refactor(frontend): migrate selected org ID to Zustand (#12153 )

refactor(frontend): replace Temp components with design system components (#12158 )
refactor(frontend): rename updateMemberRole to updateMember with extensible params (#12151 )
2026-04-29 03:00:45 -04:00 · 2025-12-26 18:23:43 +04:00 · 2025-12-25 22:53:55 +04:00 · 2025-12-25 19:38:23 +04:00 · 2025-12-23 17:55:14 +04:00 · 2025-12-23 12:57:55 +00:00
364 changed files with 20263 additions and 8082 deletions
@@ -1,12 +1,8 @@
 # CODEOWNERS file for OpenHands repository
 # See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners

-# Frontend code owners
-/frontend/ @amanape
-/openhands-ui/ @amanape
-
-# Evaluation code owners
+/frontend/ @amanape @hieptl
+/openhands-ui/ @amanape @hieptl
+/openhands/ @tofarr @malhotra5 @hieptl
+/enterprise/ @chuckbutkus @tofarr @malhotra5
 /evaluation/ @xingyaoww @neubig
-
-# Documentation code owners
-/docs/ @mamoodi
@@ -0,0 +1,47 @@
+# Workflow that runs frontend e2e tests with Playwright
+name: Run Frontend E2E Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - "frontend/**"
+      - ".github/workflows/fe-e2e-tests.yml"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  fe-e2e-test:
+    name: FE E2E Tests
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    strategy:
+      matrix:
+        node-version: [22]
+      fail-fast: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Node.js
+        uses: useblacksmith/setup-node@v5
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install dependencies
+        working-directory: ./frontend
+        run: npm ci
+      - name: Install Playwright browsers
+        working-directory: ./frontend
+        run: npx playwright install --with-deps chromium
+      - name: Run Playwright tests
+        working-directory: ./frontend
+        run: npx playwright test --project=chromium
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: playwright-report
+          path: frontend/playwright-report/
+          retention-days: 30
@@ -63,7 +63,7 @@ Frontend:
  - We use TanStack Query (fka React Query) for data fetching and cache management
  - Data Access Layer: API client methods are located in `frontend/src/api` and should never be called directly from UI components - they must always be wrapped with TanStack Query
  - Custom hooks are located in `frontend/src/hooks/query/` and `frontend/src/hooks/mutation/`
-  - Query hooks should follow the pattern use[Resource] (e.g., `useConversationMicroagents`)
+  - Query hooks should follow the pattern use[Resource] (e.g., `useConversationSkills`)
  - Mutation hooks should follow the pattern use[Action] (e.g., `useDeleteConversation`)
  - Architecture rule: UI components → TanStack Query hooks → Data Access Layer (`frontend/src/api`) → API endpoints

@@ -161,7 +161,7 @@ poetry run pytest ./tests/unit/test_*.py
 To reduce build time (e.g., if no changes were made to the client-runtime component), you can use an existing Docker
 container image by setting the SANDBOX_RUNTIME_CONTAINER_IMAGE environment variable to the desired Docker image.

-Example: `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:0.62-nikolaik`
+Example: `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:1.0-nikolaik`

 ## Develop inside Docker container

@@ -8,7 +8,7 @@

 <div align="center">
  <a href="https://github.com/OpenHands/OpenHands/blob/main/LICENSE"><img src="https://img.shields.io/badge/LICENSE-MIT-20B2AA?style=for-the-badge" alt="MIT License"></a>
-  <a href="https://docs.google.com/spreadsheets/d/1wOUdFCMyY6Nt0AIqF705KN4JKOWgeI4wUGUP60krXXs/edit?gid=811504672#gid=811504672"><img src="https://img.shields.io/badge/SWEBench-72.8-00cc00?logoColor=FFE165&style=for-the-badge" alt="Benchmark Score"></a>
+  <a href="https://docs.google.com/spreadsheets/d/1wOUdFCMyY6Nt0AIqF705KN4JKOWgeI4wUGUP60krXXs/edit?gid=811504672#gid=811504672"><img src="https://img.shields.io/badge/SWEBench-77.6-00cc00?logoColor=FFE165&style=for-the-badge" alt="Benchmark Score"></a>
  <br/>
  <a href="https://docs.openhands.dev/sdk"><img src="https://img.shields.io/badge/Documentation-000?logo=googledocs&logoColor=FFE165&style=for-the-badge" alt="Check out the documentation"></a>
  <a href="https://arxiv.org/abs/2511.03690"><img src="https://img.shields.io/badge/Paper-000?logoColor=FFE165&logo=arxiv&style=for-the-badge" alt="Tech Report"></a>
@@ -12,7 +12,7 @@ services:
      - SANDBOX_API_HOSTNAME=host.docker.internal
      - DOCKER_HOST_ADDR=host.docker.internal
      #
-      - SANDBOX_RUNTIME_CONTAINER_IMAGE=${SANDBOX_RUNTIME_CONTAINER_IMAGE:-ghcr.io/openhands/runtime:0.62-nikolaik}
+      - SANDBOX_RUNTIME_CONTAINER_IMAGE=${SANDBOX_RUNTIME_CONTAINER_IMAGE:-ghcr.io/openhands/runtime:1.0-nikolaik}
      - SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234}
      - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
    ports:
@@ -7,7 +7,7 @@ services:
    image: openhands:latest
    container_name: openhands-app-${DATE:-}
    environment:
-      - SANDBOX_RUNTIME_CONTAINER_IMAGE=${SANDBOX_RUNTIME_CONTAINER_IMAGE:-docker.openhands.dev/openhands/runtime:0.62-nikolaik}
+      - SANDBOX_RUNTIME_CONTAINER_IMAGE=${SANDBOX_RUNTIME_CONTAINER_IMAGE:-docker.openhands.dev/openhands/runtime:1.0-nikolaik}
      #- SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234} # enable this only if you want a specific non-root sandbox user but you will have to manually adjust permissions of ~/.openhands for this user
      - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
    ports:
@@ -31,9 +31,8 @@ RUN pip install alembic psycopg2-binary cloud-sql-python-connector pg8000 gsprea
        "pillow>=11.3.0"

 WORKDIR /app
-COPY enterprise .
+COPY --chown=openhands:openhands --chmod=770 enterprise .

-RUN chown -R openhands:openhands /app && chmod -R 770 /app
 USER openhands

 # Command will be overridden by Kubernetes deployment template
@@ -721,6 +721,7 @@
        "https://$WEB_HOST/oauth/keycloak/callback",
        "https://$WEB_HOST/oauth/keycloak/offline/callback",
        "https://$WEB_HOST/slack/keycloak-callback",
+        "https://$WEB_HOST/oauth/device/keycloak-callback",
        "https://$WEB_HOST/api/email/verified",
        "/realms/$KEYCLOAK_REALM_NAME/$KEYCLOAK_CLIENT_ID/*"
      ],
@@ -116,7 +116,7 @@ lines.append('POSTHOG_CLIENT_KEY=test')
 lines.append('ENABLE_PROACTIVE_CONVERSATION_STARTERS=true')
 lines.append('MAX_CONCURRENT_CONVERSATIONS=10')
 lines.append('LITE_LLM_API_URL=https://llm-proxy.eval.all-hands.dev')
-lines.append('LITELLM_DEFAULT_MODEL=litellm_proxy/claude-sonnet-4-20250514')
+lines.append('LITELLM_DEFAULT_MODEL=litellm_proxy/claude-opus-4-5-20251101')
 lines.append(f'LITE_LLM_API_KEY={lite_llm_api_key}')
 lines.append('LOCAL_DEPLOYMENT=true')
 lines.append('DB_HOST=localhost')
@@ -22,6 +22,7 @@ from integrations.utils import (
    HOST_URL,
    OPENHANDS_RESOLVER_TEMPLATES_DIR,
 )
+from integrations.v1_utils import get_saas_user_auth
 from jinja2 import Environment, FileSystemLoader
 from pydantic import SecretStr
 from server.auth.constants import GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
@@ -164,8 +165,13 @@ class GithubManager(Manager):
            )

        if await self.is_job_requested(message):
+            payload = message.message.get('payload', {})
+            user_id = payload['sender']['id']
+            keycloak_user_id = await self.token_manager.get_user_id_from_idp_user_id(
+                user_id, ProviderType.GITHUB
+            )
            github_view = await GithubFactory.create_github_view_from_payload(
-                message, self.token_manager
+                message, keycloak_user_id
            )
            logger.info(
                f'[GitHub] Creating job for {github_view.user_info.username} in {github_view.full_repo_name}#{github_view.issue_number}'
@@ -282,8 +288,15 @@ class GithubManager(Manager):
                        f'[Github]: Error summarizing issue solvability: {str(e)}'
                    )

+                saas_user_auth = await get_saas_user_auth(
+                    github_view.user_info.keycloak_user_id, self.token_manager
+                )
+
                await github_view.create_new_conversation(
-                    self.jinja_env, secret_store.provider_tokens, convo_metadata
+                    self.jinja_env,
+                    secret_store.provider_tokens,
+                    convo_metadata,
+                    saas_user_auth,
                )

                conversation_id = github_view.conversation_id
@@ -292,14 +305,7 @@ class GithubManager(Manager):
                    f'[GitHub] Created conversation {conversation_id} for user {user_info.username}'
                )

-                from openhands.server.shared import ConversationStoreImpl, config
-
-                conversation_store = await ConversationStoreImpl.get_instance(
-                    config, github_view.user_info.keycloak_user_id
-                )
-                metadata = await conversation_store.get_metadata(conversation_id)
-
-                if metadata.conversation_version != 'v1':
+                if not github_view.v1:
                    # Create a GithubCallbackProcessor
                    processor = GithubCallbackProcessor(
                        github_view=github_view,
@@ -1,3 +1,4 @@
+from dataclasses import dataclass
 from uuid import UUID, uuid4

 from github import Github, GithubIntegration
@@ -8,16 +9,17 @@ from integrations.github.github_types import (
    WorkflowRunStatus,
 )
 from integrations.models import Message
+from integrations.resolver_context import ResolverUserContext
 from integrations.types import ResolverViewInterface, UserData
 from integrations.utils import (
    ENABLE_PROACTIVE_CONVERSATION_STARTERS,
+    ENABLE_V1_GITHUB_RESOLVER,
    HOST,
    HOST_URL,
    get_oh_labels,
    has_exact_mention,
 )
 from jinja2 import Environment
-from pydantic.dataclasses import dataclass
 from server.auth.constants import GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY
 from server.auth.token_manager import TokenManager
 from server.config import get_config
@@ -34,18 +36,16 @@ from openhands.app_server.app_conversation.app_conversation_models import (
 from openhands.app_server.config import get_app_conversation_service
 from openhands.app_server.services.injector import InjectorState
 from openhands.app_server.user.specifiy_user_context import USER_CONTEXT_ATTR
-from openhands.app_server.user.user_context import UserContext
-from openhands.app_server.user.user_models import UserInfo
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.github.github_service import GithubServiceImpl
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderType
 from openhands.integrations.service_types import Comment
 from openhands.sdk import TextContent
-from openhands.sdk.conversation.secret_source import SecretSource
 from openhands.server.services.conversation_service import (
    initialize_conversation,
    start_conversation,
 )
+from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import (
    ConversationMetadata,
    ConversationTrigger,
@@ -55,52 +55,6 @@ from openhands.utils.async_utils import call_sync_from_async
 OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)


-class GithubUserContext(UserContext):
-    """User context for GitHub integration that provides user info without web request."""
-
-    def __init__(self, keycloak_user_id: str, git_provider_tokens: PROVIDER_TOKEN_TYPE):
-        self.keycloak_user_id = keycloak_user_id
-        self.git_provider_tokens = git_provider_tokens
-        self.settings_store = SaasSettingsStore(
-            user_id=self.keycloak_user_id,
-            session_maker=session_maker,
-            config=get_config(),
-        )
-
-        self.secrets_store = SaasSecretsStore(
-            self.keycloak_user_id, session_maker, get_config()
-        )
-
-    async def get_user_id(self) -> str | None:
-        return self.keycloak_user_id
-
-    async def get_user_info(self) -> UserInfo:
-        user_settings = await self.settings_store.load()
-        return UserInfo(
-            id=self.keycloak_user_id,
-            **user_settings.model_dump(context={'expose_secrets': True}),
-        )
-
-    async def get_authenticated_git_url(self, repository: str) -> str:
-        # This would need to be implemented based on the git provider tokens
-        # For now, return a basic HTTPS URL
-        return f'https://github.com/{repository}.git'
-
-    async def get_latest_token(self, provider_type: ProviderType) -> str | None:
-        # Return the appropriate token from git_provider_tokens
-        if provider_type == ProviderType.GITHUB and self.git_provider_tokens:
-            return self.git_provider_tokens.get(ProviderType.GITHUB)
-        return None
-
-    async def get_secrets(self) -> dict[str, SecretSource]:
-        # Return empty dict for now - GitHub integration handles secrets separately
-        user_secrets = await self.secrets_store.load()
-        return dict(user_secrets.custom_secrets) if user_secrets else {}
-
-    async def get_mcp_api_key(self) -> str | None:
-        raise NotImplementedError()
-
-
 async def get_user_proactive_conversation_setting(user_id: str | None) -> bool:
    """Get the user's proactive conversation setting.

@@ -134,7 +88,7 @@ async def get_user_proactive_conversation_setting(user_id: str | None) -> bool:
    return settings.enable_proactive_conversation_starters


-async def get_user_v1_enabled_setting(user_id: str | None) -> bool:
+async def get_user_v1_enabled_setting(user_id: str) -> bool:
    """Get the user's V1 conversation API setting.

    Args:
@@ -142,10 +96,13 @@ async def get_user_v1_enabled_setting(user_id: str | None) -> bool:

    Returns:
        True if V1 conversations are enabled for this user, False otherwise
-    """

-    # If no user ID is provided, we can't check user settings
-    if not user_id:
+    Note:
+        This function checks both the global environment variable kill switch AND
+        the user's individual setting. Both must be true for the function to return true.
+    """
+    # Check the global environment variable first
+    if not ENABLE_V1_GITHUB_RESOLVER:
        return False

    config = get_config()
@@ -183,6 +140,7 @@ class GithubIssue(ResolverViewInterface):
    title: str
    description: str
    previous_comments: list[Comment]
+    v1: bool

    async def _load_resolver_context(self):
        github_service = GithubServiceImpl(
@@ -229,6 +187,19 @@ class GithubIssue(ResolverViewInterface):

    async def initialize_new_conversation(self) -> ConversationMetadata:
        # FIXME: Handle if initialize_conversation returns None
+
+        v1_enabled = await get_user_v1_enabled_setting(self.user_info.keycloak_user_id)
+        logger.info(
+            f'[GitHub V1]: User flag found for {self.user_info.keycloak_user_id} is {v1_enabled}'
+        )
+        if v1_enabled:
+            # Create dummy conversationm metadata
+            # Don't save to conversation store
+            # V1 conversations are stored in a separate table
+            return ConversationMetadata(
+                conversation_id=uuid4().hex, selected_repository=self.full_repo_name
+            )
+
        conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
            user_id=self.user_info.keycloak_user_id,
            conversation_id=None,
@@ -245,14 +216,17 @@ class GithubIssue(ResolverViewInterface):
        jinja_env: Environment,
        git_provider_tokens: PROVIDER_TOKEN_TYPE,
        conversation_metadata: ConversationMetadata,
+        saas_user_auth: UserAuth,
    ):
        v1_enabled = await get_user_v1_enabled_setting(self.user_info.keycloak_user_id)
-
+        logger.info(
+            f'[GitHub V1]: User flag found for {self.user_info.keycloak_user_id} is {v1_enabled}'
+        )
        if v1_enabled:
            try:
                # Use V1 app conversation service
                await self._create_v1_conversation(
-                    jinja_env, git_provider_tokens, conversation_metadata
+                    jinja_env, saas_user_auth, conversation_metadata
                )
                return

@@ -271,6 +245,7 @@ class GithubIssue(ResolverViewInterface):
        conversation_metadata: ConversationMetadata,
    ):
        """Create conversation using the legacy V0 system."""
+        logger.info('[GitHub]: Creating V0 conversation')
        custom_secrets = await self._get_user_secrets()

        user_instructions, conversation_instructions = await self._get_instructions(
@@ -292,10 +267,12 @@ class GithubIssue(ResolverViewInterface):
    async def _create_v1_conversation(
        self,
        jinja_env: Environment,
-        git_provider_tokens: PROVIDER_TOKEN_TYPE,
+        saas_user_auth: UserAuth,
        conversation_metadata: ConversationMetadata,
    ):
        """Create conversation using the new V1 app conversation system."""
+        logger.info('[GitHub V1]: Creating V1 conversation')
+
        user_instructions, conversation_instructions = await self._get_instructions(
            jinja_env
        )
@@ -326,10 +303,7 @@ class GithubIssue(ResolverViewInterface):
        )

        # Set up the GitHub user context for the V1 system
-        github_user_context = GithubUserContext(
-            keycloak_user_id=self.user_info.keycloak_user_id,
-            git_provider_tokens=git_provider_tokens,
-        )
+        github_user_context = ResolverUserContext(saas_user_auth=saas_user_auth)
        setattr(injector_state, USER_CONTEXT_ATTR, github_user_context)

        async with get_app_conversation_service(
@@ -344,6 +318,8 @@ class GithubIssue(ResolverViewInterface):
                        f'Failed to start V1 conversation: {task.detail}'
                    )

+        self.v1 = True
+
    def _create_github_v1_callback_processor(self):
        """Create a V1 callback processor for GitHub integration."""
        from openhands.app_server.event_callback.github_v1_callback_processor import (
@@ -415,7 +391,18 @@ class GithubPRComment(GithubIssueComment):
        return user_instructions, conversation_instructions

    async def initialize_new_conversation(self) -> ConversationMetadata:
-        # FIXME: Handle if initialize_conversation returns None
+        v1_enabled = await get_user_v1_enabled_setting(self.user_info.keycloak_user_id)
+        logger.info(
+            f'[GitHub V1]: User flag found for {self.user_info.keycloak_user_id} is {v1_enabled}'
+        )
+        if v1_enabled:
+            # Create dummy conversationm metadata
+            # Don't save to conversation store
+            # V1 conversations are stored in a separate table
+            return ConversationMetadata(
+                conversation_id=uuid4().hex, selected_repository=self.full_repo_name
+            )
+
        conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
            user_id=self.user_info.keycloak_user_id,
            conversation_id=None,
@@ -806,7 +793,7 @@ class GithubFactory:

    @staticmethod
    async def create_github_view_from_payload(
-        message: Message, token_manager: TokenManager
+        message: Message, keycloak_user_id: str
    ) -> ResolverViewInterface:
        """Create the appropriate class (GithubIssue or GithubPRComment) based on the payload.
        Also return metadata about the event (e.g., action type).
@@ -816,17 +803,10 @@ class GithubFactory:
        user_id = payload['sender']['id']
        username = payload['sender']['login']

