Revert pyproject.toml and poetry.lock changes

Co-authored-by: openhands <openhands@all-hands.dev>

.agents/skills/cross-repo-testing/SKILL.md

@@ -1,202 +0,0 @@
----
-name: cross-repo-testing
-description: This skill should be used when the user asks to "test a cross-repo feature", "deploy a feature branch to staging", "test SDK against OH Cloud", "e2e test a cloud workspace feature", "test provider tokens", "test secrets inheritance", or when changes span the SDK and OpenHands server repos and need end-to-end validation against a staging deployment.
-triggers:
-- cross-repo
-- staging deployment
-- feature branch deploy
-- test against cloud
-- e2e cloud
----
-
-# Cross-Repo Testing: SDK ↔ OpenHands Cloud
-
-How to end-to-end test features that span `OpenHands/software-agent-sdk` and `OpenHands/OpenHands` (the Cloud backend).
-
-## Repository Map
-
-| Repo | Role | What lives here |
-|------|------|-----------------|
-| [`software-agent-sdk`](https://github.com/OpenHands/software-agent-sdk) | Agent core | `openhands-sdk`, `openhands-workspace`, `openhands-tools` packages. `OpenHandsCloudWorkspace` lives here. |
-| [`OpenHands`](https://github.com/OpenHands/OpenHands) | Cloud backend | FastAPI server (`openhands/app_server/`), sandbox management, auth, enterprise integrations. Deployed as OH Cloud. |
-| [`deploy`](https://github.com/OpenHands/deploy) | Infrastructure | Helm charts + GitHub Actions that build the enterprise Docker image and deploy to staging/production. |
-
-**Data flow:** SDK client → OH Cloud API (`/api/v1/...`) → sandbox agent-server (inside runtime container)
-
-## When You Need This
-
-There are **two flows** depending on which direction the dependency goes:
-
-| Flow | When | Example |
-|------|------|---------|
-| **A — SDK client → new Cloud API** | The SDK calls an API that doesn't exist yet on production | `workspace.get_llm()` calling `GET /api/v1/users/me?expose_secrets=true` |
-| **B — OH server → new SDK code** | The Cloud server needs unreleased SDK packages or a new agent-server image | Server consumes a new tool, agent behavior, or workspace method from the SDK |
-
-Flow A only requires deploying the server PR. Flow B requires pinning the SDK to an unreleased commit in the server PR **and** using the SDK PR's agent-server image. Both flows may apply simultaneously.
-
----
-
-## Flow A: SDK Client Tests Against New Cloud API
-
-Use this when the SDK calls an endpoint that only exists on the server PR branch.
-
-### A1. Write and test the server-side changes
-
-In the `OpenHands` repo, implement the new API endpoint(s). Run unit tests:
-
-```bash
-cd OpenHands
-poetry run pytest tests/unit/app_server/test_<relevant>.py -v
-```
-
-Push a PR. Wait for the **"Push Enterprise Image" (Docker) CI job** to succeed — this builds `ghcr.io/openhands/enterprise-server:sha-<COMMIT>`.
-
-### A2. Write the SDK-side changes
-
-In `software-agent-sdk`, implement the client code (e.g., new methods on `OpenHandsCloudWorkspace`). Run SDK unit tests:
-
-```bash
-cd software-agent-sdk
-pip install -e openhands-sdk -e openhands-workspace
-pytest tests/ -v
-```
-
-Push a PR. SDK CI is independent — it doesn't need the server changes to pass unit tests.
-
-### A3. Deploy the server PR to staging
-
-See [Deploying to a Staging Feature Environment](#deploying-to-a-staging-feature-environment) below.
-
-### A4. Run the SDK e2e test against staging
-
-See [Running E2E Tests Against Staging](#running-e2e-tests-against-staging) below.
-
----
-
-## Flow B: OH Server Needs Unreleased SDK Code
-
-Use this when the Cloud server depends on SDK changes that haven't been released to PyPI yet. The server's runtime containers run the `agent-server` image built from the SDK repo, so the server PR must be configured to use the SDK PR's image and packages.
-
-### B1. Get the SDK PR merged (or identify the commit)
-
-The SDK PR must have CI pass so its agent-server Docker image is built. The image is tagged with the **merge-commit SHA** from GitHub Actions — NOT the head-commit SHA shown in the PR.
-
-Find the correct image tag:
-- Check the SDK PR description for an `AGENT_SERVER_IMAGES` section
-- Or check the "Consolidate Build Information" CI job for `"short_sha": "<tag>"`
-
-### B2. Pin SDK packages to the commit in the OpenHands PR
-
-In the `OpenHands` repo PR, pin all 3 SDK packages (`openhands-sdk`, `openhands-agent-server`, `openhands-tools`) to the unreleased commit and update the agent-server image tag. This involves editing 3 files and regenerating 3 lock files.
-
-Follow the **`update-sdk` skill** → "Development: Pin SDK to an Unreleased Commit" section for the full procedure and file-by-file instructions.
-
-### B3. Wait for the OpenHands enterprise image to build
-
-Push the pinned changes. The OpenHands CI will build a new enterprise Docker image (`ghcr.io/openhands/enterprise-server:sha-<OH_COMMIT>`) that bundles the unreleased SDK. Wait for the "Push Enterprise Image" job to succeed.
-
-### B4. Deploy and test
-
-Follow [Deploying to a Staging Feature Environment](#deploying-to-a-staging-feature-environment) using the new OpenHands commit SHA.
-
-### B5. Before merging: remove the pin
-
-**CI guard:** `check-package-versions.yml` blocks merge to `main` if `[tool.poetry.dependencies]` contains `rev` fields. Before the OpenHands PR can merge, the SDK PR must be merged and released to PyPI, then the pin must be replaced with the released version number.
-
----
-
-## Deploying to a Staging Feature Environment
-
-The `deploy` repo creates preview environments from OpenHands PRs.
-
-**Option A — GitHub Actions UI (preferred):**
-Go to `OpenHands/deploy` → Actions → "Create OpenHands preview PR" → enter the OpenHands PR number. This creates a branch `ohpr-<PR>-<random>` and opens a deploy PR.
-
-**Option B — Update an existing feature branch:**
-```bash
-cd deploy
-git checkout ohpr-<PR>-<random>
-# In .github/workflows/deploy.yaml, update BOTH:
-#   OPENHANDS_SHA: "<full-40-char-commit>"
-#   OPENHANDS_RUNTIME_IMAGE_TAG: "<same-commit>-nikolaik"
-git commit -am "Update OPENHANDS_SHA to <commit>" && git push
-```
-
-**Before updating the SHA**, verify the enterprise Docker image exists:
-```bash
-gh api repos/OpenHands/OpenHands/actions/runs \
-  --jq '.workflow_runs[] | select(.head_sha=="<COMMIT>") | "\(.name): \(.conclusion)"' \
-  | grep Docker
-# Must show: "Docker: success"
-```
-
-The deploy CI auto-triggers and creates the environment at:
-```
-https://ohpr-<PR>-<random>.staging.all-hands.dev
-```
-
-**Wait for it to be live:**
-```bash
-curl -s -o /dev/null -w "%{http_code}" https://ohpr-<PR>-<random>.staging.all-hands.dev/api/v1/health
-# 401 = server is up (auth required). DNS may take 1-2 min on first deploy.
-```
-
-## Running E2E Tests Against Staging
-
-**Critical: Feature deployments have their own Keycloak instance.** API keys from `app.all-hands.dev` or `$OPENHANDS_API_KEY` will NOT work. You need a test API key issued by the specific feature deployment's Keycloak.
-
-**You (the agent) cannot obtain this key yourself** — the feature environment requires interactive browser login with credentials you do not have. You must **ask the user** to:
-1. Log in to the feature deployment at `https://ohpr-<PR>-<random>.staging.all-hands.dev` in their browser
-2. Generate a test API key from the UI
-3. Provide the key to you so you can proceed with e2e testing
-
-Do **not** attempt to log in via the browser or guess credentials. Wait for the user to supply the key before running any e2e tests.
-
-```python
-from openhands.workspace import OpenHandsCloudWorkspace
-
-STAGING = "https://ohpr-<PR>-<random>.staging.all-hands.dev"
-
-with OpenHandsCloudWorkspace(
-    cloud_api_url=STAGING,
-    cloud_api_key="<test-api-key-for-this-deployment>",
-) as workspace:
-    # Test the new feature
-    llm = workspace.get_llm()
-    secrets = workspace.get_secrets()
-    print(f"LLM: {llm.model}, secrets: {list(secrets.keys())}")
-```
-
-Or run an example script:
-```bash
-OPENHANDS_CLOUD_API_KEY="<key>" \
-OPENHANDS_CLOUD_API_URL="https://ohpr-<PR>-<random>.staging.all-hands.dev" \
-python examples/02_remote_agent_server/10_cloud_workspace_saas_credentials.py
-```
-
-### Recording results
-
-Both repos support a `.pr/` directory for temporary PR artifacts (design docs, test logs, scripts). These files are automatically removed when the PR is approved — see `.github/workflows/pr-artifacts.yml` and the "PR-Specific Artifacts" section in each repo's `AGENTS.md`.
-
-Push test output to the `.pr/logs/` directory of whichever repo you're working in:
-```bash
-mkdir -p .pr/logs
-python test_script.py 2>&1 | tee .pr/logs/<test_name>.log
-git add -f .pr/logs/
-git commit -m "docs: add e2e test results" && git push
-```
-
-Comment on **both PRs** with pass/fail summary and link to logs.
-
-## Key Gotchas
-
-| Gotcha | Details |
-|--------|---------|
-| **Feature env auth is isolated** | Each `ohpr-*` deployment has its own Keycloak. Production API keys don't work. Agents cannot log in — you must ask the user to provide a test API key from the feature deployment's UI. |
-| **Two SHAs in deploy.yaml** | `OPENHANDS_SHA` and `OPENHANDS_RUNTIME_IMAGE_TAG` must both be updated. The runtime tag is `<sha>-nikolaik`. |
-| **Enterprise image must exist** | The Docker CI job on the OpenHands PR must succeed before you can deploy. If it hasn't run, push an empty commit to trigger it. |
-| **DNS propagation** | First deployment of a new branch takes 1-2 min for DNS. Subsequent deploys are instant. |
-| **Merge-commit SHA ≠ head SHA** | SDK CI tags Docker images with GitHub Actions' merge-commit SHA, not the PR head SHA. Check the SDK PR description or CI logs for the correct tag. |
-| **SDK pin blocks merge** | `check-package-versions.yml` prevents merging an OpenHands PR that has `rev` fields in `[tool.poetry.dependencies]`. The SDK must be released to PyPI first. |
-| **Flow A: stock agent-server is fine** | When only the Cloud API changes, `OpenHandsCloudWorkspace` talks to the Cloud server, not the agent-server. No custom image needed. |
-| **Flow B: agent-server image is required** | When the server needs new SDK code inside runtime containers, you must pin to the SDK PR's agent-server image. |

.agents/skills/upcoming-release.md

@@ -0,0 +1,22 @@
+---
+name: upcoming-release
+description: Generate a concise summary of PRs included in the upcoming release.
+triggers:
+- /upcoming-release
+---
+
+We want to know what is part of the upcoming release.
+
+To do this, you need two commit SHAs. One SHA is what is currently running. The second SHA is what is going to be
+released. The user must provide these. If the user does not provide these, ask the user to provide them before doing
+anything.
+
+Once you have received the two SHAs:
+1. Run the `.github/scripts/find_prs_between_commits.py` script from the repository root directory with the `--json` flag. The **first SHA** should be the older commit (current release), and the **second SHA** should be the newer commit (what's being released).
+2. Do not show PRs that are chores, dependency updates, adding logs, refactors.
+3. From the remaining PRs, split them into these categories:
+   - Features
+   - Bug fixes
+   - Security/CVE fixes
+   - Other
+4. The output should list the PRs under their category, including the PR number with a brief description of the PR.

.agents/skills/upcoming-release/SKILL.md

@@ -1,37 +0,0 @@
----
-name: upcoming-release
-description: This skill should be used when the user asks to "generate release notes", "list upcoming release PRs", "summarize upcoming release", "/upcoming-release", or needs to know what changes are part of an upcoming release.
----
-
-# Upcoming Release Summary
-
-Generate a concise summary of PRs included in the upcoming release.
-
-## Prerequisites
-
-Two commit SHAs are required:
-- **First SHA**: The older commit (current release)
-- **Second SHA**: The newer commit (what's being released)
-
-If the user does not provide both SHAs, ask for them before proceeding.
-
-## Workflow
-
-1. Run the script from the repository root with the `--json` flag:
-   ```bash
-   .github/scripts/find_prs_between_commits.py <older-sha> <newer-sha> --json
-   ```
-
-2. Filter out PRs that are:
-   - Chores
-   - Dependency updates
-   - Adding logs
-   - Refactors
-
-3. Categorize the remaining PRs:
-   - **Features** - New functionality
-   - **Bug fixes** - Corrections to existing behavior
-   - **Security/CVE fixes** - Security-related changes
-   - **Other** - Everything else
-
-4. Format the output with PRs listed under their category, including the PR number and a brief description.

.agents/skills/update-sdk/SKILL.md

@@ -1,123 +0,0 @@
----
-name: update-sdk
-description: This skill should be used when the user asks to "update SDK", "bump SDK version", "pin SDK to a commit", "test unreleased SDK", "update agent-server image", "bump the version", "prepare a release", "what files change for a release", or needs to know how SDK packages are managed in the OpenHands repository. For detailed reference material, see references/docker-image-locations.md and references/sdk-pinning-examples.md in this skill directory.
----
-
-# Update SDK
-
-Bump SDK packages (`openhands-sdk`, `openhands-agent-server`, `openhands-tools`), pin them to unreleased commits for testing, and cut an OpenHands release.
-
-## Quick Summary — How Many Files Change?
-
-| Activity | Manual edits | Auto-regenerated | Total |
-|----------|:------------:|:----------------:|:-----:|
-| **SDK bump** (released PyPI version) | 2 | 3 | **5** |
-| **SDK pin** (unreleased git commit) | 3 | 3 | **6** |
-| **Release commit** (version bump) | 3 | 0 | **3** |
-
-The 3 auto-regenerated files are always: `poetry.lock`, `uv.lock`, `enterprise/poetry.lock`.
-
-## SDK Package Bump — 2 Files + 3 Lock Files
-
-Land as a separate PR before the release. Examples: `929dcc3` (SDK 1.11.5), `cd235cc` (SDK 1.11.4).
-
-| File | What to change |
-|------|----------------|
-| `pyproject.toml` | `openhands-sdk`, `openhands-agent-server`, `openhands-tools` in **two** sections: the `dependencies` array (PEP 508) **and** `[tool.poetry.dependencies]` |
-| `openhands/app_server/sandbox/sandbox_spec_service.py` | `AGENT_SERVER_IMAGE` constant — set to `ghcr.io/openhands/agent-server:<version>-python` |
-
-Then regenerate lock files:
-```bash
-poetry lock && uv lock && cd enterprise && poetry lock && cd ..
-```
-
-## Docker Image Locations — All Hardcoded References
-
-For the complete inventory of every file containing a hardcoded Docker image tag or repository, see `references/docker-image-locations.md`. Key files that must stay in sync during an SDK bump:
-
-| File | Image reference | Updated during SDK bump? |
-|------|----------------|:------------------------:|
-| `openhands/app_server/sandbox/sandbox_spec_service.py` | `AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:<tag>-python'` | ✅ Yes |
-| `docker-compose.yml` | `AGENT_SERVER_IMAGE_TAG` default | ✅ Should be |
-| `containers/dev/compose.yml` | `AGENT_SERVER_IMAGE_REPOSITORY` + `_TAG` defaults | ✅ Should be |
-
-> **CI enforcement:** `.github/workflows/check-version-consistency.yml` validates version consistency and compose file image references on every PR and push to main.
-
-### ⚠️ Docker Image Tag Gotcha (merge-commit SHA)
-
-The SDK CI in `software-agent-sdk` repo tags Docker images with the **GitHub Actions merge-commit SHA**, NOT the PR head-commit SHA. When pinning to an SDK PR branch:
-
-1. Check the SDK PR description for the actual image tag (look for the `AGENT_SERVER_IMAGES` section)
-2. Or query the CI logs: the "Consolidate Build Information" job prints `"short_sha": "<tag>"`
-3. The merge-commit SHA differs from the head SHA shown in the PR
-
-For released SDK versions, images use a version tag (e.g., `1.12.0-python`) — no merge-commit ambiguity.
-
-## Cutting a Release — 3 Files
-
-A release commit updates the version string across 3 files. Gold-standard examples: 1.3.0 (`d063c8c`), 1.4.0 (`495f48b`).
-
-| File | What to change |
-|------|----------------|
-| `pyproject.toml` | `version = "X.Y.Z"` under `[tool.poetry]` |
-| `frontend/package.json` | `"version": "X.Y.Z"` |
-| `frontend/package-lock.json` | `"version": "X.Y.Z"` in **two** places (root object and `packages[""]`) |
-
-> **Note:** `openhands/version.py` reads the version from `pyproject.toml` at runtime — no manual edit needed there.
-
-### Compose Files (2 files)
-
-Both compose files should use `ghcr.io/openhands/agent-server` with the current SDK version tag.
-
-| File | What to verify |
-|------|----------------|
-| `docker-compose.yml` | `AGENT_SERVER_IMAGE_REPOSITORY` defaults to agent-server, `AGENT_SERVER_IMAGE_TAG` is current |
-| `containers/dev/compose.yml` | Same — must use agent-server, not runtime |
-
-### Release Workflow
-
-#### Step 1: Verify the SDK bump has landed
-
-```bash
-grep -n "openhands-sdk\|openhands-agent-server\|openhands-tools" pyproject.toml
-grep -n "AGENT_SERVER_IMAGE" openhands/app_server/sandbox/sandbox_spec_service.py
-grep "AGENT_SERVER_IMAGE_TAG" docker-compose.yml containers/dev/compose.yml
-```
-
-#### Step 2: Bump version numbers
-
-```bash
-# Edit pyproject.toml, frontend/package.json, frontend/package-lock.json
-git add pyproject.toml frontend/package.json frontend/package-lock.json
-git commit -m "Release X.Y.Z"
-git tag X.Y.Z
-```
-
-Create a `saas-rel-X.Y.Z` branch from the tagged commit for the SaaS deployment pipeline.
-
-#### Step 3: CI builds Docker images automatically
-
-The `ghcr-build.yml` workflow triggers on tag pushes and produces:
-- `ghcr.io/openhands/openhands:X.Y.Z`, `X.Y`, `X`, `latest`
-- `ghcr.io/openhands/runtime:X.Y.Z-nikolaik`, `X.Y-nikolaik`
-
-The tagging logic lives in `containers/build.sh` — when `GITHUB_REF_NAME` matches a semver pattern (`^[0-9]+\.[0-9]+\.[0-9]+$`), it auto-generates major, major.minor, and `latest` tags.
-
-## Development: Pin SDK to an Unreleased Commit
-
-For detailed examples of all pinning formats (commit, branch, uv-only), see `references/sdk-pinning-examples.md`.
-
-### Files to change (3 manual + 3 lock files)
-
-| File | What to change |
-|------|----------------|
-| `pyproject.toml` | Pin all 3 SDK packages in **both** `dependencies` and `[tool.poetry.dependencies]` |
-| `openhands/app_server/sandbox/sandbox_spec_service.py` | `AGENT_SERVER_IMAGE` — use the merge-commit SHA tag, NOT the head-commit SHA |
-| `docker-compose.yml` | `AGENT_SERVER_IMAGE_TAG` default (for local development) |
-| `poetry.lock` | Auto-regenerated via `poetry lock` |
-| `uv.lock` | Auto-regenerated via `uv lock` |
-| `enterprise/poetry.lock` | Auto-regenerated via `cd enterprise && poetry lock` |
-
-### CI guard
-
-The `check-package-versions.yml` workflow blocks merging to `main` if `[tool.poetry.dependencies]` contains any `rev` fields. This ensures unreleased SDK pins do not accidentally ship in a release.

.agents/skills/update-sdk/references/docker-image-locations.md

@@ -1,84 +0,0 @@
-# Docker Image Locations — Complete Inventory
-
-Every file in the OpenHands repository containing a hardcoded Docker image tag, repository, or version-pinned image reference. Organized by update cadence.
-
-## Updated During SDK Bump (must change)
-
-These files contain image tags that **must** be updated whenever the SDK version or pinned commit changes.
-
-### `openhands/app_server/sandbox/sandbox_spec_service.py`
-- **Line:** `AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:<tag>-python'`
-- **Format:** `<sdk-version>-python` for releases (e.g., `1.12.0-python`), `<7-char-commit-hash>-python` for dev pins
-- **Source of truth** for which agent-server image the app server pulls at runtime
-- **⚠️ Gotcha:** When pinning to an SDK PR, the image tag is the **merge-commit SHA** from GitHub Actions, not the PR head-commit SHA. Check the SDK PR description or CI logs for the correct tag.
-
-### `docker-compose.yml`
-- **Lines:**
-  ```yaml
-  - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-  - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-<tag>-python}
-  ```
-- Used by `docker compose up` for local development
-
-### `containers/dev/compose.yml`
-- **Lines:**
-  ```yaml
-  - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-  - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-<tag>-python}
-  ```
-- Used by the dev container setup
-- **Known issue:** On main as of 1.4.0, this file still points to `ghcr.io/openhands/runtime` instead of `agent-server`, and the tag is `1.2-nikolaik` (stale from the V0 era). The `check-version-consistency.yml` CI workflow catches this.
-
-## Updated During Release Commit (version string only)
-
-### `pyproject.toml`
-- **Line:** `version = "X.Y.Z"` under `[tool.poetry]`
-- The Python version is derived from this at runtime via `openhands/version.py`
-
-### `frontend/package.json`
-- **Line:** `"version": "X.Y.Z"`
-
-### `frontend/package-lock.json`
-- **Two places:** root `"version": "X.Y.Z"` and `packages[""].version`
-
-## Dynamic References (auto-derived, no manual update)
-
-### `openhands/version.py`
-- Reads version from `pyproject.toml` at runtime → `openhands.__version__`
-
-### `openhands/resolver/issue_resolver.py`
-- Builds `ghcr.io/openhands/runtime:{openhands.__version__}-nikolaik` dynamically
-
-### `openhands/runtime/utils/runtime_build.py`
-- Base repo URL `ghcr.io/openhands/runtime` is a constant; version comes from elsewhere
-
-### `.github/scripts/update_pr_description.sh`
-- Uses `${SHORT_SHA}` variable at CI runtime, not hardcoded
-
-### `enterprise/Dockerfile`
-- `ARG BASE="ghcr.io/openhands/openhands"` — base image, version supplied at build time
-
-## V0 Legacy Files (separate update cadence)
-
-These reference the V0 runtime image (`ghcr.io/openhands/runtime:X.Y-nikolaik`) for local Docker/Kubernetes paths. They are **not** updated as part of a V1 release but may be updated independently.
-
-### `Development.md`
-- `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:X.Y-nikolaik`
-
-### `openhands/runtime/impl/kubernetes/README.md`
-- `runtime_container_image = "docker.openhands.dev/openhands/runtime:X.Y-nikolaik"`
-
-### `enterprise/enterprise_local/README.md`
-- Uses `ghcr.io/openhands/runtime:main-nikolaik` (points to `main`, not versioned)
-
-### `third_party/runtime/impl/daytona/README.md`
-- Uses `${OPENHANDS_VERSION}` variable, not hardcoded
-
-## Image Registries
-
-| Registry | Usage |
-|----------|-------|
-| `ghcr.io/openhands/agent-server` | V1 agent-server (sandbox) — built by SDK repo CI |
-| `ghcr.io/openhands/openhands` | Main app image — built by `ghcr-build.yml` |
-| `ghcr.io/openhands/runtime` | V0 runtime sandbox — built by `ghcr-build.yml` |
-| `docker.openhands.dev/openhands/*` | Mirror/CDN for the above images |

.agents/skills/update-sdk/references/sdk-pinning-examples.md

@@ -1,103 +0,0 @@
-# SDK Pinning Examples
-
-Examples from real commits showing how to pin SDK packages to unreleased commits, branches, or released versions.
-
-## Pin to a Specific Commit
-
-Example from commit `169fb76` (pinning all 3 packages to SDK commit `100e9af`):
-
-### `dependencies` array (PEP 508 format)
-
-```toml
-"openhands-agent-server @ git+https://github.com/OpenHands/software-agent-sdk.git@100e9af#subdirectory=openhands-agent-server",
-"openhands-sdk @ git+https://github.com/OpenHands/software-agent-sdk.git@100e9af#subdirectory=openhands-sdk",
-"openhands-tools @ git+https://github.com/OpenHands/software-agent-sdk.git@100e9af#subdirectory=openhands-tools",
-```
-
-### `[tool.poetry.dependencies]` (Poetry format)
-
-```toml
-openhands-sdk = { git = "https://github.com/OpenHands/software-agent-sdk.git", rev = "100e9af", subdirectory = "openhands-sdk" }
-openhands-agent-server = { git = "https://github.com/OpenHands/software-agent-sdk.git", rev = "100e9af", subdirectory = "openhands-agent-server" }
-openhands-tools = { git = "https://github.com/OpenHands/software-agent-sdk.git", rev = "100e9af", subdirectory = "openhands-tools" }
-```
-
-### `openhands/app_server/sandbox/sandbox_spec_service.py`
-
-```python
-AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:<merge-commit-sha>-python'
-```
-
-**⚠️ Important:** The image tag is the **merge-commit SHA** from the SDK CI, not the commit hash used in `pyproject.toml`. Look up the correct tag from the SDK PR description or CI logs.
-
-## Pin to a Branch
-
-Example from commit `430ee1c` (pinning to branch `openhands/issue-2228-sdk-settings-schema`):
-
-### `[tool.poetry.dependencies]`
-
-```toml
-openhands-sdk = { git = "https://github.com/OpenHands/software-agent-sdk.git", branch = "openhands/issue-2228-sdk-settings-schema", subdirectory = "openhands-sdk" }
-openhands-agent-server = { git = "https://github.com/OpenHands/software-agent-sdk.git", branch = "openhands/issue-2228-sdk-settings-schema", subdirectory = "openhands-agent-server" }
-openhands-tools = { git = "https://github.com/OpenHands/software-agent-sdk.git", branch = "openhands/issue-2228-sdk-settings-schema", subdirectory = "openhands-tools" }
-```
-
-## Using `[tool.uv.sources]` Override
-
-When only `uv` needs the override (keep PyPI versions in the main arrays), add a `[tool.uv.sources]` section. Example from commit `1daca49`:
-
-```toml
-[tool.uv.sources]
-openhands-sdk = { git = "https://github.com/OpenHands/software-agent-sdk.git", subdirectory = "openhands-sdk", rev = "4170cca" }
-openhands-agent-server = { git = "https://github.com/OpenHands/software-agent-sdk.git", subdirectory = "openhands-agent-server", rev = "4170cca" }
-openhands-tools = { git = "https://github.com/OpenHands/software-agent-sdk.git", subdirectory = "openhands-tools", rev = "4170cca" }
-```
-
-## Released PyPI Version (standard release)
-
-Example from commit `929dcc3` (SDK 1.11.5):
-
-### `dependencies` array
-
-```toml
-"openhands-agent-server==1.11.5",
-"openhands-sdk==1.11.5",
-"openhands-tools==1.11.5",
-```
-
-### `[tool.poetry.dependencies]`
-
-```toml
-openhands-sdk = "1.11.5"
-openhands-agent-server = "1.11.5"
-openhands-tools = "1.11.5"
-```
-
-### `openhands/app_server/sandbox/sandbox_spec_service.py`
-
-For released versions, the image tag uses the version number:
-
-```python
-AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:1.11.5-python'
-```
-
-However, **some releases use a commit-hash tag** even for the released version. Check which tag format exists on GHCR. Example from `929dcc3`:
-
-```python
-AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:010e847-python'
-```
-
-## Regenerate Lock Files
-
-After any change to `pyproject.toml`, always regenerate:
-
-```bash
-poetry lock
-uv lock
-cd enterprise && poetry lock && cd ..
-```
-
-## CI Guards
-
-- **`check-package-versions.yml`**: Blocks merge to `main` if `[tool.poetry.dependencies]` contains `rev` fields (prevents shipping unreleased SDK pins)
-- **`check-version-consistency.yml`**: Validates version strings match across `pyproject.toml`, `package.json`, `package-lock.json`, and verifies compose files use `agent-server` images

.github/CODEOWNERS

@@ -0,0 +1,8 @@
+# CODEOWNERS file for OpenHands repository
+# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+/frontend/ @amanape @hieptl
+/openhands-ui/ @amanape @hieptl
+/openhands/ @tofarr @malhotra5 @hieptl
+/enterprise/ @chuckbutkus @tofarr @malhotra5
+/evaluation/ @xingyaoww @neubig

.github/dependabot.yml

@@ -4,7 +4,7 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 1
     groups:
       # put packages in their own group if they have a history of breaking the build or needing to be reverted
       pre-commit:
@@ -29,7 +29,7 @@ updates:
     directory: "/frontend"
     schedule:
       interval: "daily"
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 1
     groups:
       docusaurus:
         patterns:
@@ -51,7 +51,7 @@ updates:
     schedule:
       interval: "weekly"
       day: "wednesday"
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 1
     groups:
       docusaurus:
         patterns:
@@ -72,11 +72,9 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    open-pull-requests-limit: 5
 
   - package-ecosystem: "docker"
     directories:
       - "containers/*"
     schedule:
       interval: "weekly"
-    open-pull-requests-limit: 5

.github/pull_request_template.md

@@ -1,46 +1,38 @@
-<!-- Keep this PR as draft until it is ready for review. -->
+<!-- If you are still working on the PR, please mark it as draft. Maintainers will review PRs marked ready for review, which leads to lost time if your PR is actually not ready yet. Keep the PR marked as draft until it is finally ready for review -->
 
-<!-- AI/LLM agents: be concise and specific. Do not check the box below. -->
+## Summary of PR
 
-- [ ] A human has tested these changes.
+<!-- Summarize what the PR does -->
 
----
+## Demo Screenshots/Videos
 
-## Why
+<!-- AI/LLM AGENTS: This section is intended for a human author to add screenshots or videos demonstrating the PR in action (optional). While many pull requests may be generated by AI/LLM agents, we are fine with this as long as a human author has reviewed and tested the changes to ensure accuracy and functionality. -->
 
-<!-- Describe problem, motivation, etc.-->
+## Change Type
 
-## Summary
-
-<!-- 1-3 bullets describing what changed. -->
--
-
-## Issue Number
-<!-- Required if there is a relevant issue to this PR. -->
-
-## How to Test
-
-<!--
-Required. Share the steps for the reviewer to be able to test your PR. e.g. You can test by running `npm install` then `npm build dev`.
-
-If you could not test this, say why.
--->
-
-## Video/Screenshots
-
-<!--
-Provide a video or screenshots of testing your PR. e.g. you added a new feature to the gui, show us the video of you testing it successfully.
-
--->
-
-## Type
+<!-- Choose the types that apply to your PR -->
 
 - [ ] Bug fix
-- [ ] Feature
-- [ ] Refactor
+- [ ] New feature
 - [ ] Breaking change
-- [ ] Docs / chore
+- [ ] Refactor
+- [ ] Other (dependency update, docs, typo fixes, etc.)
 
-## Notes
+## Checklist
+<!-- AI/LLM AGENTS: This checklist is for a human author to complete. Do NOT check either of the two boxes below. Leave them unchecked until a human has personally reviewed and tested the changes. -->
 
-<!-- Optional: migrations, config changes, rollout concerns, follow-ups, or anything reviewers should know. -->
+- [ ] I have read and reviewed the code and I understand what the code is doing.
+- [ ] I have tested the code to the best of my ability and ensured it works as expected.
+
+## Fixes
+
+<!-- If this resolves an issue, link it here so it will close automatically upon merge. -->
+
+Resolves #(issue)
+
+## Release Notes
+
+<!-- Check the box if this change is worth adding to the release notes. If checked, you must provide an
+end-user friendly description for your change below the checkbox. -->
+
+- [ ] Include this change in the Release Notes.

