Cloud]({HOST_URL}) before starting a job.'
 
+        except SessionExpiredError as e:
+            logger.warning(f'[Jira DC] Session expired: {str(e)}')
+            msg_info = get_session_expired_message()
+
         except Exception as e:
             logger.error(
                 f'[Jira DC] Unexpected error starting job: {str(e)}', exc_info=True
@@ -408,7 +418,7 @@ class JiraDcManager(Manager):
                 jira_dc_view.jira_dc_workspace.svc_acc_api_key
             )
             await self.send_message(
-                self.create_outgoing_message(msg=msg_info),
+                msg_info,
                 issue_key=jira_dc_view.job_context.issue_key,
                 base_api_url=jira_dc_view.job_context.base_api_url,
                 svc_acc_api_key=api_key,
@@ -422,7 +432,7 @@ class JiraDcManager(Manager):
         """Get issue details from Jira DC API."""
         url = f'{job_context.base_api_url}/rest/api/2/issue/{job_context.issue_key}'
         headers = {'Authorization': f'Bearer {svc_acc_api_key}'}
-        async with httpx.AsyncClient() as client:
+        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
             response = await client.get(url, headers=headers)
             response.raise_for_status()
             issue_payload = response.json()
@@ -446,13 +456,20 @@ class JiraDcManager(Manager):
         return title, description
 
     async def send_message(
-        self, message: Message, issue_key: str, base_api_url: str, svc_acc_api_key: str
+        self, message: str, issue_key: str, base_api_url: str, svc_acc_api_key: str
     ):
-        """Send message/comment to Jira DC issue."""
+        """Send message/comment to Jira DC issue.
+
+        Args:
+            message: The message content to send (plain text string)
+            issue_key: The Jira issue key (e.g., 'PROJ-123')
+            base_api_url: The base API URL for the Jira DC instance
+            svc_acc_api_key: Service account API key for authentication
+        """
         url = f'{base_api_url}/rest/api/2/issue/{issue_key}/comment'
         headers = {'Authorization': f'Bearer {svc_acc_api_key}'}
-        data = {'body': message.message}
-        async with httpx.AsyncClient() as client:
+        data = {'body': message}
+        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
             response = await client.post(url, headers=headers, json=data)
             response.raise_for_status()
             return response.json()
@@ -471,7 +488,7 @@ class JiraDcManager(Manager):
         try:
             api_key = self.token_manager.decrypt_text(workspace.svc_acc_api_key)
             await self.send_message(
-                self.create_outgoing_message(msg=error_msg),
+                error_msg,
                 issue_key=job_context.issue_key,
                 base_api_url=job_context.base_api_url,
                 svc_acc_api_key=api_key,
@@ -492,7 +509,7 @@ class JiraDcManager(Manager):
             )
 
             await self.send_message(
-                self.create_outgoing_message(msg=comment_msg),
+                comment_msg,
                 issue_key=jira_dc_view.job_context.issue_key,
                 base_api_url=jira_dc_view.job_context.base_api_url,
                 svc_acc_api_key=api_key,

enterprise/integrations/jira_dc/jira_dc_types.py

@@ -19,7 +19,7 @@ class JiraDcViewInterface(ABC):
     conversation_id: str
 
     @abstractmethod
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
         """Get initial instructions for the conversation."""
         pass
 

enterprise/integrations/jira_dc/jira_dc_view.py

@@ -36,7 +36,7 @@ class JiraDcNewConversationView(JiraDcViewInterface):
     selected_repo: str | None
     conversation_id: str
 
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
         """Instructions passed when conversation is first initialized"""
 
         instructions_template = jinja_env.get_template('jira_dc_instructions.j2')
@@ -60,8 +60,8 @@ class JiraDcNewConversationView(JiraDcViewInterface):
             raise StartingConvoException('No repository selected for this conversation')
 
         provider_tokens = await self.saas_user_auth.get_provider_tokens()
-        user_secrets = await self.saas_user_auth.get_user_secrets()
-        instructions, user_msg = self._get_instructions(jinja_env)
+        user_secrets = await self.saas_user_auth.get_secrets()
+        instructions, user_msg = await self._get_instructions(jinja_env)
 
         try:
             agent_loop_info = await create_new_conversation(
@@ -113,7 +113,7 @@ class JiraDcExistingConversationView(JiraDcViewInterface):
     selected_repo: str | None
     conversation_id: str
 
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
         """Instructions passed when conversation is first initialized"""
 
         user_msg_template = jinja_env.get_template('jira_dc_existing_conversation.j2')
@@ -155,6 +155,9 @@ class JiraDcExistingConversationView(JiraDcViewInterface):
                 self.conversation_id, conversation_init_data, user_id
             )
 
+            if agent_loop_info.event_store is None:
+                raise StartingConvoException('Event store not available')
+
             final_agent_observation = get_final_agent_observation(
                 agent_loop_info.event_store
             )
@@ -167,7 +170,7 @@ class JiraDcExistingConversationView(JiraDcViewInterface):
             if not agent_state or agent_state == AgentState.LOADING:
                 raise StartingConvoException('Conversation is still starting')
 