-        keyloak_user_id = await token_manager.get_user_id_from_idp_user_id(
-            user_id, ProviderType.GITHUB
-        )
-
-        if keyloak_user_id is None:
-            logger.warning(f'Got invalid keyloak user id for GitHub User {user_id} ')
-
        selected_repo = GithubFactory.get_full_repo_name(repo_obj)
        is_public_repo = not repo_obj.get('private', True)
        user_info = UserData(
-            user_id=user_id, username=username, keycloak_user_id=keyloak_user_id
+            user_id=user_id, username=username, keycloak_user_id=keycloak_user_id
        )

        installation_id = message.message['installation']
@@ -850,6 +830,7 @@ class GithubFactory:
                title='',
                description='',
                previous_comments=[],
+                v1=False,
            )

        elif GithubFactory.is_issue_comment(message):
@@ -875,6 +856,7 @@ class GithubFactory:
                title='',
                description='',
                previous_comments=[],
+                v1=False,
            )

        elif GithubFactory.is_pr_comment(message):
@@ -916,6 +898,7 @@ class GithubFactory:
                title='',
                description='',
                previous_comments=[],
+                v1=False,
            )

        elif GithubFactory.is_inline_pr_comment(message):
@@ -949,6 +932,7 @@ class GithubFactory:
                title='',
                description='',
                previous_comments=[],
+                v1=False,
            )

        else:
@@ -0,0 +1,63 @@
+from openhands.app_server.user.user_context import UserContext
+from openhands.app_server.user.user_models import UserInfo
+from openhands.integrations.provider import PROVIDER_TOKEN_TYPE
+from openhands.integrations.service_types import ProviderType
+from openhands.sdk.secret import SecretSource, StaticSecret
+from openhands.server.user_auth.user_auth import UserAuth
+
+
+class ResolverUserContext(UserContext):
+    """User context for resolver operations that inherits from UserContext."""
+
+    def __init__(
+        self,
+        saas_user_auth: UserAuth,
+    ):
+        self.saas_user_auth = saas_user_auth
+
+    async def get_user_id(self) -> str | None:
+        return await self.saas_user_auth.get_user_id()
+
+    async def get_user_info(self) -> UserInfo:
+        user_settings = await self.saas_user_auth.get_user_settings()
+        user_id = await self.saas_user_auth.get_user_id()
+        if user_settings:
+            return UserInfo(
+                id=user_id,
+                **user_settings.model_dump(context={'expose_secrets': True}),
+            )
+
+        return UserInfo(id=user_id)
+
+    async def get_authenticated_git_url(self, repository: str) -> str:
+        # This would need to be implemented based on the git provider tokens
+        # For now, return a basic HTTPS URL
+        return f'https://github.com/{repository}.git'
+
+    async def get_latest_token(self, provider_type: ProviderType) -> str | None:
+        # Return the appropriate token from git_provider_tokens
+
+        provider_tokens = await self.saas_user_auth.get_provider_tokens()
+        if provider_tokens:
+            return provider_tokens.get(provider_type)
+        return None
+
+    async def get_provider_tokens(self) -> PROVIDER_TOKEN_TYPE | None:
+        return await self.saas_user_auth.get_provider_tokens()
+
+    async def get_secrets(self) -> dict[str, SecretSource]:
+        """Get secrets for the user, including custom secrets."""
+        secrets = await self.saas_user_auth.get_secrets()
+        if secrets:
+            # Convert custom secrets to StaticSecret objects for SDK compatibility
+            # secrets.custom_secrets is of type Mapping[str, CustomSecret]
+            converted_secrets = {}
+            for key, custom_secret in secrets.custom_secrets.items():
+                # Extract the secret value from CustomSecret and convert to StaticSecret
+                secret_value = custom_secret.secret.get_secret_value()
+                converted_secrets[key] = StaticSecret(value=secret_value)
+            return converted_secrets
+        return {}
+
+    async def get_mcp_api_key(self) -> str | None:
+        return await self.saas_user_auth.get_mcp_api_key()
@@ -19,7 +19,7 @@ class PRStatus(Enum):
 class UserData(BaseModel):
    user_id: int
    username: str
-    keycloak_user_id: str | None
+    keycloak_user_id: str


@dataclass
@@ -51,6 +51,11 @@ ENABLE_SOLVABILITY_ANALYSIS = (
    os.getenv('ENABLE_SOLVABILITY_ANALYSIS', 'false').lower() == 'true'
 )

+# Toggle for V1 GitHub resolver feature
+ENABLE_V1_GITHUB_RESOLVER = (
+    os.getenv('ENABLE_V1_GITHUB_RESOLVER', 'false').lower() == 'true'
+)
+

 OPENHANDS_RESOLVER_TEMPLATES_DIR = 'openhands/integrations/templates/resolver/'
 jinja_env = Environment(loader=FileSystemLoader(OPENHANDS_RESOLVER_TEMPLATES_DIR))
@@ -0,0 +1,20 @@
+from pydantic import SecretStr
+from server.auth.saas_user_auth import SaasUserAuth
+from server.auth.token_manager import TokenManager
+
+from openhands.core.logger import openhands_logger as logger
+from openhands.server.user_auth.user_auth import UserAuth
+
+
+async def get_saas_user_auth(
+    keycloak_user_id: str, token_manager: TokenManager
+) -> UserAuth:
+    offline_token = await token_manager.load_offline_token(keycloak_user_id)
+    if offline_token is None:
+        logger.info('no_offline_token_found')
+
+    user_auth = SaasUserAuth(
+        user_id=keycloak_user_id,
+        refresh_token=SecretStr(offline_token),
+    )
+    return user_auth
@@ -0,0 +1,49 @@
+"""Create device_codes table for OAuth 2.0 Device Flow
+
+Revision ID: 084
+Revises: 083
+Create Date: 2024-12-10 12:00:00.000000
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = '084'
+down_revision = '083'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    """Create device_codes table for OAuth 2.0 Device Flow."""
+    op.create_table(
+        'device_codes',
+        sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+        sa.Column('device_code', sa.String(length=128), nullable=False),
+        sa.Column('user_code', sa.String(length=16), nullable=False),
+        sa.Column('status', sa.String(length=32), nullable=False),
+        sa.Column('keycloak_user_id', sa.String(length=255), nullable=True),
+        sa.Column('expires_at', sa.DateTime(timezone=True), nullable=False),
+        sa.Column('authorized_at', sa.DateTime(timezone=True), nullable=True),
+        # Rate limiting fields for RFC 8628 section 3.5 compliance
+        sa.Column('last_poll_time', sa.DateTime(timezone=True), nullable=True),
+        sa.Column('current_interval', sa.Integer(), nullable=False, default=5),
+        sa.PrimaryKeyConstraint('id'),
+    )
+
+    # Create indexes for efficient lookups
+    op.create_index(
+        'ix_device_codes_device_code', 'device_codes', ['device_code'], unique=True
+    )
+    op.create_index(
+        'ix_device_codes_user_code', 'device_codes', ['user_code'], unique=True
+    )
+
+
+def downgrade():
+    """Drop device_codes table."""
+    op.drop_index('ix_device_codes_user_code', table_name='device_codes')
+    op.drop_index('ix_device_codes_device_code', table_name='device_codes')
+    op.drop_table('device_codes')
@@ -201,14 +201,14 @@ files = [

 [[package]]
 name = "anthropic"
-version = "0.72.0"
+version = "0.75.0"
 description = "The official Python library for the anthropic API"
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "anthropic-0.72.0-py3-none-any.whl", hash = "sha256:0e9f5a7582f038cab8efbb4c959e49ef654a56bfc7ba2da51b5a7b8a84de2e4d"},
-    {file = "anthropic-0.72.0.tar.gz", hash = "sha256:8971fe76dcffc644f74ac3883069beb1527641115ae0d6eb8fa21c1ce4082f7a"},
+    {file = "anthropic-0.75.0-py3-none-any.whl", hash = "sha256:ea8317271b6c15d80225a9f3c670152746e88805a7a61e14d4a374577164965b"},
+    {file = "anthropic-0.75.0.tar.gz", hash = "sha256:e8607422f4ab616db2ea5baacc215dd5f028da99ce2f022e33c7c535b29f3dfb"},
 ]

 [package.dependencies]
@@ -682,37 +682,37 @@ crt = ["awscrt (==0.27.6)"]

 [[package]]
 name = "browser-use"
-version = "0.9.5"
+version = "0.10.1"
 description = "Make websites accessible for AI agents"
 optional = false
 python-versions = "<4.0,>=3.11"
 groups = ["main"]
 files = [
-    {file = "browser_use-0.9.5-py3-none-any.whl", hash = "sha256:4a2e92847204d1ded269026a99cb0cc0e60e38bd2751fa3f58aedd78f00b4e67"},
-    {file = "browser_use-0.9.5.tar.gz", hash = "sha256:f8285fe253b149d01769a7084883b4cf4db351e2f38e26302c157bcbf14a703f"},
+    {file = "browser_use-0.10.1-py3-none-any.whl", hash = "sha256:96e603bfc71098175342cdcb0592519e6f244412e740f0254e4389fdd82a977f"},
+    {file = "browser_use-0.10.1.tar.gz", hash = "sha256:5f211ecfdf1f9fd186160f10df70dedd661821231e30f1bce40939787abab223"},
 ]

 [package.dependencies]
 aiohttp = "3.12.15"
-anthropic = ">=0.68.1,<1.0.0"
+anthropic = ">=0.72.1,<1.0.0"
 anyio = ">=4.9.0"
 authlib = ">=1.6.0"
 bubus = ">=1.5.6"
-cdp-use = ">=1.4.0"
+cdp-use = ">=1.4.4"
 click = ">=8.1.8"
 cloudpickle = ">=3.1.1"
 google-api-core = ">=2.25.0"
 google-api-python-client = ">=2.174.0"
 google-auth = ">=2.40.3"
 google-auth-oauthlib = ">=1.2.2"
-google-genai = ">=1.29.0,<2.0.0"
+google-genai = ">=1.50.0,<2.0.0"
 groq = ">=0.30.0"
 httpx = ">=0.28.1"
 inquirerpy = ">=0.3.4"
 markdownify = ">=1.2.0"
 mcp = ">=1.10.1"
 ollama = ">=0.5.1"
-openai = ">=1.99.2,<2.0.0"
+openai = ">=2.7.2,<3.0.0"
 pillow = ">=11.2.1"
 portalocker = ">=2.7.0,<3.0.0"
 posthog = ">=3.7.0"
@@ -721,6 +721,7 @@ pydantic = ">=2.11.5"
 pyobjc = {version = ">=11.0", markers = "platform_system == \"darwin\""}
 pyotp = ">=2.9.0"
 pypdf = ">=5.7.0"
+python-docx = ">=1.2.0"
 python-dotenv = ">=1.0.1"
 reportlab = ">=4.0.0"
 requests = ">=2.32.3"
@@ -850,14 +851,14 @@ files = [

 [[package]]
 name = "cdp-use"
-version = "1.4.3"
+version = "1.4.4"
 description = "Type safe generator/client library for CDP"
 optional = false
 python-versions = ">=3.11"
 groups = ["main"]
 files = [
-    {file = "cdp_use-1.4.3-py3-none-any.whl", hash = "sha256:c48664604470c2579aa1e677c3e3e7e24c4f300c54804c093d935abb50479ecd"},
-    {file = "cdp_use-1.4.3.tar.gz", hash = "sha256:9029c04bdc49fbd3939d2bf1988ad8d88e260729c7d5e35c2f6c87591f5a10e9"},
+    {file = "cdp_use-1.4.4-py3-none-any.whl", hash = "sha256:e37e80e067db2653d6fdf953d4ff9e5d80d75daa27b7c6d48c0261cccbef73e1"},
+    {file = "cdp_use-1.4.4.tar.gz", hash = "sha256:330a848b517006eb9ad1dc468aa6434d913cf0c6918610760c36c3fdfdba0fab"},
 ]

 [package.dependencies]
@@ -2978,28 +2979,29 @@ testing = ["pytest"]

 [[package]]
 name = "google-genai"
-version = "1.32.0"
+version = "1.53.0"
 description = "GenAI Python SDK"
 optional = false
-python-versions = ">=3.9"
+python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "google_genai-1.32.0-py3-none-any.whl", hash = "sha256:c0c4b1d45adf3aa99501050dd73da2f0dea09374002231052d81a6765d15e7f6"},
-    {file = "google_genai-1.32.0.tar.gz", hash = "sha256:349da3f5ff0e981066bd508585fcdd308d28fc4646f318c8f6d1aa6041f4c7e3"},
+    {file = "google_genai-1.53.0-py3-none-any.whl", hash = "sha256:65a3f99e5c03c372d872cda7419f5940e723374bb12a2f3ffd5e3e56e8eb2094"},
+    {file = "google_genai-1.53.0.tar.gz", hash = "sha256:938a26d22f3fd32c6eeeb4276ef204ef82884e63af9842ce3eac05ceb39cbd8d"},
 ]

 [package.dependencies]
 anyio = ">=4.8.0,<5.0.0"
-google-auth = ">=2.14.1,<3.0.0"
+google-auth = {version = ">=2.14.1,<3.0.0", extras = ["requests"]}
 httpx = ">=0.28.1,<1.0.0"
-pydantic = ">=2.0.0,<3.0.0"
+pydantic = ">=2.9.0,<3.0.0"
 requests = ">=2.28.1,<3.0.0"
 tenacity = ">=8.2.3,<9.2.0"
 typing-extensions = ">=4.11.0,<5.0.0"
 websockets = ">=13.0.0,<15.1.0"

 [package.extras]
-aiohttp = ["aiohttp (<4.0.0)"]
+aiohttp = ["aiohttp (<3.13.3)"]
+local-tokenizer = ["protobuf", "sentencepiece (>=0.2.0)"]

 [[package]]
 name = "google-resumable-media"
@@ -3055,6 +3057,8 @@ files = [
    {file = "greenlet-3.2.4-cp310-cp310-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c2ca18a03a8cfb5b25bc1cbe20f3d9a4c80d8c3b13ba3df49ac3961af0b1018d"},
    {file = "greenlet-3.2.4-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:9fe0a28a7b952a21e2c062cd5756d34354117796c6d9215a87f55e38d15402c5"},
    {file = "greenlet-3.2.4-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:8854167e06950ca75b898b104b63cc646573aa5fef1353d4508ecdd1ee76254f"},
+    {file = "greenlet-3.2.4-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:f47617f698838ba98f4ff4189aef02e7343952df3a615f847bb575c3feb177a7"},
+    {file = "greenlet-3.2.4-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:af41be48a4f60429d5cad9d22175217805098a9ef7c40bfef44f7669fb9d74d8"},
    {file = "greenlet-3.2.4-cp310-cp310-win_amd64.whl", hash = "sha256:73f49b5368b5359d04e18d15828eecc1806033db5233397748f4ca813ff1056c"},
    {file = "greenlet-3.2.4-cp311-cp311-macosx_11_0_universal2.whl", hash = "sha256:96378df1de302bc38e99c3a9aa311967b7dc80ced1dcc6f171e99842987882a2"},
    {file = "greenlet-3.2.4-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:1ee8fae0519a337f2329cb78bd7a8e128ec0f881073d43f023c7b8d4831d5246"},
@@ -3064,6 +3068,8 @@ files = [
    {file = "greenlet-3.2.4-cp311-cp311-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:2523e5246274f54fdadbce8494458a2ebdcdbc7b802318466ac5606d3cded1f8"},
    {file = "greenlet-3.2.4-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:1987de92fec508535687fb807a5cea1560f6196285a4cde35c100b8cd632cc52"},
    {file = "greenlet-3.2.4-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:55e9c5affaa6775e2c6b67659f3a71684de4c549b3dd9afca3bc773533d284fa"},
+    {file = "greenlet-3.2.4-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:c9c6de1940a7d828635fbd254d69db79e54619f165ee7ce32fda763a9cb6a58c"},
+    {file = "greenlet-3.2.4-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:03c5136e7be905045160b1b9fdca93dd6727b180feeafda6818e6496434ed8c5"},
    {file = "greenlet-3.2.4-cp311-cp311-win_amd64.whl", hash = "sha256:9c40adce87eaa9ddb593ccb0fa6a07caf34015a29bf8d344811665b573138db9"},
    {file = "greenlet-3.2.4-cp312-cp312-macosx_11_0_universal2.whl", hash = "sha256:3b67ca49f54cede0186854a008109d6ee71f66bd57bb36abd6d0a0267b540cdd"},
    {file = "greenlet-3.2.4-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:ddf9164e7a5b08e9d22511526865780a576f19ddd00d62f8a665949327fde8bb"},
@@ -3073,6 +3079,8 @@ files = [
    {file = "greenlet-3.2.4-cp312-cp312-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:3b3812d8d0c9579967815af437d96623f45c0f2ae5f04e366de62a12d83a8fb0"},
    {file = "greenlet-3.2.4-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:abbf57b5a870d30c4675928c37278493044d7c14378350b3aa5d484fa65575f0"},
    {file = "greenlet-3.2.4-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:20fb936b4652b6e307b8f347665e2c615540d4b42b3b4c8a321d8286da7e520f"},
+    {file = "greenlet-3.2.4-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:ee7a6ec486883397d70eec05059353b8e83eca9168b9f3f9a361971e77e0bcd0"},
+    {file = "greenlet-3.2.4-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:326d234cbf337c9c3def0676412eb7040a35a768efc92504b947b3e9cfc7543d"},
    {file = "greenlet-3.2.4-cp312-cp312-win_amd64.whl", hash = "sha256:a7d4e128405eea3814a12cc2605e0e6aedb4035bf32697f72deca74de4105e02"},
    {file = "greenlet-3.2.4-cp313-cp313-macosx_11_0_universal2.whl", hash = "sha256:1a921e542453fe531144e91e1feedf12e07351b1cf6c9e8a3325ea600a715a31"},
    {file = "greenlet-3.2.4-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:cd3c8e693bff0fff6ba55f140bf390fa92c994083f838fece0f63be121334945"},
@@ -3082,6 +3090,8 @@ files = [
    {file = "greenlet-3.2.4-cp313-cp313-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:23768528f2911bcd7e475210822ffb5254ed10d71f4028387e5a99b4c6699671"},
    {file = "greenlet-3.2.4-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:00fadb3fedccc447f517ee0d3fd8fe49eae949e1cd0f6a611818f4f6fb7dc83b"},
    {file = "greenlet-3.2.4-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:d25c5091190f2dc0eaa3f950252122edbbadbb682aa7b1ef2f8af0f8c0afefae"},
+    {file = "greenlet-3.2.4-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:6e343822feb58ac4d0a1211bd9399de2b3a04963ddeec21530fc426cc121f19b"},
+    {file = "greenlet-3.2.4-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ca7f6f1f2649b89ce02f6f229d7c19f680a6238af656f61e0115b24857917929"},
    {file = "greenlet-3.2.4-cp313-cp313-win_amd64.whl", hash = "sha256:554b03b6e73aaabec3745364d6239e9e012d64c68ccd0b8430c64ccc14939a8b"},
    {file = "greenlet-3.2.4-cp314-cp314-macosx_11_0_universal2.whl", hash = "sha256:49a30d5fda2507ae77be16479bdb62a660fa51b1eb4928b524975b3bde77b3c0"},
    {file = "greenlet-3.2.4-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:299fd615cd8fc86267b47597123e3f43ad79c9d8a22bebdce535e53550763e2f"},
@@ -3089,6 +3099,8 @@ files = [
    {file = "greenlet-3.2.4-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.whl", hash = "sha256:b4a1870c51720687af7fa3e7cda6d08d801dae660f75a76f3845b642b4da6ee1"},
    {file = "greenlet-3.2.4-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:061dc4cf2c34852b052a8620d40f36324554bc192be474b9e9770e8c042fd735"},
    {file = "greenlet-3.2.4-cp314-cp314-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:44358b9bf66c8576a9f57a590d5f5d6e72fa4228b763d0e43fee6d3b06d3a337"},
+    {file = "greenlet-3.2.4-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:2917bdf657f5859fbf3386b12d68ede4cf1f04c90c3a6bc1f013dd68a22e2269"},
+    {file = "greenlet-3.2.4-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:015d48959d4add5d6c9f6c5210ee3803a830dce46356e3bc326d6776bde54681"},
    {file = "greenlet-3.2.4-cp314-cp314-win_amd64.whl", hash = "sha256:e37ab26028f12dbb0ff65f29a8d3d44a765c61e729647bf2ddfbbed621726f01"},
    {file = "greenlet-3.2.4-cp39-cp39-macosx_11_0_universal2.whl", hash = "sha256:b6a7c19cf0d2742d0809a4c05975db036fdff50cd294a93632d6a310bf9ac02c"},
    {file = "greenlet-3.2.4-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:27890167f55d2387576d1f41d9487ef171849ea0359ce1510ca6e06c8bece11d"},
@@ -3098,6 +3110,8 @@ files = [
    {file = "greenlet-3.2.4-cp39-cp39-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c9913f1a30e4526f432991f89ae263459b1c64d1608c0d22a5c79c287b3c70df"},
    {file = "greenlet-3.2.4-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:b90654e092f928f110e0007f572007c9727b5265f7632c2fa7415b4689351594"},
    {file = "greenlet-3.2.4-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:81701fd84f26330f0d5f4944d4e92e61afe6319dcd9775e39396e39d7c3e5f98"},
+    {file = "greenlet-3.2.4-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:28a3c6b7cd72a96f61b0e4b2a36f681025b60ae4779cc73c1535eb5f29560b10"},
+    {file = "greenlet-3.2.4-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:52206cd642670b0b320a1fd1cbfd95bca0e043179c1d8a045f2c6109dfe973be"},
    {file = "greenlet-3.2.4-cp39-cp39-win32.whl", hash = "sha256:65458b409c1ed459ea899e939f0e1cdb14f58dbc803f2f93c5eab5694d32671b"},
    {file = "greenlet-3.2.4-cp39-cp39-win_amd64.whl", hash = "sha256:d2e685ade4dafd447ede19c31277a224a239a0a1a4eca4e6390efedf20260cfb"},
    {file = "greenlet-3.2.4.tar.gz", hash = "sha256:0dca0d95ff849f9a364385f36ab49f50065d76964944638be9691e1832e9f86d"},
@@ -3166,83 +3180,87 @@ protobuf = ">=3.20.2,<4.21.1 || >4.21.1,<4.21.2 || >4.21.2,<4.21.3 || >4.21.3,<4

