fix: update agent-server image tag to existing build

The previous image tag 2c1e72a-python (from PR #13120) did not exist in the container registry because: 1. Commit 2c1e72a was a merge commit 2. The Agent Server workflow only built images for the pull_request event (targeting commit 3e81846), not for the push event on the merge commit This caused the Changes tab in the local GUI to fail, as the sandbox couldn't start with a non-existent image. Updated to 50d8f1b-python which is a recent successful push build from 2026-03-04T13:58:07Z that includes the query parameter support from SDK PR #2249. Co-authored-by: openhands <openhands@all-hands.dev>
fix(frontend): hide add team members button when anonymous analytics is disabled (#13209 )
2026-04-29 03:00:45 -04:00 · 2026-03-04 20:09:32 +00:00 · 2026-03-05 02:03:47 +07:00 · 2026-03-05 01:52:33 +07:00 · 2026-03-04 13:43:46 -05:00 · 2026-03-05 01:24:06 +07:00
399 changed files with 29081 additions and 7142 deletions
--- a/.agents/skills/upcoming-release.md
+++ b/.agents/skills/upcoming-release.md
@@ -0,0 +1,22 @@
+---
+name: upcoming-release
+description: Generate a concise summary of PRs included in the upcoming release.
+triggers:
+- /upcoming-release
+---
+
+We want to know what is part of the upcoming release.
+
+To do this, you need two commit SHAs. One SHA is what is currently running. The second SHA is what is going to be
+released. The user must provide these. If the user does not provide these, ask the user to provide them before doing
+anything.
+
+Once you have received the two SHAs:
+1. Run the `.github/scripts/find_prs_between_commits.py` script from the repository root directory with the `--json` flag. The **first SHA** should be the older commit (current release), and the **second SHA** should be the newer commit (what's being released).
+2. Do not show PRs that are chores, dependency updates, adding logs, refactors.
+3. From the remaining PRs, split them into these categories:
+   - Features
+   - Bug fixes
+   - Security/CVE fixes
+   - Other
+4. The output should list the PRs under their category, including the PR number with a brief description of the PR.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,2 @@
+# disable blank issue creation
+blank_issues_enabled: false
--- a/.github/scripts/find_prs_between_commits.py
+++ b/.github/scripts/find_prs_between_commits.py
@@ -0,0 +1,330 @@
+#!/usr/bin/env python3
+"""
+Find all PRs that went in between two commits in the OpenHands/OpenHands repository.
+Handles cherry-picks and different merge strategies.
+
+This script is designed to run from within the OpenHands repository under .github/scripts:
+    .github/scripts/find_prs_between_commits.py
+
+Usage: find_prs_between_commits <older_commit> <newer_commit> [--repo <path>]
+"""
+
+import json
+import os
+import re
+import subprocess
+import sys
+from collections import defaultdict
+from pathlib import Path
+from typing import Optional
+
+
+def find_openhands_repo() -> Optional[Path]:
+    """
+    Find the OpenHands repository.
+    Since this script is designed to live in .github/scripts/, it assumes
+    the repository root is two levels up from the script location.
+    Tries:
+    1. Repository root (../../ from script location)
+    2. Current directory
+    3. Environment variable OPENHANDS_REPO
+    """
+    # Check repository root (assuming script is in .github/scripts/)
+    script_dir = Path(__file__).parent.absolute()
+    repo_root = (
+        script_dir.parent.parent
+    )  # Go up two levels: scripts -> .github -> repo root
+    if (repo_root / '.git').exists():
+        return repo_root
+
+    # Check current directory
+    if (Path.cwd() / '.git').exists():
+        return Path.cwd()
+
+    # Check environment variable
+    if 'OPENHANDS_REPO' in os.environ:
+        repo_path = Path(os.environ['OPENHANDS_REPO'])
+        if (repo_path / '.git').exists():
+            return repo_path
+
+    return None
+
+
+def run_git_command(cmd: list[str], repo_path: Path) -> str:
+    """Run a git command in the repository directory and return its output."""
+    try:
+        result = subprocess.run(
+            cmd, capture_output=True, text=True, check=True, cwd=str(repo_path)
+        )
+        return result.stdout.strip()
+    except subprocess.CalledProcessError as e:
+        print(f'Error running git command: {" ".join(cmd)}', file=sys.stderr)
+        print(f'Error: {e.stderr}', file=sys.stderr)
+        sys.exit(1)
+
+
+def extract_pr_numbers_from_message(message: str) -> set[int]:
+    """Extract PR numbers from commit message in any common format."""
+    # Match #12345 anywhere, including in patterns like (#12345) or "Merge pull request #12345"
+    matches = re.findall(r'#(\d+)', message)
+    return set(int(m) for m in matches)
+
+
+def get_commit_info(commit_hash: str, repo_path: Path) -> tuple[str, str, str]:
+    """Get commit subject, body, and author from a commit hash."""
+    subject = run_git_command(
+        ['git', 'log', '-1', '--format=%s', commit_hash], repo_path
+    )
+    body = run_git_command(['git', 'log', '-1', '--format=%b', commit_hash], repo_path)
+    author = run_git_command(
+        ['git', 'log', '-1', '--format=%an <%ae>', commit_hash], repo_path
+    )
+    return subject, body, author
+
+
+def get_commits_between(
+    older_commit: str, newer_commit: str, repo_path: Path
+) -> list[str]:
+    """Get all commit hashes between two commits."""
+    commits_output = run_git_command(
+        ['git', 'rev-list', f'{older_commit}..{newer_commit}'], repo_path
+    )
+
+    if not commits_output:
+        return []
+
+    return commits_output.split('\n')
+
+
+def get_pr_info_from_github(pr_number: int, repo_path: Path) -> Optional[dict]:
+    """Get PR information from GitHub API if GITHUB_TOKEN is available."""
+    try:
+        # Set up environment with GitHub token
+        env = os.environ.copy()
+        if 'GITHUB_TOKEN' in env:
+            env['GH_TOKEN'] = env['GITHUB_TOKEN']
+
+        result = subprocess.run(
+            [
+                'gh',
+                'pr',
+                'view',
+                str(pr_number),
+                '--json',
+                'number,title,author,mergedAt,baseRefName,headRefName,url',
+            ],
+            capture_output=True,
+            text=True,
+            check=True,
+            env=env,
+            cwd=str(repo_path),
+        )
+        return json.loads(result.stdout)
+    except (subprocess.CalledProcessError, FileNotFoundError, json.JSONDecodeError):
+        return None
+
+
+def find_prs_between_commits(
+    older_commit: str, newer_commit: str, repo_path: Path
+) -> dict[int, dict]:
+    """
+    Find all PRs that went in between two commits.
+    Returns a dictionary mapping PR numbers to their information.
+    """
+    print(f'Repository: {repo_path}', file=sys.stderr)
+    print('Finding PRs between commits:', file=sys.stderr)
+    print(f'  Older: {older_commit}', file=sys.stderr)
+    print(f'  Newer: {newer_commit}', file=sys.stderr)
+    print(file=sys.stderr)
+
+    # Verify commits exist
+    try:
+        run_git_command(['git', 'rev-parse', '--verify', older_commit], repo_path)
+        run_git_command(['git', 'rev-parse', '--verify', newer_commit], repo_path)
+    except SystemExit:
+        print('Error: One or both commits not found in repository', file=sys.stderr)
+        sys.exit(1)
+
+    # Extract PRs from the older commit itself (to exclude from results)
+    # These PRs are already included at or before the older commit
+    older_subject, older_body, _ = get_commit_info(older_commit, repo_path)
+    older_message = f'{older_subject}\n{older_body}'
+    excluded_prs = extract_pr_numbers_from_message(older_message)
+
+    if excluded_prs:
+        print(
+            f'Excluding PRs already in older commit: {", ".join(f"#{pr}" for pr in sorted(excluded_prs))}',
+            file=sys.stderr,
+        )
+        print(file=sys.stderr)
+
+    # Get all commits between the two
+    commits = get_commits_between(older_commit, newer_commit, repo_path)
+    print(f'Found {len(commits)} commits to analyze', file=sys.stderr)
+    print(file=sys.stderr)
+
+    # Extract PR numbers from all commits
+    pr_info: dict[int, dict] = {}
+    commits_by_pr: dict[int, list[str]] = defaultdict(list)
+
+    for commit_hash in commits:
+        subject, body, author = get_commit_info(commit_hash, repo_path)
+        full_message = f'{subject}\n{body}'
+
+        pr_numbers = extract_pr_numbers_from_message(full_message)
+
+        for pr_num in pr_numbers:
+            # Skip PRs that are already in the older commit
+            if pr_num in excluded_prs:
+                continue
+
+            commits_by_pr[pr_num].append(commit_hash)
+
+            if pr_num not in pr_info:
+                pr_info[pr_num] = {
+                    'number': pr_num,
+                    'first_commit': commit_hash[:8],
+                    'first_commit_subject': subject,
+                    'commits': [],
+                    'github_info': None,
+                }
+
+            pr_info[pr_num]['commits'].append(
+                {'hash': commit_hash[:8], 'subject': subject, 'author': author}
+            )
+
+    # Try to get additional info from GitHub API
+    print('Fetching additional info from GitHub API...', file=sys.stderr)
+    for pr_num in pr_info.keys():
+        github_info = get_pr_info_from_github(pr_num, repo_path)
+        if github_info:
+            pr_info[pr_num]['github_info'] = github_info
+
+    print(file=sys.stderr)
+
+    return pr_info
+
+
+def print_results(pr_info: dict[int, dict]):
+    """Print the results in a readable format."""
+    sorted_prs = sorted(pr_info.items(), key=lambda x: x[0])
+
+    print(f'{"=" * 80}')
+    print(f'Found {len(sorted_prs)} PRs')
+    print(f'{"=" * 80}')
+    print()
+
+    for pr_num, info in sorted_prs:
+        print(f'PR #{pr_num}')
+
+        if info['github_info']:
+            gh = info['github_info']
+            print(f'  Title: {gh["title"]}')
+            print(f'  Author: {gh["author"]["login"]}')
+            print(f'  URL: {gh["url"]}')
+            if gh.get('mergedAt'):
+                print(f'  Merged: {gh["mergedAt"]}')
+            if gh.get('baseRefName'):
+                print(f'  Base: {gh["baseRefName"]} ← {gh["headRefName"]}')
+        else:
+            print(f'  Subject: {info["first_commit_subject"]}')
+
+        # Show if this PR has multiple commits (cherry-picked or multiple commits)
+        commit_count = len(info['commits'])
+        if commit_count > 1:
+            print(
+                f'  ⚠️  Found {commit_count} commits (possible cherry-pick or multi-commit PR):'
+            )
+            for commit in info['commits'][:3]:  # Show first 3
+                print(f'      {commit["hash"]}: {commit["subject"][:60]}')
+            if commit_count > 3:
+                print(f'      ... and {commit_count - 3} more')
+        else:
+            print(f'  Commit: {info["first_commit"]}')
+
+        print()
+
+
+def main():
+    if len(sys.argv) < 3:
+        print('Usage: find_prs_between_commits <older_commit> <newer_commit> [options]')
+        print()
+        print('Arguments:')
+        print('  <older_commit>  The older commit hash (or ref)')
+        print('  <newer_commit>  The newer commit hash (or ref)')
+        print()
+        print('Options:')
+        print('  --json          Output results in JSON format')
+        print('  --repo <path>   Path to OpenHands repository (default: auto-detect)')
+        print()
+        print('Example:')
+        print(
+            '  find_prs_between_commits c79e0cd3c7a2501a719c9296828d7a31e4030585 35bddb14f15124a3dc448a74651a6592911d99e9'
+        )
+        print()
+        print('Repository Detection:')
+        print('  The script will try to find the OpenHands repository in this order:')
+        print('  1. --repo argument')
+        print('  2. Repository root (../../ from script location)')
+        print('  3. Current directory')
+        print('  4. OPENHANDS_REPO environment variable')
+        print()
+        print('Environment variables:')
+        print(
+            '  GITHUB_TOKEN    Optional. If set, will fetch additional PR info from GitHub API'
+        )
+        print('  OPENHANDS_REPO  Optional. Path to OpenHands repository')
+        sys.exit(1)
+
+    older_commit = sys.argv[1]
+    newer_commit = sys.argv[2]
+    json_output = '--json' in sys.argv
+
+    # Check for --repo argument
+    repo_path = None
+    if '--repo' in sys.argv:
+        repo_idx = sys.argv.index('--repo')
+        if repo_idx + 1 < len(sys.argv):
+            repo_path = Path(sys.argv[repo_idx + 1])
+            if not (repo_path / '.git').exists():
+                print(f'Error: {repo_path} is not a git repository', file=sys.stderr)
+                sys.exit(1)
+
+    # Auto-detect repository if not specified
+    if repo_path is None:
+        repo_path = find_openhands_repo()
+        if repo_path is None:
+            print('Error: Could not find OpenHands repository', file=sys.stderr)
+            print('Please either:', file=sys.stderr)
+            print(
+                '  1. Place this script in .github/scripts/ within the OpenHands repository',
+                file=sys.stderr,
+            )
+            print('  2. Run from the OpenHands repository directory', file=sys.stderr)
+            print(
+                '  3. Use --repo <path> to specify the repository location',
+                file=sys.stderr,
+            )
+            print('  4. Set OPENHANDS_REPO environment variable', file=sys.stderr)
+            sys.exit(1)
+
+    # Find PRs
+    pr_info = find_prs_between_commits(older_commit, newer_commit, repo_path)
+
+    if json_output:
+        # Output as JSON
+        print(json.dumps(pr_info, indent=2))
+    else:
+        # Print results in human-readable format
+        print_results(pr_info)
+
+        # Also print a simple list for easy copying
+        print(f'{"=" * 80}')
+        print('PR Numbers (for easy copying):')
+        print(f'{"=" * 80}')
+        sorted_pr_nums = sorted(pr_info.keys())
+        print(', '.join(f'#{pr}' for pr in sorted_pr_nums))
+
+
+if __name__ == '__main__':
+    main()
--- a/.github/workflows/enterprise-preview.yml
+++ b/.github/workflows/enterprise-preview.yml
@@ -1,29 +0,0 @@
-# Feature branch preview for enterprise code
-name: Enterprise Preview
-
-# Run on PRs labeled
-on:
-  pull_request:
-    types: [labeled]
-
-# Match ghcr-build.yml, but don't interrupt it.
-concurrency:
-  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
-  cancel-in-progress: false
-
-jobs:
-  # This must happen for the PR Docker workflow when the label is present,
-  # and also if it's added after the fact. Thus, it exists in both places.
-  enterprise-preview:
-    name: Enterprise preview
-    if: github.event.label.name == 'deploy'
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    steps:
-      # This should match the version in ghcr-build.yml
-      - name: Trigger remote job
-        run: |
-          curl --fail-with-body -sS -X POST \
-            -H "Authorization: Bearer ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}" \
-            -H "Accept: application/vnd.github+json" \
-            -d "{\"ref\": \"main\", \"inputs\": {\"openhandsPrNumber\": \"${{ github.event.pull_request.number }}\", \"deployEnvironment\": \"feature\", \"enterpriseImageTag\": \"pr-${{ github.event.pull_request.number }}\" }}" \
-            https://api.github.com/repos/OpenHands/deploy/actions/workflows/deploy.yaml/dispatches
--- a/.github/workflows/ghcr-build.yml
+++ b/.github/workflows/ghcr-build.yml
@@ -240,21 +240,6 @@ jobs:
          # Add build attestations for better security
          sbom: true

-  enterprise-preview:
-    name: Enterprise preview
-    if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy')
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    needs: [ghcr_build_enterprise]
-    steps:
-      # This should match the version in enterprise-preview.yml
-      - name: Trigger remote job
-        run: |
-          curl --fail-with-body -sS -X POST \
-            -H "Authorization: Bearer ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}" \
-            -H "Accept: application/vnd.github+json" \
-            -d "{\"ref\": \"main\", \"inputs\": {\"openhandsPrNumber\": \"${{ github.event.pull_request.number }}\", \"deployEnvironment\": \"feature\", \"enterpriseImageTag\": \"pr-${{ github.event.pull_request.number }}\" }}" \
-            https://api.github.com/repos/OpenHands/deploy/actions/workflows/deploy.yaml/dispatches
-
  # "All Runtime Tests Passed" is a required job for PRs to merge
  # We can remove this once the config changes
  runtime_tests_check_success:
--- a/.github/workflows/pr-review-by-openhands.yml
+++ b/.github/workflows/pr-review-by-openhands.yml
@@ -2,16 +2,11 @@
 name: PR Review by OpenHands

 on:
-    # Use pull_request_target to allow fork PRs to access secrets when triggered by maintainers
-    # Security: This workflow runs when:
-    #   1. A new PR is opened (non-draft), OR
-    #   2. A draft PR is marked as ready for review, OR
-    #   3. A maintainer adds the 'review-this' label, OR
-    #   4. A maintainer requests openhands-agent or all-hands-bot as a reviewer
-    # Only users with write access can add labels or request reviews, ensuring security.
-    # The PR code is explicitly checked out for review, but secrets are only accessible
-    # because the workflow runs in the base repository context
-    pull_request_target:
+    # TEMPORARY MITIGATION (Clinejection hardening)
+    #
+    # We temporarily avoid `pull_request_target` here. We'll restore it after the PR review
+    # workflow is fully hardened for untrusted execution.
+    pull_request:
        types: [opened, ready_for_review, labeled, review_requested]

 permissions:
@@ -21,107 +16,33 @@ permissions:

 jobs:
    pr-review:
-        # Run when one of the following conditions is met:
-        #   1. A new non-draft PR is opened by a trusted contributor, OR
-        #   2. A draft PR is converted to ready for review by a trusted contributor, OR
-        #   3. 'review-this' label is added, OR
-        #   4. openhands-agent or all-hands-bot is requested as a reviewer
-        # Note: FIRST_TIME_CONTRIBUTOR PRs require manual trigger via label/reviewer request
+        # Note: fork PRs will not have access to repository secrets under `pull_request`.
+        # Skip forks to avoid noisy failures until we restore a hardened `pull_request_target` flow.
        if: |
-            (github.event.action == 'opened' && github.event.pull_request.draft == false && github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR') ||
-            (github.event.action == 'ready_for_review' && github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR') ||
-            github.event.label.name == 'review-this' ||
-            github.event.requested_reviewer.login == 'openhands-agent' ||
-            github.event.requested_reviewer.login == 'all-hands-bot'
+            github.event.pull_request.head.repo.full_name == github.repository &&
+            (
+                (github.event.action == 'opened' && github.event.pull_request.draft == false) ||
+                github.event.action == 'ready_for_review' ||
+                (github.event.action == 'labeled' && github.event.label.name == 'review-this') ||
+                (
+                    github.event.action == 'review_requested' &&
+                    (
+                        github.event.requested_reviewer.login == 'openhands-agent' ||
+                        github.event.requested_reviewer.login == 'all-hands-bot'
+                    )
+                )
+            )
        concurrency:
            group: pr-review-${{ github.event.pull_request.number }}
            cancel-in-progress: true
-        runs-on: blacksmith-4vcpu-ubuntu-2404
-        env:
-            LLM_MODEL: litellm_proxy/claude-sonnet-4-5-20250929
-            LLM_BASE_URL: https://llm-proxy.app.all-hands.dev
-            # PR context will be automatically provided by the agent script
-            PR_NUMBER: ${{ github.event.pull_request.number }}
-            PR_TITLE: ${{ github.event.pull_request.title }}
-            PR_BODY: ${{ github.event.pull_request.body }}
-            PR_BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
-            PR_HEAD_BRANCH: ${{ github.event.pull_request.head.ref }}
-            REPO_NAME: ${{ github.repository }}
+        runs-on: ubuntu-24.04
        steps:
-            - name: Checkout software-agent-sdk repository
-              uses: actions/checkout@v5
+            - name: Run PR Review
+              uses: OpenHands/extensions/plugins/pr-review@main
              with:
-                  repository: OpenHands/software-agent-sdk
-                  path: software-agent-sdk
-
-            - name: Checkout PR repository
-              uses: actions/checkout@v5
-              with:
-                  # When using pull_request_target, explicitly checkout the PR branch
-                  # This ensures we review the actual PR code (including fork PRs)
-                  repository: ${{ github.event.pull_request.head.repo.full_name }}
-                  ref: ${{ github.event.pull_request.head.ref }}
-                  fetch-depth: 0
-                  # Security: Don't persist credentials to prevent untrusted PR code from using them
-                  persist-credentials: false
-                  path: pr-repo
-
-            - name: Set up Python
-              uses: actions/setup-python@v6
-              with:
-                  python-version: '3.13'
-
-            - name: Install uv
-              uses: astral-sh/setup-uv@v7
-              with:
-                  enable-cache: true
-
-            - name: Install GitHub CLI
-              run: |
-                  # Install GitHub CLI for posting review comments
-                  sudo apt-get update
-                  sudo apt-get install -y gh
-
-            - name: Install OpenHands dependencies
-              run: |
-                  # Install OpenHands SDK and tools from local checkout
-                  uv pip install --system ./software-agent-sdk/openhands-sdk ./software-agent-sdk/openhands-tools
-
-            - name: Check required configuration
-              env:
-                  LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
-              run: |
-                  if [ -z "$LLM_API_KEY" ]; then
-                    echo "Error: LLM_API_KEY secret is not set."
-                    exit 1
-                  fi
-
-                  echo "PR Number: $PR_NUMBER"
-                  echo "PR Title: $PR_TITLE"
-                  echo "Repository: $REPO_NAME"
-                  echo "LLM model: $LLM_MODEL"
-                  if [ -n "$LLM_BASE_URL" ]; then
-                    echo "LLM base URL: $LLM_BASE_URL"
-                  fi
-
-            - name: Run PR review
-              env:
-                  LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
-                  GITHUB_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
-                  LMNR_PROJECT_API_KEY: ${{ secrets.LMNR_SKILLS_API_KEY }}
-              run: |
-                  # Change to the PR repository directory so agent can analyze the code
-                  cd pr-repo
-
-                  # Run the PR review script from the software-agent-sdk checkout
-                  uv run python ../software-agent-sdk/examples/03_github_workflows/02_pr_review/agent_script.py
-
-            - name: Upload logs as artifact
-              uses: actions/upload-artifact@v5
-              if: always()
-              with:
-                  name: openhands-pr-review-logs
-                  path: |
-                      *.log
-                      output/
-                  retention-days: 7
+                  llm-model: litellm_proxy/claude-sonnet-4-5-20250929
+                  llm-base-url: https://llm-proxy.app.all-hands.dev
+                  review-style: roasted
+                  llm-api-key: ${{ secrets.LLM_API_KEY }}
+                  github-token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+                  lmnr-api-key: ${{ secrets.LMNR_SKILLS_API_KEY }}
--- a/.github/workflows/pr-review-evaluation.yml
+++ b/.github/workflows/pr-review-evaluation.yml
@@ -0,0 +1,85 @@
+---
+name: PR Review Evaluation
+
+# This workflow evaluates how well PR review comments were addressed.
+# It runs when a PR is closed to assess review effectiveness.
+#
+# Security note: pull_request_target is safe here because:
+# 1. Only triggers on PR close (not on code changes)
+# 2. Does not checkout PR code - only downloads artifacts from trusted workflow runs
+# 3. Runs evaluation scripts from the extensions repo, not from the PR
+
+on:
+    pull_request_target:
+        types: [closed]
+
+permissions:
+    contents: read
+    pull-requests: read
+
+jobs:
+    evaluate:
+        runs-on: ubuntu-24.04
+        env:
+            PR_NUMBER: ${{ github.event.pull_request.number }}
+            REPO_NAME: ${{ github.repository }}
+            PR_MERGED: ${{ github.event.pull_request.merged }}
+
+        steps:
+            - name: Download review trace artifact
+              id: download-trace
+              uses: dawidd6/action-download-artifact@v6
+              continue-on-error: true
+              with:
+                  workflow: pr-review-by-openhands.yml
+                  name: pr-review-trace-${{ github.event.pull_request.number }}
+                  path: trace-info
+                  search_artifacts: true
+                  if_no_artifact_found: warn
+
+            - name: Check if trace file exists
+              id: check-trace
+              run: |
+                  if [ -f "trace-info/laminar_trace_info.json" ]; then
+                    echo "trace_exists=true" >> $GITHUB_OUTPUT
+                    echo "Found trace file for PR #$PR_NUMBER"
+                  else
+                    echo "trace_exists=false" >> $GITHUB_OUTPUT
+                    echo "No trace file found for PR #$PR_NUMBER - skipping evaluation"
+                  fi
+
+            # Always checkout main branch for security - cannot test script changes in PRs
+            - name: Checkout extensions repository
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              uses: actions/checkout@v5
+              with:
+                  repository: OpenHands/extensions
+                  path: extensions
+
+            - name: Set up Python
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              uses: actions/setup-python@v6
+              with:
+                  python-version: '3.12'
+
+            - name: Install dependencies
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              run: pip install lmnr
+
+            - name: Run evaluation
+              if: steps.check-trace.outputs.trace_exists == 'true'
+              env:
+                  # Script expects LMNR_PROJECT_API_KEY; org secret is named LMNR_SKILLS_API_KEY
+                  LMNR_PROJECT_API_KEY: ${{ secrets.LMNR_SKILLS_API_KEY }}
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              run: |
+                  python extensions/plugins/pr-review/scripts/evaluate_review.py \
+                      --trace-file trace-info/laminar_trace_info.json
+
+            - name: Upload evaluation logs
+              uses: actions/upload-artifact@v5
+              if: always() && steps.check-trace.outputs.trace_exists == 'true'
+              with:
+                  name: pr-review-evaluation-${{ github.event.pull_request.number }}
+                  path: '*.log'
+                  retention-days: 30
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -165,7 +165,7 @@ Each integration follows a consistent pattern with service classes, storage mode

 **Import Patterns:**
 - Use relative imports without `enterprise.` prefix in enterprise code
- Example: `from storage.database import session_maker` not `from enterprise.storage.database import session_maker`
+- Example: `from storage.database import a_session_maker` not `from enterprise.storage.database import a_session_maker`
 - This ensures code works in both OpenHands and enterprise contexts

 **Test Structure:**
--- a/enterprise/dev_config/python/.pre-commit-config.yaml
+++ b/enterprise/dev_config/python/.pre-commit-config.yaml
@@ -50,8 +50,10 @@ repos:
          - ./
          - stripe==11.5.0
          - pygithub==2.6.1
-        # To see gaps add `--html-report mypy-report/`
-        entry: mypy --config-file enterprise/dev_config/python/mypy.ini enterprise/
+        # Use -p (package) to avoid dual module name conflict when using MYPYPATH
+        # MYPYPATH=enterprise allows resolving bare imports like "from integrations.xxx"
+        # Note: tests package excluded to avoid conflict with core openhands tests
+        entry: bash -c 'MYPYPATH=enterprise mypy --config-file enterprise/dev_config/python/mypy.ini -p integrations -p server -p storage -p sync -p experiments'
        always_run: true
        pass_filenames: false
        files: ^enterprise/
--- a/enterprise/dev_config/python/mypy.ini
+++ b/enterprise/dev_config/python/mypy.ini
@@ -2,7 +2,6 @@
 warn_unused_configs = True
 ignore_missing_imports = True
 check_untyped_defs = True
-explicit_package_bases = True
 warn_unreachable = True
 warn_redundant_casts = True
 no_implicit_optional = True
--- a/enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md
+++ b/enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md
@@ -200,7 +200,7 @@ class MetricsCollector(ABC):
    """Base class for metrics collectors."""

    @abstractmethod
-    def collect(self) -> List[MetricResult]:
+    async def collect(self) -> List[MetricResult]:
        """Collect metrics and return results."""
        pass

@@ -264,12 +264,13 @@ class SystemMetricsCollector(MetricsCollector):
    def collector_name(self) -> str:
        return "system_metrics"

-    def collect(self) -> List[MetricResult]:
+    async def collect(self) -> List[MetricResult]:
        results = []

        # Collect user count
-        with session_maker() as session:
-            user_count = session.query(UserSettings).count()
+        async with a_session_maker() as session:
+            user_count_result = await session.execute(select(func.count()).select_from(UserSettings))
+            user_count = user_count_result.scalar()
            results.append(MetricResult(
                key="total_users",
                value=user_count
@@ -277,9 +278,11 @@ class SystemMetricsCollector(MetricsCollector):

            # Collect conversation count (last 30 days)
            thirty_days_ago = datetime.now(timezone.utc) - timedelta(days=30)
-            conversation_count = session.query(StoredConversationMetadata)\
-                .filter(StoredConversationMetadata.created_at >= thirty_days_ago)\
-                .count()
+            conversation_count_result = await session.execute(
+                select(func.count()).select_from(StoredConversationMetadata)
+                .where(StoredConversationMetadata.created_at >= thirty_days_ago)
+            )
+            conversation_count = conversation_count_result.scalar()

            results.append(MetricResult(
                key="conversations_30d",
@@ -303,7 +306,7 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor):
        """Collect metrics from all registered collectors."""

        # Check if collection is needed
-        if not self._should_collect():
+        if not await self._should_collect():
            return {"status": "skipped", "reason": "too_recent"}

        # Collect metrics from all registered collectors
@@ -313,7 +316,7 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor):
        for collector in collector_registry.get_all_collectors():
            try:
                if collector.should_collect():
-                    results = collector.collect()
+                    results = await collector.collect()
                    for result in results:
                        all_metrics[result.key] = result.value
                    collector_results[collector.collector_name] = len(results)
@@ -322,13 +325,13 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor):
                collector_results[collector.collector_name] = f"error: {e}"

        # Store metrics in database
-        with session_maker() as session:
+        async with a_session_maker() as session:
            telemetry_record = TelemetryMetrics(
                metrics_data=all_metrics,
                collected_at=datetime.now(timezone.utc)
            )
            session.add(telemetry_record)
-            session.commit()
+            await session.commit()

            # Note: No need to track last_collection_at separately
            # Can be derived from MAX(collected_at) in telemetry_metrics
@@ -339,11 +342,12 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor):
            "collectors_run": collector_results
        }

-    def _should_collect(self) -> bool:
+    async def _should_collect(self) -> bool:
        """Check if collection is needed based on interval."""
-        with session_maker() as session:
+        async with a_session_maker() as session:
            # Get last collection time from metrics table
-            last_collected = session.query(func.max(TelemetryMetrics.collected_at)).scalar()
+            result = await session.execute(select(func.max(TelemetryMetrics.collected_at)))
+            last_collected = result.scalar()
            if not last_collected:
                return True

@@ -366,17 +370,19 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
        """Upload pending metrics to Replicated."""

        # Get pending metrics
-        with session_maker() as session:
-            pending_metrics = session.query(TelemetryMetrics)\
-                .filter(TelemetryMetrics.uploaded_at.is_(None))\
-                .order_by(TelemetryMetrics.collected_at)\
-                .all()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(TelemetryMetrics)
+                .where(TelemetryMetrics.uploaded_at.is_(None))
+                .order_by(TelemetryMetrics.collected_at)
+            )
+            pending_metrics = result.scalars().all()

        if not pending_metrics:
            return {"status": "no_pending_metrics"}

        # Get admin email - skip if not available
-        admin_email = self._get_admin_email()
+        admin_email = await self._get_admin_email()
        if not admin_email:
            logger.info("Skipping telemetry upload - no admin email available")
            return {
@@ -413,13 +419,15 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
                    await instance.set_status(InstanceStatus.RUNNING)

                    # Mark as uploaded
-                    with session_maker() as session:
-                        record = session.query(TelemetryMetrics)\
-                            .filter(TelemetryMetrics.id == metric_record.id)\
-                            .first()
+                    async with a_session_maker() as session:
+                        result = await session.execute(
+                            select(TelemetryMetrics)
+                            .where(TelemetryMetrics.id == metric_record.id)
+                        )
+                        record = result.scalar_one_or_none()
                        if record:
                            record.uploaded_at = datetime.now(timezone.utc)
-                            session.commit()
+                            await session.commit()

                    uploaded_count += 1

@@ -427,14 +435,16 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
                    logger.error(f"Failed to upload metrics {metric_record.id}: {e}")

                    # Update error info
-                    with session_maker() as session:
-                        record = session.query(TelemetryMetrics)\
-                            .filter(TelemetryMetrics.id == metric_record.id)\
-                            .first()
+                    async with a_session_maker() as session:
+                        result = await session.execute(
+                            select(TelemetryMetrics)
+                            .where(TelemetryMetrics.id == metric_record.id)
+                        )
+                        record = result.scalar_one_or_none()
                        if record:
                            record.upload_attempts += 1
                            record.last_upload_error = str(e)
-                            session.commit()
+                            await session.commit()

                    failed_count += 1

@@ -448,7 +458,7 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
            "total_processed": len(pending_metrics)
        }

-    def _get_admin_email(self) -> str | None:
+    async def _get_admin_email(self) -> str | None:
        """Get administrator email for customer identification."""
        # 1. Check environment variable first
        env_admin_email = os.getenv('OPENHANDS_ADMIN_EMAIL')
@@ -457,12 +467,15 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
            return env_admin_email

        # 2. Use first active user's email (earliest accepted_tos)
-        with session_maker() as session:
-            first_user = session.query(UserSettings)\
-                .filter(UserSettings.email.isnot(None))\
-                .filter(UserSettings.accepted_tos.isnot(None))\
-                .order_by(UserSettings.accepted_tos.asc())\
-                .first()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(UserSettings)
+                .where(UserSettings.email.isnot(None))
+                .where(UserSettings.accepted_tos.isnot(None))
+                .order_by(UserSettings.accepted_tos.asc())
+                .limit(1)
+            )
+            first_user = result.scalar_one_or_none()

            if first_user and first_user.email:
                logger.info(f"Using first active user email: {first_user.email}")
@@ -474,15 +487,16 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):

    async def _update_telemetry_identity(self, customer_id: str, instance_id: str) -> None:
        """Update or create telemetry identity record."""
-        with session_maker() as session:
-            identity = session.query(TelemetryIdentity).first()
+        async with a_session_maker() as session:
+            result = await session.execute(select(TelemetryIdentity).limit(1))
+            identity = result.scalar_one_or_none()
            if not identity:
                identity = TelemetryIdentity()
                session.add(identity)

            identity.customer_id = customer_id
            identity.instance_id = instance_id
-            session.commit()
+            await session.commit()
 ```

 ### 4.4 License Warning System
@@ -503,11 +517,13 @@ async def get_license_status():
    if not _is_openhands_enterprise():
        return {"warn": False, "message": ""}

-    with session_maker() as session:
+    async with a_session_maker() as session:
        # Get last successful upload time from metrics table
-        last_upload = session.query(func.max(TelemetryMetrics.uploaded_at))\
-            .filter(TelemetryMetrics.uploaded_at.isnot(None))\
-            .scalar()
+        result = await session.execute(
+            select(func.max(TelemetryMetrics.uploaded_at))
+            .where(TelemetryMetrics.uploaded_at.isnot(None))
+        )
+        last_upload = result.scalar()

        if not last_upload:
            # No successful uploads yet - show warning after 4 days
@@ -521,10 +537,13 @@ async def get_license_status():

        if days_since_upload > 4:
            # Find oldest unsent batch
-            oldest_unsent = session.query(TelemetryMetrics)\
-                .filter(TelemetryMetrics.uploaded_at.is_(None))\
-                .order_by(TelemetryMetrics.collected_at)\
-                .first()
+            result = await session.execute(
+                select(TelemetryMetrics)
+                .where(TelemetryMetrics.uploaded_at.is_(None))
+                .order_by(TelemetryMetrics.collected_at)
+                .limit(1)
+            )
+            oldest_unsent = result.scalar_one_or_none()

            if oldest_unsent:
                # Calculate expiration date (oldest unsent + 34 days)
@@ -630,19 +649,23 @@ spec:
            - python
            - -c
            - |
+              import asyncio
              from enterprise.storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus
-              from enterprise.storage.database import session_maker
+              from enterprise.storage.database import a_session_maker
              from enterprise.server.telemetry.collection_processor import TelemetryCollectionProcessor

-              # Create collection task
-              processor = TelemetryCollectionProcessor()
-              task = MaintenanceTask()
-              task.set_processor(processor)
-              task.status = MaintenanceTaskStatus.PENDING
+              async def main():
+                  # Create collection task
+                  processor = TelemetryCollectionProcessor()
+                  task = MaintenanceTask()
+                  task.set_processor(processor)
+                  task.status = MaintenanceTaskStatus.PENDING

-              with session_maker() as session:
-                  session.add(task)
-                  session.commit()
+                  async with a_session_maker() as session:
+                      session.add(task)
+                      await session.commit()
+
+              asyncio.run(main())
          restartPolicy: OnFailure
 ```

@@ -680,23 +703,27 @@ spec:
            - python
            - -c
            - |
+              import asyncio
              from enterprise.storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus
-              from enterprise.storage.database import session_maker
+              from enterprise.storage.database import a_session_maker
              from enterprise.server.telemetry.upload_processor import TelemetryUploadProcessor
              import os

-              # Create upload task
-              processor = TelemetryUploadProcessor(
-                  replicated_publishable_key=os.getenv('REPLICATED_PUBLISHABLE_KEY'),
-                  replicated_app_slug=os.getenv('REPLICATED_APP_SLUG', 'openhands-enterprise')
-              )
-              task = MaintenanceTask()
-              task.set_processor(processor)
-              task.status = MaintenanceTaskStatus.PENDING
+              async def main():
+                  # Create upload task
+                  processor = TelemetryUploadProcessor(
+                      replicated_publishable_key=os.getenv('REPLICATED_PUBLISHABLE_KEY'),
+                      replicated_app_slug=os.getenv('REPLICATED_APP_SLUG', 'openhands-enterprise')
+                  )
+                  task = MaintenanceTask()
+                  task.set_processor(processor)
+                  task.status = MaintenanceTaskStatus.PENDING