.github/workflows/check-package-versions.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       - name: Set up Python
         uses: actions/setup-python@v6

.github/workflows/check-version-consistency.yml

@@ -1,122 +0,0 @@
-name: Check Version Consistency
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-  workflow_dispatch:
-
-jobs:
-  check-version-consistency:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: "3.12"
-
-      - name: Check version and Docker image tag consistency
-        run: |
-          python - <<'PY'
-          import json
-          import re
-          import sys
-          import tomllib
-
-          errors = []
-          warnings = []
-
-          # ── 1. Extract the canonical version from pyproject.toml ──────────
-          with open("pyproject.toml", "rb") as f:
-              pyproject = tomllib.load(f)
-          version = pyproject["tool"]["poetry"]["version"]
-          major_minor = ".".join(version.split(".")[:2])
-          print(f"📦 pyproject.toml version: {version} (major.minor: {major_minor})")
-
-          # ── 2. Check frontend/package.json ────────────────────────────────
-          with open("frontend/package.json") as f:
-              pkg = json.load(f)
-          if pkg["version"] != version:
-              errors.append(
-                  f"frontend/package.json version is '{pkg['version']}', expected '{version}'"
-              )
-          else:
-              print(f"  ✔ frontend/package.json: {pkg['version']}")
-
-          # ── 3. Check frontend/package-lock.json (2 places) ───────────────
-          with open("frontend/package-lock.json") as f:
-              lock = json.load(f)
-          for key, val in [
-              ("root.version", lock.get("version")),
-              ('packages[""].version', lock.get("packages", {}).get("", {}).get("version")),
-          ]:
-              if val != version:
-                  errors.append(
-                      f"frontend/package-lock.json {key} is '{val}', expected '{version}'"
-                  )
-              else:
-                  print(f"  ✔ frontend/package-lock.json {key}: {val}")
-
-          # ── 4. Check compose files use agent-server images ─────────────────
-          # Both compose files should use ghcr.io/.../agent-server (not runtime).
-          # Agent-server tags use SDK version (e.g. "1.12.0-python") or commit
-          # hashes (e.g. "31536c8-python") — both are acceptable.
-          repo_pattern = re.compile(r"AGENT_SERVER_IMAGE_REPOSITORY[^}]*:-([^}]+)")
-          tag_pattern = re.compile(r"AGENT_SERVER_IMAGE_TAG:-([^}]+)")
-
-          for filepath in ["docker-compose.yml", "containers/dev/compose.yml"]:
-              try:
-                  with open(filepath) as f:
-                      content = f.read()
-              except FileNotFoundError:
-                  warnings.append(f"{filepath}: file not found")
-                  continue
-
-              repos = repo_pattern.findall(content)
-              tags = tag_pattern.findall(content)
-
-              if not repos:
-                  warnings.append(f"{filepath}: no AGENT_SERVER_IMAGE_REPOSITORY default found")
-              else:
-                  repo = repos[0]
-                  if "agent-server" not in repo:
-                      errors.append(
-                          f"{filepath}: AGENT_SERVER_IMAGE_REPOSITORY defaults to '{repo}', "
-                          f"expected an agent-server image (not runtime)"
-                      )
-                  else:
-                      print(f"  ✔ {filepath} image repository: {repo}")
-
-              if not tags:
-                  warnings.append(f"{filepath}: no AGENT_SERVER_IMAGE_TAG default found")
-              else:
-                  tag = tags[0]
-                  if not tag:
-                      errors.append(f"{filepath}: AGENT_SERVER_IMAGE_TAG default is empty")
-                  else:
-                      print(f"  ✔ {filepath} image tag: {tag}")
-
-          # ── 5. Report ─────────────────────────────────────────────────────
-          print()
-          if warnings:
-              print("⚠ Warnings:")
-              for w in warnings:
-                  print(f"  {w}")
-              print()
-
-          if errors:
-              print("❌ FAILED: Version inconsistencies found:\n")
-              for e in errors:
-                  print(f"  ✖ {e}")
-              print(
-                  "\nAll version numbers and Docker image tags must be consistent."
-                  "\nSee .agents/skills/update-sdk/SKILL.md for the full checklist."
-              )
-              sys.exit(1)
-          else:
-              print("✅ All version numbers and Docker image tags are consistent.")
-          PY

.github/workflows/e2e-tests.yml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       - name: Install poetry via pipx
         uses: abatilo/actions-poetry@v4
@@ -192,7 +192,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: playwright-report
           path: tests/e2e/test-results/
@@ -200,7 +200,7 @@ jobs:
 
       - name: Upload OpenHands logs
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: openhands-logs
           path: |

.github/workflows/enterprise-check-migrations.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout PR branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:
           fi
 
       - name: Find Comment
-        uses: peter-evans/find-comment@v4
+        uses: peter-evans/find-comment@v3
         id: find-comment
         with:
           issue-number: ${{ github.event.pull_request.number }}

.github/workflows/fe-e2e-tests.yml

@@ -17,20 +17,18 @@ concurrency:
 jobs:
   fe-e2e-test:
     name: FE E2E Tests
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     strategy:
       matrix:
         node-version: [22]
       fail-fast: true
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: useblacksmith/setup-node@v5
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
       - name: Install dependencies
         working-directory: ./frontend
         run: npm ci
@@ -41,7 +39,7 @@ jobs:
         working-directory: ./frontend
         run: npx playwright test --project=chromium
       - name: Upload Playwright report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         if: always()
         with:
           name: playwright-report

.github/workflows/fe-unit-tests.yml

@@ -21,20 +21,18 @@ jobs:
   # Run frontend unit tests
   fe-test:
     name: FE Unit Tests
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     strategy:
       matrix:
         node-version: [22]
       fail-fast: true
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: useblacksmith/setup-node@v5
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
       - name: Install dependencies
         working-directory: ./frontend
         run: npm ci

.github/workflows/ghcr-build.yml

@@ -30,51 +30,45 @@ env:
 
 jobs:
   define-matrix:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith
     outputs:
       base_image: ${{ steps.define-base-images.outputs.base_image }}
-      architectures: ${{ steps.define-base-images.outputs.architectures }}
     steps:
       - name: Define base images
         shell: bash
         id: define-base-images
         run: |
-          architectures='["amd64", "arm64"]'
           if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
             json=$(jq -n -c '[
-                { image: "nikolaik/python-nodejs:python3.12-nodejs22-slim", tag: "nikolaik" }
+                { image: "nikolaik/python-nodejs:python3.12-nodejs22", tag: "nikolaik" }
               ]')
           else
             json=$(jq -n -c '[
-                { image: "nikolaik/python-nodejs:python3.12-nodejs22-slim", tag: "nikolaik" },
+                { image: "nikolaik/python-nodejs:python3.12-nodejs22", tag: "nikolaik" },
                 { image: "ubuntu:24.04", tag: "ubuntu" }
               ]')
           fi
           echo "base_image=$json" >> "$GITHUB_OUTPUT"
-          echo "architectures=$architectures" >> "$GITHUB_OUTPUT"
 
-  # Builds the OpenHands Docker images (one per architecture, natively)
+  # Builds the OpenHands Docker images
   ghcr_build_app:
-    name: Build App Image (${{ matrix.arch }})
-    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-22.04' }}
+    name: Build App Image
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
-    needs: define-matrix
-    outputs:
-      # All arch variants produce the same base tags, so any entry works
-      base_tags: ${{ steps.build.outputs.base_tags }}
     permissions:
       contents: read
       packages: write
-    strategy:
-      matrix:
-        arch: ${{ fromJson(needs.define-matrix.outputs.architectures) }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.7.0
+        with:
+          image: tonistiigi/binfmt:latest
       - name: Login to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -86,79 +80,33 @@ jobs:
         run: |
           echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
       - name: Build and push app image
-        id: build
         if: "!github.event.pull_request.head.repo.fork"
         run: |
-          ./containers/build.sh -i openhands -o ${{ env.REPO_OWNER }} --push --arch ${{ matrix.arch }}
+          ./containers/build.sh -i openhands -o ${{ env.REPO_OWNER }} --push
 
-          # Output base tags (without arch suffix) for the merge job
-          ./containers/build.sh -i openhands -o ${{ env.REPO_OWNER }} --arch ${{ matrix.arch }} --dry
-          BASE_TAGS=$(jq -r '.base_tags | join("\n")' docker-build-dry.json)
-          echo "base_tags<<EOF" >> "$GITHUB_OUTPUT"
-          echo "$BASE_TAGS" >> "$GITHUB_OUTPUT"
-          echo "EOF" >> "$GITHUB_OUTPUT"
-
-  # Merges per-architecture app images into a multi-arch manifest
-  ghcr_build_app_merge:
-    name: Merge App Multi-Arch Manifest
-    runs-on: ubuntu-22.04
-    needs: [define-matrix, ghcr_build_app]
-    if: github.event.pull_request.head.repo.fork != true
-    permissions:
-      packages: write
-    steps:
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Merge multi-arch manifest
-        run: |
-          ARCHS='${{ join(fromJson(needs.define-matrix.outputs.architectures), ' ') }}'
-          TAGS="${{ needs.ghcr_build_app.outputs.base_tags }}"
-          while IFS= read -r tag; do
-            [[ -z "$tag" ]] && continue
-            sources=""
-            for arch in $ARCHS; do
-              if ! docker buildx imagetools inspect "${tag}-${arch}" > /dev/null 2>&1; then
-                echo "::error::Missing image ${tag}-${arch}"
-                exit 1
-              fi
-              sources+=" ${tag}-${arch}"
-            done
-            echo "Creating manifest for $tag from:$sources"
-            docker buildx imagetools create -t "$tag" $sources
-          done <<< "$TAGS"
-
-  # Builds the runtime Docker images (one per architecture x base_image, natively)
+  # Builds the runtime Docker images
   ghcr_build_runtime:
-    name: Build Runtime Image (${{ matrix.base_image.tag }}, ${{ matrix.arch }})
-    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-22.04' }}
+    name: Build Runtime Image
+    runs-on: blacksmith-8vcpu-ubuntu-2204
     if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
     permissions:
       contents: read
       packages: write
     needs: define-matrix
-    outputs:
-      # Keyed by base_image tag so the merge job can access per-variant tags.
-      # Matrix outputs from different entries with the same key overwrite each other,
-      # but all arch variants of the same base_image produce identical base tags.
-      base_tags_nikolaik: ${{ steps.params.outputs.base_tags_nikolaik }}
-      base_tags_ubuntu: ${{ steps.params.outputs.base_tags_ubuntu }}
     strategy:
       matrix:
         base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }}
-        arch: ${{ fromJson(needs.define-matrix.outputs.architectures) }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.7.0
+        with:
+          image: tonistiigi/binfmt:latest
       - name: Login to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -169,7 +117,7 @@ jobs:
       - name: Install poetry via pipx
         run: pipx install poetry
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: "3.12"
           cache: poetry
@@ -184,106 +132,55 @@ jobs:
         run: |
           echo SHORT_SHA=$(git rev-parse --short "$RELEVANT_SHA") >> $GITHUB_ENV
       - name: Determine docker build params
-        id: params
         if: github.event.pull_request.head.repo.fork != true
         shell: bash
         run: |
-          ./containers/build.sh -i runtime -o ${{ env.REPO_OWNER }} -t ${{ matrix.base_image.tag }} --arch ${{ matrix.arch }} --dry
+
+          ./containers/build.sh -i runtime -o ${{ env.REPO_OWNER }} -t ${{ matrix.base_image.tag }} --dry
 
           DOCKER_BUILD_JSON=$(jq -c . < docker-build-dry.json)
           echo "DOCKER_TAGS=$(echo "$DOCKER_BUILD_JSON" | jq -r '.tags | join(",")')" >> $GITHUB_ENV
           echo "DOCKER_PLATFORM=$(echo "$DOCKER_BUILD_JSON" | jq -r '.platform')" >> $GITHUB_ENV
           echo "DOCKER_BUILD_ARGS=$(echo "$DOCKER_BUILD_JSON" | jq -r '.build_args | join(",")')" >> $GITHUB_ENV
-
-          # Output base tags (without arch suffix) keyed by base_image tag for the merge job
-          BASE_TAGS=$(echo "$DOCKER_BUILD_JSON" | jq -r '.base_tags | join("\n")')
-          echo "base_tags_${{ matrix.base_image.tag }}<<EOF" >> "$GITHUB_OUTPUT"
-          echo "$BASE_TAGS" >> "$GITHUB_OUTPUT"
-          echo "EOF" >> "$GITHUB_OUTPUT"
       - name: Build and push runtime image ${{ matrix.base_image.image }}
         if: github.event.pull_request.head.repo.fork != true
-        uses: docker/build-push-action@v6
+        uses: useblacksmith/build-push-action@v1
         with:
           push: true
           tags: ${{ env.DOCKER_TAGS }}
           platforms: ${{ env.DOCKER_PLATFORM }}
-          cache-from: type=registry,ref=ghcr.io/${{ env.REPO_OWNER }}/runtime:buildcache-${{ matrix.base_image.tag }}-${{ matrix.arch }}
-          cache-to: type=registry,ref=ghcr.io/${{ env.REPO_OWNER }}/runtime:buildcache-${{ matrix.base_image.tag }}-${{ matrix.arch }},mode=max
+          # Caching directives to boost performance
+          cache-from: type=registry,ref=ghcr.io/${{ env.REPO_OWNER }}/runtime:buildcache-${{ matrix.base_image.tag }}
+          cache-to: type=registry,ref=ghcr.io/${{ env.REPO_OWNER }}/runtime:buildcache-${{ matrix.base_image.tag }},mode=max
           build-args: ${{ env.DOCKER_BUILD_ARGS }}
           context: containers/runtime
           provenance: false
       # Forked repos can't push to GHCR, so we just build in order to populate the cache for rebuilding
       - name: Build runtime image ${{ matrix.base_image.image }} for fork
         if: github.event.pull_request.head.repo.fork
-        uses: docker/build-push-action@v6
+        uses: useblacksmith/build-push-action@v1
         with:
           tags: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
           context: containers/runtime
       - name: Upload runtime source for fork
         if: github.event.pull_request.head.repo.fork
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
-          name: runtime-src-${{ matrix.base_image.tag }}-${{ matrix.arch }}
+          name: runtime-src-${{ matrix.base_image.tag }}
           path: containers/runtime
 
-  # Merges per-architecture runtime images into multi-arch manifests
-  ghcr_build_runtime_merge:
-    name: Merge Runtime Multi-Arch Manifest
-    runs-on: ubuntu-22.04
-    needs: [define-matrix, ghcr_build_runtime]
-    if: github.event.pull_request.head.repo.fork != true
-    permissions:
-      packages: write
-    steps:
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Merge multi-arch manifests
-        run: |
-          ARCHS='${{ join(fromJson(needs.define-matrix.outputs.architectures), ' ') }}'
-
-          # Merge all runtime base_image variants
-          for variant_tags in \
-            "${{ needs.ghcr_build_runtime.outputs.base_tags_nikolaik }}" \
-            "${{ needs.ghcr_build_runtime.outputs.base_tags_ubuntu }}"; do
-            while IFS= read -r tag; do
-              [[ -z "$tag" ]] && continue
-              sources=""
-              for arch in $ARCHS; do
-                if ! docker buildx imagetools inspect "${tag}-${arch}" > /dev/null 2>&1; then
-                  echo "::error::Missing image ${tag}-${arch}"
-                  exit 1
-                fi
-                sources+=" ${tag}-${arch}"
-              done
-              echo "Creating manifest for $tag from:$sources"
-              docker buildx imagetools create -t "$tag" $sources
-            done <<< "$variant_tags"
-          done
-
   ghcr_build_enterprise:
-    name: Push Enterprise Image (${{ matrix.arch }})
-    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-22.04' }}
+    name: Push Enterprise Image
+    runs-on: blacksmith-8vcpu-ubuntu-2204
     permissions:
       contents: read
       packages: write
-    needs: [define-matrix, ghcr_build_app_merge]
+    needs: [define-matrix, ghcr_build_app]
     # Do not build enterprise in forks
     if: github.event.pull_request.head.repo.fork != true
-    outputs:
-      # Tags without arch suffix, for the merge job
-      base_tags: ${{ steps.meta_base.outputs.tags }}
-    strategy:
-      matrix:
-        arch: ${{ fromJson(needs.define-matrix.outputs.architectures) }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -294,7 +191,7 @@ jobs:
           driver-opts: network=host
 
       - name: Login to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -302,28 +199,6 @@ jobs:
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: ghcr.io/openhands/enterprise-server
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=sha
-            type=sha,format=long
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=match,pattern=cloud-\d+\.\d+\.\d+
-          flavor: |
-            latest=auto
-            prefix=
-            suffix=-${{ matrix.arch }}
-        env:
-          DOCKER_METADATA_PR_HEAD_SHA: true
-
-      # Also compute base tags (no arch suffix) for the merge job output
-      - name: Extract base metadata for merge
-        id: meta_base
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/openhands/enterprise-server
@@ -335,22 +210,22 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
-            type=match,pattern=cloud-\d+\.\d+\.\d+
           flavor: |
             latest=auto
             prefix=
             suffix=
         env:
           DOCKER_METADATA_PR_HEAD_SHA: true
-
       - name: Determine app image tag
         shell: bash
         run: |
-          # Use the commit SHA to pin the exact app image built by ghcr_build_app,
-          # rather than a mutable branch tag like "main" which can serve stale cached layers.
-          echo "OPENHANDS_DOCKER_TAG=${RELEVANT_SHA}" >> $GITHUB_ENV
+          # Duplicated with build.sh
+          sanitized_ref_name=$(echo "$GITHUB_REF_NAME" | sed 's/[^a-zA-Z0-9.-]\+/-/g')
+          OPENHANDS_BUILD_VERSION=$sanitized_ref_name
+          sanitized_ref_name=$(echo "$sanitized_ref_name" | tr '[:upper:]' '[:lower:]') # lower case is required in tagging
+          echo "OPENHANDS_DOCKER_TAG=${sanitized_ref_name}" >> $GITHUB_ENV
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: useblacksmith/build-push-action@v1
         with:
           context: .
           file: enterprise/Dockerfile
@@ -359,54 +234,17 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             OPENHANDS_VERSION=${{ env.OPENHANDS_DOCKER_TAG }}
-          platforms: linux/${{ matrix.arch }}
+          platforms: linux/amd64
           # Add build provenance
           provenance: true
           # Add build attestations for better security
           sbom: true
 
-  # Merges per-architecture enterprise images into a multi-arch manifest
-  ghcr_build_enterprise_merge:
-    name: Merge Enterprise Multi-Arch Manifest
-    runs-on: ubuntu-22.04
-    permissions:
-      packages: write
-    needs: [define-matrix, ghcr_build_enterprise]
-    if: github.event.pull_request.head.repo.fork != true
-    steps:
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Merge multi-arch manifest
-        run: |
-          ARCHS='${{ join(fromJson(needs.define-matrix.outputs.architectures), ' ') }}'
-          TAGS="${{ needs.ghcr_build_enterprise.outputs.base_tags }}"
-          while IFS= read -r tag; do
-            [[ -z "$tag" ]] && continue
-            sources=""
-            for arch in $ARCHS; do
-              if ! docker buildx imagetools inspect "${tag}-${arch}" > /dev/null 2>&1; then
-                echo "::error::Missing image ${tag}-${arch}"
-                exit 1
-              fi
-              sources+=" ${tag}-${arch}"
-            done
-            echo "Creating manifest for $tag from:$sources"
-            docker buildx imagetools create -t "$tag" $sources
-          done <<< "$TAGS"
-
   # "All Runtime Tests Passed" is a required job for PRs to merge
   # We can remove this once the config changes
   runtime_tests_check_success:
     name: All Runtime Tests Passed
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
       - name: All tests passed
         run: echo "All runtime tests have passed successfully!"
@@ -414,11 +252,11 @@ jobs:
   update_pr_description:
     name: Update PR Description
     if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'
-    needs: [ghcr_build_runtime_merge]
-    runs-on: ubuntu-22.04
+    needs: [ghcr_build_runtime]
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       - name: Get short SHA
         id: short_sha

.github/workflows/lint-fix.yml

@@ -9,12 +9,12 @@ jobs:
   lint-fix-frontend:
     if: github.event.label.name == 'lint-fix'
     name: Fix frontend linting issues
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     permissions:
       contents: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.head_ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -22,14 +22,13 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Node.js 22
-        uses: actions/setup-node@v4
+        uses: useblacksmith/setup-node@v5
         with:
           node-version: 22
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
       - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: npm ci
+        run: |
+          cd frontend
+          npm install --frozen-lockfile
       - name: Generate i18n and route types
         run: |
           cd frontend
@@ -59,12 +58,12 @@ jobs:
   lint-fix-python:
     if: github.event.label.name == 'lint-fix'
     name: Fix Python linting issues
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     permissions:
       contents: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.head_ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -72,7 +71,7 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: 3.12
           cache: "pip"

.github/workflows/lint.yml

@@ -19,35 +19,34 @@ jobs:
   # Run lint on the frontend code
   lint-frontend:
     name: Lint frontend
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
       - name: Install Node.js 22
-        uses: actions/setup-node@v4
+        uses: useblacksmith/setup-node@v5
         with:
           node-version: 22
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
       - name: Install dependencies
-        working-directory: ./frontend
-        run: npm ci
+        run: |
+          cd frontend
+          npm install --frozen-lockfile
       - name: Lint, TypeScript compilation, and translation checks
         run: |
           cd frontend
           npm run lint
-          npm run make-i18n && npx tsc
+          npm run make-i18n && tsc
           npm run check-translation-completeness
 
   # Run lint on the python code
   lint-python:
     name: Lint python
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: 3.12
           cache: "pip"
@@ -58,13 +57,13 @@ jobs:
 
   lint-enterprise-python:
     name: Lint enterprise python
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: 3.12
           cache: "pip"

.github/workflows/npm-publish-ui.yml

@@ -18,7 +18,7 @@ concurrency:
 jobs:
   check-version:
     name: Check if version has changed
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     defaults:
       run:
         shell: bash
@@ -27,7 +27,7 @@ jobs:
       current-version: ${{ steps.version-check.outputs.current-version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           fetch-depth: 2 # Need previous commit to compare
 
@@ -55,7 +55,7 @@ jobs:
 
   publish:
     name: Publish to npm
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     needs: check-version
     if: needs.check-version.outputs.should-publish == 'true'
     defaults:
@@ -63,7 +63,7 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2

.github/workflows/openhands-resolver.yml

@@ -86,7 +86,7 @@ jobs:
     runs-on: "${{ inputs.runner || 'ubuntu-latest' }}"
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       - name: Set up Python
         uses: actions/setup-python@v6
@@ -269,7 +269,7 @@ jobs:
           fi
 
       - name: Upload output.jsonl as artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         if: always() # Upload even if the previous steps fail
         with:
           name: resolver-output

.github/workflows/pr-artifacts.yml

@@ -1,136 +0,0 @@
----
-name: PR Artifacts
-
-on:
-    workflow_dispatch: # Manual trigger for testing
-    pull_request:
-        types: [opened, synchronize, reopened]
-        branches: [main]
-    pull_request_review:
-        types: [submitted]
-
-jobs:
-  # Auto-remove .pr/ directory when a reviewer approves
-    cleanup-on-approval:
-        concurrency:
-            group: cleanup-pr-artifacts-${{ github.event.pull_request.number }}
-            cancel-in-progress: false
-        if: github.event_name == 'pull_request_review' && github.event.review.state == 'approved'
-        runs-on: ubuntu-latest
-        permissions:
-            contents: write
-            pull-requests: write
-        steps:
-            - name: Check if fork PR
-              id: check-fork
-              run: |
-                  if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.event.pull_request.base.repo.full_name }}" ]; then
-                    echo "is_fork=true" >> $GITHUB_OUTPUT
-                    echo "::notice::Fork PR detected - skipping auto-cleanup (manual removal required)"
-                  else
-                    echo "is_fork=false" >> $GITHUB_OUTPUT
-                  fi
-
-            - uses: actions/checkout@v6
-              if: steps.check-fork.outputs.is_fork == 'false'
-              with:
-                  ref: ${{ github.event.pull_request.head.ref }}
-                  token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
-
-            - name: Remove .pr/ directory
-              id: remove
-              if: steps.check-fork.outputs.is_fork == 'false'
-              run: |
-                  if [ -d ".pr" ]; then
-                    git config user.name "allhands-bot"
-                    git config user.email "allhands-bot@users.noreply.github.com"
-                    git rm -rf .pr/
-                    git commit -m "chore: Remove PR-only artifacts [automated]"
-                    git push || {
-                      echo "::error::Failed to push cleanup commit. Check branch protection rules."
-                      exit 1
-                    }
-                    echo "removed=true" >> $GITHUB_OUTPUT
-                    echo "::notice::Removed .pr/ directory"
-                  else
-                    echo "removed=false" >> $GITHUB_OUTPUT
-                    echo "::notice::No .pr/ directory to remove"
-                  fi
-
-            - name: Update PR comment after cleanup
-              if: steps.check-fork.outputs.is_fork == 'false' && steps.remove.outputs.removed == 'true'
-              uses: actions/github-script@v7
-              with:
-                  script: |
-                      const marker = '<!-- pr-artifacts-notice -->';
-                      const body = `${marker}
-                      ✅ **PR Artifacts Cleaned Up**
-
-                      The \`.pr/\` directory has been automatically removed.
-                      `;
-
-                      const { data: comments } = await github.rest.issues.listComments({
-                        owner: context.repo.owner,
-                        repo: context.repo.repo,
-                        issue_number: context.issue.number,
-                      });
-
-                      const existing = comments.find(c => c.body.includes(marker));
-                      if (existing) {
-                        await github.rest.issues.updateComment({
-                          owner: context.repo.owner,
-                          repo: context.repo.repo,
-                          comment_id: existing.id,
-                          body: body,
-                        });
-                      }
-
-  # Warn if .pr/ directory exists (will be auto-removed on approval)
-    check-pr-artifacts:
-        if: github.event_name == 'pull_request'
-        runs-on: ubuntu-latest
-        permissions:
-            contents: read
-            pull-requests: write
-        steps:
-            - uses: actions/checkout@v6
-
-            - name: Check for .pr/ directory
-              id: check
-              run: |
-                  if [ -d ".pr" ]; then
-                    echo "exists=true" >> $GITHUB_OUTPUT
-                    echo "::warning::.pr/ directory exists and will be automatically removed when the PR is approved. For fork PRs, manual removal is required before merging."
-                  else
-                    echo "exists=false" >> $GITHUB_OUTPUT
-                  fi
-
-            - name: Post or update PR comment
-              if: steps.check.outputs.exists == 'true'
-              uses: actions/github-script@v7
-              with:
-                  script: |
-                      const marker = '<!-- pr-artifacts-notice -->';
-                      const body = `${marker}
-                      📁 **PR Artifacts Notice**
-
-                      This PR contains a \`.pr/\` directory with PR-specific documents. This directory will be **automatically removed** when the PR is approved.
-
-                      > For fork PRs: Manual removal is required before merging.
-                      `;
-
-                      const { data: comments } = await github.rest.issues.listComments({
-                        owner: context.repo.owner,
-                        repo: context.repo.repo,
-                        issue_number: context.issue.number,
-                      });
-
-                      const existing = comments.find(c => c.body.includes(marker));
-                      if (!existing) {
-                        await github.rest.issues.createComment({
-                          owner: context.repo.owner,
-                          repo: context.repo.repo,
-                          issue_number: context.issue.number,
-                          body: body,
-                        });
-                      }

.github/workflows/pr-review-evaluation.yml

@@ -28,7 +28,7 @@ jobs:
         steps:
             - name: Download review trace artifact
               id: download-trace
-              uses: dawidd6/action-download-artifact@v15
+              uses: dawidd6/action-download-artifact@v6
               continue-on-error: true
               with:
                   workflow: pr-review-by-openhands.yml
@@ -51,7 +51,7 @@ jobs:
             # Always checkout main branch for security - cannot test script changes in PRs
             - name: Checkout extensions repository
               if: steps.check-trace.outputs.trace_exists == 'true'
-              uses: actions/checkout@v6
+              uses: actions/checkout@v5
               with:
                   repository: OpenHands/extensions
                   path: extensions
@@ -77,7 +77,7 @@ jobs:
                       --trace-file trace-info/laminar_trace_info.json
 
             - name: Upload evaluation logs
-              uses: actions/upload-artifact@v7
+              uses: actions/upload-artifact@v5
               if: always() && steps.check-trace.outputs.trace_exists == 'true'
               with:
                   name: pr-review-evaluation-${{ github.event.pull_request.number }}

.github/workflows/py-tests.yml

@@ -19,7 +19,7 @@ jobs:
   # Run python tests on Linux
   test-on-linux:
     name: Python Tests on Linux
-    runs-on: ubuntu-24.04
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     env:
       INSTALL_DOCKER: "0" # Set to '0' to skip Docker installation
     strategy:
@@ -30,22 +30,20 @@ jobs:
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v3
       - name: Install tmux
         run: sudo apt-get update && sudo apt-get install -y tmux
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: useblacksmith/setup-node@v5
         with:
           node-version: "22.x"
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
       - name: Install poetry via pipx
         run: pipx install poetry
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
@@ -65,7 +63,7 @@ jobs:
         env:
           COVERAGE_FILE: ".coverage.runtime.${{ matrix.python_version }}"
       - name: Store coverage file
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: coverage-openhands
           path: |
@@ -75,16 +73,16 @@ jobs:
 
   test-enterprise:
     name: Enterprise Python Unit Tests
-    runs-on: ubuntu-24.04
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     strategy:
       matrix:
         python-version: ["3.12"]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
       - name: Install poetry via pipx
         run: pipx install poetry
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
@@ -97,7 +95,7 @@ jobs:
         env:
           COVERAGE_FILE: ".coverage.enterprise.${{ matrix.python_version }}"
       - name: Store coverage file
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: coverage-enterprise
           path: ".coverage.enterprise.${{ matrix.python_version }}"
@@ -113,9 +111,9 @@ jobs:
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@v6
         id: download
         with:
           pattern: coverage-*

.github/workflows/pypi-release.yml

@@ -17,14 +17,14 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-22.04
-    # Run when manually dispatched for "app server" OR for tag pushes that don't contain '-cli' and don't start with 'cloud-'
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    # Run when manually dispatched for "app server" OR for tag pushes that don't contain '-cli'
     if: |
       (github.event_name == 'workflow_dispatch' && github.event.inputs.reason == 'app server')
-      || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-cli') && !startsWith(github.ref, 'refs/tags/cloud-'))
+      || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-cli'))
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: useblacksmith/setup-python@v6
         with:
           python-version: 3.12
       - name: Install Poetry

.github/workflows/stale.yml

@@ -8,10 +8,10 @@ on:
 
 jobs:
   stale:
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     if: github.repository == 'OpenHands/OpenHands'
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@v9
         with:
           stale-issue-message: 'This issue is stale because it has been open for 40 days with no activity. Remove the stale label or leave a comment, otherwise it will be closed in 10 days.'
           stale-pr-message: 'This PR is stale because it has been open for 40 days with no activity. Remove the stale label or leave a comment, otherwise it will be closed in 10 days.'

.github/workflows/ui-build.yml

@@ -19,10 +19,10 @@ concurrency:
 jobs:
   ui-build:
     name: Build openhands-ui
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - uses: oven-sh/setup-bun@v2
         with:
           bun-version-file: "openhands-ui/.bun-version"

.gitignore

@@ -234,8 +234,6 @@ yarn-error.log*
 
 logs
 
-ralph/
-
 # agent
 .envrc
 /workspace

AGENTS.md

@@ -36,81 +36,9 @@ then re-run the command to ensure it passes. Common issues include:
 - Be especially careful with `git reset --hard` after staging files, as it will remove accidentally staged files
 - When remote has new changes, use `git fetch upstream && git rebase upstream/<branch>` on the same branch
 
-## Lockfile Regeneration (Preserve Original Tool Versions)
-
-When regenerating lockfiles (poetry.lock, uv.lock, etc.), you MUST use the same tool version that originally generated the lockfile to avoid unnecessary diff noise. Each lockfile contains a version header indicating which tool version was used.
-
-### Poetry (poetry.lock)
-
-1. Extract the version from the lockfile header:
-   ```bash
-   POETRY_VERSION=$(grep -m1 "^# This file is automatically @generated by Poetry" poetry.lock | sed 's/.*Poetry \([0-9.]*\).*/\1/')
-   ```
-2. If a version is found, install that specific version:
-   ```bash
-   pipx install poetry==$POETRY_VERSION --force
-   ```
-3. Then regenerate the lockfile:
-   ```bash
-   poetry lock --no-update
-   ```
-
-### uv (uv.lock)
-
-1. Extract the version from the lockfile header:
-   ```bash
-   UV_VERSION=$(grep -m1 "^# This file was autogenerated by uv" uv.lock | sed 's/.*uv version \([0-9.]*\).*/\1/')
-   ```
-2. If a version is found, install that specific version:
-   ```bash
-   pipx install uv==$UV_VERSION --force
-   ```
-3. Then regenerate the lockfile:
-   ```bash
-   uv lock
-   ```
-
-This ensures that lockfile updates only contain actual dependency changes, not tool version migration artifacts.
-
-## PR-Specific Artifacts (`.pr/` directory)
-
-When working on a PR that requires design documents, scripts meant for development-only, or other temporary artifacts that should NOT be merged to main, store them in a `.pr/` directory at the repository root.
-
-### Usage
-
-```
-.pr/
-├── design.md       # Design decisions and architecture notes
-├── analysis.md     # Investigation or debugging notes
-├── logs/           # Test output or CI logs for reviewer reference
-└── notes.md        # Any other PR-specific content
-```
-
-### How It Works
-
-1. **Notification**: When `.pr/` exists, a comment is posted to the PR conversation alerting reviewers
-2. **Auto-cleanup**: When the PR is approved, the `.pr/` directory is automatically removed via `.github/workflows/pr-artifacts.yml`
-3. **Fork PRs**: Auto-cleanup cannot push to forks, so manual removal is required before merging
-
-### Important Notes
-
-- Do NOT put anything in `.pr/` that needs to be preserved after merge
-- The `.pr/` check passes (green ✅) during development — it only posts a notification, not a blocking error
-- For fork PRs: You must manually remove `.pr/` before the PR can be merged
-
-### When to Use
-
-- Complex refactoring that benefits from written design rationale
-- Debugging sessions where you want to document your investigation
-- E2E test results or logs that demonstrate a cross-repo feature works
-- Feature implementations that need temporary planning docs
-- Any analysis that helps reviewers understand the PR but isn't needed long-term
-
 ## Repository Structure
 Backend:
 - Located in the `openhands` directory
-- The current V1 application server lives in `openhands/app_server/`. `make start-backend` still launches `openhands.server.listen:app`, which includes the V1 routes by default unless `ENABLE_V1=0`.
-- For V1 web-app docs, LLM setup should point users to the Settings UI.
 - Testing:
   - All tests are in `tests/unit/test_*.py`
   - To test new code, run `poetry run pytest tests/unit/test_xxx.py` where `xxx` is the appropriate file for the current functionality
@@ -414,30 +342,3 @@ To add a new LLM model to OpenHands, you need to update multiple files across bo
 - Models appear in CLI provider selection based on the verified arrays
 - The `organize_models_and_providers` function groups models by provider
 - Default model selection prioritizes verified models for each provider
-
-### Sandbox Settings API (SDK Credential Inheritance)
-
-The sandbox settings API allows SDK-created conversations to inherit the user's SaaS credentials
-(LLM config, secrets) securely via `LookupSecret`. Raw secret values only flow SaaS→sandbox,
-never through the SDK client.
-
-#### User Credentials with Exposed Secrets (in `openhands/app_server/user/user_router.py`):
-- `GET /api/v1/users/me?expose_secrets=true` → Full user settings with unmasked secrets (e.g., `llm_api_key`)
-- `GET /api/v1/users/me` → Full user settings (secrets masked, Bearer only)
-
-Auth requirements for `expose_secrets=true`:
-- Bearer token (proves user identity via `OPENHANDS_API_KEY`)
-- `X-Session-API-Key` header (proves caller has an active sandbox owned by the authenticated user)
-
-Called by `workspace.get_llm()` in the SDK to retrieve LLM config with the API key.
-
-#### Sandbox-Scoped Secrets Endpoints (in `openhands/app_server/sandbox/sandbox_router.py`):
-- `GET /sandboxes/{id}/settings/secrets` → list secret names (no values)
-- `GET /sandboxes/{id}/settings/secrets/{name}` → raw secret value (called FROM sandbox)
-
-#### Auth: `X-Session-API-Key` header, validated via `SandboxService.get_sandbox_by_session_api_key()`
-
-#### Related SDK code (in `software-agent-sdk` repo):
-- `openhands/sdk/llm/llm.py`: `LLM.api_key` accepts `SecretSource` (including `LookupSecret`)
-- `openhands/workspace/cloud/workspace.py`: `get_llm()` and `get_secrets()` return LookupSecret-backed objects
-- Tests: `tests/sdk/llm/test_llm_secret_source_api_key.py`, `tests/workspace/test_cloud_workspace_sdk_settings.py`

CONTRIBUTING.md

@@ -1,105 +1,83 @@
 # Contributing
 
-Thanks for your interest in contributing to OpenHands! We're building the future of AI-powered software development, and we'd love for you to be part of this journey.
+Thanks for your interest in contributing to OpenHands! We welcome and appreciate contributions.
 