 [[package]]
 name = "grpcio"
-version = "1.74.0"
+version = "1.67.1"
 description = "HTTP/2-based RPC framework"
 optional = false
-python-versions = ">=3.9"
+python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "grpcio-1.74.0-cp310-cp310-linux_armv7l.whl", hash = "sha256:85bd5cdf4ed7b2d6438871adf6afff9af7096486fcf51818a81b77ef4dd30907"},
-    {file = "grpcio-1.74.0-cp310-cp310-macosx_11_0_universal2.whl", hash = "sha256:68c8ebcca945efff9d86d8d6d7bfb0841cf0071024417e2d7f45c5e46b5b08eb"},
-    {file = "grpcio-1.74.0-cp310-cp310-manylinux_2_17_aarch64.whl", hash = "sha256:e154d230dc1bbbd78ad2fdc3039fa50ad7ffcf438e4eb2fa30bce223a70c7486"},
-    {file = "grpcio-1.74.0-cp310-cp310-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e8978003816c7b9eabe217f88c78bc26adc8f9304bf6a594b02e5a49b2ef9c11"},
-    {file = "grpcio-1.74.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c3d7bd6e3929fd2ea7fbc3f562e4987229ead70c9ae5f01501a46701e08f1ad9"},
-    {file = "grpcio-1.74.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:136b53c91ac1d02c8c24201bfdeb56f8b3ac3278668cbb8e0ba49c88069e1bdc"},
-    {file = "grpcio-1.74.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:fe0f540750a13fd8e5da4b3eaba91a785eea8dca5ccd2bc2ffe978caa403090e"},
-    {file = "grpcio-1.74.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:4e4181bfc24413d1e3a37a0b7889bea68d973d4b45dd2bc68bb766c140718f82"},
-    {file = "grpcio-1.74.0-cp310-cp310-win32.whl", hash = "sha256:1733969040989f7acc3d94c22f55b4a9501a30f6aaacdbccfaba0a3ffb255ab7"},
-    {file = "grpcio-1.74.0-cp310-cp310-win_amd64.whl", hash = "sha256:9e912d3c993a29df6c627459af58975b2e5c897d93287939b9d5065f000249b5"},
-    {file = "grpcio-1.74.0-cp311-cp311-linux_armv7l.whl", hash = "sha256:69e1a8180868a2576f02356565f16635b99088da7df3d45aaa7e24e73a054e31"},
-    {file = "grpcio-1.74.0-cp311-cp311-macosx_11_0_universal2.whl", hash = "sha256:8efe72fde5500f47aca1ef59495cb59c885afe04ac89dd11d810f2de87d935d4"},
-    {file = "grpcio-1.74.0-cp311-cp311-manylinux_2_17_aarch64.whl", hash = "sha256:a8f0302f9ac4e9923f98d8e243939a6fb627cd048f5cd38595c97e38020dffce"},
-    {file = "grpcio-1.74.0-cp311-cp311-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2f609a39f62a6f6f05c7512746798282546358a37ea93c1fcbadf8b2fed162e3"},
-    {file = "grpcio-1.74.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c98e0b7434a7fa4e3e63f250456eaef52499fba5ae661c58cc5b5477d11e7182"},
-    {file = "grpcio-1.74.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:662456c4513e298db6d7bd9c3b8df6f75f8752f0ba01fb653e252ed4a59b5a5d"},
-    {file = "grpcio-1.74.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:3d14e3c4d65e19d8430a4e28ceb71ace4728776fd6c3ce34016947474479683f"},
-    {file = "grpcio-1.74.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:1bf949792cee20d2078323a9b02bacbbae002b9e3b9e2433f2741c15bdeba1c4"},
-    {file = "grpcio-1.74.0-cp311-cp311-win32.whl", hash = "sha256:55b453812fa7c7ce2f5c88be3018fb4a490519b6ce80788d5913f3f9d7da8c7b"},
-    {file = "grpcio-1.74.0-cp311-cp311-win_amd64.whl", hash = "sha256:86ad489db097141a907c559988c29718719aa3e13370d40e20506f11b4de0d11"},
-    {file = "grpcio-1.74.0-cp312-cp312-linux_armv7l.whl", hash = "sha256:8533e6e9c5bd630ca98062e3a1326249e6ada07d05acf191a77bc33f8948f3d8"},
-    {file = "grpcio-1.74.0-cp312-cp312-macosx_11_0_universal2.whl", hash = "sha256:2918948864fec2a11721d91568effffbe0a02b23ecd57f281391d986847982f6"},
-    {file = "grpcio-1.74.0-cp312-cp312-manylinux_2_17_aarch64.whl", hash = "sha256:60d2d48b0580e70d2e1954d0d19fa3c2e60dd7cbed826aca104fff518310d1c5"},
-    {file = "grpcio-1.74.0-cp312-cp312-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3601274bc0523f6dc07666c0e01682c94472402ac2fd1226fd96e079863bfa49"},
-    {file = "grpcio-1.74.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:176d60a5168d7948539def20b2a3adcce67d72454d9ae05969a2e73f3a0feee7"},
-    {file = "grpcio-1.74.0-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:e759f9e8bc908aaae0412642afe5416c9f983a80499448fcc7fab8692ae044c3"},
-    {file = "grpcio-1.74.0-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:9e7c4389771855a92934b2846bd807fc25a3dfa820fd912fe6bd8136026b2707"},
-    {file = "grpcio-1.74.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:cce634b10aeab37010449124814b05a62fb5f18928ca878f1bf4750d1f0c815b"},
-    {file = "grpcio-1.74.0-cp312-cp312-win32.whl", hash = "sha256:885912559974df35d92219e2dc98f51a16a48395f37b92865ad45186f294096c"},
-    {file = "grpcio-1.74.0-cp312-cp312-win_amd64.whl", hash = "sha256:42f8fee287427b94be63d916c90399ed310ed10aadbf9e2e5538b3e497d269bc"},
-    {file = "grpcio-1.74.0-cp313-cp313-linux_armv7l.whl", hash = "sha256:2bc2d7d8d184e2362b53905cb1708c84cb16354771c04b490485fa07ce3a1d89"},
-    {file = "grpcio-1.74.0-cp313-cp313-macosx_11_0_universal2.whl", hash = "sha256:c14e803037e572c177ba54a3e090d6eb12efd795d49327c5ee2b3bddb836bf01"},
-    {file = "grpcio-1.74.0-cp313-cp313-manylinux_2_17_aarch64.whl", hash = "sha256:f6ec94f0e50eb8fa1744a731088b966427575e40c2944a980049798b127a687e"},
-    {file = "grpcio-1.74.0-cp313-cp313-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:566b9395b90cc3d0d0c6404bc8572c7c18786ede549cdb540ae27b58afe0fb91"},
-    {file = "grpcio-1.74.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e1ea6176d7dfd5b941ea01c2ec34de9531ba494d541fe2057c904e601879f249"},
-    {file = "grpcio-1.74.0-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:64229c1e9cea079420527fa8ac45d80fc1e8d3f94deaa35643c381fa8d98f362"},
-    {file = "grpcio-1.74.0-cp313-cp313-musllinux_1_1_i686.whl", hash = "sha256:0f87bddd6e27fc776aacf7ebfec367b6d49cad0455123951e4488ea99d9b9b8f"},
-    {file = "grpcio-1.74.0-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:3b03d8f2a07f0fea8c8f74deb59f8352b770e3900d143b3d1475effcb08eec20"},
-    {file = "grpcio-1.74.0-cp313-cp313-win32.whl", hash = "sha256:b6a73b2ba83e663b2480a90b82fdae6a7aa6427f62bf43b29912c0cfd1aa2bfa"},
-    {file = "grpcio-1.74.0-cp313-cp313-win_amd64.whl", hash = "sha256:fd3c71aeee838299c5887230b8a1822795325ddfea635edd82954c1eaa831e24"},
-    {file = "grpcio-1.74.0-cp39-cp39-linux_armv7l.whl", hash = "sha256:4bc5fca10aaf74779081e16c2bcc3d5ec643ffd528d9e7b1c9039000ead73bae"},
-    {file = "grpcio-1.74.0-cp39-cp39-macosx_11_0_universal2.whl", hash = "sha256:6bab67d15ad617aff094c382c882e0177637da73cbc5532d52c07b4ee887a87b"},
-    {file = "grpcio-1.74.0-cp39-cp39-manylinux_2_17_aarch64.whl", hash = "sha256:655726919b75ab3c34cdad39da5c530ac6fa32696fb23119e36b64adcfca174a"},
-    {file = "grpcio-1.74.0-cp39-cp39-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1a2b06afe2e50ebfd46247ac3ba60cac523f54ec7792ae9ba6073c12daf26f0a"},
-    {file = "grpcio-1.74.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5f251c355167b2360537cf17bea2cf0197995e551ab9da6a0a59b3da5e8704f9"},
-    {file = "grpcio-1.74.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:8f7b5882fb50632ab1e48cb3122d6df55b9afabc265582808036b6e51b9fd6b7"},
-    {file = "grpcio-1.74.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:834988b6c34515545b3edd13e902c1acdd9f2465d386ea5143fb558f153a7176"},
-    {file = "grpcio-1.74.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:22b834cef33429ca6cc28303c9c327ba9a3fafecbf62fae17e9a7b7163cc43ac"},
-    {file = "grpcio-1.74.0-cp39-cp39-win32.whl", hash = "sha256:7d95d71ff35291bab3f1c52f52f474c632db26ea12700c2ff0ea0532cb0b5854"},
-    {file = "grpcio-1.74.0-cp39-cp39-win_amd64.whl", hash = "sha256:ecde9ab49f58433abe02f9ed076c7b5be839cf0153883a6d23995937a82392fa"},
-    {file = "grpcio-1.74.0.tar.gz", hash = "sha256:80d1f4fbb35b0742d3e3d3bb654b7381cd5f015f8497279a1e9c21ba623e01b1"},
+    {file = "grpcio-1.67.1-cp310-cp310-linux_armv7l.whl", hash = "sha256:8b0341d66a57f8a3119b77ab32207072be60c9bf79760fa609c5609f2deb1f3f"},
+    {file = "grpcio-1.67.1-cp310-cp310-macosx_12_0_universal2.whl", hash = "sha256:f5a27dddefe0e2357d3e617b9079b4bfdc91341a91565111a21ed6ebbc51b22d"},
+    {file = "grpcio-1.67.1-cp310-cp310-manylinux_2_17_aarch64.whl", hash = "sha256:43112046864317498a33bdc4797ae6a268c36345a910de9b9c17159d8346602f"},
+    {file = "grpcio-1.67.1-cp310-cp310-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c9b929f13677b10f63124c1a410994a401cdd85214ad83ab67cc077fc7e480f0"},
+    {file = "grpcio-1.67.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e7d1797a8a3845437d327145959a2c0c47c05947c9eef5ff1a4c80e499dcc6fa"},
+    {file = "grpcio-1.67.1-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:0489063974d1452436139501bf6b180f63d4977223ee87488fe36858c5725292"},
+    {file = "grpcio-1.67.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:9fd042de4a82e3e7aca44008ee2fb5da01b3e5adb316348c21980f7f58adc311"},
+    {file = "grpcio-1.67.1-cp310-cp310-win32.whl", hash = "sha256:638354e698fd0c6c76b04540a850bf1db27b4d2515a19fcd5cf645c48d3eb1ed"},
+    {file = "grpcio-1.67.1-cp310-cp310-win_amd64.whl", hash = "sha256:608d87d1bdabf9e2868b12338cd38a79969eaf920c89d698ead08f48de9c0f9e"},
+    {file = "grpcio-1.67.1-cp311-cp311-linux_armv7l.whl", hash = "sha256:7818c0454027ae3384235a65210bbf5464bd715450e30a3d40385453a85a70cb"},
+    {file = "grpcio-1.67.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:ea33986b70f83844cd00814cee4451055cd8cab36f00ac64a31f5bb09b31919e"},
+    {file = "grpcio-1.67.1-cp311-cp311-manylinux_2_17_aarch64.whl", hash = "sha256:c7a01337407dd89005527623a4a72c5c8e2894d22bead0895306b23c6695698f"},
+    {file = "grpcio-1.67.1-cp311-cp311-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:80b866f73224b0634f4312a4674c1be21b2b4afa73cb20953cbbb73a6b36c3cc"},
+    {file = "grpcio-1.67.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f9fff78ba10d4250bfc07a01bd6254a6d87dc67f9627adece85c0b2ed754fa96"},
+    {file = "grpcio-1.67.1-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:8a23cbcc5bb11ea7dc6163078be36c065db68d915c24f5faa4f872c573bb400f"},
+    {file = "grpcio-1.67.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:1a65b503d008f066e994f34f456e0647e5ceb34cfcec5ad180b1b44020ad4970"},
+    {file = "grpcio-1.67.1-cp311-cp311-win32.whl", hash = "sha256:e29ca27bec8e163dca0c98084040edec3bc49afd10f18b412f483cc68c712744"},
+    {file = "grpcio-1.67.1-cp311-cp311-win_amd64.whl", hash = "sha256:786a5b18544622bfb1e25cc08402bd44ea83edfb04b93798d85dca4d1a0b5be5"},
+    {file = "grpcio-1.67.1-cp312-cp312-linux_armv7l.whl", hash = "sha256:267d1745894200e4c604958da5f856da6293f063327cb049a51fe67348e4f953"},
+    {file = "grpcio-1.67.1-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:85f69fdc1d28ce7cff8de3f9c67db2b0ca9ba4449644488c1e0303c146135ddb"},
+    {file = "grpcio-1.67.1-cp312-cp312-manylinux_2_17_aarch64.whl", hash = "sha256:f26b0b547eb8d00e195274cdfc63ce64c8fc2d3e2d00b12bf468ece41a0423a0"},
+    {file = "grpcio-1.67.1-cp312-cp312-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4422581cdc628f77302270ff839a44f4c24fdc57887dc2a45b7e53d8fc2376af"},
+    {file = "grpcio-1.67.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1d7616d2ded471231c701489190379e0c311ee0a6c756f3c03e6a62b95a7146e"},
+    {file = "grpcio-1.67.1-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8a00efecde9d6fcc3ab00c13f816313c040a28450e5e25739c24f432fc6d3c75"},
+    {file = "grpcio-1.67.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:699e964923b70f3101393710793289e42845791ea07565654ada0969522d0a38"},
+    {file = "grpcio-1.67.1-cp312-cp312-win32.whl", hash = "sha256:4e7b904484a634a0fff132958dabdb10d63e0927398273917da3ee103e8d1f78"},
+    {file = "grpcio-1.67.1-cp312-cp312-win_amd64.whl", hash = "sha256:5721e66a594a6c4204458004852719b38f3d5522082be9061d6510b455c90afc"},
+    {file = "grpcio-1.67.1-cp313-cp313-linux_armv7l.whl", hash = "sha256:aa0162e56fd10a5547fac8774c4899fc3e18c1aa4a4759d0ce2cd00d3696ea6b"},
+    {file = "grpcio-1.67.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:beee96c8c0b1a75d556fe57b92b58b4347c77a65781ee2ac749d550f2a365dc1"},
+    {file = "grpcio-1.67.1-cp313-cp313-manylinux_2_17_aarch64.whl", hash = "sha256:a93deda571a1bf94ec1f6fcda2872dad3ae538700d94dc283c672a3b508ba3af"},
+    {file = "grpcio-1.67.1-cp313-cp313-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0e6f255980afef598a9e64a24efce87b625e3e3c80a45162d111a461a9f92955"},
+    {file = "grpcio-1.67.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9e838cad2176ebd5d4a8bb03955138d6589ce9e2ce5d51c3ada34396dbd2dba8"},
+    {file = "grpcio-1.67.1-cp313-cp313-musllinux_1_1_i686.whl", hash = "sha256:a6703916c43b1d468d0756c8077b12017a9fcb6a1ef13faf49e67d20d7ebda62"},
+    {file = "grpcio-1.67.1-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:917e8d8994eed1d86b907ba2a61b9f0aef27a2155bca6cbb322430fc7135b7bb"},
+    {file = "grpcio-1.67.1-cp313-cp313-win32.whl", hash = "sha256:e279330bef1744040db8fc432becc8a727b84f456ab62b744d3fdb83f327e121"},
+    {file = "grpcio-1.67.1-cp313-cp313-win_amd64.whl", hash = "sha256:fa0c739ad8b1996bd24823950e3cb5152ae91fca1c09cc791190bf1627ffefba"},
+    {file = "grpcio-1.67.1-cp38-cp38-linux_armv7l.whl", hash = "sha256:178f5db771c4f9a9facb2ab37a434c46cb9be1a75e820f187ee3d1e7805c4f65"},
+    {file = "grpcio-1.67.1-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:0f3e49c738396e93b7ba9016e153eb09e0778e776df6090c1b8c91877cc1c426"},
+    {file = "grpcio-1.67.1-cp38-cp38-manylinux_2_17_aarch64.whl", hash = "sha256:24e8a26dbfc5274d7474c27759b54486b8de23c709d76695237515bc8b5baeab"},
+    {file = "grpcio-1.67.1-cp38-cp38-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3b6c16489326d79ead41689c4b84bc40d522c9a7617219f4ad94bc7f448c5085"},
+    {file = "grpcio-1.67.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:60e6a4dcf5af7bbc36fd9f81c9f372e8ae580870a9e4b6eafe948cd334b81cf3"},
+    {file = "grpcio-1.67.1-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:95b5f2b857856ed78d72da93cd7d09b6db8ef30102e5e7fe0961fe4d9f7d48e8"},
+    {file = "grpcio-1.67.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:b49359977c6ec9f5d0573ea4e0071ad278ef905aa74e420acc73fd28ce39e9ce"},
+    {file = "grpcio-1.67.1-cp38-cp38-win32.whl", hash = "sha256:f5b76ff64aaac53fede0cc93abf57894ab2a7362986ba22243d06218b93efe46"},
+    {file = "grpcio-1.67.1-cp38-cp38-win_amd64.whl", hash = "sha256:804c6457c3cd3ec04fe6006c739579b8d35c86ae3298ffca8de57b493524b771"},
+    {file = "grpcio-1.67.1-cp39-cp39-linux_armv7l.whl", hash = "sha256:a25bdea92b13ff4d7790962190bf6bf5c4639876e01c0f3dda70fc2769616335"},
+    {file = "grpcio-1.67.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:cdc491ae35a13535fd9196acb5afe1af37c8237df2e54427be3eecda3653127e"},
+    {file = "grpcio-1.67.1-cp39-cp39-manylinux_2_17_aarch64.whl", hash = "sha256:85f862069b86a305497e74d0dc43c02de3d1d184fc2c180993aa8aa86fbd19b8"},
+    {file = "grpcio-1.67.1-cp39-cp39-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ec74ef02010186185de82cc594058a3ccd8d86821842bbac9873fd4a2cf8be8d"},
+    {file = "grpcio-1.67.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:01f616a964e540638af5130469451cf580ba8c7329f45ca998ab66e0c7dcdb04"},
+    {file = "grpcio-1.67.1-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:299b3d8c4f790c6bcca485f9963b4846dd92cf6f1b65d3697145d005c80f9fe8"},
+    {file = "grpcio-1.67.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:60336bff760fbb47d7e86165408126f1dded184448e9a4c892189eb7c9d3f90f"},
+    {file = "grpcio-1.67.1-cp39-cp39-win32.whl", hash = "sha256:5ed601c4c6008429e3d247ddb367fe8c7259c355757448d7c1ef7bd4a6739e8e"},
+    {file = "grpcio-1.67.1-cp39-cp39-win_amd64.whl", hash = "sha256:5db70d32d6703b89912af16d6d45d78406374a8b8ef0d28140351dd0ec610e98"},
+    {file = "grpcio-1.67.1.tar.gz", hash = "sha256:3dc2ed4cabea4dc14d5e708c2b426205956077cc5de419b4d4079315017e9732"},
 ]