-              with session_maker() as session:
-                  session.add(task)
-                  session.commit()
+                  async with a_session_maker() as session:
+                      session.add(task)
+                      await session.commit()
+
+              asyncio.run(main())
          restartPolicy: OnFailure
 ```

--- a/enterprise/doc/design-doc/plugin-launch-flow.md
+++ b/enterprise/doc/design-doc/plugin-launch-flow.md
@@ -0,0 +1,131 @@
+# Plugin Launch Flow
+
+This document describes how plugins are launched in OpenHands Saas / Enterprise, from the plugin directory through to agent execution.
+
+## Architecture Overview
+
+```
+Plugin Directory ──▶ Frontend /launch ──▶ App Server ──▶ Agent Server ──▶ SDK
+    (external)           (modal)           (API)        (in sandbox)    (plugin loading)
+```
+
+| Component | Responsibility |
+|-----------|---------------|
+| **Plugin Directory** | Index plugins, present to user, construct launch URLs |
+| **Frontend** | Display confirmation modal, collect parameters, call API |
+| **App Server** | Validate request, pass plugin specs to agent server |
+| **Agent Server** | Run inside sandbox, delegate plugin loading to SDK |
+| **SDK** | Fetch plugins, load contents, merge skills/hooks/MCP into agent |
+
+## User Experience
+
+### Plugin Directory
+
+The plugin directory presents users with a catalog of available plugins. For each plugin, users see:
+- Plugin name and description (from `plugin.json`)
+- Author and version information
+- A "Launch" button
+
+When a user clicks "Launch", the plugin directory:
+1. Reads the plugin's `entry_command` to know which slash command to invoke
+2. Determines what parameters the plugin accepts (if any)
+3. Redirects to OpenHands with this information encoded in the URL
+
+### Parameter Collection
+
+If a plugin requires user input (API keys, configuration values, etc.), the frontend displays a form modal before starting the conversation. Parameters are passed in the launch URL and rendered as form fields based on their type:
+
+- **String values** → Text input
+- **Number values** → Number input
+- **Boolean values** → Checkbox
+
+Only primitive types are supported. Complex types (arrays, objects) are not currently supported for parameter input.
+
+The user fills in required values, then clicks "Start Conversation" to proceed.
+
+## Launch Flow
+
+1. **Plugin Directory** (external) constructs a launch URL to the OpenHands app server when user clicks "Launch":
+   ```
+   /launch?plugins=BASE64_JSON&message=/city-weather:now%20Tokyo
+   ```
+
+   The `plugins` parameter includes any parameter definitions with default values:
+   ```json
+   [{
+     "source": "github:owner/repo",
+     "repo_path": "plugins/my-plugin",
+     "parameters": {"api_key": "", "timeout": 30, "debug": false}
+   }]
+   ```
+
+2. **OpenHands Frontend** (`/launch` route, [PR #12699](https://github.com/OpenHands/OpenHands/pull/12699)) displays modal with parameter form, collects user input
+
+3. **OpenHands App Server** ([PR #12338](https://github.com/OpenHands/OpenHands/pull/12338)) receives the API call:
+   ```
+   POST /api/v1/app-conversations
+   {
+     "plugins": [{"source": "github:owner/repo", "repo_path": "plugins/city-weather"}],
+     "initial_message": {"content": [{"type": "text", "text": "/city-weather:now Tokyo"}]}
+   }
+   ```
+
+   Call stack:
+   - `AppConversationRouter` receives request with `PluginSpec` list
+   - `LiveStatusAppConversationService._finalize_conversation_request()` converts `PluginSpec` → `PluginSource`
+   - Creates `StartConversationRequest(plugins=sdk_plugins, ...)` and sends to agent server
+
+4. **Agent Server** (inside sandbox, [SDK PR #1651](https://github.com/OpenHands/software-agent-sdk/pull/1651)) stores specs, defers loading:
+
+   Call stack:
+   - `ConversationService.start_conversation()` receives `StartConversationRequest`
+   - Creates `StoredConversation` with plugin specs
+   - Creates `LocalConversation(plugins=request.plugins, ...)`
+   - Plugin loading deferred until first `run()` or `send_message()`
+
+5. **SDK** fetches and loads plugins on first use:
+
+   Call stack:
+   - `LocalConversation._ensure_plugins_loaded()` triggered by first message
+   - For each plugin spec:
+     - `Plugin.fetch(source, ref, repo_path)` → clones/caches git repo
+     - `Plugin.load(path)` → parses `plugin.json`, loads commands/skills/hooks
+     - `plugin.add_skills_to(context)` → merges skills into agent
+     - `plugin.add_mcp_config_to(config)` → merges MCP servers
+
+6. **Agent** receives message, `/city-weather:now` triggers the skill
+
+## Key Design Decisions
+
+### Plugin Loading in Sandbox
+
+Plugins load **inside the sandbox** because:
+- Plugin hooks and scripts need isolated execution
+- MCP servers run inside the sandbox
+- Skills may reference sandbox filesystem
+
+### Entry Command Handling
+
+The `entry_command` field in `plugin.json` allows plugin authors to declare a default command:
+
+```json
+{
+  "name": "city-weather",
+  "entry_command": "now"
+}
+```
+
+This flows through the system:
+1. Plugin author declares `entry_command` in plugin.json
+2. Plugin directory reads it when indexing
+3. Plugin directory includes `/city-weather:now` in the launch URL's `message` parameter
+4. Message passes through to agent as `initial_message`
+
+The SDK exposes this field but does not auto-invoke it—callers control the initial message.
+
+## Related
+
+- [OpenHands PR #12338](https://github.com/OpenHands/OpenHands/pull/12338) - App server plugin support
+- [OpenHands PR #12699](https://github.com/OpenHands/OpenHands/pull/12699) - Frontend `/launch` route
+- [SDK PR #1651](https://github.com/OpenHands/software-agent-sdk/pull/1651) - Agent server plugin loading
+- [SDK PR #1647](https://github.com/OpenHands/software-agent-sdk/pull/1647) - Plugin.fetch() for remote plugin fetching
--- a/enterprise/downgrade_migrated_users.py
+++ b/enterprise/downgrade_migrated_users.py
@@ -1,207 +0,0 @@
-#!/usr/bin/env python
-"""
-This script can be removed once orgs is established - probably after Feb 15 2026
-
-Downgrade script for migrated users.
-
-This script identifies users who have been migrated (already_migrated=True)
-and reverts them back to the pre-migration state.
-
-Usage:
-    # Dry run - just list the users that would be downgraded
-    python downgrade_migrated_users.py --dry-run
-
-    # Downgrade a specific user by their keycloak_user_id
-    python downgrade_migrated_users.py --user-id <user_id>
-
-    # Downgrade all migrated users (with confirmation)
-    python downgrade_migrated_users.py --all
-
-    # Downgrade all migrated users without confirmation (dangerous!)
-    python downgrade_migrated_users.py --all --no-confirm
-"""
-
-import argparse
-import asyncio
-import sys
-
-# Add the enterprise directory to the path
-sys.path.insert(0, '/workspace/project/OpenHands/enterprise')
-
-from server.logger import logger
-from sqlalchemy import select, text
-from storage.database import session_maker
-from storage.user_settings import UserSettings
-from storage.user_store import UserStore
-
-
-def get_migrated_users() -> list[str]:
-    """Get list of keycloak_user_ids for users who have been migrated.
-
-    This includes:
-    1. Users with already_migrated=True in user_settings (migrated users)
-    2. Users in the 'user' table who don't have a user_settings entry (new sign-ups)
-    """
-    with session_maker() as session:
-        # Get users from user_settings with already_migrated=True
-        migrated_result = session.execute(
-            select(UserSettings.keycloak_user_id).where(
-                UserSettings.already_migrated.is_(True)
-            )
-        )
-        migrated_users = {row[0] for row in migrated_result.fetchall() if row[0]}
-
-        # Get users from the 'user' table (new sign-ups won't have user_settings)
-        # These are users who signed up after the migration was deployed
-        new_signup_result = session.execute(
-            text("""
-                SELECT CAST(u.id AS VARCHAR)
-                FROM "user" u
-                WHERE NOT EXISTS (
-                    SELECT 1 FROM user_settings us
-                    WHERE us.keycloak_user_id = CAST(u.id AS VARCHAR)
-                )
-            """)
-        )
-        new_signups = {row[0] for row in new_signup_result.fetchall() if row[0]}
-
-        # Combine both sets
-        all_users = migrated_users | new_signups
-        return list(all_users)
-
-
-async def downgrade_user(user_id: str) -> bool:
-    """Downgrade a single user.
-
-    Args:
-        user_id: The keycloak_user_id to downgrade
-
-    Returns:
-        True if successful, False otherwise
-    """
-    try:
-        result = await UserStore.downgrade_user(user_id)
-        if result:
-            print(f'✓ Successfully downgraded user: {user_id}')
-            return True
-        else:
-            print(f'✗ Failed to downgrade user: {user_id}')
-            return False
-    except Exception as e:
-        print(f'✗ Error downgrading user {user_id}: {e}')
-        logger.exception(
-            'downgrade_script:error',
-            extra={'user_id': user_id, 'error': str(e)},
-        )
-        return False
-
-
-async def main():
-    parser = argparse.ArgumentParser(
-        description='Downgrade migrated users back to pre-migration state'
-    )
-    parser.add_argument(
-        '--dry-run',
-        action='store_true',
-        help='Just list users that would be downgraded, without making changes',
-    )
-    parser.add_argument(
-        '--user-id',
-        type=str,
-        help='Downgrade a specific user by keycloak_user_id',
-    )
-    parser.add_argument(
-        '--all',
-        action='store_true',
-        help='Downgrade all migrated users',
-    )
-    parser.add_argument(
-        '--no-confirm',
-        action='store_true',
-        help='Skip confirmation prompt (use with caution!)',
-    )
-
-    args = parser.parse_args()
-
-    # Get list of migrated users
-    migrated_users = get_migrated_users()
-    print(f'\nFound {len(migrated_users)} migrated user(s).')
-
-    if args.dry_run:
-        print('\n--- DRY RUN MODE ---')
-        print('The following users would be downgraded:')
-        for user_id in migrated_users:
-            print(f'  - {user_id}')
-        print('\nNo changes were made.')
-        return
-
-    if args.user_id:
-        # Downgrade a specific user
-        if args.user_id not in migrated_users:
-            print(f'\nUser {args.user_id} is not in the migrated users list.')
-            print('Either the user was not migrated, or the user_id is incorrect.')
-            return
-
-        print(f'\nDowngrading user: {args.user_id}')
-        if not args.no_confirm:
-            confirm = input('Are you sure? (yes/no): ')
-            if confirm.lower() != 'yes':
-                print('Cancelled.')
-                return
-
-        success = await downgrade_user(args.user_id)
-        if success:
-            print('\nDowngrade completed successfully.')
-        else:
-            print('\nDowngrade failed. Check logs for details.')
-            sys.exit(1)
-
-    elif args.all:
-        # Downgrade all migrated users
-        if not migrated_users:
-            print('\nNo migrated users to downgrade.')
-            return
-
-        print(f'\n⚠️  About to downgrade {len(migrated_users)} user(s).')
-        if not args.no_confirm:
-            print('\nThis will:')
-            print('  - Revert LiteLLM team/user budget settings')
-            print('  - Delete organization entries')
-            print('  - Delete user entries in the new schema')
-            print('  - Reset the already_migrated flag')
-            print('\nUsers to downgrade:')
-            for user_id in migrated_users[:10]:  # Show first 10
-                print(f'  - {user_id}')
-            if len(migrated_users) > 10:
-                print(f'  ... and {len(migrated_users) - 10} more')
-
-            confirm = input('\nType "yes" to proceed: ')
-            if confirm.lower() != 'yes':
-                print('Cancelled.')
-                return
-
-        print('\nStarting downgrade...\n')
-        success_count = 0
-        fail_count = 0
-
-        for user_id in migrated_users:
-            success = await downgrade_user(user_id)
-            if success:
-                success_count += 1
-            else:
-                fail_count += 1
-
-        print('\n--- Summary ---')
-        print(f'Successful: {success_count}')
-        print(f'Failed: {fail_count}')
-
-        if fail_count > 0:
-            sys.exit(1)
-
-    else:
-        parser.print_help()
-        print('\nPlease specify --dry-run, --user-id, or --all')
-
-
-if __name__ == '__main__':
-    asyncio.run(main())
--- a/enterprise/integrations/github/data_collector.py
+++ b/enterprise/integrations/github/data_collector.py
@@ -116,10 +116,8 @@ class GitHubDataCollector:

        return suffix

-    def _get_installation_access_token(self, installation_id: str) -> str:
-        token_data = self.github_integration.get_access_token(
-            installation_id  # type: ignore[arg-type]
-        )
+    def _get_installation_access_token(self, installation_id: int) -> str:
+        token_data = self.github_integration.get_access_token(installation_id)
        return token_data.token

    def _check_openhands_author(self, name, login) -> bool:
@@ -134,7 +132,7 @@ class GitHubDataCollector:
        )

    def _get_issue_comments(
-        self, installation_id: str, repo_name: str, issue_number: int, conversation_id
+        self, installation_id: int, repo_name: str, issue_number: int, conversation_id
    ) -> list[dict[str, Any]]:
        """
        Retrieve all comments from an issue until a comment with conversation_id is found
@@ -234,7 +232,7 @@ class GitHubDataCollector:
            f'[Github]: Saved issue #{issue_number} for {github_view.full_repo_name}'
        )

-    def _get_pr_commits(self, installation_id: str, repo_name: str, pr_number: int):
+    def _get_pr_commits(self, installation_id: int, repo_name: str, pr_number: int):
        commits = []
        installation_token = self._get_installation_access_token(installation_id)
        with Github(auth=Auth.Token(installation_token)) as github_client:
@@ -431,7 +429,7 @@ class GitHubDataCollector:
        - Num openhands review comments
        """
        pr_number = openhands_pr.pr_number
-        installation_id = openhands_pr.installation_id
+        installation_id = int(openhands_pr.installation_id)
        repo_id = openhands_pr.repo_id

        # Get installation token and create Github client
@@ -569,7 +567,7 @@ class GitHubDataCollector:
        openhands_helped_author = openhands_commit_count > 0

        # Update the PR with OpenHands statistics
-        update_success = store.update_pr_openhands_stats(
+        update_success = await store.update_pr_openhands_stats(
            repo_id=repo_id,
            pr_number=pr_number,
            original_updated_at=openhands_pr.updated_at,
@@ -612,7 +610,7 @@ class GitHubDataCollector:
        action = payload.get('action', '')
        return action == 'closed' and 'pull_request' in payload

-    def _track_closed_or_merged_pr(self, payload):
+    async def _track_closed_or_merged_pr(self, payload):
        """
        Track PR closed/merged event
        """
@@ -671,17 +669,17 @@ class GitHubDataCollector:
            num_general_comments=num_general_comments,
        )

-        store.insert_pr(pr)
+        await store.insert_pr(pr)
        logger.info(f'Tracked PR {status}: {repo_id}#{pr_number}')

-    def process_payload(self, message: Message):
+    async def process_payload(self, message: Message):
        if not COLLECT_GITHUB_INTERACTIONS:
            return

        raw_payload = message.message.get('payload', {})

        if self._is_pr_closed_or_merged(raw_payload):
-            self._track_closed_or_merged_pr(raw_payload)
+            await self._track_closed_or_merged_pr(raw_payload)

    async def save_data(self, github_view: ResolverViewInterface):
        if not COLLECT_GITHUB_INTERACTIONS:
--- a/enterprise/integrations/github/github_manager.py
+++ b/enterprise/integrations/github/github_manager.py
@@ -10,6 +10,7 @@ from integrations.github.github_view import (
    GithubIssue,
    GithubIssueComment,
    GithubPRComment,
+    GithubViewType,
 )
 from integrations.manager import Manager
 from integrations.models import (
@@ -22,6 +23,7 @@ from integrations.utils import (
    HOST_URL,
    OPENHANDS_RESOLVER_TEMPLATES_DIR,
    get_session_expired_message,
+    get_user_not_found_message,
 )
 from integrations.v1_utils import get_saas_user_auth
 from jinja2 import Environment, FileSystemLoader
@@ -40,10 +42,9 @@ from openhands.server.types import (
    SessionExpiredError,
 )
 from openhands.storage.data_models.secrets import Secrets
-from openhands.utils.async_utils import call_sync_from_async


-class GithubManager(Manager):
+class GithubManager(Manager[GithubViewType]):
    def __init__(
        self, token_manager: TokenManager, data_collector: GitHubDataCollector
    ):
@@ -67,11 +68,8 @@ class GithubManager(Manager):

        return f'{owner}/{repo_name}'

-    def _get_installation_access_token(self, installation_id: str) -> str:
-        # get_access_token is typed to only accept int, but it can handle str.
-        token_data = self.github_integration.get_access_token(
-            installation_id  # type: ignore[arg-type]
-        )
+    def _get_installation_access_token(self, installation_id: int) -> str:
+        token_data = self.github_integration.get_access_token(installation_id)
        return token_data.token

    def _add_reaction(
@@ -126,6 +124,76 @@ class GithubManager(Manager):

            return False

+    def _get_issue_number_from_payload(self, message: Message) -> int | None:
+        """Extract issue/PR number from a GitHub webhook payload.
+
+        Supports all event types that can trigger jobs:
+        - Labeled issues: payload['issue']['number']
+        - Issue comments: payload['issue']['number']
+        - PR comments: payload['issue']['number'] (PRs are accessed via issue endpoint)
+        - Inline PR comments: payload['pull_request']['number']
+
+        Args:
+            message: The incoming GitHub webhook message
+
+        Returns:
+            The issue/PR number, or None if not found
+        """
+        payload = message.message.get('payload', {})
+
+        # Labeled issues, issue comments, and PR comments all have 'issue' in payload
+        if 'issue' in payload:
+            return payload['issue']['number']
+
+        # Inline PR comments have 'pull_request' directly in payload
+        if 'pull_request' in payload:
+            return payload['pull_request']['number']
+
+        return None
+
+    def _send_user_not_found_message(self, message: Message, username: str):
+        """Send a message to the user informing them they need to create an OpenHands account.
+
+        This method handles all supported trigger types:
+        - Labeled issues (action='labeled' with openhands label)
+        - Issue comments (comment containing @openhands)
+        - PR comments (comment containing @openhands on a PR)
+        - Inline PR review comments (comment containing @openhands)
+
+        Args:
+            message: The incoming GitHub webhook message
+            username: The GitHub username to mention in the response
+        """
+        payload = message.message.get('payload', {})
+        installation_id = message.message['installation']
+        repo_obj = payload['repository']
+        full_repo_name = self._get_full_repo_name(repo_obj)
+
+        # Get installation token to post the comment
+        installation_token = self._get_installation_access_token(installation_id)
+
+        # Determine the issue/PR number based on the event type
+        issue_number = self._get_issue_number_from_payload(message)
+
+        if not issue_number:
+            logger.warning(
+                f'[GitHub] Could not determine issue/PR number to send user not found message for {username}. '
+                f'Payload keys: {list(payload.keys())}'
+            )
+            return
+
+        # Post the comment
+        try:
+            with Github(auth=Auth.Token(installation_token)) as github_client:
+                repo = github_client.get_repo(full_repo_name)
+                issue = repo.get_issue(number=issue_number)
+                issue.create_comment(get_user_not_found_message(username))
+        except Exception as e:
+            logger.error(
+                f'[GitHub] Failed to send user not found message to {username} '
+                f'on {full_repo_name}#{issue_number}: {e}'
+            )
+
    async def is_job_requested(self, message: Message) -> bool:
        self._confirm_incoming_source_type(message)

@@ -170,7 +238,7 @@ class GithubManager(Manager):
    async def receive_message(self, message: Message):
        self._confirm_incoming_source_type(message)
        try:
-            await call_sync_from_async(self.data_collector.process_payload, message)
+            await self.data_collector.process_payload(message)
        except Exception:
            logger.warning(
                '[Github]: Error processing payload for gh interaction', exc_info=True
@@ -179,9 +247,20 @@ class GithubManager(Manager):
        if await self.is_job_requested(message):
            payload = message.message.get('payload', {})
            user_id = payload['sender']['id']
+            username = payload['sender']['login']
            keycloak_user_id = await self.token_manager.get_user_id_from_idp_user_id(
                user_id, ProviderType.GITHUB
            )
+
+            # Check if the user has an OpenHands account
+            if not keycloak_user_id:
+                logger.warning(
+                    f'[GitHub] User {username} (id={user_id}) not found in Keycloak. '
+                    f'User must create an OpenHands account first.'
+                )
+                self._send_user_not_found_message(message, username)
+                return
+
            github_view = await GithubFactory.create_github_view_from_payload(
                message, keycloak_user_id
            )
@@ -193,46 +272,51 @@ class GithubManager(Manager):
                github_view.installation_id
            )
            # Store the installation token
-            self.token_manager.store_org_token(
+            await self.token_manager.store_org_token(
                github_view.installation_id, installation_token
            )
            # Add eyes reaction to acknowledge we've read the request
            self._add_reaction(github_view, 'eyes', installation_token)
            await self.start_job(github_view)

-    async def send_message(self, message: Message, github_view: ResolverViewInterface):
-        installation_token = self.token_manager.load_org_token(
+    async def send_message(self, message: str, github_view: GithubViewType):
+        """Send a message to GitHub.
+
+        Args:
+            message: The message content to send (plain text string)
+            github_view: The GitHub view object containing issue/PR/comment info
+        """
+        installation_token = await self.token_manager.load_org_token(
            github_view.installation_id
        )
        if not installation_token:
            logger.warning('Missing installation token')
            return

-        outgoing_message = message.message
-
        if isinstance(github_view, GithubInlinePRComment):
            with Github(auth=Auth.Token(installation_token)) as github_client:
                repo = github_client.get_repo(github_view.full_repo_name)
                pr = repo.get_pull(github_view.issue_number)
                pr.create_review_comment_reply(
-                    comment_id=github_view.comment_id, body=outgoing_message
+                    comment_id=github_view.comment_id, body=message
                )

-        elif (
-            isinstance(github_view, GithubPRComment)
-            or isinstance(github_view, GithubIssueComment)
-            or isinstance(github_view, GithubIssue)
+        elif isinstance(
+            github_view, (GithubPRComment, GithubIssueComment, GithubIssue)
        ):
            with Github(auth=Auth.Token(installation_token)) as github_client:
                repo = github_client.get_repo(github_view.full_repo_name)
                issue = repo.get_issue(number=github_view.issue_number)
-                issue.create_comment(outgoing_message)
+                issue.create_comment(message)

        else:
-            logger.warning('Unsupported location')
+            # Catch any new types added to GithubViewType that aren't handled above
+            logger.warning(  # type: ignore[unreachable]
+                f'Unsupported github_view type: {type(github_view).__name__}'
+            )
            return

-    async def start_job(self, github_view: ResolverViewInterface):
+    async def start_job(self, github_view: GithubViewType) -> None:
        """Kick off a job with openhands agent.

        1. Get user credential
@@ -245,7 +329,7 @@ class GithubManager(Manager):
        )

        try:
-            msg_info = None
+            msg_info: str = ''

            try:
                user_info = github_view.user_info
@@ -361,15 +445,13 @@ class GithubManager(Manager):

                msg_info = get_session_expired_message(user_info.username)

-            msg = self.create_outgoing_message(msg_info)
-            await self.send_message(msg, github_view)
+            await self.send_message(msg_info, github_view)

        except Exception:
            logger.exception('[Github]: Error starting job')
-            msg = self.create_outgoing_message(
-                msg='Uh oh! There was an unexpected error starting the job :('
+            await self.send_message(
+                'Uh oh! There was an unexpected error starting the job :(', github_view
            )
-            await self.send_message(msg, github_view)

        try:
            await self.data_collector.save_data(github_view)
--- a/enterprise/integrations/github/github_service.py
+++ b/enterprise/integrations/github/github_service.py
@@ -122,13 +122,37 @@ class SaaSGitHubService(GitHubService):
            raise Exception(f'No node_id found for repository {repo_id}')
        return node_id

+    async def _get_external_auth_id(self) -> str | None:
+        """Get or fetch external_auth_id from Keycloak token if not already set."""
+        if self.external_auth_id:
+            return self.external_auth_id
+
+        if self.external_auth_token:
+            try:
+                user_info = await self.token_manager.get_user_info(
+                    self.external_auth_token.get_secret_value()
+                )
+                self.external_auth_id = user_info.sub
+                logger.info(
+                    f'Determined external_auth_id from Keycloak token: {self.external_auth_id}'
+                )
+                return self.external_auth_id
+            except Exception as e:
+                logger.warning(
+                    f'Could not determine external_auth_id from token: {e}',
+                    exc_info=True,
+                )
+        return None
+
    async def get_paginated_repos(self, page, per_page, sort, installation_id):
        repositories = await super().get_paginated_repos(
            page, per_page, sort, installation_id
        )
-        asyncio.create_task(
-            store_repositories_in_db(repositories, self.external_auth_id)
-        )
+        external_auth_id = await self._get_external_auth_id()
+        if external_auth_id:
+            asyncio.create_task(
+                store_repositories_in_db(repositories, external_auth_id)
+            )
        return repositories

    async def get_all_repositories(
@@ -136,8 +160,10 @@ class SaaSGitHubService(GitHubService):
    ) -> list[Repository]:
        repositories = await super().get_all_repositories(sort, app_mode)
        # Schedule the background task without awaiting it
-        asyncio.create_task(
-            store_repositories_in_db(repositories, self.external_auth_id)
-        )
+        external_auth_id = await self._get_external_auth_id()
+        if external_auth_id:
+            asyncio.create_task(
+                store_repositories_in_db(repositories, external_auth_id)
+            )
        # Return repositories immediately
        return repositories
--- a/enterprise/integrations/github/github_solvability.py
+++ b/enterprise/integrations/github/github_solvability.py
@@ -14,7 +14,6 @@ from integrations.solvability.models.summary import SolvabilitySummary
 from integrations.utils import ENABLE_SOLVABILITY_ANALYSIS
 from pydantic import ValidationError
 from server.config import get_config
-from storage.database import session_maker
 from storage.saas_settings_store import SaasSettingsStore

 from openhands.core.config import LLMConfig
@@ -90,7 +89,6 @@ async def summarize_issue_solvability(
    # Grab the user's information so we can load their LLM configuration
    store = SaasSettingsStore(
        user_id=github_view.user_info.keycloak_user_id,
-        session_maker=session_maker,
        config=get_config(),
    )

@@ -108,6 +106,11 @@ async def summarize_issue_solvability(
            f'Solvability analysis disabled for user {github_view.user_info.user_id}'
        )

+    if user_settings.llm_api_key is None:
+        raise ValueError(
+            f'[Solvability] No LLM API key found for user {github_view.user_info.user_id}'
+        )
+
    try:
        llm_config = LLMConfig(
            model=user_settings.llm_model,
--- a/enterprise/integrations/github/github_view.py
+++ b/enterprise/integrations/github/github_view.py
@@ -24,7 +24,6 @@ from jinja2 import Environment
 from server.auth.constants import GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
 from server.auth.token_manager import TokenManager
 from server.config import get_config
-from storage.database import session_maker
 from storage.org_store import OrgStore
 from storage.proactive_conversation_store import ProactiveConversationStore
 from storage.saas_secrets_store import SaasSecretsStore
@@ -73,7 +72,6 @@ async def get_user_proactive_conversation_setting(user_id: str | None) -> bool:
        This function checks both the global environment variable kill switch AND
        the user's individual setting. Both must be true for the function to return true.
    """
-
    # If no user ID is provided, we can't check user settings
    if not user_id:
        return False
@@ -82,13 +80,10 @@ async def get_user_proactive_conversation_setting(user_id: str | None) -> bool:
    if not ENABLE_PROACTIVE_CONVERSATION_STARTERS:
        return False

-    def _get_setting():
-        org = OrgStore.get_current_org_from_keycloak_user_id(user_id)
-        if not org:
-            return False
-        return bool(org.enable_proactive_conversation_starters)
-
-    return await call_sync_from_async(_get_setting)
+    org = await OrgStore.get_current_org_from_keycloak_user_id(user_id)
+    if not org:
+        return False
+    return bool(org.enable_proactive_conversation_starters)


 # =================================================
@@ -153,9 +148,7 @@ class GithubIssue(ResolverViewInterface):
        return user_instructions, conversation_instructions

    async def _get_user_secrets(self):
-        secrets_store = SaasSecretsStore(
-            self.user_info.keycloak_user_id, session_maker, get_config()
-        )
+        secrets_store = SaasSecretsStore(self.user_info.keycloak_user_id, get_config())
        user_secrets = await secrets_store.load()

        return user_secrets.custom_secrets if user_secrets else None
@@ -238,6 +231,29 @@ class GithubIssue(ResolverViewInterface):
            conversation_instructions=conversation_instructions,
        )

+    async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str:
+        """Build the initial user message for V1 resolver conversations.
+
+        For "issue opened" events (no specific comment body), we can simply
+        concatenate the user prompt and the rendered issue context.
+
+        Subclasses that represent comment-driven events (issue comments, PR review
+        comments, inline review comments) override this method to control ordering
+        (e.g., context first, then the triggering comment, then previous comments).
+        """
+
+        user_instructions, conversation_instructions = await self._get_instructions(
+            jinja_env
+        )
+
+        parts: list[str] = []
+        if user_instructions.strip():
+            parts.append(user_instructions.strip())
+        if conversation_instructions.strip():
+            parts.append(conversation_instructions.strip())
+
+        return '\n\n'.join(parts)
+
    async def _create_v1_conversation(
        self,
        jinja_env: Environment,
@@ -247,13 +263,11 @@ class GithubIssue(ResolverViewInterface):
        """Create conversation using the new V1 app conversation system."""
        logger.info('[GitHub V1]: Creating V1 conversation')

-        user_instructions, conversation_instructions = await self._get_instructions(
-            jinja_env
-        )
+        initial_user_text = await self._get_v1_initial_user_message(jinja_env)

        # Create the initial message request
        initial_message = SendMessageRequest(
-            role='user', content=[TextContent(text=user_instructions)]
+            role='user', content=[TextContent(text=initial_user_text)]
        )

        # Create the GitHub V1 callback processor
@@ -265,7 +279,9 @@ class GithubIssue(ResolverViewInterface):
        # Create the V1 conversation start request with the callback processor
        start_request = AppConversationStartRequest(
            conversation_id=UUID(conversation_metadata.conversation_id),
-            system_message_suffix=conversation_instructions,
+            # NOTE: Resolver instructions are intended to be lower priority than the
+            # system prompt, so we inject them into the initial user message.
+            system_message_suffix=None,
            initial_message=initial_message,
            selected_repository=self.full_repo_name,
            selected_branch=self._get_branch_name(),
@@ -336,6 +352,17 @@ class GithubIssueComment(GithubIssue):

        return user_instructions, conversation_instructions

+    async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str:
+        await self._load_resolver_context()
+        template = jinja_env.get_template('issue_comment_initial_message.j2')
+        return template.render(
+            issue_number=self.issue_number,
+            issue_title=self.title,
+            issue_body=self.description,
+            issue_comment=self.comment_body,
+            previous_comments=self.previous_comments,
+        ).strip()
+

@dataclass
 class GithubPRComment(GithubIssueComment):
@@ -362,6 +389,18 @@ class GithubPRComment(GithubIssueComment):

        return user_instructions, conversation_instructions

+    async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str:
+        await self._load_resolver_context()
+        template = jinja_env.get_template('pr_update_initial_message.j2')
+        return template.render(
+            pr_number=self.issue_number,
+            branch_name=self.branch_name,
+            pr_title=self.title,
+            pr_body=self.description,
+            pr_comment=self.comment_body,
+            comments=self.previous_comments,
+        ).strip()
+

@dataclass
 class GithubInlinePRComment(GithubPRComment):
@@ -408,6 +447,20 @@ class GithubInlinePRComment(GithubPRComment):

        return user_instructions, conversation_instructions

+    async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str:
+        await self._load_resolver_context()
+        template = jinja_env.get_template('pr_update_initial_message.j2')
+        return template.render(
+            pr_number=self.issue_number,
+            branch_name=self.branch_name,
+            pr_title=self.title,
+            pr_body=self.description,
+            file_location=self.file_location,
+            line_number=self.line_number,
+            pr_comment=self.comment_body,
+            comments=self.previous_comments,
+        ).strip()
+
    def _create_github_v1_callback_processor(self):
        """Create a V1 callback processor for GitHub integration."""
        from integrations.github.github_v1_callback_processor import (
@@ -740,7 +793,7 @@ class GithubFactory:
    @staticmethod
    async def create_github_view_from_payload(
        message: Message, keycloak_user_id: str
-    ) -> ResolverViewInterface:
+    ) -> GithubViewType:
        """Create the appropriate class (GithubIssue or GithubPRComment) based on the payload.
        Also return metadata about the event (e.g., action type).
        """
--- a/enterprise/integrations/gitlab/gitlab_manager.py
+++ b/enterprise/integrations/gitlab/gitlab_manager.py
@@ -1,4 +1,7 @@
+from __future__ import annotations
+
 from types import MappingProxyType
+from typing import cast

 from integrations.gitlab.gitlab_view import (
    GitlabFactory,
@@ -17,6 +20,7 @@ from integrations.utils import (
    OPENHANDS_RESOLVER_TEMPLATES_DIR,
    get_session_expired_message,
 )
+from integrations.v1_utils import get_saas_user_auth
 from jinja2 import Environment, FileSystemLoader
 from pydantic import SecretStr
 from server.auth.token_manager import TokenManager
@@ -33,7 +37,7 @@ from openhands.server.types import (
 from openhands.storage.data_models.secrets import Secrets


-class GitlabManager(Manager):
+class GitlabManager(Manager[GitlabViewType]):
    def __init__(self, token_manager: TokenManager, data_collector: None = None):
        self.token_manager = token_manager

@@ -67,11 +71,11 @@ class GitlabManager(Manager):
            logger.warning(f'Got invalid keyloak user id for GitLab User {user_id}')
            return False

-        # Importing here prevents circular import
+        # GitLabServiceImpl returns SaaSGitLabService in enterprise context
        from integrations.gitlab.gitlab_service import SaaSGitLabService

-        gitlab_service: SaaSGitLabService = GitLabServiceImpl(
-            external_auth_id=keycloak_user_id
+        gitlab_service = cast(
+            SaaSGitLabService, GitLabServiceImpl(external_auth_id=keycloak_user_id)
        )

        return await gitlab_service.user_has_write_access(project_id)
@@ -121,55 +125,52 @@ class GitlabManager(Manager):
        # Check if the user has write access to the repository
        return has_write_access

-    async def send_message(self, message: Message, gitlab_view: ResolverViewInterface):
-        """
-        Send a message to GitLab based on the view type.
+    async def send_message(self, message: str, gitlab_view: ResolverViewInterface):
+        """Send a message to GitLab based on the view type.

        Args:
-            message: The message to send
+            message: The message content to send (plain text string)
            gitlab_view: The GitLab view object containing issue/PR/comment info
        """
        keycloak_user_id = gitlab_view.user_info.keycloak_user_id

-        # Importing here prevents circular import
+        # GitLabServiceImpl returns SaaSGitLabService in enterprise context
        from integrations.gitlab.gitlab_service import SaaSGitLabService

-        gitlab_service: SaaSGitLabService = GitLabServiceImpl(
-            external_auth_id=keycloak_user_id
+        gitlab_service = cast(
+            SaaSGitLabService, GitLabServiceImpl(external_auth_id=keycloak_user_id)
        )

-        outgoing_message = message.message
-
        if isinstance(gitlab_view, GitlabInlineMRComment) or isinstance(
            gitlab_view, GitlabMRComment
        ):
            await gitlab_service.reply_to_mr(
-                gitlab_view.project_id,
-                gitlab_view.issue_number,
-                gitlab_view.discussion_id,
-                message.message,
+                project_id=str(gitlab_view.project_id),
+                merge_request_iid=str(gitlab_view.issue_number),
+                discussion_id=gitlab_view.discussion_id,
+                body=message,
            )

        elif isinstance(gitlab_view, GitlabIssueComment):
            await gitlab_service.reply_to_issue(
-                gitlab_view.project_id,
-                gitlab_view.issue_number,
-                gitlab_view.discussion_id,
-                outgoing_message,
+                project_id=str(gitlab_view.project_id),
+                issue_number=str(gitlab_view.issue_number),
+                discussion_id=gitlab_view.discussion_id,
+                body=message,
            )
        elif isinstance(gitlab_view, GitlabIssue):
            await gitlab_service.reply_to_issue(
-                gitlab_view.project_id,
-                gitlab_view.issue_number,
-                None,  # no discussion id, issue is tagged
-                outgoing_message,
+                project_id=str(gitlab_view.project_id),
+                issue_number=str(gitlab_view.issue_number),
+                discussion_id=None,  # no discussion id, issue is tagged
+                body=message,
            )
        else:
            logger.warning(
                f'[GitLab] Unsupported view type: {type(gitlab_view).__name__}'
            )

-    async def start_job(self, gitlab_view: GitlabViewType):
+    async def start_job(self, gitlab_view: GitlabViewType) -> None:
        """
        Start a job for the GitLab view.

@@ -214,8 +215,18 @@ class GitlabManager(Manager):
                    )
                )

+                # Initialize conversation and get metadata (following GitHub pattern)
+                convo_metadata = await gitlab_view.initialize_new_conversation()
+
+                saas_user_auth = await get_saas_user_auth(
+                    gitlab_view.user_info.keycloak_user_id, self.token_manager
+                )
+
                await gitlab_view.create_new_conversation(
-                    self.jinja_env, secret_store.provider_tokens
+                    self.jinja_env,
+                    secret_store.provider_tokens,
+                    convo_metadata,
+                    saas_user_auth,
                )

                conversation_id = gitlab_view.conversation_id
@@ -224,18 +235,19 @@ class GitlabManager(Manager):
                    f'[GitLab] Created conversation {conversation_id} for user {user_info.username}'
                )

-                # Create a GitlabCallbackProcessor for this conversation
-                processor = GitlabCallbackProcessor(
-                    gitlab_view=gitlab_view,
-                    send_summary_instruction=True,
-                )
+                if not gitlab_view.v1_enabled:
+                    # Create a GitlabCallbackProcessor for this conversation
+                    processor = GitlabCallbackProcessor(
+                        gitlab_view=gitlab_view,
+                        send_summary_instruction=True,
+                    )

-                # Register the callback processor
-                register_callback_processor(conversation_id, processor)
+                    # Register the callback processor
+                    register_callback_processor(conversation_id, processor)

-                logger.info(
-                    f'[GitLab] Created callback processor for conversation {conversation_id}'
-                )
+                    logger.info(
+                        f'[GitLab] Created callback processor for conversation {conversation_id}'
+                    )

                conversation_link = CONVERSATION_URL.format(conversation_id)
                msg_info = f"I'm on it! {user_info.username} can [track my progress at all-hands.dev]({conversation_link})"
@@ -262,12 +274,10 @@ class GitlabManager(Manager):
                msg_info = get_session_expired_message(user_info.username)

            # Send the acknowledgment message
-            msg = self.create_outgoing_message(msg_info)
-            await self.send_message(msg, gitlab_view)
+            await self.send_message(msg_info, gitlab_view)

        except Exception as e:
            logger.exception(f'[GitLab] Error starting job: {str(e)}')
-            msg = self.create_outgoing_message(
-                msg='Uh oh! There was an unexpected error starting the job :('
+            await self.send_message(
+                'Uh oh! There was an unexpected error starting the job :(', gitlab_view
            )
-            await self.send_message(msg, gitlab_view)
--- a/enterprise/integrations/gitlab/gitlab_service.py
+++ b/enterprise/integrations/gitlab/gitlab_service.py
@@ -185,6 +185,30 @@ class SaaSGitLabService(GitLabService):
            users_personal_projects: List of personal projects owned by the user
            repositories: List of Repository objects to store
        """
+        # If external_auth_id is not set, try to determine it from the Keycloak token
+        if not self.external_auth_id and self.external_auth_token:
+            try:
+                user_info = await self.token_manager.get_user_info(
+                    self.external_auth_token.get_secret_value()
+                )
+                keycloak_user_id = user_info.sub
+                self.external_auth_id = keycloak_user_id
+                logger.info(
+                    f'Determined external_auth_id from Keycloak token: {self.external_auth_id}'
+                )
+            except Exception:
+                logger.warning(
+                    'Cannot store repository data: external_auth_id is not set and could not be determined from token',
+                    exc_info=True,
+                )
+                return
+
+        if not self.external_auth_id:
+            logger.warning(
+                'Cannot store repository data: external_auth_id could not be determined'
+            )
+            return
+
        try:
            # First, add owned projects and groups to the database
            await self.add_owned_projects_and_groups_to_db(users_personal_projects)
--- a/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py
+++ b/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py
@@ -0,0 +1,273 @@
+import logging
+from typing import Any
+from uuid import UUID
+
+import httpx
+from integrations.utils import CONVERSATION_URL, get_summary_instruction
+from pydantic import Field
+
+from openhands.agent_server.models import AskAgentRequest, AskAgentResponse
+from openhands.app_server.event_callback.event_callback_models import (
+    EventCallback,
+    EventCallbackProcessor,
+)
+from openhands.app_server.event_callback.event_callback_result_models import (
+    EventCallbackResult,
+    EventCallbackResultStatus,
+)
+from openhands.app_server.event_callback.util import (
+    ensure_conversation_found,
+    ensure_running_sandbox,
+    get_agent_server_url_from_sandbox,
+)
+from openhands.sdk import Event
+from openhands.sdk.event import ConversationStateUpdateEvent
+
+_logger = logging.getLogger(__name__)
+
+
+class GitlabV1CallbackProcessor(EventCallbackProcessor):
+    """Callback processor for GitLab V1 integrations."""
+
+    gitlab_view_data: dict[str, Any] = Field(default_factory=dict)
+    should_request_summary: bool = Field(default=True)
+    inline_mr_comment: bool = Field(default=False)
+
+    async def __call__(
+        self,
+        conversation_id: UUID,
+        callback: EventCallback,
+        event: Event,
+    ) -> EventCallbackResult | None:
+        """Process events for GitLab V1 integration."""
+        # Only handle ConversationStateUpdateEvent
+        if not isinstance(event, ConversationStateUpdateEvent):
+            return None
+
+        # Only act when execution has finished
+        if not (event.key == 'execution_status' and event.value == 'finished'):
+            return None
+
+        _logger.info('[GitLab V1] Callback agent state was %s', event)
+        _logger.info(
+            '[GitLab V1] Should request summary: %s', self.should_request_summary
+        )
+
+        if not self.should_request_summary:
+            return None
+
+        self.should_request_summary = False
+
+        try:
+            _logger.info(f'[GitLab V1] Requesting summary {conversation_id}')
+            summary = await self._request_summary(conversation_id)
+            _logger.info(
+                f'[GitLab V1] Posting summary {conversation_id}',
+                extra={'summary': summary},
+            )
+            await self._post_summary_to_gitlab(summary)
+
+            return EventCallbackResult(
+                status=EventCallbackResultStatus.SUCCESS,
+                event_callback_id=callback.id,
+                event_id=event.id,
+                conversation_id=conversation_id,
+                detail=summary,
+            )
+        except Exception as e:
+            _logger.exception('[GitLab V1] Error processing callback: %s', e)
+
+            # Only try to post error to GitLab if we have basic requirements
+            try:
+                if self.gitlab_view_data.get('keycloak_user_id'):
+                    await self._post_summary_to_gitlab(
+                        f'OpenHands encountered an error: **{str(e)}**.\n\n'
+                        f'[See the conversation]({CONVERSATION_URL.format(conversation_id)}) '
+                        'for more information.'
+                    )
+            except Exception as post_error:
+                _logger.warning(
+                    '[GitLab V1] Failed to post error message to GitLab: %s', post_error
+                )
+
+            return EventCallbackResult(
+                status=EventCallbackResultStatus.ERROR,
+                event_callback_id=callback.id,
+                event_id=event.id,
+                conversation_id=conversation_id,
+                detail=str(e),
+            )
+
+    # -------------------------------------------------------------------------
+    # GitLab helpers
+    # -------------------------------------------------------------------------
+
+    async def _post_summary_to_gitlab(self, summary: str) -> None:
+        """Post a summary comment to the configured GitLab issue or MR."""
+        # Import here to avoid circular imports
+        from integrations.gitlab.gitlab_service import SaaSGitLabService
+
+        keycloak_user_id = self.gitlab_view_data.get('keycloak_user_id')
+        if not keycloak_user_id:
+            raise RuntimeError('Missing keycloak user ID for GitLab')
+
+        gitlab_service = SaaSGitLabService(external_auth_id=keycloak_user_id)
+
+        project_id = self.gitlab_view_data['project_id']
+        issue_number = self.gitlab_view_data['issue_number']
+        discussion_id = self.gitlab_view_data['discussion_id']
+        is_mr = self.gitlab_view_data.get('is_mr', False)
+
+        if is_mr:
+            await gitlab_service.reply_to_mr(
+                project_id,
+                issue_number,
+                discussion_id,
+                summary,
+            )
+        else:
+            await gitlab_service.reply_to_issue(
+                project_id,
+                issue_number,
+                discussion_id,
+                summary,
+            )
+
+    # -------------------------------------------------------------------------
+    # Agent / sandbox helpers
+    # -------------------------------------------------------------------------
+
+    async def _ask_question(
+        self,
+        httpx_client: httpx.AsyncClient,
+        agent_server_url: str,
+        conversation_id: UUID,
+        session_api_key: str,
+        message_content: str,
+    ) -> str:
+        """Send a message to the agent server via the V1 API and return response text."""
+        send_message_request = AskAgentRequest(question=message_content)
+
+        url = (
+            f'{agent_server_url.rstrip("/")}'
+            f'/api/conversations/{conversation_id}/ask_agent'
+        )
+        headers = {'X-Session-API-Key': session_api_key}
+        payload = send_message_request.model_dump()
+
+        try:
+            response = await httpx_client.post(
+                url,
+                json=payload,
+                headers=headers,
+                timeout=30.0,
+            )
+            response.raise_for_status()
+
+            agent_response = AskAgentResponse.model_validate(response.json())
+            return agent_response.response
+
+        except httpx.HTTPStatusError as e:
+            error_detail = f'HTTP {e.response.status_code} error'
+            try:
+                error_body = e.response.text
+                if error_body:
+                    error_detail += f': {error_body}'
+            except Exception:  # noqa: BLE001
+                pass
+
+            _logger.error(
+                '[GitLab V1] HTTP error sending message to %s: %s. '
+                'Request payload: %s. Response headers: %s',
+                url,
+                error_detail,
+                payload,
+                dict(e.response.headers),
+                exc_info=True,
+            )
+            raise Exception(f'Failed to send message to agent server: {error_detail}')
+
+        except httpx.TimeoutException:
+            error_detail = f'Request timeout after 30 seconds to {url}'
+            _logger.error(
+                '[GitLab V1] %s. Request payload: %s',
+                error_detail,
+                payload,
+                exc_info=True,
+            )
+            raise Exception(error_detail)
+
+        except httpx.RequestError as e:
+            error_detail = f'Request error to {url}: {str(e)}'
+            _logger.error(
+                '[GitLab V1] %s. Request payload: %s',
+                error_detail,
+                payload,
+                exc_info=True,
+            )
+            raise Exception(error_detail)
+
+    # -------------------------------------------------------------------------
+    # Summary orchestration
+    # -------------------------------------------------------------------------
+
+    async def _request_summary(self, conversation_id: UUID) -> str:
+        """Ask the agent to produce a summary of its work and return the agent response.
+
+        NOTE: This method now returns a string (the agent server's response text)
+        and raises exceptions on errors. The wrapping into EventCallbackResult
+        is handled by __call__.
+        """
+        # Import services within the method to avoid circular imports
+        from openhands.app_server.config import (
+            get_app_conversation_info_service,
+            get_httpx_client,
+            get_sandbox_service,
+        )
+        from openhands.app_server.services.injector import InjectorState
+        from openhands.app_server.user.specifiy_user_context import (
+            ADMIN,
+            USER_CONTEXT_ATTR,
+        )
+
+        # Create injector state for dependency injection
+        state = InjectorState()
+        setattr(state, USER_CONTEXT_ATTR, ADMIN)
+
+        async with (
+            get_app_conversation_info_service(state) as app_conversation_info_service,
+            get_sandbox_service(state) as sandbox_service,
+            get_httpx_client(state) as httpx_client,
+        ):
+            # 1. Conversation lookup
+            app_conversation_info = ensure_conversation_found(
+                await app_conversation_info_service.get_app_conversation_info(
+                    conversation_id
+                ),
+                conversation_id,
+            )
+
+            # 2. Sandbox lookup + validation
+            sandbox = ensure_running_sandbox(
+                await sandbox_service.get_sandbox(app_conversation_info.sandbox_id),
+                app_conversation_info.sandbox_id,
+            )
+
+            assert (
+                sandbox.session_api_key is not None
+            ), f'No session API key for sandbox: {sandbox.id}'
+
+            # 3. URL + instruction
+            agent_server_url = get_agent_server_url_from_sandbox(sandbox)
+
+            # Prepare message based on agent state
+            message_content = get_summary_instruction()
+
+            # Ask the agent and return the response text
+            return await self._ask_question(
+                httpx_client=httpx_client,
+                agent_server_url=agent_server_url,
+                conversation_id=conversation_id,
+                session_api_key=sandbox.session_api_key,
+                message_content=message_content,
+            )
--- a/enterprise/integrations/gitlab/gitlab_view.py
+++ b/enterprise/integrations/gitlab/gitlab_view.py
@@ -1,25 +1,53 @@
 from dataclasses import dataclass
+from uuid import UUID, uuid4

 from integrations.models import Message
+from integrations.resolver_context import ResolverUserContext
 from integrations.types import ResolverViewInterface, UserData
-from integrations.utils import HOST, get_oh_labels, has_exact_mention
+from integrations.utils import (
+    ENABLE_V1_GITLAB_RESOLVER,
+    HOST,
+    get_oh_labels,
+    get_user_v1_enabled_setting,
+    has_exact_mention,
+)
 from jinja2 import Environment
 from server.auth.token_manager import TokenManager
 from server.config import get_config
-from storage.database import session_maker
 from storage.saas_secrets_store import SaasSecretsStore

+from openhands.agent_server.models import SendMessageRequest
+from openhands.app_server.app_conversation.app_conversation_models import (
+    AppConversationStartRequest,
+    AppConversationStartTaskStatus,
+)
+from openhands.app_server.config import get_app_conversation_service
+from openhands.app_server.services.injector import InjectorState
+from openhands.app_server.user.specifiy_user_context import USER_CONTEXT_ATTR
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderType
 from openhands.integrations.service_types import Comment
-from openhands.server.services.conversation_service import create_new_conversation
-from openhands.storage.data_models.conversation_metadata import ConversationTrigger
+from openhands.sdk import TextContent
+from openhands.server.services.conversation_service import (
+    initialize_conversation,
+    start_conversation,
+)
+from openhands.server.user_auth.user_auth import UserAuth
+from openhands.storage.data_models.conversation_metadata import (
+    ConversationMetadata,
+    ConversationTrigger,
+)

 OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)
 CONFIDENTIAL_NOTE = 'confidential_note'