-## Our Vision
+## Understanding OpenHands's CodeBase
 
-The OpenHands community is built around the belief that AI and AI agents are going to fundamentally change the way we build software. If this is true, we should do everything we can to make sure that the benefits provided by such powerful technology are accessible to everyone.
+To understand the codebase, please refer to the README in each module:
+- [frontend](./frontend/README.md)
+- [openhands](./openhands/README.md)
+   - [agenthub](./openhands/agenthub/README.md)
+   - [server](./openhands/server/README.md)
 
-We believe in the power of open source to democratize access to cutting-edge AI technology. Just as the internet transformed how we share information, we envision a world where AI-powered development tools are available to every developer, regardless of their background or resources.
+For benchmarks and evaluation, see the [OpenHands/benchmarks](https://github.com/OpenHands/benchmarks) repository.
 
-## Getting Started
+## Setting up Your Development Environment
 
-### Quick Ways to Contribute
+We have a separate doc [Development.md](https://github.com/OpenHands/OpenHands/blob/main/Development.md) that tells
+you how to set up a development workflow.
 
-- **Use OpenHands** and [report issues](https://github.com/OpenHands/OpenHands/issues) you encounter
-- **Give feedback** using the thumbs-up/thumbs-down buttons after each session
-- **Star our repository** on [GitHub](https://github.com/OpenHands/OpenHands)
-- **Share OpenHands** with other developers
+## How Can I Contribute?
 
-### Set Up Your Development Environment
+There are many ways that you can contribute:
 
-- **Requirements**: Linux/Mac/WSL, Docker, Python 3.12, Node.js 22+, Poetry 1.8+
-- **Quick setup**: `make build`
-- **Run locally**: `make run`
-- **LLM setup (V1 web app)**: configure your model and API key in the Settings UI after the app starts
+1. **Download and use** OpenHands, and send [issues](https://github.com/OpenHands/OpenHands/issues) when you encounter something that isn't working or a feature that you'd like to see.
+2. **Send feedback** after each session by [clicking the thumbs-up thumbs-down buttons](https://docs.openhands.dev/usage/feedback), so we can see where things are working and failing, and also build an open dataset for training code agents.
+3. **Improve the Codebase** by sending [PRs](#sending-pull-requests-to-openhands) (see details below). In particular, we have some [good first issues](https://github.com/OpenHands/OpenHands/labels/good%20first%20issue) that may be ones to start on.
 
-Full details in our [Development Guide](./Development.md).
+## What Can I Build?
 
-### Find Your First Issue
+Here are a few ways you can help improve the codebase.
 
-- Browse [good first issues](https://github.com/OpenHands/OpenHands/labels/good%20first%20issue)
-- Check our [project boards](https://github.com/OpenHands/OpenHands/projects) for organized tasks
-- Join our [Slack community](https://openhands.dev/joinslack) to ask what needs help
+#### UI/UX
 
-## Understanding the Codebase
+We're always looking to improve the look and feel of the application. If you've got a small fix
+for something that's bugging you, feel free to open up a PR that changes the [`./frontend`](./frontend) directory.
 
-- **[Frontend](./frontend/README.md)** - React application
-- **[App Server (V1)](./openhands/app_server/README.md)** - Current FastAPI application server and REST API modules
-- **[Agents](./openhands/agenthub/README.md)** - AI agent implementations
-- **[Runtime](./openhands/runtime/README.md)** - Execution environments
-- **[Evaluation](https://github.com/OpenHands/benchmarks)** - Testing and benchmarks
+If you're looking to make a bigger change, add a new UI element, or significantly alter the style
+of the application, please open an issue first, or better, join the #dev-ui-ux channel in our Slack
+to gather consensus from our design team first.
 
-## What Can You Build?
+#### Improving the agent
 
-### Frontend & UI/UX
-- React & TypeScript development
-- UI/UX improvements
-- Mobile responsiveness
-- Component libraries
+Our main agent is the CodeAct agent. You can [see its prompts here](https://github.com/OpenHands/OpenHands/tree/main/openhands/agenthub/codeact_agent).
 
-For bigger changes, join the #proj-gui channel in [Slack](https://openhands.dev/joinslack) first.
+Changes to these prompts, and to the underlying behavior in Python, can have a huge impact on user experience.
+You can try modifying the prompts to see how they change the behavior of the agent as you use the app
+locally, but we will need to do an end-to-end evaluation of any changes here to ensure that the agent
+is getting better over time.
 
-### Agent Development
-- Prompt engineering
-- New agent types
-- Agent evaluation
-- Multi-agent systems
+We use the [SWE-bench](https://www.swebench.com/) benchmark to test our agent. You can join the #evaluation
+channel in Slack to learn more.
 
-We use [SWE-bench](https://www.swebench.com/) to evaluate agents.
+#### Adding a new agent
 
-### Backend & Infrastructure
-- Python development
-- Runtime systems (Docker containers, sandboxes)
-- Cloud integrations
-- Performance optimization
+You may want to experiment with building new types of agents. You can add an agent to [`openhands/agenthub`](./openhands/agenthub)
+to help expand the capabilities of OpenHands.
 
-### Testing & Quality Assurance
-- Unit testing
-- Integration testing
-- Bug hunting
-- Performance testing
+#### Adding a new runtime
 
-### Documentation & Education
-- Technical documentation
-- Translation
-- Community support
+The agent needs a place to run code and commands. When you run OpenHands on your laptop, it uses a Docker container
+to do this by default. But there are other ways of creating a sandbox for the agent.
 
-## Pull Request Process
+If you work for a company that provides a cloud-based runtime, you could help us add support for that runtime
+by implementing the [interface specified here](https://github.com/OpenHands/OpenHands/blob/main/openhands/runtime/base.py).
 
-### Small Improvements
-- Quick review and approval
-- Ensure CI tests pass
-- Include clear description of changes
+#### Testing
 
-### Core Agent Changes
-These are evaluated based on:
-- **Accuracy** - Does it make the agent better at solving problems?
-- **Efficiency** - Does it improve speed or reduce resource usage?
-- **Code Quality** - Is the code maintainable and well-tested?
-
-Discuss major changes in [GitHub issues](https://github.com/OpenHands/OpenHands/issues) or [Slack](https://openhands.dev/joinslack) first.
+When you write code, it is also good to write tests. Please navigate to the [`./tests`](./tests) folder to see existing
+test suites. At the moment, we have these kinds of tests: [`unit`](./tests/unit), [`runtime`](./tests/runtime), and [`end-to-end (e2e)`](./tests/e2e).
+Please refer to the README for each test suite. These tests also run on GitHub's continuous integration to ensure
+quality of the project.
 
 ## Sending Pull Requests to OpenHands
 
 You'll need to fork our repository to send us a Pull Request. You can learn more
 about how to fork a GitHub repo and open a PR with your changes in [this article](https://medium.com/swlh/forks-and-pull-requests-how-to-contribute-to-github-repos-8843fac34ce8).
 
-You may also check out previous PRs in the [PR list](https://github.com/OpenHands/OpenHands/pulls).
+### Pull Request title
 
-### Pull Request Title Format
-
-As described [here](https://github.com/commitizen/conventional-commit-types/blob/master/index.json), a valid PR title should begin with one of the following prefixes:
+As described [here](https://github.com/commitizen/conventional-commit-types/blob/master/index.json), ideally a valid PR title should begin with one of the following prefixes:
 
 - `feat`: A new feature
 - `fix`: A bug fix
@@ -117,27 +95,45 @@ For example, a PR title could be:
 - `refactor: modify package path`
 - `feat(frontend): xxxx`, where `(frontend)` means that this PR mainly focuses on the frontend component.
 
-### Pull Request Description
+You may also check out previous PRs in the [PR list](https://github.com/OpenHands/OpenHands/pulls).
 
-- Explain what the PR does and why
-- Link to related issues
-- Include screenshots for UI changes
-- If your changes are user-facing (e.g. a new feature in the UI, a change in behavior, or a bugfix),
-  please include a short message that we can add to our changelog
+### Pull Request description
 
-## Becoming a Maintainer
+- If your PR is small (such as a typo fix), you can go brief.
+- If it contains a lot of changes, it's better to write more details.
 
-For contributors who have made significant and sustained contributions to the project, there is a possibility of joining the maintainer team.
-The process for this is as follows:
+If your changes are user-facing (e.g. a new feature in the UI, a change in behavior, or a bugfix)
+please include a short message that we can add to our changelog.
 
-1. Any contributor who has made sustained and high-quality contributions to the codebase can be nominated by any maintainer. If you feel that you may qualify you can reach out to any of the maintainers that have reviewed your PRs and ask if you can be nominated.
-2. Once a maintainer nominates a new maintainer, there will be a discussion period among the maintainers for at least 3 days.
-3. If no concerns are raised the nomination will be accepted by acclamation, and if concerns are raised there will be a discussion and possible vote.
+## How to Make Effective Contributions
 
-Note that just making many PRs does not immediately imply that you will become a maintainer. We will be looking at sustained high-quality contributions over a period of time, as well as good teamwork and adherence to our [Code of Conduct](./CODE_OF_CONDUCT.md).
+### Opening Issues
 
-## Need Help?
+If you notice any bugs or have any feature requests please open them via the [issues page](https://github.com/OpenHands/OpenHands/issues). We will triage
+based on how critical the bug is or how potentially useful the improvement is, discuss, and implement the ones that
+the community has interest/effort for.
 
-- **Slack**: [Join our community](https://openhands.dev/joinslack)
-- **GitHub Issues**: [Open an issue](https://github.com/OpenHands/OpenHands/issues)
-- **Email**: contact@openhands.dev
+Further, if you see an issue you like, please leave a "thumbs-up" or a comment, which will help us prioritize.
+
+### Making Pull Requests
+
+We're generally happy to consider all pull requests with the evaluation process varying based on the type of change:
+
+#### For Small Improvements
+
+Small improvements with few downsides are typically reviewed and approved quickly.
+One thing to check when making changes is to ensure that all continuous integration tests pass, which you can check
+before getting a review.
+
+#### For Core Agent Changes
+
+We need to be more careful with changes to the core agent, as it is imperative to maintain high quality. These PRs are
+evaluated based on three key metrics:
+
+1. **Accuracy**
+2. **Efficiency**
+3. **Code Complexity**
+
+If it improves accuracy, efficiency, or both with only a minimal change to code quality, that's great we're happy to merge it in!
+If there are bigger tradeoffs (e.g. helping efficiency a lot and hurting accuracy a little) we might want to put it behind a feature flag.
+Either way, please feel free to discuss on github issues or slack, and we will give guidance and preliminary feedback.

Development.md

@@ -6,196 +6,22 @@ If you wish to contribute your changes, check out the
 on how to clone and setup the project initially before moving on. Otherwise,
 you can clone the OpenHands project directly.
 
-## Choose Your Setup
+## Start the Server for Development
 
-Select your operating system to see the specific setup instructions:
+### 1. Requirements
 
-- [macOS](#macos-setup)
-- [Linux](#linux-setup)
-- [Windows WSL](#windows-wsl-setup)
-- [Dev Container](#dev-container)
-- [Developing in Docker](#developing-in-docker)
-- [No sudo access?](#develop-without-sudo-access)
+- Linux, Mac OS, or [WSL on Windows](https://learn.microsoft.com/en-us/windows/wsl/install) [Ubuntu >= 22.04]
+- [Docker](https://docs.docker.com/engine/install/) (For those on MacOS, make sure to allow the default Docker socket to be used from advanced settings!)
+- [Python](https://www.python.org/downloads/) = 3.12
+- [NodeJS](https://nodejs.org/en/download/package-manager) >= 22.x
+- [Poetry](https://python-poetry.org/docs/#installing-with-the-official-installer) >= 1.8
+- OS-specific dependencies:
+  - Ubuntu: build-essential => `sudo apt-get install build-essential python3.12-dev`
+  - WSL: netcat => `sudo apt-get install netcat`
 
----
+Make sure you have all these dependencies installed before moving on to `make build`.
 
-## macOS Setup
-
-### 1. Install Prerequisites
-
-You'll need the following installed:
-
-- **Python 3.12** — `brew install python@3.12` (see the [official Homebrew Python docs](https://docs.brew.sh/Homebrew-and-Python) for details). Make sure `python3.12` is available in your PATH (the `make build` step will verify this).
-- **Node.js >= 22** — `brew install node`
-- **Poetry >= 1.8** — `brew install poetry`
-- **Docker Desktop** — `brew install --cask docker`
-  - After installing, open Docker Desktop → **Settings → Advanced** → Enable **"Allow the default Docker socket to be used"**
-
-### 2. Build and Setup the Environment
-
-```bash
-make build
-```
-
-### 3. Configure the Language Model
-
-OpenHands supports a diverse array of Language Models (LMs) through the powerful [litellm](https://docs.litellm.ai) library.
-
-For the V1 web app, start OpenHands and configure your model and API key in the Settings UI.
-
-If you are running headless or CLI workflows, you can prepare local defaults with:
-
-```bash
-make setup-config
-```
-
-**Note on Alternative Models:**
-See [our documentation](https://docs.openhands.dev/usage/llms) for recommended models.
-
-### 4. Run the Application
-
-```bash
-# Run both backend and frontend
-make run
-
-# Or run separately:
-make start-backend  # Backend only on port 3000
-make start-frontend # Frontend only on port 3001
-```
-
-These targets serve the current OpenHands V1 API by default. In the codebase, `make start-backend` runs `openhands.server.listen:app`, and that app includes the `openhands/app_server` V1 routes unless `ENABLE_V1=0`.
-
----
-
-## Linux Setup
-
-This guide covers Ubuntu/Debian. For other distributions, adapt the package manager commands accordingly.
-
-### 1. Install Prerequisites
-
-```bash
-# Update package list
-sudo apt update
-
-# Install system dependencies
-sudo apt install -y build-essential curl netcat software-properties-common
-
-# Install Python 3.12
-# Ubuntu 24.04+ and Debian 13+ ship with Python 3.12 — skip the PPA step if
-# python3.12 --version already works on your system.
-# The deadsnakes PPA is Ubuntu-only and needed for Ubuntu 22.04 or older:
-sudo add-apt-repository -y ppa:deadsnakes/ppa
-sudo apt update
-sudo apt install -y python3.12 python3.12-dev python3.12-venv
-
-# Install Node.js 22.x
-curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
-sudo apt install -y nodejs
-
-# Install Poetry
-curl -sSL https://install.python-poetry.org | python3 -
-
-# Add Poetry to your PATH
-echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
-source ~/.bashrc
-
-# Install Docker
-# Follow the official guide: https://docs.docker.com/engine/install/ubuntu/
-# Quick version:
-sudo install -m 0755 -d /etc/apt/keyrings
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
-sudo chmod a+r /etc/apt/keyrings/docker.asc
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-sudo apt update
-sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-sudo usermod -aG docker $USER
-# Log out and back in for Docker group changes to take effect
-```
-
-### 2. Build and Setup the Environment
-
-```bash
-make build
-```
-
-### 3. Configure the Language Model
-
-See the [macOS section above](#3-configure-the-language-model) for guidance: configure your model and API key in the Settings UI.
-
-### 4. Run the Application
-
-```bash
-# Run both backend and frontend
-make run
-
-# Or run separately:
-make start-backend  # Backend only on port 3000
-make start-frontend # Frontend only on port 3001
-```
-
----
-
-## Windows WSL Setup
-
-WSL2 with Ubuntu is recommended. The setup is similar to Linux, with a few WSL-specific considerations.
-
-### 1. Install WSL2
-
-**Option A: Windows 11 (Microsoft Store)**
-The easiest way on Windows 11:
-1. Open the **Microsoft Store** app
-2. Search for **"Ubuntu 22.04 LTS"** or **"Ubuntu"**
-3. Click **Install**
-4. Launch Ubuntu from the Start menu
-
-**Option B: PowerShell**
-```powershell
-# Run this in PowerShell as Administrator
-wsl --install -d Ubuntu-22.04
-```
-
-After installation, restart your computer and open Ubuntu.
-
-### 2. Install Prerequisites (in WSL Ubuntu)
-
-Follow [Step 1 from the Linux setup](#1-install-prerequisites-1) to install system dependencies, Python 3.12, Node.js, and Poetry. Skip the Docker installation — Docker is provided through Docker Desktop below.
-
-### 3. Configure Docker for WSL2
-
-1. Install [Docker Desktop for Windows](https://www.docker.com/products/docker-desktop)
-2. Open Docker Desktop > Settings > General
-3. Enable: "Use the WSL 2 based engine"
-4. Go to Settings > Resources > WSL Integration
-5. Enable integration with your Ubuntu distribution
-
-**Important:** Keep your project files in the WSL filesystem (e.g., `~/workspace/openhands`), not in `/mnt/c`. Files accessed via `/mnt/c` will be significantly slower.
-
-### 4. Build and Setup the Environment
-
-```bash
-make build
-```
-
-### 5. Configure the Language Model
-
-See the [macOS section above](#3-configure-the-language-model) for the current V1 guidance: configure your model and API key in the Settings UI for the web app, and use `make setup-config` only for headless or CLI workflows.
-
-### 6. Run the Application
-
-```bash
-# Run both backend and frontend
-make run
-
-# Or run separately:
-make start-backend  # Backend only on port 3000
-make start-frontend # Frontend only on port 3001
-```
-
-Access the frontend at `http://localhost:3001` from your Windows browser.
-
----
-
-## Dev Container
+#### Dev container
 
 There is a [dev container](https://containers.dev/) available which provides a
 pre-configured environment with all the necessary dependencies installed if you
@@ -206,38 +32,7 @@ extension installed, you can open the project in a dev container by using the
 _Dev Container: Reopen in Container_ command from the Command Palette
 (Ctrl+Shift+P).
 
----
-
-## Developing in Docker
-
-If you don't want to install dependencies on your host machine, you can develop inside a Docker container.
-
-### Quick Start
-
-```bash
-make docker-dev
-```
-
-For more details, see the [dev container documentation](./containers/dev/README.md).
-
-### Alternative: Docker Run
-
-If you just want to run OpenHands without setting up a dev environment:
-
-```bash
-make docker-run
-```
-
-If you don't have `make` installed, run:
-
-```bash
-cd ./containers/dev
-./dev.sh
-```
-
----
-
-## Develop without sudo access
+#### Develop without sudo access
 
 If you want to develop without system admin/sudo access to upgrade/install `Python` and/or `NodeJS`, you can use
 `conda` or `mamba` to manage the packages for you:
@@ -253,90 +48,159 @@ mamba install conda-forge::nodejs
 mamba install conda-forge::poetry
 ```
 
----
+### 2. Build and Setup The Environment
 
-## Running OpenHands with OpenHands
-
-You can use OpenHands to develop and improve OpenHands itself!
-
-### Quick Start
+Begin by building the project which includes setting up the environment and installing dependencies. This step ensures
+that OpenHands is ready to run on your system:
 
 ```bash
-export INSTALL_DOCKER=0
-export RUNTIME=local
-make build && make run
+make build
 ```
 
-Access the interface at:
-- Local development: http://localhost:3001
-- Remote/cloud environments: Use the appropriate external URL
+### 3. Configuring the Language Model
 
-For external access:
-```bash
-make run FRONTEND_PORT=12000 FRONTEND_HOST=0.0.0.0 BACKEND_HOST=0.0.0.0
-```
+OpenHands supports a diverse array of Language Models (LMs) through the powerful [litellm](https://docs.litellm.ai) library.
 
----
-
-## LLM Debugging
-
-If you encounter issues with the Language Model, enable debug logging:
+To configure the LM of your choice, run:
 
 ```bash
-export DEBUG=1
-# Restart the backend
-make start-backend
+make setup-config
 ```
 
-Logs will be saved to `logs/llm/CURRENT_DATE/` for troubleshooting.
+This command will prompt you to enter the LLM API key, model name, and other variables ensuring that OpenHands is
+tailored to your specific needs. Note that the model name will apply only when you run headless. If you use the UI,
+please set the model in the UI.
 
----
+Note: If you have previously run OpenHands using the docker command, you may have already set some environment
+variables in your terminal. The final configurations are set from highest to lowest priority:
+Environment variables > config.toml variables > default variables
 
-## Testing
+**Note on Alternative Models:**
+See [our documentation](https://docs.openhands.dev/usage/llms) for recommended models.
 
-### Unit Tests
+### 4. Running the application
+
+#### Option A: Run the Full Application
+
+Once the setup is complete, this command starts both the backend and frontend servers, allowing you to interact with OpenHands:
 
 ```bash
-poetry run pytest ./tests/unit/test_*.py
+make run
 ```
 
----
+#### Option B: Individual Server Startup
 
-## Adding Dependencies
+- **Start the Backend Server:** If you prefer, you can start the backend server independently to focus on
+  backend-related tasks or configurations.
 
-1. Add your dependency in `pyproject.toml` or use `poetry add xxx`
-2. Update the lock file: `poetry lock --no-update`
+  ```bash
+  make start-backend
+  ```
 
----
+- **Start the Frontend Server:** Similarly, you can start the frontend server on its own to work on frontend-related
+  components or interface enhancements.
+  ```bash
+  make start-frontend
+  ```
 
-## Using Existing Docker Images
+### 5. Running OpenHands with OpenHands
 
-To reduce build time, you can use an existing runtime image:
+You can use OpenHands to develop and improve OpenHands itself! This is a powerful way to leverage AI assistance for contributing to the project.
 
-```bash
-export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:1.2-nikolaik
-```
+#### Quick Start
 
----
+1. **Build and run OpenHands:**
 
-## Help
+   ```bash
+   export INSTALL_DOCKER=0
+   export RUNTIME=local
+   make build && make run
+   ```
+
+2. **Access the interface:**
+
+   - Local development: http://localhost:3001
+   - Remote/cloud environments: Use the appropriate external URL
+
+3. **Configure for external access (if needed):**
+   ```bash
+   # For external access (e.g., cloud environments)
+   make run FRONTEND_PORT=12000 FRONTEND_HOST=0.0.0.0 BACKEND_HOST=0.0.0.0
+   ```
+
+### 6. LLM Debugging
+
+If you encounter any issues with the Language Model (LM) or you're simply curious, export DEBUG=1 in the environment and restart the backend.
+OpenHands will log the prompts and responses in the logs/llm/CURRENT_DATE directory, allowing you to identify the causes.
+
+### 7. Help
+
+Need help or info on available targets and commands? Use the help command for all the guidance you need with OpenHands.
 