 [package.extras]
-protobuf = ["grpcio-tools (>=1.74.0)"]
+protobuf = ["grpcio-tools (>=1.67.1)"]

 [[package]]
 name = "grpcio-status"
-version = "1.71.2"
+version = "1.67.1"
 description = "Status proto mapping for gRPC"
 optional = false
-python-versions = ">=3.9"
+python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "grpcio_status-1.71.2-py3-none-any.whl", hash = "sha256:803c98cb6a8b7dc6dbb785b1111aed739f241ab5e9da0bba96888aa74704cfd3"},
-    {file = "grpcio_status-1.71.2.tar.gz", hash = "sha256:c7a97e176df71cdc2c179cd1847d7fc86cca5832ad12e9798d7fed6b7a1aab50"},
+    {file = "grpcio_status-1.67.1-py3-none-any.whl", hash = "sha256:16e6c085950bdacac97c779e6a502ea671232385e6e37f258884d6883392c2bd"},
+    {file = "grpcio_status-1.67.1.tar.gz", hash = "sha256:2bf38395e028ceeecfd8866b081f61628114b384da7d51ae064ddc8d766a5d11"},
 ]

 [package.dependencies]
 googleapis-common-protos = ">=1.5.5"
-grpcio = ">=1.71.2"
+grpcio = ">=1.67.1"
 protobuf = ">=5.26.1,<6.0dev"

 [[package]]
@@ -4540,42 +4558,39 @@ valkey = ["valkey (>=6)"]

 [[package]]
 name = "litellm"
-version = "1.77.7"
+version = "1.80.7"
 description = "Library to easily interface with LLM API providers"
 optional = false
-python-versions = ">=3.8.1,<4.0, !=3.9.7"
+python-versions = "<4.0,>=3.9"
 groups = ["main"]
-files = []
-develop = false
+files = [
+    {file = "litellm-1.80.7-py3-none-any.whl", hash = "sha256:f7d993f78c1e0e4e1202b2a925cc6540b55b6e5fb055dd342d88b145ab3102ed"},
+    {file = "litellm-1.80.7.tar.gz", hash = "sha256:3977a8d195aef842d01c18bf9e22984829363c6a4b54daf9a43c9dd9f190b42c"},
+]

 [package.dependencies]
 aiohttp = ">=3.10"
 click = "*"
 fastuuid = ">=0.13.0"
+grpcio = ">=1.62.3,<1.68.0"
 httpx = ">=0.23.0"
 importlib-metadata = ">=6.8.0"
-jinja2 = "^3.1.2"
-jsonschema = "^4.22.0"
-openai = ">=1.99.5"
-pydantic = "^2.5.0"
+jinja2 = ">=3.1.2,<4.0.0"
+jsonschema = ">=4.22.0,<5.0.0"
+openai = ">=2.8.0"
+pydantic = ">=2.5.0,<3.0.0"
 python-dotenv = ">=0.2.0"
 tiktoken = ">=0.7.0"
 tokenizers = "*"

 [package.extras]
 caching = ["diskcache (>=5.6.1,<6.0.0)"]
-extra-proxy = ["azure-identity (>=1.15.0,<2.0.0)", "azure-keyvault-secrets (>=4.8.0,<5.0.0)", "google-cloud-iam (>=2.19.1,<3.0.0)", "google-cloud-kms (>=2.21.3,<3.0.0)", "prisma (==0.11.0)", "redisvl (>=0.4.1,<0.5.0) ; python_version >= \"3.9\" and python_version < \"3.14\"", "resend (>=0.8.0,<0.9.0)"]
+extra-proxy = ["azure-identity (>=1.15.0,<2.0.0) ; python_version >= \"3.9\"", "azure-keyvault-secrets (>=4.8.0,<5.0.0)", "google-cloud-iam (>=2.19.1,<3.0.0)", "google-cloud-kms (>=2.21.3,<3.0.0)", "prisma (==0.11.0)", "redisvl (>=0.4.1,<0.5.0) ; python_version >= \"3.9\" and python_version < \"3.14\"", "resend (>=0.8.0)"]
 mlflow = ["mlflow (>3.1.4) ; python_version >= \"3.10\""]
-proxy = ["PyJWT (>=2.8.0,<3.0.0)", "apscheduler (>=3.10.4,<4.0.0)", "azure-identity (>=1.15.0,<2.0.0)", "azure-storage-blob (>=12.25.1,<13.0.0)", "backoff", "boto3 (==1.36.0)", "cryptography", "fastapi (>=0.115.5,<0.116.0)", "fastapi-sso (>=0.16.0,<0.17.0)", "gunicorn (>=23.0.0,<24.0.0)", "litellm-enterprise (==0.1.20)", "litellm-proxy-extras (==0.2.25)", "mcp (>=1.10.0,<2.0.0) ; python_version >= \"3.10\"", "orjson (>=3.9.7,<4.0.0)", "polars (>=1.31.0,<2.0.0) ; python_version >= \"3.10\"", "pynacl (>=1.5.0,<2.0.0)", "python-multipart (>=0.0.18,<0.0.19)", "pyyaml (>=6.0.1,<7.0.0)", "rich (==13.7.1)", "rq", "uvicorn (>=0.29.0,<0.30.0)", "uvloop (>=0.21.0,<0.22.0) ; sys_platform != \"win32\"", "websockets (>=13.1.0,<14.0.0)"]
-semantic-router = ["semantic-router ; python_version >= \"3.9\""]
+proxy = ["PyJWT (>=2.10.1,<3.0.0) ; python_version >= \"3.9\"", "apscheduler (>=3.10.4,<4.0.0)", "azure-identity (>=1.15.0,<2.0.0) ; python_version >= \"3.9\"", "azure-storage-blob (>=12.25.1,<13.0.0)", "backoff", "boto3 (==1.36.0)", "cryptography", "fastapi (>=0.120.1)", "fastapi-sso (>=0.16.0,<0.17.0)", "gunicorn (>=23.0.0,<24.0.0)", "litellm-enterprise (==0.1.22)", "litellm-proxy-extras (==0.4.9)", "mcp (>=1.21.2,<2.0.0) ; python_version >= \"3.10\"", "orjson (>=3.9.7,<4.0.0)", "polars (>=1.31.0,<2.0.0) ; python_version >= \"3.10\"", "pynacl (>=1.5.0,<2.0.0)", "python-multipart (>=0.0.18,<0.0.19)", "pyyaml (>=6.0.1,<7.0.0)", "rich (==13.7.1)", "rq", "soundfile (>=0.12.1,<0.13.0)", "uvicorn (>=0.31.1,<0.32.0)", "uvloop (>=0.21.0,<0.22.0) ; sys_platform != \"win32\"", "websockets (>=15.0.1,<16.0.0)"]
+semantic-router = ["semantic-router (>=0.1.12) ; python_version >= \"3.9\" and python_version < \"3.14\""]
 utils = ["numpydoc"]

-[package.source]
-type = "git"
-url = "https://github.com/BerriAI/litellm.git"
-reference = "v1.77.7.dev9"
-resolved_reference = "763d2f8ccdd8412dbe6d4ac0e136d9ac34dcd4c0"
-
 [[package]]
 name = "llvmlite"
 version = "0.44.0"
@@ -4609,14 +4624,14 @@ files = [

 [[package]]
 name = "lmnr"
-version = "0.7.20"
+version = "0.7.24"
 description = "Python SDK for Laminar"
 optional = false
 python-versions = "<4,>=3.10"
 groups = ["main"]
 files = [
-    {file = "lmnr-0.7.20-py3-none-any.whl", hash = "sha256:5f9fa7444e6f96c25e097f66484ff29e632bdd1de0e9346948bf5595f4a8af38"},
-    {file = "lmnr-0.7.20.tar.gz", hash = "sha256:1f484cd618db2d71af65f90a0b8b36d20d80dc91a5138b811575c8677bf7c4fd"},
+    {file = "lmnr-0.7.24-py3-none-any.whl", hash = "sha256:ad780d4a62ece897048811f3368639c240a9329ab31027da8c96545137a3a08a"},
+    {file = "lmnr-0.7.24.tar.gz", hash = "sha256:aa6973f46fc4ba95c9061c1feceb58afc02eb43c9376c21e32545371ff6123d7"},
 ]

 [package.dependencies]
@@ -4639,14 +4654,15 @@ tqdm = ">=4.0"

 [package.extras]
 alephalpha = ["opentelemetry-instrumentation-alephalpha (>=0.47.1)"]
-all = ["opentelemetry-instrumentation-alephalpha (>=0.47.1)", "opentelemetry-instrumentation-bedrock (>=0.47.1)", "opentelemetry-instrumentation-chromadb (>=0.47.1)", "opentelemetry-instrumentation-cohere (>=0.47.1)", "opentelemetry-instrumentation-crewai (>=0.47.1)", "opentelemetry-instrumentation-haystack (>=0.47.1)", "opentelemetry-instrumentation-lancedb (>=0.47.1)", "opentelemetry-instrumentation-langchain (>=0.47.1)", "opentelemetry-instrumentation-llamaindex (>=0.47.1)", "opentelemetry-instrumentation-marqo (>=0.47.1)", "opentelemetry-instrumentation-mcp (>=0.47.1)", "opentelemetry-instrumentation-milvus (>=0.47.1)", "opentelemetry-instrumentation-mistralai (>=0.47.1)", "opentelemetry-instrumentation-ollama (>=0.47.1)", "opentelemetry-instrumentation-pinecone (>=0.47.1)", "opentelemetry-instrumentation-qdrant (>=0.47.1)", "opentelemetry-instrumentation-replicate (>=0.47.1)", "opentelemetry-instrumentation-sagemaker (>=0.47.1)", "opentelemetry-instrumentation-together (>=0.47.1)", "opentelemetry-instrumentation-transformers (>=0.47.1)", "opentelemetry-instrumentation-vertexai (>=0.47.1)", "opentelemetry-instrumentation-watsonx (>=0.47.1)", "opentelemetry-instrumentation-weaviate (>=0.47.1)"]
+all = ["opentelemetry-instrumentation-alephalpha (>=0.47.1)", "opentelemetry-instrumentation-bedrock (>=0.47.1)", "opentelemetry-instrumentation-chromadb (>=0.47.1)", "opentelemetry-instrumentation-cohere (>=0.47.1)", "opentelemetry-instrumentation-crewai (>=0.47.1)", "opentelemetry-instrumentation-haystack (>=0.47.1)", "opentelemetry-instrumentation-lancedb (>=0.47.1)", "opentelemetry-instrumentation-langchain (>=0.47.1,<0.48.0)", "opentelemetry-instrumentation-llamaindex (>=0.47.1)", "opentelemetry-instrumentation-marqo (>=0.47.1)", "opentelemetry-instrumentation-mcp (>=0.47.1)", "opentelemetry-instrumentation-milvus (>=0.47.1)", "opentelemetry-instrumentation-mistralai (>=0.47.1)", "opentelemetry-instrumentation-ollama (>=0.47.1)", "opentelemetry-instrumentation-pinecone (>=0.47.1)", "opentelemetry-instrumentation-qdrant (>=0.47.1)", "opentelemetry-instrumentation-replicate (>=0.47.1)", "opentelemetry-instrumentation-sagemaker (>=0.47.1)", "opentelemetry-instrumentation-together (>=0.47.1)", "opentelemetry-instrumentation-transformers (>=0.47.1)", "opentelemetry-instrumentation-vertexai (>=0.47.1)", "opentelemetry-instrumentation-watsonx (>=0.47.1)", "opentelemetry-instrumentation-weaviate (>=0.47.1)"]
 bedrock = ["opentelemetry-instrumentation-bedrock (>=0.47.1)"]
 chromadb = ["opentelemetry-instrumentation-chromadb (>=0.47.1)"]
+claude-agent-sdk = ["lmnr-claude-code-proxy (>=0.1.0a5)"]
 cohere = ["opentelemetry-instrumentation-cohere (>=0.47.1)"]
 crewai = ["opentelemetry-instrumentation-crewai (>=0.47.1)"]
 haystack = ["opentelemetry-instrumentation-haystack (>=0.47.1)"]
 lancedb = ["opentelemetry-instrumentation-lancedb (>=0.47.1)"]
-langchain = ["opentelemetry-instrumentation-langchain (>=0.47.1)"]
+langchain = ["opentelemetry-instrumentation-langchain (>=0.47.1,<0.48.0)"]
 llamaindex = ["opentelemetry-instrumentation-llamaindex (>=0.47.1)"]
 marqo = ["opentelemetry-instrumentation-marqo (>=0.47.1)"]
 mcp = ["opentelemetry-instrumentation-mcp (>=0.47.1)"]
@@ -5644,28 +5660,28 @@ pydantic = ">=2.9"

 [[package]]
 name = "openai"
-version = "1.99.9"
+version = "2.8.0"
 description = "The official Python library for the openai API"
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
 groups = ["main", "test"]
 files = [
-    {file = "openai-1.99.9-py3-none-any.whl", hash = "sha256:9dbcdb425553bae1ac5d947147bebbd630d91bbfc7788394d4c4f3a35682ab3a"},
-    {file = "openai-1.99.9.tar.gz", hash = "sha256:f2082d155b1ad22e83247c3de3958eb4255b20ccf4a1de2e6681b6957b554e92"},
+    {file = "openai-2.8.0-py3-none-any.whl", hash = "sha256:ba975e347f6add2fe13529ccb94d54a578280e960765e5224c34b08d7e029ddf"},
+    {file = "openai-2.8.0.tar.gz", hash = "sha256:4851908f6d6fcacbd47ba659c5ac084f7725b752b6bfa1e948b6fbfc111a6bad"},
 ]

 [package.dependencies]
 anyio = ">=3.5.0,<5"
 distro = ">=1.7.0,<2"
 httpx = ">=0.23.0,<1"
-jiter = ">=0.4.0,<1"
+jiter = ">=0.10.0,<1"
 pydantic = ">=1.9.0,<3"
 sniffio = "*"
 tqdm = ">4"
 typing-extensions = ">=4.11,<5"