 NOTE_TYPES = ['note', CONFIDENTIAL_NOTE]

+
+async def is_v1_enabled_for_gitlab_resolver(user_id: str) -> bool:
+    return await get_user_v1_enabled_setting(user_id) and ENABLE_V1_GITLAB_RESOLVER
+
+
 # =================================================
 # SECTION: Factory to create appriorate Gitlab view
 # =================================================
@@ -41,6 +69,10 @@ class GitlabIssue(ResolverViewInterface):
    description: str
    previous_comments: list[Comment]
    is_mr: bool
+    v1_enabled: bool
+
+    def _get_branch_name(self) -> str | None:
+        return getattr(self, 'branch_name', None)

    async def _load_resolver_context(self):
        gitlab_service = GitLabServiceImpl(
@@ -78,35 +110,158 @@ class GitlabIssue(ResolverViewInterface):
        return user_instructions, conversation_instructions

    async def _get_user_secrets(self):
-        secrets_store = SaasSecretsStore(
-            self.user_info.keycloak_user_id, session_maker, get_config()
-        )
+        secrets_store = SaasSecretsStore(self.user_info.keycloak_user_id, get_config())
        user_secrets = await secrets_store.load()

        return user_secrets.custom_secrets if user_secrets else None

+    async def initialize_new_conversation(self) -> ConversationMetadata:
+        # v1_enabled is already set at construction time in the factory method
+        # This is the source of truth for the conversation type
+        if self.v1_enabled:
+            # Create dummy conversation metadata
+            # Don't save to conversation store
+            # V1 conversations are stored in a separate table
+            self.conversation_id = uuid4().hex
+            return ConversationMetadata(
+                conversation_id=self.conversation_id,
+                selected_repository=self.full_repo_name,
+            )
+
+        conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
+            user_id=self.user_info.keycloak_user_id,
+            conversation_id=None,
+            selected_repository=self.full_repo_name,
+            selected_branch=self._get_branch_name(),
+            conversation_trigger=ConversationTrigger.RESOLVER,
+            git_provider=ProviderType.GITLAB,
+        )
+
+        self.conversation_id = conversation_metadata.conversation_id
+        return conversation_metadata
+
    async def create_new_conversation(
-        self, jinja_env: Environment, git_provider_tokens: PROVIDER_TOKEN_TYPE
+        self,
+        jinja_env: Environment,
+        git_provider_tokens: PROVIDER_TOKEN_TYPE,
+        conversation_metadata: ConversationMetadata,
+        saas_user_auth: UserAuth,
    ):
+        # v1_enabled is already set at construction time in the factory method
+        if self.v1_enabled:
+            # Use V1 app conversation service
+            await self._create_v1_conversation(
+                jinja_env, saas_user_auth, conversation_metadata
+            )
+        else:
+            await self._create_v0_conversation(
+                jinja_env, git_provider_tokens, conversation_metadata
+            )
+
+    async def _create_v0_conversation(
+        self,
+        jinja_env: Environment,
+        git_provider_tokens: PROVIDER_TOKEN_TYPE,
+        conversation_metadata: ConversationMetadata,
+    ):
+        """Create conversation using the legacy V0 system."""
+        logger.info('[GitLab]: Creating V0 conversation')
        custom_secrets = await self._get_user_secrets()

        user_instructions, conversation_instructions = await self._get_instructions(
            jinja_env
        )
-        agent_loop_info = await create_new_conversation(
+
+        await start_conversation(
            user_id=self.user_info.keycloak_user_id,
            git_provider_tokens=git_provider_tokens,
            custom_secrets=custom_secrets,
-            selected_repository=self.full_repo_name,
-            selected_branch=None,
            initial_user_msg=user_instructions,
-            conversation_instructions=conversation_instructions,
            image_urls=None,
-            conversation_trigger=ConversationTrigger.RESOLVER,
            replay_json=None,
+            conversation_id=conversation_metadata.conversation_id,
+            conversation_metadata=conversation_metadata,
+            conversation_instructions=conversation_instructions,
+        )
+
+    async def _create_v1_conversation(
+        self,
+        jinja_env: Environment,
+        saas_user_auth: UserAuth,
+        conversation_metadata: ConversationMetadata,
+    ):
+        """Create conversation using the new V1 app conversation system."""
+        logger.info('[GitLab V1]: Creating V1 conversation')
+
+        user_instructions, conversation_instructions = await self._get_instructions(
+            jinja_env
+        )
+
+        # Create the initial message request
+        initial_message = SendMessageRequest(
+            role='user', content=[TextContent(text=user_instructions)]
+        )
+
+        # Create the GitLab V1 callback processor
+        gitlab_callback_processor = self._create_gitlab_v1_callback_processor()
+
+        # Get the app conversation service and start the conversation
+        injector_state = InjectorState()
+
+        # Determine the title based on whether it's an MR or issue
+        title_prefix = 'GitLab MR' if self.is_mr else 'GitLab Issue'
+        title = f'{title_prefix} #{self.issue_number}: {self.title}'
+
+        # Create the V1 conversation start request with the callback processor
+        start_request = AppConversationStartRequest(
+            conversation_id=UUID(conversation_metadata.conversation_id),
+            system_message_suffix=conversation_instructions,
+            initial_message=initial_message,
+            selected_repository=self.full_repo_name,
+            selected_branch=self._get_branch_name(),
+            git_provider=ProviderType.GITLAB,
+            title=title,
+            trigger=ConversationTrigger.RESOLVER,
+            processors=[
+                gitlab_callback_processor
+            ],  # Pass the callback processor directly
+        )
+
+        # Set up the GitLab user context for the V1 system
+        gitlab_user_context = ResolverUserContext(saas_user_auth=saas_user_auth)
+        setattr(injector_state, USER_CONTEXT_ATTR, gitlab_user_context)
+
+        async with get_app_conversation_service(
+            injector_state
+        ) as app_conversation_service:
+            async for task in app_conversation_service.start_app_conversation(
+                start_request
+            ):
+                if task.status == AppConversationStartTaskStatus.ERROR:
+                    logger.error(f'Failed to start V1 conversation: {task.detail}')
+                    raise RuntimeError(
+                        f'Failed to start V1 conversation: {task.detail}'
+                    )
+
+    def _create_gitlab_v1_callback_processor(self):
+        """Create a V1 callback processor for GitLab integration."""
+        from integrations.gitlab.gitlab_v1_callback_processor import (
+            GitlabV1CallbackProcessor,
+        )
+
+        # Create and return the GitLab V1 callback processor
+        return GitlabV1CallbackProcessor(
+            gitlab_view_data={
+                'issue_number': self.issue_number,
+                'project_id': self.project_id,
+                'full_repo_name': self.full_repo_name,
+                'installation_id': self.installation_id,
+                'keycloak_user_id': self.user_info.keycloak_user_id,
+                'is_mr': self.is_mr,
+                'discussion_id': getattr(self, 'discussion_id', None),
+            },
+            send_summary_instruction=self.send_summary_instruction,
        )
-        self.conversation_id = agent_loop_info.conversation_id
-        return self.conversation_id


@dataclass
@@ -141,6 +296,9 @@ class GitlabIssueComment(GitlabIssue):
 class GitlabMRComment(GitlabIssueComment):
    branch_name: str

+    def _get_branch_name(self) -> str | None:
+        return self.branch_name
+
    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        user_instructions_template = jinja_env.get_template('mr_update_prompt.j2')
        await self._load_resolver_context()
@@ -162,29 +320,6 @@ class GitlabMRComment(GitlabIssueComment):

        return user_instructions, conversation_instructions

-    async def create_new_conversation(
-        self, jinja_env: Environment, git_provider_tokens: PROVIDER_TOKEN_TYPE
-    ):
-        custom_secrets = await self._get_user_secrets()
-
-        user_instructions, conversation_instructions = await self._get_instructions(
-            jinja_env
-        )
-        agent_loop_info = await create_new_conversation(
-            user_id=self.user_info.keycloak_user_id,
-            git_provider_tokens=git_provider_tokens,
-            custom_secrets=custom_secrets,
-            selected_repository=self.full_repo_name,
-            selected_branch=self.branch_name,
-            initial_user_msg=user_instructions,
-            conversation_instructions=conversation_instructions,
-            image_urls=None,
-            conversation_trigger=ConversationTrigger.RESOLVER,
-            replay_json=None,
-        )
-        self.conversation_id = agent_loop_info.conversation_id
-        return self.conversation_id
-

@dataclass
 class GitlabInlineMRComment(GitlabMRComment):
@@ -306,7 +441,7 @@ class GitlabFactory:
    @staticmethod
    async def create_gitlab_view_from_payload(
        message: Message, token_manager: TokenManager
-    ) -> ResolverViewInterface:
+    ) -> GitlabViewType:
        payload = message.message['payload']
        installation_id = message.message['installation_id']
        user = payload['user']
@@ -325,6 +460,16 @@ class GitlabFactory:
            user_id=user_id, username=username, keycloak_user_id=keycloak_user_id
        )

+        # Check v1_enabled at construction time - this is the source of truth
+        v1_enabled = (
+            await is_v1_enabled_for_gitlab_resolver(keycloak_user_id)
+            if keycloak_user_id
+            else False
+        )
+        logger.info(
+            f'[GitLab V1]: User flag found for {keycloak_user_id} is {v1_enabled}'
+        )
+
        if GitlabFactory.is_labeled_issue(message):
            issue_iid = payload['object_attributes']['iid']

@@ -346,6 +491,7 @@ class GitlabFactory:
                description='',
                previous_comments=[],
                is_mr=False,
+                v1_enabled=v1_enabled,
            )

        elif GitlabFactory.is_issue_comment(message):
@@ -376,6 +522,7 @@ class GitlabFactory:
                description='',
                previous_comments=[],
                is_mr=False,
+                v1_enabled=v1_enabled,
            )

        elif GitlabFactory.is_mr_comment(message):
@@ -408,6 +555,7 @@ class GitlabFactory:
                description='',
                previous_comments=[],
                is_mr=True,
+                v1_enabled=v1_enabled,
            )

        elif GitlabFactory.is_mr_comment(message, inline=True):
@@ -448,4 +596,7 @@ class GitlabFactory:
                description='',
                previous_comments=[],
                is_mr=True,
+                v1_enabled=v1_enabled,
            )
+
+        raise ValueError(f'Unhandled GitLab webhook event: {message}')
--- a/enterprise/integrations/gitlab/webhook_installation.py
+++ b/enterprise/integrations/gitlab/webhook_installation.py
@@ -4,7 +4,9 @@ This module contains reusable functions and classes for installing GitLab webhoo
 that can be used by both the cron job and API routes.
 """

-from typing import cast
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
 from uuid import uuid4

 from integrations.types import GitLabResourceType
@@ -13,7 +15,9 @@ from storage.gitlab_webhook import GitlabWebhook, WebhookStatus
 from storage.gitlab_webhook_store import GitlabWebhookStore

 from openhands.core.logger import openhands_logger as logger
-from openhands.integrations.service_types import GitService
+
+if TYPE_CHECKING:
+    from integrations.gitlab.gitlab_service import SaaSGitLabService

 # Webhook configuration constants
 WEBHOOK_NAME = 'OpenHands Resolver'
@@ -35,7 +39,7 @@ class BreakLoopException(Exception):


 async def verify_webhook_conditions(
-    gitlab_service: type[GitService],
+    gitlab_service: SaaSGitLabService,
    resource_type: GitLabResourceType,
    resource_id: str,
    webhook_store: GitlabWebhookStore,
@@ -52,10 +56,6 @@ async def verify_webhook_conditions(
        webhook_store: Webhook store instance
        webhook: Webhook object to verify
    """
-    from integrations.gitlab.gitlab_service import SaaSGitLabService
-
-    gitlab_service = cast(type[SaaSGitLabService], gitlab_service)
-
    # Check if resource exists
    does_resource_exist, status = await gitlab_service.check_resource_exists(
        resource_type, resource_id
@@ -106,7 +106,9 @@ async def verify_webhook_conditions(
        does_webhook_exist_on_resource,
        status,
    ) = await gitlab_service.check_webhook_exists_on_resource(
-        resource_type, resource_id, GITLAB_WEBHOOK_URL
+        resource_type=resource_type,
+        resource_id=resource_id,
+        webhook_url=GITLAB_WEBHOOK_URL,
    )

    logger.info(
@@ -131,7 +133,7 @@ async def verify_webhook_conditions(


 async def install_webhook_on_resource(
-    gitlab_service: type[GitService],
+    gitlab_service: SaaSGitLabService,
    resource_type: GitLabResourceType,
    resource_id: str,
    webhook_store: GitlabWebhookStore,
@@ -150,10 +152,6 @@ async def install_webhook_on_resource(
    Returns:
        Tuple of (webhook_id, status)
    """
-    from integrations.gitlab.gitlab_service import SaaSGitLabService
-
-    gitlab_service = cast(type[SaaSGitLabService], gitlab_service)
-
    webhook_secret = f'{webhook.user_id}-{str(uuid4())}'
    webhook_uuid = f'{str(uuid4())}'

--- a/enterprise/integrations/jira/jira_manager.py
+++ b/enterprise/integrations/jira/jira_manager.py
@@ -57,7 +57,7 @@ JIRA_CLOUD_API_URL = 'https://api.atlassian.com/ex/jira'
 OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)


-class JiraManager(Manager):
+class JiraManager(Manager[JiraViewInterface]):
    """Manager for processing Jira webhook events.

    This class orchestrates the flow from webhook receipt to conversation creation,
@@ -257,7 +257,7 @@ class JiraManager(Manager):

        return jira_user, saas_user_auth

-    async def start_job(self, view: JiraViewInterface):
+    async def start_job(self, view: JiraViewInterface) -> None:
        """Start a Jira job/conversation."""
        # Import here to prevent circular import
        from server.conversation_callback_processor.jira_callback_processor import (
@@ -341,17 +341,25 @@ class JiraManager(Manager):

    async def send_message(
        self,
-        message: Message,
+        message: str,
        issue_key: str,
        jira_cloud_id: str,
        svc_acc_email: str,
        svc_acc_api_key: str,
    ):
-        """Send a comment to a Jira issue."""
+        """Send a comment to a Jira issue.
+
+        Args:
+            message: The message content to send (plain text string)
+            issue_key: The Jira issue key (e.g., 'PROJ-123')
+            jira_cloud_id: The Jira Cloud ID
+            svc_acc_email: Service account email for authentication
+            svc_acc_api_key: Service account API key for authentication
+        """
        url = (
            f'{JIRA_CLOUD_API_URL}/{jira_cloud_id}/rest/api/2/issue/{issue_key}/comment'
        )
-        data = {'body': message.message}
+        data = {'body': message}
        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
            response = await client.post(
                url, auth=(svc_acc_email, svc_acc_api_key), json=data
@@ -366,7 +374,7 @@ class JiraManager(Manager):
                view.jira_workspace.svc_acc_api_key
            )
            await self.send_message(
-                self.create_outgoing_message(msg=msg),
+                msg,
                issue_key=view.payload.issue_key,
                jira_cloud_id=view.jira_workspace.jira_cloud_id,
                svc_acc_email=view.jira_workspace.svc_acc_email,
@@ -388,7 +396,7 @@ class JiraManager(Manager):
        try:
            api_key = self.token_manager.decrypt_text(workspace.svc_acc_api_key)
            await self.send_message(
-                self.create_outgoing_message(msg=error_msg),
+                error_msg,
                issue_key=payload.issue_key,
                jira_cloud_id=workspace.jira_cloud_id,
                svc_acc_email=workspace.svc_acc_email,
--- a/enterprise/integrations/jira/jira_payload.py
+++ b/enterprise/integrations/jira/jira_payload.py
@@ -212,8 +212,6 @@ class JiraPayloadParser:
            missing.append('issue.id')
        if not issue_key:
            missing.append('issue.key')
-        if not user_email:
-            missing.append('user.emailAddress')
        if not display_name:
            missing.append('user.displayName')
        if not account_id:
--- a/enterprise/integrations/jira_dc/jira_dc_manager.py
+++ b/enterprise/integrations/jira_dc/jira_dc_manager.py
@@ -42,7 +42,7 @@ from openhands.server.user_auth.user_auth import UserAuth
 from openhands.utils.http_session import httpx_verify_option


-class JiraDcManager(Manager):
+class JiraDcManager(Manager[JiraDcViewInterface]):
    def __init__(self, token_manager: TokenManager):
        self.token_manager = token_manager
        self.integration_store = JiraDcIntegrationStore.get_instance()
@@ -353,7 +353,7 @@ class JiraDcManager(Manager):
            logger.error(f'[Jira DC] Error in is_job_requested: {str(e)}')
            return False

-    async def start_job(self, jira_dc_view: JiraDcViewInterface):
+    async def start_job(self, jira_dc_view: JiraDcViewInterface) -> None:
        """Start a Jira DC job/conversation."""
        # Import here to prevent circular import
        from server.conversation_callback_processor.jira_dc_callback_processor import (
@@ -418,7 +418,7 @@ class JiraDcManager(Manager):
                jira_dc_view.jira_dc_workspace.svc_acc_api_key
            )
            await self.send_message(
-                self.create_outgoing_message(msg=msg_info),
+                msg_info,
                issue_key=jira_dc_view.job_context.issue_key,
                base_api_url=jira_dc_view.job_context.base_api_url,
                svc_acc_api_key=api_key,
@@ -456,12 +456,19 @@ class JiraDcManager(Manager):
        return title, description

    async def send_message(
-        self, message: Message, issue_key: str, base_api_url: str, svc_acc_api_key: str
+        self, message: str, issue_key: str, base_api_url: str, svc_acc_api_key: str
    ):
-        """Send message/comment to Jira DC issue."""
+        """Send message/comment to Jira DC issue.
+
+        Args:
+            message: The message content to send (plain text string)
+            issue_key: The Jira issue key (e.g., 'PROJ-123')
+            base_api_url: The base API URL for the Jira DC instance
+            svc_acc_api_key: Service account API key for authentication
+        """
        url = f'{base_api_url}/rest/api/2/issue/{issue_key}/comment'
        headers = {'Authorization': f'Bearer {svc_acc_api_key}'}
-        data = {'body': message.message}
+        data = {'body': message}
        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
            response = await client.post(url, headers=headers, json=data)
            response.raise_for_status()
@@ -481,7 +488,7 @@ class JiraDcManager(Manager):
        try:
            api_key = self.token_manager.decrypt_text(workspace.svc_acc_api_key)
            await self.send_message(
-                self.create_outgoing_message(msg=error_msg),
+                error_msg,
                issue_key=job_context.issue_key,
                base_api_url=job_context.base_api_url,
                svc_acc_api_key=api_key,
@@ -502,7 +509,7 @@ class JiraDcManager(Manager):
            )

            await self.send_message(
-                self.create_outgoing_message(msg=comment_msg),
+                comment_msg,
                issue_key=jira_dc_view.job_context.issue_key,
                base_api_url=jira_dc_view.job_context.base_api_url,
                svc_acc_api_key=api_key,
--- a/enterprise/integrations/jira_dc/jira_dc_types.py
+++ b/enterprise/integrations/jira_dc/jira_dc_types.py
@@ -19,7 +19,7 @@ class JiraDcViewInterface(ABC):
    conversation_id: str

    @abstractmethod
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        """Get initial instructions for the conversation."""
        pass

--- a/enterprise/integrations/jira_dc/jira_dc_view.py
+++ b/enterprise/integrations/jira_dc/jira_dc_view.py
@@ -36,7 +36,7 @@ class JiraDcNewConversationView(JiraDcViewInterface):
    selected_repo: str | None
    conversation_id: str

-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        """Instructions passed when conversation is first initialized"""

        instructions_template = jinja_env.get_template('jira_dc_instructions.j2')
@@ -61,7 +61,7 @@ class JiraDcNewConversationView(JiraDcViewInterface):

        provider_tokens = await self.saas_user_auth.get_provider_tokens()
        user_secrets = await self.saas_user_auth.get_secrets()
-        instructions, user_msg = self._get_instructions(jinja_env)
+        instructions, user_msg = await self._get_instructions(jinja_env)

        try:
            agent_loop_info = await create_new_conversation(
@@ -113,7 +113,7 @@ class JiraDcExistingConversationView(JiraDcViewInterface):
    selected_repo: str | None
    conversation_id: str

-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        """Instructions passed when conversation is first initialized"""

        user_msg_template = jinja_env.get_template('jira_dc_existing_conversation.j2')
@@ -155,6 +155,9 @@ class JiraDcExistingConversationView(JiraDcViewInterface):
                self.conversation_id, conversation_init_data, user_id
            )

+            if agent_loop_info.event_store is None:
+                raise StartingConvoException('Event store not available')
+
            final_agent_observation = get_final_agent_observation(
                agent_loop_info.event_store
            )
@@ -167,7 +170,7 @@ class JiraDcExistingConversationView(JiraDcViewInterface):
            if not agent_state or agent_state == AgentState.LOADING:
                raise StartingConvoException('Conversation is still starting')

-            _, user_msg = self._get_instructions(jinja_env)
+            _, user_msg = await self._get_instructions(jinja_env)
            user_message_event = MessageAction(content=user_msg)
            await conversation_manager.send_event_to_conversation(
                self.conversation_id, event_to_dict(user_message_event)
--- a/enterprise/integrations/linear/linear_manager.py
+++ b/enterprise/integrations/linear/linear_manager.py
@@ -39,7 +39,7 @@ from openhands.server.user_auth.user_auth import UserAuth
 from openhands.utils.http_session import httpx_verify_option


-class LinearManager(Manager):
+class LinearManager(Manager[LinearViewInterface]):
    def __init__(self, token_manager: TokenManager):
        self.token_manager = token_manager
        self.integration_store = LinearIntegrationStore.get_instance()
@@ -343,7 +343,7 @@ class LinearManager(Manager):
            logger.error(f'[Linear] Error in is_job_requested: {str(e)}')
            return False

-    async def start_job(self, linear_view: LinearViewInterface):
+    async def start_job(self, linear_view: LinearViewInterface) -> None:
        """Start a Linear job/conversation."""
        # Import here to prevent circular import
        from server.conversation_callback_processor.linear_callback_processor import (
@@ -408,7 +408,7 @@ class LinearManager(Manager):
                linear_view.linear_workspace.svc_acc_api_key
            )
            await self.send_message(
-                self.create_outgoing_message(msg=msg_info),
+                msg_info,
                linear_view.job_context.issue_id,
                api_key,
            )
@@ -473,8 +473,14 @@ class LinearManager(Manager):

        return title, description

-    async def send_message(self, message: Message, issue_id: str, api_key: str):
-        """Send message/comment to Linear issue."""
+    async def send_message(self, message: str, issue_id: str, api_key: str):
+        """Send message/comment to Linear issue.
+
+        Args:
+            message: The message content to send (plain text string)
+            issue_id: The Linear issue ID to comment on
+            api_key: The Linear API key for authentication
+        """
        query = """
            mutation CommentCreate($input: CommentCreateInput!) {
              commentCreate(input: $input) {
@@ -485,7 +491,7 @@ class LinearManager(Manager):
              }
            }
        """
-        variables = {'input': {'issueId': issue_id, 'body': message.message}}
+        variables = {'input': {'issueId': issue_id, 'body': message}}
        return await self._query_api(query, variables, api_key)

    async def _send_error_comment(
@@ -498,9 +504,7 @@ class LinearManager(Manager):

        try:
            api_key = self.token_manager.decrypt_text(workspace.svc_acc_api_key)
-            await self.send_message(
-                self.create_outgoing_message(msg=error_msg), issue_id, api_key
-            )
+            await self.send_message(error_msg, issue_id, api_key)
        except Exception as e:
            logger.error(f'[Linear] Failed to send error comment: {str(e)}')

@@ -517,7 +521,7 @@ class LinearManager(Manager):
            )

            await self.send_message(
-                self.create_outgoing_message(msg=comment_msg),
+                comment_msg,
                linear_view.job_context.issue_id,
                api_key,
            )
--- a/enterprise/integrations/linear/linear_types.py
+++ b/enterprise/integrations/linear/linear_types.py
@@ -19,7 +19,7 @@ class LinearViewInterface(ABC):
    conversation_id: str

    @abstractmethod
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        """Get initial instructions for the conversation."""
        pass

--- a/enterprise/integrations/linear/linear_view.py
+++ b/enterprise/integrations/linear/linear_view.py
@@ -33,7 +33,7 @@ class LinearNewConversationView(LinearViewInterface):
    selected_repo: str | None
    conversation_id: str

-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        """Instructions passed when conversation is first initialized"""

        instructions_template = jinja_env.get_template('linear_instructions.j2')
@@ -58,7 +58,7 @@ class LinearNewConversationView(LinearViewInterface):

        provider_tokens = await self.saas_user_auth.get_provider_tokens()
        user_secrets = await self.saas_user_auth.get_secrets()
-        instructions, user_msg = self._get_instructions(jinja_env)
+        instructions, user_msg = await self._get_instructions(jinja_env)

        try:
            agent_loop_info = await create_new_conversation(
@@ -110,7 +110,7 @@ class LinearExistingConversationView(LinearViewInterface):
    selected_repo: str | None
    conversation_id: str

-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        """Instructions passed when conversation is first initialized"""

        user_msg_template = jinja_env.get_template('linear_existing_conversation.j2')
@@ -152,6 +152,9 @@ class LinearExistingConversationView(LinearViewInterface):
                self.conversation_id, conversation_init_data, user_id
            )

+            if agent_loop_info.event_store is None:
+                raise StartingConvoException('Event store not available')
+
            final_agent_observation = get_final_agent_observation(
                agent_loop_info.event_store
            )
@@ -164,7 +167,7 @@ class LinearExistingConversationView(LinearViewInterface):
            if not agent_state or agent_state == AgentState.LOADING:
                raise StartingConvoException('Conversation is still starting')

-            _, user_msg = self._get_instructions(jinja_env)
+            _, user_msg = await self._get_instructions(jinja_env)
            user_message_event = MessageAction(content=user_msg)
            await conversation_manager.send_event_to_conversation(
                self.conversation_id, event_to_dict(user_message_event)
--- a/enterprise/integrations/manager.py
+++ b/enterprise/integrations/manager.py
@@ -1,9 +1,13 @@
 from abc import ABC, abstractmethod
+from typing import Any, Generic, TypeVar

 from integrations.models import Message, SourceType

+# TypeVar for view types - each manager subclass specifies its own view type
+ViewT = TypeVar('ViewT')

-class Manager(ABC):
+
+class Manager(ABC, Generic[ViewT]):
    manager_type: SourceType

    @abstractmethod
@@ -12,14 +16,21 @@ class Manager(ABC):
        raise NotImplementedError

    @abstractmethod
-    def send_message(self, message: Message):
-        "Send message to integration from Openhands server"
+    def send_message(self, message: str, *args: Any, **kwargs: Any):
+        """Send message to integration from OpenHands server.
+
+        Args:
+            message: The message content to send (plain text string).
+        """
        raise NotImplementedError

    @abstractmethod
-    def start_job(self):
-        "Kick off a job with openhands agent"
-        raise NotImplementedError
+    async def start_job(self, view: ViewT) -> None:
+        """Kick off a job with openhands agent.

-    def create_outgoing_message(self, msg: str | dict, ephemeral: bool = False):
-        return Message(source=SourceType.OPENHANDS, message=msg, ephemeral=ephemeral)
+        Args:
+            view: Integration-specific view object containing job context.
+                  Each manager subclass accepts its own view type
+                  (e.g., SlackViewInterface, JiraViewInterface, etc.)
+        """
+        raise NotImplementedError
--- a/enterprise/integrations/models.py
+++ b/enterprise/integrations/models.py
@@ -1,4 +1,5 @@
 from enum import Enum
+from typing import Any

 from pydantic import BaseModel

@@ -16,8 +17,16 @@ class SourceType(str, Enum):


 class Message(BaseModel):
+    """Message model for incoming webhook payloads from integrations.
+
+    Note: This model is intended for INCOMING messages only.
+    For outgoing messages (e.g., sending comments to GitHub/GitLab),
+    pass strings directly to the send_message methods instead of
+    wrapping them in a Message object.
+    """
+
    source: SourceType
-    message: str | dict
+    message: dict[str, Any]
    ephemeral: bool = False


--- a/enterprise/integrations/slack/slack_manager.py
+++ b/enterprise/integrations/slack/slack_manager.py
@@ -1,9 +1,14 @@
 import re
+from typing import Any

 import jwt
 from integrations.manager import Manager
 from integrations.models import Message, SourceType
-from integrations.slack.slack_types import SlackViewInterface, StartingConvoException
+from integrations.slack.slack_types import (
+    SlackMessageView,
+    SlackViewInterface,
+    StartingConvoException,
+)
 from integrations.slack.slack_view import (
    SlackFactory,
    SlackNewConversationFromRepoFormView,
@@ -22,7 +27,8 @@ from server.constants import SLACK_CLIENT_ID
 from server.utils.conversation_callback_utils import register_callback_processor
 from slack_sdk.oauth import AuthorizeUrlGenerator
 from slack_sdk.web.async_client import AsyncWebClient
-from storage.database import session_maker
+from sqlalchemy import select
+from storage.database import a_session_maker
 from storage.slack_user import SlackUser

 from openhands.core.logger import openhands_logger as logger
@@ -43,7 +49,7 @@ authorize_url_generator = AuthorizeUrlGenerator(
 )


-class SlackManager(Manager):
+class SlackManager(Manager[SlackViewInterface]):
    def __init__(self, token_manager):
        self.token_manager = token_manager
        self.login_link = (
@@ -63,12 +69,11 @@ class SlackManager(Manager):
    ) -> tuple[SlackUser | None, UserAuth | None]:
        # We get the user and correlate them back to a user in OpenHands - if we can
        slack_user = None
-        with session_maker() as session:
-            slack_user = (
-                session.query(SlackUser)
-                .filter(SlackUser.slack_user_id == slack_user_id)
-                .first()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(SlackUser).where(SlackUser.slack_user_id == slack_user_id)
            )
+            slack_user = result.scalar_one_or_none()

            # slack_view.slack_to_openhands_user = slack_user # attach user auth info to view

@@ -180,7 +185,7 @@ class SlackManager(Manager):
        )

        try:
-            slack_view = SlackFactory.create_slack_view_from_payload(
+            slack_view = await SlackFactory.create_slack_view_from_payload(
                message, slack_user, saas_user_auth
            )
        except Exception as e:
@@ -202,9 +207,7 @@ class SlackManager(Manager):
            msg = self.login_link.format(link)

            logger.info('slack_not_yet_authenticated')
-            await self.send_message(
-                self.create_outgoing_message(msg, ephemeral=True), slack_view
-            )
+            await self.send_message(msg, slack_view, ephemeral=True)
            return

        if not await self.is_job_requested(message, slack_view):
@@ -212,27 +215,42 @@ class SlackManager(Manager):

        await self.start_job(slack_view)

-    async def send_message(self, message: Message, slack_view: SlackViewInterface):
+    async def send_message(
+        self,
+        message: str | dict[str, Any],
+        slack_view: SlackMessageView,
+        ephemeral: bool = False,
+    ):
+        """Send a message to Slack.
+
+        Args:
+            message: The message content. Can be a string (for simple text) or
+                     a dict with 'text' and 'blocks' keys (for structured messages).
+            slack_view: The Slack view object containing channel/thread info.
+                        Can be either SlackMessageView (for unauthenticated users)
+                        or SlackViewInterface (for authenticated users).
+            ephemeral: If True, send as an ephemeral message visible only to the user.
+        """
        client = AsyncWebClient(token=slack_view.bot_access_token)
-        if message.ephemeral and isinstance(message.message, str):
+        if ephemeral and isinstance(message, str):
            await client.chat_postEphemeral(
                channel=slack_view.channel_id,
-                markdown_text=message.message,
+                markdown_text=message,
                user=slack_view.slack_user_id,
                thread_ts=slack_view.thread_ts,
            )
-        elif message.ephemeral and isinstance(message.message, dict):
+        elif ephemeral and isinstance(message, dict):
            await client.chat_postEphemeral(
                channel=slack_view.channel_id,
                user=slack_view.slack_user_id,
                thread_ts=slack_view.thread_ts,
-                text=message.message['text'],
-                blocks=message.message['blocks'],
+                text=message['text'],
+                blocks=message['blocks'],
            )
        else:
            await client.chat_postMessage(
                channel=slack_view.channel_id,
-                markdown_text=message.message,
+                markdown_text=message,
                thread_ts=slack_view.message_ts,
            )

@@ -279,16 +297,13 @@ class SlackManager(Manager):
                    repos, slack_view.message_ts, slack_view.thread_ts
                ),
            }
-            await self.send_message(
-                self.create_outgoing_message(repo_selection_msg, ephemeral=True),
-                slack_view,
-            )
+            await self.send_message(repo_selection_msg, slack_view, ephemeral=True)

            return False

        return True

-    async def start_job(self, slack_view: SlackViewInterface):
+    async def start_job(self, slack_view: SlackViewInterface) -> None:
        # Importing here prevents circular import
        from server.conversation_callback_processor.slack_callback_processor import (
            SlackCallbackProcessor,
@@ -296,7 +311,7 @@ class SlackManager(Manager):

        try:
            msg_info = None
-            user_info: SlackUser = slack_view.slack_to_openhands_user
+            user_info = slack_view.slack_to_openhands_user
            try:
                logger.info(
                    f'[Slack] Starting job for user {user_info.slack_display_name} (id={user_info.slack_user_id})',
@@ -368,9 +383,10 @@ class SlackManager(Manager):
            except StartingConvoException as e:
                msg_info = str(e)

-            await self.send_message(self.create_outgoing_message(msg_info), slack_view)
+            await self.send_message(msg_info, slack_view)

        except Exception:
            logger.exception('[Slack]: Error starting job')
-            msg = 'Uh oh! There was an unexpected error starting the job :('
-            await self.send_message(self.create_outgoing_message(msg), slack_view)
+            await self.send_message(
+                'Uh oh! There was an unexpected error starting the job :(', slack_view
+            )
--- a/enterprise/integrations/slack/slack_types.py
+++ b/enterprise/integrations/slack/slack_types.py
@@ -7,15 +7,31 @@ from storage.slack_user import SlackUser
 from openhands.server.user_auth.user_auth import UserAuth


-class SlackViewInterface(SummaryExtractionTracker, ABC):
+class SlackMessageView(ABC):
+    """Minimal interface for sending messages to Slack.
+
+    This base class contains only the fields needed to send messages,
+    without requiring user authentication. Used by both authenticated
+    and unauthenticated Slack views.
+    """
+
    bot_access_token: str
-    user_msg: str | None
    slack_user_id: str
-    slack_to_openhands_user: SlackUser | None
-    saas_user_auth: UserAuth | None
    channel_id: str
    message_ts: str
    thread_ts: str | None
+
+
+class SlackViewInterface(SlackMessageView, SummaryExtractionTracker, ABC):
+    """Interface for authenticated Slack views that can create conversations.
+
+    All fields are required (non-None) because this interface is only used
+    for users who have linked their Slack account to OpenHands.
+    """
+
+    user_msg: str
+    slack_to_openhands_user: SlackUser
+    saas_user_auth: UserAuth
    selected_repo: str | None
    should_extract: bool
    send_summary_instruction: bool
@@ -24,7 +40,7 @@ class SlackViewInterface(SummaryExtractionTracker, ABC):
    v1_enabled: bool

    @abstractmethod
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        """Instructions passed when conversation is first initialized"""
        pass

--- a/enterprise/integrations/slack/slack_v1_callback_processor.py
+++ b/enterprise/integrations/slack/slack_v1_callback_processor.py
@@ -88,17 +88,18 @@ class SlackV1CallbackProcessor(EventCallbackProcessor):
    # Slack helpers
    # -------------------------------------------------------------------------

-    def _get_bot_access_token(self):
+    async def _get_bot_access_token(self) -> str | None:
+        team_id = self.slack_view_data.get('team_id')
+        if team_id is None:
+            return None
        slack_team_store = SlackTeamStore.get_instance()
-        bot_access_token = slack_team_store.get_team_bot_token(
-            self.slack_view_data['team_id']
-        )
+        bot_access_token = await slack_team_store.get_team_bot_token(team_id)

        return bot_access_token

    async def _post_summary_to_slack(self, summary: str) -> None:
        """Post a summary message to the configured Slack channel."""
-        bot_access_token = self._get_bot_access_token()
+        bot_access_token = await self._get_bot_access_token()
        if not bot_access_token:
            raise RuntimeError('Missing Slack bot access token')

--- a/enterprise/integrations/slack/slack_view.py
+++ b/enterprise/integrations/slack/slack_view.py
@@ -1,9 +1,14 @@
+import asyncio
 from dataclasses import dataclass
 from uuid import UUID, uuid4

 from integrations.models import Message
 from integrations.resolver_context import ResolverUserContext
-from integrations.slack.slack_types import SlackViewInterface, StartingConvoException
+from integrations.slack.slack_types import (
+    SlackMessageView,
+    SlackViewInterface,
+    StartingConvoException,
+)
 from integrations.slack.slack_v1_callback_processor import SlackV1CallbackProcessor
 from integrations.utils import (
    CONVERSATION_URL,
@@ -42,7 +47,7 @@ from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import (
    ConversationTrigger,
 )
-from openhands.utils.async_utils import GENERAL_TIMEOUT, call_async_from_sync
+from openhands.utils.async_utils import GENERAL_TIMEOUT

 # =================================================
 # SECTION: Slack view types
@@ -59,36 +64,25 @@ async def is_v1_enabled_for_slack_resolver(user_id: str) -> bool:


@dataclass
-class SlackUnkownUserView(SlackViewInterface):
+class SlackUnkownUserView(SlackMessageView):
+    """View for unauthenticated Slack users who haven't linked their account.
+
+    This view only contains the minimal fields needed to send a login link
+    message back to the user. It does not implement SlackViewInterface
+    because it cannot create conversations without user authentication.
+    """
+
    bot_access_token: str
-    user_msg: str | None
    slack_user_id: str
-    slack_to_openhands_user: SlackUser | None
-    saas_user_auth: UserAuth | None
    channel_id: str
    message_ts: str
    thread_ts: str | None
-    selected_repo: str | None
-    should_extract: bool
-    send_summary_instruction: bool
-    conversation_id: str
-    team_id: str
-    v1_enabled: bool
-
-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
-        raise NotImplementedError
-
-    async def create_or_update_conversation(self, jinja_env: Environment):
-        raise NotImplementedError
-
-    def get_response_msg(self) -> str:
-        raise NotImplementedError


@dataclass
 class SlackNewConversationView(SlackViewInterface):
    bot_access_token: str
-    user_msg: str | None
+    user_msg: str
    slack_user_id: str
    slack_to_openhands_user: SlackUser
    saas_user_auth: UserAuth
@@ -118,7 +112,7 @@ class SlackNewConversationView(SlackViewInterface):
                return block['user_id']
        return ''

-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        """Instructions passed when conversation is first initialized"""
        user_info: SlackUser = self.slack_to_openhands_user

@@ -242,7 +236,9 @@ class SlackNewConversationView(SlackViewInterface):
        self, jinja: Environment, provider_tokens, user_secrets
    ) -> None:
        """Create conversation using the legacy V0 system."""
-        user_instructions, conversation_instructions = self._get_instructions(jinja)
+        user_instructions, conversation_instructions = await self._get_instructions(
+            jinja
+        )

        # Determine git provider from repository
        git_provider = None
@@ -273,7 +269,9 @@ class SlackNewConversationView(SlackViewInterface):

    async def _create_v1_conversation(self, jinja: Environment) -> None:
        """Create conversation using the new V1 app conversation system."""
-        user_instructions, conversation_instructions = self._get_instructions(jinja)
+        user_instructions, conversation_instructions = await self._get_instructions(
+            jinja
+        )

        # Create the initial message request
        initial_message = SendMessageRequest(
@@ -346,7 +344,7 @@ class SlackNewConversationFromRepoFormView(SlackNewConversationView):
 class SlackUpdateExistingConversationView(SlackNewConversationView):
    slack_conversation: SlackConversation

-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
        client = WebClient(token=self.bot_access_token)
        result = client.conversations_replies(
            channel=self.channel_id,
@@ -389,6 +387,9 @@ class SlackUpdateExistingConversationView(SlackNewConversationView):
            self.conversation_id, conversation_init_data, user_id
        )

+        if agent_loop_info.event_store is None:
+            raise StartingConvoException('Event store not available')
+
        final_agent_observation = get_final_agent_observation(
            agent_loop_info.event_store
        )
@@ -401,7 +402,7 @@ class SlackUpdateExistingConversationView(SlackNewConversationView):
        if not agent_state or agent_state == AgentState.LOADING:
            raise StartingConvoException('Conversation is still starting')

-        instructions, _ = self._get_instructions(jinja)
+        instructions, _ = await self._get_instructions(jinja)
        user_msg = MessageAction(content=instructions)
        await conversation_manager.send_event_to_conversation(
            self.conversation_id, event_to_dict(user_msg)
@@ -469,7 +470,7 @@ class SlackUpdateExistingConversationView(SlackNewConversationView):
            agent_server_url = get_agent_server_url_from_sandbox(running_sandbox)

            # 4. Prepare the message content
-            user_msg, _ = self._get_instructions(jinja)
+            user_msg, _ = await self._get_instructions(jinja)

            # 5. Create the message request
            send_message_request = SendMessageRequest(
@@ -545,11 +546,14 @@ class SlackFactory:
            return None

        # thread_ts in slack payloads in the parent's (root level msg's) message ID
+        if channel_id is None:
+            return None
        return await slack_conversation_store.get_slack_conversation(
            channel_id, thread_ts
        )

-    def create_slack_view_from_payload(
+    @staticmethod
+    async def create_slack_view_from_payload(
        message: Message, slack_user: SlackUser | None, saas_user_auth: UserAuth | None
    ):
        payload = message.message
@@ -560,7 +564,7 @@ class SlackFactory:
        team_id = payload['team_id']
        user_msg = payload.get('user_msg')

-        bot_access_token = slack_team_store.get_team_bot_token(team_id)
+        bot_access_token = await slack_team_store.get_team_bot_token(team_id)
        if not bot_access_token:
            logger.error(
                'Did not find slack team',
@@ -572,28 +576,25 @@ class SlackFactory:
            raise Exception('Did not find slack team')

        # Determine if this is a known slack user by openhands
-        if not slack_user or not saas_user_auth or not channel_id:
+        if not slack_user or not saas_user_auth or not channel_id or not message_ts:
            return SlackUnkownUserView(
                bot_access_token=bot_access_token,
-                user_msg=user_msg,
                slack_user_id=slack_user_id,
-                slack_to_openhands_user=slack_user,
-                saas_user_auth=saas_user_auth,
-                channel_id=channel_id,
-                message_ts=message_ts,
+                channel_id=channel_id or '',
+                message_ts=message_ts or '',
                thread_ts=thread_ts,
-                selected_repo=None,
-                should_extract=False,
-                send_summary_instruction=False,
-                conversation_id='',
-                team_id=team_id,
-                v1_enabled=False,
            )

-        conversation: SlackConversation | None = call_async_from_sync(
-            SlackFactory.determine_if_updating_existing_conversation,
-            GENERAL_TIMEOUT,
-            message,
+        # At this point, we've verified slack_user, saas_user_auth, channel_id, and message_ts are set
+        # user_msg should always be present in Slack payloads
+        if not user_msg:
+            raise ValueError('user_msg is required but was not provided in payload')
+        assert channel_id is not None
+        assert message_ts is not None
+
+        conversation = await asyncio.wait_for(
+            SlackFactory.determine_if_updating_existing_conversation(message),
+            timeout=GENERAL_TIMEOUT,
        )
        if conversation:
            logger.info(
--- a/enterprise/integrations/store_repo_utils.py
+++ b/enterprise/integrations/store_repo_utils.py
@@ -42,11 +42,11 @@ async def store_repositories_in_db(repos: list[Repository], user_id: str) -> Non
    try:
        # Store repositories in the repos table
        repo_store = RepositoryStore.get_instance(config)
-        repo_store.store_projects(stored_repos)
+        await repo_store.store_projects(stored_repos)

        # Store user-repository mappings in the user-repos table
        user_repo_store = UserRepositoryMapStore.get_instance(config)
-        user_repo_store.store_user_repo_mappings(user_repos)
+        await user_repo_store.store_user_repo_mappings(user_repos)

        logger.info(f'Saved repos for user {user_id}')
    except Exception:
--- a/enterprise/integrations/stripe_service.py
+++ b/enterprise/integrations/stripe_service.py
@@ -3,24 +3,20 @@ from uuid import UUID
 import stripe
 from server.constants import STRIPE_API_KEY
 from server.logger import logger
-from sqlalchemy.orm import Session
-from storage.database import session_maker
+from sqlalchemy import select
+from storage.database import a_session_maker
 from storage.org import Org
 from storage.org_store import OrgStore
 from storage.stripe_customer import StripeCustomer

-from openhands.utils.async_utils import call_sync_from_async
-
 stripe.api_key = STRIPE_API_KEY


 async def find_customer_id_by_org_id(org_id: UUID) -> str | None:
-    with session_maker() as session:
-        stripe_customer = (
-            session.query(StripeCustomer)
-            .filter(StripeCustomer.org_id == org_id)
-            .first()
-        )
+    async with a_session_maker() as session:
+        stmt = select(StripeCustomer).where(StripeCustomer.org_id == org_id)
+        result = await session.execute(stmt)
+        stripe_customer = result.scalar_one_or_none()
        if stripe_customer:
            return stripe_customer.stripe_customer_id

@@ -40,9 +36,7 @@ async def find_customer_id_by_org_id(org_id: UUID) -> str | None:

 async def find_customer_id_by_user_id(user_id: str) -> str | None:
    # First search our own DB...
-    org = await call_sync_from_async(
-        OrgStore.get_current_org_from_keycloak_user_id, user_id
-    )
+    org = await OrgStore.get_current_org_from_keycloak_user_id(user_id)
    if not org:
        logger.warning(f'Org not found for user {user_id}')
        return None
@@ -52,9 +46,7 @@ async def find_customer_id_by_user_id(user_id: str) -> str | None:

 async def find_or_create_customer_by_user_id(user_id: str) -> dict | None:
    # Get the current org for the user
-    org = await call_sync_from_async(
-        OrgStore.get_current_org_from_keycloak_user_id, user_id
-    )
+    org = await OrgStore.get_current_org_from_keycloak_user_id(user_id)
    if not org:
        logger.warning(f'Org not found for user {user_id}')
        return None
@@ -74,7 +66,7 @@ async def find_or_create_customer_by_user_id(user_id: str) -> dict | None:
    )

    # Save the stripe customer in the local db
-    with session_maker() as session:
+    async with a_session_maker() as session:
        session.add(
            StripeCustomer(
                keycloak_user_id=user_id,
@@ -82,7 +74,7 @@ async def find_or_create_customer_by_user_id(user_id: str) -> dict | None:
                stripe_customer_id=customer.id,
            )
        )
-        session.commit()
+        await session.commit()

    logger.info(
        'created_customer',
@@ -108,26 +100,27 @@ async def has_payment_method_by_user_id(user_id: str) -> bool:
    return bool(payment_methods.data)


-async def migrate_customer(session: Session, user_id: str, org: Org):
-    stripe_customer = (
-        session.query(StripeCustomer)
-        .filter(StripeCustomer.keycloak_user_id == user_id)
-        .first()
-    )
-    if stripe_customer is None:
-        return
-    stripe_customer.org_id = org.id
-    customer = await stripe.Customer.modify_async(
-        id=stripe_customer.stripe_customer_id,
-        email=org.contact_email,
-        metadata={'user_id': '', 'org_id': str(org.id)},
-    )
+async def migrate_customer(user_id: str, org: Org):
+    async with a_session_maker() as session:
+        result = await session.execute(
+            select(StripeCustomer).where(StripeCustomer.keycloak_user_id == user_id)
+        )
+        stripe_customer = result.scalar_one_or_none()
+        if stripe_customer is None:
+            return
+        stripe_customer.org_id = org.id
+        customer = await stripe.Customer.modify_async(
+            id=stripe_customer.stripe_customer_id,
+            email=org.contact_email,
+            metadata={'user_id': '', 'org_id': str(org.id)},
+        )

-    logger.info(
-        'migrated_customer',
-        extra={
-            'user_id': user_id,
-            'org_id': str(org.id),
-            'stripe_customer_id': customer.id,
-        },
-    )
+        logger.info(
+            'migrated_customer',
+            extra={
+                'user_id': user_id,
+                'org_id': str(org.id),
+                'stripe_customer_id': customer.id,
+            },
+        )
+        await session.commit()
--- a/enterprise/integrations/types.py
+++ b/enterprise/integrations/types.py
@@ -1,9 +1,17 @@
 from dataclasses import dataclass
 from enum import Enum
+from typing import TYPE_CHECKING

 from jinja2 import Environment
 from pydantic import BaseModel

+if TYPE_CHECKING:
+    from integrations.models import Message
+
+    from openhands.integrations.provider import PROVIDER_TOKEN_TYPE
+    from openhands.server.user_auth.user_auth import UserAuth
+    from openhands.storage.data_models.conversation_metadata import ConversationMetadata
+

 class GitLabResourceType(Enum):
    GROUP = 'group'
@@ -31,17 +39,41 @@ class SummaryExtractionTracker:

@dataclass
 class ResolverViewInterface(SummaryExtractionTracker):
-    installation_id: int
+    # installation_id type varies by provider:
+    # - GitHub: int (GitHub App installation ID)
+    # - GitLab: str (webhook installation ID from our DB)
+    installation_id: int | str
    user_info: UserData
    issue_number: int
    full_repo_name: str
    is_public_repo: bool
-    raw_payload: dict
+    raw_payload: 'Message'

-    def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
-        "Instructions passed when conversation is first initialized"
+    async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]:
+        """Instructions passed when conversation is first initialized."""
        raise NotImplementedError()

-    async def create_new_conversation(self, jinja_env: Environment, token: str):
-        "Create a new conversation"
+    async def initialize_new_conversation(self) -> 'ConversationMetadata':
+        """Initialize a new conversation and return metadata.
+
+        For V1 conversations, creates a dummy ConversationMetadata.
+        For V0 conversations, initializes through the conversation store.
+        """
+        raise NotImplementedError()
+
+    async def create_new_conversation(
+        self,
+        jinja_env: Environment,
+        git_provider_tokens: 'PROVIDER_TOKEN_TYPE',
+        conversation_metadata: 'ConversationMetadata',
+        saas_user_auth: 'UserAuth',
+    ) -> None:
+        """Create a new conversation.
+
+        Args:
+            jinja_env: Jinja2 environment for template rendering
+            git_provider_tokens: Token mapping for git providers
+            conversation_metadata: Metadata for the conversation
+            saas_user_auth: User authentication for SaaS
+        """
        raise NotImplementedError()
--- a/enterprise/integrations/utils.py
+++ b/enterprise/integrations/utils.py
@@ -21,7 +21,6 @@ from openhands.events.event_store_abc import EventStoreABC
 from openhands.events.observation.agent import AgentStateChangedObservation
 from openhands.integrations.service_types import Repository
 from openhands.storage.data_models.conversation_status import ConversationStatus
-from openhands.utils.async_utils import call_sync_from_async

 if TYPE_CHECKING:
    from openhands.server.conversation_manager.conversation_manager import (
@@ -33,7 +32,8 @@ if TYPE_CHECKING:
 HOST = WEB_HOST
 # ---- DO NOT REMOVE ----

-HOST_URL = f'https://{HOST}' if 'localhost' not in HOST else f'http://{HOST}'
+IS_LOCAL_DEPLOYMENT = 'localhost' in HOST
+HOST_URL = f'https://{HOST}' if not IS_LOCAL_DEPLOYMENT else f'http://{HOST}'
 GITHUB_WEBHOOK_URL = f'{HOST_URL}/integration/github/events'
 GITLAB_WEBHOOK_URL = f'{HOST_URL}/integration/gitlab/events'
 conversation_prefix = 'conversations/{}'
@@ -65,6 +65,25 @@ def get_session_expired_message(username: str | None = None) -> str:
    return f'Your session has expired. Please login again at [OpenHands Cloud]({HOST_URL}) and try again.'


+def get_user_not_found_message(username: str | None = None) -> str:
+    """Get a user-friendly message when a user hasn't created an OpenHands account.
+
+    Used by integrations to notify users when they try to use OpenHands features
+    but haven't logged into OpenHands Cloud yet (no Keycloak account exists).
+
+    Args:
+        username: Optional username to mention in the message. If provided,
+                  the message will include @username prefix (used by Git providers
+                  like GitHub, GitLab, Slack). If None, returns a generic message.
+
+    Returns:
+        A formatted user not found message
+    """
+    if username:
+        return f"@{username} it looks like you haven't created an OpenHands account yet. Please sign up at [OpenHands Cloud]({HOST_URL}) and try again."
+    return f"It looks like you haven't created an OpenHands account yet. Please sign up at [OpenHands Cloud]({HOST_URL}) and try again."
+
+
 # Toggle for solvability report feature
 ENABLE_SOLVABILITY_ANALYSIS = (
    os.getenv('ENABLE_SOLVABILITY_ANALYSIS', 'false').lower() == 'true'
@@ -79,6 +98,11 @@ ENABLE_V1_SLACK_RESOLVER = (
    os.getenv('ENABLE_V1_SLACK_RESOLVER', 'false').lower() == 'true'
 )

+# Toggle for V1 GitLab resolver feature
+ENABLE_V1_GITLAB_RESOLVER = (
+    os.getenv('ENABLE_V1_GITLAB_RESOLVER', 'false').lower() == 'true'
+)
+
 OPENHANDS_RESOLVER_TEMPLATES_DIR = (
    os.getenv('OPENHANDS_RESOLVER_TEMPLATES_DIR')
    or 'openhands/integrations/templates/resolver/'