 ```bash
 make help
 ```
 
----
+### 8. Testing
+
+To run tests, refer to the following:
+
+#### Unit tests
+
+```bash
+poetry run pytest ./tests/unit/test_*.py
+```
+
+### 9. Add or update dependency
+
+1. Add your dependency in `pyproject.toml` or use `poetry add xxx`.
+2. Update the poetry.lock file via `poetry lock --no-update`.
+
+### 10. Use existing Docker image
+
+To reduce build time (e.g., if no changes were made to the client-runtime component), you can use an existing Docker
+container image by setting the SANDBOX_RUNTIME_CONTAINER_IMAGE environment variable to the desired Docker image.
+
+Example: `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:1.2-nikolaik`
+
+## Develop inside Docker container
+
+TL;DR
+
+```bash
+make docker-dev
+```
+
+See more details [here](./containers/dev/README.md).
+
+If you are just interested in running `OpenHands` without installing all the required tools on your host.
+
+```bash
+make docker-run
+```
+
+If you do not have `make` on your host, run:
+
+```bash
+cd ./containers/dev
+./dev.sh
+```
+
+You do need [Docker](https://docs.docker.com/engine/install/) installed on your host though.
 
 ## Key Documentation Resources
 
+Here's a guide to the important documentation files in the repository:
+
 - [/README.md](./README.md): Main project overview, features, and basic setup instructions
 - [/Development.md](./Development.md) (this file): Comprehensive guide for developers working on OpenHands
 - [/CONTRIBUTING.md](./CONTRIBUTING.md): Guidelines for contributing to the project, including code style and PR process
 - [DOC_STYLE_GUIDE.md](https://github.com/OpenHands/docs/blob/main/openhands/DOC_STYLE_GUIDE.md): Standards for writing and maintaining project documentation
-- [/openhands/app_server/README.md](./openhands/app_server/README.md): Current V1 application server implementation and REST API modules
+- [/openhands/README.md](./openhands/README.md): Details about the backend Python implementation
 - [/frontend/README.md](./frontend/README.md): Frontend React application setup and development guide
 - [/containers/README.md](./containers/README.md): Information about Docker containers and deployment
 - [/tests/unit/README.md](./tests/unit/README.md): Guide to writing and running unit tests
 - [OpenHands/benchmarks](https://github.com/OpenHands/benchmarks): Documentation for the evaluation framework and benchmarks
 - [/skills/README.md](./skills/README.md): Information about the skills architecture and implementation
+- [/openhands/server/README.md](./openhands/server/README.md): Server implementation details and API documentation
 - [/openhands/runtime/README.md](./openhands/runtime/README.md): Documentation for the runtime environment and execution model

README.md

@@ -23,6 +23,7 @@
   <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=pt">Português</a> |
   <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=ru">Русский</a> |
   <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=zh">中文</a>
+
 </div>
 
 <hr>
@@ -83,71 +84,3 @@ All our work is available under the MIT license, except for the `enterprise/` di
 The core `openhands` and `agent-server` Docker images are fully MIT-licensed as well.
 
 If you need help with anything, or just want to chat, [come find us on Slack](https://dub.sh/openhands).
-
-<hr>
-
-### Thank You to Our Contributors
-
-<div align="center">
-
-[![OpenHands Contributors](https://assets.openhands.dev/readme/openhands-openhands-contributors.svg)](https://github.com/OpenHands/OpenHands/graphs/contributors)
-
-</div>
-
-<hr>
-
-### Trusted by Engineers at
-
-<div align="center">
-  <br/><br/>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/tiktok.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/tiktok.svg" alt="TikTok" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/vmware.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/vmware.svg" alt="VMware" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/roche.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/roche.svg" alt="Roche" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/amazon.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/amazon.svg" alt="Amazon" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/c3-ai.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/c3-ai.svg" alt="C3 AI" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/netflix.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/netflix.svg" alt="Netflix" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/mastercard.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/mastercard.svg" alt="Mastercard" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/red-hat.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/red-hat.svg" alt="Red Hat" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/mongodb.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/mongodb.svg" alt="MongoDB" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/apple.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/apple.svg" alt="Apple" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/nvidia.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/nvidia.svg" alt="NVIDIA" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/google.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/google.svg" alt="Google" height="17" hspace="5">
-  </picture>
-</div>
-
-</div>

config.template.toml

@@ -296,7 +296,7 @@ classpath = "my_package.my_module.MyCustomAgent"
 #user_id = 1000
 
 # Container image to use for the sandbox
-#base_container_image = "nikolaik/python-nodejs:python3.12-nodejs22-slim"
+#base_container_image = "nikolaik/python-nodejs:python3.12-nodejs22"
 
 # Use host network
 #use_host_network = false

containers/app/Dockerfile

@@ -1,5 +1,5 @@
 ARG OPENHANDS_BUILD_VERSION=dev
-FROM node:25.8-trixie-slim AS frontend-builder
+FROM node:25.2-trixie-slim AS frontend-builder
 
 WORKDIR /app
 
@@ -20,11 +20,9 @@ ENV POETRY_NO_INTERACTION=1 \
     POETRY_VIRTUALENVS_CREATE=1 \
     POETRY_CACHE_DIR=/tmp/poetry_cache
 
-# Pin Poetry version to match the version used to generate poetry.lock
-ARG POETRY_VERSION=2.3.3
 RUN apt-get update -y \
     && apt-get install -y curl make git build-essential jq gettext \
-    && python3 -m pip install "poetry==${POETRY_VERSION}" --break-system-packages
+    && python3 -m pip install poetry --break-system-packages
 
 COPY pyproject.toml poetry.lock ./
 RUN touch README.md
@@ -52,7 +50,7 @@ RUN mkdir -p $FILE_STORE_PATH
 RUN mkdir -p $WORKSPACE_BASE
 
 RUN apt-get update -y \
-    && apt-get install -y curl git ssh sudo \
+    && apt-get install -y curl ssh sudo \
     && rm -rf /var/lib/apt/lists/*
 
 # Default is 1000, but OSX is often 501
@@ -75,17 +73,6 @@ ENV VIRTUAL_ENV=/app/.venv \
 
 COPY --chown=openhands:openhands --chmod=770 --from=backend-builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 
-# Pin pip to a known-good version (reproducible builds) and fix CVE-2025-8869
-# Pin both venv pip and system pip (Trivy scans both)
-# - `python -m pip` uses the venv because `PATH` is prefixed with `${VIRTUAL_ENV}/bin`
-# - `/usr/local/bin/python3 -m pip` uses the system interpreter regardless of `PATH`
-ARG PIP_VERSION=26.0.1
-RUN python -m pip install --no-cache-dir "pip==${PIP_VERSION}"
-
-USER root
-RUN /usr/local/bin/python3 -m pip install --no-cache-dir "pip==${PIP_VERSION}" --break-system-packages
-USER openhands
-
 COPY --chown=openhands:openhands --chmod=770 ./skills ./skills
 COPY --chown=openhands:openhands --chmod=770 ./openhands ./openhands
 COPY --chown=openhands:openhands --chmod=777 ./openhands/runtime/plugins ./openhands/runtime/plugins

containers/build.sh

@@ -8,18 +8,16 @@ push=0
 load=0
 tag_suffix=""
 dry_run=0
-arch_suffix=""
 
 # Function to display usage information
 usage() {
-    echo "Usage: $0 -i <image_name> [-o <org_name>] [--push] [--load] [-t <tag_suffix>] [--dry] [--arch <arch>]"
+    echo "Usage: $0 -i <image_name> [-o <org_name>] [--push] [--load] [-t <tag_suffix>] [--dry]"
     echo "  -i: Image name (required)"
     echo "  -o: Organization name"
     echo "  --push: Push the image"
     echo "  --load: Load the image"
     echo "  -t: Tag suffix"
     echo "  --dry: Don't build, only create build-args.json"
-    echo "  --arch: Architecture suffix (e.g. amd64 or arm64). Appends -<arch> to tags and forces single-platform build"
     exit 1
 }
 
@@ -32,7 +30,6 @@ while [[ $# -gt 0 ]]; do
         --load) load=1; shift ;;
         -t) tag_suffix="$2"; shift 2 ;;
         --dry) dry_run=1; shift ;;
-        --arch) arch_suffix="$2"; shift 2 ;;
         *) usage ;;
     esac
 done
@@ -78,7 +75,7 @@ if [[ -n $tag_suffix ]]; then
   done
 fi
 
-echo "Tags (before arch suffix): ${tags[@]}"
+echo "Tags: ${tags[@]}"
 
 if [[ "$image_name" == "openhands" ]]; then
   dir="./containers/app"
@@ -113,21 +110,10 @@ if [[ -n "$DOCKER_IMAGE_TAG" ]]; then
   tags+=("$DOCKER_IMAGE_TAG")
 fi
 
-# Apply architecture suffix for split-arch builds (after all tags are collected)
-if [[ -n "$arch_suffix" ]]; then
-  cache_tag+="-${arch_suffix}"
-  for i in "${!tags[@]}"; do
-    tags[$i]="${tags[$i]}-${arch_suffix}"
-  done
-  # Force single-platform build for this architecture
-  arch_platform="linux/${arch_suffix}"
-fi
-
 DOCKER_REPOSITORY="$DOCKER_REGISTRY/$DOCKER_ORG/$DOCKER_IMAGE"
 DOCKER_REPOSITORY=${DOCKER_REPOSITORY,,} # lowercase
 echo "Repo: $DOCKER_REPOSITORY"
 echo "Base dir: $DOCKER_BASE_DIR"
-echo "Tags: ${tags[@]}"
 
 args=""
 full_tags=()
@@ -136,6 +122,7 @@ for tag in "${tags[@]}"; do
   full_tags+=("$DOCKER_REPOSITORY:$tag")
 done
 
+
 if [[ $push -eq 1 ]]; then
   args+=" --push"
   args+=" --cache-to=type=registry,ref=$DOCKER_REPOSITORY:$cache_tag,mode=max"
@@ -147,10 +134,8 @@ fi
 
 echo "Args: $args"
 
-# Determine the platform(s) to build for
-if [[ -n "$arch_platform" ]]; then
-  platform="$arch_platform"
-elif [[ $load -eq 1 ]]; then
+# Modify the platform selection based on --load flag
+if [[ $load -eq 1 ]]; then
   # When loading, build only for the current platform
   platform=$(docker version -f '{{.Server.Os}}/{{.Server.Arch}}')
 else
@@ -159,24 +144,13 @@ else
 fi
 if [[ $dry_run -eq 1 ]]; then
   echo "Dry Run is enabled. Writing build config to docker-build-dry.json"
-  # Compute base tags (arch suffix stripped) for use by merge jobs
-  base_tags=()
-  for ftag in "${full_tags[@]}"; do
-    if [[ -n "$arch_suffix" ]]; then
-      base_tags+=("${ftag%-${arch_suffix}}")
-    else
-      base_tags+=("$ftag")
-    fi
-  done
   jq -n \
     --argjson tags "$(printf '%s\n' "${full_tags[@]}" | jq -R . | jq -s .)" \
-    --argjson base_tags "$(printf '%s\n' "${base_tags[@]}" | jq -R . | jq -s .)" \
     --arg platform "$platform" \
     --arg openhands_build_version "$OPENHANDS_BUILD_VERSION" \
     --arg dockerfile "$dir/Dockerfile" \
     '{
       tags: $tags,
-      base_tags: $base_tags,
       platform: $platform,
       build_args: [
         "OPENHANDS_BUILD_VERSION=" + $openhands_build_version
@@ -195,7 +169,7 @@ docker buildx build \
   $args \
   --build-arg OPENHANDS_BUILD_VERSION="$OPENHANDS_BUILD_VERSION" \
   --cache-from=type=registry,ref=$DOCKER_REPOSITORY:$cache_tag \
-  --cache-from=type=registry,ref=$DOCKER_REPOSITORY:${cache_tag_base}-main${arch_suffix:+-${arch_suffix}} \
+  --cache-from=type=registry,ref=$DOCKER_REPOSITORY:$cache_tag_base-main \
   --platform $platform \
   --provenance=false \
   -f "$dir/Dockerfile" \

containers/dev/compose.yml

@@ -12,8 +12,8 @@ services:
       - SANDBOX_API_HOSTNAME=host.docker.internal
       - DOCKER_HOST_ADDR=host.docker.internal
       #
-      - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.15.0-python}
+      - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/runtime}
+      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.2-nikolaik}
       - SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234}
       - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
     ports:

dev_config/python/.pre-commit-config.yaml

@@ -58,8 +58,6 @@ repos:
             types-Markdown,
             pydantic,
             lxml,
-            "openhands-sdk==1.14",
-            "openhands-tools==1.14",
           ]
         # To see gaps add `--html-report mypy-report/`
         entry: mypy --config-file dev_config/python/mypy.ini openhands/

dev_config/python/mypy.ini

@@ -14,11 +14,3 @@ exclude = (third_party/|enterprise/)
 
 [mypy-openhands.memory.condenser.impl.*]
 disable_error_code = override
-
-[mypy-openai.*]
-follow_imports = skip
-ignore_missing_imports = True
-
-[mypy-litellm.*]
-follow_imports = skip
-ignore_missing_imports = True

docker-compose.yml

@@ -8,7 +8,7 @@ services:
     container_name: openhands-app-${DATE:-}
     environment:
       - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.15.0-python}
+      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-31536c8-python}
       #- SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234} # enable this only if you want a specific non-root sandbox user but you will have to manually adjust permissions of ~/.openhands for this user
       - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
     ports:

enterprise/Dockerfile

@@ -10,7 +10,7 @@ LABEL com.datadoghq.tags.env="${DD_ENV}"
 # Apply security updates to fix CVEs
 RUN apt-get update && \
     apt-get install -y curl && \
-    curl -fsSL https://deb.nodesource.com/setup_24.x | bash - && \
+    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
     apt-get install -y nodejs && \
     apt-get install -y jq gettext && \
     # Apply security updates for packages with available fixes

enterprise/LICENSE

@@ -1,7 +1,5 @@
 # PolyForm Free Trial License 1.0.0
 
-Copyright (c) 2026 All Hands AI
-
 ## Acceptance
 
 In order to get any license under these terms, you must agree

enterprise/README.md

@@ -51,6 +51,6 @@ NOTE: in the future we will simply replace the `GithubTokenManager` with keycloa
 ## User ID vs User Token
 
 - In OpenHands, the entire app revolves around the GitHub token the user sets. `openhands/server` uses `request.state.github_token` for the entire app
-- On Enterprise, the entire APP resolves around the Github User ID. This is because the cookie sets it, so `openhands/server` AND `enterprise/server` depend on it and completely ignore `request.state.github_token` (token is fetched from `GithubTokenManager` instead)
+- On Enterprise, the entire APP resolves around the Github User ID. This is because the cookie sets it, so `openhands/server` AND `enterprise/server` depend on it and completly ignore `request.state.github_token` (token is fetched from `GithubTokenManager` instead)
 
 Note that introducing GitHub User ID in OpenHands, for instance, will cause large breakages.

enterprise/alembic.ini

@@ -59,7 +59,7 @@ handlers = console
 qualname =
 
 [logger_sqlalchemy]
-level = WARNING
+level = DEBUG
 handlers =
 qualname = sqlalchemy.engine
 

enterprise/allhands-realm-github-provider.json.tmpl

@@ -723,13 +723,11 @@
         "https://$WEB_HOST/slack/keycloak-callback",
         "https://$WEB_HOST/oauth/device/keycloak-callback",
         "https://$WEB_HOST/api/email/verified",
-        "/realms/$KEYCLOAK_REALM_NAME/$KEYCLOAK_CLIENT_ID/*",
-        "https://laminar.$WEB_HOST/api/auth/callback/keycloak"
+        "/realms/$KEYCLOAK_REALM_NAME/$KEYCLOAK_CLIENT_ID/*"
       ],
       "webOrigins": [
         "https://$WEB_HOST",
-        "https://$AUTH_WEB_HOST",
-        "https://laminar.$WEB_HOST"
+        "https://$AUTH_WEB_HOST"
       ],
       "notBefore": 0,
       "bearerOnly": false,
@@ -1774,40 +1772,6 @@
         "sendIdTokenOnLogout": "true",
         "passMaxAge": "false"
       }
-    },
-    {
-      "alias": "bitbucket_data_center",
-      "displayName": "Bitbucket Data Center",
-      "internalId": "b77b4ead-20e8-451c-ad27-99f92d561616",
-      "providerId": "oauth2",
-      "enabled": true,
-      "updateProfileFirstLoginMode": "on",
-      "trustEmail": true,
-      "storeToken": true,
-      "addReadTokenRoleOnCreate": false,
-      "authenticateByDefault": false,
-      "linkOnly": false,
-      "hideOnLogin": false,
-      "config": {
-        "givenNameClaim": "given_name",
-        "userInfoUrl": "https://${WEB_HOST}/bitbucket-dc-proxy/oauth2/userinfo",
-        "clientId": "$BITBUCKET_DATA_CENTER_CLIENT_ID",
-        "tokenUrl": "https://${BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/token",
-        "acceptsPromptNoneForwardFromClient": "false",
-        "fullNameClaim": "name",
-        "userIDClaim": "sub",
-        "emailClaim": "email",
-        "userNameClaim": "preferred_username",
-        "caseSensitiveOriginalUsername": "false",
-        "familyNameClaim": "family_name",
-        "pkceEnabled": "false",
-        "authorizationUrl": "https://${BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/authorize",
-        "clientAuthMethod": "client_secret_post",
-        "syncMode": "IMPORT",
-        "clientSecret": "$BITBUCKET_DATA_CENTER_CLIENT_SECRET",
-        "allowedClockSkew": "0",
-        "defaultScope": "REPO_WRITE"
-      }
     }
   ],
   "identityProviderMappers": [
@@ -1865,26 +1829,6 @@
         "syncMode": "FORCE",
         "attribute": "identity_provider"
       }
-    },
-    {
-      "name": "id-mapper",
-      "identityProviderAlias": "bitbucket_data_center",
-      "identityProviderMapper": "oidc-user-attribute-idp-mapper",
-      "config": {
-        "syncMode": "FORCE",
-        "claim": "sub",
-        "user.attribute": "bitbucket_data_center_id"
-      }
-    },
-    {
-      "name": "identity-provider",
-      "identityProviderAlias": "bitbucket_data_center",
-      "identityProviderMapper": "hardcoded-attribute-idp-mapper",
-      "config": {
-        "attribute.value": "bitbucket_data_center",
-        "syncMode": "FORCE",
-        "attribute": "identity_provider"
-      }
     }
   ],
   "components": {

enterprise/doc/architecture/README.md

@@ -1,13 +0,0 @@
-# Enterprise Architecture Documentation
-
-Architecture diagrams specific to the OpenHands SaaS/Enterprise deployment.
-
-## Documentation
-
-- [Authentication Flow](./authentication.md) - Keycloak-based authentication for SaaS deployment
-- [External Integrations](./external-integrations.md) - GitHub, Slack, Jira, and other service integrations
-
-## Related Documentation
-
-For core OpenHands architecture (applicable to all deployments), see:
-- [Core Architecture Documentation](../../../openhands/architecture/README.md)

enterprise/doc/architecture/authentication.md

@@ -1,58 +0,0 @@
-# Authentication Flow (SaaS Deployment)
-
-OpenHands uses Keycloak for identity management in the SaaS deployment. The authentication flow involves multiple services:
-
-```mermaid
-sequenceDiagram
-    autonumber
-    participant User as User (Browser)
-    participant App as App Server
-    participant KC as Keycloak
-    participant IdP as Identity Provider<br/>(GitHub, Google, etc.)
-    participant DB as User Database
-
-    Note over User,DB: OAuth 2.0 / OIDC Authentication Flow
-
-    User->>App: Access OpenHands
-    App->>User: Redirect to Keycloak
-    User->>KC: Login request
-    KC->>User: Show login options
-    User->>KC: Select provider (e.g., GitHub)
-    KC->>IdP: OAuth redirect
-    User->>IdP: Authenticate
-    IdP-->>KC: OAuth callback + tokens
-    Note over KC: Create/update user session
-    KC-->>User: Redirect with auth code
-    User->>App: Auth code
-    App->>KC: Exchange code for tokens
-    KC-->>App: Access token + Refresh token
-    Note over App: Create signed JWT cookie
-    App->>DB: Store/update user record
-    App-->>User: Set keycloak_auth cookie
-
-    Note over User,DB: Subsequent Requests
-
-    User->>App: Request with cookie
-    Note over App: Verify JWT signature
-    App->>KC: Validate token (if needed)
-    KC-->>App: Token valid
-    Note over App: Extract user context
-    App-->>User: Authorized response
-```
-
-### Authentication Components
-
-| Component | Purpose | Location |
-|-----------|---------|----------|
-| **Keycloak** | Identity provider, SSO, token management | External service |
-| **UserAuth** | Abstract auth interface | `openhands/server/user_auth/user_auth.py` |
-| **SaasUserAuth** | Keycloak implementation | `enterprise/server/auth/saas_user_auth.py` |
-| **JWT Service** | Token signing/verification | `openhands/app_server/services/jwt_service.py` |
-| **Auth Routes** | Login/logout endpoints | `enterprise/server/routes/auth.py` |
-
-### Token Flow
-
-1. **Keycloak Access Token**: Short-lived token for API access
-2. **Keycloak Refresh Token**: Long-lived token to obtain new access tokens
-3. **Signed JWT Cookie**: App Server's session cookie containing encrypted Keycloak tokens
-4. **Provider Tokens**: OAuth tokens for GitHub, GitLab, etc. (stored separately for git operations)

enterprise/doc/architecture/external-integrations.md

@@ -1,88 +0,0 @@
-# External Integrations
-
-OpenHands integrates with external services (GitHub, Slack, Jira, etc.) through webhook-based event handling:
-
-```mermaid
-sequenceDiagram
-    autonumber
-    participant Ext as External Service<br/>(GitHub/Slack/Jira)
-    participant App as App Server
-    participant IntRouter as Integration Router
-    participant Manager as Integration Manager
-    participant Conv as Conversation Service
-    participant Sandbox as Sandbox
-
-    Note over Ext,Sandbox: Webhook Event Flow (e.g., GitHub Issue Created)
-
-    Ext->>App: POST /api/integration/{service}/events
-    App->>IntRouter: Route to service handler
-    Note over IntRouter: Verify signature (HMAC)
-
-    IntRouter->>Manager: Parse event payload
-    Note over Manager: Extract context (repo, issue, user)
-    Note over Manager: Map external user → OpenHands user
-
-    Manager->>Conv: Create conversation (with issue context)
-    Conv->>Sandbox: Provision sandbox
-    Sandbox-->>Conv: Ready
-
-    Manager->>Sandbox: Start agent with task
-
-    Note over Ext,Sandbox: Agent Works on Task...
-
-    Sandbox-->>Manager: Task complete
-    Manager->>Ext: POST result<br/>(PR, comment, etc.)
-
-    Note over Ext,Sandbox: Callback Flow (Agent → External Service)
-
-    Sandbox->>App: Webhook callback<br/>/api/v1/webhooks
-    App->>Manager: Process callback
-    Manager->>Ext: Update external service
-```
-
-### Supported Integrations
-
-| Integration | Trigger Events | Agent Actions |
-|-------------|----------------|---------------|
-| **GitHub** | Issue created, PR opened, @mention | Create PR, comment, push commits |
-| **GitLab** | Issue created, MR opened | Create MR, comment, push commits |
-| **Slack** | @mention in channel | Reply in thread, create tasks |
-| **Jira** | Issue created/updated | Update ticket, add comments |
-| **Linear** | Issue created | Update status, add comments |
-
-### Integration Components
-
-| Component | Purpose | Location |
-|-----------|---------|----------|
-| **Integration Routes** | Webhook endpoints per service | `enterprise/server/routes/integration/` |
-| **Integration Managers** | Business logic per service | `enterprise/integrations/{service}/` |
-| **Token Manager** | Store/retrieve OAuth tokens | `enterprise/server/auth/token_manager.py` |
-| **Callback Processor** | Handle agent → service updates | `enterprise/integrations/{service}/*_callback_processor.py` |
-
-### Integration Authentication
-
-```
-External Service (e.g., GitHub)
-        │
-        ▼
-┌─────────────────────────────────┐
-│ GitHub App Installation         │
-│ - Webhook secret for signature  │
-│ - App private key for API calls │
-└─────────────────────────────────┘
-        │
-        ▼
-┌─────────────────────────────────┐
-│ User Account Linking            │
-│ - Keycloak user ID              │
-│ - GitHub user ID                │
-│ - Stored OAuth tokens           │
-└─────────────────────────────────┘
-        │
-        ▼
-┌─────────────────────────────────┐
-│ Agent Execution                 │
-│ - Uses linked tokens for API    │
-│ - Can push, create PRs, comment │
-└─────────────────────────────────┘
-```

enterprise/enterprise_local/convert_to_env.py

@@ -109,9 +109,6 @@ lines.append(
 lines.append(
     'OPENHANDS_BITBUCKET_SERVICE_CLS=integrations.bitbucket.bitbucket_service.SaaSBitBucketService'
 )
-lines.append(
-    'OPENHANDS_BITBUCKET_DATA_CENTER_SERVICE_CLS=integrations.bitbucket_data_center.bitbucket_dc_service.SaaSBitbucketDCService'
-)
 lines.append(
     'OPENHANDS_CONVERSATION_VALIDATOR_CLS=storage.saas_conversation_validator.SaasConversationValidator'
 )

enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py

@@ -1,65 +0,0 @@
-from pydantic import SecretStr
-from server.auth.token_manager import TokenManager
-
-from openhands.core.logger import openhands_logger as logger
-from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import (
-    BitbucketDCService,
-)
-from openhands.integrations.service_types import ProviderType
-
-
-class SaaSBitbucketDCService(BitbucketDCService):
-    def __init__(
-        self,
-        user_id: str | None = None,
-        external_auth_token: SecretStr | None = None,
-        external_auth_id: str | None = None,
-        token: SecretStr | None = None,
-        external_token_manager: bool = False,
-        base_domain: str | None = None,
-    ):
-        logger.debug(
-            f'SaaSBitbucketDCService created with user_id {user_id}, external_auth_id {external_auth_id}, external_auth_token {'set' if external_auth_token else 'None'}, token {'set' if token else 'None'}, external_token_manager {external_token_manager}'
-        )
-        super().__init__(
-            user_id=user_id,
-            external_auth_token=external_auth_token,
-            external_auth_id=external_auth_id,
-            token=token,
-            external_token_manager=external_token_manager,
-            base_domain=base_domain,
-        )
-
-        self.token_manager = TokenManager(external=external_token_manager)
-        self.refresh = True
-
-    async def get_latest_token(self) -> SecretStr | None:
-        bitbucket_dc_token = None
-        if self.external_auth_token:
-            bitbucket_dc_token = SecretStr(
-                await self.token_manager.get_idp_token(
-                    self.external_auth_token.get_secret_value(),
-                    idp=ProviderType.BITBUCKET_DATA_CENTER,
-                )
-            )
-            logger.debug('Got Bitbucket DC token via external_auth_token')
-        elif self.external_auth_id:
-            offline_token = await self.token_manager.load_offline_token(
-                self.external_auth_id
-            )
-            bitbucket_dc_token = SecretStr(
-                await self.token_manager.get_idp_token_from_offline_token(
-                    offline_token, ProviderType.BITBUCKET_DATA_CENTER
-                )
-            )
-            logger.debug('Got Bitbucket DC token via external_auth_id')
-        elif self.user_id:
-            bitbucket_dc_token = SecretStr(
-                await self.token_manager.get_idp_token_from_idp_user_id(
-                    self.user_id, ProviderType.BITBUCKET_DATA_CENTER
-                )
-            )
-            logger.debug('Got Bitbucket DC token via user_id')
-        else:
-            logger.warning('external_auth_token and user_id not set!')
-        return bitbucket_dc_token

enterprise/integrations/github/github_manager.py

@@ -1,5 +1,3 @@
-import os
-from contextlib import nullcontext
 from types import MappingProxyType
 
 from github import Auth, Github, GithubIntegration
@@ -30,7 +28,6 @@ from integrations.utils import (
 )
 from integrations.v1_utils import get_saas_user_auth
 from jinja2 import Environment, FileSystemLoader
-from lmnr import Laminar
 from pydantic import SecretStr
 from server.auth.auth_error import ExpiredError
 from server.auth.constants import GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
@@ -48,36 +45,6 @@ from openhands.server.types import (
 from openhands.storage.data_models.secrets import Secrets
 
 
-def _should_enable_laminar_observability() -> bool:
-    observability_env_vars = (
-        'LMNR_PROJECT_API_KEY',
-        'OTEL_ENDPOINT',
-        'OTEL_EXPORTER_OTLP_TRACES_ENDPOINT',
-        'OTEL_EXPORTER_OTLP_ENDPOINT',
-    )
-    return (
-        any(os.getenv(key) for key in observability_env_vars)
-        or Laminar.is_initialized()
-    )
-
-
-def init_laminar_for_external():
-    """Compatibility wrapper for the SDK helper until it is released in openhands-sdk."""
-    try:
-        from openhands.sdk.observability import (
-            init_laminar_for_external as sdk_init_laminar_for_external,
-        )
-    except ImportError:
-        from openhands.sdk.observability import maybe_init_laminar
-
-        maybe_init_laminar()
-        if _should_enable_laminar_observability():
-            return Laminar.get_laminar_span_context()
-        return None
-
-    return sdk_init_laminar_for_external()
-
-
 class GithubManager(Manager[GithubViewType]):
     def __init__(
         self, token_manager: TokenManager, data_collector: GitHubDataCollector
@@ -362,9 +329,6 @@ class GithubManager(Manager[GithubViewType]):
             GithubCallbackProcessor,
         )
 
-        # Initialize Laminar for external caller (webhook) and get parent span context
-        laminar_span_context = init_laminar_for_external()
-
         try:
             msg_info: str = ''
 
@@ -425,37 +389,12 @@ class GithubManager(Manager[GithubViewType]):
                     github_view.user_info.keycloak_user_id, self.token_manager
                 )
 
-                # Try to set up Laminar span before conversation creation
-                # Note: Only catch Laminar setup errors; conversation errors should propagate
-                span_context = nullcontext()
-                if laminar_span_context:
-                    try:
-                        span = Laminar.start_as_current_span(
-                            name='github-resolver',
-                            parent_span_context=laminar_span_context,
-                        )
-                        Laminar.set_trace_metadata(
-                            {
-                                'source': 'github',
-                                'repo': github_view.full_repo_name,
-                                'issue_number': str(github_view.issue_number),
-                                'username': user_info.username,
-                                'conversation_id': github_view.conversation_id,
-                            }
-                        )
-                        span_context = span
-                    except Exception as e:
-                        # Log Laminar setup failure but continue without tracing
-                        logger.warning(f'[Github] Laminar span setup error: {e}')
-
-                # Create conversation (with span if enabled)
-                with span_context:
-                    await github_view.create_new_conversation(
-                        self.jinja_env,
-                        secret_store.provider_tokens,
-                        convo_metadata,
-                        saas_user_auth,
-                    )
+                await github_view.create_new_conversation(
+                    self.jinja_env,
+                    secret_store.provider_tokens,
+                    convo_metadata,
+                    saas_user_auth,
+                )
 
                 conversation_id = github_view.conversation_id
 
@@ -519,10 +458,3 @@ class GithubManager(Manager[GithubViewType]):
             await self.data_collector.save_data(github_view)
         except Exception:
             logger.warning('[Github]: Error saving interaction data', exc_info=True)
-
-        # Flush Laminar traces if enabled (laminar_span_context is None if disabled)
-        if laminar_span_context:
-            try:
-                Laminar.flush()
-            except Exception as e:
-                logger.warning(f'[Github] Error flushing Laminar traces: {e}')

enterprise/integrations/github/github_v1_callback_processor.py

@@ -43,20 +43,15 @@ class GithubV1CallbackProcessor(EventCallbackProcessor):
         event: Event,
     ) -> EventCallbackResult | None:
         """Process events for GitHub V1 integration."""
-        # Only handle ConversationStateUpdateEvent for execution_status
+        # Only handle ConversationStateUpdateEvent
         if not isinstance(event, ConversationStateUpdateEvent):
             return None
 
-        if event.key != 'execution_status':
+        # Only act when execution has finished
+        if not (event.key == 'execution_status' and event.value == 'finished'):
             return None
 
-        # Log ALL terminal states for monitoring (finished, error, stuck)
         _logger.info('[GitHub V1] Callback agent state was %s', event)
-
-        # Only request summary when execution has finished successfully
-        if event.value != 'finished':
-            return None
-
         _logger.info(
             '[GitHub V1] Should request summary: %s', self.should_request_summary
         )

enterprise/integrations/github/github_view.py

@@ -10,7 +10,6 @@ from integrations.github.github_types import (
 )
 from integrations.models import Message
 from integrations.resolver_context import ResolverUserContext
-from integrations.resolver_org_router import resolve_org_for_repo
 from integrations.types import ResolverViewInterface, UserData
 from integrations.utils import (
     ENABLE_PROACTIVE_CONVERSATION_STARTERS,
@@ -27,7 +26,6 @@ from server.auth.token_manager import TokenManager
 from server.config import get_config
 from storage.org_store import OrgStore
 from storage.proactive_conversation_store import ProactiveConversationStore
-from storage.saas_conversation_store import SaasConversationStore
 from storage.saas_secrets_store import SaasSecretsStore
 
 from openhands.agent_server.models import SendMessageRequest
@@ -43,14 +41,16 @@ from openhands.integrations.github.github_service import GithubServiceImpl
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderType
 from openhands.integrations.service_types import Comment
 from openhands.sdk import TextContent
-from openhands.server.services.conversation_service import start_conversation
+from openhands.server.services.conversation_service import (
+    initialize_conversation,
+    start_conversation,
+)
 from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import (
     ConversationMetadata,
     ConversationTrigger,
 )
 from openhands.utils.async_utils import call_sync_from_async
-from openhands.utils.conversation_summary import get_default_conversation_title
 
 OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)
 
@@ -154,17 +154,12 @@ class GithubIssue(ResolverViewInterface):
         return user_secrets.custom_secrets if user_secrets else None
 
     async def initialize_new_conversation(self) -> ConversationMetadata:
+        # FIXME: Handle if initialize_conversation returns None
+
         self.v1_enabled = await is_v1_enabled_for_github_resolver(
             self.user_info.keycloak_user_id
         )
 
-        # Resolve target org based on claimed git organizations
-        self.resolved_org_id = await resolve_org_for_repo(
-            provider='github',
-            full_repo_name=self.full_repo_name,
-            keycloak_user_id=self.user_info.keycloak_user_id,
-        )
-
         logger.info(
             f'[GitHub V1]: User flag found for {self.user_info.keycloak_user_id} is {self.v1_enabled}'
         )
@@ -178,28 +173,16 @@ class GithubIssue(ResolverViewInterface):
                 selected_repository=self.full_repo_name,
             )
 
-        # Create the conversation store with resolver org routing
-        # (bypasses initialize_conversation to avoid threading enterprise-only
-        # resolver_org_id through the generic OSS interface)
-        store = await SaasConversationStore.get_resolver_instance(
-            get_config(),
-            self.user_info.keycloak_user_id,
-            self.resolved_org_id,
-        )
-
-        conversation_id = uuid4().hex
-        conversation_metadata = ConversationMetadata(
-            trigger=ConversationTrigger.RESOLVER,
-            conversation_id=conversation_id,
-            title=get_default_conversation_title(conversation_id),
+        conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
             user_id=self.user_info.keycloak_user_id,
+            conversation_id=None,
             selected_repository=self.full_repo_name,
             selected_branch=self._get_branch_name(),
+            conversation_trigger=ConversationTrigger.RESOLVER,
             git_provider=ProviderType.GITHUB,
         )
-        await store.save_metadata(conversation_metadata)
 
-        self.conversation_id = conversation_id
+        self.conversation_id = conversation_metadata.conversation_id
         return conversation_metadata
 
     async def create_new_conversation(
@@ -311,10 +294,7 @@ class GithubIssue(ResolverViewInterface):
         )
 
         # Set up the GitHub user context for the V1 system
-        github_user_context = ResolverUserContext(
-            saas_user_auth=saas_user_auth,
-            resolver_org_id=self.resolved_org_id,
-        )
+        github_user_context = ResolverUserContext(saas_user_auth=saas_user_auth)
         setattr(injector_state, USER_CONTEXT_ATTR, github_user_context)
 
         async with get_app_conversation_service(
@@ -342,7 +322,7 @@ class GithubIssue(ResolverViewInterface):
                 'full_repo_name': self.full_repo_name,
                 'installation_id': self.installation_id,
             },
-            should_request_summary=self.send_summary_instruction,
+            send_summary_instruction=self.send_summary_instruction,
         )
 
 
@@ -496,7 +476,7 @@ class GithubInlinePRComment(GithubPRComment):
                 'comment_id': self.comment_id,
             },
             inline_pr_comment=True,
-            should_request_summary=self.send_summary_instruction,
+            send_summary_instruction=self.send_summary_instruction,
         )
 
 

enterprise/integrations/gitlab/gitlab_v1_callback_processor.py

@@ -41,20 +41,15 @@ class GitlabV1CallbackProcessor(EventCallbackProcessor):
         event: Event,
     ) -> EventCallbackResult | None:
         """Process events for GitLab V1 integration."""
-        # Only handle ConversationStateUpdateEvent for execution_status
+        # Only handle ConversationStateUpdateEvent
         if not isinstance(event, ConversationStateUpdateEvent):
             return None
 
-        if event.key != 'execution_status':
+        # Only act when execution has finished
+        if not (event.key == 'execution_status' and event.value == 'finished'):
             return None
 
-        # Log ALL terminal states for monitoring (finished, error, stuck)
         _logger.info('[GitLab V1] Callback agent state was %s', event)
-
-        # Only request summary when execution has finished successfully
-        if event.value != 'finished':
-            return None
-
         _logger.info(
             '[GitLab V1] Should request summary: %s', self.should_request_summary
         )

enterprise/integrations/gitlab/gitlab_view.py

@@ -3,7 +3,6 @@ from uuid import UUID, uuid4
 
 from integrations.models import Message
 from integrations.resolver_context import ResolverUserContext
-from integrations.resolver_org_router import resolve_org_for_repo
 from integrations.types import ResolverViewInterface, UserData
 from integrations.utils import (
     ENABLE_V1_GITLAB_RESOLVER,
@@ -15,7 +14,6 @@ from integrations.utils import (
 from jinja2 import Environment
 from server.auth.token_manager import TokenManager
 from server.config import get_config
-from storage.saas_conversation_store import SaasConversationStore
 from storage.saas_secrets_store import SaasSecretsStore
 
 from openhands.agent_server.models import SendMessageRequest
@@ -31,13 +29,15 @@ from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderType
 from openhands.integrations.service_types import Comment
 from openhands.sdk import TextContent
-from openhands.server.services.conversation_service import start_conversation
+from openhands.server.services.conversation_service import (
+    initialize_conversation,
+    start_conversation,
+)