 [package.extras]
-aiohttp = ["aiohttp", "httpx-aiohttp (>=0.1.8)"]
+aiohttp = ["aiohttp", "httpx-aiohttp (>=0.1.9)"]
 datalib = ["numpy (>=1)", "pandas (>=1.2.3)", "pandas-stubs (>=1.1.0.11)"]
 realtime = ["websockets (>=13,<16)"]
 voice-helpers = ["numpy (>=2.0.2)", "sounddevice (>=0.5.1)"]
@@ -5820,14 +5836,14 @@ llama = ["llama-index (>=0.12.29,<0.13.0)", "llama-index-core (>=0.12.29,<0.13.0

 [[package]]
 name = "openhands-agent-server"
-version = "1.3.0"
+version = "1.6.0"
 description = "OpenHands Agent Server - REST/WebSocket interface for OpenHands AI Agent"
 optional = false
 python-versions = ">=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_agent_server-1.3.0-py3-none-any.whl", hash = "sha256:2f87f790c740dc3fb81821c5f9fa375af875fbb937ebca3baa6dc5c035035b3c"},
-    {file = "openhands_agent_server-1.3.0.tar.gz", hash = "sha256:0a83ae77373f5c41d0ba0e22d8f0f6144d54d55784183a50b7c098c96cd5135c"},
+    {file = "openhands_agent_server-1.6.0-py3-none-any.whl", hash = "sha256:e6ae865ac3e7a96b234e10a0faad23f6210e025bbf7721cb66bc7a71d160848c"},
+    {file = "openhands_agent_server-1.6.0.tar.gz", hash = "sha256:44ce7694ae2d4bb0666d318ef13e6618bd4dc73022c60354839fe6130e67d02a"},
 ]

 [package.dependencies]
@@ -5835,6 +5851,7 @@ aiosqlite = ">=0.19"
 alembic = ">=1.13"
 docker = ">=7.1,<8"
 fastapi = ">=0.104"
+openhands-sdk = "*"
 pydantic = ">=2"
 sqlalchemy = ">=2"
 uvicorn = ">=0.31.1"
@@ -5843,7 +5860,7 @@ wsproto = ">=1.2.0"

 [[package]]
 name = "openhands-ai"
-version = "0.62.0"
+version = "0.0.0-post.5687+7853b41ad"
 description = "OpenHands: Code Less, Make More"
 optional = false
 python-versions = "^3.12,<3.14"
@@ -5879,15 +5896,15 @@ json-repair = "*"
 jupyter_kernel_gateway = "*"
 kubernetes = "^33.1.0"
 libtmux = ">=0.46.2"
-litellm = ">=1.74.3, <1.78.0, !=1.64.4, !=1.67.*"
+litellm = ">=1.74.3, <=1.80.7, !=1.64.4, !=1.67.*"
 lmnr = "^0.7.20"
 memory-profiler = "^0.61.0"
 numpy = "*"
-openai = "1.99.9"
+openai = "2.8.0"
 openhands-aci = "0.3.2"
-openhands-agent-server = "1.3.0"
-openhands-sdk = "1.3.0"
-openhands-tools = "1.3.0"
+openhands-agent-server = "1.6.0"
+openhands-sdk = "1.6.0"
+openhands-tools = "1.6.0"
 opentelemetry-api = "^1.33.1"
 opentelemetry-exporter-otlp-proto-grpc = "^1.33.1"
 pathspec = "^0.12.1"
@@ -5943,22 +5960,22 @@ url = ".."

 [[package]]
 name = "openhands-sdk"
-version = "1.3.0"
+version = "1.6.0"
 description = "OpenHands SDK - Core functionality for building AI agents"
 optional = false
 python-versions = ">=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_sdk-1.3.0-py3-none-any.whl", hash = "sha256:feee838346f8e60ea3e4d3391de7cb854314eb8b3c9e3dbbb56f98a784aadc56"},
-    {file = "openhands_sdk-1.3.0.tar.gz", hash = "sha256:2d060803a78de462121b56dea717a66356922deb02276f37b29fae8af66343fb"},
+    {file = "openhands_sdk-1.6.0-py3-none-any.whl", hash = "sha256:94d2f87fb35406373da6728ae2d88584137f9e9b67fa0e940444c72f2e44e7d3"},
+    {file = "openhands_sdk-1.6.0.tar.gz", hash = "sha256:f45742350e3874a7f5b08befc4a9d5adc7e4454f7ab5f8391c519eee3116090f"},
 ]

 [package.dependencies]
 deprecation = ">=2.1.0"
 fastmcp = ">=2.11.3"
 httpx = ">=0.27.0"
-litellm = ">=1.77.7.dev9"
-lmnr = ">=0.7.20"
+litellm = ">=1.80.7"
+lmnr = ">=0.7.24"
 pydantic = ">=2.11.7"
 python-frontmatter = ">=1.1.0"
 python-json-logger = ">=3.3.0"
@@ -5970,14 +5987,14 @@ boto3 = ["boto3 (>=1.35.0)"]

 [[package]]
 name = "openhands-tools"
-version = "1.3.0"
+version = "1.6.0"
 description = "OpenHands Tools - Runtime tools for AI agents"
 optional = false
 python-versions = ">=3.12"
 groups = ["main"]
 files = [
-    {file = "openhands_tools-1.3.0-py3-none-any.whl", hash = "sha256:f31056d87c3058ac92709f9161c7c602daeee3ed0cb4439097b43cda105ed03e"},
-    {file = "openhands_tools-1.3.0.tar.gz", hash = "sha256:3da46f09e28593677d3e17252ce18584fcc13caab1a73213e66bd7edca2cebe0"},
+    {file = "openhands_tools-1.6.0-py3-none-any.whl", hash = "sha256:176556d44186536751b23fe052d3505492cc2afb8d52db20fb7a2cc0169cd57a"},
+    {file = "openhands_tools-1.6.0.tar.gz", hash = "sha256:d07ba31050fd4a7891a4c48388aa53ce9f703e17064ddbd59146d6c77e5980b3"},
 ]

 [package.dependencies]
@@ -5989,6 +6006,7 @@ func-timeout = ">=4.3.5"
 libtmux = ">=0.46.2"
 openhands-sdk = "*"
 pydantic = ">=2.11.7"
+tom-swe = ">=1.0.3"

 [[package]]
 name = "openpyxl"
@@ -13305,6 +13323,31 @@ dev = ["tokenizers[testing]"]
 docs = ["setuptools-rust", "sphinx", "sphinx-rtd-theme"]
 testing = ["black (==22.3)", "datasets", "numpy", "pytest", "pytest-asyncio", "requests", "ruff"]

+[[package]]
+name = "tom-swe"
+version = "1.0.3"
+description = "Theory of Mind modeling for Software Engineering assistants"
+optional = false
+python-versions = ">=3.10"
+groups = ["main"]
+files = [
+    {file = "tom_swe-1.0.3-py3-none-any.whl", hash = "sha256:7b1172b29eb5c8fb7f1975016e7b6a238511b9ac2a7a980bd400dcb4e29773f2"},
+    {file = "tom_swe-1.0.3.tar.gz", hash = "sha256:57c97d0104e563f15bd39edaf2aa6ac4c3e9444afd437fb92458700d22c6c0f5"},
+]
+
+[package.dependencies]
+jinja2 = ">=3.0.0"
+json-repair = ">=0.1.0"
+litellm = ">=1.0.0"
+pydantic = ">=2.0.0"
+python-dotenv = ">=1.0.0"
+tiktoken = ">=0.8.0"
+tqdm = ">=4.65.0"
+
+[package.extras]
+dev = ["aiofiles (>=23.0.0)", "black (>=22.0.0)", "datasets (>=2.0.0)", "fastapi (>=0.104.0)", "httpx (>=0.25.0)", "huggingface-hub (>=0.0.0)", "isort (>=5.0.0)", "mypy (>=1.0.0)", "numpy (>=1.24.0)", "pandas (>=2.0.0)", "pre-commit (>=3.6.0)", "pytest (>=7.0.0)", "pytest-cov (>=6.2.1)", "rich (>=13.0.0)", "ruff (>=0.3.0)", "typing-extensions (>=4.0.0)", "uvicorn (>=0.24.0)"]
+search = ["bm25s (>=0.2.0)", "pystemmer (>=2.2.0)"]
+
 [[package]]
 name = "toml"
 version = "0.10.2"
@@ -34,6 +34,7 @@ from server.routes.integration.jira_dc import jira_dc_integration_router  # noqa
 from server.routes.integration.linear import linear_integration_router  # noqa: E402
 from server.routes.integration.slack import slack_router  # noqa: E402
 from server.routes.mcp_patch import patch_mcp_server  # noqa: E402
+from server.routes.oauth_device import oauth_device_router  # noqa: E402
 from server.routes.readiness import readiness_router  # noqa: E402
 from server.routes.user import saas_user_router  # noqa: E402

@@ -60,6 +61,7 @@ base_app.mount('/internal/metrics', metrics_app())
 base_app.include_router(readiness_router)  # Add routes for readiness checks
 base_app.include_router(api_router)  # Add additional route for github auth
 base_app.include_router(oauth_router)  # Add additional route for oauth callback
+base_app.include_router(oauth_device_router)  # Add OAuth 2.0 Device Flow routes
 base_app.include_router(saas_user_router)  # Add additional route SAAS user calls
 base_app.include_router(
    billing_router
@@ -38,3 +38,8 @@ ROLE_CHECK_ENABLED = os.getenv('ROLE_CHECK_ENABLED', 'false').lower() in (
    'y',
    'on',
 )
+BLOCKED_EMAIL_DOMAINS = [
+    domain.strip().lower()
+    for domain in os.getenv('BLOCKED_EMAIL_DOMAINS', '').split(',')
+    if domain.strip()
+]
@@ -0,0 +1,56 @@
+from server.auth.constants import BLOCKED_EMAIL_DOMAINS
+
+from openhands.core.logger import openhands_logger as logger
+
+
+class DomainBlocker:
+    def __init__(self) -> None:
+        logger.debug('Initializing DomainBlocker')
+        self.blocked_domains: list[str] = BLOCKED_EMAIL_DOMAINS
+        if self.blocked_domains:
+            logger.info(
+                f'Successfully loaded {len(self.blocked_domains)} blocked email domains: {self.blocked_domains}'
+            )
+
+    def is_active(self) -> bool:
+        """Check if domain blocking is enabled"""
+        return bool(self.blocked_domains)
+
+    def _extract_domain(self, email: str) -> str | None:
+        """Extract and normalize email domain from email address"""
+        if not email:
+            return None
+        try:
+            # Extract domain part after @
+            if '@' not in email:
+                return None
+            domain = email.split('@')[1].strip().lower()
+            return domain if domain else None
+        except Exception:
+            logger.debug(f'Error extracting domain from email: {email}', exc_info=True)
+            return None
+
+    def is_domain_blocked(self, email: str) -> bool:
+        """Check if email domain is blocked"""
+        if not self.is_active():
+            return False
+
+        if not email:
+            logger.debug('No email provided for domain check')
+            return False
+
+        domain = self._extract_domain(email)
+        if not domain:
+            logger.debug(f'Could not extract domain from email: {email}')
+            return False
+
+        is_blocked = domain in self.blocked_domains
+        if is_blocked:
+            logger.warning(f'Email domain {domain} is blocked for email: {email}')
+        else:
+            logger.debug(f'Email domain {domain} is not blocked')
+
+        return is_blocked
+
+
+domain_blocker = DomainBlocker()
@@ -13,6 +13,7 @@ from server.auth.auth_error import (
    ExpiredError,
    NoCredentialsError,
 )
+from server.auth.domain_blocker import domain_blocker
 from server.auth.token_manager import TokenManager
 from server.config import get_config
 from server.logger import logger
@@ -252,7 +253,12 @@ def get_api_key_from_header(request: Request):
    # This is a temp hack
    # Streamable HTTP MCP Client works via redirect requests, but drops the Authorization header for reason
    # We include `X-Session-API-Key` header by default due to nested runtimes, so it used as a drop in replacement here
-    return request.headers.get('X-Session-API-Key')
+    session_api_key = request.headers.get('X-Session-API-Key')
+    if session_api_key:
+        return session_api_key
+
+    # Fallback to X-Access-Token header as an additional option
+    return request.headers.get('X-Access-Token')


 async def saas_user_auth_from_bearer(request: Request) -> SaasUserAuth | None:
@@ -307,6 +313,16 @@ async def saas_user_auth_from_signed_token(signed_token: str) -> SaasUserAuth:
    user_id = access_token_payload['sub']
    email = access_token_payload['email']
    email_verified = access_token_payload['email_verified']
+
+    # Check if email domain is blocked
+    if email and domain_blocker.is_active() and domain_blocker.is_domain_blocked(email):
+        logger.warning(
+            f'Blocked authentication attempt for existing user with email: {email}'
+        )
+        raise AuthError(
+            'Access denied: Your email domain is not allowed to access this service'
+        )
+
    logger.debug('saas_user_auth_from_signed_token:return')

    return SaasUserAuth(
@@ -527,6 +527,49 @@ class TokenManager:
        github_id = github_ids[0]
        return github_id

+    async def disable_keycloak_user(
+        self, user_id: str, email: str | None = None
+    ) -> None:
+        """Disable a Keycloak user account.
+
+        Args:
+            user_id: The Keycloak user ID to disable
+            email: Optional email address for logging purposes
+
+        This method attempts to disable the user account but will not raise exceptions.
+        Errors are logged but do not prevent the operation from completing.
+        """
+        try:
+            keycloak_admin = get_keycloak_admin(self.external)
+            # Get current user to preserve other fields
+            user = await keycloak_admin.a_get_user(user_id)
+            if user:
+                # Update user with enabled=False to disable the account
+                await keycloak_admin.a_update_user(
+                    user_id=user_id,
+                    payload={
+                        'enabled': False,
+                        'username': user.get('username', ''),
+                        'email': user.get('email', ''),
+                        'emailVerified': user.get('emailVerified', False),
+                    },
+                )
+                email_str = f', email: {email}' if email else ''
+                logger.info(
+                    f'Disabled Keycloak account for user_id: {user_id}{email_str}'
+                )
+            else:
+                logger.warning(
+                    f'User not found in Keycloak when attempting to disable: {user_id}'
+                )
+        except Exception as e:
+            # Log error but don't raise - the caller should handle the blocking regardless
+            email_str = f', email: {email}' if email else ''
+            logger.error(
+                f'Failed to disable Keycloak account for user_id: {user_id}{email_str}: {str(e)}',
+                exc_info=True,
+            )
+
    def store_org_token(self, installation_id: int, installation_token: str):
        """Store a GitHub App installation token.

@@ -66,6 +66,7 @@ class SaaSServerConfig(ServerConfig):
    github_client_id: str = os.environ.get('GITHUB_APP_CLIENT_ID', '')
    enable_billing = os.environ.get('ENABLE_BILLING', 'false') == 'true'
    hide_llm_settings = os.environ.get('HIDE_LLM_SETTINGS', 'false') == 'true'
+    hide_billing = os.environ.get('HIDE_BILLING', 'false') == 'true'
    auth_url: str | None = os.environ.get('AUTH_URL')
    settings_store_class: str = 'storage.saas_settings_store.SaasSettingsStore'
    secret_store_class: str = 'storage.saas_secrets_store.SaasSecretsStore'
@@ -171,6 +172,7 @@ class SaaSServerConfig(ServerConfig):
            'FEATURE_FLAGS': {
                'ENABLE_BILLING': self.enable_billing,
                'HIDE_LLM_SETTINGS': self.hide_llm_settings,
+                'HIDE_BILLING': self.hide_billing,
                'ENABLE_JIRA': self.enable_jira,
                'ENABLE_JIRA_DC': self.enable_jira_dc,
                'ENABLE_LINEAR': self.enable_linear,
@@ -25,6 +25,7 @@ USER_SETTINGS_VERSION_TO_MODEL = {
    2: 'claude-3-7-sonnet-20250219',
    3: 'claude-sonnet-4-20250514',
    4: 'claude-sonnet-4-20250514',
+    5: 'claude-opus-4-5-20251101',
 }