@@ -122,9 +146,7 @@ async def get_user_v1_enabled_setting(user_id: str | None) -> bool:
    if not user_id:
        return False

-    org = await call_sync_from_async(
-        OrgStore.get_current_org_from_keycloak_user_id, user_id
-    )
+    org = await OrgStore.get_current_org_from_keycloak_user_id(user_id)

    if not org or org.v1_enabled is None:
        return False
--- a/enterprise/migrations/versions/097_add_session_api_key_hash_to_v1_remote_sandbox.py
+++ b/enterprise/migrations/versions/097_add_session_api_key_hash_to_v1_remote_sandbox.py
@@ -0,0 +1,41 @@
+"""Add session_api_key_hash to v1_remote_sandbox table
+
+Revision ID: 097
+Revises: 096
+Create Date: 2025-02-24 00:00:00.000000
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = '097'
+down_revision: Union[str, None] = '096'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Add session_api_key_hash column to v1_remote_sandbox table."""
+    op.add_column(
+        'v1_remote_sandbox',
+        sa.Column('session_api_key_hash', sa.String(), nullable=True),
+    )
+    op.create_index(
+        op.f('ix_v1_remote_sandbox_session_api_key_hash'),
+        'v1_remote_sandbox',
+        ['session_api_key_hash'],
+        unique=False,
+    )
+
+
+def downgrade() -> None:
+    """Remove session_api_key_hash column from v1_remote_sandbox table."""
+    op.drop_index(
+        op.f('ix_v1_remote_sandbox_session_api_key_hash'),
+        table_name='v1_remote_sandbox',
+    )
+    op.drop_column('v1_remote_sandbox', 'session_api_key_hash')
--- a/enterprise/migrations/versions/098_create_verified_models_table.py
+++ b/enterprise/migrations/versions/098_create_verified_models_table.py
@@ -0,0 +1,92 @@
+"""Create verified_models table.
+
+Revision ID: 098
+Revises: 097
+Create Date: 2026-02-26 00:00:00.000000
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = '098'
+down_revision: Union[str, None] = '097'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Create verified_models table and seed with current model list."""
+    op.create_table(
+        'verified_models',
+        sa.Column('id', sa.Integer, sa.Identity(), primary_key=True),
+        sa.Column('model_name', sa.String(255), nullable=False),
+        sa.Column('provider', sa.String(100), nullable=False),
+        sa.Column(
+            'is_enabled',
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.text('true'),
+        ),
+        sa.Column(
+            'created_at',
+            sa.DateTime(),
+            nullable=False,
+            server_default=sa.text('CURRENT_TIMESTAMP'),
+        ),
+        sa.Column(
+            'updated_at',
+            sa.DateTime(),
+            nullable=False,
+            server_default=sa.text('CURRENT_TIMESTAMP'),
+        ),
+        sa.UniqueConstraint(
+            'model_name', 'provider', name='uq_verified_model_provider'
+        ),
+    )
+
+    op.create_index(
+        'ix_verified_models_provider',
+        'verified_models',
+        ['provider'],
+    )
+    op.create_index(
+        'ix_verified_models_is_enabled',
+        'verified_models',
+        ['is_enabled'],
+    )
+
+    # Seed with current openhands provider models
+    models = [
+        ('claude-opus-4-5-20251101', 'openhands'),
+        ('claude-sonnet-4-5-20250929', 'openhands'),
+        ('gpt-5.2-codex', 'openhands'),
+        ('gpt-5.2', 'openhands'),
+        ('minimax-m2.5', 'openhands'),
+        ('gemini-3-pro-preview', 'openhands'),
+        ('gemini-3-flash-preview', 'openhands'),
+        ('deepseek-chat', 'openhands'),
+        ('devstral-medium-2512', 'openhands'),
+        ('kimi-k2-0711-preview', 'openhands'),
+        ('qwen3-coder-480b', 'openhands'),
+    ]
+
+    for model_name, provider in models:
+        op.execute(
+            sa.text(
+                """
+                INSERT INTO verified_models (model_name, provider)
+                VALUES (:model_name, :provider)
+                """
+            ).bindparams(model_name=model_name, provider=provider)
+        )
+
+
+def downgrade() -> None:
+    """Drop verified_models table."""
+    op.drop_index('ix_verified_models_is_enabled', table_name='verified_models')
+    op.drop_index('ix_verified_models_provider', table_name='verified_models')
+    op.drop_table('verified_models')
--- a/enterprise/poetry.lock
+++ b/enterprise/poetry.lock
@@ -26,98 +26,132 @@ files = [

 [[package]]
 name = "aiohttp"
-version = "3.12.15"
+version = "3.13.3"
 description = "Async http client/server framework (asyncio)"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "aiohttp-3.12.15-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:b6fc902bff74d9b1879ad55f5404153e2b33a82e72a95c89cec5eb6cc9e92fbc"},
-    {file = "aiohttp-3.12.15-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:098e92835b8119b54c693f2f88a1dec690e20798ca5f5fe5f0520245253ee0af"},
-    {file = "aiohttp-3.12.15-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:40b3fee496a47c3b4a39a731954c06f0bd9bd3e8258c059a4beb76ac23f8e421"},
-    {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2ce13fcfb0bb2f259fb42106cdc63fa5515fb85b7e87177267d89a771a660b79"},
-    {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:3beb14f053222b391bf9cf92ae82e0171067cc9c8f52453a0f1ec7c37df12a77"},
-    {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4c39e87afe48aa3e814cac5f535bc6199180a53e38d3f51c5e2530f5aa4ec58c"},
-    {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d5f1b4ce5bc528a6ee38dbf5f39bbf11dd127048726323b72b8e85769319ffc4"},
-    {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1004e67962efabbaf3f03b11b4c43b834081c9e3f9b32b16a7d97d4708a9abe6"},
-    {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8faa08fcc2e411f7ab91d1541d9d597d3a90e9004180edb2072238c085eac8c2"},
-    {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:fe086edf38b2222328cdf89af0dde2439ee173b8ad7cb659b4e4c6f385b2be3d"},
-    {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:79b26fe467219add81d5e47b4a4ba0f2394e8b7c7c3198ed36609f9ba161aecb"},
-    {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:b761bac1192ef24e16706d761aefcb581438b34b13a2f069a6d343ec8fb693a5"},
-    {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:e153e8adacfe2af562861b72f8bc47f8a5c08e010ac94eebbe33dc21d677cd5b"},
-    {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:fc49c4de44977aa8601a00edbf157e9a421f227aa7eb477d9e3df48343311065"},
-    {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:2776c7ec89c54a47029940177e75c8c07c29c66f73464784971d6a81904ce9d1"},
-    {file = "aiohttp-3.12.15-cp310-cp310-win32.whl", hash = "sha256:2c7d81a277fa78b2203ab626ced1487420e8c11a8e373707ab72d189fcdad20a"},
-    {file = "aiohttp-3.12.15-cp310-cp310-win_amd64.whl", hash = "sha256:83603f881e11f0f710f8e2327817c82e79431ec976448839f3cd05d7afe8f830"},
-    {file = "aiohttp-3.12.15-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:d3ce17ce0220383a0f9ea07175eeaa6aa13ae5a41f30bc61d84df17f0e9b1117"},
-    {file = "aiohttp-3.12.15-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:010cc9bbd06db80fe234d9003f67e97a10fe003bfbedb40da7d71c1008eda0fe"},
-    {file = "aiohttp-3.12.15-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:3f9d7c55b41ed687b9d7165b17672340187f87a773c98236c987f08c858145a9"},
-    {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bc4fbc61bb3548d3b482f9ac7ddd0f18c67e4225aaa4e8552b9f1ac7e6bda9e5"},
-    {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:7fbc8a7c410bb3ad5d595bb7118147dfbb6449d862cc1125cf8867cb337e8728"},
-    {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:74dad41b3458dbb0511e760fb355bb0b6689e0630de8a22b1b62a98777136e16"},
-    {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3b6f0af863cf17e6222b1735a756d664159e58855da99cfe965134a3ff63b0b0"},
-    {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b5b7fe4972d48a4da367043b8e023fb70a04d1490aa7d68800e465d1b97e493b"},
-    {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6443cca89553b7a5485331bc9bedb2342b08d073fa10b8c7d1c60579c4a7b9bd"},
-    {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:6c5f40ec615e5264f44b4282ee27628cea221fcad52f27405b80abb346d9f3f8"},
-    {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:2abbb216a1d3a2fe86dbd2edce20cdc5e9ad0be6378455b05ec7f77361b3ab50"},
-    {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:db71ce547012a5420a39c1b744d485cfb823564d01d5d20805977f5ea1345676"},
-    {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:ced339d7c9b5030abad5854aa5413a77565e5b6e6248ff927d3e174baf3badf7"},
-    {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:7c7dd29c7b5bda137464dc9bfc738d7ceea46ff70309859ffde8c022e9b08ba7"},
-    {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:421da6fd326460517873274875c6c5a18ff225b40da2616083c5a34a7570b685"},
-    {file = "aiohttp-3.12.15-cp311-cp311-win32.whl", hash = "sha256:4420cf9d179ec8dfe4be10e7d0fe47d6d606485512ea2265b0d8c5113372771b"},
-    {file = "aiohttp-3.12.15-cp311-cp311-win_amd64.whl", hash = "sha256:edd533a07da85baa4b423ee8839e3e91681c7bfa19b04260a469ee94b778bf6d"},
-    {file = "aiohttp-3.12.15-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:802d3868f5776e28f7bf69d349c26fc0efadb81676d0afa88ed00d98a26340b7"},
-    {file = "aiohttp-3.12.15-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:f2800614cd560287be05e33a679638e586a2d7401f4ddf99e304d98878c29444"},
-    {file = "aiohttp-3.12.15-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8466151554b593909d30a0a125d638b4e5f3836e5aecde85b66b80ded1cb5b0d"},
-    {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2e5a495cb1be69dae4b08f35a6c4579c539e9b5706f606632102c0f855bcba7c"},
-    {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:6404dfc8cdde35c69aaa489bb3542fb86ef215fc70277c892be8af540e5e21c0"},
-    {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3ead1c00f8521a5c9070fcb88f02967b1d8a0544e6d85c253f6968b785e1a2ab"},
-    {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6990ef617f14450bc6b34941dba4f12d5613cbf4e33805932f853fbd1cf18bfb"},
-    {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fd736ed420f4db2b8148b52b46b88ed038d0354255f9a73196b7bbce3ea97545"},
-    {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3c5092ce14361a73086b90c6efb3948ffa5be2f5b6fbcf52e8d8c8b8848bb97c"},
-    {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:aaa2234bb60c4dbf82893e934d8ee8dea30446f0647e024074237a56a08c01bd"},
-    {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:6d86a2fbdd14192e2f234a92d3b494dd4457e683ba07e5905a0b3ee25389ac9f"},
-    {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:a041e7e2612041a6ddf1c6a33b883be6a421247c7afd47e885969ee4cc58bd8d"},
-    {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:5015082477abeafad7203757ae44299a610e89ee82a1503e3d4184e6bafdd519"},
-    {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:56822ff5ddfd1b745534e658faba944012346184fbfe732e0d6134b744516eea"},
-    {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:b2acbbfff69019d9014508c4ba0401822e8bae5a5fdc3b6814285b71231b60f3"},
-    {file = "aiohttp-3.12.15-cp312-cp312-win32.whl", hash = "sha256:d849b0901b50f2185874b9a232f38e26b9b3d4810095a7572eacea939132d4e1"},
-    {file = "aiohttp-3.12.15-cp312-cp312-win_amd64.whl", hash = "sha256:b390ef5f62bb508a9d67cb3bba9b8356e23b3996da7062f1a57ce1a79d2b3d34"},
-    {file = "aiohttp-3.12.15-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:9f922ffd05034d439dde1c77a20461cf4a1b0831e6caa26151fe7aa8aaebc315"},
-    {file = "aiohttp-3.12.15-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:2ee8a8ac39ce45f3e55663891d4b1d15598c157b4d494a4613e704c8b43112cd"},
-    {file = "aiohttp-3.12.15-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:3eae49032c29d356b94eee45a3f39fdf4b0814b397638c2f718e96cfadf4c4e4"},
-    {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b97752ff12cc12f46a9b20327104448042fce5c33a624f88c18f66f9368091c7"},
-    {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:894261472691d6fe76ebb7fcf2e5870a2ac284c7406ddc95823c8598a1390f0d"},
-    {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5fa5d9eb82ce98959fc1031c28198b431b4d9396894f385cb63f1e2f3f20ca6b"},
-    {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0fa751efb11a541f57db59c1dd821bec09031e01452b2b6217319b3a1f34f3d"},
-    {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5346b93e62ab51ee2a9d68e8f73c7cf96ffb73568a23e683f931e52450e4148d"},
-    {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:049ec0360f939cd164ecbfd2873eaa432613d5e77d6b04535e3d1fbae5a9e645"},
-    {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:b52dcf013b57464b6d1e51b627adfd69a8053e84b7103a7cd49c030f9ca44461"},
-    {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:9b2af240143dd2765e0fb661fd0361a1b469cab235039ea57663cda087250ea9"},
-    {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ac77f709a2cde2cc71257ab2d8c74dd157c67a0558a0d2799d5d571b4c63d44d"},
-    {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:47f6b962246f0a774fbd3b6b7be25d59b06fdb2f164cf2513097998fc6a29693"},
-    {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:760fb7db442f284996e39cf9915a94492e1896baac44f06ae551974907922b64"},
-    {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ad702e57dc385cae679c39d318def49aef754455f237499d5b99bea4ef582e51"},
-    {file = "aiohttp-3.12.15-cp313-cp313-win32.whl", hash = "sha256:f813c3e9032331024de2eb2e32a88d86afb69291fbc37a3a3ae81cc9917fb3d0"},
-    {file = "aiohttp-3.12.15-cp313-cp313-win_amd64.whl", hash = "sha256:1a649001580bdb37c6fdb1bebbd7e3bc688e8ec2b5c6f52edbb664662b17dc84"},
-    {file = "aiohttp-3.12.15-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:691d203c2bdf4f4637792efbbcdcd157ae11e55eaeb5e9c360c1206fb03d4d98"},
-    {file = "aiohttp-3.12.15-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:8e995e1abc4ed2a454c731385bf4082be06f875822adc4c6d9eaadf96e20d406"},
-    {file = "aiohttp-3.12.15-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:bd44d5936ab3193c617bfd6c9a7d8d1085a8dc8c3f44d5f1dcf554d17d04cf7d"},
-    {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:46749be6e89cd78d6068cdf7da51dbcfa4321147ab8e4116ee6678d9a056a0cf"},
-    {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:0c643f4d75adea39e92c0f01b3fb83d57abdec8c9279b3078b68a3a52b3933b6"},
-    {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0a23918fedc05806966a2438489dcffccbdf83e921a1170773b6178d04ade142"},
-    {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:74bdd8c864b36c3673741023343565d95bfbd778ffe1eb4d412c135a28a8dc89"},
-    {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0a146708808c9b7a988a4af3821379e379e0f0e5e466ca31a73dbdd0325b0263"},
-    {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b7011a70b56facde58d6d26da4fec3280cc8e2a78c714c96b7a01a87930a9530"},
-    {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:3bdd6e17e16e1dbd3db74d7f989e8af29c4d2e025f9828e6ef45fbdee158ec75"},
-    {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:57d16590a351dfc914670bd72530fd78344b885a00b250e992faea565b7fdc05"},
-    {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:bc9a0f6569ff990e0bbd75506c8d8fe7214c8f6579cca32f0546e54372a3bb54"},
-    {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:536ad7234747a37e50e7b6794ea868833d5220b49c92806ae2d7e8a9d6b5de02"},
-    {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:f0adb4177fa748072546fb650d9bd7398caaf0e15b370ed3317280b13f4083b0"},
-    {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:14954a2988feae3987f1eb49c706bff39947605f4b6fa4027c1d75743723eb09"},
-    {file = "aiohttp-3.12.15-cp39-cp39-win32.whl", hash = "sha256:b784d6ed757f27574dca1c336f968f4e81130b27595e458e69457e6878251f5d"},
-    {file = "aiohttp-3.12.15-cp39-cp39-win_amd64.whl", hash = "sha256:86ceded4e78a992f835209e236617bffae649371c4a50d5e5a3987f237db84b8"},
-    {file = "aiohttp-3.12.15.tar.gz", hash = "sha256:4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"},
+    {file = "aiohttp-3.13.3-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d5a372fd5afd301b3a89582817fdcdb6c34124787c70dbcc616f259013e7eef7"},
+    {file = "aiohttp-3.13.3-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:147e422fd1223005c22b4fe080f5d93ced44460f5f9c105406b753612b587821"},
+    {file = "aiohttp-3.13.3-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:859bd3f2156e81dd01432f5849fc73e2243d4a487c4fd26609b1299534ee1845"},
+    {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:dca68018bf48c251ba17c72ed479f4dafe9dbd5a73707ad8d28a38d11f3d42af"},
+    {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:fee0c6bc7db1de362252affec009707a17478a00ec69f797d23ca256e36d5940"},
+    {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c048058117fd649334d81b4b526e94bde3ccaddb20463a815ced6ecbb7d11160"},
+    {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:215a685b6fbbfcf71dfe96e3eba7a6f58f10da1dfdf4889c7dd856abe430dca7"},
+    {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:de2c184bb1fe2cbd2cefba613e9db29a5ab559323f994b6737e370d3da0ac455"},
+    {file = "aiohttp-3.13.3-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:75ca857eba4e20ce9f546cd59c7007b33906a4cd48f2ff6ccf1ccfc3b646f279"},
+    {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:81e97251d9298386c2b7dbeb490d3d1badbdc69107fb8c9299dd04eb39bddc0e"},
+    {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:c0e2d366af265797506f0283487223146af57815b388623f0357ef7eac9b209d"},
+    {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:4e239d501f73d6db1522599e14b9b321a7e3b1de66ce33d53a765d975e9f4808"},
+    {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:0db318f7a6f065d84cb1e02662c526294450b314a02bd9e2a8e67f0d8564ce40"},
+    {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:bfc1cc2fe31a6026a8a88e4ecfb98d7f6b1fec150cfd708adbfd1d2f42257c29"},
+    {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:af71fff7bac6bb7508956696dce8f6eec2bbb045eceb40343944b1ae62b5ef11"},
+    {file = "aiohttp-3.13.3-cp310-cp310-win32.whl", hash = "sha256:37da61e244d1749798c151421602884db5270faf479cf0ef03af0ff68954c9dd"},
+    {file = "aiohttp-3.13.3-cp310-cp310-win_amd64.whl", hash = "sha256:7e63f210bc1b57ef699035f2b4b6d9ce096b5914414a49b0997c839b2bd2223c"},
+    {file = "aiohttp-3.13.3-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:5b6073099fb654e0a068ae678b10feff95c5cae95bbfcbfa7af669d361a8aa6b"},
+    {file = "aiohttp-3.13.3-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:1cb93e166e6c28716c8c6aeb5f99dfb6d5ccf482d29fe9bf9a794110e6d0ab64"},
+    {file = "aiohttp-3.13.3-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:28e027cf2f6b641693a09f631759b4d9ce9165099d2b5d92af9bd4e197690eea"},
+    {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3b61b7169ababd7802f9568ed96142616a9118dd2be0d1866e920e77ec8fa92a"},
+    {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:80dd4c21b0f6237676449c6baaa1039abae86b91636b6c91a7f8e61c87f89540"},
+    {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:65d2ccb7eabee90ce0503c17716fc77226be026dcc3e65cce859a30db715025b"},
+    {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5b179331a481cb5529fca8b432d8d3c7001cb217513c94cd72d668d1248688a3"},
+    {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9d4c940f02f49483b18b079d1c27ab948721852b281f8b015c058100e9421dd1"},
+    {file = "aiohttp-3.13.3-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:f9444f105664c4ce47a2a7171a2418bce5b7bae45fb610f4e2c36045d85911d3"},
+    {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:694976222c711d1d00ba131904beb60534f93966562f64440d0c9d41b8cdb440"},
+    {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:f33ed1a2bf1997a36661874b017f5c4b760f41266341af36febaf271d179f6d7"},
+    {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:e636b3c5f61da31a92bf0d91da83e58fdfa96f178ba682f11d24f31944cdd28c"},
+    {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:5d2d94f1f5fcbe40838ac51a6ab5704a6f9ea42e72ceda48de5e6b898521da51"},
+    {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:2be0e9ccf23e8a94f6f0650ce06042cefc6ac703d0d7ab6c7a917289f2539ad4"},
+    {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:9af5e68ee47d6534d36791bbe9b646d2a7c7deb6fc24d7943628edfbb3581f29"},
+    {file = "aiohttp-3.13.3-cp311-cp311-win32.whl", hash = "sha256:a2212ad43c0833a873d0fb3c63fa1bacedd4cf6af2fee62bf4b739ceec3ab239"},
+    {file = "aiohttp-3.13.3-cp311-cp311-win_amd64.whl", hash = "sha256:642f752c3eb117b105acbd87e2c143de710987e09860d674e068c4c2c441034f"},
+    {file = "aiohttp-3.13.3-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:b903a4dfee7d347e2d87697d0713be59e0b87925be030c9178c5faa58ea58d5c"},
+    {file = "aiohttp-3.13.3-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:a45530014d7a1e09f4a55f4f43097ba0fd155089372e105e4bff4ca76cb1b168"},
+    {file = "aiohttp-3.13.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:27234ef6d85c914f9efeb77ff616dbf4ad2380be0cda40b4db086ffc7ddd1b7d"},
+    {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d32764c6c9aafb7fb55366a224756387cd50bfa720f32b88e0e6fa45b27dcf29"},
+    {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:b1a6102b4d3ebc07dad44fbf07b45bb600300f15b552ddf1851b5390202ea2e3"},
+    {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c014c7ea7fb775dd015b2d3137378b7be0249a448a1612268b5a90c2d81de04d"},
+    {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2b8d8ddba8f95ba17582226f80e2de99c7a7948e66490ef8d947e272a93e9463"},
+    {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9ae8dd55c8e6c4257eae3a20fd2c8f41edaea5992ed67156642493b8daf3cecc"},
+    {file = "aiohttp-3.13.3-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:01ad2529d4b5035578f5081606a465f3b814c542882804e2e8cda61adf5c71bf"},
+    {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:bb4f7475e359992b580559e008c598091c45b5088f28614e855e42d39c2f1033"},
+    {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:c19b90316ad3b24c69cd78d5c9b4f3aa4497643685901185b65166293d36a00f"},
+    {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:96d604498a7c782cb15a51c406acaea70d8c027ee6b90c569baa6e7b93073679"},
+    {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:084911a532763e9d3dd95adf78a78f4096cd5f58cdc18e6fdbc1b58417a45423"},
+    {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:7a4a94eb787e606d0a09404b9c38c113d3b099d508021faa615d70a0131907ce"},
+    {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:87797e645d9d8e222e04160ee32aa06bc5c163e8499f24db719e7852ec23093a"},
+    {file = "aiohttp-3.13.3-cp312-cp312-win32.whl", hash = "sha256:b04be762396457bef43f3597c991e192ee7da460a4953d7e647ee4b1c28e7046"},
+    {file = "aiohttp-3.13.3-cp312-cp312-win_amd64.whl", hash = "sha256:e3531d63d3bdfa7e3ac5e9b27b2dd7ec9df3206a98e0b3445fa906f233264c57"},
+    {file = "aiohttp-3.13.3-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:5dff64413671b0d3e7d5918ea490bdccb97a4ad29b3f311ed423200b2203e01c"},
+    {file = "aiohttp-3.13.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:87b9aab6d6ed88235aa2970294f496ff1a1f9adcd724d800e9b952395a80ffd9"},
+    {file = "aiohttp-3.13.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:425c126c0dc43861e22cb1c14ba4c8e45d09516d0a3ae0a3f7494b79f5f233a3"},
+    {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7f9120f7093c2a32d9647abcaf21e6ad275b4fbec5b55969f978b1a97c7c86bf"},
+    {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:697753042d57f4bf7122cab985bf15d0cef23c770864580f5af4f52023a56bd6"},
+    {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:6de499a1a44e7de70735d0b39f67c8f25eb3d91eb3103be99ca0fa882cdd987d"},
+    {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:37239e9f9a7ea9ac5bf6b92b0260b01f8a22281996da609206a84df860bc1261"},
+    {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:f76c1e3fe7d7c8afad7ed193f89a292e1999608170dcc9751a7462a87dfd5bc0"},
+    {file = "aiohttp-3.13.3-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:fc290605db2a917f6e81b0e1e0796469871f5af381ce15c604a3c5c7e51cb730"},
+    {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4021b51936308aeea0367b8f006dc999ca02bc118a0cc78c303f50a2ff6afb91"},
+    {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:49a03727c1bba9a97d3e93c9f93ca03a57300f484b6e935463099841261195d3"},
+    {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:3d9908a48eb7416dc1f4524e69f1d32e5d90e3981e4e37eb0aa1cd18f9cfa2a4"},
+    {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:2712039939ec963c237286113c68dbad80a82a4281543f3abf766d9d73228998"},
+    {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:7bfdc049127717581866fa4708791220970ce291c23e28ccf3922c700740fdc0"},
+    {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:8057c98e0c8472d8846b9c79f56766bcc57e3e8ac7bfd510482332366c56c591"},
+    {file = "aiohttp-3.13.3-cp313-cp313-win32.whl", hash = "sha256:1449ceddcdbcf2e0446957863af03ebaaa03f94c090f945411b61269e2cb5daf"},
+    {file = "aiohttp-3.13.3-cp313-cp313-win_amd64.whl", hash = "sha256:693781c45a4033d31d4187d2436f5ac701e7bbfe5df40d917736108c1cc7436e"},
+    {file = "aiohttp-3.13.3-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:ea37047c6b367fd4bd632bff8077449b8fa034b69e812a18e0132a00fae6e808"},
+    {file = "aiohttp-3.13.3-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:6fc0e2337d1a4c3e6acafda6a78a39d4c14caea625124817420abceed36e2415"},
+    {file = "aiohttp-3.13.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:c685f2d80bb67ca8c3837823ad76196b3694b0159d232206d1e461d3d434666f"},
+    {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:48e377758516d262bde50c2584fc6c578af272559c409eecbdd2bae1601184d6"},
+    {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:34749271508078b261c4abb1767d42b8d0c0cc9449c73a4df494777dc55f0687"},
+    {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:82611aeec80eb144416956ec85b6ca45a64d76429c1ed46ae1b5f86c6e0c9a26"},
+    {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2fff83cfc93f18f215896e3a190e8e5cb413ce01553901aca925176e7568963a"},
+    {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:bbe7d4cecacb439e2e2a8a1a7b935c25b812af7a5fd26503a66dadf428e79ec1"},
+    {file = "aiohttp-3.13.3-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:b928f30fe49574253644b1ca44b1b8adbd903aa0da4b9054a6c20fc7f4092a25"},
+    {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:7b5e8fe4de30df199155baaf64f2fcd604f4c678ed20910db8e2c66dc4b11603"},
+    {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:8542f41a62bcc58fc7f11cf7c90e0ec324ce44950003feb70640fc2a9092c32a"},
+    {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:5e1d8c8b8f1d91cd08d8f4a3c2b067bfca6ec043d3ff36de0f3a715feeedf926"},
+    {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:90455115e5da1c3c51ab619ac57f877da8fd6d73c05aacd125c5ae9819582aba"},
+    {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:042e9e0bcb5fba81886c8b4fbb9a09d6b8a00245fd8d88e4d989c1f96c74164c"},
+    {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:2eb752b102b12a76ca02dff751a801f028b4ffbbc478840b473597fc91a9ed43"},
+    {file = "aiohttp-3.13.3-cp314-cp314-win32.whl", hash = "sha256:b556c85915d8efaed322bf1bdae9486aa0f3f764195a0fb6ee962e5c71ef5ce1"},
+    {file = "aiohttp-3.13.3-cp314-cp314-win_amd64.whl", hash = "sha256:9bf9f7a65e7aa20dd764151fb3d616c81088f91f8df39c3893a536e279b4b984"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-macosx_10_13_universal2.whl", hash = "sha256:05861afbbec40650d8a07ea324367cb93e9e8cc7762e04dd4405df99fa65159c"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:2fc82186fadc4a8316768d61f3722c230e2c1dcab4200d52d2ebdf2482e47592"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:0add0900ff220d1d5c5ebbf99ed88b0c1bbf87aa7e4262300ed1376a6b13414f"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:568f416a4072fbfae453dcf9a99194bbb8bdeab718e08ee13dfa2ba0e4bebf29"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:add1da70de90a2569c5e15249ff76a631ccacfe198375eead4aadf3b8dc849dc"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:10b47b7ba335d2e9b1239fa571131a87e2d8ec96b333e68b2a305e7a98b0bae2"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:3dd4dce1c718e38081c8f35f323209d4c1df7d4db4bab1b5c88a6b4d12b74587"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:34bac00a67a812570d4a460447e1e9e06fae622946955f939051e7cc895cfab8"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:a19884d2ee70b06d9204b2727a7b9f983d0c684c650254679e716b0b77920632"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:5f8ca7f2bb6ba8348a3614c7918cc4bb73268c5ac2a207576b7afea19d3d9f64"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_armv7l.whl", hash = "sha256:b0d95340658b9d2f11d9697f59b3814a9d3bb4b7a7c20b131df4bcef464037c0"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_ppc64le.whl", hash = "sha256:a1e53262fd202e4b40b70c3aff944a8155059beedc8a89bba9dc1f9ef06a1b56"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:d60ac9663f44168038586cab2157e122e46bdef09e9368b37f2d82d354c23f72"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_s390x.whl", hash = "sha256:90751b8eed69435bac9ff4e3d2f6b3af1f57e37ecb0fbeee59c0174c9e2d41df"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:fc353029f176fd2b3ec6cfc71be166aba1936fe5d73dd1992ce289ca6647a9aa"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-win32.whl", hash = "sha256:2e41b18a58da1e474a057b3d35248d8320029f61d70a37629535b16a0c8f3767"},
+    {file = "aiohttp-3.13.3-cp314-cp314t-win_amd64.whl", hash = "sha256:44531a36aa2264a1860089ffd4dce7baf875ee5a6079d5fb42e261c704ef7344"},
+    {file = "aiohttp-3.13.3-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:31a83ea4aead760dfcb6962efb1d861db48c34379f2ff72db9ddddd4cda9ea2e"},
+    {file = "aiohttp-3.13.3-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:988a8c5e317544fdf0d39871559e67b6341065b87fceac641108c2096d5506b7"},
+    {file = "aiohttp-3.13.3-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9b174f267b5cfb9a7dba9ee6859cecd234e9a681841eb85068059bc867fb8f02"},
+    {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:947c26539750deeaee933b000fb6517cc770bbd064bad6033f1cff4803881e43"},
+    {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:9ebf57d09e131f5323464bd347135a88622d1c0976e88ce15b670e7ad57e4bd6"},
+    {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:4ae5b5a0e1926e504c81c5b84353e7a5516d8778fbbff00429fe7b05bb25cbce"},
+    {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2ba0eea45eb5cc3172dbfc497c066f19c41bac70963ea1a67d51fc92e4cf9a80"},
+    {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:bae5c2ed2eae26cc382020edad80d01f36cb8e746da40b292e68fec40421dc6a"},
+    {file = "aiohttp-3.13.3-cp39-cp39-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:8a60e60746623925eab7d25823329941aee7242d559baa119ca2b253c88a7bd6"},
+    {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:e50a2e1404f063427c9d027378472316201a2290959a295169bcf25992d04558"},
+    {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:9a9dc347e5a3dc7dfdbc1f82da0ef29e388ddb2ed281bfce9dd8248a313e62b7"},
+    {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:b46020d11d23fe16551466c77823df9cc2f2c1e63cc965daf67fa5eec6ca1877"},
+    {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_riscv64.whl", hash = "sha256:69c56fbc1993fa17043e24a546959c0178fe2b5782405ad4559e6c13975c15e3"},
+    {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:b99281b0704c103d4e11e72a76f1b543d4946fea7dd10767e7e1b5f00d4e5704"},
+    {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:40c5e40ecc29ba010656c18052b877a1c28f84344825efa106705e835c28530f"},
+    {file = "aiohttp-3.13.3-cp39-cp39-win32.whl", hash = "sha256:56339a36b9f1fc708260c76c87e593e2afb30d26de9ae1eb445b5e051b98a7a1"},
+    {file = "aiohttp-3.13.3-cp39-cp39-win_amd64.whl", hash = "sha256:c6b8568a3bb5819a0ad087f16d40e5a3fb6099f39ea1d5625a3edc1e923fc538"},
+    {file = "aiohttp-3.13.3.tar.gz", hash = "sha256:a949eee43d3782f2daae4f4a2819b2cb9b0c5d3b7f7a927067cc84dafdbb9f88"},
 ]

 [package.dependencies]
@@ -130,7 +164,7 @@ propcache = ">=0.2.0"
 yarl = ">=1.17.0,<2.0"

 [package.extras]
-speedups = ["Brotli ; platform_python_implementation == \"CPython\"", "aiodns (>=3.3.0)", "brotlicffi ; platform_python_implementation != \"CPython\""]
+speedups = ["Brotli (>=1.2) ; platform_python_implementation == \"CPython\"", "aiodns (>=3.3.0)", "backports.zstd ; platform_python_implementation == \"CPython\" and python_version < \"3.14\"", "brotlicffi (>=1.2) ; platform_python_implementation != \"CPython\""]

 [[package]]
 name = "aiosignal"
@@ -703,24 +737,24 @@ crt = ["awscrt (==0.29.2)"]

 [[package]]
 name = "browser-use"
-version = "0.11.2"
+version = "0.11.13"
 description = "Make websites accessible for AI agents"
 optional = false
 python-versions = "<4.0,>=3.11"
 groups = ["main"]
 files = [
-    {file = "browser_use-0.11.2-py3-none-any.whl", hash = "sha256:6ac57c0e2a495749fc83c1faee85001737567f8cd4301ebfcda2a886018a325b"},
-    {file = "browser_use-0.11.2.tar.gz", hash = "sha256:543face2fd5662ee89526d2099a79e01468b51784cdcc85faa36a81fdae4aa68"},
+    {file = "browser_use-0.11.13-py3-none-any.whl", hash = "sha256:f5232309213715e66e8f2079fb7097ac79a880728735968e4c7d41031ed15e83"},
+    {file = "browser_use-0.11.13.tar.gz", hash = "sha256:c20d029f17c44add2047a72c836cb589b85e90a31a91cf3632a22a2de1928dfe"},
 ]

 [package.dependencies]
-aiohttp = "3.12.15"
+aiohttp = ">=3.13.3"
 anthropic = ">=0.72.1,<1.0.0"
 anyio = ">=4.9.0"
 authlib = ">=1.6.0"
 browser-use-sdk = ">=2.0.12"
 bubus = ">=1.5.6"
-cdp-use = ">=1.4.4"
+cdp-use = ">=1.4.5"
 click = ">=8.1.8"
 cloudpickle = ">=3.1.1"
 google-api-core = ">=2.25.0"
@@ -758,7 +792,7 @@ aws = ["boto3 (>=1.38.45)"]
 cli = ["textual (>=3.2.0)"]
 cli-oci = ["oci (>=2.126.4)", "textual (>=3.2.0)"]
 code = ["matplotlib (>=3.9.0)", "numpy (>=2.3.2)", "pandas (>=2.2.0)", "tabulate (>=0.9.0)"]
-eval = ["anyio (>=4.9.0)", "datamodel-code-generator (>=0.26.0)", "lmnr[all] (==0.7.17)", "psutil (>=7.0.0)"]
+eval = ["anyio (>=4.9.0)", "datamodel-code-generator (>=0.26.0)", "lmnr[all] (==0.7.42)", "psutil (>=7.0.0)"]
 examples = ["agentmail (==0.0.59)", "botocore (>=1.37.23)", "imgcat (>=0.6.0)", "langchain-openai (>=0.3.26)"]
 oci = ["oci (>=2.126.4)"]
 video = ["imageio[ffmpeg] (>=2.37.0)", "numpy (>=2.3.2)"]
@@ -891,18 +925,19 @@ files = [

 [[package]]
 name = "cdp-use"
-version = "1.4.4"
+version = "1.4.5"
 description = "Type safe generator/client library for CDP"
 optional = false
 python-versions = ">=3.11"
 groups = ["main"]
 files = [
-    {file = "cdp_use-1.4.4-py3-none-any.whl", hash = "sha256:e37e80e067db2653d6fdf953d4ff9e5d80d75daa27b7c6d48c0261cccbef73e1"},
-    {file = "cdp_use-1.4.4.tar.gz", hash = "sha256:330a848b517006eb9ad1dc468aa6434d913cf0c6918610760c36c3fdfdba0fab"},
+    {file = "cdp_use-1.4.5-py3-none-any.whl", hash = "sha256:8f8e2435e3a20e4009d2974144192cf3c132f6c2971338e156198814d9b91ecb"},
+    {file = "cdp_use-1.4.5.tar.gz", hash = "sha256:0da3a32df46336a03ff5a22bc6bc442cd7d2f2d50a118fd4856f29d37f6d26a0"},
 ]

 [package.dependencies]
 httpx = ">=0.28.1"
+typing-extensions = ">=4.12.2"
 websockets = ">=15.0.1"

 [[package]]
@@ -1540,66 +1575,61 @@ files = [

 [[package]]
 name = "cryptography"
-version = "46.0.3"
+version = "46.0.5"
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 optional = false
 python-versions = "!=3.9.0,!=3.9.1,>=3.8"
 groups = ["main"]
 files = [
-    {file = "cryptography-46.0.3-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:109d4ddfadf17e8e7779c39f9b18111a09efb969a301a31e987416a0191ed93a"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:09859af8466b69bc3c27bdf4f5d84a665e0f7ab5088412e9e2ec49758eca5cbc"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:01ca9ff2885f3acc98c29f1860552e37f6d7c7d013d7334ff2a9de43a449315d"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:6eae65d4c3d33da080cff9c4ab1f711b15c1d9760809dad6ea763f3812d254cb"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:e5bf0ed4490068a2e72ac03d786693adeb909981cc596425d09032d372bcc849"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:5ecfccd2329e37e9b7112a888e76d9feca2347f12f37918facbb893d7bb88ee8"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:a2c0cd47381a3229c403062f764160d57d4d175e022c1df84e168c6251a22eec"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:549e234ff32571b1f4076ac269fcce7a808d3bf98b76c8dd560e42dbc66d7d91"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:c0a7bb1a68a5d3471880e264621346c48665b3bf1c3759d682fc0864c540bd9e"},
-    {file = "cryptography-46.0.3-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:10b01676fc208c3e6feeb25a8b83d81767e8059e1fe86e1dc62d10a3018fa926"},
-    {file = "cryptography-46.0.3-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:0abf1ffd6e57c67e92af68330d05760b7b7efb243aab8377e583284dbab72c71"},
-    {file = "cryptography-46.0.3-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a04bee9ab6a4da801eb9b51f1b708a1b5b5c9eb48c03f74198464c66f0d344ac"},
-    {file = "cryptography-46.0.3-cp311-abi3-win32.whl", hash = "sha256:f260d0d41e9b4da1ed1e0f1ce571f97fe370b152ab18778e9e8f67d6af432018"},
-    {file = "cryptography-46.0.3-cp311-abi3-win_amd64.whl", hash = "sha256:a9a3008438615669153eb86b26b61e09993921ebdd75385ddd748702c5adfddb"},
-    {file = "cryptography-46.0.3-cp311-abi3-win_arm64.whl", hash = "sha256:5d7f93296ee28f68447397bf5198428c9aeeab45705a55d53a6343455dcb2c3c"},
-    {file = "cryptography-46.0.3-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:00a5e7e87938e5ff9ff5447ab086a5706a957137e6e433841e9d24f38a065217"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:c8daeb2d2174beb4575b77482320303f3d39b8e81153da4f0fb08eb5fe86a6c5"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:39b6755623145ad5eff1dab323f4eae2a32a77a7abef2c5089a04a3d04366715"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:db391fa7c66df6762ee3f00c95a89e6d428f4d60e7abc8328f4fe155b5ac6e54"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:78a97cf6a8839a48c49271cdcbd5cf37ca2c1d6b7fdd86cc864f302b5e9bf459"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:dfb781ff7eaa91a6f7fd41776ec37c5853c795d3b358d4896fdbb5df168af422"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:6f61efb26e76c45c4a227835ddeae96d83624fb0d29eb5df5b96e14ed1a0afb7"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:23b1a8f26e43f47ceb6d6a43115f33a5a37d57df4ea0ca295b780ae8546e8044"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:b419ae593c86b87014b9be7396b385491ad7f320bde96826d0dd174459e54665"},
-    {file = "cryptography-46.0.3-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:50fc3343ac490c6b08c0cf0d704e881d0d660be923fd3076db3e932007e726e3"},
-    {file = "cryptography-46.0.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:22d7e97932f511d6b0b04f2bfd818d73dcd5928db509460aaf48384778eb6d20"},
-    {file = "cryptography-46.0.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:d55f3dffadd674514ad19451161118fd010988540cee43d8bc20675e775925de"},
-    {file = "cryptography-46.0.3-cp314-cp314t-win32.whl", hash = "sha256:8a6e050cb6164d3f830453754094c086ff2d0b2f3a897a1d9820f6139a1f0914"},
-    {file = "cryptography-46.0.3-cp314-cp314t-win_amd64.whl", hash = "sha256:760f83faa07f8b64e9c33fc963d790a2edb24efb479e3520c14a45741cd9b2db"},
-    {file = "cryptography-46.0.3-cp314-cp314t-win_arm64.whl", hash = "sha256:516ea134e703e9fe26bcd1277a4b59ad30586ea90c365a87781d7887a646fe21"},
-    {file = "cryptography-46.0.3-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:cb3d760a6117f621261d662bccc8ef5bc32ca673e037c83fbe565324f5c46936"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:4b7387121ac7d15e550f5cb4a43aef2559ed759c35df7336c402bb8275ac9683"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:15ab9b093e8f09daab0f2159bb7e47532596075139dd74365da52ecc9cb46c5d"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:46acf53b40ea38f9c6c229599a4a13f0d46a6c3fa9ef19fc1a124d62e338dfa0"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:10ca84c4668d066a9878890047f03546f3ae0a6b8b39b697457b7757aaf18dbc"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:36e627112085bb3b81b19fed209c05ce2a52ee8b15d161b7c643a7d5a88491f3"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1000713389b75c449a6e979ffc7dcc8ac90b437048766cef052d4d30b8220971"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:b02cf04496f6576afffef5ddd04a0cb7d49cf6be16a9059d793a30b035f6b6ac"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:71e842ec9bc7abf543b47cf86b9a743baa95f4677d22baa4c7d5c69e49e9bc04"},
-    {file = "cryptography-46.0.3-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:402b58fc32614f00980b66d6e56a5b4118e6cb362ae8f3fda141ba4689bd4506"},
-    {file = "cryptography-46.0.3-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:ef639cb3372f69ec44915fafcd6698b6cc78fbe0c2ea41be867f6ed612811963"},
-    {file = "cryptography-46.0.3-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:3b51b8ca4f1c6453d8829e1eb7299499ca7f313900dd4d89a24b8b87c0a780d4"},
-    {file = "cryptography-46.0.3-cp38-abi3-win32.whl", hash = "sha256:6276eb85ef938dc035d59b87c8a7dc559a232f954962520137529d77b18ff1df"},
-    {file = "cryptography-46.0.3-cp38-abi3-win_amd64.whl", hash = "sha256:416260257577718c05135c55958b674000baef9a1c7d9e8f306ec60d71db850f"},
-    {file = "cryptography-46.0.3-cp38-abi3-win_arm64.whl", hash = "sha256:d89c3468de4cdc4f08a57e214384d0471911a3830fcdaf7a8cc587e42a866372"},
-    {file = "cryptography-46.0.3-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:a23582810fedb8c0bc47524558fb6c56aac3fc252cb306072fd2815da2a47c32"},
-    {file = "cryptography-46.0.3-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:e7aec276d68421f9574040c26e2a7c3771060bc0cff408bae1dcb19d3ab1e63c"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-macosx_10_9_x86_64.whl", hash = "sha256:7ce938a99998ed3c8aa7e7272dca1a610401ede816d36d0693907d863b10d9ea"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:191bb60a7be5e6f54e30ba16fdfae78ad3a342a0599eb4193ba88e3f3d6e185b"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:c70cc23f12726be8f8bc72e41d5065d77e4515efae3690326764ea1b07845cfb"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:9394673a9f4de09e28b5356e7fff97d778f8abad85c9d5ac4a4b7e25a0de7717"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:94cd0549accc38d1494e1f8de71eca837d0509d0d44bf11d158524b0e12cebf9"},
-    {file = "cryptography-46.0.3-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:6b5063083824e5509fdba180721d55909ffacccc8adbec85268b48439423d78c"},
-    {file = "cryptography-46.0.3.tar.gz", hash = "sha256:a8b17438104fed022ce745b362294d9ce35b4c2e45c1d958ad4a4b019285f4a1"},
+    {file = "cryptography-46.0.5-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:351695ada9ea9618b3500b490ad54c739860883df6c1f555e088eaf25b1bbaad"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:c18ff11e86df2e28854939acde2d003f7984f721eba450b56a200ad90eeb0e6b"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:4d7e3d356b8cd4ea5aff04f129d5f66ebdc7b6f8eae802b93739ed520c47c79b"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:50bfb6925eff619c9c023b967d5b77a54e04256c4281b0e21336a130cd7fc263"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:803812e111e75d1aa73690d2facc295eaefd4439be1023fefc4995eaea2af90d"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:3ee190460e2fbe447175cda91b88b84ae8322a104fc27766ad09428754a618ed"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:f145bba11b878005c496e93e257c1e88f154d278d2638e6450d17e0f31e558d2"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:e9251e3be159d1020c4030bd2e5f84d6a43fe54b6c19c12f51cde9542a2817b2"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:47fb8a66058b80e509c47118ef8a75d14c455e81ac369050f20ba0d23e77fee0"},
+    {file = "cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:4c3341037c136030cb46e4b1e17b7418ea4cbd9dd207e4a6f3b2b24e0d4ac731"},
+    {file = "cryptography-46.0.5-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:890bcb4abd5a2d3f852196437129eb3667d62630333aacc13dfd470fad3aaa82"},
+    {file = "cryptography-46.0.5-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:80a8d7bfdf38f87ca30a5391c0c9ce4ed2926918e017c29ddf643d0ed2778ea1"},
+    {file = "cryptography-46.0.5-cp311-abi3-win32.whl", hash = "sha256:60ee7e19e95104d4c03871d7d7dfb3d22ef8a9b9c6778c94e1c8fcc8365afd48"},
+    {file = "cryptography-46.0.5-cp311-abi3-win_amd64.whl", hash = "sha256:38946c54b16c885c72c4f59846be9743d699eee2b69b6988e0a00a01f46a61a4"},
+    {file = "cryptography-46.0.5-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:94a76daa32eb78d61339aff7952ea819b1734b46f73646a07decb40e5b3448e2"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:5be7bf2fb40769e05739dd0046e7b26f9d4670badc7b032d6ce4db64dddc0678"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:fe346b143ff9685e40192a4960938545c699054ba11d4f9029f94751e3f71d87"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:c69fd885df7d089548a42d5ec05be26050ebcd2283d89b3d30676eb32ff87dee"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:8293f3dea7fc929ef7240796ba231413afa7b68ce38fd21da2995549f5961981"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:1abfdb89b41c3be0365328a410baa9df3ff8a9110fb75e7b52e66803ddabc9a9"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:d66e421495fdb797610a08f43b05269e0a5ea7f5e652a89bfd5a7d3c1dee3648"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:4e817a8920bfbcff8940ecfd60f23d01836408242b30f1a708d93198393a80b4"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:68f68d13f2e1cb95163fa3b4db4bf9a159a418f5f6e7242564fc75fcae667fd0"},
+    {file = "cryptography-46.0.5-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:a3d1fae9863299076f05cb8a778c467578262fae09f9dc0ee9b12eb4268ce663"},
+    {file = "cryptography-46.0.5-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:c4143987a42a2397f2fc3b4d7e3a7d313fbe684f67ff443999e803dd75a76826"},
+    {file = "cryptography-46.0.5-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:7d731d4b107030987fd61a7f8ab512b25b53cef8f233a97379ede116f30eb67d"},
+    {file = "cryptography-46.0.5-cp314-cp314t-win32.whl", hash = "sha256:c3bcce8521d785d510b2aad26ae2c966092b7daa8f45dd8f44734a104dc0bc1a"},
+    {file = "cryptography-46.0.5-cp314-cp314t-win_amd64.whl", hash = "sha256:4d8ae8659ab18c65ced284993c2265910f6c9e650189d4e3f68445ef82a810e4"},
+    {file = "cryptography-46.0.5-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:4108d4c09fbbf2789d0c926eb4152ae1760d5a2d97612b92d508d96c861e4d31"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7d1f30a86d2757199cb2d56e48cce14deddf1f9c95f1ef1b64ee91ea43fe2e18"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:039917b0dc418bb9f6edce8a906572d69e74bd330b0b3fea4f79dab7f8ddd235"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:ba2a27ff02f48193fc4daeadf8ad2590516fa3d0adeeb34336b96f7fa64c1e3a"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:61aa400dce22cb001a98014f647dc21cda08f7915ceb95df0c9eaf84b4b6af76"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:3ce58ba46e1bc2aac4f7d9290223cead56743fa6ab94a5d53292ffaac6a91614"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:420d0e909050490d04359e7fdb5ed7e667ca5c3c402b809ae2563d7e66a92229"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:582f5fcd2afa31622f317f80426a027f30dc792e9c80ffee87b993200ea115f1"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:bfd56bb4b37ed4f330b82402f6f435845a5f5648edf1ad497da51a8452d5d62d"},
+    {file = "cryptography-46.0.5-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:a3d507bb6a513ca96ba84443226af944b0f7f47dcc9a399d110cd6146481d24c"},
+    {file = "cryptography-46.0.5-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9f16fbdf4da055efb21c22d81b89f155f02ba420558db21288b3d0035bafd5f4"},
+    {file = "cryptography-46.0.5-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:ced80795227d70549a411a4ab66e8ce307899fad2220ce5ab2f296e687eacde9"},
+    {file = "cryptography-46.0.5-cp38-abi3-win32.whl", hash = "sha256:02f547fce831f5096c9a567fd41bc12ca8f11df260959ecc7c3202555cc47a72"},
+    {file = "cryptography-46.0.5-cp38-abi3-win_amd64.whl", hash = "sha256:556e106ee01aa13484ce9b0239bca667be5004efb0aabbed28d353df86445595"},
+    {file = "cryptography-46.0.5-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:3b4995dc971c9fb83c25aa44cf45f02ba86f71ee600d81091c2f0cbae116b06c"},
+    {file = "cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:bc84e875994c3b445871ea7181d424588171efec3e185dced958dad9e001950a"},
+    {file = "cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:2ae6971afd6246710480e3f15824ed3029a60fc16991db250034efd0b9fb4356"},
+    {file = "cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:d861ee9e76ace6cf36a6a89b959ec08e7bc2493ee39d07ffe5acb23ef46d27da"},
+    {file = "cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:2b7a67c9cd56372f3249b39699f2ad479f6991e62ea15800973b956f4b73e257"},
+    {file = "cryptography-46.0.5-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:8456928655f856c6e1533ff59d5be76578a7157224dbd9ce6872f25055ab9ab7"},
+    {file = "cryptography-46.0.5.tar.gz", hash = "sha256:abace499247268e3757271b2f1e244b36b06f8515cf27c4d49468fc9eb16e93d"},
 ]

 [package.dependencies]
@@ -1612,7 +1642,7 @@ nox = ["nox[uv] (>=2024.4.15)"]
 pep8test = ["check-sdist", "click (>=8.0.1)", "mypy (>=1.14)", "ruff (>=0.11.11)"]
 sdist = ["build (>=1.0.0)"]
 ssh = ["bcrypt (>=3.1.5)"]
-test = ["certifi (>=2024)", "cryptography-vectors (==46.0.3)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
+test = ["certifi (>=2024)", "cryptography-vectors (==46.0.5)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
 test-randomorder = ["pytest-randomly"]

 [[package]]
@@ -2084,25 +2114,6 @@ files = [
    {file = "durationpy-0.10.tar.gz", hash = "sha256:1fa6893409a6e739c9c72334fc65cca1f355dbdd93405d30f726deb5bde42fba"},
 ]

-[[package]]
-name = "ecdsa"
-version = "0.19.1"
-description = "ECDSA cryptographic signature library (pure python)"
-optional = false
-python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.6"
-groups = ["main"]
-files = [
-    {file = "ecdsa-0.19.1-py2.py3-none-any.whl", hash = "sha256:30638e27cf77b7e15c4c4cc1973720149e1033827cfd00661ca5c8cc0cdb24c3"},
-    {file = "ecdsa-0.19.1.tar.gz", hash = "sha256:478cba7b62555866fcb3bb3fe985e06decbdb68ef55713c4e5ab98c57d508e61"},
-]
-
-[package.dependencies]
-six = ">=1.9.0"
-
-[package.extras]
-gmpy = ["gmpy"]
-gmpy2 = ["gmpy2"]
-
 [[package]]
 name = "email-validator"
 version = "2.3.0"
@@ -5754,14 +5765,14 @@ test = ["flaky", "ipykernel (>=6.19.3)", "ipython", "ipywidgets", "nbconvert (>=

 [[package]]
 name = "nbconvert"
-version = "7.16.6"
-description = "Converting Jupyter Notebooks (.ipynb files) to other formats.  Output formats include asciidoc, html, latex, markdown, pdf, py, rst, script.  nbconvert can be used both as a Python library (`import nbconvert`) or as a command line tool (invoked as `jupyter nbconvert ...`)."
+version = "7.17.0"
+description = "Convert Jupyter Notebooks (.ipynb files) to other formats."
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "nbconvert-7.16.6-py3-none-any.whl", hash = "sha256:1375a7b67e0c2883678c48e506dc320febb57685e5ee67faa51b18a90f3a712b"},
-    {file = "nbconvert-7.16.6.tar.gz", hash = "sha256:576a7e37c6480da7b8465eefa66c17844243816ce1ccc372633c6b71c3c0f582"},
+    {file = "nbconvert-7.17.0-py3-none-any.whl", hash = "sha256:4f99a63b337b9a23504347afdab24a11faa7d86b405e5c8f9881cd313336d518"},
+    {file = "nbconvert-7.17.0.tar.gz", hash = "sha256:1b2696f1b5be12309f6c7d707c24af604b87dfaf6d950794c7b07acab96dda78"},
 ]

 [package.dependencies]
@@ -5781,8 +5792,8 @@ pygments = ">=2.4.1"
 traitlets = ">=5.1"

 [package.extras]
-all = ["flaky", "ipykernel", "ipython", "ipywidgets (>=7.5)", "myst-parser", "nbsphinx (>=0.2.12)", "playwright", "pydata-sphinx-theme", "pyqtwebengine (>=5.15)", "pytest (>=7)", "sphinx (==5.0.2)", "sphinxcontrib-spelling", "tornado (>=6.1)"]
-docs = ["ipykernel", "ipython", "myst-parser", "nbsphinx (>=0.2.12)", "pydata-sphinx-theme", "sphinx (==5.0.2)", "sphinxcontrib-spelling"]
+all = ["flaky", "intersphinx-registry", "ipykernel", "ipython", "ipywidgets (>=7.5)", "myst-parser", "nbsphinx (>=0.2.12)", "playwright", "pydata-sphinx-theme", "pyqtwebengine (>=5.15)", "pytest (>=7)", "sphinx (>=5.0.2)", "sphinxcontrib-spelling", "tornado (>=6.1)"]
+docs = ["intersphinx-registry", "ipykernel", "ipython", "myst-parser", "nbsphinx (>=0.2.12)", "pydata-sphinx-theme", "sphinx (>=5.0.2)", "sphinxcontrib-spelling"]
 qtpdf = ["pyqtwebengine (>=5.15)"]
 qtpng = ["pyqtwebengine (>=5.15)"]
 serve = ["tornado (>=6.1)"]
@@ -6056,14 +6067,14 @@ numpy = {version = ">=2,<2.3.0", markers = "python_version >= \"3.9\""}

 [[package]]
 name = "openhands-aci"
-version = "0.3.2"
+version = "0.3.3"
 description = "An Agent-Computer Interface (ACI) designed for software development agents OpenHands."
 optional = false
 python-versions = "<4.0,>=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_aci-0.3.2-py3-none-any.whl", hash = "sha256:a3ff6fe3dd50124598b8bc3aff8d9742d6e75f933f7e7635a9d0b37d45eb826e"},
-    {file = "openhands_aci-0.3.2.tar.gz", hash = "sha256:df7b64df6acb70b45b23e88c13508e7af8f27725bed30c3e88691a0f3d1f7a44"},
+    {file = "openhands_aci-0.3.3-py3-none-any.whl", hash = "sha256:35795a4d6f5939290f74b26190d5b4cd7477b06ffb7c7f0b505166739461d651"},
+    {file = "openhands_aci-0.3.3.tar.gz", hash = "sha256:567fc65bb881e3ea56c987f4251c8f703d3c88fae99402b46ea7dcc48d85adb2"},
 ]

 [package.dependencies]
@@ -6086,7 +6097,6 @@ puremagic = ">=1.28"
 pydantic = ">=2.11.3,<3.0.0"
 pydub = ">=0.25.1,<0.26.0"
 pypdf = ">=5.1.0"
-pypdf2 = ">=3.0.1,<4.0.0"
 python-pptx = ">=1.0.2,<2.0.0"
 rapidfuzz = ">=3.13.0,<4.0.0"
 requests = ">=2.32.3"
@@ -6102,14 +6112,14 @@ llama = ["llama-index (>=0.12.29,<0.13.0)", "llama-index-core (>=0.12.29,<0.13.0

 [[package]]
 name = "openhands-agent-server"
-version = "1.11.4"
+version = "1.11.5"
 description = "OpenHands Agent Server - REST/WebSocket interface for OpenHands AI Agent"
 optional = false
 python-versions = ">=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_agent_server-1.11.4-py3-none-any.whl", hash = "sha256:739bdb774dbfcd23d6e87ee6ee32bc0999f22300037506b6dd33e9ea67fa5c2a"},
-    {file = "openhands_agent_server-1.11.4.tar.gz", hash = "sha256:41247f7022a046eb50ca3b552bc6d12bfa9776e1bd27d0989da91b9f7ac77ca2"},
+    {file = "openhands_agent_server-1.11.5-py3-none-any.whl", hash = "sha256:8bae7063f232791d58a5c31919f58b557f7cce60e6295773985c7dadc556cb9e"},
+    {file = "openhands_agent_server-1.11.5.tar.gz", hash = "sha256:b61366d727c61ab9b7fcd66faab53f230f8ef0928c1177a388d2c5c4be6ebbd0"},
 ]

 [package.dependencies]
@@ -6126,7 +6136,7 @@ wsproto = ">=1.2.0"

 [[package]]
 name = "openhands-ai"
-version = "1.3.0"
+version = "1.4.0"
 description = "OpenHands: Code Less, Make More"
 optional = false
 python-versions = "^3.12,<3.14"
@@ -6135,7 +6145,7 @@ files = []
 develop = true

 [package.dependencies]
-aiohttp = ">=3.9,<3.11.13 || >3.11.13"
+aiohttp = ">=3.13.3"
 anthropic = {version = "*", extras = ["vertex"]}
 anyio = "4.9"
 asyncpg = ">=0.30"
@@ -6160,6 +6170,7 @@ jinja2 = ">=3.1.6"
 joblib = "*"
 json-repair = "*"
 jupyter-kernel-gateway = "*"
+jwcrypto = ">=1.5.6"
 kubernetes = ">=33.1"
 libtmux = ">=0.46.2"
 litellm = ">=1.74.3"
@@ -6167,34 +6178,33 @@ lmnr = ">=0.7.20"
 memory-profiler = ">=0.61"
 numpy = "*"
 openai = "2.8"
-openhands-aci = "0.3.2"
-openhands-agent-server = "1.11.4"
-openhands-sdk = "1.11.4"
-openhands-tools = "1.11.4"
+openhands-aci = "0.3.3"
+openhands-agent-server = "1.11.5"
+openhands-sdk = "1.11.5"
+openhands-tools = "1.11.5"
 opentelemetry-api = ">=1.33.1"
 opentelemetry-exporter-otlp-proto-grpc = ">=1.33.1"
 pathspec = ">=0.12.1"
 pexpect = "*"
 pg8000 = ">=1.31.5"
-pillow = ">=11.3"
+pillow = ">=12.1.1"
 playwright = ">=1.55"
 poetry = ">=2.1.2"
 prompt-toolkit = ">=3.0.50"
-protobuf = ">=5,<6"
+protobuf = ">=5.29.6,<6"
 psutil = "*"
 pybase62 = ">=1"
 pygithub = ">=2.5"
 pyjwt = ">=2.9"
 pylatexenc = "*"
-pypdf = ">=6"
+pypdf = ">=6.7.2"
 python-docx = "*"
 python-dotenv = "*"
 python-frontmatter = ">=1.1"
-python-jose = {version = ">=3.3", extras = ["cryptography"]}
 python-json-logger = ">=3.2.1"
-python-multipart = "*"
+python-multipart = ">=0.0.22"
 python-pptx = "*"
-python-socketio = "5.13"
+python-socketio = "5.14"
 pythonnet = "*"
 pyyaml = ">=6.0.2"
 qtconsole = ">=5.6.1"
@@ -6205,7 +6215,7 @@ setuptools = ">=78.1.1"
 shellingham = ">=1.5.4"
 sqlalchemy = {version = ">=2.0.40", extras = ["asyncio"]}
 sse-starlette = ">=3.0.2"
-starlette = ">=0.48"
+starlette = ">=0.49.1"
 tenacity = ">=8.5,<10"
 termcolor = "*"
 toml = "*"
@@ -6225,14 +6235,14 @@ url = ".."

 [[package]]
 name = "openhands-sdk"
-version = "1.11.4"
+version = "1.11.5"
 description = "OpenHands SDK - Core functionality for building AI agents"
 optional = false
 python-versions = ">=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_sdk-1.11.4-py3-none-any.whl", hash = "sha256:9f4607c5d94b56fbcd533207026ee892779dd50e29bce79277ff82454a4f76d5"},
-    {file = "openhands_sdk-1.11.4.tar.gz", hash = "sha256:4088744f6b8856eeab22d3bc17e47d1736ea7ced945c2fa126bd7d48c14bb313"},
+    {file = "openhands_sdk-1.11.5-py3-none-any.whl", hash = "sha256:f949cd540cbecc339d90fb0cca2a5f29e1b62566b82b5aee82ef40f259d14e60"},
+    {file = "openhands_sdk-1.11.5.tar.gz", hash = "sha256:dd6225876b7b8dbb6c608559f2718c3d0bf44d0bb741e990b185c6cdc5150c5a"},
 ]

 [package.dependencies]
@@ -6253,14 +6263,14 @@ boto3 = ["boto3 (>=1.35.0)"]

 [[package]]
 name = "openhands-tools"
-version = "1.11.4"
+version = "1.11.5"
 description = "OpenHands Tools - Runtime tools for AI agents"
 optional = false
 python-versions = ">=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_tools-1.11.4-py3-none-any.whl", hash = "sha256:efd721b73e87a0dac69171a76931363fa59fcde98107ca86081ee7bf0253673a"},
-    {file = "openhands_tools-1.11.4.tar.gz", hash = "sha256:80671b1ea8c85a5247a75ea2340ae31d76363e9c723b104699a9a77e66d2043c"},
+    {file = "openhands_tools-1.11.5-py3-none-any.whl", hash = "sha256:1e981e1e7f3544184fe946cee8eb6bd287010cdef77d83ebac945c9f42df3baf"},
+    {file = "openhands_tools-1.11.5.tar.gz", hash = "sha256:d7b1163f6505a51b07147e7d8972062c129ecc46571a71f28d5470355e06650e"},
 ]

 [package.dependencies]
@@ -7323,23 +7333,23 @@ testing = ["google-api-core (>=1.31.5)"]

 [[package]]
 name = "protobuf"
-version = "5.29.5"
+version = "5.29.6"
 description = ""
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "protobuf-5.29.5-cp310-abi3-win32.whl", hash = "sha256:3f1c6468a2cfd102ff4703976138844f78ebd1fb45f49011afc5139e9e283079"},
-    {file = "protobuf-5.29.5-cp310-abi3-win_amd64.whl", hash = "sha256:3f76e3a3675b4a4d867b52e4a5f5b78a2ef9565549d4037e06cf7b0942b1d3fc"},
-    {file = "protobuf-5.29.5-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:e38c5add5a311f2a6eb0340716ef9b039c1dfa428b28f25a7838ac329204a671"},