 from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import (
     ConversationMetadata,
     ConversationTrigger,
 )
-from openhands.utils.conversation_summary import get_default_conversation_title
 
 OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)
 CONFIDENTIAL_NOTE = 'confidential_note'
@@ -118,14 +118,6 @@ class GitlabIssue(ResolverViewInterface):
     async def initialize_new_conversation(self) -> ConversationMetadata:
         # v1_enabled is already set at construction time in the factory method
         # This is the source of truth for the conversation type
-
-        # Resolve target org based on claimed git organizations
-        self.resolved_org_id = await resolve_org_for_repo(
-            provider='gitlab',
-            full_repo_name=self.full_repo_name,
-            keycloak_user_id=self.user_info.keycloak_user_id,
-        )
-
         if self.v1_enabled:
             # Create dummy conversation metadata
             # Don't save to conversation store
@@ -136,28 +128,16 @@ class GitlabIssue(ResolverViewInterface):
                 selected_repository=self.full_repo_name,
             )
 
-        # Create the conversation store with resolver org routing
-        # (bypasses initialize_conversation to avoid threading enterprise-only
-        # resolver_org_id through the generic OSS interface)
-        store = await SaasConversationStore.get_resolver_instance(
-            get_config(),
-            self.user_info.keycloak_user_id,
-            self.resolved_org_id,
-        )
-
-        conversation_id = uuid4().hex
-        conversation_metadata = ConversationMetadata(
-            trigger=ConversationTrigger.RESOLVER,
-            conversation_id=conversation_id,
-            title=get_default_conversation_title(conversation_id),
+        conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
             user_id=self.user_info.keycloak_user_id,
+            conversation_id=None,
             selected_repository=self.full_repo_name,
             selected_branch=self._get_branch_name(),
+            conversation_trigger=ConversationTrigger.RESOLVER,
             git_provider=ProviderType.GITLAB,
         )
-        await store.save_metadata(conversation_metadata)
 
-        self.conversation_id = conversation_id
+        self.conversation_id = conversation_metadata.conversation_id
         return conversation_metadata
 
     async def create_new_conversation(
@@ -248,10 +228,7 @@ class GitlabIssue(ResolverViewInterface):
         )
 
         # Set up the GitLab user context for the V1 system
-        gitlab_user_context = ResolverUserContext(
-            saas_user_auth=saas_user_auth,
-            resolver_org_id=self.resolved_org_id,
-        )
+        gitlab_user_context = ResolverUserContext(saas_user_auth=saas_user_auth)
         setattr(injector_state, USER_CONTEXT_ATTR, gitlab_user_context)
 
         async with get_app_conversation_service(
@@ -283,7 +260,7 @@ class GitlabIssue(ResolverViewInterface):
                 'is_mr': self.is_mr,
                 'discussion_id': getattr(self, 'discussion_id', None),
             },
-            should_request_summary=self.send_summary_instruction,
+            send_summary_instruction=self.send_summary_instruction,
         )
 
 

enterprise/integrations/jira/jira_manager.py

@@ -24,20 +24,20 @@ from integrations.jira.jira_types import (
     RepositoryNotFoundError,
     StartingConvoException,
 )
-from integrations.jira.jira_view import JiraFactory
+from integrations.jira.jira_view import JiraFactory, JiraNewConversationView
 from integrations.manager import Manager
 from integrations.models import Message
 from integrations.utils import (
     HOST,
     HOST_URL,
     OPENHANDS_RESOLVER_TEMPLATES_DIR,
-    format_jira_comment_body,
     get_oh_labels,
     get_session_expired_message,
 )
 from jinja2 import Environment, FileSystemLoader
 from server.auth.saas_user_auth import get_user_auth_from_keycloak_id
 from server.auth.token_manager import TokenManager
+from server.utils.conversation_callback_utils import register_callback_processor
 from storage.jira_integration_store import JiraIntegrationStore
 from storage.jira_user import JiraUser
 from storage.jira_workspace import JiraWorkspace
@@ -259,6 +259,11 @@ class JiraManager(Manager[JiraViewInterface]):
 
     async def start_job(self, view: JiraViewInterface) -> None:
         """Start a Jira job/conversation."""
+        # Import here to prevent circular import
+        from server.conversation_callback_processor.jira_callback_processor import (
+            JiraCallbackProcessor,
+        )
+
         try:
             logger.info(
                 '[Jira] Starting job',
@@ -280,7 +285,19 @@ class JiraManager(Manager[JiraViewInterface]):
                 },
             )
 
-            # Create success message
+            # Register callback processor for updates
+            if isinstance(view, JiraNewConversationView):
+                processor = JiraCallbackProcessor(
+                    issue_key=view.payload.issue_key,
+                    workspace_name=view.jira_workspace.name,
+                )
+                register_callback_processor(conversation_id, processor)
+                logger.info(
+                    '[Jira] Callback processor registered',
+                    extra={'conversation_id': conversation_id},
+                )
+
+            # Send success response
             msg_info = view.get_response_msg()
 
         except MissingSettingsError as e:
@@ -342,7 +359,7 @@ class JiraManager(Manager[JiraViewInterface]):
         url = (
             f'{JIRA_CLOUD_API_URL}/{jira_cloud_id}/rest/api/2/issue/{issue_key}/comment'
         )
-        data = format_jira_comment_body(message)
+        data = {'body': message}
         async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
             response = await client.post(
                 url, auth=(svc_acc_email, svc_acc_api_key), json=data

enterprise/integrations/jira/jira_payload.py

@@ -136,10 +136,11 @@ class JiraPayloadParser:
         items = changelog.get('items', [])
 
         # Extract labels that were added
-        labels = set()
-        for item in items:
-            if item.get('field') == 'labels' and item.get('toString'):
-                labels.update(item['toString'].split())
+        labels = [
+            item.get('toString', '')
+            for item in items
+            if item.get('field') == 'labels' and 'toString' in item
+        ]
 
         if self.oh_label not in labels:
             return JiraPayloadSkipped(

enterprise/integrations/jira/jira_v1_callback_processor.py

@@ -1,238 +0,0 @@
-import logging
-from uuid import UUID
-
-import httpx
-from integrations.utils import format_jira_comment_body, get_summary_instruction
-from pydantic import Field
-
-from openhands.agent_server.models import AskAgentRequest, AskAgentResponse
-from openhands.app_server.event_callback.event_callback_models import (
-    EventCallback,
-    EventCallbackProcessor,
-)
-from openhands.app_server.event_callback.event_callback_result_models import (
-    EventCallbackResult,
-    EventCallbackResultStatus,
-)
-from openhands.app_server.event_callback.util import (
-    ensure_conversation_found,
-    ensure_running_sandbox,
-    get_agent_server_url_from_sandbox,
-)
-from openhands.sdk import Event
-from openhands.sdk.event import ConversationStateUpdateEvent
-from openhands.utils.http_session import httpx_verify_option
-
-_logger = logging.getLogger(__name__)
-
-JIRA_CLOUD_API_URL = 'https://api.atlassian.com/ex/jira'
-
-
-class JiraV1CallbackProcessor(EventCallbackProcessor):
-    """Callback processor for Jira V1 integrations."""
-
-    should_request_summary: bool = Field(default=True)
-    svc_acc_email: str
-    decrypted_api_key: str
-    issue_key: str
-    jira_cloud_id: str
-
-    async def __call__(
-        self,
-        conversation_id: UUID,
-        callback: EventCallback,
-        event: Event,
-    ) -> EventCallbackResult | None:
-        """Process events for Jira V1 integration."""
-        # Only handle ConversationStateUpdateEvent for execution_status
-        if not isinstance(event, ConversationStateUpdateEvent):
-            return None
-
-        if event.key != 'execution_status':
-            return None
-
-        _logger.info('[Jira] Callback agent state was %s', event)
-
-        # Only request summary when execution has finished successfully
-        if event.value != 'finished':
-            return None
-
-        _logger.info('[Jira] Should request summary: %s', self.should_request_summary)
-
-        if not self.should_request_summary:
-            return None
-
-        self.should_request_summary = False
-
-        try:
-            _logger.info(f'[Jira] Requesting summary {conversation_id}')
-            summary = await self._request_summary(conversation_id)
-            _logger.info(
-                f'[Jira] Posting summary {conversation_id}',
-                extra={'summary': summary},
-            )
-            await self._post_summary_to_jira(summary)
-
-            return EventCallbackResult(
-                status=EventCallbackResultStatus.SUCCESS,
-                event_callback_id=callback.id,
-                event_id=event.id,
-                conversation_id=conversation_id,
-                detail=summary,
-            )
-        except Exception as e:
-            _logger.exception(f'[Jira] Failed to post summary: {e}', stack_info=True)
-            return EventCallbackResult(
-                status=EventCallbackResultStatus.ERROR,
-                event_callback_id=callback.id,
-                event_id=event.id,
-                conversation_id=conversation_id,
-                detail=str(e),
-            )
-
-    async def _request_summary(self, conversation_id: UUID) -> str:
-        """Ask the agent to produce a summary of its work and return the agent response."""
-        # Import services within the method to avoid circular imports
-        from openhands.app_server.config import (
-            get_app_conversation_info_service,
-            get_httpx_client,
-            get_sandbox_service,
-        )
-        from openhands.app_server.services.injector import InjectorState
-        from openhands.app_server.user.specifiy_user_context import (
-            ADMIN,
-            USER_CONTEXT_ATTR,
-        )
-
-        # Create injector state for dependency injection
-        state = InjectorState()
-        setattr(state, USER_CONTEXT_ATTR, ADMIN)
-
-        async with (
-            get_app_conversation_info_service(state) as app_conversation_info_service,
-            get_sandbox_service(state) as sandbox_service,
-            get_httpx_client(state) as httpx_client,
-        ):
-            # 1. Conversation lookup
-            app_conversation_info = ensure_conversation_found(
-                await app_conversation_info_service.get_app_conversation_info(
-                    conversation_id
-                ),
-                conversation_id,
-            )
-
-            # 2. Sandbox lookup + validation
-            sandbox = ensure_running_sandbox(
-                await sandbox_service.get_sandbox(app_conversation_info.sandbox_id),
-                app_conversation_info.sandbox_id,
-            )
-
-            assert (
-                sandbox.session_api_key is not None
-            ), f'No session API key for sandbox: {sandbox.id}'
-
-            # 3. URL + instruction
-            agent_server_url = get_agent_server_url_from_sandbox(sandbox)
-
-            # Prepare message based on agent state
-            message_content = get_summary_instruction()
-
-            # Ask the agent and return the response text
-            return await self._ask_question(
-                httpx_client=httpx_client,
-                agent_server_url=agent_server_url,
-                conversation_id=conversation_id,
-                session_api_key=sandbox.session_api_key,
-                message_content=message_content,
-            )
-
-    async def _ask_question(
-        self,
-        httpx_client: httpx.AsyncClient,
-        agent_server_url: str,
-        conversation_id: UUID,
-        session_api_key: str,
-        message_content: str,
-    ) -> str:
-        """Send a message to the agent server via the V1 API and return response text."""
-        send_message_request = AskAgentRequest(question=message_content)
-
-        url = (
-            f"{agent_server_url.rstrip('/')}"
-            f"/api/conversations/{conversation_id}/ask_agent"
-        )
-        headers = {'X-Session-API-Key': session_api_key}
-        payload = send_message_request.model_dump()
-
-        try:
-            response = await httpx_client.post(
-                url,
-                json=payload,
-                headers=headers,
-                timeout=30.0,
-            )
-            response.raise_for_status()
-
-            agent_response = AskAgentResponse.model_validate(response.json())
-            return agent_response.response
-
-        except httpx.HTTPStatusError as e:
-            error_detail = f'HTTP {e.response.status_code} error'
-            try:
-                error_body = e.response.text
-                if error_body:
-                    error_detail += f': {error_body}'
-            except Exception:
-                pass
-
-            _logger.exception(
-                '[Jira] HTTP error sending message to %s: %s. '
-                'Request payload: %s. Response headers: %s',
-                url,
-                error_detail,
-                payload,
-                dict(e.response.headers),
-                stack_info=True,
-            )
-            raise Exception(f'Failed to send message to agent server: {error_detail}')
-
-        except httpx.TimeoutException:
-            error_detail = f'Request timeout after 30 seconds to {url}'
-            _logger.exception(
-                '[Jira] Timeout error: %s. Request payload: %s',
-                error_detail,
-                payload,
-                stack_info=True,
-            )
-            raise Exception(f'Failed to send message to agent server: {error_detail}')
-
-    async def _post_summary_to_jira(self, summary: str):
-        """Post the summary back to the Jira issue."""
-        if not all(
-            [
-                self.svc_acc_email,
-                self.decrypted_api_key,
-                self.issue_key,
-                self.jira_cloud_id,
-            ]
-        ):
-            _logger.warning('[Jira] Missing required data for posting summary')
-            return
-
-        # Add a comment to the Jira issue with the summary
-        comment_url = (
-            f'{JIRA_CLOUD_API_URL}/{self.jira_cloud_id}'
-            f'/rest/api/2/issue/{self.issue_key}/comment'
-        )
-
-        message = f'OpenHands resolved this issue:\n\n{summary}'
-        comment_body = format_jira_comment_body(message)
-
-        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
-            response = await client.post(
-                comment_url,
-                auth=(self.svc_acc_email, self.decrypted_api_key),
-                json=comment_body,
-            )
-            response.raise_for_status()
-            _logger.info(f'[Jira] Posted summary to {self.issue_key}')

enterprise/integrations/jira/jira_view.py

@@ -7,7 +7,6 @@ Views are responsible for:
 """
 
 from dataclasses import dataclass, field
-from uuid import UUID, uuid4
 
 import httpx
 from integrations.jira.jira_payload import JiraWebhookPayload
@@ -16,37 +15,18 @@ from integrations.jira.jira_types import (
     RepositoryNotFoundError,
     StartingConvoException,
 )
-from integrations.jira.jira_v1_callback_processor import (
-    JiraV1CallbackProcessor,
-)
-from integrations.resolver_context import ResolverUserContext
-from integrations.resolver_org_router import resolve_org_for_repo
-from integrations.utils import (
-    CONVERSATION_URL,
-    infer_repo_from_message,
-)
+from integrations.utils import CONVERSATION_URL, infer_repo_from_message
 from jinja2 import Environment
 from storage.jira_conversation import JiraConversation
 from storage.jira_integration_store import JiraIntegrationStore
 from storage.jira_user import JiraUser
 from storage.jira_workspace import JiraWorkspace
 
-from openhands.agent_server.models import SendMessageRequest
-from openhands.app_server.app_conversation.app_conversation_models import (
-    AppConversationStartRequest,
-    AppConversationStartTaskStatus,
-)
-from openhands.app_server.config import get_app_conversation_service
-from openhands.app_server.services.injector import InjectorState
-from openhands.app_server.user.specifiy_user_context import USER_CONTEXT_ATTR
 from openhands.core.logger import openhands_logger as logger
-from openhands.integrations.provider import ProviderHandler, ProviderType
-from openhands.sdk import TextContent
+from openhands.integrations.provider import ProviderHandler
+from openhands.server.services.conversation_service import create_new_conversation
 from openhands.server.user_auth.user_auth import UserAuth
-from openhands.storage.data_models.conversation_metadata import (
-    ConversationMetadata,
-    ConversationTrigger,
-)
+from openhands.storage.data_models.conversation_metadata import ConversationTrigger
 from openhands.utils.http_session import httpx_verify_option
 
 JIRA_CLOUD_API_URL = 'https://api.atlassian.com/ex/jira'
@@ -66,7 +46,7 @@ class JiraNewConversationView(JiraViewInterface):
     saas_user_auth: UserAuth
     jira_user: JiraUser
     jira_workspace: JiraWorkspace
-    selected_repo: str = ''
+    selected_repo: str | None = None
     conversation_id: str = ''
 
     # Lazy-loaded issue details (cached after first fetch)
@@ -76,9 +56,6 @@ class JiraNewConversationView(JiraViewInterface):
     # Decrypted API key (set by factory)
     _decrypted_api_key: str = field(default='', repr=False)
 
-    # Resolved org ID for V1 conversations
-    resolved_org_id: UUID | None = None
-
     async def get_issue_details(self) -> tuple[str, str]:
         """Fetch issue details from Jira API (cached after first call).
 
@@ -184,131 +161,56 @@ class JiraNewConversationView(JiraViewInterface):
         if not self.selected_repo:
             raise StartingConvoException('No repository selected for this conversation')
 
-        jira_conversation = JiraConversation(
-            conversation_id=self.conversation_id,
-            issue_id=self.payload.issue_id,
-            issue_key=self.payload.issue_key,
-            jira_user_id=self.jira_user.id,
-        )
-        await integration_store.create_conversation(jira_conversation)
-
-        conversation_metadata = await self._create_v1_metadata()
-        await self._create_v1_conversation(jinja_env, conversation_metadata)
-        return self.conversation_id
-
-    async def _create_v1_metadata(self) -> ConversationMetadata:
-        """Create conversation metadata for V1 conversations.
-
-        The JiraConversation mapping is saved to the integration store (above), but
-        V1 conversation metadata is managed by the app conversation system, not
-        the legacy conversation store.
-        """
-        logger.info('[Jira]: Creating V1 metadata')
-
-        # Generate a dummy conversation for V1 (not saved to store)
-        self.conversation_id = uuid4().hex
-        self.resolved_org_id = await self._get_resolved_org_id()
-
-        return ConversationMetadata(
-            conversation_id=self.conversation_id,
-            selected_repository=self.selected_repo,
-        )
-
-    async def _create_v1_conversation(
-        self,
-        jinja_env: Environment,
-        conversation_metadata: ConversationMetadata,
-    ):
-        """Create conversation using the new V1 app conversation system."""
-        logger.info('[Jira]: Creating V1 conversation')
-
-        initial_user_text = await self._get_v1_initial_user_message(jinja_env)
-
-        # Create the initial message request
-        initial_message = SendMessageRequest(
-            role='user', content=[TextContent(text=initial_user_text)]
-        )
-
-        # Create the Jira V1 callback processor
-        jira_callback_processor = self._create_jira_v1_callback_processor()
-
-        injector_state = InjectorState()
-
-        # Create the V1 conversation start request
-        start_request = AppConversationStartRequest(
-            conversation_id=UUID(conversation_metadata.conversation_id),
-            system_message_suffix=None,
-            initial_message=initial_message,
-            selected_repository=self.selected_repo,
-            selected_branch=None,
-            git_provider=ProviderType.GITHUB,
-            title=f'Jira Issue {self.payload.issue_key}: {self._issue_title or "Unknown"}',
-            trigger=ConversationTrigger.JIRA,
-            processors=[jira_callback_processor],
-        )
-
-        # Set up the Jira user context for the V1 system
-        jira_user_context = ResolverUserContext(
-            saas_user_auth=self.saas_user_auth,
-            resolver_org_id=self.resolved_org_id,
-        )
-        setattr(injector_state, USER_CONTEXT_ATTR, jira_user_context)
-
-        async with get_app_conversation_service(
-            injector_state
-        ) as app_conversation_service:
-            async for task in app_conversation_service.start_app_conversation(
-                start_request
-            ):
-                if task.status == AppConversationStartTaskStatus.ERROR:
-                    logger.error(f'Failed to start V1 conversation: {task.detail}')
-                    raise RuntimeError(
-                        f'Failed to start V1 conversation: {task.detail}'
-                    )
-
-    async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str:
-        """Build the initial user message for V1 resolver conversations."""
-        issue_title, issue_description = await self.get_issue_details()
-
-        user_msg_template = jinja_env.get_template('jira_new_conversation.j2')
-        user_msg = user_msg_template.render(
-            issue_key=self.payload.issue_key,
-            issue_title=issue_title,
-            issue_description=issue_description,
-            user_message=self.payload.user_msg,
-        )
-
-        return user_msg
-
-    def _create_jira_v1_callback_processor(self):
-        """Create a V1 callback processor for Jira integration."""
-        return JiraV1CallbackProcessor(
-            svc_acc_email=self.jira_workspace.svc_acc_email,
-            decrypted_api_key=self._decrypted_api_key,
-            issue_key=self.payload.issue_key,
-            jira_cloud_id=self.jira_workspace.jira_cloud_id,
-        )
-
-    async def _get_resolved_org_id(self) -> UUID | None:
-        """Resolve the org ID for V1 conversations."""
         provider_tokens = await self.saas_user_auth.get_provider_tokens()
-        if not provider_tokens:
-            return None
+        user_secrets = await self.saas_user_auth.get_secrets()
+        instructions, user_msg = await self._get_instructions(jinja_env)
 
         try:
-            provider_handler = ProviderHandler(provider_tokens)
-            repository = await provider_handler.verify_repo_provider(self.selected_repo)
-            resolved_org_id = await resolve_org_for_repo(
-                provider=repository.git_provider.value,
-                full_repo_name=self.selected_repo,
-                keycloak_user_id=self.jira_user.keycloak_user_id,
+            agent_loop_info = await create_new_conversation(
+                user_id=self.jira_user.keycloak_user_id,
+                git_provider_tokens=provider_tokens,
+                selected_repository=self.selected_repo,
+                selected_branch=None,
+                initial_user_msg=user_msg,
+                conversation_instructions=instructions,
+                image_urls=None,
+                replay_json=None,
+                conversation_trigger=ConversationTrigger.JIRA,
+                custom_secrets=user_secrets.custom_secrets if user_secrets else None,
             )
-            return resolved_org_id
+
+            self.conversation_id = agent_loop_info.conversation_id
+
+            logger.info(
+                '[Jira] Created conversation',
+                extra={
+                    'conversation_id': self.conversation_id,
+                    'issue_key': self.payload.issue_key,
+                    'selected_repo': self.selected_repo,
+                },
+            )
+
+            # Store Jira conversation mapping
+            jira_conversation = JiraConversation(
+                conversation_id=self.conversation_id,
+                issue_id=self.payload.issue_id,
+                issue_key=self.payload.issue_key,
+                jira_user_id=self.jira_user.id,
+            )
+
+            await integration_store.create_conversation(jira_conversation)
+
+            return self.conversation_id
+
         except Exception as e:
-            logger.warning(
-                f'[Jira] Failed to resolve org for {self.selected_repo}: {e}'
+            if isinstance(e, StartingConvoException):
+                raise
+            logger.error(
+                '[Jira] Failed to create conversation',
+                extra={'issue_key': self.payload.issue_key, 'error': str(e)},
+                exc_info=True,
             )
-            return None
+            raise StartingConvoException(f'Failed to create conversation: {str(e)}')
 
     def get_response_msg(self) -> str:
         """Get the response message to send back to Jira."""

enterprise/integrations/jira_dc/jira_dc_manager.py

@@ -20,7 +20,6 @@ from integrations.utils import (
     OPENHANDS_RESOLVER_TEMPLATES_DIR,
     filter_potential_repos_by_user_msg,
     get_session_expired_message,
-    markdown_to_jira_markup,
 )
 from jinja2 import Environment, FileSystemLoader
 from server.auth.saas_user_auth import get_user_auth_from_keycloak_id
@@ -469,8 +468,7 @@ class JiraDcManager(Manager[JiraDcViewInterface]):
         """
         url = f'{base_api_url}/rest/api/2/issue/{issue_key}/comment'
         headers = {'Authorization': f'Bearer {svc_acc_api_key}'}
-        # Convert standard Markdown to Jira Wiki Markup for proper rendering
-        data = {'body': markdown_to_jira_markup(message)}
+        data = {'body': message}
         async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
             response = await client.post(url, headers=headers, json=data)
             response.raise_for_status()

enterprise/integrations/linear/linear_view.py

@@ -1,34 +1,25 @@
 from dataclasses import dataclass
-from uuid import uuid4
 
 from integrations.linear.linear_types import LinearViewInterface, StartingConvoException
 from integrations.models import JobContext
-from integrations.resolver_org_router import resolve_org_for_repo
 from integrations.utils import CONVERSATION_URL, get_final_agent_observation
 from jinja2 import Environment
-from server.config import get_config
 from storage.linear_conversation import LinearConversation
 from storage.linear_integration_store import LinearIntegrationStore
 from storage.linear_user import LinearUser
 from storage.linear_workspace import LinearWorkspace
-from storage.saas_conversation_store import SaasConversationStore
 
 from openhands.core.logger import openhands_logger as logger
 from openhands.core.schema.agent import AgentState
 from openhands.events.action import MessageAction
 from openhands.events.serialization.event import event_to_dict
-from openhands.integrations.provider import ProviderHandler
 from openhands.server.services.conversation_service import (
+    create_new_conversation,
     setup_init_conversation_settings,
-    start_conversation,
 )
 from openhands.server.shared import ConversationStoreImpl, config, conversation_manager
 from openhands.server.user_auth.user_auth import UserAuth
-from openhands.storage.data_models.conversation_metadata import (
-    ConversationMetadata,
-    ConversationTrigger,
-)
-from openhands.utils.conversation_summary import get_default_conversation_title
+from openhands.storage.data_models.conversation_metadata import ConversationTrigger
 
 integration_store = LinearIntegrationStore.get_instance()
 
@@ -70,70 +61,20 @@ class LinearNewConversationView(LinearViewInterface):
         instructions, user_msg = await self._get_instructions(jinja_env)
 
         try:
-            user_id = self.linear_user.keycloak_user_id
-
-            # Resolve git provider from repository
-            resolved_git_provider = None
-            if provider_tokens:
-                try:
-                    provider_handler = ProviderHandler(provider_tokens)
-                    repository = await provider_handler.verify_repo_provider(
-                        self.selected_repo
-                    )
-                    resolved_git_provider = repository.git_provider
-                except Exception as e:
-                    logger.warning(
-                        f'[Linear] Failed to resolve git provider for {self.selected_repo}: {e}'
-                    )
-
-            # Resolve target org based on claimed git organizations
-            resolved_org_id = None
-            if resolved_git_provider and self.selected_repo:
-                try:
-                    resolved_org_id = await resolve_org_for_repo(
-                        provider=resolved_git_provider.value,
-                        full_repo_name=self.selected_repo,
-                        keycloak_user_id=user_id,
-                    )
-                except Exception as e:
-                    logger.warning(
-                        f'[Linear] Failed to resolve org for {self.selected_repo}: {e}'
-                    )
-
-            # Create the conversation store with resolver org routing
-            # (bypasses initialize_conversation to avoid threading enterprise-only
-            # resolver_org_id through the generic OSS interface)
-            store = await SaasConversationStore.get_resolver_instance(
-                get_config(),
-                user_id,
-                resolved_org_id,
-            )
-
-            conversation_id = uuid4().hex
-            conversation_metadata = ConversationMetadata(
-                trigger=ConversationTrigger.LINEAR,
-                conversation_id=conversation_id,
-                title=get_default_conversation_title(conversation_id),
-                user_id=user_id,
+            agent_loop_info = await create_new_conversation(
+                user_id=self.linear_user.keycloak_user_id,
+                git_provider_tokens=provider_tokens,
                 selected_repository=self.selected_repo,
                 selected_branch=None,
-                git_provider=resolved_git_provider,
-            )
-            await store.save_metadata(conversation_metadata)
-
-            await start_conversation(
-                user_id=user_id,
-                git_provider_tokens=provider_tokens,
-                custom_secrets=user_secrets.custom_secrets if user_secrets else None,
                 initial_user_msg=user_msg,
+                conversation_instructions=instructions,
                 image_urls=None,
                 replay_json=None,
-                conversation_id=conversation_id,
-                conversation_metadata=conversation_metadata,
-                conversation_instructions=instructions,
+                conversation_trigger=ConversationTrigger.LINEAR,
+                custom_secrets=user_secrets.custom_secrets if user_secrets else None,
             )
 
-            self.conversation_id = conversation_id
+            self.conversation_id = agent_loop_info.conversation_id
 
             logger.info(f'[Linear] Created conversation {self.conversation_id}')
 

enterprise/integrations/resolver_context.py

@@ -1,9 +1,7 @@
-from uuid import UUID
-
 from openhands.app_server.user.user_context import UserContext
 from openhands.app_server.user.user_models import UserInfo
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderHandler
-from openhands.integrations.service_types import ProviderType, UserGitInfo
+from openhands.integrations.service_types import ProviderType
 from openhands.sdk.secret import SecretSource, StaticSecret
 from openhands.server.user_auth.user_auth import UserAuth
 
@@ -14,10 +12,8 @@ class ResolverUserContext(UserContext):
     def __init__(
         self,
         saas_user_auth: UserAuth,
-        resolver_org_id: UUID | None = None,
     ):
         self.saas_user_auth = saas_user_auth
-        self.resolver_org_id = resolver_org_id
         self._provider_handler: ProviderHandler | None = None
 
     async def get_user_id(self) -> str | None:
@@ -64,9 +60,7 @@ class ResolverUserContext(UserContext):
                 return provider_token.token.get_secret_value()
         return None
 
-    async def get_provider_tokens(
-        self, as_env_vars: bool = False
-    ) -> PROVIDER_TOKEN_TYPE | dict[str, str] | None:
+    async def get_provider_tokens(self) -> PROVIDER_TOKEN_TYPE | None:
         return await self.saas_user_auth.get_provider_tokens()
 
     async def get_secrets(self) -> dict[str, SecretSource]:
@@ -85,6 +79,3 @@ class ResolverUserContext(UserContext):
 
     async def get_mcp_api_key(self) -> str | None:
         return await self.saas_user_auth.get_mcp_api_key()
-
-    async def get_user_git_info(self) -> UserGitInfo | None:
-        return await self.saas_user_auth.get_user_git_info()

enterprise/integrations/resolver_org_router.py

@@ -1,68 +0,0 @@
-"""Resolve which OpenHands organization workspace a resolver conversation should be created in.
-
-This module provides a reusable utility for routing resolver conversations
-(GitHub, GitLab, Bitbucket, Slack, etc.) to the correct OpenHands organization
-workspace based on claimed Git organizations.
-"""
-
-from uuid import UUID
-
-from storage.org_git_claim_store import OrgGitClaimStore
-from storage.org_member_store import OrgMemberStore
-
-from openhands.core.logger import openhands_logger as logger
-
-
-async def resolve_org_for_repo(
-    provider: str,
-    full_repo_name: str,
-    keycloak_user_id: str,
-) -> UUID | None:
-    """Determine the OpenHands org_id for a resolver conversation.
-
-    If the repo's git organization is claimed by an OpenHands org AND the user
-    is a member of that org, returns the claiming org's ID. Otherwise returns
-    None (caller should fall back to user.current_org_id / personal workspace).
-
-    Args:
-        provider: Git provider name ("github", "gitlab", "bitbucket")
-        full_repo_name: Full repository name (e.g., "OpenHands/foo")
-        keycloak_user_id: The user's Keycloak UUID string
-
-    Returns:
-        The org_id if the repo's org is claimed and user is a member, else None
-    """
-    git_org = full_repo_name.split('/')[0].lower()
-
-    try:
-        claim = await OrgGitClaimStore.get_claim_by_provider_and_git_org(
-            provider, git_org
-        )
-        if not claim:
-            logger.debug(
-                f'[OrgResolver] No claim found for {provider}/{git_org}',
-            )
-            return None
-
-        member = await OrgMemberStore.get_org_member(
-            claim.org_id, UUID(keycloak_user_id)
-        )
-        if not member:
-            logger.debug(
-                f'[OrgResolver] User {keycloak_user_id} is not a member of org '
-                f'{claim.org_id} (claimed {provider}/{git_org}). '
-                f'Falling back to personal workspace.',
-            )
-            return None
-
-        logger.info(
-            f'[OrgResolver] Routing conversation to org {claim.org_id} '
-            f'for {provider}/{git_org} (user {keycloak_user_id})',
-        )
-        return claim.org_id
-    except Exception as e:
-        logger.error(
-            f'[OrgResolver] Error resolving org for {provider}/{git_org}: {e}',
-            exc_info=True,
-        )
-        return None

enterprise/integrations/slack/slack_errors.py

@@ -1,128 +0,0 @@
-"""Centralized error handling for Slack integration.
-
-This module provides:
-- SlackErrorCode: Unique error codes for traceability
-- SlackError: Exception class for user-facing errors
-- get_user_message(): Function to get user-facing messages for error codes
-"""
-
-import logging
-from enum import Enum
-from typing import Any
-
-from integrations.utils import HOST_URL
-
-logger = logging.getLogger(__name__)
-
-
-class SlackErrorCode(Enum):
-    """Unique error codes for traceability in logs and user messages."""
-
-    SESSION_EXPIRED = 'SLACK_ERR_001'
-    REDIS_STORE_FAILED = 'SLACK_ERR_002'
-    REDIS_RETRIEVE_FAILED = 'SLACK_ERR_003'
-    USER_NOT_AUTHENTICATED = 'SLACK_ERR_004'
-    PROVIDER_TIMEOUT = 'SLACK_ERR_005'
-    PROVIDER_AUTH_FAILED = 'SLACK_ERR_006'
-    LLM_AUTH_FAILED = 'SLACK_ERR_007'
-    MISSING_SETTINGS = 'SLACK_ERR_008'
-    UNEXPECTED_ERROR = 'SLACK_ERR_999'
-
-
-class SlackError(Exception):
-    """Exception for errors that should be communicated to the Slack user.
-
-    This exception is caught by the centralized error handler in SlackManager,
-    which logs the error and sends an appropriate message to the user.
-
-    Usage:
-        raise SlackError(SlackErrorCode.USER_NOT_AUTHENTICATED,
-                        message_kwargs={'login_link': link})
-    """
-
-    def __init__(
-        self,
-        code: SlackErrorCode,
-        message_kwargs: dict[str, Any] | None = None,
-        log_context: dict[str, Any] | None = None,
-    ):
-        """Initialize a SlackError.
-
-        Args:
-            code: The error code identifying the type of error
-            message_kwargs: Kwargs for formatting the user message
-                           (e.g., {'login_link': '...'})
-            log_context: Additional context for structured logging
-        """
-        self.code = code
-        self.message_kwargs = message_kwargs or {}
-        self.log_context = log_context or {}
-        super().__init__(f'{code.value}: {code.name}')
-
-    def get_user_message(self) -> str:
-        """Get the user-facing message for this error."""
-        return get_user_message(self.code, **self.message_kwargs)
-
-
-# Centralized user-facing messages
-_USER_MESSAGES: dict[SlackErrorCode, str] = {
-    SlackErrorCode.SESSION_EXPIRED: (
-        '⏰ Your session has expired. '
-        'Please mention me again with your request to start a new conversation.'
-    ),
-    SlackErrorCode.REDIS_STORE_FAILED: (
-        '⚠️ Something went wrong on our end (ref: {code}). '
-        'Please try again in a few moments.'
-    ),
-    SlackErrorCode.REDIS_RETRIEVE_FAILED: (
-        '⚠️ Something went wrong on our end (ref: {code}). '
-        'Please try again in a few moments.'
-    ),
-    SlackErrorCode.USER_NOT_AUTHENTICATED: (
-        '🔐 Please link your Slack account to OpenHands: '
-        '[Click here to Login]({login_link})'
-    ),
-    SlackErrorCode.PROVIDER_TIMEOUT: (
-        '⏱️ The request timed out while connecting to your git provider. '
-        'Please try again.'
-    ),
-    SlackErrorCode.PROVIDER_AUTH_FAILED: (
-        '🔐 Authentication with your git provider failed. '
-        f'Please re-login at [OpenHands Cloud]({HOST_URL}) and try again.'
-    ),
-    SlackErrorCode.LLM_AUTH_FAILED: (
-        '@{username} please set a valid LLM API key in '
-        f'[OpenHands Cloud]({HOST_URL}) before starting a job.'
-    ),
-    SlackErrorCode.MISSING_SETTINGS: (
-        '{username} please re-login into '
-        f'[OpenHands Cloud]({HOST_URL}) before starting a job.'
-    ),
-    SlackErrorCode.UNEXPECTED_ERROR: (
-        'Uh oh! There was an unexpected error (ref: {code}). Please try again later.'
-    ),
-}
-
-
-def get_user_message(error_code: SlackErrorCode, **kwargs) -> str:
-    """Get a user-facing message for a given error code.
-
-    Args:
-        error_code: The error code to get a message for
-        **kwargs: Additional formatting arguments (e.g., username, login_link)
-
-    Returns:
-        Formatted user-facing message string
-    """
-    msg = _USER_MESSAGES.get(
-        error_code, _USER_MESSAGES[SlackErrorCode.UNEXPECTED_ERROR]
-    )
-    try:
-        return msg.format(code=error_code.value, **kwargs)
-    except KeyError as e:
-        logger.warning(
-            f'Missing format key {e} in error message',
-            extra={'error_code': error_code.value},
-        )
-        # Return a generic error message with the code for debugging
-        return f'An error occurred (ref: {error_code.value}). Please try again later.'

enterprise/integrations/slack/slack_manager.py

@@ -1,9 +1,9 @@
+import re
 from typing import Any
 
 import jwt
 from integrations.manager import Manager
 from integrations.models import Message, SourceType
-from integrations.slack.slack_errors import SlackError, SlackErrorCode
 from integrations.slack.slack_types import (
     SlackMessageView,
     SlackViewInterface,
@@ -13,13 +13,13 @@ from integrations.slack.slack_view import (
     SlackFactory,
     SlackNewConversationFromRepoFormView,
     SlackNewConversationView,
+    SlackUnkownUserView,
     SlackUpdateExistingConversationView,
 )
 from integrations.utils import (
     HOST_URL,
     OPENHANDS_RESOLVER_TEMPLATES_DIR,
     get_session_expired_message,
-    infer_repo_from_message,
 )
 from integrations.v1_utils import get_saas_user_auth
 from jinja2 import Environment, FileSystemLoader
@@ -33,12 +33,8 @@ from storage.slack_user import SlackUser
 
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.provider import ProviderHandler
-from openhands.integrations.service_types import (
-    AuthenticationError,
-    ProviderTimeoutError,
-    Repository,
-)
-from openhands.server.shared import config, server_config, sio
+from openhands.integrations.service_types import Repository
+from openhands.server.shared import config, server_config
 from openhands.server.types import (
     LLMAuthenticationError,
     MissingSettingsError,
@@ -52,12 +48,6 @@ authorize_url_generator = AuthorizeUrlGenerator(
     user_scopes=['search:read'],
 )
 
-# Key prefix for storing user messages in Redis during repo selection flow
-SLACK_USER_MSG_KEY_PREFIX = 'slack_user_msg'
-# Expiration time for stored user messages (5 minutes)
-# Arbitrary timeout based on typical user attention span; may be tuned based on feedback
-SLACK_USER_MSG_EXPIRATION = 300
-
 
 class SlackManager(Manager[SlackViewInterface]):
     def __init__(self, token_manager):
@@ -96,126 +86,18 @@ class SlackManager(Manager[SlackViewInterface]):
 
         return slack_user, saas_user_auth
 
-    async def _store_user_msg_for_form(
-        self, message_ts: str, thread_ts: str | None, user_msg: str
-    ) -> None:
-        """Store user message in Redis for later retrieval when form is submitted.
+    def _infer_repo_from_message(self, user_msg: str) -> str | None:
+        # Regular expression to match patterns like "OpenHands/OpenHands" or "deploy repo"
+        pattern = r'([a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+)|([a-zA-Z0-9_-]+)(?=\s+repo)'
+        match = re.search(pattern, user_msg)
 
-        This is needed because when a user selects a repo from the external_select
-        dropdown, Slack sends a separate interaction payload that doesn't include
-        the original user message.
+        if match:
+            repo = match.group(1) if match.group(1) else match.group(2)
+            return repo
 
-        Args:
-            message_ts: The message timestamp (unique identifier)
-            thread_ts: The thread timestamp (if in a thread)
-            user_msg: The original user message to store
+        return None
 
-        Raises:
-            SlackError: If storage fails (REDIS_STORE_FAILED)
-        """
-        key = f'{SLACK_USER_MSG_KEY_PREFIX}:{message_ts}:{thread_ts}'
-        try:
-            redis = sio.manager.redis
-            await redis.set(key, user_msg, ex=SLACK_USER_MSG_EXPIRATION)
-            logger.info(
-                'slack_stored_user_msg',
-                extra={
-                    'message_ts': message_ts,
-                    'thread_ts': thread_ts,
-                    'key': key,
-                },
-            )
-        except Exception as e:
-            logger.error(
-                'slack_store_user_msg_failed',
-                extra={
-                    'message_ts': message_ts,
-                    'thread_ts': thread_ts,
-                    'key': key,
-                    'error': str(e),
-                },
-            )
-            raise SlackError(
-                SlackErrorCode.REDIS_STORE_FAILED,
-                log_context={'message_ts': message_ts, 'thread_ts': thread_ts},
-            )
-
-    async def _retrieve_user_msg_for_form(
-        self, message_ts: str, thread_ts: str | None
-    ) -> str:
-        """Retrieve stored user message from Redis.
-
-        Args:
-            message_ts: The message timestamp
-            thread_ts: The thread timestamp (if in a thread)
-
-        Returns:
-            The stored user message
-
-        Raises:
-            SlackError: If retrieval fails (REDIS_RETRIEVE_FAILED) or message
-                        not found (SESSION_EXPIRED)
-        """
-        key = f'{SLACK_USER_MSG_KEY_PREFIX}:{message_ts}:{thread_ts}'
-        try:
-            redis = sio.manager.redis
-            user_msg = await redis.get(key)
-            if user_msg:
-                # Redis returns bytes, decode to string
-                if isinstance(user_msg, bytes):
-                    user_msg = user_msg.decode('utf-8')
-                logger.info(
-                    'slack_retrieved_user_msg',
-                    extra={
-                        'message_ts': message_ts,
-                        'thread_ts': thread_ts,
-                        'key': key,
-                    },
-                )
-                return user_msg
-            else:
-                logger.warning(
-                    'slack_user_msg_not_found',
-                    extra={
-                        'message_ts': message_ts,
-                        'thread_ts': thread_ts,
-                        'key': key,
-                    },
-                )
-                raise SlackError(
-                    SlackErrorCode.SESSION_EXPIRED,
-                    log_context={'message_ts': message_ts, 'thread_ts': thread_ts},
-                )
-        except SlackError:
-            raise
-        except Exception as e:
-            logger.error(
-                'slack_retrieve_user_msg_failed',
-                extra={
-                    'message_ts': message_ts,
-                    'thread_ts': thread_ts,
-                    'key': key,
-                    'error': str(e),
-                },
-            )
-            raise SlackError(
-                SlackErrorCode.REDIS_RETRIEVE_FAILED,
-                log_context={'message_ts': message_ts, 'thread_ts': thread_ts},
-            )
-
-    async def _search_repositories(
-        self, user_auth: UserAuth, query: str = '', per_page: int = 100
-    ) -> list[Repository]:
-        """Search repositories for a user with optional query filtering.
-
-        Args:
-            user_auth: The user's authentication context
-            query: Search query to filter repositories (empty string returns all)
-            per_page: Maximum number of results to return
-
-        Returns:
-            List of matching Repository objects
-        """
+    async def _get_repositories(self, user_auth: UserAuth) -> list[Repository]:
         provider_tokens = await user_auth.get_provider_tokens()
         if provider_tokens is None:
             return []
@@ -226,35 +108,31 @@ class SlackManager(Manager[SlackViewInterface]):
             external_auth_token=access_token,
             external_auth_id=user_id,
         )
-        repos: list[Repository] = await client.search_repositories(
-            selected_provider=None,
-            query=query,
-            per_page=per_page,
-            sort='pushed',
-            order='desc',
-            app_mode=server_config.app_mode,
+        repos: list[Repository] = await client.get_repositories(
+            'pushed', server_config.app_mode, None, None, None, None
         )
         return repos
 
     def _generate_repo_selection_form(
-        self, message_ts: str, thread_ts: str | None
-    ) -> list[dict[str, Any]]:
-        """Generate a repo selection form with immediate "No Repository" button and search dropdown.
+        self, repo_list: list[Repository], message_ts: str, thread_ts: str | None
+    ):
+        options = [
+            {
+                'text': {'type': 'plain_text', 'text': 'No Repository'},
+                'value': '-',
+            }
+        ]
+        options.extend(
+            {
+                'text': {
+                    'type': 'plain_text',
+                    'text': repo.full_name,
+                },
+                'value': repo.full_name,
+            }
+            for repo in repo_list
+        )
 
-        This form provides two options side-by-side:
-        1. A "No Repository" button - immediately clickable without any loading
-        2. An external_select dropdown - for searching repositories dynamically
-
-        This design ensures "No Repository" is always immediately available while
-        still providing full dynamic search capability for repositories.
-
-        Args:
-            message_ts: The message timestamp for tracking
-            thread_ts: The thread timestamp if in a thread
-
-        Returns:
-            List of Slack Block Kit blocks for the selection form
-        """
         return [
             {
                 'type': 'header',
@@ -264,295 +142,78 @@ class SlackManager(Manager[SlackViewInterface]):
                     'emoji': True,
                 },
             },
-            {
-                'type': 'section',
-                'text': {
-                    'type': 'mrkdwn',
-                    'text': 'Select a repository or continue without one:',
-                },
-            },
             {
                 'type': 'actions',
                 'elements': [
                     {
-                        'type': 'button',
-                        'action_id': f'no_repository:{message_ts}:{thread_ts}',
-                        'text': {
-                            'type': 'plain_text',
-                            'text': 'No Repository',
-                            'emoji': True,
-                        },
-                        'value': '-',
-                    },
-                    {
-                        'type': 'external_select',
+                        'type': 'static_select',
                         'action_id': f'repository_select:{message_ts}:{thread_ts}',
-                        'placeholder': {
-                            'type': 'plain_text',
-                            'text': 'Search repositories...',
-                        },
-                        'min_query_length': 0,
-                    },
+                        'options': options,
+                    }
                 ],
             },
         ]
 
-    def _build_repo_options(self, repos: list[Repository]) -> list[dict[str, Any]]:
-        """Build Slack options list from repositories.
+    def filter_potential_repos_by_user_msg(
+        self, user_msg: str, user_repos: list[Repository]
+    ) -> tuple[bool, list[Repository]]:
+        inferred_repo = self._infer_repo_from_message(user_msg)
+        if not inferred_repo:
+            return False, user_repos[0:99]
 
-        Returns up to 100 repositories formatted as Slack options
-        (Slack has a 100 option limit for external_select).
+        final_repos = []
+        for repo in user_repos:
+            if inferred_repo.lower() in repo.full_name.lower():
+                final_repos.append(repo)
 
-        Note: "No Repository" is handled by a separate button in the form,
-        so it's not included in the dropdown options.
+        # no repos matched, return original list
+        if len(final_repos) == 0:
+            return False, user_repos[0:99]
 
-        Args:
-            repos: List of Repository objects
+        # Found exact match
+        elif len(final_repos) == 1:
+            return True, final_repos
 
-        Returns:
-            List of Slack option objects
-        """
-        return [
-            {
-                'text': {
-                    'type': 'plain_text',
-                    'text': repo.full_name[:75],  # Slack has 75 char limit for text
-                },
-                'value': repo.full_name,
-            }
-            for repo in repos[:100]
-        ]
-
-    async def search_repos_for_slack(
-        self, user_auth: UserAuth, query: str, per_page: int = 20
-    ) -> list[dict[str, Any]]:
-        """Public API for repository search with formatted Slack options.
-
-        This method searches for repositories and formats the results as Slack
-        external_select options.
-
-        Args:
-            user_auth: The user's authentication context
-            query: Search query to filter repositories (empty string returns all)
-            per_page: Maximum number of results to return (default: 20)
-
-        Returns:
-            List of Slack option objects ready for external_select response
-        """
-        repos = await self._search_repositories(
-            user_auth, query=query, per_page=per_page
-        )
-        return self._build_repo_options(repos)
+        # Found partial matches
+        return False, final_repos[0:99]
 
     async def receive_message(self, message: Message):
-        """Process an incoming Slack message.
-
-        This is the single entry point for all Slack message processing.
-        All SlackErrors raised during processing are caught and handled here,
-        sending appropriate error messages to the user.
-        """
         self._confirm_incoming_source_type(message)
 
-        try:
-            slack_view = await self._process_message(message)
-            if slack_view and await self.is_job_requested(message, slack_view):
-                await self.start_job(slack_view)
-
-        except SlackError as e:
-            await self.handle_slack_error(message.message, e)
-
-        except Exception as e:
-            logger.exception(
-                'slack_unexpected_error',
-                extra={'error': str(e), **message.message},
-            )
-            await self.handle_slack_error(
-                message.message,
-                SlackError(SlackErrorCode.UNEXPECTED_ERROR),
-            )
-
-    def _parse_form_action(self, action: dict) -> tuple[str, str | None, str] | None:
-        """Parse action payload and extract message_ts, thread_ts, and selected value.
-
-        This handles the different payload structures for button clicks vs dropdown
-        selections in the repository selection form.
-
-        Args:
-            action: The action object from the Slack payload
-
-        Returns:
-            Tuple of (message_ts, thread_ts, selected_value) if action is recognized,
-            None if the action_id is unknown.
-        """
-        action_id = action['action_id']
-
-        if action_id.startswith('no_repository:'):
-            # Button click - value is in 'value' field
-            attribs = action_id.split('no_repository:')[-1]
-            selected_value = action.get('value', '-')
-        elif action_id.startswith('repository_select:'):
-            # Dropdown selection - value is in 'selected_option'
-            attribs = action_id.split('repository_select:')[-1]
-            selected_value = action['selected_option']['value']
-        else:
-            return None
-
-        message_ts, thread_ts = attribs.split(':')
-        thread_ts = None if thread_ts == 'None' else thread_ts
-
-        return message_ts, thread_ts, selected_value
-
-    async def receive_form_interaction(self, slack_payload: dict):
-        """Process a Slack form interaction (repository selection or button click).
-
-        This handles the block_actions payload when a user interacts with the
-        repository selection form. It can handle:
-        - "No Repository" button click: proceeds with conversation without a repo
-        - Repository selection from dropdown: proceeds with the selected repo
-
-        Args:
-            slack_payload: The raw Slack interaction payload
-        """
-        # Extract fields from the Slack interaction payload
-        action = slack_payload['actions'][0]
-        slack_user_id = slack_payload['user']['id']
-        channel_id = slack_payload['container']['channel_id']
-        team_id = slack_payload['team']['id']
-
-        # Parse the action to extract message_ts, thread_ts, and selected value
-        parsed = self._parse_form_action(action)
-        if parsed is None:
-            logger.warning(
-                'slack_unknown_action_id',
-                extra={
-                    'action_id': action['action_id'],
-                    'slack_user_id': slack_user_id,
-                },
-            )
-            return
-
-        message_ts, thread_ts, selected_value = parsed
-
-        # Build partial payload for error handling
-        payload = {
-            'team_id': team_id,
-            'channel_id': channel_id,
-            'slack_user_id': slack_user_id,
-            'message_ts': message_ts,
-            'thread_ts': thread_ts,
-        }
-
-        # Convert "-" (No Repository) to None
-        selected_repository = None if selected_value == '-' else selected_value
-
-        # Retrieve the original user message from Redis
-        try:
-            user_msg = await self._retrieve_user_msg_for_form(message_ts, thread_ts)
-        except SlackError as e:
-            await self.handle_slack_error(payload, e)
-            return
-        except Exception as e:
-            logger.exception(
-                'slack_unexpected_error',
-                extra={'error': str(e), **payload},
-            )
-            await self.handle_slack_error(
-                payload, SlackError(SlackErrorCode.UNEXPECTED_ERROR)
-            )
-            return
-
-        # Complete the payload and delegate to receive_message
-        payload['selected_repo'] = selected_repository
-        payload['user_msg'] = user_msg
-
-        message = Message(source=SourceType.SLACK, message=payload)
-        await self.receive_message(message)
-
-    async def _process_message(self, message: Message) -> SlackViewInterface | None:
-        """Process message and return view if authenticated, or raise SlackError.
-
-        Returns:
-            SlackViewInterface if user is authenticated and ready to proceed,
-            None if processing should stop (but no error).
-
-        Raises:
-            SlackError: If user is not authenticated or other recoverable error.
-        """
         slack_user, saas_user_auth = await self.authenticate_user(
             slack_user_id=message.message['slack_user_id']
         )
 
-        slack_view = await SlackFactory.create_slack_view_from_payload(
-            message, slack_user, saas_user_auth
-        )
-
-        # Check if this is an unauthenticated user (SlackMessageView but not SlackViewInterface)
-        if not isinstance(slack_view, SlackViewInterface):
-            login_link = self._generate_login_link_with_state(message)
-            raise SlackError(
-                SlackErrorCode.USER_NOT_AUTHENTICATED,
-                message_kwargs={'login_link': login_link},
-                log_context=slack_view.to_log_context(),
+        try:
+            slack_view = await SlackFactory.create_slack_view_from_payload(
+                message, slack_user, saas_user_auth
             )
-
-        return slack_view
-
-    def _generate_login_link_with_state(self, message: Message) -> str:
-        """Generate OAuth login link with message state encoded."""
-        jwt_secret = config.jwt_secret
-        if not jwt_secret:
-            raise ValueError('Must configure jwt_secret')
-        state = jwt.encode(
-            message.message, jwt_secret.get_secret_value(), algorithm='HS256'
-        )
-        return authorize_url_generator.generate(state)
-
-    async def handle_slack_error(self, payload: dict, error: SlackError) -> None:
-        """Handle a SlackError by logging and sending user message.
-
-        This is the centralized error handler for all SlackErrors, used by both
-        the manager and routes.
-
-        Args:
-            payload: The Slack payload dict containing channel/user info
-            error: The SlackError to handle
-        """
-        # Create a minimal view for sending the error message
-        view = await SlackMessageView.from_payload(
-            payload, self._get_slack_team_store()
-        )
-
-        if not view:
+        except Exception as e:
             logger.error(
-                'slack_error_no_view',
-                extra={
-                    'error_code': error.code.value,
-                    **error.log_context,
-                },
+                f'[Slack]: Failed to create slack view: {e}',
+                exc_info=True,
+                stack_info=True,
             )
             return
 
-        # Log the error
-        log_level = (
-            'exception' if error.code == SlackErrorCode.UNEXPECTED_ERROR else 'warning'
-        )
-        log_data = {
-            'error_code': error.code.value,
-            **view.to_log_context(),
-            **error.log_context,
-        }
-        getattr(logger, log_level)(
-            f'slack_error_{error.code.name.lower()}', extra=log_data
-        )
+        if isinstance(slack_view, SlackUnkownUserView):
+            jwt_secret = config.jwt_secret
+            if not jwt_secret:
+                raise ValueError('Must configure jwt_secret')
+            state = jwt.encode(
+                message.message, jwt_secret.get_secret_value(), algorithm='HS256'
+            )
+            link = authorize_url_generator.generate(state)
+            msg = self.login_link.format(link)
 
-        # Send user-facing message
-        await self.send_message(error.get_user_message(), view, ephemeral=True)
+            logger.info('slack_not_yet_authenticated')
+            await self.send_message(msg, slack_view, ephemeral=True)
+            return
 
-    def _get_slack_team_store(self):
-        """Get the SlackTeamStore instance (lazy import to avoid circular deps)."""
-        from storage.slack_team_store import SlackTeamStore
+        if not await self.is_job_requested(message, slack_view):
+            return
 
-        return SlackTeamStore.get_instance()
+        await self.start_job(slack_view)
 
     async def send_message(
         self,
@@ -593,109 +254,54 @@ class SlackManager(Manager[SlackViewInterface]):
                 thread_ts=slack_view.message_ts,
             )
 
-    async def _try_verify_inferred_repo(
-        self, slack_view: SlackNewConversationView
-    ) -> bool:
-        """Try to infer and verify a repository from the user's message.
-
-        Returns:
-            True if a valid repo was found and verified, False otherwise
-        """
-        user = slack_view.slack_to_openhands_user
-        inferred_repos = infer_repo_from_message(slack_view.user_msg)
-
-        if len(inferred_repos) != 1:
-            return False
-
-        inferred_repo = inferred_repos[0]
-        logger.info(
-            f'[Slack] Verifying inferred repo "{inferred_repo}" '
-            f'for user {user.slack_display_name} (id={slack_view.saas_user_auth.get_user_id()})'
-        )
-
-        try:
-            provider_tokens = await slack_view.saas_user_auth.get_provider_tokens()
-            if not provider_tokens:
-                return False
-
-            access_token = await slack_view.saas_user_auth.get_access_token()
-            user_id = await slack_view.saas_user_auth.get_user_id()
-            provider_handler = ProviderHandler(
-                provider_tokens=provider_tokens,
-                external_auth_token=access_token,
-                external_auth_id=user_id,
-            )
-            repo = await provider_handler.verify_repo_provider(inferred_repo)
-            slack_view.selected_repo = repo.full_name
-            return True
-        except (AuthenticationError, ProviderTimeoutError) as e:
-            logger.info(
-                f'[Slack] Could not verify repo "{inferred_repo}": {e}. '
-                f'Showing repository selector.'
-            )
-            return False
-
-    async def _show_repo_selection_form(
-        self, slack_view: SlackNewConversationView
-    ) -> None:
-        """Display the repository selection form to the user.
-
-        Raises:
-            SlackError: If storing the user message fails (REDIS_STORE_FAILED)
-        """
-        user = slack_view.slack_to_openhands_user
-        logger.info(
-            'render_repository_selector',
-            extra={
-                'slack_user_id': user.slack_user_id,
-                'keycloak_user_id': user.keycloak_user_id,
-                'message_ts': slack_view.message_ts,
-                'thread_ts': slack_view.thread_ts,
-            },
-        )
-
-        # Store the user message for later retrieval - raises SlackError on failure
-        await self._store_user_msg_for_form(
-            slack_view.message_ts, slack_view.thread_ts, slack_view.user_msg
-        )
-
-        repo_selection_msg = {
-            'text': 'Choose a Repository:',
-            'blocks': self._generate_repo_selection_form(
-                slack_view.message_ts, slack_view.thread_ts
-            ),
-        }
-        await self.send_message(repo_selection_msg, slack_view, ephemeral=True)
-
     async def is_job_requested(
         self, message: Message, slack_view: SlackViewInterface
     ) -> bool:
-        """Determine if a job should be started based on the current context.
-
-        This method checks:
-            1. If the view type allows immediate job start
-            2. If a repo can be inferred and verified from the message
-            3. Otherwise shows the repo selection form
-
-        Args:
-            slack_view: Must be a SlackViewType (authenticated view that can start jobs)
-
-        Returns:
-            True if job should start, False if waiting for user input
+        """A job is always request we only receive webhooks for events associated with the slack bot
+        This method really just checks
+            1. Is the user is authenticated
+            2. Do we have the necessary information to start a job (either by inferring the selected repo, otherwise asking the user)
         """
-        # Check if view type allows immediate start
+        # Infer repo from user message is not needed; user selected repo from the form or is updating existing convo
         if isinstance(slack_view, SlackUpdateExistingConversationView):
             return True
-        if isinstance(slack_view, SlackNewConversationFromRepoFormView):
+        elif isinstance(slack_view, SlackNewConversationFromRepoFormView):
             return True
+        elif isinstance(slack_view, SlackNewConversationView):
+            user = slack_view.slack_to_openhands_user
+            user_repos: list[Repository] = await self._get_repositories(
+                slack_view.saas_user_auth
+            )
+            match, repos = self.filter_potential_repos_by_user_msg(
+                slack_view.user_msg, user_repos
+            )
 
-        # For new conversations, try to infer/verify repo or show selection form
-        if isinstance(slack_view, SlackNewConversationView):
-            if await self._try_verify_inferred_repo(slack_view):
+            # User mentioned a matching repo is their message, start job without repo selection form
+            if match:
+                slack_view.selected_repo = repos[0].full_name
                 return True
-            await self._show_repo_selection_form(slack_view)
 
-        return False
+            logger.info(
+                'render_repository_selector',
+                extra={
+                    'slack_user_id': user,
+                    'keycloak_user_id': user.keycloak_user_id,
+                    'message_ts': slack_view.message_ts,
+                    'thread_ts': slack_view.thread_ts,
+                },
+            )
+
+            repo_selection_msg = {
+                'text': 'Choose a Repository:',
+                'blocks': self._generate_repo_selection_form(
+                    repos, slack_view.message_ts, slack_view.thread_ts
+                ),
+            }
+            await self.send_message(repo_selection_msg, slack_view, ephemeral=True)
+
+            return False
+
+        return True
 
     async def start_job(self, slack_view: SlackViewInterface) -> None:
         # Importing here prevents circular import

enterprise/integrations/slack/slack_types.py

@@ -1,5 +1,4 @@
 from abc import ABC, abstractmethod
-from dataclasses import dataclass
 
 from integrations.types import SummaryExtractionTracker
 from jinja2 import Environment
@@ -8,13 +7,12 @@ from storage.slack_user import SlackUser
 from openhands.server.user_auth.user_auth import UserAuth
 
 
-@dataclass
-class SlackMessageView:
-    """Minimal view for sending messages to Slack.
+class SlackMessageView(ABC):
+    """Minimal interface for sending messages to Slack.
 
-    This class contains only the fields needed to send messages,
-    without requiring user authentication. Can be used directly for
-    simple message operations or as a base class for more complex views.
+    This base class contains only the fields needed to send messages,
+    without requiring user authentication. Used by both authenticated
+    and unauthenticated Slack views.
     """
 
     bot_access_token: str
@@ -22,77 +20,6 @@ class SlackMessageView:
     channel_id: str
     message_ts: str
     thread_ts: str | None
-    team_id: str
-
-    def to_log_context(self) -> dict:
-        """Return dict suitable for structured logging."""
-        return {
-            'slack_channel_id': self.channel_id,
-            'slack_user_id': self.slack_user_id,
-            'slack_team_id': self.team_id,
-            'slack_thread_ts': self.thread_ts,
-            'slack_message_ts': self.message_ts,
-        }
-
-    @classmethod
-    async def from_payload(
-        cls,
-        payload: dict,
-        slack_team_store,
-    ) -> 'SlackMessageView | None':
-        """Create a view from a raw Slack payload.
-
-        This factory method handles the various payload formats from different
-        Slack interactions (events, form submissions, block suggestions).
-
-        Args:
-            payload: Raw Slack payload dictionary
-            slack_team_store: Store for retrieving bot tokens
-
-        Returns:
-            SlackMessageView if all required fields are available,
-            None if required fields are missing or bot token unavailable.
-        """
-        from openhands.core.logger import openhands_logger as logger
-
-        team_id = payload.get('team', {}).get('id') or payload.get('team_id')
-        channel_id = (
-            payload.get('container', {}).get('channel_id')
-            or payload.get('channel', {}).get('id')
-            or payload.get('channel_id')
-        )
-        user_id = payload.get('user', {}).get('id') or payload.get('slack_user_id')
-        message_ts = payload.get('message_ts', '')
-        thread_ts = payload.get('thread_ts')
-
-        if not team_id or not channel_id or not user_id:
-            logger.warning(
-                'slack_message_view_from_payload_missing_fields',
-                extra={
-                    'has_team_id': bool(team_id),
-                    'has_channel_id': bool(channel_id),
-                    'has_user_id': bool(user_id),
-                    'payload_keys': list(payload.keys()),
-                },
-            )
-            return None
-
-        bot_token = await slack_team_store.get_team_bot_token(team_id)
-        if not bot_token:
-            logger.warning(
-                'slack_message_view_from_payload_no_bot_token',
-                extra={'team_id': team_id},
-            )
-            return None
-
-        return cls(
-            bot_access_token=bot_token,
-            slack_user_id=user_id,
-            channel_id=channel_id,
-            message_ts=message_ts,
-            thread_ts=thread_ts,
-            team_id=team_id,
-        )
 
 
 class SlackViewInterface(SlackMessageView, SummaryExtractionTracker, ABC):
@@ -100,9 +27,6 @@ class SlackViewInterface(SlackMessageView, SummaryExtractionTracker, ABC):
 
     All fields are required (non-None) because this interface is only used
     for users who have linked their Slack account to OpenHands.
-
-    Inherits from SlackMessageView:
-        bot_access_token, slack_user_id, channel_id, message_ts, thread_ts, team_id
     """
 
     user_msg: str
@@ -112,6 +36,7 @@ class SlackViewInterface(SlackMessageView, SummaryExtractionTracker, ABC):
     should_extract: bool
     send_summary_instruction: bool
     conversation_id: str
+    team_id: str
     v1_enabled: bool
 
     @abstractmethod
@@ -130,4 +55,4 @@ class SlackViewInterface(SlackMessageView, SummaryExtractionTracker, ABC):
 
 
 class StartingConvoException(Exception):
-    """Raised when trying to send message to a conversation that is still starting up."""
+    """Raised when trying to send message to a conversation that's is still starting up"""

enterprise/integrations/slack/slack_v1_callback_processor.py

@@ -40,20 +40,16 @@ class SlackV1CallbackProcessor(EventCallbackProcessor):
         event: Event,
     ) -> EventCallbackResult | None:
         """Process events for Slack V1 integration."""
-        # Only handle ConversationStateUpdateEvent for execution_status
+        # Only handle ConversationStateUpdateEvent
         if not isinstance(event, ConversationStateUpdateEvent):
             return None
 
-        if event.key != 'execution_status':
+        # Only act when execution has finished
+        if not (event.key == 'execution_status' and event.value == 'finished'):
             return None
 
-        # Log ALL terminal states for monitoring (finished, error, stuck)
         _logger.info('[Slack V1] Callback agent state was %s', event)
 
-        # Only request summary when execution has finished successfully
-        if event.value != 'finished':
-            return None
-
         try:
             summary = await self._request_summary(conversation_id)
             await self._post_summary_to_slack(summary)
@@ -111,11 +107,9 @@ class SlackV1CallbackProcessor(EventCallbackProcessor):
 
         try:
             # Post the summary as a threaded reply
-            # Use markdown_text instead of text to properly render standard Markdown
-            # (e.g., **bold**, [link](url)) which is used throughout the codebase
             response = client.chat_postMessage(
                 channel=channel_id,
-                markdown_text=summary,
+                text=summary,
                 thread_ts=thread_ts,
                 unfurl_links=False,
                 unfurl_media=False,

enterprise/integrations/slack/slack_view.py

@@ -4,7 +4,6 @@ from uuid import UUID, uuid4
 
 from integrations.models import Message
 from integrations.resolver_context import ResolverUserContext
-from integrations.resolver_org_router import resolve_org_for_repo
 from integrations.slack.slack_types import (
     SlackMessageView,
     SlackViewInterface,
@@ -18,9 +17,7 @@ from integrations.utils import (
     get_user_v1_enabled_setting,
 )
 from jinja2 import Environment
-from server.config import get_config
 from slack_sdk import WebClient
-from storage.saas_conversation_store import SaasConversationStore
 from storage.slack_conversation import SlackConversation
 from storage.slack_conversation_store import SlackConversationStore
 from storage.slack_team_store import SlackTeamStore
@@ -39,20 +36,18 @@ from openhands.core.logger import openhands_logger as logger
 from openhands.core.schema.agent import AgentState
 from openhands.events.action import MessageAction
 from openhands.events.serialization.event import event_to_dict
-from openhands.integrations.provider import ProviderHandler
+from openhands.integrations.provider import ProviderHandler, ProviderType
 from openhands.sdk import TextContent
 from openhands.server.services.conversation_service import (
+    create_new_conversation,
     setup_init_conversation_settings,
-    start_conversation,
 )
 from openhands.server.shared import ConversationStoreImpl, config, conversation_manager
 from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import (
-    ConversationMetadata,
     ConversationTrigger,
 )
 from openhands.utils.async_utils import GENERAL_TIMEOUT
-from openhands.utils.conversation_summary import get_default_conversation_title
 
 # =================================================
 # SECTION: Slack view types
@@ -68,6 +63,22 @@ async def is_v1_enabled_for_slack_resolver(user_id: str) -> bool:
     return await get_user_v1_enabled_setting(user_id) and ENABLE_V1_SLACK_RESOLVER
 
 
+@dataclass
+class SlackUnkownUserView(SlackMessageView):
+    """View for unauthenticated Slack users who haven't linked their account.
+
+    This view only contains the minimal fields needed to send a login link
+    message back to the user. It does not implement SlackViewInterface
+    because it cannot create conversations without user authentication.
+    """
+
+    bot_access_token: str
+    slack_user_id: str
+    channel_id: str
+    message_ts: str
+    thread_ts: str | None
+
+
 @dataclass
 class SlackNewConversationView(SlackViewInterface):
     bot_access_token: str
@@ -207,22 +218,6 @@ class SlackNewConversationView(SlackViewInterface):
         provider_tokens = await self.saas_user_auth.get_provider_tokens()
         user_secrets = await self.saas_user_auth.get_secrets()
 
-        # Determine git provider from repository (needed for both org routing and conversation creation)
-        self._resolved_git_provider = None
-        if self.selected_repo and provider_tokens:
-            provider_handler = ProviderHandler(provider_tokens)
-            repository = await provider_handler.verify_repo_provider(self.selected_repo)
-            self._resolved_git_provider = repository.git_provider
-
-        # Resolve target org based on claimed git organizations
-        self.resolved_org_id = None
-        if self._resolved_git_provider and self.selected_repo:
-            self.resolved_org_id = await resolve_org_for_repo(
-                provider=self._resolved_git_provider.value,
-                full_repo_name=self.selected_repo,
-                keycloak_user_id=self.slack_to_openhands_user.keycloak_user_id,
-            )
-
         # Check if V1 conversations are enabled for this user
         self.v1_enabled = await is_v1_enabled_for_slack_resolver(
             self.slack_to_openhands_user.keycloak_user_id
@@ -245,44 +240,30 @@ class SlackNewConversationView(SlackViewInterface):
             jinja
         )
 
-        user_id = self.slack_to_openhands_user.keycloak_user_id
+        # Determine git provider from repository
+        git_provider = None
+        if self.selected_repo and provider_tokens:
+            provider_handler = ProviderHandler(provider_tokens)
+            repository = await provider_handler.verify_repo_provider(self.selected_repo)
+            git_provider = repository.git_provider
 
-        # Create the conversation store with resolver org routing
-        # (bypasses initialize_conversation to avoid threading enterprise-only
-        # resolver_org_id through the generic OSS interface)
-        store = await SaasConversationStore.get_resolver_instance(
-            get_config(),
-            user_id,
-            self.resolved_org_id,
-        )
-
-        conversation_id = uuid4().hex
-        conversation_metadata = ConversationMetadata(
-            trigger=ConversationTrigger.SLACK,
-            conversation_id=conversation_id,
-            title=get_default_conversation_title(conversation_id),
-            user_id=user_id,
+        agent_loop_info = await create_new_conversation(
+            user_id=self.slack_to_openhands_user.keycloak_user_id,
+            git_provider_tokens=provider_tokens,
             selected_repository=self.selected_repo,
             selected_branch=None,