 LITELLM_DEFAULT_MODEL = os.getenv('LITELLM_DEFAULT_MODEL')
@@ -1,331 +0,0 @@
-from __future__ import annotations
-
-import time
-from dataclasses import dataclass, field
-
-import socketio
-from server.clustered_conversation_manager import ClusteredConversationManager
-from server.saas_nested_conversation_manager import SaasNestedConversationManager
-
-from openhands.core.config import LLMConfig, OpenHandsConfig
-from openhands.events.action import MessageAction
-from openhands.server.config.server_config import ServerConfig
-from openhands.server.conversation_manager.conversation_manager import (
-    ConversationManager,
-)
-from openhands.server.data_models.agent_loop_info import AgentLoopInfo
-from openhands.server.monitoring import MonitoringListener
-from openhands.server.session.conversation import ServerConversation
-from openhands.storage.data_models.settings import Settings
-from openhands.storage.files import FileStore
-from openhands.utils.async_utils import wait_all
-
-_LEGACY_ENTRY_TIMEOUT_SECONDS = 3600
-
-
-@dataclass
-class LegacyCacheEntry:
-    """Cache entry for legacy mode status."""
-
-    is_legacy: bool
-    timestamp: float
-
-
-@dataclass
-class LegacyConversationManager(ConversationManager):
-    """
-    Conversation manager for use while migrating - since existing conversations are not nested!
-    Separate class from SaasNestedConversationManager so it can be easliy removed in a few weeks.
-    (As of 2025-07-23)
-    """
-
-    sio: socketio.AsyncServer
-    config: OpenHandsConfig
-    server_config: ServerConfig
-    file_store: FileStore
-    conversation_manager: SaasNestedConversationManager
-    legacy_conversation_manager: ClusteredConversationManager
-    _legacy_cache: dict[str, LegacyCacheEntry] = field(default_factory=dict)
-
-    async def __aenter__(self):
-        await wait_all(
-            [
-                self.conversation_manager.__aenter__(),
-                self.legacy_conversation_manager.__aenter__(),
-            ]
-        )
-        return self
-
-    async def __aexit__(self, exc_type, exc_value, traceback):
-        await wait_all(
-            [
-                self.conversation_manager.__aexit__(exc_type, exc_value, traceback),
-                self.legacy_conversation_manager.__aexit__(
-                    exc_type, exc_value, traceback
-                ),
-            ]
-        )
-
-    async def request_llm_completion(
-        self,
-        sid: str,
-        service_id: str,
-        llm_config: LLMConfig,
-        messages: list[dict[str, str]],
-    ) -> str:
-        session = self.get_agent_session(sid)
-        llm_registry = session.llm_registry
-        return llm_registry.request_extraneous_completion(
-            service_id, llm_config, messages
-        )
-
-    async def attach_to_conversation(
-        self, sid: str, user_id: str | None = None
-    ) -> ServerConversation | None:
-        if await self.should_start_in_legacy_mode(sid):
-            return await self.legacy_conversation_manager.attach_to_conversation(
-                sid, user_id
-            )
-        return await self.conversation_manager.attach_to_conversation(sid, user_id)
-
-    async def detach_from_conversation(self, conversation: ServerConversation):
-        if await self.should_start_in_legacy_mode(conversation.sid):
-            return await self.legacy_conversation_manager.detach_from_conversation(
-                conversation
-            )
-        return await self.conversation_manager.detach_from_conversation(conversation)
-
-    async def join_conversation(
-        self,
-        sid: str,
-        connection_id: str,
-        settings: Settings,
-        user_id: str | None,
-    ) -> AgentLoopInfo:
-        if await self.should_start_in_legacy_mode(sid):
-            return await self.legacy_conversation_manager.join_conversation(
-                sid, connection_id, settings, user_id
-            )
-        return await self.conversation_manager.join_conversation(
-            sid, connection_id, settings, user_id
-        )
-
-    def get_agent_session(self, sid: str):
-        session = self.legacy_conversation_manager.get_agent_session(sid)
-        if session is None:
-            session = self.conversation_manager.get_agent_session(sid)
-        return session
-
-    async def get_running_agent_loops(
-        self, user_id: str | None = None, filter_to_sids: set[str] | None = None
-    ) -> set[str]:
-        if filter_to_sids and len(filter_to_sids) == 1:
-            sid = next(iter(filter_to_sids))
-            if await self.should_start_in_legacy_mode(sid):
-                return await self.legacy_conversation_manager.get_running_agent_loops(
-                    user_id, filter_to_sids
-                )
-            return await self.conversation_manager.get_running_agent_loops(
-                user_id, filter_to_sids
-            )
-
-        # Get all running agent loops from both managers
-        agent_loops, legacy_agent_loops = await wait_all(
-            [
-                self.conversation_manager.get_running_agent_loops(
-                    user_id, filter_to_sids
-                ),
-                self.legacy_conversation_manager.get_running_agent_loops(
-                    user_id, filter_to_sids
-                ),
-            ]
-        )
-
-        # Combine the results
-        result = set()
-        for sid in legacy_agent_loops:
-            if await self.should_start_in_legacy_mode(sid):
-                result.add(sid)
-
-        for sid in agent_loops:
-            if not await self.should_start_in_legacy_mode(sid):
-                result.add(sid)
-
-        return result
-
-    async def is_agent_loop_running(self, sid: str) -> bool:
-        return bool(await self.get_running_agent_loops(filter_to_sids={sid}))
-
-    async def get_connections(
-        self, user_id: str | None = None, filter_to_sids: set[str] | None = None
-    ) -> dict[str, str]:
-        if filter_to_sids and len(filter_to_sids) == 1:
-            sid = next(iter(filter_to_sids))
-            if await self.should_start_in_legacy_mode(sid):
-                return await self.legacy_conversation_manager.get_connections(
-                    user_id, filter_to_sids
-                )
-            return await self.conversation_manager.get_connections(
-                user_id, filter_to_sids
-            )
-        agent_loops, legacy_agent_loops = await wait_all(
-            [
-                self.conversation_manager.get_connections(user_id, filter_to_sids),
-                self.legacy_conversation_manager.get_connections(
-                    user_id, filter_to_sids
-                ),
-            ]
-        )
-        legacy_agent_loops.update(agent_loops)
-        return legacy_agent_loops
-
-    async def maybe_start_agent_loop(
-        self,
-        sid: str,
-        settings: Settings,
-        user_id: str,  # type: ignore[override]
-        initial_user_msg: MessageAction | None = None,
-        replay_json: str | None = None,
-    ) -> AgentLoopInfo:
-        if await self.should_start_in_legacy_mode(sid):
-            return await self.legacy_conversation_manager.maybe_start_agent_loop(
-                sid, settings, user_id, initial_user_msg, replay_json
-            )
-        return await self.conversation_manager.maybe_start_agent_loop(
-            sid, settings, user_id, initial_user_msg, replay_json
-        )
-
-    async def send_to_event_stream(self, connection_id: str, data: dict):
-        return await self.legacy_conversation_manager.send_to_event_stream(
-            connection_id, data
-        )
-
-    async def send_event_to_conversation(self, sid: str, data: dict):
-        if await self.should_start_in_legacy_mode(sid):
-            await self.legacy_conversation_manager.send_event_to_conversation(sid, data)
-        await self.conversation_manager.send_event_to_conversation(sid, data)
-
-    async def disconnect_from_session(self, connection_id: str):
-        return await self.legacy_conversation_manager.disconnect_from_session(
-            connection_id
-        )
-
-    async def close_session(self, sid: str):
-        if await self.should_start_in_legacy_mode(sid):
-            await self.legacy_conversation_manager.close_session(sid)
-        await self.conversation_manager.close_session(sid)
-
-    async def get_agent_loop_info(
-        self, user_id: str | None = None, filter_to_sids: set[str] | None = None
-    ) -> list[AgentLoopInfo]:
-        if filter_to_sids and len(filter_to_sids) == 1:
-            sid = next(iter(filter_to_sids))
-            if await self.should_start_in_legacy_mode(sid):
-                return await self.legacy_conversation_manager.get_agent_loop_info(
-                    user_id, filter_to_sids
-                )
-            return await self.conversation_manager.get_agent_loop_info(
-                user_id, filter_to_sids
-            )
-        agent_loops, legacy_agent_loops = await wait_all(
-            [
-                self.conversation_manager.get_agent_loop_info(user_id, filter_to_sids),
-                self.legacy_conversation_manager.get_agent_loop_info(
-                    user_id, filter_to_sids
-                ),
-            ]
-        )
-
-        # Combine results
-        result = []
-        legacy_sids = set()
-
-        # Add legacy agent loops
-        for agent_loop in legacy_agent_loops:
-            if await self.should_start_in_legacy_mode(agent_loop.conversation_id):
-                result.append(agent_loop)
-                legacy_sids.add(agent_loop.conversation_id)
-
-        # Add non-legacy agent loops
-        for agent_loop in agent_loops:
-            if (
-                agent_loop.conversation_id not in legacy_sids
-                and not await self.should_start_in_legacy_mode(
-                    agent_loop.conversation_id
-                )
-            ):
-                result.append(agent_loop)
-
-        return result
-
-    def _cleanup_expired_cache_entries(self):
-        """Remove expired entries from the local cache."""
-        current_time = time.time()
-        expired_keys = [
-            key
-            for key, entry in self._legacy_cache.items()
-            if current_time - entry.timestamp > _LEGACY_ENTRY_TIMEOUT_SECONDS
-        ]
-        for key in expired_keys:
-            del self._legacy_cache[key]
-
-    async def should_start_in_legacy_mode(self, conversation_id: str) -> bool:
-        """
-        Check if a conversation should run in legacy mode by directly checking the runtime.
-        The /list method does not include stopped conversations even though the PVC for these
-        may not yet have been deleted, so we need to check /sessions/{session_id} directly.
-        """
-        # Clean up expired entries periodically
-        self._cleanup_expired_cache_entries()
-
-        # First check the local cache
-        if conversation_id in self._legacy_cache:
-            cached_entry = self._legacy_cache[conversation_id]
-            # Check if the cached value is still valid
-            if time.time() - cached_entry.timestamp <= _LEGACY_ENTRY_TIMEOUT_SECONDS:
-                return cached_entry.is_legacy
-
-        # If not in cache or expired, check the runtime directly
-        runtime = await self.conversation_manager._get_runtime(conversation_id)
-        is_legacy = self.is_legacy_runtime(runtime)
-
-        # Cache the result with current timestamp
-        self._legacy_cache[conversation_id] = LegacyCacheEntry(is_legacy, time.time())
-
-        return is_legacy
-
-    def is_legacy_runtime(self, runtime: dict | None) -> bool:
-        """
-        Determine if a runtime is a legacy runtime based on its command.
-
-        Args:
-            runtime: The runtime dictionary or None if not found
-
-        Returns:
-            bool: True if this is a legacy runtime, False otherwise
-        """
-        if runtime is None:
-            return False
-        return 'openhands.server' not in runtime['command']
-
-    @classmethod
-    def get_instance(
-        cls,
-        sio: socketio.AsyncServer,
-        config: OpenHandsConfig,
-        file_store: FileStore,
-        server_config: ServerConfig,
-        monitoring_listener: MonitoringListener,
-    ) -> ConversationManager:
-        return LegacyConversationManager(
-            sio=sio,
-            config=config,
-            server_config=server_config,
-            file_store=file_store,
-            conversation_manager=SaasNestedConversationManager.get_instance(
-                sio, config, file_store, server_config, monitoring_listener
-            ),
-            legacy_conversation_manager=ClusteredConversationManager.get_instance(
-                sio, config, file_store, server_config, monitoring_listener
-            ),
-        )
@@ -152,17 +152,22 @@ class SetAuthCookieMiddleware:
            return False
        path = request.url.path

-        is_api_that_should_attach = path.startswith('/api') and path not in (
+        ignore_paths = (
            '/api/options/config',
            '/api/keycloak/callback',
            '/api/billing/success',
            '/api/billing/cancel',
            '/api/billing/customer-setup-success',
            '/api/billing/stripe-webhook',
+            '/oauth/device/authorize',
+            '/oauth/device/token',
        )
+        if path in ignore_paths:
+            return False

        is_mcp = path.startswith('/mcp')
-        return is_api_that_should_attach or is_mcp
+        is_api_route = path.startswith('/api')
+        return is_api_route or is_mcp

    async def _logout(self, request: Request):
        # Log out of keycloak - this prevents issues where you did not log in with the idp you believe you used
@@ -14,6 +14,7 @@ from server.auth.constants import (
    KEYCLOAK_SERVER_URL_EXT,
    ROLE_CHECK_ENABLED,
 )
+from server.auth.domain_blocker import domain_blocker
 from server.auth.gitlab_sync import schedule_gitlab_repo_sync
 from server.auth.saas_user_auth import SaasUserAuth
 from server.auth.token_manager import TokenManager
@@ -145,7 +146,24 @@ async def keycloak_callback(
            content={'error': 'Missing user ID or username in response'},
        )

+    # Check if email domain is blocked
+    email = user_info.get('email')
    user_id = user_info['sub']
+    if email and domain_blocker.is_active() and domain_blocker.is_domain_blocked(email):
+        logger.warning(
+            f'Blocked authentication attempt for email: {email}, user_id: {user_id}'
+        )
+
+        # Disable the Keycloak account
+        await token_manager.disable_keycloak_user(user_id, email)
+
+        return JSONResponse(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            content={
+                'error': 'Access denied: Your email domain is not allowed to access this service'
+            },
+        )
+
    # default to github IDP for now.
    # TODO: remove default once Keycloak is updated universally with the new attribute.
    idp: str = user_info.get('identity_provider', ProviderType.GITHUB.value)
@@ -1,3 +1,4 @@
+import asyncio
 import hashlib
 import hmac
 import os
@@ -58,7 +59,8 @@ async def github_events(
        )

    try:
-        payload = await request.body()
+        # Add timeout to prevent hanging on slow/stalled clients
+        payload = await asyncio.wait_for(request.body(), timeout=15.0)
        verify_github_signature(payload, x_hub_signature_256)

        payload_data = await request.json()
@@ -78,6 +80,12 @@ async def github_events(
            status_code=200,
            content={'message': 'GitHub events endpoint reached successfully.'},
        )
+    except asyncio.TimeoutError:
+        logger.warning('GitHub webhook request timed out waiting for request body')
+        return JSONResponse(
+            status_code=408,
+            content={'error': 'Request timeout - client took too long to send data.'},
+        )
    except Exception as e:
        logger.exception(f'Error processing GitHub event: {e}')
        return JSONResponse(status_code=400, content={'error': 'Invalid payload.'})
@@ -0,0 +1,324 @@
+"""OAuth 2.0 Device Flow endpoints for CLI authentication."""
+
+from datetime import UTC, datetime, timedelta
+from typing import Optional
+
+from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
+from fastapi.responses import JSONResponse
+from pydantic import BaseModel
+from storage.api_key_store import ApiKeyStore
+from storage.database import session_maker
+from storage.device_code_store import DeviceCodeStore
+
+from openhands.core.logger import openhands_logger as logger
+from openhands.server.user_auth import get_user_id
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+DEVICE_CODE_EXPIRES_IN = 600  # 10 minutes
+DEVICE_TOKEN_POLL_INTERVAL = 5  # seconds
+
+API_KEY_NAME = 'Device Link Access Key'
+KEY_EXPIRATION_TIME = timedelta(days=1)  # Key expires in 24 hours
+
+# ---------------------------------------------------------------------------
+# Models
+# ---------------------------------------------------------------------------
+
+
+class DeviceAuthorizationResponse(BaseModel):
+    device_code: str
+    user_code: str
+    verification_uri: str
+    verification_uri_complete: str
+    expires_in: int
+    interval: int
+
+
+class DeviceTokenResponse(BaseModel):
+    access_token: str  # This will be the user's API key
+    token_type: str = 'Bearer'
+    expires_in: Optional[int] = None  # API keys may not have expiration
+
+
+class DeviceTokenErrorResponse(BaseModel):
+    error: str
+    error_description: Optional[str] = None
+    interval: Optional[int] = None  # Required for slow_down error
+
+
+# ---------------------------------------------------------------------------
+# Router + stores
+# ---------------------------------------------------------------------------
+
+oauth_device_router = APIRouter(prefix='/oauth/device')
+device_code_store = DeviceCodeStore(session_maker)
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def _oauth_error(
+    status_code: int,
+    error: str,
+    description: str,
+    interval: Optional[int] = None,
+) -> JSONResponse:
+    """Return a JSON OAuth-style error response."""
+    return JSONResponse(
+        status_code=status_code,
+        content=DeviceTokenErrorResponse(
+            error=error,
+            error_description=description,
+            interval=interval,
+        ).model_dump(),
+    )
+
+
+# ---------------------------------------------------------------------------
+# Endpoints
+# ---------------------------------------------------------------------------
+
+
+@oauth_device_router.post('/authorize', response_model=DeviceAuthorizationResponse)
+async def device_authorization(
+    http_request: Request,
+) -> DeviceAuthorizationResponse:
+    """Start device flow by generating device and user codes."""
+    try:
+        device_code_entry = device_code_store.create_device_code(
+            expires_in=DEVICE_CODE_EXPIRES_IN,
+        )
+
+        base_url = str(http_request.base_url).rstrip('/')
+        verification_uri = f'{base_url}/oauth/device/verify'
+        verification_uri_complete = (
+            f'{verification_uri}?user_code={device_code_entry.user_code}'
+        )
+
+        logger.info(
+            'Device authorization initiated',
+            extra={'user_code': device_code_entry.user_code},
+        )
+
+        return DeviceAuthorizationResponse(
+            device_code=device_code_entry.device_code,
+            user_code=device_code_entry.user_code,
+            verification_uri=verification_uri,
+            verification_uri_complete=verification_uri_complete,
+            expires_in=DEVICE_CODE_EXPIRES_IN,
+            interval=device_code_entry.current_interval,
+        )
+    except Exception as e:
+        logger.exception('Error in device authorization: %s', str(e))
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Internal server error',
+        ) from e
+
+
+@oauth_device_router.post('/token')
+async def device_token(device_code: str = Form(...)):
+    """Poll for a token until the user authorizes or the code expires."""
+    try:
+        device_code_entry = device_code_store.get_by_device_code(device_code)
+
+        if not device_code_entry:
+            return _oauth_error(
+                status.HTTP_400_BAD_REQUEST,
+                'invalid_grant',
+                'Invalid device code',
+            )
+
+        # Check rate limiting (RFC 8628 section 3.5)
+        is_too_fast, current_interval = device_code_entry.check_rate_limit()
+        if is_too_fast:
+            # Update poll time and increase interval
+            device_code_store.update_poll_time(device_code, increase_interval=True)
+            logger.warning(
+                'Client polling too fast, returning slow_down error',
+                extra={
+                    'device_code': device_code[:8] + '...',  # Log partial for privacy
+                    'new_interval': current_interval,
+                },
+            )
+            return _oauth_error(
+                status.HTTP_400_BAD_REQUEST,
+                'slow_down',
+                f'Polling too frequently. Wait at least {current_interval} seconds between requests.',
+                interval=current_interval,
+            )
+
+        # Update poll time for successful rate limit check
+        device_code_store.update_poll_time(device_code, increase_interval=False)
+
+        if device_code_entry.is_expired():
+            return _oauth_error(
+                status.HTTP_400_BAD_REQUEST,
+                'expired_token',
+                'Device code has expired',
+            )
+
+        if device_code_entry.status == 'denied':
+            return _oauth_error(
+                status.HTTP_400_BAD_REQUEST,
+                'access_denied',
+                'User denied the authorization request',
+            )
+
+        if device_code_entry.status == 'pending':
+            return _oauth_error(
+                status.HTTP_400_BAD_REQUEST,
+                'authorization_pending',
+                'User has not yet completed authorization',
+            )
+
+        if device_code_entry.status == 'authorized':
+            # Retrieve the specific API key for this device using the user_code
+            api_key_store = ApiKeyStore.get_instance()
+            device_key_name = f'{API_KEY_NAME} ({device_code_entry.user_code})'
+            device_api_key = api_key_store.retrieve_api_key_by_name(
+                device_code_entry.keycloak_user_id, device_key_name
+            )
+
+            if not device_api_key:
+                logger.error(
+                    'No device API key found for authorized device',
+                    extra={
+                        'user_id': device_code_entry.keycloak_user_id,
+                        'user_code': device_code_entry.user_code,
+                    },
+                )
+                return _oauth_error(
+                    status.HTTP_500_INTERNAL_SERVER_ERROR,
+                    'server_error',
+                    'API key not found',
+                )
+
+            # Return the API key as access_token
+            return DeviceTokenResponse(
+                access_token=device_api_key,
+            )
+
+        # Fallback for unexpected status values
+        logger.error(
+            'Unknown device code status',
+            extra={'status': device_code_entry.status},
+        )
+        return _oauth_error(
+            status.HTTP_500_INTERNAL_SERVER_ERROR,
+            'server_error',
+            'Unknown device code status',
+        )
+
+    except Exception as e:
+        logger.exception('Error in device token: %s', str(e))
+        return _oauth_error(
+            status.HTTP_500_INTERNAL_SERVER_ERROR,
+            'server_error',
+            'Internal server error',
+        )
+
+
+@oauth_device_router.post('/verify-authenticated')
+async def device_verification_authenticated(
+    user_code: str = Form(...),
+    user_id: str = Depends(get_user_id),
+):
+    """Process device verification for authenticated users (called by frontend)."""
+    try:
+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='Authentication required',
+            )
+
+        # Validate device code
+        device_code_entry = device_code_store.get_by_user_code(user_code)
+        if not device_code_entry:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail='The device code is invalid or has expired.',
+            )
+
+        if not device_code_entry.is_pending():
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail='This device code has already been processed.',
+            )
+
+        # First, authorize the device code
+        success = device_code_store.authorize_device_code(
+            user_code=user_code,
+            user_id=user_id,
+        )
+
+        if not success:
+            logger.error(
+                'Failed to authorize device code',
+                extra={'user_code': user_code, 'user_id': user_id},
+            )
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail='Failed to authorize the device. Please try again.',
+            )
+
+        # Only create API key AFTER successful authorization
+        api_key_store = ApiKeyStore.get_instance()
+        try:
+            # Create a unique API key for this device using user_code in the name
+            device_key_name = f'{API_KEY_NAME} ({user_code})'
+            api_key_store.create_api_key(
+                user_id,
+                name=device_key_name,
+                expires_at=datetime.now(UTC) + KEY_EXPIRATION_TIME,
+            )
+            logger.info(
+                'Created new device API key for user after successful authorization',
+                extra={'user_id': user_id, 'user_code': user_code},
+            )
+        except Exception as e:
+            logger.exception(
+                'Failed to create device API key after authorization: %s', str(e)
+            )
+
+            # Clean up: revert the device authorization since API key creation failed
+            # This prevents the device from being in an authorized state without an API key
+            try:
+                device_code_store.deny_device_code(user_code)
+                logger.info(
+                    'Reverted device authorization due to API key creation failure',
+                    extra={'user_code': user_code, 'user_id': user_id},
+                )
+            except Exception as cleanup_error:
+                logger.exception(
+                    'Failed to revert device authorization during cleanup: %s',
+                    str(cleanup_error),
+                )
+
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail='Failed to create API key for device access.',
+            )
+
+        logger.info(
+            'Device code authorized with API key successfully',
+            extra={'user_code': user_code, 'user_id': user_id},
+        )
+        return JSONResponse(
+            status_code=status.HTTP_200_OK,
+            content={'message': 'Device authorized successfully!'},
+        )
+
+    except HTTPException:
+        raise
+    except Exception as e:
+        logger.exception('Error in device verification: %s', str(e))
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='An unexpected error occurred. Please try again.',
+        )
@@ -31,6 +31,7 @@ from openhands.events.event_store import EventStore
 from openhands.events.serialization.event import event_to_dict
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderHandler
 from openhands.runtime.impl.remote.remote_runtime import RemoteRuntime
+from openhands.runtime.plugins.vscode import VSCodeRequirement
 from openhands.runtime.runtime_status import RuntimeStatus
 from openhands.server.config.server_config import ServerConfig
 from openhands.server.constants import ROOM_KEY
@@ -70,6 +71,14 @@ RUNTIME_CONVERSATION_URL = RUNTIME_URL_PATTERN + (
    else '/api/conversations/{conversation_id}'
 )