-    {file = "protobuf-5.29.5-cp38-abi3-manylinux2014_aarch64.whl", hash = "sha256:fa18533a299d7ab6c55a238bf8629311439995f2e7eca5caaff08663606e9015"},
-    {file = "protobuf-5.29.5-cp38-abi3-manylinux2014_x86_64.whl", hash = "sha256:63848923da3325e1bf7e9003d680ce6e14b07e55d0473253a690c3a8b8fd6e61"},
-    {file = "protobuf-5.29.5-cp38-cp38-win32.whl", hash = "sha256:ef91363ad4faba7b25d844ef1ada59ff1604184c0bcd8b39b8a6bef15e1af238"},
-    {file = "protobuf-5.29.5-cp38-cp38-win_amd64.whl", hash = "sha256:7318608d56b6402d2ea7704ff1e1e4597bee46d760e7e4dd42a3d45e24b87f2e"},
-    {file = "protobuf-5.29.5-cp39-cp39-win32.whl", hash = "sha256:6f642dc9a61782fa72b90878af134c5afe1917c89a568cd3476d758d3c3a0736"},
-    {file = "protobuf-5.29.5-cp39-cp39-win_amd64.whl", hash = "sha256:470f3af547ef17847a28e1f47200a1cbf0ba3ff57b7de50d22776607cd2ea353"},
-    {file = "protobuf-5.29.5-py3-none-any.whl", hash = "sha256:6cf42630262c59b2d8de33954443d94b746c952b01434fc58a417fdbd2e84bd5"},
-    {file = "protobuf-5.29.5.tar.gz", hash = "sha256:bc1463bafd4b0929216c35f437a8e28731a2b7fe3d98bb77a600efced5a15c84"},
+    {file = "protobuf-5.29.6-cp310-abi3-win32.whl", hash = "sha256:62e8a3114992c7c647bce37dcc93647575fc52d50e48de30c6fcb28a6a291eb1"},
+    {file = "protobuf-5.29.6-cp310-abi3-win_amd64.whl", hash = "sha256:7e6ad413275be172f67fdee0f43484b6de5a904cc1c3ea9804cb6fe2ff366eda"},
+    {file = "protobuf-5.29.6-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:b5a169e664b4057183a34bdc424540e86eea47560f3c123a0d64de4e137f9269"},
+    {file = "protobuf-5.29.6-cp38-abi3-manylinux2014_aarch64.whl", hash = "sha256:a8866b2cff111f0f863c1b3b9e7572dc7eaea23a7fae27f6fc613304046483e6"},
+    {file = "protobuf-5.29.6-cp38-abi3-manylinux2014_x86_64.whl", hash = "sha256:e3387f44798ac1106af0233c04fb8abf543772ff241169946f698b3a9a3d3ab9"},
+    {file = "protobuf-5.29.6-cp38-cp38-win32.whl", hash = "sha256:36ade6ff88212e91aef4e687a971a11d7d24d6948a66751abc1b3238648f5d05"},
+    {file = "protobuf-5.29.6-cp38-cp38-win_amd64.whl", hash = "sha256:831e2da16b6cc9d8f1654c041dd594eda43391affd3c03a91bea7f7f6da106d6"},
+    {file = "protobuf-5.29.6-cp39-cp39-win32.whl", hash = "sha256:cb4c86de9cd8a7f3a256b9744220d87b847371c6b2f10bde87768918ef33ba49"},
+    {file = "protobuf-5.29.6-cp39-cp39-win_amd64.whl", hash = "sha256:76e07e6567f8baf827137e8d5b8204b6c7b6488bbbff1bf0a72b383f77999c18"},
+    {file = "protobuf-5.29.6-py3-none-any.whl", hash = "sha256:6b9edb641441b2da9fa8f428760fc136a49cf97a52076010cf22a2ff73438a86"},
+    {file = "protobuf-5.29.6.tar.gz", hash = "sha256:da9ee6a5424b6b30fd5e45c5ea663aef540ca95f9ad99d1e887e819cdf9b8723"},
 ]

 [[package]]
@@ -7562,14 +7572,14 @@ typing-extensions = ">=4.15.0"

 [[package]]
 name = "pyasn1"
-version = "0.6.1"
+version = "0.6.2"
 description = "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)"
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "pyasn1-0.6.1-py3-none-any.whl", hash = "sha256:0d632f46f2ba09143da3a8afe9e33fb6f92fa2320ab7e886e2d0f7672af84629"},
-    {file = "pyasn1-0.6.1.tar.gz", hash = "sha256:6f580d2bdd84365380830acf45550f2511469f673cb4a5ae3857a3170128b034"},
+    {file = "pyasn1-0.6.2-py3-none-any.whl", hash = "sha256:1eb26d860996a18e9b6ed05e7aae0e9fc21619fcee6af91cca9bad4fbea224bf"},
+    {file = "pyasn1-0.6.2.tar.gz", hash = "sha256:9b59a2b25ba7e4f8197db7686c09fb33e658b98339fadb826e9512629017833b"},
 ]

 [[package]]
@@ -11578,43 +11588,24 @@ diagrams = ["jinja2", "railroad-diagrams"]

 [[package]]
 name = "pypdf"
-version = "6.6.0"
+version = "6.7.5"
 description = "A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "pypdf-6.6.0-py3-none-any.whl", hash = "sha256:bca9091ef6de36c7b1a81e09327c554b7ce51e88dad68f5890c2b4a4417f1fd7"},
-    {file = "pypdf-6.6.0.tar.gz", hash = "sha256:4c887ef2ea38d86faded61141995a3c7d068c9d6ae8477be7ae5de8a8e16592f"},
+    {file = "pypdf-6.7.5-py3-none-any.whl", hash = "sha256:07ba7f1d6e6d9aa2a17f5452e320a84718d4ce863367f7ede2fd72280349ab13"},
+    {file = "pypdf-6.7.5.tar.gz", hash = "sha256:40bb2e2e872078655f12b9b89e2f900888bb505e88a82150b64f9f34fa25651d"},
 ]

 [package.extras]
 crypto = ["cryptography"]
 cryptodome = ["PyCryptodome"]
-dev = ["black", "flit", "pip-tools", "pre-commit", "pytest-cov", "pytest-socket", "pytest-timeout", "pytest-xdist", "wheel"]
+dev = ["flit", "pip-tools", "pre-commit", "pytest-cov", "pytest-socket", "pytest-timeout", "pytest-xdist", "wheel"]
 docs = ["myst_parser", "sphinx", "sphinx_rtd_theme"]
 full = ["Pillow (>=8.0.0)", "cryptography"]
 image = ["Pillow (>=8.0.0)"]

-[[package]]
-name = "pypdf2"
-version = "3.0.1"
-description = "A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files"
-optional = false
-python-versions = ">=3.6"
-groups = ["main"]
-files = [
-    {file = "PyPDF2-3.0.1.tar.gz", hash = "sha256:a74408f69ba6271f71b9352ef4ed03dc53a31aa404d29b5d31f53bfecfee1440"},
-    {file = "pypdf2-3.0.1-py3-none-any.whl", hash = "sha256:d16e4205cfee272fbdc0568b68d82be796540b1537508cef59388f839c191928"},
-]
-
-[package.extras]
-crypto = ["PyCryptodome"]
-dev = ["black", "flit", "pip-tools", "pre-commit (<2.18.0)", "pytest-cov", "wheel"]
-docs = ["myst_parser", "sphinx", "sphinx_rtd_theme"]
-full = ["Pillow", "PyCryptodome"]
-image = ["Pillow"]
-
 [[package]]
 name = "pyperclip"
 version = "1.11.0"
@@ -11824,30 +11815,6 @@ PyYAML = "*"
 docs = ["sphinx"]
 test = ["mypy", "pyaml", "pytest", "toml", "types-PyYAML", "types-toml"]

-[[package]]
-name = "python-jose"
-version = "3.5.0"
-description = "JOSE implementation in Python"
-optional = false
-python-versions = ">=3.9"
-groups = ["main"]
-files = [
-    {file = "python_jose-3.5.0-py2.py3-none-any.whl", hash = "sha256:abd1202f23d34dfad2c3d28cb8617b90acf34132c7afd60abd0b0b7d3cb55771"},
-    {file = "python_jose-3.5.0.tar.gz", hash = "sha256:fb4eaa44dbeb1c26dcc69e4bd7ec54a1cb8dd64d3b4d81ef08d90ff453f2b01b"},
-]
-
-[package.dependencies]
-cryptography = {version = ">=3.4.0", optional = true, markers = "extra == \"cryptography\""}
-ecdsa = "!=0.15"
-pyasn1 = ">=0.5.0"
-rsa = ">=4.0,<4.1.1 || >4.1.1,<4.4 || >4.4,<5.0"
-
-[package.extras]
-cryptography = ["cryptography (>=3.4.0)"]
-pycrypto = ["pycrypto (>=2.6.0,<2.7.0)"]
-pycryptodome = ["pycryptodome (>=3.3.1,<4.0.0)"]
-test = ["pytest", "pytest-cov"]
-
 [[package]]
 name = "python-json-logger"
 version = "3.3.0"
@@ -11886,14 +11853,14 @@ requests-toolbelt = ">=0.6.0"

 [[package]]
 name = "python-multipart"
-version = "0.0.21"
+version = "0.0.22"
 description = "A streaming multipart parser for Python"
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "python_multipart-0.0.21-py3-none-any.whl", hash = "sha256:cf7a6713e01c87aa35387f4774e812c4361150938d20d232800f75ffcf266090"},
-    {file = "python_multipart-0.0.21.tar.gz", hash = "sha256:7137ebd4d3bbf70ea1622998f902b97a29434a9e8dc40eb203bbcf7c2a2cba92"},
+    {file = "python_multipart-0.0.22-py3-none-any.whl", hash = "sha256:2b2cd894c83d21bf49d702499531c7bafd057d730c201782048f7945d82de155"},
+    {file = "python_multipart-0.0.22.tar.gz", hash = "sha256:7340bef99a7e0032613f56dc36027b959fd3b30a787ed62d310e951f7c3a3a58"},
 ]

 [[package]]
@@ -11916,14 +11883,14 @@ XlsxWriter = ">=0.5.7"

 [[package]]
 name = "python-socketio"
-version = "5.13.0"
+version = "5.14.0"
 description = "Socket.IO server and client for Python"
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "python_socketio-5.13.0-py3-none-any.whl", hash = "sha256:51f68d6499f2df8524668c24bcec13ba1414117cfb3a90115c559b601ab10caf"},
-    {file = "python_socketio-5.13.0.tar.gz", hash = "sha256:ac4e19a0302ae812e23b712ec8b6427ca0521f7c582d6abb096e36e24a263029"},
+    {file = "python_socketio-5.14.0-py3-none-any.whl", hash = "sha256:7de5ad8a55efc33e17897f6cf91d20168d3d259f98c38d38e2940af83136d6f8"},
+    {file = "python_socketio-5.14.0.tar.gz", hash = "sha256:d057737f658b3948392ff452a5c865c5ccc969859c37cf095a73393ce755f98e"},
 ]

 [package.dependencies]
@@ -14917,4 +14884,4 @@ cffi = ["cffi (>=1.17,<2.0) ; platform_python_implementation != \"PyPy\" and pyt
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.12,<3.14"
-content-hash = "1cad6029269393af67155e930c72eae2c03da02e4b3a3699823f6168c14a4218"
+content-hash = "ef037f6d6085d26166d35c56ce266439f8f1a4fea90bc43ccf15cfeaf116cae5"
--- a/enterprise/pyproject.toml
+++ b/enterprise/pyproject.toml
@@ -49,7 +49,7 @@ prometheus-client = "^0.24.0"
 pandas = "^2.2.0"
 numpy = "^2.2.0"
 mcp = "^1.10.0"
-pillow = "^12.1.0"
+pillow = "^12.1.1"

 [tool.poetry.group.dev.dependencies]
 ruff = "0.8.3"
--- a/enterprise/saas_server.py
+++ b/enterprise/saas_server.py
@@ -27,7 +27,6 @@ from server.rate_limit import setup_rate_limit_handler  # noqa: E402
 from server.routes.api_keys import api_router as api_keys_router  # noqa: E402
 from server.routes.auth import api_router, oauth_router  # noqa: E402
 from server.routes.billing import billing_router  # noqa: E402
-from server.routes.debugging import add_debugging_routes  # noqa: E402
 from server.routes.email import api_router as email_router  # noqa: E402
 from server.routes.event_webhook import event_webhook_router  # noqa: E402
 from server.routes.feedback import router as feedback_router  # noqa: E402
@@ -47,12 +46,19 @@ from server.routes.org_invitations import (  # noqa: E402
 from server.routes.orgs import org_router  # noqa: E402
 from server.routes.readiness import readiness_router  # noqa: E402
 from server.routes.user import saas_user_router  # noqa: E402
+from server.routes.user_app_settings import user_app_settings_router  # noqa: E402
 from server.sharing.shared_conversation_router import (  # noqa: E402
    router as shared_conversation_router,
 )
 from server.sharing.shared_event_router import (  # noqa: E402
    router as shared_event_router,
 )
+from server.verified_models.verified_model_router import (  # noqa: E402
+    api_router as verified_models_router,
+)
+from server.verified_models.verified_model_router import (  # noqa: E402
+    override_llm_models_dependency,
+)

 from openhands.server.app import app as base_app  # noqa: E402
 from openhands.server.listen_socket import sio  # noqa: E402
@@ -76,6 +82,7 @@ base_app.include_router(api_router)  # Add additional route for github auth
 base_app.include_router(oauth_router)  # Add additional route for oauth callback
 base_app.include_router(oauth_device_router)  # Add OAuth 2.0 Device Flow routes
 base_app.include_router(saas_user_router)  # Add additional route SAAS user calls
+base_app.include_router(user_app_settings_router)  # Add routes for user app settings
 base_app.include_router(
    billing_router
 )  # Add routes for credit management and Stripe payment integration
@@ -105,12 +112,17 @@ if GITLAB_APP_CLIENT_ID:

 base_app.include_router(api_keys_router)  # Add routes for API key management
 base_app.include_router(org_router)  # Add routes for organization management
+base_app.include_router(
+    verified_models_router
+)  # Add routes for verified models management
+
+# Override the default LLM models implementation with SaaS version
+# This must happen after all routers are included
+override_llm_models_dependency(base_app)
+
 base_app.include_router(invitation_router)  # Add routes for org invitation management
 base_app.include_router(invitation_accept_router)  # Add route for accepting invitations
 add_github_proxy_routes(base_app)
-add_debugging_routes(
-    base_app
-)  # Add diagnostic routes for testing and debugging (disabled in production)
 base_app.include_router(slack_router)
 if ENABLE_JIRA:
    base_app.include_router(jira_integration_router)
--- a/enterprise/server/auth/auth_error.py
+++ b/enterprise/server/auth/auth_error.py
@@ -38,3 +38,9 @@ class ExpiredError(AuthError):
    """Error when a token has expired (Usually the refresh token)"""

    pass
+
+
+class TokenRefreshError(AuthError):
+    """Error when token refresh fails due to timeout or lock contention"""
+
+    pass
--- a/enterprise/server/auth/auth_utils.py
+++ b/enterprise/server/auth/auth_utils.py
@@ -1,7 +1,5 @@
 import os

-from server.auth.sheets_client import GoogleSheetsClient
-
 from openhands.core.logger import openhands_logger as logger


@@ -9,12 +7,9 @@ class UserVerifier:
    def __init__(self) -> None:
        logger.debug('Initializing UserVerifier')
        self.file_users: list[str] | None = None
-        self.sheets_client: GoogleSheetsClient | None = None
-        self.spreadsheet_id: str | None = None

        # Initialize from environment variables
        self._init_file_users()
-        self._init_sheets_client()

    def _init_file_users(self) -> None:
        """Load users from text file if configured."""
@@ -36,23 +31,11 @@ class UserVerifier:
        except Exception:
            logger.exception(f'Error reading user list file {waitlist}')

-    def _init_sheets_client(self) -> None:
-        """Initialize Google Sheets client if configured."""
-        sheet_id = os.getenv('GITHUB_USERS_SHEET_ID')
-
-        if not sheet_id:
-            logger.debug('GITHUB_USERS_SHEET_ID not configured')
-            return
-
-        logger.debug('Initializing Google Sheets integration')
-        self.sheets_client = GoogleSheetsClient()
-        self.spreadsheet_id = sheet_id
-
    def is_active(self) -> bool:
        if os.getenv('DISABLE_WAITLIST', '').lower() == 'true':
            logger.info('Waitlist disabled via DISABLE_WAITLIST env var')
            return False
-        return bool(self.file_users or (self.sheets_client and self.spreadsheet_id))
+        return bool(self.file_users)

    def is_user_allowed(self, username: str) -> bool:
        """Check if user is allowed based on file and/or sheet configuration."""
@@ -63,15 +46,6 @@ class UserVerifier:
                return True
            logger.debug(f'User {username} not found in text file allowlist')

-        if self.sheets_client and self.spreadsheet_id:
-            sheet_users = [
-                u.lower() for u in self.sheets_client.get_usernames(self.spreadsheet_id)
-            ]
-            if username.lower() in sheet_users:
-                logger.debug(f'User {username} found in Google Sheets allowlist')
-                return True
-            logger.debug(f'User {username} not found in Google Sheets allowlist')
-
        logger.debug(f'User {username} not found in any allowlist')
        return False

--- a/enterprise/server/auth/authorization.py
+++ b/enterprise/server/auth/authorization.py
@@ -157,9 +157,9 @@ ROLE_PERMISSIONS: dict[RoleName, frozenset[Permission]] = {
 }


-def get_user_org_role(user_id: str, org_id: UUID | None) -> Role | None:
+async def get_user_org_role(user_id: str, org_id: UUID | None) -> Role | None:
    """
-    Get the user's role in an organization (synchronous version).
+    Get the user's role in an organization.

    Args:
        user_id: User ID (string that will be converted to UUID)
@@ -171,40 +171,15 @@ def get_user_org_role(user_id: str, org_id: UUID | None) -> Role | None:
    from uuid import UUID as parse_uuid

    if org_id is None:
-        org_member = OrgMemberStore.get_org_member_for_current_org(parse_uuid(user_id))
-    else:
-        org_member = OrgMemberStore.get_org_member(org_id, parse_uuid(user_id))
-    if not org_member:
-        return None
-
-    return RoleStore.get_role_by_id(org_member.role_id)
-
-
-async def get_user_org_role_async(user_id: str, org_id: UUID | None) -> Role | None:
-    """
-    Get the user's role in an organization (async version).
-
-    Args:
-        user_id: User ID (string that will be converted to UUID)
-        org_id: Organization ID, or None to use the user's current organization
-
-    Returns:
-        Role object if user is a member, None otherwise
-    """
-    from uuid import UUID as parse_uuid
-
-    if org_id is None:
-        org_member = await OrgMemberStore.get_org_member_for_current_org_async(
+        org_member = await OrgMemberStore.get_org_member_for_current_org(
            parse_uuid(user_id)
        )
    else:
-        org_member = await OrgMemberStore.get_org_member_async(
-            org_id, parse_uuid(user_id)
-        )
+        org_member = await OrgMemberStore.get_org_member(org_id, parse_uuid(user_id))
    if not org_member:
        return None

-    return await RoleStore.get_role_by_id_async(org_member.role_id)
+    return await RoleStore.get_role_by_id(org_member.role_id)


 def get_role_permissions(role_name: str) -> frozenset[Permission]:
@@ -274,7 +249,7 @@ def require_permission(permission: Permission):
                detail='User not authenticated',
            )

-        user_role = await get_user_org_role_async(user_id, org_id)
+        user_role = await get_user_org_role(user_id, org_id)

        if not user_role:
            logger.warning(
--- a/enterprise/server/auth/domain_blocker.py
+++ b/enterprise/server/auth/domain_blocker.py
@@ -1,5 +1,4 @@
 from storage.blocked_email_domain_store import BlockedEmailDomainStore
-from storage.database import session_maker

 from openhands.core.logger import openhands_logger as logger

@@ -23,7 +22,7 @@ class DomainBlocker:
            logger.debug(f'Error extracting domain from email: {email}', exc_info=True)
            return None

-    def is_domain_blocked(self, email: str) -> bool:
+    async def is_domain_blocked(self, email: str) -> bool:
        """Check if email domain is blocked by querying the database directly via SQL.

        Supports blocking:
@@ -45,7 +44,7 @@ class DomainBlocker:

        try:
            # Query database directly via SQL to check if domain is blocked
-            is_blocked = self.store.is_domain_blocked(domain)
+            is_blocked = await self.store.is_domain_blocked(domain)

            if is_blocked:
                logger.warning(f'Email domain {domain} is blocked for email: {email}')
@@ -63,5 +62,5 @@ class DomainBlocker:


 # Initialize store and domain blocker
-_store = BlockedEmailDomainStore(session_maker=session_maker)
+_store = BlockedEmailDomainStore()
 domain_blocker = DomainBlocker(store=_store)
--- a/enterprise/server/auth/github_utils.py
+++ b/enterprise/server/auth/github_utils.py
@@ -1,87 +1,11 @@
-import os
-
 from integrations.github.github_service import SaaSGitHubService
 from pydantic import SecretStr
-from server.auth.sheets_client import GoogleSheetsClient
+from server.auth.auth_utils import user_verifier

 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.github.github_types import GitHubUser


-class UserVerifier:
-    def __init__(self) -> None:
-        logger.debug('Initializing UserVerifier')
-        self.file_users: list[str] | None = None
-        self.sheets_client: GoogleSheetsClient | None = None
-        self.spreadsheet_id: str | None = None
-
-        # Initialize from environment variables
-        self._init_file_users()
-        self._init_sheets_client()
-
-    def _init_file_users(self) -> None:
-        """Load users from text file if configured"""
-        waitlist = os.getenv('GITHUB_USER_LIST_FILE')
-        if not waitlist:
-            logger.debug('GITHUB_USER_LIST_FILE not configured')
-            return
-
-        if not os.path.exists(waitlist):
-            logger.error(f'User list file not found: {waitlist}')
-            raise FileNotFoundError(f'User list file not found: {waitlist}')
-
-        try:
-            with open(waitlist, 'r') as f:
-                self.file_users = [line.strip().lower() for line in f if line.strip()]
-            logger.info(
-                f'Successfully loaded {len(self.file_users)} users from {waitlist}'
-            )
-        except Exception:
-            logger.error(f'Error reading user list file {waitlist}', exc_info=True)
-
-    def _init_sheets_client(self) -> None:
-        """Initialize Google Sheets client if configured"""
-        sheet_id = os.getenv('GITHUB_USERS_SHEET_ID')
-
-        if not sheet_id:
-            logger.debug('GITHUB_USERS_SHEET_ID not configured')
-            return
-
-        logger.debug('Initializing Google Sheets integration')
-        self.sheets_client = GoogleSheetsClient()
-        self.spreadsheet_id = sheet_id
-
-    def is_active(self) -> bool:
-        if os.getenv('DISABLE_WAITLIST', '').lower() == 'true':
-            logger.info('Waitlist disabled via DISABLE_WAITLIST env var')
-            return False
-        return bool(self.file_users or (self.sheets_client and self.spreadsheet_id))
-
-    def is_user_allowed(self, username: str) -> bool:
-        """Check if user is allowed based on file and/or sheet configuration"""
-        logger.debug(f'Checking if GitHub user {username} is allowed')
-        if self.file_users:
-            if username.lower() in self.file_users:
-                logger.debug(f'User {username} found in text file allowlist')
-                return True
-            logger.debug(f'User {username} not found in text file allowlist')
-
-        if self.sheets_client and self.spreadsheet_id:
-            sheet_users = [
-                u.lower() for u in self.sheets_client.get_usernames(self.spreadsheet_id)
-            ]
-            if username.lower() in sheet_users:
-                logger.debug(f'User {username} found in Google Sheets allowlist')
-                return True
-            logger.debug(f'User {username} not found in Google Sheets allowlist')
-
-        logger.debug(f'User {username} not found in any allowlist')
-        return False
-
-
-user_verifier = UserVerifier()
-
-
 def is_user_allowed(user_login: str):
    if user_verifier.is_active() and not user_verifier.is_user_allowed(user_login):
        logger.warning(f'GitHub user {user_login} not in allow list')
--- a/enterprise/server/auth/saas_user_auth.py
+++ b/enterprise/server/auth/saas_user_auth.py
@@ -18,9 +18,10 @@ from server.auth.token_manager import TokenManager
 from server.config import get_config
 from server.logger import logger
 from server.rate_limit import RateLimiter, create_redis_rate_limiter
+from sqlalchemy import delete, select
 from storage.api_key_store import ApiKeyStore
 from storage.auth_tokens import AuthTokens
-from storage.database import session_maker
+from storage.database import a_session_maker
 from storage.saas_secrets_store import SaasSecretsStore
 from storage.saas_settings_store import SaasSettingsStore
 from tenacity import retry, retry_if_exception_type, stop_after_attempt, wait_fixed
@@ -118,13 +119,12 @@ class SaasUserAuth(UserAuth):
            self._settings = settings
        return settings

-    async def get_secrets_store(self):
+    async def get_secrets_store(self) -> SaasSecretsStore:
        logger.debug('saas_user_auth_get_secrets_store')
        secrets_store = self.secrets_store
        if secrets_store:
            return secrets_store
-        user_id = await self.get_user_id()
-        secrets_store = SaasSecretsStore(user_id, session_maker, get_config())
+        secrets_store = SaasSecretsStore(self.user_id, get_config())
        self.secrets_store = secrets_store
        return secrets_store

@@ -161,12 +161,13 @@ class SaasUserAuth(UserAuth):

        try:
            # TODO: I think we can do this in a single request if we refactor
-            with session_maker() as session:
-                tokens = (
-                    session.query(AuthTokens)
-                    .where(AuthTokens.keycloak_user_id == self.user_id)
-                    .all()
+            async with a_session_maker() as session:
+                result = await session.execute(
+                    select(AuthTokens).where(
+                        AuthTokens.keycloak_user_id == self.user_id
+                    )
                )
+                tokens = result.scalars().all()

            for token in tokens:
                idp_type = ProviderType(token.identity_provider)
@@ -192,11 +193,11 @@ class SaasUserAuth(UserAuth):
                            'idp_type': token.identity_provider,
                        },
                    )
-                    with session_maker() as session:
-                        session.query(AuthTokens).filter(
-                            AuthTokens.id == token.id
-                        ).delete()
-                        session.commit()
+                    async with a_session_maker() as session:
+                        await session.execute(
+                            delete(AuthTokens).where(AuthTokens.id == token.id)
+                        )
+                        await session.commit()
                    raise

            self.provider_tokens = MappingProxyType(provider_tokens)
@@ -209,8 +210,7 @@ class SaasUserAuth(UserAuth):
        settings_store = self.settings_store
        if settings_store:
            return settings_store
-        user_id = await self.get_user_id()
-        settings_store = SaasSettingsStore(user_id, session_maker, get_config())
+        settings_store = SaasSettingsStore(self.user_id, get_config())
        self.settings_store = settings_store
        return settings_store

@@ -278,7 +278,7 @@ async def saas_user_auth_from_bearer(request: Request) -> SaasUserAuth | None:
            return None

        api_key_store = ApiKeyStore.get_instance()
-        user_id = api_key_store.validate_api_key(api_key)
+        user_id = await api_key_store.validate_api_key(api_key)
        if not user_id:
            return None
        offline_token = await token_manager.load_offline_token(user_id)
@@ -327,7 +327,7 @@ async def saas_user_auth_from_signed_token(signed_token: str) -> SaasUserAuth:
    email_verified = access_token_payload['email_verified']

    # Check if email domain is blocked
-    if email and domain_blocker.is_domain_blocked(email):
+    if email and await domain_blocker.is_domain_blocked(email):
        logger.warning(
            f'Blocked authentication attempt for existing user with email: {email}'
        )
--- a/enterprise/server/auth/token_manager.py
+++ b/enterprise/server/auth/token_manager.py
@@ -16,6 +16,7 @@ from keycloak.exceptions import (
    KeycloakError,
    KeycloakPostError,
 )
+from pydantic import BaseModel
 from server.auth.auth_error import ExpiredError
 from server.auth.constants import (
    BITBUCKET_APP_CLIENT_ID,
@@ -38,9 +39,9 @@ from server.auth.keycloak_manager import get_keycloak_admin, get_keycloak_openid
 from server.config import get_config
 from server.logger import logger
 from sqlalchemy import String as SQLString
-from sqlalchemy import type_coerce
+from sqlalchemy import select, type_coerce
 from storage.auth_token_store import AuthTokenStore
-from storage.database import session_maker
+from storage.database import a_session_maker
 from storage.github_app_installation import GithubAppInstallation
 from storage.offline_token_store import OfflineTokenStore
 from tenacity import RetryCallState, retry, retry_if_exception_type, stop_after_attempt
@@ -50,6 +51,34 @@ from openhands.server.types import SessionExpiredError
 from openhands.utils.http_session import httpx_verify_option


+class KeycloakUserInfo(BaseModel):
+    """Pydantic model for Keycloak UserInfo endpoint response.
+
+    Based on OIDC standard claims. 'sub' is always required per OIDC spec.
+    Additional fields from Keycloak are captured via model_config extra='allow'.
+    """
+
+    model_config = {'extra': 'allow'}
+
+    sub: str
+    name: str | None = None
+    given_name: str | None = None
+    family_name: str | None = None
+    preferred_username: str | None = None
+    email: str | None = None
+    email_verified: bool | None = None
+    picture: str | None = None
+    attributes: dict[str, list[str]] | None = None
+    identity_provider: str | None = None
+    company: str | None = None
+    roles: list[str] | None = None
+
+
+# HTTP timeout for external IDP calls (in seconds)
+# This prevents indefinite blocking if an IDP is slow or unresponsive
+IDP_HTTP_TIMEOUT = 15.0
+
+
 def _before_sleep_callback(retry_state: RetryCallState) -> None:
    logger.info(f'Retry attempt {retry_state.attempt_number} for Keycloak operation')

@@ -137,22 +166,22 @@ class TokenManager:
                new_keycloak_tokens['refresh_token'],
            )

-    # UserInfo from Keycloak return a dictionary with the following format:
-    # {
-    # 'sub': '248289761001',
-    # 'name': 'Jane Doe',
-    # 'given_name': 'Jane',
-    # 'family_name': 'Doe',
-    # 'preferred_username': 'j.doe',
-    # 'email': 'janedoe@example.com',
-    # 'picture': 'http://example.com/janedoe/me.jpg'
-    # 'github_id': '354322532'
-    # }
-    async def get_user_info(self, access_token: str) -> dict:
-        if not access_token:
-            return {}
+    async def get_user_info(self, access_token: str) -> KeycloakUserInfo:
+        """Get user info from Keycloak userinfo endpoint.
+
+        Args:
+            access_token: A valid Keycloak access token
+
+        Returns:
+            KeycloakUserInfo with user claims. 'sub' is always present per OIDC spec.
+
+        Raises:
+            KeycloakAuthenticationError: If the token is invalid
+            ValidationError: If the response is missing the required 'sub' field
+        """
        user_info = await get_keycloak_openid(self.external).a_userinfo(access_token)
-        return user_info
+        # Pydantic validation will raise ValidationError if 'sub' is missing
+        return KeycloakUserInfo.model_validate(user_info)

    @retry(
        stop=stop_after_attempt(2),
@@ -202,7 +231,9 @@ class TokenManager:
        access_token: str,
        idp: ProviderType,
    ) -> dict[str, str | int]:
-        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
+        async with httpx.AsyncClient(
+            verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT
+        ) as client:
            base_url = KEYCLOAK_SERVER_URL_EXT if self.external else KEYCLOAK_SERVER_URL
            url = f'{base_url}/realms/{KEYCLOAK_REALM_NAME}/broker/{idp.value}/token'
            headers = {
@@ -264,8 +295,8 @@ class TokenManager:
    ) -> str:
        # Get user info to determine user_id and idp
        user_info = await self.get_user_info(access_token=access_token)
-        user_id = user_info.get('sub')
-        username = user_info.get('preferred_username')
+        user_id = user_info.sub
+        username = user_info.preferred_username
        logger.info(f'Getting token for user {username} and IDP {idp}')
        token_store = await AuthTokenStore.get_instance(
            keycloak_user_id=user_id, idp=idp
@@ -361,7 +392,9 @@ class TokenManager:
            'refresh_token': refresh_token,
            'grant_type': 'refresh_token',
        }
-        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
+        async with httpx.AsyncClient(
+            verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT
+        ) as client:
            response = await client.post(url, data=payload)
            response.raise_for_status()
            logger.info('Successfully refreshed GitHub token')
@@ -387,7 +420,9 @@ class TokenManager:
            'refresh_token': refresh_token,
            'grant_type': 'refresh_token',
        }
-        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
+        async with httpx.AsyncClient(
+            verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT
+        ) as client:
            response = await client.post(url, data=payload)
            response.raise_for_status()
            logger.info('Successfully refreshed GitLab token')
@@ -415,7 +450,9 @@ class TokenManager:
            'refresh_token': refresh_token,
        }

-        async with httpx.AsyncClient(verify=httpx_verify_option()) as client:
+        async with httpx.AsyncClient(
+            verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT
+        ) as client:
            response = await client.post(url, data=data, headers=headers)
            response.raise_for_status()
            logger.info('Successfully refreshed Bitbucket token')
@@ -771,25 +808,24 @@ class TokenManager:
                exc_info=True,
            )

-    def store_org_token(self, installation_id: int, installation_token: str):
+    async def store_org_token(self, installation_id: int, installation_token: str):
        """Store a GitHub App installation token.

        Args:
            installation_id: GitHub installation ID (integer or string)
            installation_token: The token to store
        """
-        with session_maker() as session:
+        async with a_session_maker() as session:
            # Ensure installation_id is a string
            str_installation_id = str(installation_id)
            # Use type_coerce to ensure SQLAlchemy treats the parameter as a string
-            installation = (
-                session.query(GithubAppInstallation)
-                .filter(
+            result = await session.execute(
+                select(GithubAppInstallation).filter(
                    GithubAppInstallation.installation_id
                    == type_coerce(str_installation_id, SQLString)
                )
-                .first()
            )
+            installation = result.scalars().first()
            if installation:
                installation.encrypted_token = self.encrypt_text(installation_token)
            else:
@@ -799,9 +835,9 @@ class TokenManager:
                        encrypted_token=self.encrypt_text(installation_token),
                    )
                )
-            session.commit()
+            await session.commit()

-    def load_org_token(self, installation_id: int) -> str | None:
+    async def load_org_token(self, installation_id: int) -> str | None:
        """Load a GitHub App installation token.

        Args:
@@ -810,17 +846,16 @@ class TokenManager:
        Returns:
            The decrypted token if found, None otherwise
        """
-        with session_maker() as session:
+        async with a_session_maker() as session:
            # Ensure installation_id is a string and use type_coerce
            str_installation_id = str(installation_id)
-            installation = (
-                session.query(GithubAppInstallation)
-                .filter(
+            result = await session.execute(
+                select(GithubAppInstallation).filter(
                    GithubAppInstallation.installation_id
                    == type_coerce(str_installation_id, SQLString)
                )
-                .first()
            )
+            installation = result.scalars().first()
            if not installation:
                return None
            token = self.decrypt_text(installation.encrypted_token)
--- a/enterprise/server/clustered_conversation_manager.py
+++ b/enterprise/server/clustered_conversation_manager.py
@@ -7,7 +7,8 @@ from uuid import uuid4
 import socketio
 from server.logger import logger
 from server.utils.conversation_callback_utils import invoke_conversation_callbacks
-from storage.database import session_maker
+from sqlalchemy import select
+from storage.database import a_session_maker
 from storage.stored_conversation_metadata_saas import StoredConversationMetadataSaas

 from openhands.core.config import LLMConfig
@@ -523,15 +524,14 @@ class ClusteredConversationManager(StandaloneConversationManager):
                    f'local_connection_to_stopped_conversation:{connection_id}:{conversation_id}'
                )
                # Look up the user_id from the database
-                with session_maker() as session:
-                    conversation_metadata_saas = (
-                        session.query(StoredConversationMetadataSaas)
-                        .filter(
+                async with a_session_maker() as session:
+                    result = await session.execute(
+                        select(StoredConversationMetadataSaas).where(
                            StoredConversationMetadataSaas.conversation_id
                            == conversation_id
                        )
-                        .first()
                    )
+                    conversation_metadata_saas = result.scalars().first()
                    user_id = (
                        str(conversation_metadata_saas.user_id)
                        if conversation_metadata_saas
@@ -749,6 +749,9 @@ class ClusteredConversationManager(StandaloneConversationManager):
        config = load_openhands_config()
        settings_store = await SaasSettingsStore.get_instance(config, user_id)
        settings = await settings_store.load()
+        if not settings:
+            logger.error(f'Failed to load settings for user {user_id}')
+            return
        await self.maybe_start_agent_loop(conversation_id, settings, user_id)

    async def _start_agent_loop(
--- a/enterprise/server/conversation_callback_processor/github_callback_processor.py
+++ b/enterprise/server/conversation_callback_processor/github_callback_processor.py
@@ -3,7 +3,6 @@ from datetime import datetime

 from integrations.github.github_manager import GithubManager
 from integrations.github.github_view import GithubViewType
-from integrations.models import Message, SourceType
 from integrations.utils import (
    extract_summary_from_conversation_manager,
    get_summary_instruction,
@@ -35,16 +34,12 @@ class GithubCallbackProcessor(ConversationCallbackProcessor):
    send_summary_instruction: bool = True

    async def _send_message_to_github(self, message: str) -> None:
-        """
-        Send a message to GitHub.
+        """Send a message to GitHub.

        Args:
            message: The message content to send to GitHub
        """
        try:
-            # Create a message object for GitHub
-            message_obj = Message(source=SourceType.OPENHANDS, message=message)
-
            # Get the token manager
            token_manager = TokenManager()

@@ -53,8 +48,8 @@ class GithubCallbackProcessor(ConversationCallbackProcessor):

            github_manager = GithubManager(token_manager, GitHubDataCollector())

-            # Send the message
-            await github_manager.send_message(message_obj, self.github_view)
+            # Send the message directly as a string
+            await github_manager.send_message(message, self.github_view)

            logger.info(
                f'[GitHub] Sent summary message to {self.github_view.full_repo_name}#{self.github_view.issue_number}'
--- a/enterprise/server/conversation_callback_processor/gitlab_callback_processor.py
+++ b/enterprise/server/conversation_callback_processor/gitlab_callback_processor.py
@@ -3,7 +3,6 @@ from datetime import datetime

 from integrations.gitlab.gitlab_manager import GitlabManager
 from integrations.gitlab.gitlab_view import GitlabViewType
-from integrations.models import Message, SourceType
 from integrations.utils import (
    extract_summary_from_conversation_manager,
    get_summary_instruction,
@@ -14,7 +13,7 @@ from storage.conversation_callback import (
    ConversationCallback,
    ConversationCallbackProcessor,
 )
-from storage.database import session_maker
+from storage.database import a_session_maker

 from openhands.core.logger import openhands_logger as logger
 from openhands.core.schema.agent import AgentState
@@ -28,8 +27,7 @@ gitlab_manager = GitlabManager(token_manager)


 class GitlabCallbackProcessor(ConversationCallbackProcessor):
-    """
-    Processor for sending conversation summaries to GitLab.
+    """Processor for sending conversation summaries to GitLab.

    This processor is used to send summaries of conversations to GitLab
    when agent state changes occur.
@@ -39,22 +37,18 @@ class GitlabCallbackProcessor(ConversationCallbackProcessor):
    send_summary_instruction: bool = True

    async def _send_message_to_gitlab(self, message: str) -> None:
-        """
-        Send a message to GitLab.
+        """Send a message to GitLab.

        Args:
            message: The message content to send to GitLab
        """
        try:
-            # Create a message object for GitHub
-            message_obj = Message(source=SourceType.OPENHANDS, message=message)
-
            # Get the token manager
            token_manager = TokenManager()
            gitlab_manager = GitlabManager(token_manager)

-            # Send the message
-            await gitlab_manager.send_message(message_obj, self.gitlab_view)
+            # Send the message directly as a string
+            await gitlab_manager.send_message(message, self.gitlab_view)

            logger.info(
                f'[GitLab] Sent summary message to {self.gitlab_view.full_repo_name}#{self.gitlab_view.issue_number}'
@@ -111,9 +105,9 @@ class GitlabCallbackProcessor(ConversationCallbackProcessor):
                self.send_summary_instruction = False
                callback.set_processor(self)
                callback.updated_at = datetime.now()
-                with session_maker() as session:
+                async with a_session_maker() as session:
                    session.merge(callback)
-                    session.commit()
+                    await session.commit()
                return

            # Extract the summary from the event store
@@ -132,9 +126,9 @@ class GitlabCallbackProcessor(ConversationCallbackProcessor):
            # Mark callback as completed status
            callback.status = CallbackStatus.COMPLETED
            callback.updated_at = datetime.now()
-            with session_maker() as session:
+            async with a_session_maker() as session:
                session.merge(callback)
-                session.commit()
+                await session.commit()

        except Exception as e:
            logger.exception(
--- a/enterprise/server/conversation_callback_processor/jira_callback_processor.py
+++ b/enterprise/server/conversation_callback_processor/jira_callback_processor.py
@@ -37,8 +37,7 @@ class JiraCallbackProcessor(ConversationCallbackProcessor):
    workspace_name: str

    async def _send_comment_to_jira(self, message: str) -> None:
-        """
-        Send a comment to Jira issue.
+        """Send a comment to Jira issue.

        Args:
            message: The message content to send to Jira
@@ -59,8 +58,9 @@ class JiraCallbackProcessor(ConversationCallbackProcessor):
            # Decrypt API key
            api_key = jira_manager.token_manager.decrypt_text(workspace.svc_acc_api_key)

+            # Send comment directly as a string
            await jira_manager.send_message(
-                jira_manager.create_outgoing_message(msg=message),
+                message,
                issue_key=self.issue_key,
                jira_cloud_id=workspace.jira_cloud_id,
                svc_acc_email=workspace.svc_acc_email,
--- a/enterprise/server/conversation_callback_processor/jira_dc_callback_processor.py
+++ b/enterprise/server/conversation_callback_processor/jira_dc_callback_processor.py
@@ -37,8 +37,7 @@ class JiraDcCallbackProcessor(ConversationCallbackProcessor):
    base_api_url: str

    async def _send_comment_to_jira_dc(self, message: str) -> None:
-        """
-        Send a comment to Jira DC issue.
+        """Send a comment to Jira DC issue.

        Args:
            message: The message content to send to Jira DC
@@ -61,8 +60,9 @@ class JiraDcCallbackProcessor(ConversationCallbackProcessor):
                workspace.svc_acc_api_key
            )

+            # Send comment directly as a string
            await jira_dc_manager.send_message(
-                jira_dc_manager.create_outgoing_message(msg=message),
+                message,
                issue_key=self.issue_key,
                base_api_url=self.base_api_url,
                svc_acc_api_key=api_key,
--- a/enterprise/server/conversation_callback_processor/linear_callback_processor.py
+++ b/enterprise/server/conversation_callback_processor/linear_callback_processor.py
@@ -36,8 +36,7 @@ class LinearCallbackProcessor(ConversationCallbackProcessor):
    workspace_name: str

    async def _send_comment_to_linear(self, message: str) -> None:
-        """
-        Send a comment to Linear issue.
+        """Send a comment to Linear issue.

        Args:
            message: The message content to send to Linear
@@ -60,9 +59,9 @@ class LinearCallbackProcessor(ConversationCallbackProcessor):
                workspace.svc_acc_api_key
            )

-            # Send comment
+            # Send comment directly as a string
            await linear_manager.send_message(
-                linear_manager.create_outgoing_message(msg=message),
+                message,
                self.issue_id,
                api_key,
            )
--- a/enterprise/server/conversation_callback_processor/slack_callback_processor.py
+++ b/enterprise/server/conversation_callback_processor/slack_callback_processor.py
@@ -26,8 +26,7 @@ slack_manager = SlackManager(token_manager)


 class SlackCallbackProcessor(ConversationCallbackProcessor):
-    """
-    Processor for sending conversation summaries to Slack.
+    """Processor for sending conversation summaries to Slack.

    This processor is used to send summaries of conversations to Slack channels
    when agent state changes occur.
@@ -41,14 +40,13 @@ class SlackCallbackProcessor(ConversationCallbackProcessor):
    last_user_msg_id: int | None = None

    async def _send_message_to_slack(self, message: str) -> None:
-        """
-        Send a message to Slack using the conversation_manager's send_to_event_stream method.
+        """Send a message to Slack.

        Args:
            message: The message content to send to Slack
        """
        try:
-            # Create a message object for Slack
+            # Create a message object for Slack view creation (incoming message format)
            message_obj = Message(
                source=SourceType.SLACK,
                message={
@@ -64,12 +62,11 @@ class SlackCallbackProcessor(ConversationCallbackProcessor):
            slack_user, saas_user_auth = await slack_manager.authenticate_user(
                self.slack_user_id
            )
-            slack_view = SlackFactory.create_slack_view_from_payload(
+            slack_view = await SlackFactory.create_slack_view_from_payload(
                message_obj, slack_user, saas_user_auth
            )
-            await slack_manager.send_message(
-                slack_manager.create_outgoing_message(message), slack_view
-            )
+            # Send the message directly as a string
+            await slack_manager.send_message(message, slack_view)

            logger.info(
                f'[Slack] Sent summary message to channel {self.channel_id} '
--- a/enterprise/server/middleware.py
+++ b/enterprise/server/middleware.py
@@ -1,4 +1,4 @@
-from typing import Callable
+from typing import Callable, cast

 import jwt
 from fastapi import Request, Response, status
@@ -19,7 +19,7 @@ from server.routes.auth import (
 )

 from openhands.core.logger import openhands_logger as logger
-from openhands.server.user_auth.user_auth import AuthType, get_user_auth
+from openhands.server.user_auth.user_auth import AuthType, UserAuth, get_user_auth
 from openhands.server.utils import config


@@ -43,19 +43,21 @@ class SetAuthCookieMiddleware:
            if not user_auth or user_auth.auth_type != AuthType.COOKIE:
                return response
            if user_auth.refreshed:
+                if user_auth.access_token is None:
+                    return response
                set_response_cookie(
                    request=request,
                    response=response,
                    keycloak_access_token=user_auth.access_token.get_secret_value(),
                    keycloak_refresh_token=user_auth.refresh_token.get_secret_value(),
                    secure=False if request.url.hostname == 'localhost' else True,
-                    accepted_tos=user_auth.accepted_tos,
+                    accepted_tos=user_auth.accepted_tos or False,
                )

                # On re-authentication (token refresh), kick off background sync for GitLab repos
-                schedule_gitlab_repo_sync(
-                    await user_auth.get_user_id(),
-                )
+                user_id = await user_auth.get_user_id()
+                if user_id:
+                    schedule_gitlab_repo_sync(user_id)

            if (
                self._should_attach(request)
@@ -97,17 +99,22 @@ class SetAuthCookieMiddleware:
            return response

    def _get_user_auth(self, request: Request) -> SaasUserAuth | None:
-        return getattr(request.state, 'user_auth', None)
+        user_auth: UserAuth | None = getattr(request.state, 'user_auth', None)
+        if user_auth is None:
+            return None
+        return cast(SaasUserAuth, user_auth)

    def _check_tos(self, request: Request):
        keycloak_auth_cookie = request.cookies.get('keycloak_auth')
        auth_header = request.headers.get('Authorization')
        mcp_auth_header = request.headers.get('X-Session-API-Key')
+        api_auth_header = request.headers.get('X-Access-Token')
        accepted_tos: bool | None = False
        if (
            keycloak_auth_cookie is None
            and (auth_header is None or not auth_header.startswith('Bearer '))
            and mcp_auth_header is None
+            and api_auth_header is None
        ):
            raise NoCredentialsError

@@ -164,7 +171,6 @@ class SetAuthCookieMiddleware:
            '/oauth/device/authorize',
            '/oauth/device/token',
            '/api/v1/web-client/config',
-            '/api/v1/webhooks/secrets',
        )
        if path in ignore_paths:
            return False
@@ -175,6 +181,10 @@ class SetAuthCookieMiddleware:
        ):
            return False

+        # Webhooks access is controlled using separate API keys
+        if path.startswith('/api/v1/webhooks/'):
+            return False
+
        is_mcp = path.startswith('/mcp')
        is_api_route = path.startswith('/api')
        return is_api_route or is_mcp
@@ -182,7 +192,7 @@ class SetAuthCookieMiddleware:
    async def _logout(self, request: Request):
        # Log out of keycloak - this prevents issues where you did not log in with the idp you believe you used
        try:
-            user_auth: SaasUserAuth = await get_user_auth(request)
+            user_auth = cast(SaasUserAuth, await get_user_auth(request))
            if user_auth and user_auth.refresh_token:
                await token_manager.logout(user_auth.refresh_token.get_secret_value())
        except Exception:
--- a/enterprise/server/routes/api_keys.py
+++ b/enterprise/server/routes/api_keys.py
@@ -17,12 +17,12 @@ from openhands.server.user_auth import get_user_id
 # Helper functions for BYOR API key management
 async def get_byor_key_from_db(user_id: str) -> str | None:
    """Get the BYOR key from the database for a user."""
-    user = await UserStore.get_user_by_id_async(user_id)
+    user = await UserStore.get_user_by_id(user_id)
    if not user:
        return None

    current_org_id = user.current_org_id
-    current_org_member: OrgMember = None
+    current_org_member: OrgMember | None = None
    for org_member in user.org_members:
        if org_member.org_id == current_org_id:
            current_org_member = org_member
@@ -36,12 +36,12 @@ async def get_byor_key_from_db(user_id: str) -> str | None:

 async def store_byor_key_in_db(user_id: str, key: str) -> None:
    """Store the BYOR key in the database for a user."""
-    user = await UserStore.get_user_by_id_async(user_id)
+    user = await UserStore.get_user_by_id(user_id)
    if not user:
        return None

    current_org_id = user.current_org_id
-    current_org_member: OrgMember = None
+    current_org_member: OrgMember | None = None
    for org_member in user.org_members:
        if org_member.org_id == current_org_id:
            current_org_member = org_member
@@ -49,13 +49,13 @@ async def store_byor_key_in_db(user_id: str, key: str) -> None:
    if not current_org_member:
        return None
    current_org_member.llm_api_key_for_byor = key
-    OrgMemberStore.update_org_member(current_org_member)
+    await OrgMemberStore.update_org_member(current_org_member)


 async def generate_byor_key(user_id: str) -> str | None:
    """Generate a new BYOR key for a user."""
    try:
-        user = await UserStore.get_user_by_id_async(user_id)
+        user = await UserStore.get_user_by_id(user_id)
        if not user:
            return None
        current_org_id = str(user.current_org_id)
@@ -66,22 +66,15 @@ async def generate_byor_key(user_id: str) -> str | None:
            {'type': 'byor'},
        )

-        if key:
-            logger.info(
-                'Successfully generated new BYOR key',
-                extra={
-                    'user_id': user_id,
-                    'key_length': len(key) if key else 0,
-                    'key_prefix': key[:10] + '...' if key and len(key) > 10 else key,
-                },
-            )
-            return key
-        else:
-            logger.error(
-                'Failed to generate BYOR LLM API key - no key in response',
-                extra={'user_id': user_id},
-            )
-            return None
+        logger.info(
+            'Successfully generated new BYOR key',
+            extra={
+                'user_id': user_id,
+                'key_length': len(key),
+                'key_prefix': key[:10] + '...' if len(key) > 10 else key,
+            },
+        )
+        return key
    except Exception as e:
        logger.exception(
            'Error generating BYOR key',
@@ -98,7 +91,7 @@ async def delete_byor_key_from_litellm(user_id: str, byor_key: str) -> bool:
    """
    try:
        # Get user to construct the key alias
-        user = await UserStore.get_user_by_id_async(user_id)
+        user = await UserStore.get_user_by_id(user_id)
        key_alias = None
        if user and user.current_org_id:
            key_alias = f'BYOR Key - user {user_id}, org {user.current_org_id}'
@@ -251,7 +244,7 @@ async def delete_api_key(
            )

        # Delete the key
-        success = api_key_store.delete_api_key_by_id(key_id)
+        success = await api_key_store.delete_api_key_by_id(key_id)

        if not success:
            raise HTTPException(
--- a/enterprise/server/routes/auth.py
+++ b/enterprise/server/routes/auth.py
@@ -3,7 +3,7 @@ import json
 import uuid
 import warnings
 from datetime import datetime, timezone
-from typing import Annotated, Literal, Optional
+from typing import Annotated, Literal, Optional, cast
 from urllib.parse import quote
 from uuid import UUID as parse_uuid

@@ -34,7 +34,8 @@ from server.services.org_invitation_service import (
    OrgInvitationService,
    UserAlreadyMemberError,
 )
-from storage.database import session_maker
+from sqlalchemy import select
+from storage.database import a_session_maker
 from storage.user import User
 from storage.user_store import UserStore

@@ -188,33 +189,35 @@ async def keycloak_callback(

    user_info = await token_manager.get_user_info(keycloak_access_token)
    logger.debug(f'user_info: {user_info}')
-    if ROLE_CHECK_ENABLED and 'roles' not in user_info:
+    if ROLE_CHECK_ENABLED and user_info.roles is None:
        return JSONResponse(
            status_code=status.HTTP_401_UNAUTHORIZED,
            content={'error': 'Missing required role'},
        )

-    if 'sub' not in user_info or 'preferred_username' not in user_info:
+    if user_info.preferred_username is None:
        return JSONResponse(
            status_code=status.HTTP_400_BAD_REQUEST,
            content={'error': 'Missing user ID or username in response'},
        )

-    email = user_info.get('email')
-    user_id = user_info['sub']
-    user = await UserStore.get_user_by_id_async(user_id)
+    email = user_info.email
+    user_id = user_info.sub
+    user_info_dict = user_info.model_dump(exclude_none=True)
+    user = await UserStore.get_user_by_id(user_id)
    if not user:
-        user = await UserStore.create_user(user_id, user_info)
+        user = await UserStore.create_user(user_id, user_info_dict)
    else:
        # Existing user — gradually backfill contact_name if it still has a username-style value
-        await UserStore.backfill_contact_name(user_id, user_info)
+        await UserStore.backfill_contact_name(user_id, user_info_dict)
+        await UserStore.backfill_user_email(user_id, user_info_dict)

    if not user:
-        logger.error(f'Failed to authenticate user {user_info["preferred_username"]}')
+        logger.error(f'Failed to authenticate user {user_info.preferred_username}')
        return JSONResponse(
            status_code=status.HTTP_401_UNAUTHORIZED,
            content={
-                'error': f'Failed to authenticate user {user_info["preferred_username"]}'
+                'error': f'Failed to authenticate user {user_info.preferred_username}'
            },
        )

@@ -269,7 +272,7 @@ async def keycloak_callback(
            # Fail open - continue with login if reCAPTCHA service unavailable

    # Check if email domain is blocked
-    if email and domain_blocker.is_domain_blocked(email):
+    if email and await domain_blocker.is_domain_blocked(email):
        logger.warning(
            f'Blocked authentication attempt for email: {email}, user_id: {user_id}'
        )
@@ -321,7 +324,7 @@ async def keycloak_callback(
            )

    # Check email verification status
-    email_verified = user_info.get('email_verified', False)
+    email_verified = user_info.email_verified or False
    if not email_verified:
        # Send verification email
        # Import locally to avoid circular import with email.py
@@ -339,7 +342,7 @@ async def keycloak_callback(

    # default to github IDP for now.
    # TODO: remove default once Keycloak is updated universally with the new attribute.
-    idp: str = user_info.get('identity_provider', ProviderType.GITHUB.value)
+    idp: str = user_info.identity_provider or ProviderType.GITHUB.value
    logger.info(f'Full IDP is {idp}')
    idp_type = 'oidc'
    if ':' in idp:
@@ -350,7 +353,7 @@ async def keycloak_callback(
        ProviderType(idp), user_id, keycloak_access_token
    )

-    username = user_info['preferred_username']
+    username = user_info.preferred_username
    if user_verifier.is_active() and not user_verifier.is_user_allowed(username):
        return JSONResponse(
            status_code=status.HTTP_401_UNAUTHORIZED,
@@ -358,7 +361,7 @@ async def keycloak_callback(
        )

    valid_offline_token = (
-        await token_manager.validate_offline_token(user_id=user_info['sub'])
+        await token_manager.validate_offline_token(user_id=user_info.sub)
        if idp_type != 'saml'
        else True
    )
@@ -539,17 +542,16 @@ async def keycloak_offline_callback(code: str, state: str, request: Request):

    user_info = await token_manager.get_user_info(keycloak_access_token)