-            git_provider=self._resolved_git_provider,
-        )
-        await store.save_metadata(conversation_metadata)
-
-        await start_conversation(
-            user_id=user_id,
-            git_provider_tokens=provider_tokens,
-            custom_secrets=user_secrets.custom_secrets if user_secrets else None,
             initial_user_msg=user_instructions,
-            image_urls=None,
-            replay_json=None,
-            conversation_id=conversation_id,
-            conversation_metadata=conversation_metadata,
             conversation_instructions=(
                 conversation_instructions if conversation_instructions else None
             ),
+            image_urls=None,
+            replay_json=None,
+            conversation_trigger=ConversationTrigger.SLACK,
+            custom_secrets=user_secrets.custom_secrets if user_secrets else None,
+            git_provider=git_provider,
         )
 
-        self.conversation_id = conversation_id
+        self.conversation_id = agent_loop_info.conversation_id
         logger.info(f'[Slack]: Created V0 conversation: {self.conversation_id}')
         await self.save_slack_convo(v1_enabled=False)
 
@@ -300,8 +281,13 @@ class SlackNewConversationView(SlackViewInterface):
         # Create the Slack V1 callback processor
         slack_callback_processor = self._create_slack_v1_callback_processor()
 
-        # Use git provider resolved in create_or_update_conversation
-        git_provider = self._resolved_git_provider
+        # Determine git provider from repository
+        git_provider = None
+        provider_tokens = await self.saas_user_auth.get_provider_tokens()
+        if self.selected_repo and provider_tokens:
+            provider_handler = ProviderHandler(provider_tokens)
+            repository = await provider_handler.verify_repo_provider(self.selected_repo)
+            git_provider = ProviderType(repository.git_provider.value)
 
         # Get the app conversation service and start the conversation
         injector_state = InjectorState()
@@ -322,10 +308,7 @@ class SlackNewConversationView(SlackViewInterface):
         )
 
         # Set up the Slack user context for the V1 system
-        slack_user_context = ResolverUserContext(
-            saas_user_auth=self.saas_user_auth,
-            resolver_org_id=self.resolved_org_id,
-        )
+        slack_user_context = ResolverUserContext(saas_user_auth=self.saas_user_auth)
         setattr(injector_state, USER_CONTEXT_ATTR, slack_user_context)
 
         async with get_app_conversation_service(
@@ -495,7 +478,7 @@ class SlackUpdateExistingConversationView(SlackNewConversationView):
             )
 
             # 6. Send the message to the agent server
-            url = f"{agent_server_url.rstrip('/')}/api/conversations/{UUID(self.conversation_id)}/events"
+            url = f'{agent_server_url.rstrip("/")}/api/conversations/{UUID(self.conversation_id)}/events'
 
             headers = {'X-Session-API-Key': running_sandbox.session_api_key}
             payload = send_message_request.model_dump()
@@ -593,15 +576,13 @@ class SlackFactory:
             raise Exception('Did not find slack team')
 
         # Determine if this is a known slack user by openhands
-        # Return SlackMessageView (not SlackViewInterface) for unauthenticated users
         if not slack_user or not saas_user_auth or not channel_id or not message_ts:
-            return SlackMessageView(
+            return SlackUnkownUserView(
                 bot_access_token=bot_access_token,
                 slack_user_id=slack_user_id,
                 channel_id=channel_id or '',
                 message_ts=message_ts or '',
                 thread_ts=thread_ts,
-                team_id=team_id,
             )
 
         # At this point, we've verified slack_user, saas_user_auth, channel_id, and message_ts are set
@@ -676,11 +657,3 @@ class SlackFactory:
                 team_id=team_id,
                 v1_enabled=False,
             )
-
-
-# Type alias for all authenticated Slack view types that can start conversations
-SlackViewType = (
-    SlackNewConversationView
-    | SlackNewConversationFromRepoFormView
-    | SlackUpdateExistingConversationView
-)

enterprise/integrations/stripe_service.py

@@ -100,25 +100,27 @@ async def has_payment_method_by_user_id(user_id: str) -> bool:
     return bool(payment_methods.data)
 
 
-async def migrate_customer(session, user_id: str, org: Org):
-    result = await session.execute(
-        select(StripeCustomer).where(StripeCustomer.keycloak_user_id == user_id)
-    )
-    stripe_customer = result.scalar_one_or_none()
-    if stripe_customer is None:
-        return
-    stripe_customer.org_id = org.id
-    customer = await stripe.Customer.modify_async(
-        id=stripe_customer.stripe_customer_id,
-        email=org.contact_email,
-        metadata={'user_id': '', 'org_id': str(org.id)},
-    )
+async def migrate_customer(user_id: str, org: Org):
+    async with a_session_maker() as session:
+        result = await session.execute(
+            select(StripeCustomer).where(StripeCustomer.keycloak_user_id == user_id)
+        )
+        stripe_customer = result.scalar_one_or_none()
+        if stripe_customer is None:
+            return
+        stripe_customer.org_id = org.id
+        customer = await stripe.Customer.modify_async(
+            id=stripe_customer.stripe_customer_id,
+            email=org.contact_email,
+            metadata={'user_id': '', 'org_id': str(org.id)},
+        )
 
-    logger.info(
-        'migrated_customer',
-        extra={
-            'user_id': user_id,
-            'org_id': str(org.id),
-            'stripe_customer_id': customer.id,
-        },
-    )
+        logger.info(
+            'migrated_customer',
+            extra={
+                'user_id': user_id,
+                'org_id': str(org.id),
+                'stripe_customer_id': customer.id,
+            },
+        )
+        await session.commit()

enterprise/integrations/utils.py

@@ -436,13 +436,12 @@ def infer_repo_from_message(user_msg: str) -> list[str]:
         r'(?=\s|$|}}|[\]\)\'",.:`])'  # right boundary
     )
 
-    # Use dict to preserve ordering
-    matches: dict[str, bool] = {}
+    matches: list[str] = []
 
     # Git URLs first (highest priority)
     for owner, repo in re.findall(git_url_pattern, normalized_msg):
         repo = re.sub(r'\.git$', '', repo)
-        matches[f'{owner}/{repo}'] = True
+        matches.append(f'{owner}/{repo}')
 
     # Direct mentions
     for owner, repo in re.findall(direct_pattern, normalized_msg):
@@ -458,10 +457,9 @@ def infer_repo_from_message(user_msg: str) -> list[str]:
             continue
 
         if full_match not in matches:
-            matches[full_match] = True
+            matches.append(full_match)
 
-    result = list(matches)
-    return result
+    return matches
 
 
 def filter_potential_repos_by_user_msg(
@@ -597,18 +595,3 @@ def markdown_to_jira_markup(markdown_text: str) -> str:
         # Log the error but don't raise it - return original text as fallback
         print(f'Error converting markdown to Jira markup: {str(e)}')
         return markdown_text or ''
-
-
-def format_jira_comment_body(message: str) -> dict:
-    """Format a message as a Jira API v2 comment body.
-
-    This helper ensures consistent comment formatting across all Jira integrations.
-    Converts markdown to Jira Wiki Markup and wraps in the expected API structure.
-
-    Args:
-        message: The message content to send (may contain markdown)
-
-    Returns:
-        dict: The comment body in Jira API v2 format {'body': ...}
-    """
-    return {'body': markdown_to_jira_markup(message)}

enterprise/migrations/env.py

@@ -6,15 +6,9 @@ from logging.config import fileConfig
 # These plugin setup messages would otherwise appear before logging is configured
 logging.getLogger('alembic.runtime.plugins').setLevel(logging.WARNING)
 
-# Prevent SQLAlchemy engine from logging SQL results at DEBUG level, which can
-# leak sensitive column data (e.g. API keys, tokens) into log aggregators.
-# This is set before any engine is created so it takes effect immediately.
-logging.getLogger('sqlalchemy.engine').setLevel(logging.WARNING)
-logging.getLogger('sqlalchemy.engine.Engine').setLevel(logging.WARNING)
-
 from alembic import context  # noqa: E402
 from google.cloud.sql.connector import Connector  # noqa: E402
-from sqlalchemy import create_engine, text  # noqa: E402
+from sqlalchemy import create_engine  # noqa: E402
 from storage.base import Base  # noqa: E402
 
 target_metadata = Base.metadata
@@ -76,12 +70,6 @@ config = context.config
 if config.config_file_name is not None:
     fileConfig(config.config_file_name)
 
-# Re-apply SQLAlchemy engine log suppression after fileConfig, which may override
-# our earlier settings from alembic.ini. This ensures DEBUG-level SQL result logging
-# is always suppressed, preventing sensitive data from leaking into log aggregators.
-logging.getLogger('sqlalchemy.engine').setLevel(logging.WARNING)
-logging.getLogger('sqlalchemy.engine.Engine').setLevel(logging.WARNING)
-
 
 def run_migrations_offline() -> None:
     """Run migrations in 'offline' mode.
@@ -121,10 +109,6 @@ def run_migrations_online() -> None:
             version_table_schema=target_metadata.schema,
         )
 
-        # Lock number must be unique — md5 hash of 'openhands_enterprise_migrations'
-        # Lock is released when the connection context manager exits
-        connection.execute(text('SELECT pg_advisory_lock(3617572382373537863)'))
-
         with context.begin_transaction():
             context.run_migrations()
 

enterprise/migrations/versions/099_create_user_authorizations_table.py

@@ -1,136 +0,0 @@
-"""Create user_authorizations table and migrate blocked_email_domains
-
-Revision ID: 099
-Revises: 098
-Create Date: 2025-03-05 00:00:00.000000
-
-"""
-
-import os
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '099'
-down_revision: Union[str, None] = '098'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def _seed_from_environment() -> None:
-    """Seed user_authorizations table from environment variables.
-
-    Reads EMAIL_PATTERN_BLACKLIST and EMAIL_PATTERN_WHITELIST environment variables.
-    Each should be a comma-separated list of SQL LIKE patterns (e.g., '%@example.com').
-
-    If the environment variables are not set or empty, this function does nothing.
-
-    This allows us to set up feature deployments with particular patterns already
-    blacklisted or whitelisted. (For example, you could blacklist everything with
-    `%`, and then whitelist certain email accounts.)
-    """
-    blacklist_patterns = os.environ.get('EMAIL_PATTERN_BLACKLIST', '').strip()
-    whitelist_patterns = os.environ.get('EMAIL_PATTERN_WHITELIST', '').strip()
-
-    connection = op.get_bind()
-
-    if blacklist_patterns:
-        for pattern in blacklist_patterns.split(','):
-            pattern = pattern.strip()
-            if pattern:
-                connection.execute(
-                    sa.text("""
-                        INSERT INTO user_authorizations
-                            (email_pattern, provider_type, type)
-                        VALUES
-                            (:pattern, NULL, 'blacklist')
-                    """),
-                    {'pattern': pattern},
-                )
-
-    if whitelist_patterns:
-        for pattern in whitelist_patterns.split(','):
-            pattern = pattern.strip()
-            if pattern:
-                connection.execute(
-                    sa.text("""
-                        INSERT INTO user_authorizations
-                            (email_pattern, provider_type, type)
-                        VALUES
-                            (:pattern, NULL, 'whitelist')
-                    """),
-                    {'pattern': pattern},
-                )
-
-
-def upgrade() -> None:
-    """Create user_authorizations table, migrate data, and drop blocked_email_domains."""
-    # Create user_authorizations table
-    op.create_table(
-        'user_authorizations',
-        sa.Column('id', sa.Integer(), sa.Identity(), nullable=False, primary_key=True),
-        sa.Column('email_pattern', sa.String(), nullable=True),
-        sa.Column('provider_type', sa.String(), nullable=True),
-        sa.Column('type', sa.String(), nullable=False),
-        sa.Column(
-            'created_at',
-            sa.DateTime(timezone=True),
-            nullable=False,
-            server_default=sa.text('CURRENT_TIMESTAMP'),
-        ),
-        sa.Column(
-            'updated_at',
-            sa.DateTime(timezone=True),
-            nullable=False,
-            server_default=sa.text('CURRENT_TIMESTAMP'),
-        ),
-        sa.PrimaryKeyConstraint('id'),
-    )
-
-    # Create index on email_pattern for efficient LIKE queries
-    op.create_index(
-        'ix_user_authorizations_email_pattern',
-        'user_authorizations',
-        ['email_pattern'],
-    )
-
-    # Create index on type for efficient filtering
-    op.create_index(
-        'ix_user_authorizations_type',
-        'user_authorizations',
-        ['type'],
-    )
-
-    # Migrate existing blocked_email_domains to user_authorizations as blacklist entries
-    # The domain patterns are converted to SQL LIKE patterns:
-    # - 'example.com' becomes '%@example.com' (matches user@example.com)
-    # - '.us' becomes '%@%.us' (matches user@anything.us)
-    # We also add '%.' prefix for subdomain matching
-    op.execute("""
-        INSERT INTO user_authorizations (email_pattern, provider_type, type, created_at, updated_at)
-        SELECT
-            CASE
-                WHEN domain LIKE '.%' THEN '%' || domain
-                ELSE '%@%' || domain
-            END as email_pattern,
-            NULL as provider_type,
-            'blacklist' as type,
-            created_at,
-            updated_at
-        FROM blocked_email_domains
-    """)
-
-    # Seed additional patterns from environment variables (if set)
-    _seed_from_environment()
-
-
-def downgrade() -> None:
-    """Recreate blocked_email_domains table and migrate data back."""
-    # Drop user_authorizations table
-    op.drop_index('ix_user_authorizations_type', table_name='user_authorizations')
-    op.drop_index(
-        'ix_user_authorizations_email_pattern', table_name='user_authorizations'
-    )
-    op.drop_table('user_authorizations')

enterprise/migrations/versions/100_add_sandbox_grouping_strategy.py

@@ -1,33 +0,0 @@
-"""Add sandbox_grouping_strategy column to user, org, and user_settings tables.
-
-Revision ID: 100
-Revises: 099
-Create Date: 2025-03-12
-"""
-
-import sqlalchemy as sa
-from alembic import op
-
-revision = '100'
-down_revision = '099'
-
-
-def upgrade() -> None:
-    op.add_column(
-        'user',
-        sa.Column('sandbox_grouping_strategy', sa.String, nullable=True),
-    )
-    op.add_column(
-        'org',
-        sa.Column('sandbox_grouping_strategy', sa.String, nullable=True),
-    )
-    op.add_column(
-        'user_settings',
-        sa.Column('sandbox_grouping_strategy', sa.String, nullable=True),
-    )
-
-
-def downgrade() -> None:
-    op.drop_column('user_settings', 'sandbox_grouping_strategy')
-    op.drop_column('org', 'sandbox_grouping_strategy')
-    op.drop_column('user', 'sandbox_grouping_strategy')

enterprise/migrations/versions/101_add_pending_messages_table.py

@@ -1,39 +0,0 @@
-"""Add pending_messages table for server-side message queuing
-
-Revision ID: 101
-Revises: 100
-Create Date: 2025-03-15 00:00:00.000000
-
-"""
-
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '101'
-down_revision: Union[str, None] = '100'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    """Create pending_messages table for storing messages before conversation is ready.
-
-    Messages are stored temporarily until the conversation becomes ready, then
-    delivered and deleted regardless of success or failure.
-    """
-    op.create_table(
-        'pending_messages',
-        sa.Column('id', sa.String(), primary_key=True),
-        sa.Column('conversation_id', sa.String(), nullable=False, index=True),
-        sa.Column('role', sa.String(20), nullable=False, server_default='user'),
-        sa.Column('content', sa.JSON, nullable=False),
-        sa.Column('created_at', sa.DateTime(timezone=True), nullable=False),
-    )
-
-
-def downgrade() -> None:
-    """Remove pending_messages table."""
-    op.drop_table('pending_messages')

enterprise/migrations/versions/102_add_disabled_skills_to_user_settings.py

@@ -1,28 +0,0 @@
-"""Add disabled_skills to user_settings.
-
-Revision ID: 102
-Revises: 101
-Create Date: 2026-02-25
-
-"""
-
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '102'
-down_revision: Union[str, None] = '101'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    op.add_column(
-        'user_settings', sa.Column('disabled_skills', sa.JSON(), nullable=True)
-    )
-
-
-def downgrade() -> None:
-    op.drop_column('user_settings', 'disabled_skills')

enterprise/migrations/versions/103_add_mcp_config_to_org_member.py

@@ -1,41 +0,0 @@
-"""Add mcp_config to org_member for user-specific MCP settings.
-
-Revision ID: 103
-Revises: 102
-Create Date: 2026-03-26
-
-"""
-
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '103'
-down_revision: Union[str, None] = '102'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    op.add_column('org_member', sa.Column('mcp_config', sa.JSON(), nullable=True))
-
-    # Migrate existing org-level MCP configs to all members in each org.
-    # This preserves existing configurations while transitioning to user-specific settings.
-    # Uses server-side SQL to avoid pulling sensitive config data into the Python process.
-    op.execute(
-        sa.text(
-            """
-            UPDATE org_member
-            SET mcp_config = org.mcp_config
-            FROM org
-            WHERE org_member.org_id = org.id
-              AND org.mcp_config IS NOT NULL
-            """
-        )
-    )
-
-
-def downgrade() -> None:
-    op.drop_column('org_member', 'mcp_config')

enterprise/migrations/versions/104_add_disabled_skills_to_user.py

@@ -1,29 +0,0 @@
-"""Add disabled_skills column to user table.
-
-Migration 102 added disabled_skills to the legacy user_settings table,
-but the active SaaS flow (SaasSettingsStore) reads from/writes to the
-user table. This migration adds the column where it is actually needed.
-
-Revision ID: 104
-Revises: 103
-Create Date: 2026-03-31
-"""
-
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '104'
-down_revision: Union[str, None] = '103'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    op.add_column('user', sa.Column('disabled_skills', sa.JSON(), nullable=True))
-
-
-def downgrade() -> None:
-    op.drop_column('user', 'disabled_skills')

enterprise/migrations/versions/105_create_org_git_claim_table.py

@@ -1,37 +0,0 @@
-"""Create org_git_claim table for tracking Git organization claims.
-
-Revision ID: 105
-Revises: 104
-Create Date: 2026-04-01
-"""
-
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '105'
-down_revision: Union[str, None] = '104'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    op.create_table(
-        'org_git_claim',
-        sa.Column('id', sa.UUID(), nullable=False),
-        sa.Column('org_id', sa.UUID(), nullable=False),
-        sa.Column('provider', sa.String(), nullable=False),
-        sa.Column('git_organization', sa.String(), nullable=False),
-        sa.Column('claimed_by', sa.UUID(), nullable=False),
-        sa.Column('claimed_at', sa.DateTime(timezone=True), nullable=False),
-        sa.ForeignKeyConstraint(['org_id'], ['org.id'], ondelete='CASCADE'),
-        sa.ForeignKeyConstraint(['claimed_by'], ['user.id']),
-        sa.PrimaryKeyConstraint('id'),
-        sa.UniqueConstraint('provider', 'git_organization', name='uq_provider_git_org'),
-    )
-
-
-def downgrade() -> None:
-    op.drop_table('org_git_claim')

enterprise/migrations/versions/106_add_tags_column_to_conversation_metadata.py

@@ -1,32 +0,0 @@
-"""Add tags column to conversation_metadata table.
-
-Tags store key-value pairs for automation context (trigger type, automation_id),
-skills used, and other metadata. This enables querying conversations by
-automation source and associating SDK-provided context with conversations.
-
-Revision ID: 106
-Revises: 105
-Create Date: 2026-03-31
-"""
-
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '106'
-down_revision: Union[str, None] = '105'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    op.add_column(
-        'conversation_metadata',
-        sa.Column('tags', sa.JSON(), nullable=True),
-    )
-
-
-def downgrade() -> None:
-    op.drop_column('conversation_metadata', 'tags')

enterprise/pyproject.toml

@@ -64,7 +64,6 @@ pytest-asyncio = "*"
 pytest-forked = "*"
 pytest-xdist = "*"
 flake8 = "*"
-freezegun = "^1.5.1"
 openai = "*"
 opencv-python = "*"
 pandas = "*"

enterprise/run_maintenance_tasks.py

@@ -21,12 +21,11 @@ async def main():
 
 
 def set_stale_task_error():
-    # started_at is naive UTC; strip tzinfo before comparing.
-    cutoff = datetime.now(timezone.utc).replace(tzinfo=None) - timedelta(hours=1)
     with session_maker() as session:
         session.query(MaintenanceTask).filter(
             MaintenanceTask.status == MaintenanceTaskStatus.WORKING,
-            MaintenanceTask.started_at < cutoff,
+            MaintenanceTask.started_at
+            < datetime.now(timezone.utc) - timedelta(hours=1),
         ).update({MaintenanceTask.status: MaintenanceTaskStatus.ERROR})
         session.commit()
 
@@ -38,10 +37,9 @@ async def run_tasks():
             if not task:
                 return
 
-            # started_at/updated_at are naive UTC; strip tzinfo.
-            now_utc = datetime.now(timezone.utc).replace(tzinfo=None)
+            # Update the status
             task.status = MaintenanceTaskStatus.WORKING
-            task.updated_at = task.started_at = now_utc
+            task.updated_at = task.started_at = datetime.now(timezone.utc)
             session.commit()
 
             try:

enterprise/saas_server.py

@@ -14,7 +14,6 @@ from fastapi.middleware.cors import CORSMiddleware  # noqa: E402
 from fastapi.responses import JSONResponse  # noqa: E402
 from server.auth.auth_error import ExpiredError, NoCredentialsError  # noqa: E402
 from server.auth.constants import (  # noqa: E402
-    BITBUCKET_DATA_CENTER_HOST,
     ENABLE_JIRA,
     ENABLE_JIRA_DC,
     ENABLE_LINEAR,
@@ -46,12 +45,8 @@ from server.routes.org_invitations import (  # noqa: E402
 )
 from server.routes.orgs import org_router  # noqa: E402
 from server.routes.readiness import readiness_router  # noqa: E402
-from server.routes.service import service_router  # noqa: E402
 from server.routes.user import saas_user_router  # noqa: E402
 from server.routes.user_app_settings import user_app_settings_router  # noqa: E402
-from server.routes.users_v1 import (  # noqa: E402
-    override_users_me_endpoint,
-)
 from server.sharing.shared_conversation_router import (  # noqa: E402
     router as shared_conversation_router,
 )
@@ -116,7 +111,6 @@ if GITLAB_APP_CLIENT_ID:
     base_app.include_router(gitlab_integration_router)
 
 base_app.include_router(api_keys_router)  # Add routes for API key management
-base_app.include_router(service_router)  # Add routes for internal service API
 base_app.include_router(org_router)  # Add routes for organization management
 base_app.include_router(
     verified_models_router
@@ -126,10 +120,6 @@ base_app.include_router(
 # This must happen after all routers are included
 override_llm_models_dependency(base_app)
 
-# Override the /api/v1/users/me endpoint to include organization info
-# This replaces the OSS endpoint with a SAAS version that adds org_id, org_name, role, permissions
-override_users_me_endpoint(base_app)
-
 base_app.include_router(invitation_router)  # Add routes for org invitation management
 base_app.include_router(invitation_accept_router)  # Add route for accepting invitations
 add_github_proxy_routes(base_app)
@@ -140,12 +130,6 @@ if ENABLE_JIRA_DC:
     base_app.include_router(jira_dc_integration_router)
 if ENABLE_LINEAR:
     base_app.include_router(linear_integration_router)
-if BITBUCKET_DATA_CENTER_HOST:
-    from server.routes.bitbucket_dc_proxy import (
-        router as bitbucket_dc_proxy_router,  # noqa: E402
-    )
-
-    base_app.include_router(bitbucket_dc_proxy_router)
 base_app.include_router(email_router)  # Add routes for email management
 base_app.include_router(feedback_router)  # Add routes for conversation feedback
 base_app.include_router(

enterprise/server/auth/auth_utils.py

@@ -0,0 +1,53 @@
+import os
+
+from openhands.core.logger import openhands_logger as logger
+
+
+class UserVerifier:
+    def __init__(self) -> None:
+        logger.debug('Initializing UserVerifier')
+        self.file_users: list[str] | None = None
+
+        # Initialize from environment variables
+        self._init_file_users()
+
+    def _init_file_users(self) -> None:
+        """Load users from text file if configured."""
+        waitlist = os.getenv('GITHUB_USER_LIST_FILE')
+        if not waitlist:
+            logger.debug('GITHUB_USER_LIST_FILE not configured')
+            return
+
+        if not os.path.exists(waitlist):
+            logger.error(f'User list file not found: {waitlist}')
+            raise FileNotFoundError(f'User list file not found: {waitlist}')
+
+        try:
+            with open(waitlist, 'r') as f:
+                self.file_users = [line.strip().lower() for line in f if line.strip()]
+            logger.info(
+                f'Successfully loaded {len(self.file_users)} users from {waitlist}'
+            )
+        except Exception:
+            logger.exception(f'Error reading user list file {waitlist}')
+
+    def is_active(self) -> bool:
+        if os.getenv('DISABLE_WAITLIST', '').lower() == 'true':
+            logger.info('Waitlist disabled via DISABLE_WAITLIST env var')
+            return False
+        return bool(self.file_users)
+
+    def is_user_allowed(self, username: str) -> bool:
+        """Check if user is allowed based on file and/or sheet configuration."""
+        logger.debug(f'Checking if GitHub user {username} is allowed')
+        if self.file_users:
+            if username.lower() in self.file_users:
+                logger.debug(f'User {username} found in text file allowlist')
+                return True
+            logger.debug(f'User {username} not found in text file allowlist')
+
+        logger.debug(f'User {username} not found in any allowlist')
+        return False
+
+
+user_verifier = UserVerifier()

enterprise/server/auth/authorization.py

@@ -35,13 +35,13 @@ Usage:
 from enum import Enum
 from uuid import UUID
 
-from fastapi import Depends, HTTPException, Request, status
+from fastapi import Depends, HTTPException, status
 from storage.org_member_store import OrgMemberStore
 from storage.role import Role
 from storage.role_store import RoleStore
 
 from openhands.core.logger import openhands_logger as logger
-from openhands.server.user_auth import get_user_auth, get_user_id
+from openhands.server.user_auth import get_user_id
 
 
 class Permission(str, Enum):
@@ -84,12 +84,6 @@ class Permission(str, Enum):
     # Temporary permissions until we finish the API updates.
     EDIT_ORG_SETTINGS = 'edit_org_settings'
 
-    # Git organization claims
-    MANAGE_ORG_CLAIMS = 'manage_org_claims'
-
-    # Manage Automations
-    MANAGE_AUTOMATIONS = 'manage_automations'
-
 
 class RoleName(str, Enum):
     """Role names used in the system."""
@@ -124,10 +118,6 @@ ROLE_PERMISSIONS: dict[RoleName, frozenset[Permission]] = {
             # Organization Management (Owner only)
             Permission.CHANGE_ORGANIZATION_NAME,
             Permission.DELETE_ORGANIZATION,
-            # Git organization claims
-            Permission.MANAGE_ORG_CLAIMS,
-            # Manage Automations
-            Permission.MANAGE_AUTOMATIONS,
         ]
     ),
     RoleName.ADMIN: frozenset(
@@ -149,10 +139,6 @@ ROLE_PERMISSIONS: dict[RoleName, frozenset[Permission]] = {
             # Organization Management
             Permission.VIEW_ORG_SETTINGS,
             Permission.EDIT_ORG_SETTINGS,
-            # Git organization claims
-            Permission.MANAGE_ORG_CLAIMS,
-            # Manage Automations
-            Permission.MANAGE_AUTOMATIONS,
         ]
     ),
     RoleName.MEMBER: frozenset(
@@ -166,8 +152,6 @@ ROLE_PERMISSIONS: dict[RoleName, frozenset[Permission]] = {
             # Settings (View only)
             Permission.VIEW_ORG_SETTINGS,
             Permission.VIEW_LLM_SETTINGS,
-            # Manage Automations
-            Permission.MANAGE_AUTOMATIONS,
         ]
     ),
 }
@@ -230,19 +214,6 @@ def has_permission(user_role: Role, permission: Permission) -> bool:
     return permission in permissions
 
 
-async def get_api_key_org_id_from_request(request: Request) -> UUID | None:
-    """Get the org_id bound to the API key used for authentication.
-
-    Returns None if:
-    - Not authenticated via API key (cookie auth)
-    - API key is a legacy key without org binding
-    """
-    user_auth = getattr(request.state, 'user_auth', None)
-    if user_auth and hasattr(user_auth, 'get_api_key_org_id'):
-        return user_auth.get_api_key_org_id()
-    return None
-
-
 def require_permission(permission: Permission):
     """
     Factory function that creates a dependency to require a specific permission.
@@ -250,9 +221,8 @@ def require_permission(permission: Permission):
     This creates a FastAPI dependency that:
     1. Extracts org_id from the path parameter
     2. Gets the authenticated user_id
-    3. Validates API key org binding (if using API key auth)
-    4. Checks if the user has the required permission in the organization
-    5. Returns the user_id if authorized, raises HTTPException otherwise
+    3. Checks if the user has the required permission in the organization
+    4. Returns the user_id if authorized, raises HTTPException otherwise
 
     Usage:
         @router.get('/{org_id}/settings')
@@ -270,7 +240,6 @@ def require_permission(permission: Permission):
     """
 
     async def permission_checker(
-        request: Request,
         org_id: UUID | None = None,
         user_id: str | None = Depends(get_user_id),
     ) -> str:
@@ -280,23 +249,6 @@ def require_permission(permission: Permission):
                 detail='User not authenticated',
             )
 
-        # Validate API key organization binding
-        api_key_org_id = await get_api_key_org_id_from_request(request)
-        if api_key_org_id is not None and org_id is not None:
-            if api_key_org_id != org_id:
-                logger.warning(
-                    'API key organization mismatch',
-                    extra={
-                        'user_id': user_id,
-                        'api_key_org_id': str(api_key_org_id),
-                        'target_org_id': str(org_id),
-                    },
-                )
-                raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
-                    detail='API key is not authorized for this organization',
-                )
-
         user_role = await get_user_org_role(user_id, org_id)
 
         if not user_role:
@@ -327,96 +279,3 @@ def require_permission(permission: Permission):
         return user_id
 
     return permission_checker
-
-
-async def require_financial_data_access(
-    request: Request,
-    org_id: UUID,
-    user_id: str | None = Depends(get_user_id),
-) -> str:
-    """
-    Authorization dependency for accessing organization financial data.
-
-    Allows access if ANY of these conditions are met:
-    1. User has Admin or Owner role in the organization
-    2. User has @openhands.dev email domain
-
-    This is used for the organization members financial data endpoint.
-
-    Args:
-        request: FastAPI request object
-        org_id: Organization UUID from path parameter
-        user_id: User ID from authentication
-
-    Returns:
-        str: User ID if authorized
-
-    Raises:
-        HTTPException: 401 if not authenticated, 403 if not authorized
-    """
-    if not user_id:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail='User not authenticated',
-        )
-
-    # Validate API key organization binding
-    api_key_org_id = await get_api_key_org_id_from_request(request)
-    if api_key_org_id is not None:
-        if api_key_org_id != org_id:
-            logger.warning(
-                'API key organization mismatch for financial data access',
-                extra={
-                    'user_id': user_id,
-                    'api_key_org_id': str(api_key_org_id),
-                    'target_org_id': str(org_id),
-                },
-            )
-            raise HTTPException(
-                status_code=status.HTTP_403_FORBIDDEN,
-                detail='API key is not authorized for this organization',
-            )
-
-    # Check if user has @openhands.dev email
-    user_auth = await get_user_auth(request)
-    user_email = await user_auth.get_user_email()
-
-    if user_email and user_email.endswith('@openhands.dev'):
-        logger.debug(
-            'Financial data access granted via @openhands.dev email',
-            extra={'user_id': user_id, 'org_id': str(org_id)},
-        )
-        return user_id
-
-    # Check if user has Admin or Owner role in the organization
-    user_role = await get_user_org_role(user_id, org_id)
-
-    if not user_role:
-        logger.warning(
-            'Financial data access denied - user not a member of organization',
-            extra={'user_id': user_id, 'org_id': str(org_id)},
-        )
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail='User is not a member of this organization',
-        )
-
-    if user_role.name not in (RoleName.OWNER.value, RoleName.ADMIN.value):
-        logger.warning(
-            'Financial data access denied - insufficient role',
-            extra={
-                'user_id': user_id,
-                'org_id': str(org_id),
-                'user_role': user_role.name,
-            },
-        )
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail='Access restricted to organization admins, owners, or OpenHands members',
-        )
-
-    logger.debug(
-        'Financial data access granted via admin/owner role',
-        extra={'user_id': user_id, 'org_id': str(org_id), 'role': user_role.name},
-    )
-    return user_id

enterprise/server/auth/constants.py

@@ -6,6 +6,7 @@ GITHUB_APP_WEBHOOK_SECRET = os.getenv('GITHUB_APP_WEBHOOK_SECRET', '')
 GITHUB_APP_PRIVATE_KEY = os.getenv('GITHUB_APP_PRIVATE_KEY', '').replace('\\n', '\n')
 KEYCLOAK_SERVER_URL = os.getenv('KEYCLOAK_SERVER_URL', '').rstrip('/')
 KEYCLOAK_REALM_NAME = os.getenv('KEYCLOAK_REALM_NAME', '')
+KEYCLOAK_PROVIDER_NAME = os.getenv('KEYCLOAK_PROVIDER_NAME', '')
 KEYCLOAK_CLIENT_ID = os.getenv('KEYCLOAK_CLIENT_ID', '')
 KEYCLOAK_CLIENT_SECRET = os.getenv('KEYCLOAK_CLIENT_SECRET', '')
 KEYCLOAK_SERVER_URL_EXT = os.getenv(
@@ -39,16 +40,6 @@ ROLE_CHECK_ENABLED = os.getenv('ROLE_CHECK_ENABLED', 'false').lower() in (
 )
 
 DUPLICATE_EMAIL_CHECK = os.getenv('DUPLICATE_EMAIL_CHECK', 'true') in ('1', 'true')
-BITBUCKET_DATA_CENTER_CLIENT_ID = os.getenv(
-    'BITBUCKET_DATA_CENTER_CLIENT_ID', ''
-).strip()
-BITBUCKET_DATA_CENTER_CLIENT_SECRET = os.getenv(
-    'BITBUCKET_DATA_CENTER_CLIENT_SECRET', ''
-).strip()
-BITBUCKET_DATA_CENTER_HOST = os.getenv('BITBUCKET_DATA_CENTER_HOST', '').strip()
-BITBUCKET_DATA_CENTER_TOKEN_URL = (
-    f'https://{BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/token'
-)
 
 # reCAPTCHA Enterprise
 RECAPTCHA_PROJECT_ID = os.getenv('RECAPTCHA_PROJECT_ID', '').strip()

enterprise/server/auth/domain_blocker.py

@@ -0,0 +1,66 @@
+from storage.blocked_email_domain_store import BlockedEmailDomainStore
+
+from openhands.core.logger import openhands_logger as logger
+
+
+class DomainBlocker:
+    def __init__(self, store: BlockedEmailDomainStore) -> None:
+        logger.debug('Initializing DomainBlocker')
+        self.store = store
+
+    def _extract_domain(self, email: str) -> str | None:
+        """Extract and normalize email domain from email address"""
+        if not email:
+            return None
+        try:
+            # Extract domain part after @
+            if '@' not in email:
+                return None
+            domain = email.split('@')[1].strip().lower()
+            return domain if domain else None
+        except Exception:
+            logger.debug(f'Error extracting domain from email: {email}', exc_info=True)
+            return None
+
+    async def is_domain_blocked(self, email: str) -> bool:
+        """Check if email domain is blocked by querying the database directly via SQL.
+
+        Supports blocking:
+        - Exact domains: 'example.com' blocks 'user@example.com'
+        - Subdomains: 'example.com' blocks 'user@subdomain.example.com'
+        - TLDs: '.us' blocks 'user@company.us' and 'user@subdomain.company.us'
+
+        The blocking logic is handled efficiently in SQL, avoiding the need to load
+        all blocked domains into memory.
+        """
+        if not email:
+            logger.debug('No email provided for domain check')
+            return False
+
+        domain = self._extract_domain(email)
+        if not domain:
+            logger.debug(f'Could not extract domain from email: {email}')
+            return False
+
+        try:
+            # Query database directly via SQL to check if domain is blocked
+            is_blocked = await self.store.is_domain_blocked(domain)
+
+            if is_blocked:
+                logger.warning(f'Email domain {domain} is blocked for email: {email}')
+            else:
+                logger.debug(f'Email domain {domain} is not blocked')
+
+            return is_blocked
+        except Exception as e:
+            logger.error(
+                f'Error checking if domain is blocked for email {email}: {e}',
+                exc_info=True,
+            )
+            # Fail-safe: if database query fails, don't block (allow auth to proceed)
+            return False
+
+
+# Initialize store and domain blocker
+_store = BlockedEmailDomainStore()
+domain_blocker = DomainBlocker(store=_store)

enterprise/server/auth/keycloak_manager.py

@@ -4,6 +4,7 @@ from server.auth.constants import (
     KEYCLOAK_ADMIN_PASSWORD,
     KEYCLOAK_CLIENT_ID,
     KEYCLOAK_CLIENT_SECRET,
+    KEYCLOAK_PROVIDER_NAME,
     KEYCLOAK_REALM_NAME,
     KEYCLOAK_SERVER_URL,
     KEYCLOAK_SERVER_URL_EXT,
@@ -11,7 +12,7 @@ from server.auth.constants import (
 from server.logger import logger
 
 logger.debug(
-    f'KEYCLOAK_SERVER_URL:{KEYCLOAK_SERVER_URL}, KEYCLOAK_SERVER_URL_EXT:{KEYCLOAK_SERVER_URL_EXT}, KEYCLOAK_CLIENT_ID:{KEYCLOAK_CLIENT_ID}'
+    f'KEYCLOAK_SERVER_URL:{KEYCLOAK_SERVER_URL}, KEYCLOAK_SERVER_URL_EXT:{KEYCLOAK_SERVER_URL_EXT}, KEYCLOAK_PROVIDER_NAME:{KEYCLOAK_PROVIDER_NAME}, KEYCLOAK_CLIENT_ID:{KEYCLOAK_CLIENT_ID}'
 )
 
 _keycloak_instances = {}

enterprise/server/auth/saas_user_auth.py

@@ -1,7 +1,6 @@
 import time
 from dataclasses import dataclass
 from types import MappingProxyType
-from uuid import UUID
 
 import jwt
 from fastapi import Request
@@ -14,11 +13,7 @@ from server.auth.auth_error import (
     ExpiredError,
     NoCredentialsError,
 )
-from server.auth.authorization import (
-    get_role_permissions,
-    get_user_org_role,
-)
-from server.auth.constants import BITBUCKET_DATA_CENTER_HOST
+from server.auth.domain_blocker import domain_blocker
 from server.auth.token_manager import TokenManager
 from server.config import get_config
 from server.logger import logger
@@ -27,12 +22,8 @@ from sqlalchemy import delete, select
 from storage.api_key_store import ApiKeyStore
 from storage.auth_tokens import AuthTokens
 from storage.database import a_session_maker
-from storage.org_store import OrgStore
 from storage.saas_secrets_store import SaasSecretsStore
 from storage.saas_settings_store import SaasSettingsStore
-from storage.user_authorization import UserAuthorizationType
-from storage.user_authorization_store import UserAuthorizationStore