+RUNTIME_USERNAME = os.getenv('RUNTIME_USERNAME')
+
+SU_TO_USER = os.getenv('SU_TO_USER', 'false')
+truthy = {'1', 'true', 't', 'yes', 'y', 'on'}
+SU_TO_USER = str(SU_TO_USER.lower() in truthy).lower()
+
+DISABLE_VSCODE_PLUGIN = os.getenv('DISABLE_VSCODE_PLUGIN', 'false').lower() == 'true'
+
 # Time in seconds before a Redis entry is considered expired if not refreshed
 _REDIS_ENTRY_TIMEOUT_SECONDS = 300

@@ -772,7 +781,11 @@ class SaasNestedConversationManager(ConversationManager):
        env_vars['SERVE_FRONTEND'] = '0'
        env_vars['RUNTIME'] = 'local'
        # TODO: In the long term we may come up with a more secure strategy for user management within the nested runtime.
-        env_vars['USER'] = 'openhands' if config.run_as_openhands else 'root'
+        env_vars['USER'] = (
+            RUNTIME_USERNAME
+            if RUNTIME_USERNAME
+            else ('openhands' if config.run_as_openhands else 'root')
+        )
        env_vars['PERMITTED_CORS_ORIGINS'] = ','.join(PERMITTED_CORS_ORIGINS)
        env_vars['port'] = '60000'
        # TODO: These values are static in the runtime-api project, but do not get copied into the runtime ENV
@@ -789,6 +802,10 @@ class SaasNestedConversationManager(ConversationManager):
        env_vars['INITIAL_NUM_WARM_SERVERS'] = '1'
        env_vars['INIT_GIT_IN_EMPTY_WORKSPACE'] = '1'
        env_vars['ENABLE_V1'] = '0'
+        env_vars['SU_TO_USER'] = SU_TO_USER
+        env_vars['DISABLE_VSCODE_PLUGIN'] = str(DISABLE_VSCODE_PLUGIN).lower()
+        env_vars['BROWSERGYM_DOWNLOAD_DIR'] = '/workspace/.downloads/'
+        env_vars['PLAYWRIGHT_BROWSERS_PATH'] = '/opt/playwright-browsers'

        # We need this for LLM traces tracking to identify the source of the LLM calls
        env_vars['WEB_HOST'] = WEB_HOST
@@ -804,11 +821,18 @@ class SaasNestedConversationManager(ConversationManager):
        if self._runtime_container_image:
            config.sandbox.runtime_container_image = self._runtime_container_image

+        plugins = [
+            plugin
+            for plugin in agent.sandbox_plugins
+            if not (DISABLE_VSCODE_PLUGIN and isinstance(plugin, VSCodeRequirement))
+        ]
+        logger.info(f'Loaded plugins for runtime {sid}: {plugins}')
+
        runtime = RemoteRuntime(
            config=config,
            event_stream=None,  # type: ignore[arg-type]
            sid=sid,
-            plugins=agent.sandbox_plugins,
+            plugins=plugins,
            # env_vars=env_vars,
            # status_callback: Callable[..., None] | None = None,
            attach_to_existing=False,
@@ -17,10 +17,13 @@ from openhands.core.logger import openhands_logger as logger
 class ApiKeyStore:
    session_maker: sessionmaker

+    API_KEY_PREFIX = 'sk-oh-'
+
    def generate_api_key(self, length: int = 32) -> str:
-        """Generate a random API key."""
+        """Generate a random API key with the sk-oh- prefix."""
        alphabet = string.ascii_letters + string.digits
-        return ''.join(secrets.choice(alphabet) for _ in range(length))
+        random_part = ''.join(secrets.choice(alphabet) for _ in range(length))
+        return f'{self.API_KEY_PREFIX}{random_part}'

    def create_api_key(
        self, user_id: str, name: str | None = None, expires_at: datetime | None = None
@@ -57,9 +60,15 @@ class ApiKeyStore:
                return None

            # Check if the key has expired
-            if key_record.expires_at and key_record.expires_at < now:
-                logger.info(f'API key has expired: {key_record.id}')
-                return None
+            if key_record.expires_at:
+                # Handle timezone-naive datetime from database by assuming it's UTC
+                expires_at = key_record.expires_at
+                if expires_at.tzinfo is None:
+                    expires_at = expires_at.replace(tzinfo=UTC)
+
+                if expires_at < now:
+                    logger.info(f'API key has expired: {key_record.id}')
+                    return None

            # Update last_used_at timestamp
            session.execute(
@@ -125,6 +134,33 @@ class ApiKeyStore:

        return None

+    def retrieve_api_key_by_name(self, user_id: str, name: str) -> str | None:
+        """Retrieve an API key by name for a specific user."""
+        with self.session_maker() as session:
+            key_record = (
+                session.query(ApiKey)
+                .filter(ApiKey.user_id == user_id, ApiKey.name == name)
+                .first()
+            )
+            return key_record.key if key_record else None
+
+    def delete_api_key_by_name(self, user_id: str, name: str) -> bool:
+        """Delete an API key by name for a specific user."""
+        with self.session_maker() as session:
+            key_record = (
+                session.query(ApiKey)
+                .filter(ApiKey.user_id == user_id, ApiKey.name == name)
+                .first()
+            )
+
+            if not key_record:
+                return False
+
+            session.delete(key_record)
+            session.commit()
+
+            return True
+
    @classmethod
    def get_instance(cls) -> ApiKeyStore:
        """Get an instance of the ApiKeyStore."""
@@ -0,0 +1,109 @@
+"""Device code storage model for OAuth 2.0 Device Flow."""
+
+from datetime import datetime, timezone
+from enum import Enum
+
+from sqlalchemy import Column, DateTime, Integer, String
+from storage.base import Base
+
+
+class DeviceCodeStatus(Enum):
+    """Status of a device code authorization request."""
+
+    PENDING = 'pending'
+    AUTHORIZED = 'authorized'
+    EXPIRED = 'expired'
+    DENIED = 'denied'
+
+
+class DeviceCode(Base):
+    """Device code for OAuth 2.0 Device Flow.
+
+    This stores the device codes issued during the device authorization flow,
+    along with their status and associated user information once authorized.
+    """
+
+    __tablename__ = 'device_codes'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    device_code = Column(String(128), unique=True, nullable=False, index=True)
+    user_code = Column(String(16), unique=True, nullable=False, index=True)
+    status = Column(String(32), nullable=False, default=DeviceCodeStatus.PENDING.value)
+
+    # Keycloak user ID who authorized the device (set during verification)
+    keycloak_user_id = Column(String(255), nullable=True)
+
+    # Timestamps
+    expires_at = Column(DateTime(timezone=True), nullable=False)
+    authorized_at = Column(DateTime(timezone=True), nullable=True)
+
+    # Rate limiting fields for RFC 8628 section 3.5 compliance
+    last_poll_time = Column(DateTime(timezone=True), nullable=True)
+    current_interval = Column(Integer, nullable=False, default=5)
+
+    def __repr__(self) -> str:
+        return f"<DeviceCode(user_code='{self.user_code}', status='{self.status}')>"
+
+    def is_expired(self) -> bool:
+        """Check if the device code has expired."""
+        now = datetime.now(timezone.utc)
+        return now > self.expires_at
+
+    def is_pending(self) -> bool:
+        """Check if the device code is still pending authorization."""
+        return self.status == DeviceCodeStatus.PENDING.value and not self.is_expired()
+
+    def is_authorized(self) -> bool:
+        """Check if the device code has been authorized."""
+        return self.status == DeviceCodeStatus.AUTHORIZED.value
+
+    def authorize(self, user_id: str) -> None:
+        """Mark the device code as authorized."""
+        self.status = DeviceCodeStatus.AUTHORIZED.value
+        self.keycloak_user_id = user_id  # Set the Keycloak user ID during authorization
+        self.authorized_at = datetime.now(timezone.utc)
+
+    def deny(self) -> None:
+        """Mark the device code as denied."""
+        self.status = DeviceCodeStatus.DENIED.value
+
+    def expire(self) -> None:
+        """Mark the device code as expired."""
+        self.status = DeviceCodeStatus.EXPIRED.value
+
+    def check_rate_limit(self) -> tuple[bool, int]:
+        """Check if the client is polling too fast.
+
+        Returns:
+            tuple: (is_too_fast, current_interval)
+                - is_too_fast: True if client should receive slow_down error
+                - current_interval: Current polling interval to use
+        """
+        now = datetime.now(timezone.utc)
+
+        # If this is the first poll, allow it
+        if self.last_poll_time is None:
+            return False, self.current_interval
+
+        # Calculate time since last poll
+        time_since_last_poll = (now - self.last_poll_time).total_seconds()
+
+        # Check if polling too fast
+        if time_since_last_poll < self.current_interval:
+            # Increase interval for slow_down (RFC 8628 section 3.5)
+            new_interval = min(self.current_interval + 5, 60)  # Cap at 60 seconds
+            return True, new_interval
+
+        return False, self.current_interval
+
+    def update_poll_time(self, increase_interval: bool = False) -> None:
+        """Update the last poll time and optionally increase the interval.
+
+        Args:
+            increase_interval: If True, increase the current interval for slow_down
+        """
+        self.last_poll_time = datetime.now(timezone.utc)
+
+        if increase_interval:
+            # Increase interval by 5 seconds, cap at 60 seconds (RFC 8628)
+            self.current_interval = min(self.current_interval + 5, 60)
@@ -0,0 +1,167 @@
+"""Device code store for OAuth 2.0 Device Flow."""
+
+import secrets
+import string
+from datetime import datetime, timedelta, timezone
+
+from sqlalchemy.exc import IntegrityError
+from storage.device_code import DeviceCode
+
+
+class DeviceCodeStore:
+    """Store for managing OAuth 2.0 device codes."""
+
+    def __init__(self, session_maker):
+        self.session_maker = session_maker
+
+    def generate_user_code(self) -> str:
+        """Generate a human-readable user code (8 characters, uppercase letters and digits)."""
+        # Use a mix of uppercase letters and digits, avoiding confusing characters
+        alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'  # No I, O, 0, 1
+        return ''.join(secrets.choice(alphabet) for _ in range(8))
+
+    def generate_device_code(self) -> str:
+        """Generate a secure device code (128 characters)."""
+        alphabet = string.ascii_letters + string.digits
+        return ''.join(secrets.choice(alphabet) for _ in range(128))
+
+    def create_device_code(
+        self,
+        expires_in: int = 600,  # 10 minutes default
+        max_attempts: int = 10,
+    ) -> DeviceCode:
+        """Create a new device code entry.
+
+        Uses database constraints to ensure uniqueness, avoiding TOCTOU race conditions.
+        Retries on constraint violations until unique codes are generated.
+
+        Args:
+            expires_in: Expiration time in seconds
+            max_attempts: Maximum number of attempts to generate unique codes
+
+        Returns:
+            The created DeviceCode instance
+
+        Raises:
+            RuntimeError: If unable to generate unique codes after max_attempts
+        """
+        for attempt in range(max_attempts):
+            user_code = self.generate_user_code()
+            device_code = self.generate_device_code()
+            expires_at = datetime.now(timezone.utc) + timedelta(seconds=expires_in)
+
+            device_code_entry = DeviceCode(
+                device_code=device_code,
+                user_code=user_code,
+                keycloak_user_id=None,  # Will be set during authorization
+                expires_at=expires_at,
+            )
+
+            try:
+                with self.session_maker() as session:
+                    session.add(device_code_entry)
+                    session.commit()
+                    session.refresh(device_code_entry)
+                    session.expunge(device_code_entry)  # Detach from session cleanly
+                    return device_code_entry
+            except IntegrityError:
+                # Constraint violation - codes already exist, retry with new codes
+                continue
+
+        raise RuntimeError(
+            f'Failed to generate unique device codes after {max_attempts} attempts'
+        )
+
+    def get_by_device_code(self, device_code: str) -> DeviceCode | None:
+        """Get device code entry by device code."""
+        with self.session_maker() as session:
+            result = (
+                session.query(DeviceCode).filter_by(device_code=device_code).first()
+            )
+            if result:
+                session.expunge(result)  # Detach from session cleanly
+            return result
+
+    def get_by_user_code(self, user_code: str) -> DeviceCode | None:
+        """Get device code entry by user code."""
+        with self.session_maker() as session:
+            result = session.query(DeviceCode).filter_by(user_code=user_code).first()
+            if result:
+                session.expunge(result)  # Detach from session cleanly
+            return result
+
+    def authorize_device_code(self, user_code: str, user_id: str) -> bool:
+        """Authorize a device code.
+
+        Args:
+            user_code: The user code to authorize
+            user_id: The user ID from Keycloak
+
+        Returns:
+            True if authorization was successful, False otherwise
+        """
+        with self.session_maker() as session:
+            device_code_entry = (
+                session.query(DeviceCode).filter_by(user_code=user_code).first()
+            )
+
+            if not device_code_entry:
+                return False
+
+            if not device_code_entry.is_pending():
+                return False
+
+            device_code_entry.authorize(user_id)
+            session.commit()
+
+            return True
+
+    def deny_device_code(self, user_code: str) -> bool:
+        """Deny a device code authorization.
+
+        Args:
+            user_code: The user code to deny
+
+        Returns:
+            True if denial was successful, False otherwise
+        """
+        with self.session_maker() as session:
+            device_code_entry = (
+                session.query(DeviceCode).filter_by(user_code=user_code).first()
+            )
+
+            if not device_code_entry:
+                return False
+
+            if not device_code_entry.is_pending():
+                return False
+
+            device_code_entry.deny()
+            session.commit()
+
+            return True
+
+    def update_poll_time(
+        self, device_code: str, increase_interval: bool = False
+    ) -> bool:
+        """Update the poll time for a device code and optionally increase interval.
+
+        Args:
+            device_code: The device code to update
+            increase_interval: If True, increase the polling interval for slow_down
+
+        Returns:
+            True if update was successful, False otherwise
+        """
+        with self.session_maker() as session:
+            device_code_entry = (
+                session.query(DeviceCode).filter_by(device_code=device_code).first()
+            )
+
+            if not device_code_entry:
+                return False
+
+            device_code_entry.update_poll_time(increase_interval)
+            session.commit()
+
+            return True
@@ -94,6 +94,7 @@ class SaasSettingsStore(SettingsStore):
            }
            self._decrypt_kwargs(kwargs)
            settings = Settings(**kwargs)
+
            return settings