    logger.debug(f'user_info: {user_info}')
-    if 'sub' not in user_info:
-        return JSONResponse(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            content={'error': 'Missing Keycloak ID in response'},
-        )
+    # sub is a required field in KeycloakUserInfo, validation happens in get_user_info

    await token_manager.store_offline_token(
-        user_id=user_info['sub'], offline_token=keycloak_refresh_token
+        user_id=user_info.sub, offline_token=keycloak_refresh_token
    )

-    return RedirectResponse(state if state else request.base_url, status_code=302)
+    redirect_url, _, _ = _extract_oauth_state(state)
+    return RedirectResponse(
+        redirect_url if redirect_url else request.base_url, status_code=302
+    )


@oauth_router.get('/github/callback')
@@ -586,7 +588,7 @@ async def authenticate(request: Request):

@api_router.post('/accept_tos')
 async def accept_tos(request: Request):
-    user_auth: SaasUserAuth = await get_user_auth(request)
+    user_auth = cast(SaasUserAuth, await get_user_auth(request))
    access_token = await user_auth.get_access_token()
    refresh_token = user_auth.refresh_token
    user_id = await user_auth.get_user_id()
@@ -605,18 +607,21 @@ async def accept_tos(request: Request):
    redirect_url = body.get('redirect_url', str(request.base_url))

    # Update user settings with TOS acceptance
-    accepted_tos: datetime = datetime.now(timezone.utc)
-    with session_maker() as session:
-        user = session.query(User).filter(User.id == uuid.UUID(user_id)).first()
+    accepted_tos: datetime = datetime.now(timezone.utc).replace(tzinfo=None)
+    async with a_session_maker() as session:
+        result = await session.execute(
+            select(User).where(User.id == uuid.UUID(user_id))
+        )
+        user = result.scalar_one_or_none()
        if not user:
-            session.rollback()
+            await session.rollback()
            logger.error('User for {user_id} not found.')
            return JSONResponse(
                status_code=status.HTTP_401_UNAUTHORIZED,
                content={'error': 'User does not exist'},
            )
        user.accepted_tos = accepted_tos
-        session.commit()
+        await session.commit()

        logger.info(f'User {user_id} accepted TOS')

@@ -652,7 +657,7 @@ async def logout(request: Request):

    # Try to properly logout from Keycloak, but don't fail if it doesn't work
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        if user_auth and user_auth.refresh_token:
            refresh_token = user_auth.refresh_token.get_secret_value()
            await token_manager.logout(refresh_token)
--- a/enterprise/server/routes/billing.py
+++ b/enterprise/server/routes/billing.py
@@ -11,9 +11,10 @@ from integrations import stripe_service
 from pydantic import BaseModel
 from server.constants import STRIPE_API_KEY
 from server.logger import logger
+from sqlalchemy import select
 from starlette.datastructures import URL
 from storage.billing_session import BillingSession
-from storage.database import session_maker
+from storage.database import a_session_maker
 from storage.lite_llm_manager import LiteLlmManager
 from storage.org import Org
 from storage.subscription_access import SubscriptionAccess
@@ -23,7 +24,7 @@ from openhands.app_server.config import get_global_config
 from openhands.server.user_auth import get_user_id

 stripe.api_key = STRIPE_API_KEY
-billing_router = APIRouter(prefix='/api/billing')
+billing_router = APIRouter(prefix='/api/billing', tags=['Billing'])


 async def validate_billing_enabled() -> None:
@@ -89,7 +90,9 @@ def calculate_credits(user_info: LiteLlmUserInfo) -> float:
 async def get_credits(user_id: str = Depends(get_user_id)) -> GetCreditsResponse:
    if not stripe_service.STRIPE_API_KEY:
        return GetCreditsResponse()
-    user = await UserStore.get_user_by_id_async(user_id)
+    user = await UserStore.get_user_by_id(user_id)
+    if user is None:
+        raise HTTPException(status.HTTP_404_NOT_FOUND, detail='User not found')
    user_team_info = await LiteLlmManager.get_user_team_info(
        user_id, str(user.current_org_id)
    )
@@ -106,16 +109,17 @@ async def get_subscription_access(
    user_id: str = Depends(get_user_id),
 ) -> SubscriptionAccessResponse | None:
    """Get details of the currently valid subscription for the user."""
-    with session_maker() as session:
+    async with a_session_maker() as session:
        now = datetime.now(UTC)
-        subscription_access = (
-            session.query(SubscriptionAccess)
-            .filter(SubscriptionAccess.status == 'ACTIVE')
-            .filter(SubscriptionAccess.user_id == user_id)
-            .filter(SubscriptionAccess.start_at <= now)
-            .filter(SubscriptionAccess.end_at >= now)
-            .first()
+        result = await session.execute(
+            select(SubscriptionAccess).where(
+                SubscriptionAccess.status == 'ACTIVE',
+                SubscriptionAccess.user_id == user_id,
+                SubscriptionAccess.start_at <= now,
+                SubscriptionAccess.end_at >= now,
+            )
        )
+        subscription_access = result.scalar_one_or_none()
        if not subscription_access:
            return None
        return SubscriptionAccessResponse(
@@ -142,6 +146,11 @@ async def create_customer_setup_session(
 ) -> CreateBillingSessionResponse:
    await validate_billing_enabled()
    customer_info = await stripe_service.find_or_create_customer_by_user_id(user_id)
+    if not customer_info:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Could not find or create customer for user',
+        )
    base_url = _get_base_url(request)
    checkout_session = await stripe.checkout.Session.create_async(
        customer=customer_info['customer_id'],
@@ -163,6 +172,11 @@ async def create_checkout_session(
    await validate_billing_enabled()
    base_url = _get_base_url(request)
    customer_info = await stripe_service.find_or_create_customer_by_user_id(user_id)
+    if not customer_info:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Could not find or create customer for user',
+        )
    checkout_session = await stripe.checkout.Session.create_async(
        customer=customer_info['customer_id'],
        line_items=[
@@ -197,7 +211,7 @@ async def create_checkout_session(
            'checkout_session_id': checkout_session.id,
        },
    )
-    with session_maker() as session:
+    async with a_session_maker() as session:
        billing_session = BillingSession(
            id=checkout_session.id,
            user_id=user_id,
@@ -206,7 +220,7 @@ async def create_checkout_session(
            price_code='NA',
        )
        session.add(billing_session)
-        session.commit()
+        await session.commit()

    return CreateBillingSessionResponse(redirect_url=checkout_session.url)

@@ -215,13 +229,14 @@ async def create_checkout_session(
@billing_router.get('/success')
 async def success_callback(session_id: str, request: Request):
    # We can't use the auth cookie because of SameSite=strict
-    with session_maker() as session:
-        billing_session = (
-            session.query(BillingSession)
-            .filter(BillingSession.id == session_id)
-            .filter(BillingSession.status == 'in_progress')
-            .first()
+    async with a_session_maker() as session:
+        result = await session.execute(
+            select(BillingSession).where(
+                BillingSession.id == session_id,
+                BillingSession.status == 'in_progress',
+            )
        )
+        billing_session = result.scalar_one_or_none()

        if billing_session is None:
            # Hopefully this never happens - we get a redirect from stripe where the session does not exist
@@ -243,7 +258,9 @@ async def success_callback(session_id: str, request: Request):
            )
            raise HTTPException(status.HTTP_400_BAD_REQUEST)

-        user = await UserStore.get_user_by_id_async(billing_session.user_id)
+        user = await UserStore.get_user_by_id(billing_session.user_id)
+        if user is None:
+            raise HTTPException(status.HTTP_404_NOT_FOUND, detail='User not found')
        user_team_info = await LiteLlmManager.get_user_team_info(
            billing_session.user_id, str(user.current_org_id)
        )
@@ -253,7 +270,8 @@ async def success_callback(session_id: str, request: Request):
            user_team_info, billing_session.user_id, str(user.current_org_id)
        )

-        org = session.query(Org).filter(Org.id == user.current_org_id).first()
+        result = await session.execute(select(Org).where(Org.id == user.current_org_id))
+        org = result.scalar_one_or_none()
        new_max_budget = max_budget + add_credits

        await LiteLlmManager.update_team_and_users_budget(
@@ -279,7 +297,7 @@ async def success_callback(session_id: str, request: Request):
                'stripe_customer_id': stripe_session.customer,
            },
        )
-        session.commit()
+        await session.commit()

    return RedirectResponse(
        f'{_get_base_url(request)}settings/billing?checkout=success', status_code=302
@@ -289,13 +307,14 @@ async def success_callback(session_id: str, request: Request):
 # Callback endpoint for cancelled Stripe payments - updates billing session status
@billing_router.get('/cancel')
 async def cancel_callback(session_id: str, request: Request):
-    with session_maker() as session:
-        billing_session = (
-            session.query(BillingSession)
-            .filter(BillingSession.id == session_id)
-            .filter(BillingSession.status == 'in_progress')
-            .first()
+    async with a_session_maker() as session:
+        result = await session.execute(
+            select(BillingSession).where(
+                BillingSession.id == session_id,
+                BillingSession.status == 'in_progress',
+            )
        )
+        billing_session = result.scalar_one_or_none()
        if billing_session:
            logger.info(
                'stripe_checkout_cancel',
@@ -307,7 +326,7 @@ async def cancel_callback(session_id: str, request: Request):
            billing_session.status = 'cancelled'
            billing_session.updated_at = datetime.now(UTC)
            session.merge(billing_session)
-            session.commit()
+            await session.commit()

    return RedirectResponse(
        f'{_get_base_url(request)}settings/billing?checkout=cancel', status_code=302
--- a/enterprise/server/routes/debugging.py
+++ b/enterprise/server/routes/debugging.py
@@ -1,163 +0,0 @@
-import asyncio
-import os
-import time
-from threading import Thread
-
-from fastapi import APIRouter, FastAPI
-from sqlalchemy import func, select
-from storage.database import a_session_maker, get_engine, session_maker
-from storage.user import User
-
-from openhands.core.logger import openhands_logger as logger
-from openhands.utils.async_utils import wait_all
-
-# Safety flag to prevent chaos routes from being added in production environments
-# Only enables these routes in non-production environments
-ADD_DEBUGGING_ROUTES = os.environ.get('ADD_DEBUGGING_ROUTES') in ('1', 'true')
-
-
-def add_debugging_routes(api: FastAPI):
-    """
-    # HERE BE DRAGONS!
-    Chaos scripts for debugging and stress testing the system.
-
-    This module contains endpoints that deliberately stress test and potentially break
-    the system to help identify weaknesses and bottlenecks. It includes a safety check
-    to ensure these routes are never deployed to production environments.
-
-    The routes in this module are specifically designed for:
-    - Testing connection pool behavior under load
-    - Simulating database connection exhaustion
-    - Testing async vs sync database access patterns
-    - Simulating event loop blocking
-    """
-
-    if not ADD_DEBUGGING_ROUTES:
-        return
-
-    chaos_router = APIRouter(prefix='/debugging')
-
-    @chaos_router.get('/pool-stats')
-    def pool_stats() -> dict[str, int]:
-        """
-        Returns current database connection pool statistics.
-
-        This endpoint provides real-time metrics about the SQLAlchemy connection pool:
-        - checked_in: Number of connections currently available in the pool
-        - checked_out: Number of connections currently in use
-        - overflow: Number of overflow connections created beyond pool_size
-        """
-        engine = get_engine()
-        return {
-            'checked_in': engine.pool.checkedin(),
-            'checked_out': engine.pool.checkedout(),
-            'overflow': engine.pool.overflow(),
-        }
-
-    @chaos_router.get('/test-db')
-    def test_db(num_tests: int = 10, delay: int = 1) -> str:
-        """
-        Stress tests the database connection pool using multiple threads.
-
-        Creates multiple threads that each open a database connection, perform a query,
-        hold the connection for the specified delay, and then release it.
-
-        Parameters:
-            num_tests: Number of concurrent database connections to create
-            delay: Number of seconds each connection is held open
-
-        This test helps identify connection pool exhaustion issues and connection
-        leaks under concurrent load.
-        """
-        threads = [Thread(target=_db_check, args=(delay,)) for _ in range(num_tests)]
-        for thread in threads:
-            thread.start()
-        for thread in threads:
-            thread.join()
-        return 'success'
-
-    @chaos_router.get('/a-test-db')
-    async def a_chaos_monkey(num_tests: int = 10, delay: int = 1) -> str:
-        """
-        Stress tests the async database connection pool.
-
-        Similar to /test-db but uses async connections and coroutines instead of threads.
-        This endpoint helps compare the behavior of async vs sync connection pools
-        under similar load conditions.
-
-        Parameters:
-            num_tests: Number of concurrent async database connections to create
-            delay: Number of seconds each connection is held open
-        """
-        await wait_all((_a_db_check(delay) for _ in range(num_tests)))
-        return 'success'
-
-    @chaos_router.get('/lock-main-runloop')
-    async def lock_main_runloop(duration: int = 10) -> str:
-        """
-        Deliberately blocks the main asyncio event loop.
-
-        This endpoint uses a synchronous sleep operation in an async function,
-        which blocks the entire FastAPI server's event loop for the specified duration.
-        This simulates what happens when CPU-intensive operations or blocking I/O
-        operations are incorrectly used in async code.
-
-        Parameters:
-            duration: Number of seconds to block the event loop
-
-        WARNING: This will make the entire server unresponsive for the duration!
-        """
-        time.sleep(duration)
-        return 'success'
-
-    api.include_router(chaos_router)  # Add routes for readiness checks
-
-
-def _db_check(delay: int):
-    """
-    Executes a single request against the database with an artificial delay.
-
-    This helper function:
-    1. Opens a database connection from the pool
-    2. Executes a simple query to count users
-    3. Holds the connection for the specified delay
-    4. Logs connection pool statistics
-    5. Implicitly returns the connection to the pool when the session closes
-
-    Args:
-        delay: Number of seconds to hold the database connection
-    """
-    with session_maker() as session:
-        num_users = session.query(User).count()
-        time.sleep(delay)
-        engine = get_engine()
-        logger.info(
-            'check',
-            extra={
-                'num_users': num_users,
-                'checked_in': engine.pool.checkedin(),
-                'checked_out': engine.pool.checkedout(),
-                'overflow': engine.pool.overflow(),
-            },
-        )
-
-
-async def _a_db_check(delay: int):
-    """
-    Executes a single async request against the database with an artificial delay.
-
-    This is the async version of _db_check that:
-    1. Opens an async database connection from the pool
-    2. Executes a simple query to count users using SQLAlchemy's async API
-    3. Holds the connection for the specified delay using asyncio.sleep
-    4. Logs the results
-    5. Implicitly returns the connection to the pool when the async session closes
-
-    Args:
-        delay: Number of seconds to hold the database connection
-    """
-    async with a_session_maker() as a_session:
-        stmt = select(func.count(User.id))
-        num_users = await a_session.execute(stmt)
-        await asyncio.sleep(delay)
-        logger.info(f'a_num_users:{num_users.scalar_one()}')
--- a/enterprise/server/routes/email.py
+++ b/enterprise/server/routes/email.py
@@ -1,4 +1,5 @@
 import re
+from typing import cast

 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import JSONResponse, RedirectResponse
@@ -8,6 +9,7 @@ from server.auth.keycloak_manager import get_keycloak_admin
 from server.auth.saas_user_auth import SaasUserAuth
 from server.routes.auth import set_response_cookie
 from server.utils.rate_limit_utils import check_rate_limit_by_user_id
+from storage.user_store import UserStore

 from openhands.core.logger import openhands_logger as logger
 from openhands.server.user_auth import get_user_id
@@ -62,7 +64,11 @@ async def update_email(
            },
        )

-        user_auth: SaasUserAuth = await get_user_auth(request)
+        await UserStore.update_user_email(
+            user_id=user_id, email=email, email_verified=False
+        )
+
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        await user_auth.refresh()  # refresh so access token has updated email
        user_auth.email = email
        user_auth.email_verified = False
@@ -71,13 +77,18 @@ async def update_email(
        )

        # need to set auth cookie to the new tokens
+        if user_auth.access_token is None:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='Access token not found',
+            )
        set_response_cookie(
            request=request,
            response=response,
            keycloak_access_token=user_auth.access_token.get_secret_value(),
            keycloak_refresh_token=user_auth.refresh_token.get_secret_value(),
            secure=False if request.url.hostname == 'localhost' else True,
-            accepted_tos=user_auth.accepted_tos,
+            accepted_tos=user_auth.accepted_tos or False,
        )

        await verify_email(request=request, user_id=user_id)
@@ -141,21 +152,26 @@ async def resend_email_verification(

@api_router.get('/verified')
 async def verified_email(request: Request):
-    user_auth: SaasUserAuth = await get_user_auth(request)
+    user_auth = cast(SaasUserAuth, await get_user_auth(request))
    await user_auth.refresh()  # refresh so access token has updated email
    user_auth.email_verified = True
+    await UserStore.update_user_email(user_id=user_auth.user_id, email_verified=True)
    scheme = 'http' if request.url.hostname == 'localhost' else 'https'
    redirect_uri = f'{scheme}://{request.url.netloc}/settings/user'
    response = RedirectResponse(redirect_uri, status_code=302)

    # need to set auth cookie to the new tokens
+    if user_auth.access_token is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED, detail='Access token not found'
+        )
    set_response_cookie(
        request=request,
        response=response,
        keycloak_access_token=user_auth.access_token.get_secret_value(),
        keycloak_refresh_token=user_auth.refresh_token.get_secret_value(),
        secure=False if request.url.hostname == 'localhost' else True,
-        accepted_tos=user_auth.accepted_tos,
+        accepted_tos=user_auth.accepted_tos or False,
    )

    logger.info(f'Email {user_auth.email} verified.')
--- a/enterprise/server/routes/event_webhook.py
+++ b/enterprise/server/routes/event_webhook.py
@@ -93,6 +93,16 @@ async def _process_batch_operations_background(
                    )
                    continue  # Skip this operation but continue with others

+            if user_id is None:
+                logger.error(
+                    'user_id_not_set_in_batch_webhook',
+                    extra={
+                        'conversation_id': conversation_id,
+                        'path': batch_op.path,
+                    },
+                )
+                continue
+
            if subpath == 'agent_state.pkl':
                update_agent_state(user_id, conversation_id, batch_op.get_content())
                continue
--- a/enterprise/server/routes/feedback.py
+++ b/enterprise/server/routes/feedback.py
@@ -3,16 +3,22 @@ from typing import Any, Dict, List, Optional
 from fastapi import APIRouter, Depends, HTTPException, status
 from pydantic import BaseModel, Field
 from sqlalchemy.future import select
-from storage.database import session_maker
+from storage.database import a_session_maker
 from storage.feedback import ConversationFeedback
 from storage.stored_conversation_metadata_saas import StoredConversationMetadataSaas

 from openhands.events.event_store import EventStore
+from openhands.server.dependencies import get_dependencies
 from openhands.server.shared import file_store
 from openhands.server.user_auth import get_user_id
-from openhands.utils.async_utils import call_sync_from_async

-router = APIRouter(prefix='/feedback', tags=['feedback'])
+# We use the get_dependencies method here to signal to the OpenAPI docs that this endpoint
+# is protected. The actual protection is provided by SetAuthCookieMiddleware
+# TODO: It may be an error by you can actually post feedback to a conversation you don't
+# own right now - maybe this is useful in the context of public shared conversations?
+router = APIRouter(
+    prefix='/feedback', tags=['feedback'], dependencies=get_dependencies()
+)


 async def get_event_ids(conversation_id: str, user_id: str) -> List[int]:
@@ -30,23 +36,19 @@ async def get_event_ids(conversation_id: str, user_id: str) -> List[int]:
    """

    # Verify the conversation belongs to the user
-    def _verify_conversation():
-        with session_maker() as session:
-            metadata = (
-                session.query(StoredConversationMetadataSaas)
-                .filter(
-                    StoredConversationMetadataSaas.conversation_id == conversation_id,
-                    StoredConversationMetadataSaas.user_id == user_id,
-                )
-                .first()
+    async with a_session_maker() as session:
+        result = await session.execute(
+            select(StoredConversationMetadataSaas).where(
+                StoredConversationMetadataSaas.conversation_id == conversation_id,
+                StoredConversationMetadataSaas.user_id == user_id,
+            )
+        )
+        metadata = result.scalars().first()
+        if not metadata:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f'Conversation {conversation_id} not found',
            )
-            if not metadata:
-                raise HTTPException(
-                    status_code=status.HTTP_404_NOT_FOUND,
-                    detail=f'Conversation {conversation_id} not found',
-                )
-
-    await call_sync_from_async(_verify_conversation)

    # Create an event store to access the events directly
    # This works even when the conversation is not running
@@ -96,12 +98,9 @@ async def submit_conversation_feedback(feedback: FeedbackRequest):
    )

    # Add to database
-    def _save_feedback():
-        with session_maker() as session:
-            session.add(new_feedback)
-            session.commit()
-
-    await call_sync_from_async(_save_feedback)
+    async with a_session_maker() as session:
+        session.add(new_feedback)
+        await session.commit()

    return {'status': 'success', 'message': 'Feedback submitted successfully'}

@@ -120,30 +119,27 @@ async def get_batch_feedback(conversation_id: str, user_id: str = Depends(get_us
        return {}

    # Query for existing feedback for all events
-    def _check_feedback():
-        with session_maker() as session:
-            result = session.execute(
-                select(ConversationFeedback).where(
-                    ConversationFeedback.conversation_id == conversation_id,
-                    ConversationFeedback.event_id.in_(event_ids),
-                )
+    async with a_session_maker() as session:
+        result = await session.execute(
+            select(ConversationFeedback).where(
+                ConversationFeedback.conversation_id == conversation_id,
+                ConversationFeedback.event_id.in_(event_ids),
            )
+        )

-            # Create a mapping of event_id to feedback
-            feedback_map = {
-                feedback.event_id: {
-                    'exists': True,
-                    'rating': feedback.rating,
-                    'reason': feedback.reason,
-                }
-                for feedback in result.scalars()
+        # Create a mapping of event_id to feedback
+        feedback_map = {
+            feedback.event_id: {
+                'exists': True,
+                'rating': feedback.rating,
+                'reason': feedback.reason,
            }
+            for feedback in result.scalars()
+        }

-            # Build response including all events
-            response = {}
-            for event_id in event_ids:
-                response[str(event_id)] = feedback_map.get(event_id, {'exists': False})
+        # Build response including all events
+        response = {}
+        for event_id in event_ids:
+            response[str(event_id)] = feedback_map.get(event_id, {'exists': False})

-            return response
-
-    return await call_sync_from_async(_check_feedback)
+        return response
--- a/enterprise/server/routes/integration/gitlab.py
+++ b/enterprise/server/routes/integration/gitlab.py
@@ -13,7 +13,7 @@ from integrations.gitlab.webhook_installation import (
 )
 from integrations.models import Message, SourceType
 from integrations.types import GitLabResourceType
-from integrations.utils import GITLAB_WEBHOOK_URL
+from integrations.utils import GITLAB_WEBHOOK_URL, IS_LOCAL_DEPLOYMENT
 from pydantic import BaseModel
 from server.auth.token_manager import TokenManager
 from storage.gitlab_webhook import GitlabWebhook
@@ -68,11 +68,14 @@ async def verify_gitlab_signature(
    if not header_webhook_secret or not webhook_uuid or not user_id:
        raise HTTPException(status_code=403, detail='Required payload headers missing!')

-    webhook_secret = await webhook_store.get_webhook_secret(
-        webhook_uuid=webhook_uuid, user_id=user_id
-    )
+    if IS_LOCAL_DEPLOYMENT:
+        webhook_secret: str | None = 'localdeploymentwebhooktesttoken'
+    else:
+        webhook_secret = await webhook_store.get_webhook_secret(
+            webhook_uuid=webhook_uuid, user_id=user_id
+        )

-    if header_webhook_secret != webhook_secret:
+    if not webhook_secret or header_webhook_secret != webhook_secret:
        raise HTTPException(status_code=403, detail="Request signatures didn't match!")


@@ -329,6 +332,12 @@ async def reinstall_gitlab_webhook(
                resource_type, resource_id
            )

+        if not webhook:
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail='Failed to create or fetch webhook record',
+            )
+
        # Verify conditions and install webhook
        try:
            await verify_webhook_conditions(
--- a/enterprise/server/routes/integration/jira.py
+++ b/enterprise/server/routes/integration/jira.py
@@ -4,7 +4,8 @@ import json
 import os
 import re
 import uuid
-from urllib.parse import urlparse
+from typing import cast
+from urllib.parse import urlencode, urlparse

 import requests
 from fastapi import APIRouter, BackgroundTasks, Header, HTTPException, Request, status
@@ -308,10 +309,11 @@ async def jira_events(
            logger.info(f'Processing new Jira webhook event: {signature}')
            redis_client.setex(key, 300, '1')

-        # Process the webhook
+        # Process the webhook in background after returning response.
+        # Note: For async functions, BackgroundTasks runs them in the same event loop
+        # (not a thread pool), so asyncpg connections work correctly.
        message_payload = {'payload': payload}
        message = Message(source=SourceType.JIRA, message=message_payload)
-
        background_tasks.add_task(jira_manager.receive_message, message)

        return JSONResponse({'success': True})
@@ -331,7 +333,7 @@ async def jira_events(
 async def create_jira_workspace(request: Request, workspace_data: JiraWorkspaceCreate):
    """Create a new Jira workspace registration."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()
        user_email = await user_auth.get_user_email()

@@ -371,9 +373,7 @@ async def create_jira_workspace(request: Request, workspace_data: JiraWorkspaceC
            'prompt': 'consent',
        }

-        auth_url = (
-            f"{JIRA_AUTH_URL}?{'&'.join([f'{k}={v}' for k, v in auth_params.items()])}"
-        )
+        auth_url = f'{JIRA_AUTH_URL}?{urlencode(auth_params)}'

        return JSONResponse(
            content={
@@ -397,7 +397,7 @@ async def create_jira_workspace(request: Request, workspace_data: JiraWorkspaceC
 async def create_workspace_link(request: Request, link_data: JiraLinkCreate):
    """Register a user mapping to a Jira workspace."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()
        user_email = await user_auth.get_user_email()

@@ -432,9 +432,7 @@ async def create_workspace_link(request: Request, link_data: JiraLinkCreate):
            'response_type': 'code',
            'prompt': 'consent',
        }
-        auth_url = (
-            f"{JIRA_AUTH_URL}?{'&'.join([f'{k}={v}' for k, v in auth_params.items()])}"
-        )
+        auth_url = f'{JIRA_AUTH_URL}?{urlencode(auth_params)}'

        return JSONResponse(
            content={
@@ -600,9 +598,15 @@ async def jira_callback(request: Request, code: str, state: str):
 async def get_current_workspace_link(request: Request):
    """Get current user's Jira integration details."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()

+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='User ID not found',
+            )
+
        user = await jira_manager.integration_store.get_user_by_active_workspace(
            user_id
        )
@@ -653,9 +657,15 @@ async def get_current_workspace_link(request: Request):
 async def unlink_workspace(request: Request):
    """Unlink user from Jira integration by setting status to inactive."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()

+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='User ID not found',
+            )
+
        user = await jira_manager.integration_store.get_user_by_active_workspace(
            user_id
        )
@@ -709,7 +719,7 @@ async def validate_workspace_integration(request: Request, workspace_name: str):
                detail='workspace_name can only contain alphanumeric characters, hyphens, underscores, and periods',
            )

-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_email = await user_auth.get_user_email()
        if not user_email:
            raise HTTPException(
--- a/enterprise/server/routes/integration/jira_dc.py
+++ b/enterprise/server/routes/integration/jira_dc.py
@@ -2,7 +2,8 @@ import json
 import os
 import re
 import uuid
-from urllib.parse import urlparse
+from typing import cast
+from urllib.parse import urlencode, urlparse

 import requests
 from fastapi import (
@@ -276,10 +277,16 @@ async def create_jira_dc_workspace(
 ):
    """Create a new Jira DC workspace registration."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()
        user_email = await user_auth.get_user_email()

+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='User ID not found',
+            )
+
        if JIRA_DC_ENABLE_OAUTH:
            # OAuth flow enabled - create session and redirect to OAuth
            state = str(uuid.uuid4())
@@ -316,7 +323,7 @@ async def create_jira_dc_workspace(
                'response_type': 'code',
            }

-            auth_url = f"{JIRA_DC_AUTH_URL}?{'&'.join([f'{k}={v}' for k, v in auth_params.items()])}"
+            auth_url = f'{JIRA_DC_AUTH_URL}?{urlencode(auth_params)}'

            return JSONResponse(
                content={
@@ -399,10 +406,16 @@ async def create_jira_dc_workspace(
 async def create_workspace_link(request: Request, link_data: JiraDcLinkCreate):
    """Register a user mapping to a Jira DC workspace."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()
        user_email = await user_auth.get_user_email()

+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='User ID not found',
+            )
+
        target_workspace = link_data.workspace_name

        if JIRA_DC_ENABLE_OAUTH:
@@ -436,7 +449,7 @@ async def create_workspace_link(request: Request, link_data: JiraDcLinkCreate):
                'state': state,
                'response_type': 'code',
            }
-            auth_url = f"{JIRA_DC_AUTH_URL}?{'&'.join([f'{k}={v}' for k, v in auth_params.items()])}"
+            auth_url = f'{JIRA_DC_AUTH_URL}?{urlencode(auth_params)}'

            return JSONResponse(
                content={
@@ -589,9 +602,15 @@ async def jira_dc_callback(request: Request, code: str, state: str):
 async def get_current_workspace_link(request: Request):
    """Get current user's Jira DC integration details."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()

+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='User ID not found',
+            )
+
        user = await jira_dc_manager.integration_store.get_user_by_active_workspace(
            user_id
        )
@@ -641,9 +660,15 @@ async def get_current_workspace_link(request: Request):
 async def unlink_workspace(request: Request):
    """Unlink user from Jira DC integration by setting status to inactive."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()

+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='User ID not found',
+            )
+
        user = await jira_dc_manager.integration_store.get_user_by_active_workspace(
            user_id
        )
--- a/enterprise/server/routes/integration/linear.py
+++ b/enterprise/server/routes/integration/linear.py
@@ -2,6 +2,7 @@ import json
 import os
 import re
 import uuid
+from typing import cast

 import requests
 from fastapi import APIRouter, BackgroundTasks, HTTPException, Request, status
@@ -269,7 +270,7 @@ async def create_linear_workspace(
 ):
    """Create a new Linear workspace registration."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()
        user_email = await user_auth.get_user_email()

@@ -331,7 +332,7 @@ async def create_linear_workspace(
 async def create_workspace_link(request: Request, link_data: LinearLinkCreate):
    """Register a user mapping to a Linear workspace."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()
        user_email = await user_auth.get_user_email()

@@ -520,8 +521,13 @@ async def linear_callback(request: Request, code: str, state: str):
 async def get_current_workspace_link(request: Request):
    """Get current user's Linear integration details."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()
+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='User not authenticated',
+            )

        user = await linear_manager.integration_store.get_user_by_active_workspace(
            user_id
@@ -573,8 +579,13 @@ async def get_current_workspace_link(request: Request):
 async def unlink_workspace(request: Request):
    """Unlink user from Linear integration by setting status to inactive."""
    try:
-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_id = await user_auth.get_user_id()
+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='User not authenticated',
+            )

        user = await linear_manager.integration_store.get_user_by_active_workspace(
            user_id
@@ -629,7 +640,7 @@ async def validate_workspace_integration(request: Request, workspace_name: str):
                detail='workspace_name can only contain alphanumeric characters, hyphens, underscores, and periods',
            )

-        user_auth: SaasUserAuth = await get_user_auth(request)
+        user_auth = cast(SaasUserAuth, await get_user_auth(request))
        user_email = await user_auth.get_user_email()
        if not user_email:
            raise HTTPException(
--- a/enterprise/server/routes/integration/slack.py
+++ b/enterprise/server/routes/integration/slack.py
@@ -31,7 +31,8 @@ from server.logger import logger
 from slack_sdk.oauth import AuthorizeUrlGenerator
 from slack_sdk.signature import SignatureVerifier
 from slack_sdk.web.async_client import AsyncWebClient
-from storage.database import session_maker
+from sqlalchemy import delete
+from storage.database import a_session_maker
 from storage.slack_team_store import SlackTeamStore
 from storage.slack_user import SlackUser
 from storage.user_store import UserStore
@@ -170,7 +171,7 @@ async def keycloak_callback(
        state, config.jwt_secret.get_secret_value(), algorithms=['HS256']
    )
    slack_user_id = payload['slack_user_id']
-    bot_access_token = payload['bot_access_token']
+    bot_access_token: str | None = payload['bot_access_token']
    team_id = payload['team_id']

    # Retrieve the keycloak_user_id
@@ -195,8 +196,8 @@ async def keycloak_callback(
        )

    user_info = await token_manager.get_user_info(keycloak_access_token)
-    keycloak_user_id = user_info['sub']
-    user = await UserStore.get_user_by_id_async(keycloak_user_id)
+    keycloak_user_id = user_info.sub
+    user = await UserStore.get_user_by_id(keycloak_user_id)
    if not user:
        return _html_response(
            title='Failed to authenticate.',
@@ -207,7 +208,7 @@ async def keycloak_callback(
    # These tokens are offline access tokens - store them!
    await token_manager.store_offline_token(keycloak_user_id, keycloak_refresh_token)

-    idp: str = user_info.get('identity_provider', ProviderType.GITHUB)
+    idp: str = user_info.identity_provider or ProviderType.GITHUB.value
    idp_type = 'oidc'
    if ':' in idp:
        idp, idp_type = idp.rsplit(':', 1)
@@ -218,9 +219,9 @@ async def keycloak_callback(

    # Retrieve bot token
    if team_id and bot_access_token:
-        slack_team_store.create_team(team_id, bot_access_token)
+        await slack_team_store.create_team(team_id, bot_access_token)
    else:
-        bot_access_token = slack_team_store.get_team_bot_token(team_id)
+        bot_access_token = await slack_team_store.get_team_bot_token(team_id)

    if not bot_access_token:
        logger.error(
@@ -239,15 +240,15 @@ async def keycloak_callback(
        slack_display_name=slack_display_name,
    )

-    with session_maker(expire_on_commit=False) as session:
+    async with a_session_maker(expire_on_commit=False) as session:
        # First delete any existing tokens
-        session.query(SlackUser).filter(
-            SlackUser.slack_user_id == slack_user_id
-        ).delete()
+        await session.execute(
+            delete(SlackUser).where(SlackUser.slack_user_id == slack_user_id)
+        )

        # Store the token
        session.add(slack_user)
-        session.commit()
+        await session.commit()

    message = Message(source=SourceType.SLACK, message=payload)

--- a/enterprise/server/routes/oauth_device.py
+++ b/enterprise/server/routes/oauth_device.py
@@ -7,7 +7,6 @@ from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
 from fastapi.responses import JSONResponse
 from pydantic import BaseModel
 from storage.api_key_store import ApiKeyStore
-from storage.database import session_maker
 from storage.device_code_store import DeviceCodeStore

 from openhands.core.logger import openhands_logger as logger
@@ -54,7 +53,7 @@ class DeviceTokenErrorResponse(BaseModel):
 # ---------------------------------------------------------------------------

 oauth_device_router = APIRouter(prefix='/oauth/device')
-device_code_store = DeviceCodeStore(session_maker)
+device_code_store = DeviceCodeStore()


 # ---------------------------------------------------------------------------
@@ -90,7 +89,7 @@ async def device_authorization(
 ) -> DeviceAuthorizationResponse:
    """Start device flow by generating device and user codes."""
    try:
-        device_code_entry = device_code_store.create_device_code(
+        device_code_entry = await device_code_store.create_device_code(
            expires_in=DEVICE_CODE_EXPIRES_IN,
        )

@@ -125,7 +124,7 @@ async def device_authorization(
 async def device_token(device_code: str = Form(...)):
    """Poll for a token until the user authorizes or the code expires."""
    try:
-        device_code_entry = device_code_store.get_by_device_code(device_code)
+        device_code_entry = await device_code_store.get_by_device_code(device_code)

        if not device_code_entry:
            return _oauth_error(
@@ -138,7 +137,9 @@ async def device_token(device_code: str = Form(...)):
        is_too_fast, current_interval = device_code_entry.check_rate_limit()
        if is_too_fast:
            # Update poll time and increase interval
-            device_code_store.update_poll_time(device_code, increase_interval=True)
+            await device_code_store.update_poll_time(
+                device_code, increase_interval=True
+            )
            logger.warning(
                'Client polling too fast, returning slow_down error',
                extra={
@@ -154,7 +155,7 @@ async def device_token(device_code: str = Form(...)):
            )

        # Update poll time for successful rate limit check
-        device_code_store.update_poll_time(device_code, increase_interval=False)
+        await device_code_store.update_poll_time(device_code, increase_interval=False)

        if device_code_entry.is_expired():
            return _oauth_error(
@@ -181,7 +182,7 @@ async def device_token(device_code: str = Form(...)):
            # Retrieve the specific API key for this device using the user_code
            api_key_store = ApiKeyStore.get_instance()
            device_key_name = f'{API_KEY_NAME} ({device_code_entry.user_code})'
-            device_api_key = api_key_store.retrieve_api_key_by_name(
+            device_api_key = await api_key_store.retrieve_api_key_by_name(
                device_code_entry.keycloak_user_id, device_key_name
            )

@@ -238,7 +239,7 @@ async def device_verification_authenticated(
            )

        # Validate device code
-        device_code_entry = device_code_store.get_by_user_code(user_code)
+        device_code_entry = await device_code_store.get_by_user_code(user_code)
        if not device_code_entry:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
@@ -252,7 +253,7 @@ async def device_verification_authenticated(
            )

        # First, authorize the device code
-        success = device_code_store.authorize_device_code(
+        success = await device_code_store.authorize_device_code(
            user_code=user_code,
            user_id=user_id,
        )
@@ -289,7 +290,7 @@ async def device_verification_authenticated(
            # Clean up: revert the device authorization since API key creation failed
            # This prevents the device from being in an authorized state without an API key
            try:
-                device_code_store.deny_device_code(user_code)
+                await device_code_store.deny_device_code(user_code)
                logger.info(
                    'Reverted device authorization due to API key creation failure',
                    extra={'user_code': user_code, 'user_id': user_id},
--- a/enterprise/server/routes/org_invitation_models.py
+++ b/enterprise/server/routes/org_invitation_models.py
@@ -76,7 +76,7 @@ class InvitationResponse(BaseModel):
    inviter_email: str | None = None

    @classmethod
-    def from_invitation(
+    async def from_invitation(
        cls,
        invitation: OrgInvitation,
        inviter_email: str | None = None,
@@ -94,7 +94,7 @@ class InvitationResponse(BaseModel):
        if invitation.role:
            role_name = invitation.role.name
        elif invitation.role_id:
-            role = RoleStore.get_role_by_id(invitation.role_id)
+            role = await RoleStore.get_role_by_id(invitation.role_id)
            role_name = role.name if role else ''

        return cls(
--- a/enterprise/server/routes/org_invitations.py
+++ b/enterprise/server/routes/org_invitations.py
@@ -91,8 +91,11 @@ async def create_invitation(
            },
        )

+        successful_responses = [
+            await InvitationResponse.from_invitation(inv) for inv in successful
+        ]
        return BatchInvitationResponse(
-            successful=[InvitationResponse.from_invitation(inv) for inv in successful],
+            successful=successful_responses,
            failed=[
                InvitationFailure(email=email, error=error) for email, error in failed
            ],
--- a/enterprise/server/routes/org_models.py
+++ b/enterprise/server/routes/org_models.py
@@ -1,6 +1,13 @@
 from typing import Annotated

-from pydantic import BaseModel, EmailStr, Field, SecretStr, StringConstraints
+from pydantic import (
+    BaseModel,
+    EmailStr,
+    Field,
+    SecretStr,
+    StringConstraints,
+    field_validator,
+)
 from storage.org import Org
 from storage.org_member import OrgMember
 from storage.role import Role
@@ -252,6 +259,115 @@ class OrgUpdate(BaseModel):
    condenser_max_size: int | None = Field(default=None, ge=20)


+class OrgLLMSettingsResponse(BaseModel):
+    """Response model for organization LLM settings."""
+
+    default_llm_model: str | None = None
+    default_llm_base_url: str | None = None
+    search_api_key: str | None = None  # Masked in response
+    agent: str | None = None
+    confirmation_mode: bool | None = None
+    security_analyzer: str | None = None
+    enable_default_condenser: bool = True
+    condenser_max_size: int | None = None
+    default_max_iterations: int | None = None
+
+    @staticmethod
+    def _mask_key(secret: SecretStr | None) -> str | None:
+        """Mask an API key, showing only last 4 characters."""
+        if secret is None:
+            return None
+        raw = secret.get_secret_value()
+        if not raw:
+            return None
+        if len(raw) <= 4:
+            return '****'
+        return '****' + raw[-4:]
+
+    @classmethod
+    def from_org(cls, org: Org) -> 'OrgLLMSettingsResponse':
+        """Create response from Org entity."""
+        return cls(
+            default_llm_model=org.default_llm_model,
+            default_llm_base_url=org.default_llm_base_url,
+            search_api_key=cls._mask_key(org.search_api_key),
+            agent=org.agent,
+            confirmation_mode=org.confirmation_mode,
+            security_analyzer=org.security_analyzer,
+            enable_default_condenser=org.enable_default_condenser
+            if org.enable_default_condenser is not None
+            else True,
+            condenser_max_size=org.condenser_max_size,
+            default_max_iterations=org.default_max_iterations,
+        )
+
+
+class OrgMemberLLMSettings(BaseModel):
+    """LLM settings to propagate to organization members.
+
+    Field names match OrgMember DB columns.
+    """
+
+    llm_model: str | None = None
+    llm_base_url: str | None = None
+    max_iterations: int | None = None
+    llm_api_key: str | None = None
+
+    def has_updates(self) -> bool:
+        """Check if any field is set (not None)."""
+        return any(getattr(self, field) is not None for field in self.model_fields)
+
+
+class OrgLLMSettingsUpdate(BaseModel):
+    """Request model for updating organization LLM settings.
+
+    Field names match Org DB columns exactly.
+    """
+
+    default_llm_model: str | None = None
+    default_llm_base_url: str | None = None
+    search_api_key: str | None = None
+    agent: str | None = None
+    confirmation_mode: bool | None = None
+    security_analyzer: str | None = None
+    enable_default_condenser: bool | None = None
+    condenser_max_size: int | None = Field(default=None, ge=20)
+    default_max_iterations: int | None = Field(default=None, gt=0)
+    llm_api_key: str | None = None
+
+    def has_updates(self) -> bool:
+        """Check if any field is set (not None)."""
+        return any(getattr(self, field) is not None for field in self.model_fields)
+
+    def apply_to_org(self, org: Org) -> None:
+        """Apply non-None settings to the organization model.
+
+        Args:
+            org: Organization entity to update in place
+        """
+        for field_name in self.model_fields:
+            value = getattr(self, field_name)
+            # Skip llm_api_key - it's only for member propagation, not org-level
+            if value is not None and field_name != 'llm_api_key':
+                setattr(org, field_name, value)
+
+    def get_member_updates(self) -> OrgMemberLLMSettings | None:
+        """Get updates that need to be propagated to org members.
+
+        Returns:
+            OrgMemberLLMSettings with mapped field values, or None if no member updates needed.
+            Maps: default_llm_model → llm_model, default_llm_base_url → llm_base_url,
+                  default_max_iterations → max_iterations, llm_api_key → llm_api_key
+        """
+        member_settings = OrgMemberLLMSettings(
+            llm_model=self.default_llm_model,
+            llm_base_url=self.default_llm_base_url,
+            max_iterations=self.default_max_iterations,
+            llm_api_key=self.llm_api_key,
+        )
+        return member_settings if member_settings.has_updates() else None
+
+
 class OrgMemberResponse(BaseModel):
    """Response model for a single organization member."""

@@ -267,7 +383,8 @@ class OrgMemberPage(BaseModel):
    """Paginated response for organization members."""

    items: list[OrgMemberResponse]
-    next_page_id: str | None = None
+    current_page: int = 1
+    per_page: int = 10


 class OrgMemberUpdate(BaseModel):
@@ -326,3 +443,44 @@ class MeResponse(BaseModel):
            llm_base_url=member.llm_base_url,
            status=member.status,
        )
+
+
+class OrgAppSettingsResponse(BaseModel):
+    """Response model for organization app settings."""
+
+    enable_proactive_conversation_starters: bool = True
+    enable_solvability_analysis: bool | None = None
+    max_budget_per_task: float | None = None
+
+    @classmethod
+    def from_org(cls, org: Org) -> 'OrgAppSettingsResponse':
+        """Create an OrgAppSettingsResponse from an Org entity.
+
+        Args:
+            org: The organization entity
+
+        Returns:
+            OrgAppSettingsResponse with app settings
+        """
+        return cls(
+            enable_proactive_conversation_starters=org.enable_proactive_conversation_starters
+            if org.enable_proactive_conversation_starters is not None
+            else True,
+            enable_solvability_analysis=org.enable_solvability_analysis,
+            max_budget_per_task=org.max_budget_per_task,
+        )
+
+
+class OrgAppSettingsUpdate(BaseModel):
+    """Request model for updating organization app settings."""
+
+    enable_proactive_conversation_starters: bool | None = None
+    enable_solvability_analysis: bool | None = None
+    max_budget_per_task: float | None = None
+
+    @field_validator('max_budget_per_task')
+    @classmethod
+    def validate_max_budget_per_task(cls, v: float | None) -> float | None:
+        if v is not None and v <= 0:
+            raise ValueError('max_budget_per_task must be greater than 0')
+        return v
--- a/enterprise/server/routes/orgs.py
+++ b/enterprise/server/routes/orgs.py
@@ -15,9 +15,13 @@ from server.routes.org_models import (
    LiteLLMIntegrationError,
    MemberUpdateError,
    MeResponse,
+    OrgAppSettingsResponse,
+    OrgAppSettingsUpdate,
    OrgAuthorizationError,
    OrgCreate,
    OrgDatabaseError,
+    OrgLLMSettingsResponse,
+    OrgLLMSettingsUpdate,
    OrgMemberNotFoundError,
    OrgMemberPage,
    OrgMemberResponse,
@@ -30,6 +34,14 @@ from server.routes.org_models import (
    OrphanedUserError,
    RoleNotFoundError,
 )
+from server.services.org_app_settings_service import (
+    OrgAppSettingsService,
+    OrgAppSettingsServiceInjector,
+)
+from server.services.org_llm_settings_service import (
+    OrgLLMSettingsService,
+    OrgLLMSettingsServiceInjector,
+)
 from server.services.org_member_service import OrgMemberService
 from storage.org_service import OrgService
 from storage.user_store import UserStore
@@ -38,7 +50,14 @@ from openhands.core.logger import openhands_logger as logger
 from openhands.server.user_auth import get_user_id

 # Initialize API router
-org_router = APIRouter(prefix='/api/organizations')
+org_router = APIRouter(prefix='/api/organizations', tags=['Orgs'])
+
+# Create injector instance and dependency for LLM settings
+_org_llm_settings_injector = OrgLLMSettingsServiceInjector()
+org_llm_settings_service_dependency = Depends(_org_llm_settings_injector.depends)
+# Create injector instance and dependency at module level
+_org_app_settings_injector = OrgAppSettingsServiceInjector()
+org_app_settings_service_dependency = Depends(_org_app_settings_injector.depends)


@org_router.get('', response_model=OrgPage)
@@ -80,13 +99,13 @@ async def list_user_orgs(

    try:
        # Fetch user to get current_org_id
-        user = await UserStore.get_user_by_id_async(user_id)
+        user = await UserStore.get_user_by_id(user_id)
        current_org_id = (
            str(user.current_org_id) if user and user.current_org_id else None
        )

        # Fetch organizations from service layer
-        orgs, next_page_id = OrgService.get_user_orgs_paginated(
+        orgs, next_page_id = await OrgService.get_user_orgs_paginated(
            user_id=user_id,
            page_id=page_id,
            limit=limit,
@@ -201,6 +220,195 @@ async def create_org(
        )


+@org_router.get(
+    '/llm',
+    response_model=OrgLLMSettingsResponse,
+    dependencies=[Depends(require_permission(Permission.VIEW_LLM_SETTINGS))],
+)
+async def get_org_llm_settings(
+    service: OrgLLMSettingsService = org_llm_settings_service_dependency,
+) -> OrgLLMSettingsResponse:
+    """Get LLM settings for the user's current organization.
+
+    This endpoint retrieves the LLM configuration settings for the
+    authenticated user's current organization. All organization members
+    can view these settings.
+
+    Args:
+        service: OrgLLMSettingsService (injected by dependency)
+
+    Returns:
+        OrgLLMSettingsResponse: The organization's LLM settings
+
+    Raises:
+        HTTPException: 401 if not authenticated
+        HTTPException: 403 if not a member of any organization
+        HTTPException: 404 if current organization not found
+        HTTPException: 500 if retrieval fails
+    """
+    try:
+        return await service.get_org_llm_settings()
+    except OrgNotFoundError as e:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=str(e),
+        )
+    except Exception as e:
+        logger.exception(
+            'Error getting organization LLM settings',
+            extra={'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to retrieve LLM settings',
+        )
+
+
+@org_router.post(
+    '/llm',
+    response_model=OrgLLMSettingsResponse,
+    dependencies=[Depends(require_permission(Permission.EDIT_LLM_SETTINGS))],
+)
+async def update_org_llm_settings(
+    settings: OrgLLMSettingsUpdate,
+    service: OrgLLMSettingsService = org_llm_settings_service_dependency,
+) -> OrgLLMSettingsResponse:
+    """Update LLM settings for the user's current organization.
+
+    This endpoint updates the LLM configuration settings for the
+    authenticated user's current organization. Only admins and owners
+    can update these settings.
+
+    Args:
+        settings: The LLM settings to update (only non-None fields are updated)
+        service: OrgLLMSettingsService (injected by dependency)
+
+    Returns:
+        OrgLLMSettingsResponse: The updated organization's LLM settings
+
+    Raises:
+        HTTPException: 401 if not authenticated
+        HTTPException: 403 if user lacks EDIT_LLM_SETTINGS permission
+        HTTPException: 404 if current organization not found
+        HTTPException: 500 if update fails
+    """
+    try:
+        return await service.update_org_llm_settings(settings)
+    except OrgNotFoundError as e:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=str(e),
+        )
+    except OrgDatabaseError as e:
+        logger.error(
+            'Database error updating LLM settings',
+            extra={'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to update LLM settings',
+        )
+    except Exception as e:
+        logger.exception(
+            'Error updating organization LLM settings',
+            extra={'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to update LLM settings',
+        )
+
+
+@org_router.get(
+    '/app',
+    response_model=OrgAppSettingsResponse,
+    dependencies=[Depends(require_permission(Permission.MANAGE_APPLICATION_SETTINGS))],
+)
+async def get_org_app_settings(
+    service: OrgAppSettingsService = org_app_settings_service_dependency,
+) -> OrgAppSettingsResponse:
+    """Get organization app settings for the user's current organization.
+
+    This endpoint retrieves application settings for the authenticated user's
+    current organization. Access requires the MANAGE_APPLICATION_SETTINGS permission,
+    which is granted to all organization members (member, admin, and owner roles).
+
+    Args:
+        service: OrgAppSettingsService (injected by dependency)
+
+    Returns:
+        OrgAppSettingsResponse: The organization app settings
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 403 if user lacks MANAGE_APPLICATION_SETTINGS permission
+        HTTPException: 404 if current organization not found
+    """
+    try:
+        return await service.get_org_app_settings()
+    except OrgNotFoundError:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail='Current organization not found',
+        )
+    except Exception as e:
+        logger.exception(
+            'Unexpected error retrieving organization app settings',
+            extra={'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='An unexpected error occurred',
+        )
+
+
+@org_router.post(
+    '/app',
+    response_model=OrgAppSettingsResponse,