-            _, user_msg = self._get_instructions(jinja_env)
+            _, user_msg = await self._get_instructions(jinja_env)
             user_message_event = MessageAction(content=user_msg)
             await conversation_manager.send_event_to_conversation(
                 self.conversation_id, event_to_dict(user_message_event)

enterprise/integrations/linear/linear_manager.py

@@ -16,6 +16,7 @@ from integrations.utils import (
     HOST_URL,
     OPENHANDS_RESOLVER_TEMPLATES_DIR,
     filter_potential_repos_by_user_msg,
+    get_session_expired_message,
 )
 from jinja2 import Environment, FileSystemLoader
 from server.auth.saas_user_auth import get_user_auth_from_keycloak_id
@@ -29,11 +30,16 @@ from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.provider import ProviderHandler
 from openhands.integrations.service_types import Repository
 from openhands.server.shared import server_config
-from openhands.server.types import LLMAuthenticationError, MissingSettingsError
+from openhands.server.types import (
+    LLMAuthenticationError,
+    MissingSettingsError,
+    SessionExpiredError,
+)
 from openhands.server.user_auth.user_auth import UserAuth
+from openhands.utils.http_session import httpx_verify_option
 
 
-class LinearManager(Manager):
+class LinearManager(Manager[LinearViewInterface]):
     def __init__(self, token_manager: TokenManager):
         self.token_manager = token_manager
         self.integration_store = LinearIntegrationStore.get_instance()
@@ -337,7 +343,7 @@ class LinearManager(Manager):
             logger.error(f'[Linear] Error in is_job_requested: {str(e)}')
             return False
 
-    async def start_job(self, linear_view: LinearViewInterface):
+    async def start_job(self, linear_view: LinearViewInterface) -> None:
         """Start a Linear job/conversation."""
         # Import here to prevent circular import
         from server.conversation_callback_processor.linear_callback_processor import (
@@ -386,6 +392,10 @@ class LinearManager(Manager):
             logger.warning(f'[Linear] LLM authentication error: {str(e)}')
             msg_info = f'Please set a valid LLM API key in [OpenHands Cloud]({HOST_URL}) before starting a job.'
 
+        except SessionExpiredError as e:
+            logger.warning(f'[Linear] Session expired: {str(e)}')
+            msg_info = get_session_expired_message()
+
         except Exception as e:
             logger.error(
                 f'[Linear] Unexpected error starting job: {str(e)}', exc_info=True
@@ -398,7 +408,7 @@ class LinearManager(Manager):
                 linear_view.linear_workspace.svc_acc_api_key
             )
             await self.send_message(
-                self.create_outgoing_message(msg=msg_info),
+                msg_info,
                 linear_view.job_context.issue_id,
                 api_key,
             )
@@ -408,7 +418,7 @@ class LinearManager(Manager):
     async def _query_api(self, query: str, variables: Dict, api_key: str) -> Dict:
         """Query Linear GraphQL API."""
         headers = {'Authorization': api_key}
-        async with httpx.AsyncClient() as client:
+        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
             response = await client.post(
                 self.api_url,
                 headers=headers,
@@ -463,8 +473,14 @@ class LinearManager(Manager):
 
         return title, description
 
-    async def send_message(self, message: Message, issue_id: str, api_key: str):
-        """Send message/comment to Linear issue."""
+    async def send_message(self, message: str, issue_id: str, api_key: str):
+        """Send message/comment to Linear issue.
+
+        Args:
+            message: The message content to send (plain text string)
+            issue_id: The Linear issue ID to comment on
+            api_key: The Linear API key for authentication
+        """
         query = """
             mutation CommentCreate($input: CommentCreateInput!) {
               commentCreate(input: $input) {
@@ -475,7 +491,7 @@ class LinearManager(Manager):
               }
             }
         """
-        variables = {'input': {'issueId': issue_id, 'body': message.message}}
+        variables = {'input': {'issueId': issue_id, 'body': message}}
         return await self._query_api(query, variables, api_key)
 
     async def _send_error_comment(
@@ -488,9 +504,7 @@ class LinearManager(Manager):
 
         try:
             api_key = self.token_manager.decrypt_text(workspace.svc_acc_api_key)
-            await self.send_message(
-                self.create_outgoing_message(msg=error_msg), issue_id, api_key
-            )
+            await self.send_message(error_msg, issue_id, api_key)
         except Exception as e:
             logger.error(f'[Linear] Failed to send error comment: {str(e)}')
 
@@ -507,7 +521,7 @@ class LinearManager(Manager):
             )
 
             await self.send_message(
-                self.create_outgoing_message(msg=comment_msg),
+                comment_msg,
                 linear_view.job_context.issue_id,
                 api_key,
             )

enterprise/integrations/linear/linear_types.py

@@ -19,7 +19,7 @@ class LinearViewInterface(ABC):
     conversation_id: str
 
     @abstractmethod
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
         """Get initial instructions for the conversation."""
         pass