-from storage.user_store import UserStore
 from tenacity import retry, retry_if_exception_type, stop_after_attempt, wait_fixed
 
 from openhands.integrations.provider import (
@@ -66,25 +57,6 @@ class SaasUserAuth(UserAuth):
     _secrets: Secrets | None = None
     accepted_tos: bool | None = None
     auth_type: AuthType = AuthType.COOKIE
-    # API key context fields - populated when authenticated via API key
-    api_key_org_id: UUID | None = None  # Org bound to the API key used for auth
-    api_key_id: int | None = None
-    api_key_name: str | None = None
-    # Organization context fields - populated lazily via get_org_info()
-    _org_id: str | None = None
-    _org_name: str | None = None
-    _role: str | None = None
-    _permissions: list[str] | None = None
-    _org_info_loaded: bool = False
-
-    def get_api_key_org_id(self) -> UUID | None:
-        """Get the organization ID bound to the API key used for authentication.
-
-        Returns:
-            The org_id if authenticated via API key with org binding, None otherwise
-            (cookie auth or legacy API keys without org binding).
-        """
-        return self.api_key_org_id
 
     async def get_user_id(self) -> str | None:
         return self.user_id
@@ -204,9 +176,6 @@ class SaasUserAuth(UserAuth):
                     if user_secrets and idp_type in user_secrets.provider_tokens:
                         host = user_secrets.provider_tokens[idp_type].host
 
-                    if idp_type == ProviderType.BITBUCKET_DATA_CENTER and not host:
-                        host = BITBUCKET_DATA_CENTER_HOST or None
-
                     provider_token = await token_manager.get_idp_token(
                         access_token.get_secret_value(),
                         idp=idp_type,
@@ -254,72 +223,6 @@ class SaasUserAuth(UserAuth):
             )
         return mcp_api_key
 
-    async def get_org_info(self) -> dict | None:
-        """Get organization info for the current user.
-
-        Lazily loads and caches organization data including:
-        - org_id: Current organization ID
-        - org_name: Current organization name
-        - role: User's role in the organization
-        - permissions: List of permission names for the role
-
-        Returns:
-            dict with org_id, org_name, role, permissions or None if not available
-        """
-        if self._org_info_loaded:
-            if self._org_id is None:
-                return None
-            return {
-                'org_id': self._org_id,
-                'org_name': self._org_name,
-                'role': self._role,
-                'permissions': self._permissions,
-            }
-
-        # Mark as loaded to avoid repeated attempts on failure
-        self._org_info_loaded = True
-
-        try:
-            # Get user and their current org
-            user = await UserStore.get_user_by_id(self.user_id)
-            if not user:
-                logger.warning(f'User {self.user_id} not found for org info')
-                return None
-
-            # Get the current org
-            org = await OrgStore.get_org_by_id(user.current_org_id)
-            if not org:
-                logger.warning(
-                    f'Organization {user.current_org_id} not found for user {self.user_id}'
-                )
-                return None
-
-            # Get user's role in the current org
-            role = await get_user_org_role(self.user_id, user.current_org_id)
-            role_name = role.name if role else None
-
-            # Get permissions for the role
-            permissions: list[str] = []
-            if role_name:
-                role_permissions = get_role_permissions(role_name)
-                permissions = [p.value for p in role_permissions]
-
-            # Cache the results
-            self._org_id = str(user.current_org_id)
-            self._org_name = org.name
-            self._role = role_name
-            self._permissions = permissions
-
-            return {
-                'org_id': self._org_id,
-                'org_name': self._org_name,
-                'role': self._role,
-                'permissions': self._permissions,
-            }
-        except Exception as e:
-            logger.error(f'Error fetching org info for user {self.user_id}: {e}')
-            return None
-
     @classmethod
     async def get_instance(cls, request: Request) -> UserAuth:
         logger.debug('saas_user_auth_get_instance')
@@ -375,19 +278,14 @@ async def saas_user_auth_from_bearer(request: Request) -> SaasUserAuth | None:
             return None
 
         api_key_store = ApiKeyStore.get_instance()
-        validation_result = await api_key_store.validate_api_key(api_key)
-        if not validation_result:
+        user_id = await api_key_store.validate_api_key(api_key)
+        if not user_id:
             return None
-        offline_token = await token_manager.load_offline_token(
-            validation_result.user_id
-        )
+        offline_token = await token_manager.load_offline_token(user_id)
         saas_user_auth = SaasUserAuth(
-            user_id=validation_result.user_id,
+            user_id=user_id,
             refresh_token=SecretStr(offline_token),
             auth_type=AuthType.BEARER,
-            api_key_org_id=validation_result.org_id,
-            api_key_id=validation_result.key_id,
-            api_key_name=validation_result.key_name,
         )
         await saas_user_auth.refresh()
         return saas_user_auth
@@ -428,16 +326,14 @@ async def saas_user_auth_from_signed_token(signed_token: str) -> SaasUserAuth:
     email = access_token_payload['email']
     email_verified = access_token_payload['email_verified']
 
-    # Check if email is blacklisted (whitelist takes precedence)
-    if email:
-        auth_type = await UserAuthorizationStore.get_authorization_type(email, None)
-        if auth_type == UserAuthorizationType.BLACKLIST:
-            logger.warning(
-                f'Blocked authentication attempt for existing user with email: {email}'
-            )
-            raise AuthError(
-                'Access denied: Your email domain is not allowed to access this service'
-            )
+    # Check if email domain is blocked
+    if email and await domain_blocker.is_domain_blocked(email):
+        logger.warning(
+            f'Blocked authentication attempt for existing user with email: {email}'
+        )
+        raise AuthError(
+            'Access denied: Your email domain is not allowed to access this service'
+        )
 
     logger.debug('saas_user_auth_from_signed_token:return')
 

enterprise/server/auth/token_manager.py

@@ -21,10 +21,6 @@ from server.auth.auth_error import ExpiredError
 from server.auth.constants import (
     BITBUCKET_APP_CLIENT_ID,
     BITBUCKET_APP_CLIENT_SECRET,
-    BITBUCKET_DATA_CENTER_CLIENT_ID,
-    BITBUCKET_DATA_CENTER_CLIENT_SECRET,
-    BITBUCKET_DATA_CENTER_HOST,
-    BITBUCKET_DATA_CENTER_TOKEN_URL,
     DUPLICATE_EMAIL_CHECK,
     GITHUB_APP_CLIENT_ID,
     GITHUB_APP_CLIENT_SECRET,
@@ -383,8 +379,6 @@ class TokenManager:
             return await self._refresh_gitlab_token(refresh_token)
         elif idp == ProviderType.BITBUCKET:
             return await self._refresh_bitbucket_token(refresh_token)
-        elif idp == ProviderType.BITBUCKET_DATA_CENTER:
-            return await self._refresh_bitbucket_data_center_token(refresh_token)
         else:
             raise ValueError(f'Unsupported IDP: {idp}')
 
@@ -466,33 +460,6 @@ class TokenManager:
             data = response.json()
             return await self._parse_refresh_response(data)
 
-    async def _refresh_bitbucket_data_center_token(
-        self, refresh_token: str
-    ) -> dict[str, str | int]:
-        if not BITBUCKET_DATA_CENTER_HOST:
-            raise ValueError(
-                'BITBUCKET_DATA_CENTER_HOST is not configured. '
-                'Set the BITBUCKET_DATA_CENTER_HOST environment variable.'
-            )
-        url = BITBUCKET_DATA_CENTER_TOKEN_URL
-        logger.info(f'Refreshing Bitbucket Data Center token with URL: {url}')
-
-        payload = {
-            'client_id': BITBUCKET_DATA_CENTER_CLIENT_ID,
-            'client_secret': BITBUCKET_DATA_CENTER_CLIENT_SECRET,
-            'refresh_token': refresh_token,
-            'grant_type': 'refresh_token',
-        }
-        async with httpx.AsyncClient(
-            verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT
-        ) as client:
-            response = await client.post(url, data=payload)
-            response.raise_for_status()
-            logger.info('Successfully refreshed Bitbucket Data Center token')
-
-            data = response.json()
-            return await self._parse_refresh_response(data)
-
     async def _parse_refresh_response(self, data: dict) -> dict[str, str | int]:
         access_token = data.get('access_token')
         refresh_token = data.get('refresh_token')

enterprise/server/auth/user/default_user_authorizer.py

@@ -1,98 +0,0 @@
-import logging
-from dataclasses import dataclass
-from typing import AsyncGenerator
-
-from fastapi import Request
-from pydantic import Field
-from server.auth.email_validation import extract_base_email
-from server.auth.token_manager import KeycloakUserInfo, TokenManager
-from server.auth.user.user_authorizer import (
-    UserAuthorizationResponse,
-    UserAuthorizer,
-    UserAuthorizerInjector,
-)
-from storage.user_authorization import UserAuthorizationType
-from storage.user_authorization_store import UserAuthorizationStore
-
-from openhands.app_server.services.injector import InjectorState
-
-logger = logging.getLogger(__name__)
-token_manager = TokenManager()
-
-
-@dataclass
-class DefaultUserAuthorizer(UserAuthorizer):
-    """Class determining whether a user may be authorized.
-
-    Uses the user_authorizations database table to check whitelist/blacklist rules.
-    """
-
-    prevent_duplicates: bool
-
-    async def authorize_user(
-        self, user_info: KeycloakUserInfo
-    ) -> UserAuthorizationResponse:
-        user_id = user_info.sub
-        email = user_info.email
-        provider_type = user_info.identity_provider
-        try:
-            if not email:
-                logger.warning(f'No email provided for user_id: {user_id}')
-                return UserAuthorizationResponse(
-                    success=False, error_detail='missing_email'
-                )
-
-            if self.prevent_duplicates:
-                has_duplicate = await token_manager.check_duplicate_base_email(
-                    email, user_id
-                )
-                if has_duplicate:
-                    logger.warning(
-                        f'Blocked signup attempt for email {email} - duplicate base email found',
-                        extra={'user_id': user_id, 'email': email},
-                    )
-                    return UserAuthorizationResponse(
-                        success=False, error_detail='duplicate_email'
-                    )
-
-            # Check authorization rules (whitelist takes precedence over blacklist)
-            base_email = extract_base_email(email)
-            if base_email is None:
-                return UserAuthorizationResponse(
-                    success=False, error_detail='invalid_email'
-                )
-            auth_type = await UserAuthorizationStore.get_authorization_type(
-                base_email, provider_type
-            )
-
-            if auth_type == UserAuthorizationType.WHITELIST:
-                logger.debug(
-                    f'User {email} matched whitelist rule',
-                    extra={'user_id': user_id, 'email': email},
-                )
-                return UserAuthorizationResponse(success=True)
-
-            if auth_type == UserAuthorizationType.BLACKLIST:
-                logger.warning(
-                    f'Blocked authentication attempt for email: {email}, user_id: {user_id}'
-                )
-                return UserAuthorizationResponse(success=False, error_detail='blocked')
-
-            return UserAuthorizationResponse(success=True)
-        except Exception:
-            logger.exception('error authorizing user', extra={'user_id': user_id})
-            return UserAuthorizationResponse(success=False)
-
-
-class DefaultUserAuthorizerInjector(UserAuthorizerInjector):
-    prevent_duplicates: bool = Field(
-        default=True,
-        description='Whether duplicate emails (containing +) are filtered',
-    )
-
-    async def inject(
-        self, state: InjectorState, request: Request | None = None
-    ) -> AsyncGenerator[UserAuthorizer, None]:
-        yield DefaultUserAuthorizer(
-            prevent_duplicates=self.prevent_duplicates,
-        )

enterprise/server/auth/user/user_authorizer.py

@@ -1,48 +0,0 @@
-import logging
-from abc import ABC, abstractmethod
-
-from fastapi import Depends
-from pydantic import BaseModel
-from server.auth.token_manager import KeycloakUserInfo
-
-from openhands.agent_server.env_parser import from_env
-from openhands.app_server.services.injector import Injector
-from openhands.sdk.utils.models import DiscriminatedUnionMixin
-
-logger = logging.getLogger(__name__)
-
-
-class UserAuthorizationResponse(BaseModel):
-    success: bool
-    error_detail: str | None = None
-
-
-class UserAuthorizer(ABC):
-    """Class determining whether a user may be authorized."""
-
-    @abstractmethod
-    async def authorize_user(
-        self, user_info: KeycloakUserInfo
-    ) -> UserAuthorizationResponse:
-        """Determine whether the info given is permitted."""
-
-
-class UserAuthorizerInjector(DiscriminatedUnionMixin, Injector[UserAuthorizer], ABC):
-    pass
-
-
-def depends_user_authorizer():
-    from server.auth.user.default_user_authorizer import (
-        DefaultUserAuthorizerInjector,
-    )
-
-    try:
-        injector: UserAuthorizerInjector = from_env(
-            UserAuthorizerInjector, 'OH_USER_AUTHORIZER'
-        )
-    except Exception as ex:
-        print(ex)
-        logger.info('Using default UserAuthorizer')
-        injector = DefaultUserAuthorizerInjector()
-
-    return Depends(injector.depends)

enterprise/server/config.py

@@ -9,7 +9,6 @@ import requests  # type: ignore
 from fastapi import HTTPException
 from server.auth.constants import (
     BITBUCKET_APP_CLIENT_ID,
-    BITBUCKET_DATA_CENTER_CLIENT_ID,
     ENABLE_ENTERPRISE_SSO,
     ENABLE_JIRA,
     ENABLE_JIRA_DC,
@@ -165,9 +164,6 @@ class SaaSServerConfig(ServerConfig):
         if ENABLE_ENTERPRISE_SSO:
             providers_configured.append(ProviderType.ENTERPRISE_SSO)
 
-        if BITBUCKET_DATA_CENTER_CLIENT_ID:
-            providers_configured.append(ProviderType.BITBUCKET_DATA_CENTER)
-
         config: dict[str, typing.Any] = {
             'APP_MODE': self.app_mode,
             'APP_SLUG': self.app_slug,

enterprise/server/constants.py

@@ -77,9 +77,6 @@ PERMITTED_CORS_ORIGINS = [
     )
 ]
 
-# Controls whether new orgs/users default to V1 API (env: DEFAULT_V1_ENABLED)
-DEFAULT_V1_ENABLED = os.getenv('DEFAULT_V1_ENABLED', '1').lower() in ('1', 'true')
-
 
 def build_litellm_proxy_model_path(model_name: str) -> str:
     """Build the LiteLLM proxy model path based on model name.

enterprise/server/logger.py

@@ -80,11 +80,10 @@ def setup_json_logger(
     handler.setLevel(level)
 
     formatter = JsonFormatter(
-        '%(message)s%(levelname)s%(module)s%(funcName)s%(lineno)d',
+        '{message}{levelname}',
+        style='{',
         rename_fields={'levelname': 'severity'},
         json_serializer=custom_json_serializer,
-        # Use 'ts' for consistency with LOG_JSON_FOR_CONSOLE mode (skip when console mode to avoid duplicates)
-        timestamp='ts' if not LOG_JSON_FOR_CONSOLE else False,
     )
 
     handler.setFormatter(formatter)

enterprise/server/middleware.py

@@ -12,8 +12,11 @@ from server.auth.auth_error import (
 )
 from server.auth.gitlab_sync import schedule_gitlab_repo_sync
 from server.auth.saas_user_auth import SaasUserAuth, token_manager
-from server.routes.auth import set_response_cookie
-from server.utils.url_utils import get_cookie_domain, get_cookie_samesite
+from server.routes.auth import (
+    get_cookie_domain,
+    get_cookie_samesite,
+    set_response_cookie,
+)
 
 from openhands.core.logger import openhands_logger as logger
 from openhands.server.user_auth.user_auth import AuthType, UserAuth, get_user_auth
@@ -90,8 +93,8 @@ class SetAuthCookieMiddleware:
             if keycloak_auth_cookie:
                 response.delete_cookie(
                     key='keycloak_auth',
-                    domain=get_cookie_domain(),
-                    samesite=get_cookie_samesite(),
+                    domain=get_cookie_domain(request),
+                    samesite=get_cookie_samesite(request),
                 )
             return response
 
@@ -182,10 +185,6 @@ class SetAuthCookieMiddleware:
         if path.startswith('/api/v1/webhooks/'):
             return False
 
-        # Service API uses its own authentication (X-Service-API-Key header)
-        if path.startswith('/api/service/'):
-            return False
-
         is_mcp = path.startswith('/mcp')
         is_api_route = path.startswith('/api')
         return is_api_route or is_mcp

enterprise/server/models/__init__.py

@@ -1 +0,0 @@
-# Enterprise server models

enterprise/server/models/user_models.py

@@ -1,16 +0,0 @@
-"""SAAS-specific user models that extend OSS UserInfo with organization fields."""
-
-from openhands.app_server.user.user_models import UserInfo
-
-
-class SaasUserInfo(UserInfo):
-    """User info model for SAAS mode with organization context.
-
-    Extends the base UserInfo with SAAS-specific fields for organization
-    membership, role, and permissions.
-    """
-
-    org_id: str | None = None
-    org_name: str | None = None
-    role: str | None = None
-    permissions: list[str] | None = None

enterprise/server/routes/api_keys.py

@@ -1,9 +1,7 @@
 from datetime import UTC, datetime
-from typing import cast
 
-from fastapi import APIRouter, Depends, HTTPException, Request, status
+from fastapi import APIRouter, Depends, HTTPException, status
 from pydantic import BaseModel, field_validator
-from server.auth.saas_user_auth import SaasUserAuth
 from storage.api_key import ApiKey
 from storage.api_key_store import ApiKeyStore
 from storage.lite_llm_manager import LiteLlmManager
@@ -13,8 +11,7 @@ from storage.org_service import OrgService
 from storage.user_store import UserStore
 
 from openhands.core.logger import openhands_logger as logger
-from openhands.server.user_auth import get_user_auth, get_user_id
-from openhands.server.user_auth.user_auth import AuthType
+from openhands.server.user_auth import get_user_id
 
 
 # Helper functions for BYOR API key management
@@ -153,16 +150,6 @@ class MessageResponse(BaseModel):
     message: str
 
 
-class CurrentApiKeyResponse(BaseModel):
-    """Response model for the current API key endpoint."""
-
-    id: int
-    name: str | None
-    org_id: str
-    user_id: str
-    auth_type: str
-
-
 def api_key_to_response(key: ApiKey) -> ApiKeyResponse:
     """Convert an ApiKey model to an ApiKeyResponse."""
     return ApiKeyResponse(
@@ -275,46 +262,6 @@ async def delete_api_key(
         )
 
 
-@api_router.get('/current', tags=['Keys'])
-async def get_current_api_key(
-    request: Request,
-    user_id: str = Depends(get_user_id),
-) -> CurrentApiKeyResponse:
-    """Get information about the currently authenticated API key.
-
-    This endpoint returns metadata about the API key used for the current request,
-    including the org_id associated with the key. This is useful for API key
-    callers who need to know which organization context their key operates in.
-
-    Returns 400 if not authenticated via API key (e.g., using cookie auth).
-    """
-    user_auth = await get_user_auth(request)
-
-    # Check if authenticated via API key
-    if user_auth.get_auth_type() != AuthType.BEARER:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail='This endpoint requires API key authentication. Not available for cookie-based auth.',
-        )
-
-    # In SaaS context, bearer auth always produces SaasUserAuth
-    saas_user_auth = cast(SaasUserAuth, user_auth)
-
-    if saas_user_auth.api_key_org_id is None:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail='This API key was created before organization support. Please regenerate your API key to use this endpoint.',
-        )
-
-    return CurrentApiKeyResponse(
-        id=saas_user_auth.api_key_id,
-        name=saas_user_auth.api_key_name,
-        org_id=str(saas_user_auth.api_key_org_id),
-        user_id=user_id,
-        auth_type=saas_user_auth.auth_type.value,
-    )
-
-
 @api_router.get('/llm/byor', tags=['Keys'])
 async def get_llm_api_key_for_byor(
     user_id: str = Depends(get_user_id),

enterprise/server/routes/auth.py

@@ -3,14 +3,15 @@ import json
 import uuid
 import warnings
 from datetime import datetime, timezone
-from typing import Annotated, Optional, cast
-from urllib.parse import quote, urlencode
+from typing import Annotated, Literal, Optional, cast
+from urllib.parse import quote
 from uuid import UUID as parse_uuid
 
 import posthog
 from fastapi import APIRouter, Header, HTTPException, Request, Response, status
 from fastapi.responses import JSONResponse, RedirectResponse
 from pydantic import SecretStr
+from server.auth.auth_utils import user_verifier
 from server.auth.constants import (
     KEYCLOAK_CLIENT_ID,
     KEYCLOAK_REALM_NAME,
@@ -18,16 +19,13 @@ from server.auth.constants import (
     RECAPTCHA_SITE_KEY,
     ROLE_CHECK_ENABLED,
 )
+from server.auth.domain_blocker import domain_blocker
 from server.auth.gitlab_sync import schedule_gitlab_repo_sync
 from server.auth.recaptcha_service import recaptcha_service
 from server.auth.saas_user_auth import SaasUserAuth
 from server.auth.token_manager import TokenManager
-from server.auth.user.user_authorizer import (
-    UserAuthorizer,
-    depends_user_authorizer,
-)
 from server.config import sign_token
-from server.constants import IS_FEATURE_ENV, IS_LOCAL_ENV
+from server.constants import IS_FEATURE_ENV
 from server.routes.event_webhook import _get_session_api_key, _get_user_id
 from server.services.org_invitation_service import (
     EmailMismatchError,
@@ -36,8 +34,6 @@ from server.services.org_invitation_service import (
     OrgInvitationService,
     UserAlreadyMemberError,
 )
-from server.utils.rate_limit_utils import check_rate_limit_by_user_id
-from server.utils.url_utils import get_cookie_domain, get_cookie_samesite, get_web_url
 from sqlalchemy import select
 from storage.database import a_session_maker
 from storage.user import User
@@ -77,7 +73,7 @@ def set_response_cookie(
     signed_token = sign_token(cookie_data, config.jwt_secret.get_secret_value())  # type: ignore
 
     # Set secure cookie with signed token
-    domain = get_cookie_domain()
+    domain = get_cookie_domain(request)
     if domain:
         response.set_cookie(
             key='keycloak_auth',
@@ -85,7 +81,7 @@ def set_response_cookie(
             domain=domain,
             httponly=True,
             secure=secure,
-            samesite=get_cookie_samesite(),
+            samesite=get_cookie_samesite(request),
         )
     else:
         response.set_cookie(
@@ -93,10 +89,30 @@ def set_response_cookie(
             value=signed_token,
             httponly=True,
             secure=secure,
-            samesite=get_cookie_samesite(),
+            samesite=get_cookie_samesite(request),
         )
 
 
+def get_cookie_domain(request: Request) -> str | None:
+    # for now just use the full hostname except for staging stacks.
+    return (
+        None
+        if not request.url.hostname
+        or request.url.hostname.endswith('staging.all-hands.dev')
+        else request.url.hostname
+    )
+
+
+def get_cookie_samesite(request: Request) -> Literal['lax', 'strict']:
+    # for localhost and feature/staging stacks we set it to 'lax' as the cookie domain won't allow 'strict'
+    return (
+        'lax'
+        if request.url.hostname == 'localhost'
+        or (request.url.hostname or '').endswith('staging.all-hands.dev')
+        else 'strict'
+    )
+
+
 def _extract_oauth_state(state: str | None) -> tuple[str, str | None, str | None]:
     """Extract redirect URL, reCAPTCHA token, and invitation token from OAuth state.
 
@@ -120,6 +136,19 @@ def _extract_oauth_state(state: str | None) -> tuple[str, str | None, str | None
         return state, None, None
 
 
+# Keep alias for backward compatibility
+def _extract_recaptcha_state(state: str | None) -> tuple[str, str | None]:
+    """Extract redirect URL and reCAPTCHA token from OAuth state.
+
+    Deprecated: Use _extract_oauth_state instead.
+
+    Returns:
+        Tuple of (redirect_url, recaptcha_token). Token may be None.
+    """
+    redirect_url, recaptcha_token, _ = _extract_oauth_state(state)
+    return redirect_url, recaptcha_token
+
+
 @oauth_router.get('/keycloak/callback')
 async def keycloak_callback(
     request: Request,
@@ -127,16 +156,11 @@ async def keycloak_callback(
     state: Optional[str] = None,
     error: Optional[str] = None,
     error_description: Optional[str] = None,
-    user_authorizer: UserAuthorizer = depends_user_authorizer(),
 ):
     # Extract redirect URL, reCAPTCHA token, and invitation token from state
     redirect_url, recaptcha_token, invitation_token = _extract_oauth_state(state)
-
-    if redirect_url is None:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail='Missing state in request params',
-        )
+    if not redirect_url:
+        redirect_url = str(request.base_url)
 
     if not code:
         # check if this is a forward from the account linking page
@@ -145,54 +169,36 @@ async def keycloak_callback(
             and error_description == 'authentication_expired'
         ):
             return RedirectResponse(redirect_url, status_code=302)
-        raise HTTPException(
+        return JSONResponse(
             status_code=status.HTTP_400_BAD_REQUEST,
-            detail='Missing code in request params',
+            content={'error': 'Missing code in request params'},
         )
-
-    web_url = get_web_url(request)
-    redirect_uri = web_url + request.url.path
+    scheme = 'http' if request.url.hostname == 'localhost' else 'https'
+    redirect_uri = f'{scheme}://{request.url.netloc}{request.url.path}'
+    logger.debug(f'code: {code}, redirect_uri: {redirect_uri}')
 
     (
         keycloak_access_token,
         keycloak_refresh_token,
     ) = await token_manager.get_keycloak_tokens(code, redirect_uri)
     if not keycloak_access_token or not keycloak_refresh_token:
-        raise HTTPException(
+        return JSONResponse(
             status_code=status.HTTP_400_BAD_REQUEST,
-            detail='Problem retrieving Keycloak tokens',
+            content={'error': 'Problem retrieving Keycloak tokens'},
         )
 
     user_info = await token_manager.get_user_info(keycloak_access_token)
     logger.debug(f'user_info: {user_info}')
     if ROLE_CHECK_ENABLED and user_info.roles is None:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED, detail='Missing required role'
+        return JSONResponse(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            content={'error': 'Missing required role'},
         )
 
-    authorization = await user_authorizer.authorize_user(user_info)
-    if not authorization.success:
-        # For duplicate_email errors, clean up the newly created Keycloak user
-        # (only if they're not already in our UserStore, i.e., they're a new user)
-        if authorization.error_detail == 'duplicate_email':
-            try:
-                existing_user = await UserStore.get_user_by_id(user_info.sub)
-                if not existing_user:
-                    # New user created during OAuth should be deleted from Keycloak
-                    await token_manager.delete_keycloak_user(user_info.sub)
-                    logger.info(
-                        f'Deleted orphaned Keycloak user {user_info.sub} '
-                        'after duplicate_email rejection'
-                    )
-            except Exception as e:
-                # Log but don't fail - user should still get 401 response
-                logger.warning(
-                    f'Failed to clean up orphaned Keycloak user {user_info.sub}: {e}'
-                )
-        # Return unauthorized
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail=authorization.error_detail,
+    if user_info.preferred_username is None:
+        return JSONResponse(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            content={'error': 'Missing user ID or username in response'},
         )
 
     email = user_info.email
@@ -207,10 +213,12 @@ async def keycloak_callback(
         await UserStore.backfill_user_email(user_id, user_info_dict)
 
     if not user:
-        logger.error(f'Failed to authenticate user {user_info.email}')
-        raise HTTPException(
+        logger.error(f'Failed to authenticate user {user_info.preferred_username}')
+        return JSONResponse(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            detail=f'Failed to authenticate user {user_info.email}',
+            content={
+                'error': f'Failed to authenticate user {user_info.preferred_username}'
+            },
         )
 
     logger.info(f'Logging in user {str(user.id)} in org {user.current_org_id}')
@@ -225,7 +233,7 @@ async def keycloak_callback(
                     'email': email,
                 },
             )
-            error_url = f'{web_url}/login?recaptcha_blocked=true'
+            error_url = f'{request.base_url}login?recaptcha_blocked=true'
             return RedirectResponse(error_url, status_code=302)
 
         user_ip = request.client.host if request.client else 'unknown'
@@ -256,50 +264,74 @@ async def keycloak_callback(
                     },
                 )
                 # Redirect to home with error parameter
-                error_url = f'{web_url}/login?recaptcha_blocked=true'
+                error_url = f'{request.base_url}login?recaptcha_blocked=true'
                 return RedirectResponse(error_url, status_code=302)
 
         except Exception as e:
             logger.exception(f'reCAPTCHA verification error at callback: {e}')
             # Fail open - continue with login if reCAPTCHA service unavailable
 
+    # Check if email domain is blocked
+    if email and await domain_blocker.is_domain_blocked(email):
+        logger.warning(
+            f'Blocked authentication attempt for email: {email}, user_id: {user_id}'
+        )
+
+        # Disable the Keycloak account
+        await token_manager.disable_keycloak_user(user_id, email)
+
+        return JSONResponse(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            content={
+                'error': 'Access denied: Your email domain is not allowed to access this service'
+            },
+        )
+
+    # Check for duplicate email with + modifier
+    if email:
+        try:
+            has_duplicate = await token_manager.check_duplicate_base_email(
+                email, user_id
+            )
+            if has_duplicate:
+                logger.warning(
+                    f'Blocked signup attempt for email {email} - duplicate base email found',
+                    extra={'user_id': user_id, 'email': email},
+                )
+
+                # Delete the Keycloak user that was automatically created during OAuth
+                # This prevents orphaned accounts in Keycloak
+                # The delete_keycloak_user method already handles all errors internally
+                deletion_success = await token_manager.delete_keycloak_user(user_id)
+                if deletion_success:
+                    logger.info(
+                        f'Deleted Keycloak user {user_id} after detecting duplicate email {email}'
+                    )
+                else:
+                    logger.warning(
+                        f'Failed to delete Keycloak user {user_id} after detecting duplicate email {email}. '
+                        f'User may need to be manually cleaned up.'
+                    )
+
+                # Redirect to home page with query parameter indicating the issue
+                home_url = f'{request.base_url}/login?duplicated_email=true'
+                return RedirectResponse(home_url, status_code=302)
+        except Exception as e:
+            # Log error but allow signup to proceed (fail open)
+            logger.error(
+                f'Error checking duplicate email for {email}: {e}',
+                extra={'user_id': user_id, 'email': email},
+            )
+
     # Check email verification status
     email_verified = user_info.email_verified or False
     if not email_verified:
-        # Send verification email with rate limiting to prevent abuse
-        # Users who repeatedly login without verifying would otherwise trigger
-        # unlimited verification emails
+        # Send verification email
         # Import locally to avoid circular import with email.py
         from server.routes.email import verify_email
 
-        # Rate limit verification emails during auth flow (60 seconds per user)
-        # This is separate from the manual resend rate limit which uses 30 seconds
-        rate_limited = False
-        try:
-            await check_rate_limit_by_user_id(
-                request=request,
-                key_prefix='auth_verify_email',
-                user_id=user_id,
-                user_rate_limit_seconds=60,
-                ip_rate_limit_seconds=120,
-            )
-            await verify_email(request=request, user_id=user_id, is_auth_flow=True)
-        except HTTPException as e:
-            if e.status_code == status.HTTP_429_TOO_MANY_REQUESTS:
-                # Rate limited - still redirect to verification page but don't send email
-                rate_limited = True
-                logger.info(
-                    f'Rate limited verification email for user {user_id} during auth flow'
-                )
-            else:
-                raise
-
-        verification_redirect_url = (
-            f'{web_url}/login?email_verification_required=true&user_id={user_id}'
-        )
-        if rate_limited:
-            verification_redirect_url = f'{verification_redirect_url}&rate_limited=true'
-
+        await verify_email(request=request, user_id=user_id, is_auth_flow=True)
+        verification_redirect_url = f'{request.base_url}login?email_verification_required=true&user_id={user_id}'
         # Preserve invitation token so it can be included in OAuth state after verification
         if invitation_token:
             verification_redirect_url = (
@@ -321,6 +353,13 @@ async def keycloak_callback(
         ProviderType(idp), user_id, keycloak_access_token
     )
 
+    username = user_info.preferred_username
+    if user_verifier.is_active() and not user_verifier.is_user_allowed(username):
+        return JSONResponse(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            content={'error': 'Not authorized via waitlist'},
+        )
+
     valid_offline_token = (
         await token_manager.validate_offline_token(user_id=user_info.sub)
         if idp_type != 'saml'
@@ -366,19 +405,13 @@ async def keycloak_callback(
     )
 
     if not valid_offline_token:
-        param_str = urlencode(
-            {
-                'client_id': KEYCLOAK_CLIENT_ID,
-                'response_type': 'code',
-                'kc_idp_hint': idp,
-                'redirect_uri': f'{web_url}/oauth/keycloak/offline/callback',
-                'scope': 'openid email profile offline_access',
-                'state': state,
-            }
-        )
         redirect_url = (
             f'{KEYCLOAK_SERVER_URL_EXT}/realms/{KEYCLOAK_REALM_NAME}/protocol/openid-connect/auth'
-            f'?{param_str}'
+            f'?client_id={KEYCLOAK_CLIENT_ID}&response_type=code'
+            f'&kc_idp_hint={idp}'
+            f'&redirect_uri={scheme}%3A%2F%2F{request.url.netloc}%2Foauth%2Fkeycloak%2Foffline%2Fcallback'
+            f'&scope=openid%20email%20profile%20offline_access'
+            f'&state={state}'
         )
 
     has_accepted_tos = user.accepted_tos is not None
@@ -457,7 +490,9 @@ async def keycloak_callback(
     # If the user hasn't accepted the TOS, redirect to the TOS page
     if not has_accepted_tos:
         encoded_redirect_url = quote(redirect_url, safe='')
-        tos_redirect_url = f'{web_url}/accept-tos?redirect_url={encoded_redirect_url}'
+        tos_redirect_url = (
+            f'{request.base_url}accept-tos?redirect_url={encoded_redirect_url}'
+        )
         if invitation_token:
             tos_redirect_url = f'{tos_redirect_url}&invitation_success=true'
         response = RedirectResponse(tos_redirect_url, status_code=302)
@@ -471,7 +506,7 @@ async def keycloak_callback(
         response=response,
         keycloak_access_token=keycloak_access_token,
         keycloak_refresh_token=keycloak_refresh_token,
-        secure=True if redirect_url.startswith('https') else False,
+        secure=True if scheme == 'https' else False,
         accepted_tos=has_accepted_tos,
     )
 
@@ -489,9 +524,10 @@ async def keycloak_offline_callback(code: str, state: str, request: Request):
             status_code=status.HTTP_400_BAD_REQUEST,
             content={'error': 'Missing code in request params'},
         )
-
-    web_url = get_web_url(request)
-    redirect_uri = web_url + request.url.path
+    scheme = 'https'
+    if request.url.hostname == 'localhost':
+        scheme = 'http'
+    redirect_uri = f'{scheme}://{request.url.netloc}{request.url.path}'
     logger.debug(f'code: {code}, redirect_uri: {redirect_uri}')
 
     (
@@ -513,14 +549,15 @@ async def keycloak_offline_callback(code: str, state: str, request: Request):
     )
 
     redirect_url, _, _ = _extract_oauth_state(state)
-    return RedirectResponse(redirect_url if redirect_url else web_url, status_code=302)
+    return RedirectResponse(
+        redirect_url if redirect_url else request.base_url, status_code=302
+    )
 
 
 @oauth_router.get('/github/callback')
 async def github_dummy_callback(request: Request):
     """Callback for GitHub that just forwards the user to the app base URL."""
-    web_url = get_web_url(request)
-    return RedirectResponse(web_url, status_code=302)
+    return RedirectResponse(request.base_url, status_code=302)
 
 
 @api_router.post('/authenticate')
@@ -542,8 +579,8 @@ async def authenticate(request: Request):
         if keycloak_auth_cookie:
             response.delete_cookie(
                 key='keycloak_auth',
-                domain=get_cookie_domain(),
-                samesite=get_cookie_samesite(),
+                domain=get_cookie_domain(request),
+                samesite=get_cookie_samesite(request),
             )
 
         return response
@@ -567,8 +604,7 @@ async def accept_tos(request: Request):
 
     # Get redirect URL from request body
     body = await request.json()
-    web_url = get_web_url(request)
-    redirect_url = body.get('redirect_url', str(web_url))
+    redirect_url = body.get('redirect_url', str(request.base_url))
 
     # Update user settings with TOS acceptance
     accepted_tos: datetime = datetime.now(timezone.utc).replace(tzinfo=None)
@@ -598,7 +634,7 @@ async def accept_tos(request: Request):
         response=response,
         keycloak_access_token=access_token.get_secret_value(),
         keycloak_refresh_token=refresh_token.get_secret_value(),
-        secure=not IS_LOCAL_ENV,
+        secure=False if request.url.hostname == 'localhost' else True,
         accepted_tos=True,
     )
     return response
@@ -615,8 +651,8 @@ async def logout(request: Request):
     # Always delete the cookie regardless of what happens
     response.delete_cookie(
         key='keycloak_auth',
-        domain=get_cookie_domain(),
-        samesite=get_cookie_samesite(),
+        domain=get_cookie_domain(request),
+        samesite=get_cookie_samesite(request),
     )
 
     # Try to properly logout from Keycloak, but don't fail if it doesn't work