+    dependencies=[Depends(require_permission(Permission.MANAGE_APPLICATION_SETTINGS))],
+)
+async def update_org_app_settings(
+    update_data: OrgAppSettingsUpdate,
+    service: OrgAppSettingsService = org_app_settings_service_dependency,
+) -> OrgAppSettingsResponse:
+    """Update organization app settings for the user's current organization.
+
+    This endpoint updates application settings for the authenticated user's
+    current organization. Access requires the MANAGE_APPLICATION_SETTINGS permission,
+    which is granted to all organization members (member, admin, and owner roles).
+
+    Args:
+        update_data: App settings update data
+        service: OrgAppSettingsService (injected by dependency)
+
+    Returns:
+        OrgAppSettingsResponse: The updated organization app settings
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 403 if user lacks MANAGE_APPLICATION_SETTINGS permission
+        HTTPException: 404 if current organization not found
+        HTTPException: 422 if validation errors occur (handled by FastAPI)
+        HTTPException: 500 if update fails
+    """
+    try:
+        return await service.update_org_app_settings(update_data)
+    except OrgNotFoundError:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail='Current organization not found',
+        )
+    except Exception as e:
+        logger.exception(
+            'Unexpected error updating organization app settings',
+            extra={'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='An unexpected error occurred',
+        )
+
+
@org_router.get('/{org_id}', response_model=OrgResponse, status_code=status.HTTP_200_OK)
 async def get_org(
    org_id: UUID,
@@ -289,7 +497,7 @@ async def get_me(

    try:
        user_uuid = UUID(user_id)
-        return OrgMemberService.get_me(org_id, user_uuid)
+        return await OrgMemberService.get_me(org_id, user_uuid)

    except OrgMemberNotFoundError:
        raise HTTPException(
@@ -519,7 +727,7 @@ async def get_org_members(
    org_id: UUID,
    page_id: Annotated[
        str | None,
-        Query(title='Optional next_page_id from the previously returned page'),
+        Query(title='Optional page offset for pagination'),
    ] = None,
    limit: Annotated[
        int,
@@ -528,10 +736,18 @@ async def get_org_members(
            gt=0,
            lte=100,
        ),
-    ] = 100,
+    ] = 10,
+    email: Annotated[
+        str | None,
+        Query(
+            title='Filter members by email (case-insensitive partial match)',
+            min_length=1,
+            max_length=255,
+        ),
+    ] = None,
    user_id: str = Depends(require_permission(Permission.VIEW_ORG_SETTINGS)),
 ) -> OrgMemberPage:
-    """Get all members of an organization with cursor-based pagination.
+    """Get all members of an organization with pagination and optional email filter.

    This endpoint retrieves a paginated list of organization members. Access requires
    the VIEW_ORG_SETTINGS permission, which is granted to all organization members
@@ -539,12 +755,15 @@ async def get_org_members(

    Args:
        org_id: Organization ID (UUID)
-        page_id: Optional page ID (offset) for pagination
-        limit: Maximum number of members to return (1-100, default 100)
+        page_id: Optional page offset for pagination
+        limit: Maximum number of members to return (1-100, default 10)
+        email: Optional email filter (case-insensitive partial match)
        user_id: Authenticated user ID (injected by require_permission dependency)

    Returns:
-        OrgMemberPage: Paginated list of organization members
+        OrgMemberPage: Paginated list of organization members with
+            current_page and per_page metadata. Use the /count endpoint
+            to get the total count separately.

    Raises:
        HTTPException: 401 if user is not authenticated
@@ -558,10 +777,11 @@ async def get_org_members(
            current_user_id=UUID(user_id),
            page_id=page_id,
            limit=limit,
+            email_filter=email,
        )

        if not success:
-            error_map = {
+            error_map: dict[str | None, tuple[int, str]] = {
                'not_a_member': (
                    status.HTTP_403_FORBIDDEN,
                    'You are not a member of this organization',
@@ -570,9 +790,14 @@ async def get_org_members(
                    status.HTTP_400_BAD_REQUEST,
                    'Invalid page_id format',
                ),
+                None: (
+                    status.HTTP_500_INTERNAL_SERVER_ERROR,
+                    'An error occurred',
+                ),
            }
            status_code, detail = error_map.get(
-                error_code, (status.HTTP_500_INTERNAL_SERVER_ERROR, 'An error occurred')
+                error_code,
+                (status.HTTP_500_INTERNAL_SERVER_ERROR, 'An error occurred'),
            )
            raise HTTPException(status_code=status_code, detail=detail)

@@ -600,6 +825,64 @@ async def get_org_members(
        )


+@org_router.get('/{org_id}/members/count')
+async def get_org_members_count(
+    org_id: UUID,
+    email: Annotated[
+        str | None,
+        Query(
+            title='Filter members by email (case-insensitive partial match)',
+            min_length=1,
+            max_length=255,
+        ),
+    ] = None,
+    user_id: str = Depends(require_permission(Permission.VIEW_ORG_SETTINGS)),
+) -> int:
+    """Get count of organization members with optional email filter.
+
+    This endpoint returns the total count of organization members matching
+    the filter criteria. Access requires the VIEW_ORG_SETTINGS permission,
+    which is granted to all organization members (member, admin, and owner roles).
+
+    Args:
+        org_id: Organization ID (UUID)
+        email: Optional email filter (case-insensitive partial match)
+        user_id: Authenticated user ID (injected by require_permission dependency)
+
+    Returns:
+        int: Total count of organization members matching the filter
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 403 if user lacks VIEW_ORG_SETTINGS permission or is not a member
+        HTTPException: 400 if org_id format is invalid
+        HTTPException: 500 if retrieval fails
+    """
+    try:
+        return await OrgMemberService.get_org_members_count(
+            org_id=org_id,
+            current_user_id=UUID(user_id),
+            email_filter=email,
+        )
+    except OrgMemberNotFoundError:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail='You are not a member of this organization',
+        )
+    except ValueError:
+        logger.exception('Invalid UUID format')
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Invalid organization ID format',
+        )
+    except Exception:
+        logger.exception('Error retrieving organization member count')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to retrieve member count',
+        )
+
+
@org_router.delete('/{org_id}/members/{user_id}')
 async def remove_org_member(
    org_id: UUID,
@@ -622,7 +905,7 @@ async def remove_org_member(
        )

        if not success:
-            error_map = {
+            error_map: dict[str | None, tuple[int, str]] = {
                'not_a_member': (
                    status.HTTP_403_FORBIDDEN,
                    'You are not a member of this organization',
@@ -647,9 +930,14 @@ async def remove_org_member(
                    status.HTTP_500_INTERNAL_SERVER_ERROR,
                    'Failed to remove member',
                ),
+                None: (
+                    status.HTTP_500_INTERNAL_SERVER_ERROR,
+                    'An error occurred',
+                ),
            }
            status_code, detail = error_map.get(
-                error, (status.HTTP_500_INTERNAL_SERVER_ERROR, 'An error occurred')
+                error,
+                (status.HTTP_500_INTERNAL_SERVER_ERROR, 'An error occurred'),
            )
            raise HTTPException(status_code=status_code, detail=detail)

--- a/enterprise/server/routes/readiness.py
+++ b/enterprise/server/routes/readiness.py
@@ -1,6 +1,6 @@
 from fastapi import APIRouter, HTTPException, status
 from sqlalchemy.sql import text
-from storage.database import session_maker
+from storage.database import a_session_maker
 from storage.redis import create_redis_client

 from openhands.core.logger import openhands_logger as logger
@@ -9,11 +9,11 @@ readiness_router = APIRouter()


@readiness_router.get('/ready')
-def is_ready():
+async def is_ready():
    # Check database connection
    try:
-        with session_maker() as session:
-            session.execute(text('SELECT 1'))
+        async with a_session_maker() as session:
+            await session.execute(text('SELECT 1'))
    except Exception as e:
        logger.error(f'Database check failed: {str(e)}')
        raise HTTPException(
--- a/enterprise/server/routes/user.py
+++ b/enterprise/server/routes/user.py
@@ -4,6 +4,7 @@ from fastapi import APIRouter, Depends, Query, status
 from fastapi.responses import JSONResponse
 from pydantic import SecretStr
 from server.auth.token_manager import TokenManager
+from storage.user_store import UserStore
 from utils.identity import resolve_display_name

 from openhands.integrations.provider import (
@@ -110,22 +111,26 @@ async def saas_get_user(
                status_code=status.HTTP_401_UNAUTHORIZED,
            )
        user_info = await token_manager.get_user_info(access_token.get_secret_value())
-        if not user_info:
-            return JSONResponse(
-                content='Failed to retrieve user_info.',
-                status_code=status.HTTP_401_UNAUTHORIZED,
-            )
+        # Prefer email from DB; fall back to Keycloak if not yet persisted
+        email = user_info.email
+        sub = user_info.sub
+        if sub:
+            db_user = await UserStore.get_user_by_id(sub)
+            if db_user and db_user.email is not None:
+                email = db_user.email
+
+        user_info_dict = user_info.model_dump(exclude_none=True)
        retval = await _check_idp(
            access_token=access_token,
            default_value=User(
-                id=(user_info.get('sub') if user_info else '') or '',
-                login=(user_info.get('preferred_username') if user_info else '') or '',
+                id=sub,
+                login=user_info.preferred_username or '',
                avatar_url='',
-                email=user_info.get('email') if user_info else None,
-                name=resolve_display_name(user_info) if user_info else None,
-                company=user_info.get('company') if user_info else None,
+                email=email,
+                name=resolve_display_name(user_info_dict),
+                company=user_info.company,
            ),
-            user_info=user_info,
+            user_info=user_info_dict,
        )
        if retval is not None:
            return retval
@@ -355,16 +360,11 @@ async def _check_idp(
            content='User is not authenticated.',
            status_code=status.HTTP_401_UNAUTHORIZED,
        )
-    user_info = (
-        user_info
-        if user_info
-        else await token_manager.get_user_info(access_token.get_secret_value())
-    )
-    if not user_info:
-        return JSONResponse(
-            content='Failed to retrieve user_info.',
-            status_code=status.HTTP_401_UNAUTHORIZED,
+    if user_info is None:
+        user_info_model = await token_manager.get_user_info(
+            access_token.get_secret_value()
        )
+        user_info = user_info_model.model_dump(exclude_none=True)
    idp: str | None = user_info.get('identity_provider')
    if not idp:
        return JSONResponse(
@@ -379,5 +379,4 @@ async def _check_idp(
        access_token.get_secret_value(), ProviderType(idp)
    ):
        return default_value
-
    return None
--- a/enterprise/server/routes/user_app_settings.py
+++ b/enterprise/server/routes/user_app_settings.py
@@ -0,0 +1,115 @@
+"""Routes for user app settings API.
+
+Provides endpoints for managing user-level app preferences:
+- GET /api/users/app - Retrieve current user's app settings
+- POST /api/users/app - Update current user's app settings
+"""
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from server.routes.user_app_settings_models import (
+    UserAppSettingsResponse,
+    UserAppSettingsUpdate,
+    UserNotFoundError,
+)
+from server.services.user_app_settings_service import (
+    UserAppSettingsService,
+    UserAppSettingsServiceInjector,
+)
+
+from openhands.core.logger import openhands_logger as logger
+
+user_app_settings_router = APIRouter(prefix='/api/users')
+
+# Create injector instance and dependency at module level
+_injector = UserAppSettingsServiceInjector()
+user_app_settings_service_dependency = Depends(_injector.depends)
+
+
+@user_app_settings_router.get('/app', response_model=UserAppSettingsResponse)
+async def get_user_app_settings(
+    service: UserAppSettingsService = user_app_settings_service_dependency,
+) -> UserAppSettingsResponse:
+    """Get the current user's app settings.
+
+    Returns language, analytics consent, sound notifications, and git config.
+
+    Args:
+        service: UserAppSettingsService (injected by dependency)
+
+    Returns:
+        UserAppSettingsResponse: The user's app settings
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 404 if user not found
+        HTTPException: 500 if retrieval fails
+    """
+    try:
+        return await service.get_user_app_settings()
+
+    except ValueError as e:
+        # User not authenticated
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(e),
+        )
+    except UserNotFoundError as e:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=str(e),
+        )
+    except Exception as e:
+        logger.exception(
+            'Unexpected error retrieving user app settings',
+            extra={'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to retrieve user app settings',
+        )
+
+
+@user_app_settings_router.post('/app', response_model=UserAppSettingsResponse)
+async def update_user_app_settings(
+    update_data: UserAppSettingsUpdate,
+    service: UserAppSettingsService = user_app_settings_service_dependency,
+) -> UserAppSettingsResponse:
+    """Update the current user's app settings (partial update).
+
+    Only provided fields will be updated. Pass null to clear a field.
+
+    Args:
+        update_data: Fields to update
+        service: UserAppSettingsService (injected by dependency)
+
+    Returns:
+        UserAppSettingsResponse: The updated user's app settings
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 404 if user not found
+        HTTPException: 500 if update fails
+    """
+    try:
+        return await service.update_user_app_settings(update_data)
+
+    except ValueError as e:
+        # User not authenticated
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(e),
+        )
+    except UserNotFoundError as e:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=str(e),
+        )
+    except Exception as e:
+        logger.exception(
+            'Failed to update user app settings',
+            extra={'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to update user app settings',
+        )
--- a/enterprise/server/routes/user_app_settings_models.py
+++ b/enterprise/server/routes/user_app_settings_models.py
@@ -0,0 +1,57 @@
+"""
+Pydantic models for user app settings API.
+"""
+
+from pydantic import BaseModel, EmailStr
+from storage.user import User
+
+
+class UserAppSettingsError(Exception):
+    """Base exception for user app settings errors."""
+
+    pass
+
+
+class UserNotFoundError(UserAppSettingsError):
+    """Raised when user is not found."""
+
+    def __init__(self, user_id: str):
+        self.user_id = user_id
+        super().__init__(f'User with id "{user_id}" not found')
+
+
+class UserAppSettingsUpdateError(UserAppSettingsError):
+    """Raised when user app settings update fails."""
+
+    pass
+
+
+class UserAppSettingsResponse(BaseModel):
+    """Response model for user app settings."""
+
+    language: str | None = None
+    user_consents_to_analytics: bool | None = None
+    enable_sound_notifications: bool | None = None
+    git_user_name: str | None = None
+    git_user_email: EmailStr | None = None
+
+    @classmethod
+    def from_user(cls, user: User) -> 'UserAppSettingsResponse':
+        """Create response from User entity."""
+        return cls(
+            language=user.language,
+            user_consents_to_analytics=user.user_consents_to_analytics,
+            enable_sound_notifications=user.enable_sound_notifications,
+            git_user_name=user.git_user_name,
+            git_user_email=user.git_user_email,
+        )
+
+
+class UserAppSettingsUpdate(BaseModel):
+    """Request model for updating user app settings (partial update)."""
+
+    language: str | None = None
+    user_consents_to_analytics: bool | None = None
+    enable_sound_notifications: bool | None = None
+    git_user_name: str | None = None
+    git_user_email: EmailStr | None = None
--- a/enterprise/server/saas_nested_conversation_manager.py
+++ b/enterprise/server/saas_nested_conversation_manager.py
@@ -19,9 +19,9 @@ from server.utils.conversation_callback_utils import (
    process_event,
    update_conversation_metadata,
 )
-from sqlalchemy import orm
+from sqlalchemy import select
 from storage.api_key_store import ApiKeyStore
-from storage.database import session_maker
+from storage.database import a_session_maker
 from storage.stored_conversation_metadata import StoredConversationMetadata
 from storage.stored_conversation_metadata_saas import StoredConversationMetadataSaas

@@ -59,7 +59,6 @@ from openhands.storage.locations import (
    get_conversation_event_filename,
    get_conversation_events_dir,
 )
-from openhands.utils.async_utils import call_sync_from_async
 from openhands.utils.http_session import httpx_verify_option
 from openhands.utils.import_utils import get_impl
 from openhands.utils.shutdown_listener import should_continue
@@ -166,8 +165,8 @@ class SaasNestedConversationManager(ConversationManager):
            }

        if user_id:
-            user_conversation_ids = await call_sync_from_async(
-                self._get_recent_conversation_ids_for_user, user_id
+            user_conversation_ids = await self._get_recent_conversation_ids_for_user(
+                user_id
            )
            conversation_ids = conversation_ids.intersection(user_conversation_ids)

@@ -643,19 +642,18 @@ class SaasNestedConversationManager(ConversationManager):
                    },
                )

-    def _get_user_id_from_conversation(self, conversation_id: str) -> str:
+    async def _get_user_id_from_conversation(self, conversation_id: str) -> str:
        """
        Get user_id from conversation_id.
        """

-        with session_maker() as session:
-            conversation_metadata_saas = (
-                session.query(StoredConversationMetadataSaas)
-                .filter(
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(StoredConversationMetadataSaas).where(
                    StoredConversationMetadataSaas.conversation_id == conversation_id
                )
-                .first()
            )
+            conversation_metadata_saas = result.scalars().first()

            if not conversation_metadata_saas:
                raise ValueError(f'No conversation found {conversation_id}')
@@ -753,8 +751,8 @@ class SaasNestedConversationManager(ConversationManager):
            user_id_for_convo = user_id
            if not user_id_for_convo:
                try:
-                    user_id_for_convo = await call_sync_from_async(
-                        self._get_user_id_from_conversation, conversation_id
+                    user_id_for_convo = await self._get_user_id_from_conversation(
+                        conversation_id
                    )
                except Exception:
                    continue
@@ -995,23 +993,23 @@ class SaasNestedConversationManager(ConversationManager):
        }
        return conversation_ids

-    def _get_recent_conversation_ids_for_user(self, user_id: str) -> set[str]:
-        with session_maker() as session:
+    async def _get_recent_conversation_ids_for_user(self, user_id: str) -> set[str]:
+        async with a_session_maker() as session:
            # Only include conversations updated in the past week
            one_week_ago = datetime.now(UTC) - timedelta(days=7)
-            query = (
-                session.query(StoredConversationMetadata.conversation_id)
+            result = await session.execute(
+                select(StoredConversationMetadata.conversation_id)
                .join(
                    StoredConversationMetadataSaas,
                    StoredConversationMetadata.conversation_id
                    == StoredConversationMetadataSaas.conversation_id,
                )
-                .filter(
+                .where(
                    StoredConversationMetadataSaas.user_id == user_id,
                    StoredConversationMetadata.last_updated_at >= one_week_ago,
                )
            )
-            user_conversation_ids = set(query)
+            user_conversation_ids = set(result.scalars().all())
            return user_conversation_ids

    async def _get_runtime(self, sid: str) -> dict | None:
@@ -1055,14 +1053,13 @@ class SaasNestedConversationManager(ConversationManager):
                await asyncio.sleep(_POLLING_INTERVAL)
                agent_loop_infos = await self.get_agent_loop_info()

-                with session_maker() as session:
-                    for agent_loop_info in agent_loop_infos:
-                        if agent_loop_info.status != ConversationStatus.RUNNING:
-                            continue
-                        try:
-                            await self._poll_agent_loop_events(agent_loop_info, session)
-                        except Exception as e:
-                            logger.exception(f'error_polling_events:{str(e)}')
+                for agent_loop_info in agent_loop_infos:
+                    if agent_loop_info.status != ConversationStatus.RUNNING:
+                        continue
+                    try:
+                        await self._poll_agent_loop_events(agent_loop_info)
+                    except Exception as e:
+                        logger.exception(f'error_polling_events:{str(e)}')
            except Exception as e:
                try:
                    asyncio.get_running_loop()
@@ -1071,23 +1068,27 @@ class SaasNestedConversationManager(ConversationManager):
                    # Loop has been shut down, exit gracefully
                    return

-    async def _poll_agent_loop_events(
-        self, agent_loop_info: AgentLoopInfo, session: orm.Session
-    ):
+    async def _poll_agent_loop_events(self, agent_loop_info: AgentLoopInfo):
        """This method is typically only run in localhost, where the webhook callbacks from the remote runtime are unavailable"""
        if agent_loop_info.status != ConversationStatus.RUNNING:
            return
        conversation_id = agent_loop_info.conversation_id
-        conversation_metadata = (
-            session.query(StoredConversationMetadata)
-            .filter(StoredConversationMetadata.conversation_id == conversation_id)
-            .first()
-        )
-        conversation_metadata_saas = (
-            session.query(StoredConversationMetadataSaas)
-            .filter(StoredConversationMetadataSaas.conversation_id == conversation_id)
-            .first()
-        )
+
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(StoredConversationMetadata).where(
+                    StoredConversationMetadata.conversation_id == conversation_id
+                )
+            )
+            conversation_metadata = result.scalars().first()
+
+            result = await session.execute(
+                select(StoredConversationMetadataSaas).where(
+                    StoredConversationMetadataSaas.conversation_id == conversation_id
+                )
+            )
+            conversation_metadata_saas = result.scalars().first()
+
        if conversation_metadata is None or conversation_metadata_saas is None:
            # Conversation is running in different server
            return
--- a/enterprise/server/services/org_app_settings_service.py
+++ b/enterprise/server/services/org_app_settings_service.py
@@ -0,0 +1,137 @@
+"""Service class for managing organization app settings.
+
+Separates business logic from route handlers.
+Uses dependency injection for db_session and user_context.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import AsyncGenerator
+
+from fastapi import Request
+from server.routes.org_models import (
+    OrgAppSettingsResponse,
+    OrgAppSettingsUpdate,
+    OrgNotFoundError,
+)
+from storage.org_app_settings_store import OrgAppSettingsStore
+
+from openhands.app_server.errors import AuthError
+from openhands.app_server.services.injector import Injector, InjectorState
+from openhands.app_server.user.user_context import UserContext
+from openhands.core.logger import openhands_logger as logger
+
+
+@dataclass
+class OrgAppSettingsService:
+    """Service for organization app settings with injected dependencies."""
+
+    store: OrgAppSettingsStore
+    user_context: UserContext
+
+    async def get_org_app_settings(self) -> OrgAppSettingsResponse:
+        """Get organization app settings.
+
+        User ID is obtained from the injected user_context.
+
+        Returns:
+            OrgAppSettingsResponse: The organization's app settings
+
+        Raises:
+            OrgNotFoundError: If current organization is not found
+            AuthError: If user is not authenticated
+        """
+        user_id = await self.user_context.get_user_id()
+        if not user_id:
+            raise AuthError('User not authenticated')
+
+        logger.info(
+            'Getting organization app settings',
+            extra={'user_id': user_id},
+        )
+
+        org = await self.store.get_current_org_by_user_id(user_id)
+
+        if not org:
+            raise OrgNotFoundError('current')
+
+        return OrgAppSettingsResponse.from_org(org)
+
+    async def update_org_app_settings(
+        self,
+        update_data: OrgAppSettingsUpdate,
+    ) -> OrgAppSettingsResponse:
+        """Update organization app settings.
+
+        Only updates fields that are explicitly provided in update_data.
+        User ID is obtained from the injected user_context.
+        Session auto-commits at request end via DbSessionInjector.
+
+        Args:
+            update_data: The update data from the request
+
+        Returns:
+            OrgAppSettingsResponse: The updated organization's app settings
+
+        Raises:
+            OrgNotFoundError: If current organization is not found
+            AuthError: If user is not authenticated
+        """
+        user_id = await self.user_context.get_user_id()
+        if not user_id:
+            raise AuthError('User not authenticated')
+
+        logger.info(
+            'Updating organization app settings',
+            extra={'user_id': user_id},
+        )
+
+        # Get current org first
+        org = await self.store.get_current_org_by_user_id(user_id)
+
+        if not org:
+            raise OrgNotFoundError('current')
+
+        # Check if any fields are provided
+        update_dict = update_data.model_dump(exclude_unset=True)
+
+        if not update_dict:
+            # No fields to update, just return current settings
+            logger.info(
+                'No fields to update in app settings',
+                extra={'user_id': user_id, 'org_id': str(org.id)},
+            )
+            return OrgAppSettingsResponse.from_org(org)
+
+        updated_org = await self.store.update_org_app_settings(
+            org_id=org.id,
+            update_data=update_data,
+        )
+
+        if not updated_org:
+            raise OrgNotFoundError('current')
+
+        logger.info(
+            'Organization app settings updated successfully',
+            extra={'user_id': user_id, 'updated_fields': list(update_dict.keys())},
+        )
+
+        return OrgAppSettingsResponse.from_org(updated_org)
+
+
+class OrgAppSettingsServiceInjector(Injector[OrgAppSettingsService]):
+    """Injector that composes store and user_context for OrgAppSettingsService."""
+
+    async def inject(
+        self, state: InjectorState, request: Request | None = None
+    ) -> AsyncGenerator[OrgAppSettingsService, None]:
+        # Local imports to avoid circular dependencies
+        from openhands.app_server.config import get_db_session, get_user_context
+
+        async with (
+            get_user_context(state, request) as user_context,
+            get_db_session(state, request) as db_session,
+        ):
+            store = OrgAppSettingsStore(db_session=db_session)
+            yield OrgAppSettingsService(store=store, user_context=user_context)
--- a/enterprise/server/services/org_invitation_service.py
+++ b/enterprise/server/services/org_invitation_service.py
@@ -73,7 +73,7 @@ class OrgInvitationService:
        )

        # Step 1: Validate organization exists
-        org = OrgStore.get_org_by_id(org_id)
+        org = await OrgStore.get_org_by_id(org_id)
        if not org:
            raise ValueError(f'Organization {org_id} not found')

@@ -85,13 +85,13 @@ class OrgInvitationService:
            )

        # Step 3: Check inviter is a member and has permission
-        inviter_member = OrgMemberStore.get_org_member(org_id, inviter_id)
+        inviter_member = await OrgMemberStore.get_org_member(org_id, inviter_id)
        if not inviter_member:
            raise InsufficientPermissionError(
                'You are not a member of this organization'
            )

-        inviter_role = RoleStore.get_role_by_id(inviter_member.role_id)
+        inviter_role = await RoleStore.get_role_by_id(inviter_member.role_id)
        if not inviter_role or inviter_role.name not in [ROLE_OWNER, ROLE_ADMIN]:
            raise InsufficientPermissionError('Only owners and admins can invite users')

@@ -101,14 +101,16 @@ class OrgInvitationService:
            raise InsufficientPermissionError('Only owners can invite with owner role')

        # Get the target role
-        target_role = RoleStore.get_role_by_name(role_name_lower)
+        target_role = await RoleStore.get_role_by_name(role_name_lower)
        if not target_role:
            raise ValueError(f'Invalid role: {role_name}')

        # Step 5: Check if user is already a member (by email)
-        existing_user = await UserStore.get_user_by_email_async(email)
+        existing_user = await UserStore.get_user_by_email(email)
        if existing_user:
-            existing_member = OrgMemberStore.get_org_member(org_id, existing_user.id)
+            existing_member = await OrgMemberStore.get_org_member(
+                org_id, existing_user.id
+            )
            if existing_member:
                raise UserAlreadyMemberError(
                    'User is already a member of this organization'
@@ -125,7 +127,7 @@ class OrgInvitationService:
        # Step 7: Send invitation email
        try:
            # Get inviter info for the email
-            inviter_user = UserStore.get_user_by_id(str(inviter_member.user_id))
+            inviter_user = await UserStore.get_user_by_id(str(inviter_member.user_id))
            inviter_name = 'A team member'
            if inviter_user and inviter_user.email:
                inviter_name = inviter_user.email.split('@')[0]
@@ -187,7 +189,7 @@ class OrgInvitationService:
        )

        # Step 1: Validate permissions upfront (shared for all emails)
-        org = OrgStore.get_org_by_id(org_id)
+        org = await OrgStore.get_org_by_id(org_id)
        if not org:
            raise ValueError(f'Organization {org_id} not found')

@@ -196,13 +198,13 @@ class OrgInvitationService:
                'Cannot invite users to a personal workspace'
            )

-        inviter_member = OrgMemberStore.get_org_member(org_id, inviter_id)
+        inviter_member = await OrgMemberStore.get_org_member(org_id, inviter_id)
        if not inviter_member:
            raise InsufficientPermissionError(
                'You are not a member of this organization'
            )

-        inviter_role = RoleStore.get_role_by_id(inviter_member.role_id)
+        inviter_role = await RoleStore.get_role_by_id(inviter_member.role_id)
        if not inviter_role or inviter_role.name not in [ROLE_OWNER, ROLE_ADMIN]:
            raise InsufficientPermissionError('Only owners and admins can invite users')

@@ -210,7 +212,7 @@ class OrgInvitationService:
        if role_name_lower == ROLE_OWNER and inviter_role.name != ROLE_OWNER:
            raise InsufficientPermissionError('Only owners can invite with owner role')

-        target_role = RoleStore.get_role_by_name(role_name_lower)
+        target_role = await RoleStore.get_role_by_name(role_name_lower)
        if not target_role:
            raise ValueError(f'Invalid role: {role_name}')

@@ -306,7 +308,7 @@ class OrgInvitationService:
            raise InvitationExpiredError('Invitation has expired')

        # Step 2.5: Verify user email matches invitation email
-        user = await UserStore.get_user_by_id_async(str(user_id))
+        user = await UserStore.get_user_by_id(str(user_id))
        if not user:
            raise InvitationInvalidError('User not found')

@@ -336,7 +338,9 @@ class OrgInvitationService:
            raise EmailMismatchError()

        # Step 3: Check if user is already a member
-        existing_member = OrgMemberStore.get_org_member(invitation.org_id, user_id)
+        existing_member = await OrgMemberStore.get_org_member(
+            invitation.org_id, user_id
+        )
        if existing_member:
            raise UserAlreadyMemberError(
                'You are already a member of this organization'
@@ -369,11 +373,16 @@ class OrgInvitationService:
        org_member_kwargs.pop('llm_model', None)
        org_member_kwargs.pop('llm_base_url', None)

-        OrgMemberStore.add_user_to_org(
+        # Get the llm_api_key as string (it's SecretStr | None in Settings)
+        llm_api_key = (
+            settings.llm_api_key.get_secret_value() if settings.llm_api_key else ''
+        )
+
+        await OrgMemberStore.add_user_to_org(
            org_id=invitation.org_id,
            user_id=user_id,
            role_id=invitation.role_id,
-            llm_api_key=settings.llm_api_key,
+            llm_api_key=llm_api_key,
            status='active',
        )

@@ -384,6 +393,9 @@ class OrgInvitationService:
            accepted_by_user_id=user_id,
        )

+        if not updated_invitation:
+            raise InvitationInvalidError('Failed to update invitation status')
+
        logger.info(
            'Organization invitation accepted',
            extra={
--- a/enterprise/server/services/org_llm_settings_service.py
+++ b/enterprise/server/services/org_llm_settings_service.py
@@ -0,0 +1,130 @@
+"""Service class for managing organization LLM settings.
+
+Separates business logic from route handlers.
+Uses dependency injection for db_session and user_context.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import AsyncGenerator
+
+from fastapi import Request
+from server.routes.org_models import (
+    OrgLLMSettingsResponse,
+    OrgLLMSettingsUpdate,
+    OrgNotFoundError,
+)
+from storage.org_llm_settings_store import OrgLLMSettingsStore
+
+from openhands.app_server.services.injector import Injector, InjectorState
+from openhands.app_server.user.user_context import UserContext
+from openhands.core.logger import openhands_logger as logger
+
+
+@dataclass
+class OrgLLMSettingsService:
+    """Service for org LLM settings with injected dependencies."""
+
+    store: OrgLLMSettingsStore
+    user_context: UserContext
+
+    async def get_org_llm_settings(self) -> OrgLLMSettingsResponse:
+        """Get LLM settings for user's current organization.
+
+        User ID is obtained from the injected user_context.
+
+        Returns:
+            OrgLLMSettingsResponse: The organization's LLM settings
+
+        Raises:
+            ValueError: If user is not authenticated
+            OrgNotFoundError: If current organization not found
+        """
+        user_id = await self.user_context.get_user_id()
+        if not user_id:
+            raise ValueError('User is not authenticated')
+
+        logger.info(
+            'Getting organization LLM settings',
+            extra={'user_id': user_id},
+        )
+
+        org = await self.store.get_current_org_by_user_id(user_id)
+
+        if not org:
+            raise OrgNotFoundError('No current organization')
+
+        return OrgLLMSettingsResponse.from_org(org)
+
+    async def update_org_llm_settings(
+        self,
+        update_data: OrgLLMSettingsUpdate,
+    ) -> OrgLLMSettingsResponse:
+        """Update LLM settings for user's current organization.
+
+        Only updates fields that are explicitly provided in update_data.
+        User ID is obtained from the injected user_context.
+        Session auto-commits at request end via DbSessionInjector.
+
+        Args:
+            update_data: The update data from the request
+
+        Returns:
+            OrgLLMSettingsResponse: The updated organization's LLM settings
+
+        Raises:
+            ValueError: If user is not authenticated
+            OrgNotFoundError: If current organization not found
+        """
+        user_id = await self.user_context.get_user_id()
+        if not user_id:
+            raise ValueError('User is not authenticated')
+
+        logger.info(
+            'Updating organization LLM settings',
+            extra={'user_id': user_id},
+        )
+
+        # Check if any fields are provided
+        if not update_data.has_updates():
+            # No fields to update, just return current settings
+            return await self.get_org_llm_settings()
+
+        # Get user's current org first
+        org = await self.store.get_current_org_by_user_id(user_id)
+        if not org:
+            raise OrgNotFoundError('No current organization')
+
+        # Update the org LLM settings
+        updated_org = await self.store.update_org_llm_settings(
+            org_id=org.id,
+            update_data=update_data,
+        )
+
+        if not updated_org:
+            raise OrgNotFoundError(str(org.id))
+
+        logger.info(
+            'Organization LLM settings updated successfully',
+            extra={'user_id': user_id, 'org_id': str(org.id)},
+        )
+
+        return OrgLLMSettingsResponse.from_org(updated_org)
+
+
+class OrgLLMSettingsServiceInjector(Injector[OrgLLMSettingsService]):
+    """Injector that composes store and user_context for OrgLLMSettingsService."""
+
+    async def inject(
+        self, state: InjectorState, request: Request | None = None
+    ) -> AsyncGenerator[OrgLLMSettingsService, None]:
+        # Local imports to avoid circular dependencies
+        from openhands.app_server.config import get_db_session, get_user_context
+
+        async with (
+            get_user_context(state, request) as user_context,
+            get_db_session(state, request) as db_session,
+        ):
+            store = OrgLLMSettingsStore(db_session=db_session)
+            yield OrgLLMSettingsService(store=store, user_context=user_context)
--- a/enterprise/server/services/org_member_service.py
+++ b/enterprise/server/services/org_member_service.py
@@ -2,7 +2,7 @@

 from uuid import UUID

-from server.constants import ROLE_ADMIN, ROLE_MEMBER, ROLE_OWNER
+from server.constants import ROLE_ADMIN, ROLE_OWNER
 from server.routes.org_models import (
    CannotModifySelfError,
    InsufficientPermissionError,
@@ -16,18 +16,19 @@ from server.routes.org_models import (
    OrgMemberUpdate,
    RoleNotFoundError,
 )
+from storage.lite_llm_manager import LiteLlmManager
 from storage.org_member_store import OrgMemberStore
 from storage.role_store import RoleStore
 from storage.user_store import UserStore

-from openhands.utils.async_utils import call_sync_from_async
+from openhands.core.logger import openhands_logger as logger


 class OrgMemberService:
    """Service for organization member operations."""

    @staticmethod
-    def get_me(org_id: UUID, user_id: UUID) -> MeResponse:
+    async def get_me(org_id: UUID, user_id: UUID) -> MeResponse:
        """Get the current user's membership record for an organization.

        Retrieves the authenticated user's role, status, email, and LLM override
@@ -45,17 +46,17 @@ class OrgMemberService:
            RoleNotFoundError: If the role associated with the member is not found
        """
        # Look up the user's membership in this org
-        org_member = OrgMemberStore.get_org_member(org_id, user_id)
+        org_member = await OrgMemberStore.get_org_member(org_id, user_id)
        if org_member is None:
            raise OrgMemberNotFoundError(str(org_id), str(user_id))

        # Resolve role name from role_id
-        role = RoleStore.get_role_by_id(org_member.role_id)
+        role = await RoleStore.get_role_by_id(org_member.role_id)
        if role is None:
            raise RoleNotFoundError(org_member.role_id)

        # Get user email
-        user = UserStore.get_user_by_id(str(user_id))
+        user = await UserStore.get_user_by_id(str(user_id))
        email = user.email if user and user.email else ''

        return MeResponse.from_org_member(org_member, role, email)
@@ -65,15 +66,25 @@ class OrgMemberService:
        org_id: UUID,
        current_user_id: UUID,
        page_id: str | None = None,
-        limit: int = 100,
+        limit: int = 10,
+        email_filter: str | None = None,
    ) -> tuple[bool, str | None, OrgMemberPage | None]:
        """Get organization members with authorization check.

+        Args:
+            org_id: Organization UUID.
+            current_user_id: Requesting user's UUID.
+            page_id: Offset encoded as string (e.g., "0", "10", "20").
+            limit: Items per page (default 10).
+            email_filter: Optional case-insensitive partial email match.
+
        Returns:
            Tuple of (success, error_code, data). If success is True, error_code is None.
        """
        # Verify current user is a member of the organization
-        requester_membership = OrgMemberStore.get_org_member(org_id, current_user_id)
+        requester_membership = await OrgMemberStore.get_org_member(
+            org_id, current_user_id
+        )
        if not requester_membership:
            return False, 'not_a_member', None

@@ -88,8 +99,11 @@ class OrgMemberService:
                return False, 'invalid_page_id', None

        # Call store to get paginated members
-        members, has_more = await OrgMemberStore.get_org_members_paginated(
-            org_id=org_id, offset=offset, limit=limit
+        members, _ = await OrgMemberStore.get_org_members_paginated(
+            org_id=org_id,
+            offset=offset,
+            limit=limit,
+            email_filter=email_filter,
        )

        # Transform data to response format
@@ -110,12 +124,49 @@ class OrgMemberService:
                )
            )

-        # Calculate next_page_id
-        next_page_id = None
-        if has_more:
-            next_page_id = str(offset + limit)
+        # Calculate current page (1-indexed)
+        current_page = (offset // limit) + 1

-        return True, None, OrgMemberPage(items=items, next_page_id=next_page_id)
+        return (
+            True,
+            None,
+            OrgMemberPage(
+                items=items,
+                current_page=current_page,
+                per_page=limit,
+            ),
+        )
+
+    @staticmethod
+    async def get_org_members_count(
+        org_id: UUID,
+        current_user_id: UUID,
+        email_filter: str | None = None,
+    ) -> int:
+        """Get count of organization members with authorization check.
+
+        Args:
+            org_id: Organization UUID.
+            current_user_id: Requesting user's UUID.
+            email_filter: Optional case-insensitive partial email match.
+
+        Returns:
+            int: Count of organization members matching the filter.
+
+        Raises:
+            OrgMemberNotFoundError: If requesting user is not a member of the organization.
+        """
+        # Verify current user is a member of the organization
+        requester_membership = await OrgMemberStore.get_org_member(
+            org_id, current_user_id
+        )
+        if not requester_membership:
+            raise OrgMemberNotFoundError(str(org_id), str(current_user_id))
+
+        return await OrgMemberStore.get_org_members_count(
+            org_id=org_id,
+            email_filter=email_filter,
+        )

    @staticmethod
    async def remove_org_member(
@@ -128,49 +179,73 @@ class OrgMemberService:
        Returns:
            Tuple of (success, error_message). If success is True, error_message is None.
        """
+        # Get current user's membership in the org
+        requester_membership = await OrgMemberStore.get_org_member(
+            org_id, current_user_id
+        )
+        if not requester_membership:
+            return False, 'not_a_member'

-        def _remove_member():
-            # Get current user's membership in the org
-            requester_membership = OrgMemberStore.get_org_member(
-                org_id, current_user_id
+        # Check if trying to remove self
+        if str(current_user_id) == str(target_user_id):
+            return False, 'cannot_remove_self'
+
+        # Get target user's membership
+        target_membership = await OrgMemberStore.get_org_member(org_id, target_user_id)
+        if not target_membership:
+            return False, 'member_not_found'
+
+        requester_role = await RoleStore.get_role_by_id(requester_membership.role_id)
+        target_role = await RoleStore.get_role_by_id(target_membership.role_id)
+
+        if not requester_role or not target_role:
+            return False, 'role_not_found'
+
+        # Check permission based on roles
+        if not OrgMemberService._can_remove_member(
+            requester_role.name, target_role.name
+        ):
+            return False, 'insufficient_permission'
+
+        # Check if removing the last owner
+        if target_role.name == ROLE_OWNER:
+            if await OrgMemberService._is_last_owner(org_id, target_user_id):
+                return False, 'cannot_remove_last_owner'
+
+        # Perform the removal
+        success = await OrgMemberStore.remove_user_from_org(org_id, target_user_id)
+        if not success:
+            return False, 'removal_failed'
+
+        # Update user's current_org_id if it points to the org they were removed from
+        user = await UserStore.get_user_by_id(str(target_user_id))
+        if user and user.current_org_id == org_id:
+            # Set current_org_id to personal workspace (org.id == user.id)
+            await UserStore.update_current_org(str(target_user_id), target_user_id)
+
+        # If database removal succeeded, also remove from LiteLLM team
+        try:
+            await LiteLlmManager.remove_user_from_team(str(target_user_id), str(org_id))
+            logger.info(
+                'Successfully removed user from LiteLLM team',
+                extra={
+                    'user_id': str(target_user_id),
+                    'org_id': str(org_id),
+                },
+            )
+        except Exception as e:
+            # Log but don't fail the operation - database removal already succeeded
+            # LiteLLM state will be eventually consistent
+            logger.warning(
+                'Failed to remove user from LiteLLM team',
+                extra={
+                    'user_id': str(target_user_id),
+                    'org_id': str(org_id),
+                    'error': str(e),
+                },
            )
-            if not requester_membership:
-                return False, 'not_a_member'

-            # Check if trying to remove self
-            if str(current_user_id) == str(target_user_id):
-                return False, 'cannot_remove_self'
-
-            # Get target user's membership
-            target_membership = OrgMemberStore.get_org_member(org_id, target_user_id)
-            if not target_membership:
-                return False, 'member_not_found'
-
-            requester_role = RoleStore.get_role_by_id(requester_membership.role_id)
-            target_role = RoleStore.get_role_by_id(target_membership.role_id)
-
-            if not requester_role or not target_role:
-                return False, 'role_not_found'
-
-            # Check permission based on roles
-            if not OrgMemberService._can_remove_member(
-                requester_role.name, target_role.name
-            ):
-                return False, 'insufficient_permission'
-
-            # Check if removing the last owner
-            if target_role.name == ROLE_OWNER:
-                if OrgMemberService._is_last_owner(org_id, target_user_id):
-                    return False, 'cannot_remove_last_owner'
-
-            # Perform the removal
-            success = OrgMemberStore.remove_user_from_org(org_id, target_user_id)
-            if not success:
-                return False, 'removal_failed'
-
-            return True, None
-
-        return await call_sync_from_async(_remove_member)
+        return True, None

    @staticmethod
    async def update_org_member(
@@ -182,10 +257,9 @@ class OrgMemberService:
        """Update a member's role in an organization.

        Permission rules:
-        - Admins can change roles of users (rank > ADMIN_RANK) to Admin or User
-        - Admins cannot modify other Admins or Owners
-        - Owners can change roles of non-owners (rank > OWNER_RANK) to any role
-        - Owners cannot modify other Owners
+        - Owners can modify anyone (including other owners), can set any role
+        - Admins can modify other admins and users
+        - Admins can only set admin or user roles (not owner)

        Args:
            org_id: Organization ID
@@ -207,85 +281,82 @@ class OrgMemberService:
        """
        new_role_name = update_data.role

-        def _update_member():
-            # Get current user's membership in the org
-            requester_membership = OrgMemberStore.get_org_member(
-                org_id, current_user_id
-            )
-            if not requester_membership:
-                raise OrgMemberNotFoundError(str(org_id), str(current_user_id))
+        # Get current user's membership in the org
+        requester_membership = await OrgMemberStore.get_org_member(
+            org_id, current_user_id
+        )
+        if not requester_membership:
+            raise OrgMemberNotFoundError(str(org_id), str(current_user_id))

-            # Check if trying to modify self
-            if str(current_user_id) == str(target_user_id):
-                raise CannotModifySelfError('modify')
+        # Check if trying to modify self
+        if str(current_user_id) == str(target_user_id):
+            raise CannotModifySelfError('modify')

-            # Get target user's membership
-            target_membership = OrgMemberStore.get_org_member(org_id, target_user_id)
-            if not target_membership:
-                raise OrgMemberNotFoundError(str(org_id), str(target_user_id))
+        # Get target user's membership
+        target_membership = await OrgMemberStore.get_org_member(org_id, target_user_id)
+        if not target_membership:
+            raise OrgMemberNotFoundError(str(org_id), str(target_user_id))

-            # Get roles
-            requester_role = RoleStore.get_role_by_id(requester_membership.role_id)
-            target_role = RoleStore.get_role_by_id(target_membership.role_id)
+        # Get roles
+        requester_role = await RoleStore.get_role_by_id(requester_membership.role_id)
+        target_role = await RoleStore.get_role_by_id(target_membership.role_id)

-            if not requester_role:
-                raise RoleNotFoundError(requester_membership.role_id)
-            if not target_role:
-                raise RoleNotFoundError(target_membership.role_id)
-
-            # If no role change requested, return current state
-            if new_role_name is None:
-                user = UserStore.get_user_by_id(str(target_user_id))
-                return OrgMemberResponse(
-                    user_id=str(target_membership.user_id),
-                    email=user.email if user else None,
-                    role_id=target_membership.role_id,
-                    role=target_role.name,
-                    role_rank=target_role.rank,
-                    status=target_membership.status,
-                )
-
-            # Validate new role exists
-            new_role = RoleStore.get_role_by_name(new_role_name.lower())
-            if not new_role:
-                raise InvalidRoleError(new_role_name)
-
-            # Check permission to modify target
-            if not OrgMemberService._can_update_member_role(
-                requester_role.name, target_role.name, new_role.name
-            ):
-                raise InsufficientPermissionError(
-                    'You do not have permission to modify this member'
-                )
-
-            # Check if demoting the last owner
-            if (
-                target_role.name == ROLE_OWNER
-                and new_role.name != ROLE_OWNER
-                and OrgMemberService._is_last_owner(org_id, target_user_id)
-            ):
-                raise LastOwnerError('demote')
-
-            # Perform the update
-            updated_member = OrgMemberStore.update_user_role_in_org(
-                org_id, target_user_id, new_role.id
-            )
-            if not updated_member:
-                raise MemberUpdateError('Failed to update member')
-
-            # Get user email for response
-            user = UserStore.get_user_by_id(str(target_user_id))
+        if not requester_role:
+            raise RoleNotFoundError(requester_membership.role_id)
+        if not target_role:
+            raise RoleNotFoundError(target_membership.role_id)

+        # If no role change requested, return current state
+        if new_role_name is None:
+            user = await UserStore.get_user_by_id(str(target_user_id))
            return OrgMemberResponse(
-                user_id=str(updated_member.user_id),
+                user_id=str(target_membership.user_id),
                email=user.email if user else None,
-                role_id=updated_member.role_id,
-                role=new_role.name,
-                role_rank=new_role.rank,
-                status=updated_member.status,
+                role_id=target_membership.role_id,
+                role=target_role.name,
+                role_rank=target_role.rank,
+                status=target_membership.status,
            )

-        return await call_sync_from_async(_update_member)
+        # Validate new role exists
+        new_role = await RoleStore.get_role_by_name(new_role_name.lower())
+        if not new_role:
+            raise InvalidRoleError(new_role_name)
+
+        # Check permission to modify target
+        if not OrgMemberService._can_update_member_role(
+            requester_role.name, target_role.name, new_role.name
+        ):
+            raise InsufficientPermissionError(
+                'You do not have permission to modify this member'
+            )
+
+        # Check if demoting the last owner
+        if (
+            target_role.name == ROLE_OWNER
+            and new_role.name != ROLE_OWNER
+            and await OrgMemberService._is_last_owner(org_id, target_user_id)
+        ):
+            raise LastOwnerError('demote')
+
+        # Perform the update
+        updated_member = await OrgMemberStore.update_user_role_in_org(
+            org_id, target_user_id, new_role.id
+        )
+        if not updated_member:
+            raise MemberUpdateError('Failed to update member')
+
+        # Get user email for response
+        user = await UserStore.get_user_by_id(str(target_user_id))
+
+        return OrgMemberResponse(
+            user_id=str(updated_member.user_id),
+            email=user.email if user else None,
+            role_id=updated_member.role_id,
+            role=new_role.name,
+            role_rank=new_role.rank,
+            status=updated_member.status,
+        )

    @staticmethod
    def _can_update_member_role(
@@ -294,26 +365,21 @@ class OrgMemberService:
        """Check if requester can change target's role to new_role.

        Permission rules:
-        - Owners can modify admins and users, can set any role
-        - Owners cannot modify other owners
-        - Admins can only modify users
+        - Owners can modify anyone (including other owners), can set any role
+        - Admins can modify other admins and users
        - Admins can only set admin or user roles (not owner)
        """
        is_requester_owner = requester_role_name == ROLE_OWNER
        is_requester_admin = requester_role_name == ROLE_ADMIN
        is_target_owner = target_role_name == ROLE_OWNER
-        is_target_admin = target_role_name == ROLE_ADMIN
        is_new_role_owner = new_role_name == ROLE_OWNER

        if is_requester_owner:
-            # Owners cannot modify other owners
-            if is_target_owner:
-                return False
-            # Owners can set any role (owner, admin, user)
+            # Owners can modify anyone (including other owners)
            return True
        elif is_requester_admin:
-            # Admins cannot modify owners or other admins
-            if is_target_owner or is_target_admin:
+            # Admins cannot modify owners
+            if is_target_owner:
                return False
            # Admins can only set admin or user roles (not owner)
            return not is_new_role_owner
@@ -325,18 +391,18 @@ class OrgMemberService:
        if requester_role_name == ROLE_OWNER:
            return True
        elif requester_role_name == ROLE_ADMIN:
-            # Admins can only remove members (not owners or other admins)
-            return target_role_name == ROLE_MEMBER
+            # Admins can remove admins and members (not owners)
+            return target_role_name != ROLE_OWNER
        return False

    @staticmethod
-    def _is_last_owner(org_id: UUID, user_id: UUID) -> bool:
+    async def _is_last_owner(org_id: UUID, user_id: UUID) -> bool:
        """Check if user is the last owner of the organization."""
-        members = OrgMemberStore.get_org_members(org_id)
+        members = await OrgMemberStore.get_org_members(org_id)
        owners = []
        for m in members:
            # Use role_id (column) instead of role (relationship) to avoid DetachedInstanceError
-            role = RoleStore.get_role_by_id(m.role_id)
+            role = await RoleStore.get_role_by_id(m.role_id)
            if role and role.name == ROLE_OWNER:
                owners.append(m)
        return len(owners) == 1 and str(owners[0].user_id) == str(user_id)
--- a/enterprise/server/services/user_app_settings_service.py
+++ b/enterprise/server/services/user_app_settings_service.py
@@ -0,0 +1,126 @@
+"""Service class for managing user app settings.
+
+Separates business logic from route handlers.
+Uses dependency injection for db_session and user_context.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import AsyncGenerator
+
+from fastapi import Request
+from server.routes.user_app_settings_models import (
+    UserAppSettingsResponse,
+    UserAppSettingsUpdate,
+    UserNotFoundError,
+)
+from storage.user_app_settings_store import UserAppSettingsStore
+
+from openhands.app_server.services.injector import Injector, InjectorState
+from openhands.app_server.user.user_context import UserContext
+from openhands.core.logger import openhands_logger as logger
+
+
+@dataclass
+class UserAppSettingsService:
+    """Service for user app settings with injected dependencies."""
+
+    store: UserAppSettingsStore
+    user_context: UserContext
+
+    async def get_user_app_settings(self) -> UserAppSettingsResponse:
+        """Get user app settings.
+
+        User ID is obtained from the injected user_context.
+
+        Returns:
+            UserAppSettingsResponse: The user's app settings
+
+        Raises:
+            ValueError: If user is not authenticated
+            UserNotFoundError: If user is not found
+        """
+        user_id = await self.user_context.get_user_id()
+        if not user_id:
+            raise ValueError('User is not authenticated')
+
+        logger.info(
+            'Getting user app settings',
+            extra={'user_id': user_id},
+        )
+
+        user = await self.store.get_user_by_id(user_id)
+
+        if not user:
+            raise UserNotFoundError(user_id)
+
+        return UserAppSettingsResponse.from_user(user)
+
+    async def update_user_app_settings(
+        self,
+        update_data: UserAppSettingsUpdate,
+    ) -> UserAppSettingsResponse:
+        """Update user app settings.
+
+        Only updates fields that are explicitly provided in update_data.
+        User ID is obtained from the injected user_context.
+        Session auto-commits at request end via DbSessionInjector.
+
+        Args:
+            update_data: The update data from the request
+
+        Returns:
+            UserAppSettingsResponse: The updated user's app settings
+
+        Raises:
+            ValueError: If user is not authenticated
+            UserNotFoundError: If user is not found
+        """
+        user_id = await self.user_context.get_user_id()
+        if not user_id:
+            raise ValueError('User is not authenticated')
+
+        logger.info(
+            'Updating user app settings',
+            extra={'user_id': user_id},
+        )
+
+        # Check if any fields are provided
+        update_dict = update_data.model_dump(exclude_unset=True)
+
+        if not update_dict:
+            # No fields to update, just return current settings
+            return await self.get_user_app_settings()
+
+        user = await self.store.update_user_app_settings(
+            user_id=user_id,
+            update_data=update_data,
+        )
+
+        if not user:
+            raise UserNotFoundError(user_id)
+
+        logger.info(
+            'User app settings updated successfully',
+            extra={'user_id': user_id, 'updated_fields': list(update_dict.keys())},
+        )
+
+        return UserAppSettingsResponse.from_user(user)
+
+
+class UserAppSettingsServiceInjector(Injector[UserAppSettingsService]):
+    """Injector that composes store and user_context for UserAppSettingsService."""
+
+    async def inject(
+        self, state: InjectorState, request: Request | None = None
+    ) -> AsyncGenerator[UserAppSettingsService, None]:
+        # Local imports to avoid circular dependencies
+        from openhands.app_server.config import get_db_session, get_user_context
+
+        async with (
+            get_user_context(state, request) as user_context,
+            get_db_session(state, request) as db_session,
+        ):
+            store = UserAppSettingsStore(db_session=db_session)
+            yield UserAppSettingsService(store=store, user_context=user_context)
--- a/enterprise/server/utils/conversation_callback_utils.py
+++ b/enterprise/server/utils/conversation_callback_utils.py
@@ -4,13 +4,14 @@ import pickle
 from datetime import datetime

 from server.logger import logger
+from sqlalchemy import and_, select
 from storage.conversation_callback import (
    CallbackStatus,
    ConversationCallback,
    ConversationCallbackProcessor,
 )
 from storage.conversation_work import ConversationWork
-from storage.database import session_maker
+from storage.database import a_session_maker, session_maker
 from storage.stored_conversation_metadata import StoredConversationMetadata

 from openhands.core.config import load_openhands_config
@@ -79,15 +80,16 @@ async def invoke_conversation_callbacks(
        conversation_id: The conversation ID to process callbacks for
        observation: The AgentStateChangedObservation that triggered the callback
    """
-    with session_maker() as session:
-        callbacks = (
-            session.query(ConversationCallback)
-            .filter(
-                ConversationCallback.conversation_id == conversation_id,
-                ConversationCallback.status == CallbackStatus.ACTIVE,
+    async with a_session_maker() as session:
+        result = await session.execute(
+            select(ConversationCallback).filter(
+                and_(
+                    ConversationCallback.conversation_id == conversation_id,
+                    ConversationCallback.status == CallbackStatus.ACTIVE,
+                )
            )
-            .all()
        )
+        callbacks = result.scalars().all()

        for callback in callbacks:
            try:
@@ -115,7 +117,7 @@ async def invoke_conversation_callbacks(
                callback.status = CallbackStatus.ERROR
                callback.updated_at = datetime.now()

-        session.commit()
+        await session.commit()


 def update_conversation_metadata(conversation_id: str, content: dict):
--- a/enterprise/server/utils/saas_app_conversation_info_injector.py
+++ b/enterprise/server/utils/saas_app_conversation_info_injector.py
@@ -24,6 +24,7 @@ from openhands.app_server.app_conversation.sql_app_conversation_info_service imp
 )
 from openhands.app_server.errors import AuthError
 from openhands.app_server.services.injector import InjectorState
+from openhands.app_server.user.specifiy_user_context import ADMIN


 class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
@@ -63,6 +64,12 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
        Raises:
            AuthError: If no user_id is available (secure default: deny access)
        """
+        # For internal operations such as getting a conversation by session_api_key
+        # we need a mode that does not have filtering. The dependency `as_admin()`
+        # is used to enable it
+        if self.user_context == ADMIN:
+            return query
+
        user_id_str = await self.user_context.get_user_id()
        if not user_id_str:
            # Secure default: no user means no access, not "show everything"
--- a/enterprise/server/verified_models/verified_model_models.py
+++ b/enterprise/server/verified_models/verified_model_models.py
@@ -0,0 +1,33 @@
+from datetime import datetime
+from typing import Annotated
+
+from pydantic import BaseModel, StringConstraints
+
+
+class VerifiedModelCreate(BaseModel):
+    model_name: Annotated[
+        str,
+        StringConstraints(max_length=255),
+    ]
+    provider: Annotated[
+        str,
+        StringConstraints(max_length=100),
+    ]
+    is_enabled: bool = True
+
+
+class VerifiedModel(VerifiedModelCreate):
+    id: int
+    created_at: datetime
+    updated_at: datetime
+
+
+class VerifiedModelUpdate(BaseModel):
+    is_enabled: bool | None = None
+
+
+class VerifiedModelPage(BaseModel):
+    """Paginated response model for verified model list."""
+
+    items: list[VerifiedModel]
+    next_page_id: str | None = None
--- a/enterprise/server/verified_models/verified_model_router.py
+++ b/enterprise/server/verified_models/verified_model_router.py
@@ -0,0 +1,143 @@
+"""API routes for managing verified LLM models (admin only)."""
+
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, HTTPException, Query, Request, status
+from server.email_validation import get_admin_user_id
+from server.verified_models.verified_model_models import (
+    VerifiedModel,
+    VerifiedModelCreate,
+    VerifiedModelPage,
+    VerifiedModelUpdate,
+)
+from server.verified_models.verified_model_service import (
+    VerifiedModelService,
+    verified_model_store_dependency,
+)
+
+from openhands.app_server.config import get_db_session
+from openhands.server.routes import public
+from openhands.utils.llm import get_supported_llm_models
+
+api_router = APIRouter(prefix='/api/admin/verified-models', tags=['Verified Models'])
+
+
+@api_router.get('')
+async def search_verified_models(
+    provider: str | None = None,
+    page_id: Annotated[
+        str | None,
+        Query(title='Optional next_page_id from the previously returned page'),
+    ] = None,
+    limit: Annotated[
+        int, Query(title='The max number of results in the page', gt=0, le=100)
+    ] = 100,
+    user_id: str = Depends(get_admin_user_id),
+    verified_model_service: VerifiedModelService = Depends(
+        verified_model_store_dependency
+    ),
+) -> VerifiedModelPage:
+    """List all verified models, optionally filtered by provider."""
+    # Use SQL-level filtering and pagination
+    result = await verified_model_service.search_verified_models(
+        provider=provider,
+        enabled_only=False,  # Admin sees all models including disabled
+        page_id=page_id,
+        limit=limit,
+    )
+    return result
+
+
+@api_router.post('', status_code=201)
+async def create_verified_model(
+    data: VerifiedModelCreate,
+    user_id: str = Depends(get_admin_user_id),
+    verified_model_service: VerifiedModelService = Depends(
+        verified_model_store_dependency
+    ),
+) -> VerifiedModel:
+    """Create a new verified model."""
+    try:
+        model = await verified_model_service.create_verified_model(
+            model_name=data.model_name,
+            provider=data.provider,
+            is_enabled=data.is_enabled,
+        )
+        return model
+    except ValueError as ex:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=str(ex),
+        )
+
+
+@api_router.put('/{provider}/{model_name:path}')
+async def update_verified_model(
+    provider: str,
+    model_name: str,
+    data: VerifiedModelUpdate,
+    user_id: str = Depends(get_admin_user_id),
+    verified_model_service: VerifiedModelService = Depends(
+        verified_model_store_dependency
+    ),
+) -> VerifiedModel:
+    """Update a verified model by provider and model name."""
+    model = await verified_model_service.update_verified_model(
+        model_name=model_name,
+        provider=provider,
+        is_enabled=data.is_enabled,
+    )
+    if not model:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f'Model {provider}/{model_name} not found',
+        )
+    return model
+
+
+@api_router.delete('/{provider}/{model_name:path}')
+async def delete_verified_model(
+    provider: str,
+    model_name: str,
+    user_id: str = Depends(get_admin_user_id),
+    verified_model_service: VerifiedModelService = Depends(
+        verified_model_store_dependency
+    ),
+) -> bool:
+    """Delete a verified model by provider and model name."""
+    try:
+        await verified_model_service.delete_verified_model(
+            model_name=model_name, provider=provider
+        )
+        return True
+    except ValueError as ex:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=str(ex),
+        )
+
+
+async def get_saas_llm_models_dependency(request: Request) -> list[str]:
+    """SaaS implementation for the LLM models endpoint."""
+    async with get_db_session(request.state, request) as db_session:
+        # Prevent circular import
+        from openhands.server.shared import config
+
+        verified_model_service = VerifiedModelService(db_session)
+        page = await verified_model_service.search_verified_models(enabled_only=True)
+        if page.next_page_id:
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail='Too many models defined in database',
+            )
+        verified_models = [f'{m.provider}/{m.model_name}' for m in page.items]
+        return get_supported_llm_models(config, verified_models)
+
+
+# Override the default implementation with SaaS implementation
+# This must be called after the app is created in saas_server.py
+def override_llm_models_dependency(app):
+    """Override the default LLM models implementation with SaaS version."""
+    app.dependency_overrides[public.get_llm_models_dependency] = (
+        get_saas_llm_models_dependency
+    )
--- a/enterprise/server/verified_models/verified_model_service.py
+++ b/enterprise/server/verified_models/verified_model_service.py
@@ -0,0 +1,242 @@
+"""Store for managing verified LLM models in the database."""
+
+from dataclasses import dataclass
+
+from server.verified_models.verified_model_models import (
+    VerifiedModel,
+    VerifiedModelPage,
+)
+from sqlalchemy import (
+    Boolean,
+    Column,
+    DateTime,
+    Identity,
+    Integer,
+    String,
+    UniqueConstraint,
+    and_,
+    func,
+    select,
+    text,
+)
+from sqlalchemy.ext.asyncio import AsyncSession
+from storage.base import Base
+
+from openhands.app_server.config import depends_db_session
+from openhands.core.logger import openhands_logger as logger
+
+
+class StoredVerifiedModel(Base):  # type: ignore
+    """A verified LLM model available in the model selector.
+
+    The composite unique constraint on (model_name, provider) allows the same
+    model name to exist under different providers (e.g. 'claude-sonnet' under
+    both 'openhands' and 'anthropic').
+    """
+
+    __tablename__ = 'verified_models'
+    __table_args__ = (
+        UniqueConstraint('model_name', 'provider', name='uq_verified_model_provider'),
+    )
+
+    id = Column(Integer, Identity(), primary_key=True)
+    model_name = Column(String(255), nullable=False)
+    provider = Column(String(100), nullable=False, index=True)
+    is_enabled = Column(
+        Boolean, nullable=False, default=True, server_default=text('true')
+    )
+    created_at = Column(DateTime, nullable=False, server_default=func.now())
+    updated_at = Column(
+        DateTime, nullable=False, server_default=func.now(), onupdate=func.now()
+    )
+
+
+def verified_model(result: StoredVerifiedModel) -> VerifiedModel:
+    return VerifiedModel(
+        id=result.id,
+        model_name=result.model_name,
+        provider=result.provider,
+        is_enabled=result.is_enabled,
+        created_at=result.created_at,
+        updated_at=result.updated_at,
+    )
+
+
+@dataclass
+class VerifiedModelService:
+    """Store for CRUD operations on verified models.
+
+    Follows the async pattern with db_session as an attribute.
+    """
+
+    db_session: AsyncSession
+
+    async def search_verified_models(
+        self,
+        provider: str | None = None,
+        enabled_only: bool = True,
+        page_id: str | None = None,
+        limit: int = 100,
+    ) -> VerifiedModelPage:
+        """Search for verified models with optional filtering and pagination.
+
+        Args:
+            provider: Optional provider name to filter by (e.g., 'openhands', 'anthropic')
+            enabled_only: If True, only return enabled models (default: True)
+            page_id: Page id for pagination
+            limit: Maximum number of records to return
+
+        Returns:
+            SearchModelsResult containing items list and has_more flag
+        """
+        query = select(StoredVerifiedModel)
+
+        # Build filters
+        filters = []
+        if provider:
+            filters.append(StoredVerifiedModel.provider == provider)
+        if enabled_only:
+            filters.append(StoredVerifiedModel.is_enabled.is_(True))
+
+        if filters:
+            query = query.where(and_(*filters))
+
+        # Order by provider, then model_name
+        query = query.order_by(
+            StoredVerifiedModel.provider, StoredVerifiedModel.model_name
+        )
+
+        # Fetch limit + 1 to check if there are more results
+        offset = int(page_id or '0')
+        query = query.offset(offset).limit(limit + 1)
+
+        result = await self.db_session.execute(query)
+        results = list(result.scalars().all())
+        has_more = len(results) > limit
+        next_page_id = None
+
+        # Return only the requested number of results
+        if has_more:
+            next_page_id = str(offset + limit)
+            results.pop()
+
+        items = [verified_model(result) for result in results]
+        return VerifiedModelPage(items=items, next_page_id=next_page_id)
+
+    async def get_model(self, model_name: str, provider: str) -> VerifiedModel | None:
+        """Get a model by its composite key (model_name, provider).
+
+        Args:
+            model_name: The model identifier
+            provider: The provider name
+        """
+        query = select(StoredVerifiedModel).where(
+            and_(
+                StoredVerifiedModel.model_name == model_name,
+                StoredVerifiedModel.provider == provider,
+            )
+        )
+        result = await self.db_session.execute(query)
+        return result.scalars().first()
+
+    async def create_verified_model(
+        self,
+        model_name: str,
+        provider: str,
+        is_enabled: bool = True,
+    ) -> VerifiedModel:
+        """Create a new verified model.
+
+        Args:
+            model_name: The model identifier
+            provider: The provider name
+            is_enabled: Whether the model is enabled (default True)
+
+        Raises:
+            ValueError: If a model with the same (model_name, provider) already exists
+        """
+        existing_query = select(StoredVerifiedModel).where(
+            and_(
+                StoredVerifiedModel.model_name == model_name,
+                StoredVerifiedModel.provider == provider,
+            )
+        )
+        result = await self.db_session.execute(existing_query)
+        existing = result.scalars().first()
+        if existing:
+            raise ValueError(f'Model {provider}/{model_name} already exists')
+
+        model = StoredVerifiedModel(
+            model_name=model_name,
+            provider=provider,
+            is_enabled=is_enabled,
+        )
+        self.db_session.add(model)
+        await self.db_session.commit()
+        await self.db_session.refresh(model)
+        logger.info(f'Created verified model: {provider}/{model_name}')
+        return verified_model(model)
+
+    async def update_verified_model(
+        self,
+        model_name: str,
+        provider: str,
+        is_enabled: bool | None = None,
+    ) -> VerifiedModel | None:
+        """Update an existing verified model.
+
+        Args:
+            model_name: The model name to update
+            provider: The provider name
+            is_enabled: New enabled state (optional)
+
+        Returns:
+            The updated model if found, None otherwise
+        """
+        query = select(StoredVerifiedModel).where(
+            and_(
+                StoredVerifiedModel.model_name == model_name,
+                StoredVerifiedModel.provider == provider,
+            )
+        )
+        result = await self.db_session.execute(query)
+        model = result.scalars().first()
+        if not model:
+            return None
+
+        if is_enabled is not None:
+            model.is_enabled = is_enabled
+
+        await self.db_session.commit()
+        await self.db_session.refresh(model)
+        logger.info(f'Updated verified model: {provider}/{model_name}')
+        return verified_model(model)
+
+    async def delete_verified_model(self, model_name: str, provider: str):
+        """Delete a verified model.
+
+        Args:
+            model_name: The model name to delete
+            provider: The provider name
+
+        Returns:
+            True if deleted, False if not found
+        """
+        query = select(StoredVerifiedModel).where(
+            and_(
+                StoredVerifiedModel.model_name == model_name,
+                StoredVerifiedModel.provider == provider,
+            )
+        )
+        result = await self.db_session.execute(query)
+        model = result.scalars().first()
+        if not model:
+            raise ValueError('Unknown model')
+
+        await self.db_session.delete(model)
+        await self.db_session.commit()
+        logger.info(f'Deleted verified model: {provider}/{model_name}')
+
+
+def verified_model_store_dependency(db_session: AsyncSession = depends_db_session()):
+    return VerifiedModelService(db_session)
--- a/enterprise/storage/api_key_store.py
+++ b/enterprise/storage/api_key_store.py
@@ -5,20 +5,16 @@ import string
 from dataclasses import dataclass
 from datetime import UTC, datetime

-from sqlalchemy import update
-from sqlalchemy.orm import sessionmaker
+from sqlalchemy import select, update
 from storage.api_key import ApiKey
-from storage.database import session_maker
+from storage.database import a_session_maker
 from storage.user_store import UserStore

 from openhands.core.logger import openhands_logger as logger
-from openhands.utils.async_utils import call_sync_from_async


@dataclass
 class ApiKeyStore:
-    session_maker: sessionmaker
-
    API_KEY_PREFIX = 'sk-oh-'

    def generate_api_key(self, length: int = 32) -> str:
@@ -41,24 +37,12 @@ class ApiKeyStore:
            The generated API key
        """
        api_key = self.generate_api_key()
-        user = await UserStore.get_user_by_id_async(user_id)
+        user = await UserStore.get_user_by_id(user_id)
+        if user is None:
+            raise ValueError(f'User not found: {user_id}')
        org_id = user.current_org_id
-        await call_sync_from_async(
-            self._store_api_key, user_id, org_id, api_key, name, expires_at
-        )

-        return api_key
-
-    def _store_api_key(
-        self,
-        user_id: str,
-        org_id: str,
-        api_key: str,
-        name: str | None,
-        expires_at: datetime | None = None,
-    ) -> None:
-        """Store an existing API key in the database."""
-        with self.session_maker() as session:
+        async with a_session_maker() as session:
            key_record = ApiKey(
                key=api_key,
                user_id=user_id,
@@ -67,14 +51,17 @@ class ApiKeyStore:
                expires_at=expires_at,
            )
            session.add(key_record)
-            session.commit()
+            await session.commit()

-    def validate_api_key(self, api_key: str) -> str | None:
+        return api_key
+
+    async def validate_api_key(self, api_key: str) -> str | None:
        """Validate an API key and return the associated user_id if valid."""
        now = datetime.now(UTC)

-        with self.session_maker() as session:
-            key_record = session.query(ApiKey).filter(ApiKey.key == api_key).first()
+        async with a_session_maker() as session:
+            result = await session.execute(select(ApiKey).filter(ApiKey.key == api_key))
+            key_record = result.scalars().first()

            if not key_record:
                return None
@@ -91,103 +78,100 @@ class ApiKeyStore:
                    return None

            # Update last_used_at timestamp
-            session.execute(
+            await session.execute(
                update(ApiKey)
                .where(ApiKey.id == key_record.id)
-                .values(last_used_at=now)
+                .values(last_used_at=now.replace(tzinfo=None))
            )
-            session.commit()
+            await session.commit()

            return key_record.user_id

-    def delete_api_key(self, api_key: str) -> bool:
+    async def delete_api_key(self, api_key: str) -> bool:
        """Delete an API key by the key value."""
-        with self.session_maker() as session:
-            key_record = session.query(ApiKey).filter(ApiKey.key == api_key).first()
+        async with a_session_maker() as session:
+            result = await session.execute(select(ApiKey).filter(ApiKey.key == api_key))
+            key_record = result.scalars().first()

            if not key_record:
                return False

-            session.delete(key_record)
-            session.commit()
+            await session.delete(key_record)
+            await session.commit()

            return True

-    def delete_api_key_by_id(self, key_id: int) -> bool:
+    async def delete_api_key_by_id(self, key_id: int) -> bool:
        """Delete an API key by its ID."""
-        with self.session_maker() as session:
-            key_record = session.query(ApiKey).filter(ApiKey.id == key_id).first()
+        async with a_session_maker() as session:
+            result = await session.execute(select(ApiKey).filter(ApiKey.id == key_id))
+            key_record = result.scalars().first()

            if not key_record:
                return False

-            session.delete(key_record)
-            session.commit()
+            await session.delete(key_record)
+            await session.commit()

            return True

    async def list_api_keys(self, user_id: str) -> list[ApiKey]:
        """List all API keys for a user."""
-        user = await UserStore.get_user_by_id_async(user_id)
+        user = await UserStore.get_user_by_id(user_id)
+        if user is None:
+            raise ValueError(f'User not found: {user_id}')
        org_id = user.current_org_id
-        return await call_sync_from_async(self._list_api_keys_from_db, user_id, org_id)

-    def _list_api_keys_from_db(self, user_id: str, org_id: str) -> list[ApiKey]:
-        with self.session_maker() as session:
-            keys: list[ApiKey] = (
-                session.query(ApiKey)
-                .filter(ApiKey.user_id == user_id)
-                .filter(ApiKey.org_id == org_id)
-                .all()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(ApiKey).filter(
+                    ApiKey.user_id == user_id, ApiKey.org_id == org_id
+                )
            )
-
+            keys = result.scalars().all()
            return [key for key in keys if key.name != 'MCP_API_KEY']

    async def retrieve_mcp_api_key(self, user_id: str) -> str | None:
-        user = await UserStore.get_user_by_id_async(user_id)
+        user = await UserStore.get_user_by_id(user_id)
+        if user is None:
+            raise ValueError(f'User not found: {user_id}')
        org_id = user.current_org_id
-        return await call_sync_from_async(
-            self._retrieve_mcp_api_key_from_db, user_id, org_id
-        )

-    def _retrieve_mcp_api_key_from_db(self, user_id: str, org_id: str) -> str | None:
-        with self.session_maker() as session:
-            keys: list[ApiKey] = (
-                session.query(ApiKey)
-                .filter(ApiKey.user_id == user_id)
-                .filter(ApiKey.org_id == org_id)
-                .all()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(ApiKey).filter(
+                    ApiKey.user_id == user_id, ApiKey.org_id == org_id
+                )
            )
+            keys = result.scalars().all()
            for key in keys:
                if key.name == 'MCP_API_KEY':
                    return key.key

        return None

-    def retrieve_api_key_by_name(self, user_id: str, name: str) -> str | None:
+    async def retrieve_api_key_by_name(self, user_id: str, name: str) -> str | None:
        """Retrieve an API key by name for a specific user."""
-        with self.session_maker() as session:
-            key_record = (
-                session.query(ApiKey)
-                .filter(ApiKey.user_id == user_id, ApiKey.name == name)
-                .first()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(ApiKey).filter(ApiKey.user_id == user_id, ApiKey.name == name)
            )
+            key_record = result.scalars().first()
            return key_record.key if key_record else None

-    def delete_api_key_by_name(self, user_id: str, name: str) -> bool:
+    async def delete_api_key_by_name(self, user_id: str, name: str) -> bool:
        """Delete an API key by name for a specific user."""
-        with self.session_maker() as session:
-            key_record = (
-                session.query(ApiKey)
-                .filter(ApiKey.user_id == user_id, ApiKey.name == name)
-                .first()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(ApiKey).filter(ApiKey.user_id == user_id, ApiKey.name == name)
            )
+            key_record = result.scalars().first()

            if not key_record:
                return False

-            session.delete(key_record)
-            session.commit()
+            await session.delete(key_record)
+            await session.commit()

            return True

@@ -195,4 +179,4 @@ class ApiKeyStore:
    def get_instance(cls) -> ApiKeyStore:
        """Get an instance of the ApiKeyStore."""
        logger.debug('api_key_store.get_instance')
-        return ApiKeyStore(session_maker)
+        return ApiKeyStore()
--- a/enterprise/storage/auth_token_store.py
+++ b/enterprise/storage/auth_token_store.py
@@ -4,25 +4,58 @@ import time
 from dataclasses import dataclass
 from typing import Awaitable, Callable, Dict

-from sqlalchemy import select, update
-from sqlalchemy.orm import sessionmaker
+from server.auth.auth_error import TokenRefreshError
+from sqlalchemy import select, text, update
+from sqlalchemy.exc import OperationalError
 from storage.auth_tokens import AuthTokens
 from storage.database import a_session_maker

 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.service_types import ProviderType

+# Time buffer (in seconds) before actual expiration to consider token expired
+# This ensures tokens are refreshed before they actually expire. The
+# github default is 8 hours, so 15 minutes leeway is ~3% of this.
+ACCESS_TOKEN_EXPIRY_BUFFER = 900  # 15 minutes
+
+# Database lock timeout to prevent indefinite blocking
+LOCK_TIMEOUT_SECONDS = 5
+

@dataclass
 class AuthTokenStore:
    keycloak_user_id: str
    idp: ProviderType
-    a_session_maker: sessionmaker

    @property
    def identity_provider_value(self) -> str:
        return self.idp.value

+    def _is_token_expired(
+        self, access_token_expires_at: int, refresh_token_expires_at: int
+    ) -> tuple[bool, bool]:
+        """Check if access and refresh tokens are expired.
+
+        Args:
+            access_token_expires_at: Expiration time for access token (seconds since epoch)
+            refresh_token_expires_at: Expiration time for refresh token (seconds since epoch)
+
+        Returns:
+            Tuple of (access_expired, refresh_expired)
+        """
+        current_time = int(time.time())
+        access_expired = (
+            False
+            if access_token_expires_at == 0
+            else access_token_expires_at < current_time + ACCESS_TOKEN_EXPIRY_BUFFER
+        )
+        refresh_expired = (
+            False
+            if refresh_token_expires_at == 0
+            else refresh_token_expires_at < current_time
+        )
+        return access_expired, refresh_expired
+
    async def store_tokens(
        self,
        access_token: str,
@@ -38,7 +71,7 @@ class AuthTokenStore:
            access_token_expires_at: Expiration time for access token (seconds since epoch)
            refresh_token_expires_at: Expiration time for refresh token (seconds since epoch)
        """
-        async with self.a_session_maker() as session:
+        async with a_session_maker() as session:
            async with session.begin():  # Explicitly start a transaction
                result = await session.execute(
                    select(AuthTokens).where(
@@ -69,91 +102,153 @@ class AuthTokenStore:
    async def load_tokens(
        self,
        check_expiration_and_refresh: Callable[
-            [ProviderType, str, int, int], Awaitable[Dict[str, str | int]]
+            [ProviderType, str, int, int], Awaitable[Dict[str, str | int] | None]
        ]
        | None = None,
    ) -> Dict[str, str | int] | None:
-        """
-        Load authentication tokens from the database and refresh them if necessary.
+        """Load authentication tokens from the database and refresh them if necessary.

-        This method retrieves the current authentication tokens for the user and checks if they have expired.
-        It uses the provided `check_expiration_and_refresh` function to determine if the tokens need
-        to be refreshed and to refresh the tokens if needed.
+        This method uses a double-checked locking pattern to minimize lock contention:
+        1. First, check if the token is valid WITHOUT acquiring a lock (fast path)
+        2. If refresh is needed, acquire a lock with a timeout
+        3. Double-check if refresh is still needed (another request may have refreshed)
+        4. Perform the refresh if still needed

-        The method ensures that only one refresh operation is performed per refresh token by using a
-        row-level lock on the token record.
-
-        The method is designed to handle race conditions where multiple requests might attempt to refresh
-        the same token simultaneously, ensuring that only one refresh call occurs per refresh token.
+        The row-level lock ensures that only one refresh operation is performed per
+        refresh token, which is important because most IDPs invalidate the old refresh
+        token after it's used once.

        Args:
-            check_expiration_and_refresh (Callable, optional): A function that checks if the tokens have expired
-                and attempts to refresh them. It should return a dictionary containing the new access_token, refresh_token,
-                and their respective expiration timestamps. If no refresh is needed, it should return `None`.
+            check_expiration_and_refresh: A function that checks if the tokens have
+                expired and attempts to refresh them. It should return a dictionary
+                containing the new access_token, refresh_token, and their respective
+                expiration timestamps. If no refresh is needed, it should return None.

        Returns:
-            Dict[str, str | int] | None:
-                A dictionary containing the access_token, refresh_token, access_token_expires_at,
-                and refresh_token_expires_at. If no token record is found, returns `None`.
+            A dictionary containing the access_token, refresh_token,
+            access_token_expires_at, and refresh_token_expires_at.
+            If no token record is found, returns None.
+
+        Raises:
+            TokenRefreshError: If the lock cannot be acquired within the timeout
+                period. This typically means another request is holding the lock
+                for an extended period. Callers should handle this by returning
+                a 401 response to prompt the user to re-authenticate.
        """
-        async with self.a_session_maker() as session:
-            async with session.begin():  # Ensures transaction management
-                # Lock the row while we check if we need to refresh the tokens.
-                # There is a race condition where 2 or more calls can load tokens simultaneously.
-                # If it turns out the loaded tokens are expired, then there will be multiple
-                # refresh token calls with the same refresh token. Most IDPs only allow one refresh
-                # per refresh token. This lock ensure that only one refresh call occurs per refresh token
-                result = await session.execute(
-                    select(AuthTokens)
-                    .filter(
-                        AuthTokens.keycloak_user_id == self.keycloak_user_id,
-                        AuthTokens.identity_provider == self.identity_provider_value,
-                    )
-                    .with_for_update()
+        # FAST PATH: Check without lock first to avoid unnecessary lock contention
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(AuthTokens).filter(
+                    AuthTokens.keycloak_user_id == self.keycloak_user_id,
+                    AuthTokens.identity_provider == self.identity_provider_value,
                )
-                token_record = result.scalars().one_or_none()
+            )
+            token_record = result.scalars().one_or_none()

-                if not token_record:
-                    return None
+            if not token_record:
+                return None

-                token_refresh = (
-                    await check_expiration_and_refresh(
+            # Check if token needs refresh
+            access_expired, _ = self._is_token_expired(
+                token_record.access_token_expires_at,
+                token_record.refresh_token_expires_at,
+            )
+
+            # If token is still valid, return it without acquiring a lock
+            if not access_expired or check_expiration_and_refresh is None:
+                return {
+                    'access_token': token_record.access_token,
+                    'refresh_token': token_record.refresh_token,
+                    'access_token_expires_at': token_record.access_token_expires_at,
+                    'refresh_token_expires_at': token_record.refresh_token_expires_at,
+                }
+
+        # SLOW PATH: Token needs refresh, acquire lock
+        try:
+            async with a_session_maker() as session:
+                async with session.begin():
+                    # Set a lock timeout to prevent indefinite blocking
+                    # This ensures we don't hold connections forever if something goes wrong
+                    await session.execute(
+                        text(f"SET LOCAL lock_timeout = '{LOCK_TIMEOUT_SECONDS}s'")
+                    )
+
+                    # Acquire row-level lock to prevent concurrent refresh attempts
+                    result = await session.execute(
+                        select(AuthTokens)
+                        .filter(
+                            AuthTokens.keycloak_user_id == self.keycloak_user_id,
+                            AuthTokens.identity_provider
+                            == self.identity_provider_value,
+                        )
+                        .with_for_update()
+                    )
+                    token_record = result.scalars().one_or_none()
+
+                    if not token_record:
+                        return None
+
+                    # Double-check: another request may have refreshed while we waited for the lock
+                    access_expired, _ = self._is_token_expired(
+                        token_record.access_token_expires_at,
+                        token_record.refresh_token_expires_at,
+                    )
+
+                    if not access_expired:
+                        # Token was refreshed by another request while we waited
+                        logger.debug(
+                            'Token was refreshed by another request while waiting for lock'
+                        )
+                        return {
+                            'access_token': token_record.access_token,
+                            'refresh_token': token_record.refresh_token,
+                            'access_token_expires_at': token_record.access_token_expires_at,
+                            'refresh_token_expires_at': token_record.refresh_token_expires_at,
+                        }
+
+                    # We're the one doing the refresh
+                    token_refresh = await check_expiration_and_refresh(
                        self.idp,
                        token_record.refresh_token,
                        token_record.access_token_expires_at,
                        token_record.refresh_token_expires_at,
                    )
-                    if check_expiration_and_refresh
-                    else None
-                )

-                if token_refresh:
-                    await session.execute(
-                        update(AuthTokens)
-                        .where(AuthTokens.id == token_record.id)
-                        .values(
-                            access_token=token_refresh['access_token'],
-                            refresh_token=token_refresh['refresh_token'],
-                            access_token_expires_at=token_refresh[
-                                'access_token_expires_at'
-                            ],
-                            refresh_token_expires_at=token_refresh[
-                                'refresh_token_expires_at'
-                            ],
+                    if token_refresh:
+                        await session.execute(
+                            update(AuthTokens)
+                            .where(AuthTokens.id == token_record.id)
+                            .values(
+                                access_token=token_refresh['access_token'],
+                                refresh_token=token_refresh['refresh_token'],
+                                access_token_expires_at=token_refresh[
+                                    'access_token_expires_at'
+                                ],
+                                refresh_token_expires_at=token_refresh[
+                                    'refresh_token_expires_at'
+                                ],
+                            )
                        )
-                    )
-                    await session.commit()
+                        await session.commit()

-                return (
-                    token_refresh
-                    if token_refresh
-                    else {
-                        'access_token': token_record.access_token,
-                        'refresh_token': token_record.refresh_token,
-                        'access_token_expires_at': token_record.access_token_expires_at,
-                        'refresh_token_expires_at': token_record.refresh_token_expires_at,
-                    }
-                )
+                    return (
+                        token_refresh
+                        if token_refresh
+                        else {
+                            'access_token': token_record.access_token,
+                            'refresh_token': token_record.refresh_token,
+                            'access_token_expires_at': token_record.access_token_expires_at,
+                            'refresh_token_expires_at': token_record.refresh_token_expires_at,
+                        }
+                    )
+        except OperationalError as e:
+            # Lock timeout - another request is holding the lock for too long
+            logger.warning(
+                f'Token refresh lock timeout for user {self.keycloak_user_id}: {e}'
+            )
+            raise TokenRefreshError(
+                'Unable to refresh token due to lock timeout. Please try again.'
+            ) from e

    async def is_access_token_valid(self) -> bool:
        """Check if the access token is still valid.
@@ -194,8 +289,8 @@ class AuthTokenStore:
        """Get an instance of the AuthTokenStore.

        Args:
-            config: The application configuration
            keycloak_user_id: The Keycloak user ID
+            idp: The identity provider type

        Returns:
            An instance of AuthTokenStore
@@ -203,6 +298,4 @@ class AuthTokenStore:
        logger.debug(f'auth_token_store.get_instance::{keycloak_user_id}')
        if keycloak_user_id:
            keycloak_user_id = str(keycloak_user_id)
-        return AuthTokenStore(
-            keycloak_user_id=keycloak_user_id, idp=idp, a_session_maker=a_session_maker
-        )
+        return AuthTokenStore(keycloak_user_id=keycloak_user_id, idp=idp)
--- a/enterprise/storage/blocked_email_domain_store.py
+++ b/enterprise/storage/blocked_email_domain_store.py
@@ -1,14 +1,12 @@
 from dataclasses import dataclass

 from sqlalchemy import text
-from sqlalchemy.orm import sessionmaker
+from storage.database import a_session_maker


@dataclass
 class BlockedEmailDomainStore:
-    session_maker: sessionmaker
-
-    def is_domain_blocked(self, domain: str) -> bool:
+    async def is_domain_blocked(self, domain: str) -> bool:
        """Check if a domain is blocked by querying the database directly.

        This method uses SQL to efficiently check if the domain matches any blocked pattern:
@@ -21,9 +19,9 @@ class BlockedEmailDomainStore:
        Returns:
            True if the domain is blocked, False otherwise
        """
-        with self.session_maker() as session:
+        async with a_session_maker() as session:
            # SQL query that handles both TLD patterns and full domain patterns
-            # TLD patterns (starting with '.'): check if domain ends with the pattern
+            # TLD patterns (starting with '.'): check if domain ends with it (case-insensitive)
            # Full domain patterns: check for exact match or subdomain match
            # All comparisons are case-insensitive using LOWER() to ensure consistent matching
            query = text("""
@@ -41,5 +39,5 @@ class BlockedEmailDomainStore:
                        ))
                )
            """)
-            result = session.execute(query, {'domain': domain}).scalar()
-            return bool(result)
+            result = await session.execute(query, {'domain': domain})
+            return bool(result.scalar())
--- a/enterprise/storage/database.py
+++ b/enterprise/storage/database.py
@@ -18,17 +18,17 @@ def _get_db_session_injector():
    return _config.db_session


-def session_maker():
+def session_maker(**kwargs):
    db_session_injector = _get_db_session_injector()
-    session_maker = db_session_injector.get_session_maker()
-    return session_maker()
+    factory = db_session_injector.get_session_maker()
+    return factory(**kwargs)


@contextlib.asynccontextmanager
-async def a_session_maker():
+async def a_session_maker(**kwargs):
    db_session_injector = _get_db_session_injector()
-    a_session_maker = await db_session_injector.get_async_session_maker()
-    async with a_session_maker() as session:
+    factory = await db_session_injector.get_async_session_maker()
+    async with factory(**kwargs) as session:
        yield session


--- a/enterprise/storage/device_code.py
+++ b/enterprise/storage/device_code.py
@@ -47,7 +47,11 @@ class DeviceCode(Base):
    def is_expired(self) -> bool:
        """Check if the device code has expired."""
        now = datetime.now(timezone.utc)
-        return now > self.expires_at
+        # Handle timezone-naive datetime from database by assuming it's UTC
+        expires_at = self.expires_at
+        if expires_at.tzinfo is None:
+            expires_at = expires_at.replace(tzinfo=timezone.utc)
+        return now > expires_at

    def is_pending(self) -> bool:
        """Check if the device code is still pending authorization."""
@@ -85,8 +89,13 @@ class DeviceCode(Base):
        if self.last_poll_time is None:
            return False, self.current_interval

+        # Handle timezone-naive datetime from database by assuming it's UTC
+        last_poll_time = self.last_poll_time
+        if last_poll_time.tzinfo is None:
+            last_poll_time = last_poll_time.replace(tzinfo=timezone.utc)
+
        # Calculate time since last poll
-        time_since_last_poll = (now - self.last_poll_time).total_seconds()
+        time_since_last_poll = (now - last_poll_time).total_seconds()

        # Check if polling too fast
        if time_since_last_poll < self.current_interval:
--- a/enterprise/storage/device_code_store.py
+++ b/enterprise/storage/device_code_store.py
@@ -1,19 +1,20 @@
 """Device code store for OAuth 2.0 Device Flow."""

+from __future__ import annotations
+
 import secrets
 import string
 from datetime import datetime, timedelta, timezone

+from sqlalchemy import select
 from sqlalchemy.exc import IntegrityError
+from storage.database import a_session_maker
 from storage.device_code import DeviceCode


 class DeviceCodeStore:
    """Store for managing OAuth 2.0 device codes."""

-    def __init__(self, session_maker):
-        self.session_maker = session_maker
-
    def generate_user_code(self) -> str:
        """Generate a human-readable user code (8 characters, uppercase letters and digits)."""
        # Use a mix of uppercase letters and digits, avoiding confusing characters
@@ -25,7 +26,7 @@ class DeviceCodeStore:
        alphabet = string.ascii_letters + string.digits
        return ''.join(secrets.choice(alphabet) for _ in range(128))

-    def create_device_code(
+    async def create_device_code(
        self,
        expires_in: int = 600,  # 10 minutes default
        max_attempts: int = 10,
@@ -58,11 +59,10 @@ class DeviceCodeStore:
            )

            try:
-                with self.session_maker() as session:
+                async with a_session_maker() as session:
                    session.add(device_code_entry)
-                    session.commit()
-                    session.refresh(device_code_entry)
-                    session.expunge(device_code_entry)  # Detach from session cleanly
+                    await session.commit()
+                    await session.refresh(device_code_entry)
                    return device_code_entry
            except IntegrityError:
                # Constraint violation - codes already exist, retry with new codes
@@ -72,25 +72,23 @@ class DeviceCodeStore:
            f'Failed to generate unique device codes after {max_attempts} attempts'
        )

-    def get_by_device_code(self, device_code: str) -> DeviceCode | None:
+    async def get_by_device_code(self, device_code: str) -> DeviceCode | None:
        """Get device code entry by device code."""
-        with self.session_maker() as session:
-            result = (
-                session.query(DeviceCode).filter_by(device_code=device_code).first()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(DeviceCode).filter_by(device_code=device_code)
            )
-            if result:
-                session.expunge(result)  # Detach from session cleanly
-            return result
+            return result.scalars().first()

-    def get_by_user_code(self, user_code: str) -> DeviceCode | None:
+    async def get_by_user_code(self, user_code: str) -> DeviceCode | None:
        """Get device code entry by user code."""
-        with self.session_maker() as session:
-            result = session.query(DeviceCode).filter_by(user_code=user_code).first()
-            if result:
-                session.expunge(result)  # Detach from session cleanly
-            return result
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(DeviceCode).filter_by(user_code=user_code)
+            )
+            return result.scalars().first()

-    def authorize_device_code(self, user_code: str, user_id: str) -> bool:
+    async def authorize_device_code(self, user_code: str, user_id: str) -> bool:
        """Authorize a device code.

        Args:
@@ -100,10 +98,11 @@ class DeviceCodeStore:
        Returns:
            True if authorization was successful, False otherwise
        """
-        with self.session_maker() as session:
-            device_code_entry = (
-                session.query(DeviceCode).filter_by(user_code=user_code).first()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(DeviceCode).filter_by(user_code=user_code)
            )
+            device_code_entry = result.scalars().first()

            if not device_code_entry:
                return False
@@ -112,11 +111,11 @@ class DeviceCodeStore:
                return False

            device_code_entry.authorize(user_id)
-            session.commit()
+            await session.commit()

            return True

-    def deny_device_code(self, user_code: str) -> bool:
+    async def deny_device_code(self, user_code: str) -> bool:
        """Deny a device code authorization.

        Args:
@@ -125,10 +124,11 @@ class DeviceCodeStore:
        Returns:
            True if denial was successful, False otherwise
        """
-        with self.session_maker() as session:
-            device_code_entry = (
-                session.query(DeviceCode).filter_by(user_code=user_code).first()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(DeviceCode).filter_by(user_code=user_code)
            )
+            device_code_entry = result.scalars().first()

            if not device_code_entry:
                return False
@@ -137,11 +137,11 @@ class DeviceCodeStore:
                return False

            device_code_entry.deny()
-            session.commit()
+            await session.commit()

            return True

-    def update_poll_time(
+    async def update_poll_time(
        self, device_code: str, increase_interval: bool = False
    ) -> bool:
        """Update the poll time for a device code and optionally increase interval.
@@ -153,15 +153,16 @@ class DeviceCodeStore:
        Returns:
            True if update was successful, False otherwise
        """
-        with self.session_maker() as session:
-            device_code_entry = (
-                session.query(DeviceCode).filter_by(device_code=device_code).first()
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(DeviceCode).filter_by(device_code=device_code)
            )
+            device_code_entry = result.scalars().first()

            if not device_code_entry:
                return False

            device_code_entry.update_poll_time(increase_interval)
-            session.commit()
+            await session.commit()

            return True
--- a/enterprise/storage/gitlab_webhook_store.py
+++ b/enterprise/storage/gitlab_webhook_store.py
@@ -5,7 +5,6 @@ from dataclasses import dataclass
 from integrations.types import GitLabResourceType
 from sqlalchemy import and_, asc, select, text, update
 from sqlalchemy.dialects.postgresql import insert
-from sqlalchemy.orm import sessionmaker
 from storage.database import a_session_maker
 from storage.gitlab_webhook import GitlabWebhook

@@ -14,8 +13,6 @@ from openhands.core.logger import openhands_logger as logger

@dataclass
 class GitlabWebhookStore:
-    a_session_maker: sessionmaker = a_session_maker
-
    @staticmethod
    def determine_resource_type(
        webhook: GitlabWebhook,
@@ -44,7 +41,7 @@ class GitlabWebhookStore:
        if not project_details:
            return

-        async with self.a_session_maker() as session:
+        async with a_session_maker() as session:
            async with session.begin():
                # Convert GitlabWebhook objects to dictionaries for the insert
                # Using __dict__ and filtering out SQLAlchemy internal attributes and 'id'
@@ -88,7 +85,7 @@ class GitlabWebhookStore:
        """

        resource_type, resource_id = GitlabWebhookStore.determine_resource_type(webhook)
-        async with self.a_session_maker() as session:
+        async with a_session_maker() as session:
            async with session.begin():
                stmt = (
                    update(GitlabWebhook).where(GitlabWebhook.project_id == resource_id)
@@ -122,7 +119,7 @@ class GitlabWebhookStore:
            },
        )

-        async with self.a_session_maker() as session:
+        async with a_session_maker() as session:
            async with session.begin():
                # Create query based on the identifier provided
                if resource_type == GitLabResourceType.PROJECT:
@@ -185,7 +182,7 @@ class GitlabWebhookStore:
            List of GitlabWebhook objects that need processing
        """

-        async with self.a_session_maker() as session:
+        async with a_session_maker() as session:
            query = (
                select(GitlabWebhook)
                .where(GitlabWebhook.webhook_exists.is_(False))
@@ -201,7 +198,7 @@ class GitlabWebhookStore:
        """
        Get's webhook secret given the webhook uuid and admin keycloak user id
        """
-        async with self.a_session_maker() as session:
+        async with a_session_maker() as session:
            query = (
                select(GitlabWebhook)
                .where(
@@ -235,7 +232,7 @@ class GitlabWebhookStore:
        Returns:
            GitlabWebhook object if found, None otherwise
        """
-        async with self.a_session_maker() as session:
+        async with a_session_maker() as session:
            if resource_type == GitLabResourceType.PROJECT:
                query = select(GitlabWebhook).where(
                    GitlabWebhook.project_id == resource_id
@@ -263,7 +260,7 @@ class GitlabWebhookStore:
        Returns:
            Tuple of (project_webhook_map, group_webhook_map)
        """
-        async with self.a_session_maker() as session:
+        async with a_session_maker() as session:
            project_webhook_map = {}
            group_webhook_map = {}

@@ -303,7 +300,7 @@ class GitlabWebhookStore:
        Returns:
            True if webhook was reset, False if not found
        """
-        async with self.a_session_maker() as session:
+        async with a_session_maker() as session:
            async with session.begin():
                if resource_type == GitLabResourceType.PROJECT:
                    update_statement = (
@@ -348,4 +345,4 @@ class GitlabWebhookStore:
        Returns:
            An instance of GitlabWebhookStore
        """
-        return GitlabWebhookStore(a_session_maker)
+        return GitlabWebhookStore()
--- a/Show More
+++ b/Show More