    async def store(self, item: Settings):
@@ -12,6 +12,7 @@ from storage.base import Base
 # Anything not loaded here may not have a table created for it.
 from storage.billing_session import BillingSession
 from storage.conversation_work import ConversationWork
+from storage.device_code import DeviceCode  # noqa: F401
 from storage.feedback import Feedback
 from storage.github_app_installation import GithubAppInstallation
 from storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus
@@ -0,0 +1,133 @@
+"""Test for ResolverUserContext get_secrets conversion logic.
+
+This test focuses on testing the actual ResolverUserContext implementation.
+"""
+
+from types import MappingProxyType
+from unittest.mock import AsyncMock
+
+import pytest
+from pydantic import SecretStr
+
+from enterprise.integrations.resolver_context import ResolverUserContext
+
+# Import the real classes we want to test
+from openhands.integrations.provider import CustomSecret
+
+# Import the SDK types we need for testing
+from openhands.sdk.secret import SecretSource, StaticSecret
+from openhands.storage.data_models.secrets import Secrets
+
+
+@pytest.fixture
+def mock_saas_user_auth():
+    """Mock SaasUserAuth for testing."""
+    return AsyncMock()
+
+
+@pytest.fixture
+def resolver_context(mock_saas_user_auth):
+    """Create a ResolverUserContext instance for testing."""
+    return ResolverUserContext(saas_user_auth=mock_saas_user_auth)
+
+
+def create_custom_secret(value: str, description: str = 'Test secret') -> CustomSecret:
+    """Helper to create CustomSecret instances."""
+    return CustomSecret(secret=SecretStr(value), description=description)
+
+
+def create_secrets(custom_secrets_dict: dict[str, CustomSecret]) -> Secrets:
+    """Helper to create Secrets instances."""
+    return Secrets(custom_secrets=MappingProxyType(custom_secrets_dict))
+
+
+@pytest.mark.asyncio
+async def test_get_secrets_converts_custom_to_static(
+    resolver_context, mock_saas_user_auth
+):
+    """Test that get_secrets correctly converts CustomSecret objects to StaticSecret objects."""
+    # Arrange
+    secrets = create_secrets(
+        {
+            'TEST_SECRET_1': create_custom_secret('secret_value_1'),
+            'TEST_SECRET_2': create_custom_secret('secret_value_2'),
+        }
+    )
+    mock_saas_user_auth.get_secrets.return_value = secrets
+
+    # Act
+    result = await resolver_context.get_secrets()
+
+    # Assert
+    assert len(result) == 2
+    assert all(isinstance(secret, StaticSecret) for secret in result.values())
+    assert result['TEST_SECRET_1'].value.get_secret_value() == 'secret_value_1'
+    assert result['TEST_SECRET_2'].value.get_secret_value() == 'secret_value_2'
+
+
+@pytest.mark.asyncio
+async def test_get_secrets_with_special_characters(
+    resolver_context, mock_saas_user_auth
+):
+    """Test that secret values with special characters are preserved during conversion."""
+    # Arrange
+    special_value = 'very_secret_password_123!@#$%^&*()'
+    secrets = create_secrets({'SPECIAL_SECRET': create_custom_secret(special_value)})
+    mock_saas_user_auth.get_secrets.return_value = secrets
+
+    # Act
+    result = await resolver_context.get_secrets()
+
+    # Assert
+    assert len(result) == 1
+    assert isinstance(result['SPECIAL_SECRET'], StaticSecret)
+    assert result['SPECIAL_SECRET'].value.get_secret_value() == special_value
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    'secrets_input,expected_result',
+    [
+        (None, {}),  # No secrets available
+        (create_secrets({}), {}),  # Empty custom secrets
+    ],
+)
+async def test_get_secrets_empty_cases(
+    resolver_context, mock_saas_user_auth, secrets_input, expected_result
+):
+    """Test that get_secrets handles empty cases correctly."""
+    # Arrange
+    mock_saas_user_auth.get_secrets.return_value = secrets_input
+
+    # Act
+    result = await resolver_context.get_secrets()
+
+    # Assert
+    assert result == expected_result
+
+
+def test_static_secret_is_valid_secret_source():
+    """Test that StaticSecret is a valid SecretSource for SDK validation."""
+    # Arrange & Act
+    static_secret = StaticSecret(value='test_secret_123')
+
+    # Assert
+    assert isinstance(static_secret, StaticSecret)
+    assert isinstance(static_secret, SecretSource)
+    assert static_secret.value.get_secret_value() == 'test_secret_123'
+
+
+def test_custom_to_static_conversion():
+    """Test the complete conversion flow from CustomSecret to StaticSecret."""
+    # Arrange
+    secret_value = 'conversion_test_secret'
+    custom_secret = create_custom_secret(secret_value, 'Conversion test')
+
+    # Act - simulate the conversion logic from the actual method
+    extracted_value = custom_secret.secret.get_secret_value()
+    static_secret = StaticSecret(value=extracted_value)
+
+    # Assert
+    assert isinstance(static_secret, StaticSecret)
+    assert isinstance(static_secret, SecretSource)
+    assert static_secret.value.get_secret_value() == secret_value
@@ -0,0 +1,610 @@
+"""Unit tests for OAuth2 Device Flow endpoints."""
+
+from datetime import UTC, datetime, timedelta
+from unittest.mock import MagicMock, patch
+
+import pytest
+from fastapi import HTTPException, Request
+from fastapi.responses import JSONResponse
+from server.routes.oauth_device import (
+    device_authorization,
+    device_token,
+    device_verification_authenticated,
+)
+from storage.device_code import DeviceCode
+
+
+@pytest.fixture
+def mock_device_code_store():
+    """Mock device code store."""
+    return MagicMock()
+
+
+@pytest.fixture
+def mock_api_key_store():
+    """Mock API key store."""
+    return MagicMock()
+
+
+@pytest.fixture
+def mock_token_manager():
+    """Mock token manager."""
+    return MagicMock()
+
+
+@pytest.fixture
+def mock_request():
+    """Mock FastAPI request."""
+    request = MagicMock(spec=Request)
+    request.base_url = 'https://test.example.com/'
+    return request
+
+
+class TestDeviceAuthorization:
+    """Test device authorization endpoint."""
+
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_device_authorization_success(self, mock_store, mock_request):
+        """Test successful device authorization."""
+        mock_device = DeviceCode(
+            device_code='test-device-code-123',
+            user_code='ABC12345',
+            expires_at=datetime.now(UTC) + timedelta(minutes=10),
+            current_interval=5,  # Default interval
+        )
+        mock_store.create_device_code.return_value = mock_device
+
+        result = await device_authorization(mock_request)
+
+        assert result.device_code == 'test-device-code-123'
+        assert result.user_code == 'ABC12345'
+        assert result.expires_in == 600
+        assert result.interval == 5  # Should match device's current_interval
+        assert 'verify' in result.verification_uri
+        assert 'ABC12345' in result.verification_uri_complete
+
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_device_authorization_with_increased_interval(
+        self, mock_store, mock_request
+    ):
+        """Test device authorization returns increased interval from rate limiting."""
+        mock_device = DeviceCode(
+            device_code='test-device-code-456',
+            user_code='XYZ98765',
+            expires_at=datetime.now(UTC) + timedelta(minutes=10),
+            current_interval=15,  # Increased interval from previous rate limiting
+        )
+        mock_store.create_device_code.return_value = mock_device
+
+        result = await device_authorization(mock_request)
+
+        assert result.device_code == 'test-device-code-456'
+        assert result.user_code == 'XYZ98765'
+        assert result.expires_in == 600
+        assert result.interval == 15  # Should match device's increased current_interval
+        assert 'verify' in result.verification_uri
+        assert 'XYZ98765' in result.verification_uri_complete
+
+
+class TestDeviceToken:
+    """Test device token endpoint."""
+
+    @pytest.mark.parametrize(
+        'device_exists,status,expected_error',
+        [
+            (False, None, 'invalid_grant'),
+            (True, 'expired', 'expired_token'),
+            (True, 'denied', 'access_denied'),
+            (True, 'pending', 'authorization_pending'),
+        ],
+    )
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_device_token_error_cases(
+        self, mock_store, device_exists, status, expected_error
+    ):
+        """Test various error cases for device token endpoint."""
+        device_code = 'test-device-code'
+
+        if device_exists:
+            mock_device = MagicMock()
+            mock_device.is_expired.return_value = status == 'expired'
+            mock_device.status = status
+            # Mock rate limiting - return False (not too fast) and default interval
+            mock_device.check_rate_limit.return_value = (False, 5)
+            mock_store.get_by_device_code.return_value = mock_device
+            mock_store.update_poll_time.return_value = True
+        else:
+            mock_store.get_by_device_code.return_value = None
+
+        result = await device_token(device_code=device_code)
+
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == 400
+        # Check error in response content
+        content = result.body.decode()
+        assert expected_error in content
+
+    @patch('server.routes.oauth_device.ApiKeyStore')
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_device_token_success(self, mock_store, mock_api_key_class):
+        """Test successful device token retrieval."""
+        device_code = 'test-device-code'
+
+        # Mock authorized device
+        mock_device = MagicMock()
+        mock_device.is_expired.return_value = False
+        mock_device.status = 'authorized'
+        mock_device.keycloak_user_id = 'user-123'
+        mock_device.user_code = (
+            'ABC12345'  # Add user_code for device-specific API key lookup
+        )
+        # Mock rate limiting - return False (not too fast) and default interval
+        mock_device.check_rate_limit.return_value = (False, 5)
+        mock_store.get_by_device_code.return_value = mock_device
+        mock_store.update_poll_time.return_value = True
+
+        # Mock API key retrieval
+        mock_api_key_store = MagicMock()
+        mock_api_key_store.retrieve_api_key_by_name.return_value = 'test-api-key'
+        mock_api_key_class.get_instance.return_value = mock_api_key_store
+
+        result = await device_token(device_code=device_code)
+
+        # Check that result is a DeviceTokenResponse
+        assert result.access_token == 'test-api-key'
+        assert result.token_type == 'Bearer'
+
+        # Verify that the correct device-specific API key name was used
+        mock_api_key_store.retrieve_api_key_by_name.assert_called_once_with(
+            'user-123', 'Device Link Access Key (ABC12345)'
+        )
+
+
+class TestDeviceVerificationAuthenticated:
+    """Test device verification authenticated endpoint."""
+
+    async def test_verification_unauthenticated_user(self):
+        """Test verification with unauthenticated user."""
+        with pytest.raises(HTTPException):
+            await device_verification_authenticated(user_code='ABC12345', user_id=None)
+
+    @patch('server.routes.oauth_device.ApiKeyStore')
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_verification_invalid_device_code(
+        self, mock_store, mock_api_key_class
+    ):
+        """Test verification with invalid device code."""
+        mock_store.get_by_user_code.return_value = None
+
+        with pytest.raises(HTTPException):
+            await device_verification_authenticated(
+                user_code='INVALID', user_id='user-123'
+            )
+
+    @patch('server.routes.oauth_device.ApiKeyStore')
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_verification_already_processed(self, mock_store, mock_api_key_class):
+        """Test verification with already processed device code."""
+        mock_device = MagicMock()
+        mock_device.is_pending.return_value = False
+        mock_store.get_by_user_code.return_value = mock_device
+
+        with pytest.raises(HTTPException):
+            await device_verification_authenticated(
+                user_code='ABC12345', user_id='user-123'
+            )
+
+    @patch('server.routes.oauth_device.ApiKeyStore')
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_verification_success(self, mock_store, mock_api_key_class):
+        """Test successful device verification."""
+        # Mock device code
+        mock_device = MagicMock()
+        mock_device.is_pending.return_value = True
+        mock_store.get_by_user_code.return_value = mock_device
+        mock_store.authorize_device_code.return_value = True
+
+        # Mock API key store
+        mock_api_key_store = MagicMock()
+        mock_api_key_class.get_instance.return_value = mock_api_key_store
+
+        result = await device_verification_authenticated(
+            user_code='ABC12345', user_id='user-123'
+        )
+
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == 200
+        # Should NOT delete existing API keys (multiple devices allowed)
+        mock_api_key_store.delete_api_key_by_name.assert_not_called()
+        # Should create a new API key with device-specific name
+        mock_api_key_store.create_api_key.assert_called_once()
+        call_args = mock_api_key_store.create_api_key.call_args
+        assert call_args[1]['name'] == 'Device Link Access Key (ABC12345)'
+        mock_store.authorize_device_code.assert_called_once_with(
+            user_code='ABC12345', user_id='user-123'
+        )
+
+    @patch('server.routes.oauth_device.ApiKeyStore')
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_multiple_device_authentication(self, mock_store, mock_api_key_class):
+        """Test that multiple devices can authenticate simultaneously."""
+        # Mock API key store
+        mock_api_key_store = MagicMock()
+        mock_api_key_class.get_instance.return_value = mock_api_key_store
+
+        # Simulate two different devices
+        device1_code = 'ABC12345'
+        device2_code = 'XYZ67890'
+        user_id = 'user-123'
+
+        # Mock device codes
+        mock_device1 = MagicMock()
+        mock_device1.is_pending.return_value = True
+        mock_device2 = MagicMock()
+        mock_device2.is_pending.return_value = True
+
+        # Configure mock store to return appropriate device for each user_code
+        def get_by_user_code_side_effect(user_code):
+            if user_code == device1_code:
+                return mock_device1
+            elif user_code == device2_code:
+                return mock_device2
+            return None
+
+        mock_store.get_by_user_code.side_effect = get_by_user_code_side_effect
+        mock_store.authorize_device_code.return_value = True
+
+        # Authenticate first device
+        result1 = await device_verification_authenticated(
+            user_code=device1_code, user_id=user_id
+        )
+
+        # Authenticate second device
+        result2 = await device_verification_authenticated(
+            user_code=device2_code, user_id=user_id
+        )
+
+        # Both should succeed
+        assert isinstance(result1, JSONResponse)
+        assert result1.status_code == 200
+        assert isinstance(result2, JSONResponse)
+        assert result2.status_code == 200
+
+        # Should create two separate API keys with different names
+        assert mock_api_key_store.create_api_key.call_count == 2
+
+        # Check that each device got a unique API key name
+        call_args_list = mock_api_key_store.create_api_key.call_args_list
+        device1_name = call_args_list[0][1]['name']
+        device2_name = call_args_list[1][1]['name']
+
+        assert device1_name == f'Device Link Access Key ({device1_code})'
+        assert device2_name == f'Device Link Access Key ({device2_code})'
+        assert device1_name != device2_name  # Ensure they're different
+
+        # Should NOT delete any existing API keys
+        mock_api_key_store.delete_api_key_by_name.assert_not_called()
+
+
+class TestDeviceTokenRateLimiting:
+    """Test rate limiting for device token polling (RFC 8628 section 3.5)."""
+
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_first_poll_allowed(self, mock_store):
+        """Test that the first poll is always allowed."""
+        # Create a device code with no previous poll time
+        mock_device = DeviceCode(
+            device_code='test_device_code',
+            user_code='ABC123',
+            status='pending',
+            expires_at=datetime.now(UTC) + timedelta(minutes=10),
+            last_poll_time=None,  # First poll
+            current_interval=5,
+        )
+        mock_store.get_by_device_code.return_value = mock_device
+        mock_store.update_poll_time.return_value = True
+
+        device_code = 'test_device_code'
+        result = await device_token(device_code=device_code)
+
+        # Should return authorization_pending, not slow_down
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == 400
+        content = result.body.decode()
+        assert 'authorization_pending' in content
+        assert 'slow_down' not in content
+
+        # Should update poll time without increasing interval
+        mock_store.update_poll_time.assert_called_with(
+            'test_device_code', increase_interval=False
+        )
+
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_normal_polling_allowed(self, mock_store):
+        """Test that normal polling (respecting interval) is allowed."""
+        # Create a device code with last poll time 6 seconds ago (interval is 5)
+        last_poll = datetime.now(UTC) - timedelta(seconds=6)
+        mock_device = DeviceCode(
+            device_code='test_device_code',
+            user_code='ABC123',
+            status='pending',
+            expires_at=datetime.now(UTC) + timedelta(minutes=10),
+            last_poll_time=last_poll,
+            current_interval=5,
+        )
+        mock_store.get_by_device_code.return_value = mock_device
+        mock_store.update_poll_time.return_value = True
+
+        device_code = 'test_device_code'
+        result = await device_token(device_code=device_code)
+
+        # Should return authorization_pending, not slow_down
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == 400
+        content = result.body.decode()
+        assert 'authorization_pending' in content
+        assert 'slow_down' not in content
+
+        # Should update poll time without increasing interval
+        mock_store.update_poll_time.assert_called_with(
+            'test_device_code', increase_interval=False
+        )
+
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_fast_polling_returns_slow_down(self, mock_store):
+        """Test that polling too fast returns slow_down error."""
+        # Create a device code with last poll time 2 seconds ago (interval is 5)
+        last_poll = datetime.now(UTC) - timedelta(seconds=2)
+        mock_device = DeviceCode(
+            device_code='test_device_code',
+            user_code='ABC123',
+            status='pending',
+            expires_at=datetime.now(UTC) + timedelta(minutes=10),
+            last_poll_time=last_poll,
+            current_interval=5,
+        )
+        mock_store.get_by_device_code.return_value = mock_device
+        mock_store.update_poll_time.return_value = True
+
+        device_code = 'test_device_code'
+        result = await device_token(device_code=device_code)
+
+        # Should return slow_down error
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == 400
+        content = result.body.decode()
+        assert 'slow_down' in content
+        assert 'interval' in content
+        assert '10' in content  # New interval should be 5 + 5 = 10
+
+        # Should update poll time and increase interval
+        mock_store.update_poll_time.assert_called_with(
+            'test_device_code', increase_interval=True
+        )
+
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_interval_increases_with_repeated_fast_polling(self, mock_store):
+        """Test that interval increases with repeated fast polling."""
+        # Create a device code with higher current interval from previous slow_down
+        last_poll = datetime.now(UTC) - timedelta(seconds=5)  # 5 seconds ago
+        mock_device = DeviceCode(
+            device_code='test_device_code',
+            user_code='ABC123',
+            status='pending',
+            expires_at=datetime.now(UTC) + timedelta(minutes=10),
+            last_poll_time=last_poll,
+            current_interval=15,  # Already increased from previous slow_down
+        )
+        mock_store.get_by_device_code.return_value = mock_device
+        mock_store.update_poll_time.return_value = True
+
+        device_code = 'test_device_code'
+        result = await device_token(device_code=device_code)
+
+        # Should return slow_down error with increased interval
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == 400
+        content = result.body.decode()
+        assert 'slow_down' in content
+        assert '20' in content  # New interval should be 15 + 5 = 20
+
+        # Should update poll time and increase interval
+        mock_store.update_poll_time.assert_called_with(
+            'test_device_code', increase_interval=True
+        )
+
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_interval_caps_at_maximum(self, mock_store):
+        """Test that interval is capped at maximum value."""
+        # Create a device code with interval near maximum
+        last_poll = datetime.now(UTC) - timedelta(seconds=30)
+        mock_device = DeviceCode(
+            device_code='test_device_code',
+            user_code='ABC123',
+            status='pending',
+            expires_at=datetime.now(UTC) + timedelta(minutes=10),
+            last_poll_time=last_poll,
+            current_interval=58,  # Near maximum of 60
+        )
+        mock_store.get_by_device_code.return_value = mock_device
+        mock_store.update_poll_time.return_value = True
+
+        device_code = 'test_device_code'
+        result = await device_token(device_code=device_code)
+
+        # Should return slow_down error with capped interval
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == 400
+        content = result.body.decode()
+        assert 'slow_down' in content
+        assert '60' in content  # Should be capped at 60, not 63
+
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_rate_limiting_with_authorized_device(self, mock_store):
+        """Test that rate limiting still applies to authorized devices."""
+        # Create an authorized device code with recent poll
+        last_poll = datetime.now(UTC) - timedelta(seconds=2)
+        mock_device = DeviceCode(
+            device_code='test_device_code',
+            user_code='ABC123',
+            status='authorized',  # Device is authorized
+            keycloak_user_id='user123',
+            expires_at=datetime.now(UTC) + timedelta(minutes=10),
+            last_poll_time=last_poll,
+            current_interval=5,
+        )
+        mock_store.get_by_device_code.return_value = mock_device
+        mock_store.update_poll_time.return_value = True
+
+        device_code = 'test_device_code'
+        result = await device_token(device_code=device_code)
+
+        # Should still return slow_down error even for authorized device
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == 400
+        content = result.body.decode()
+        assert 'slow_down' in content
+
+        # Should update poll time and increase interval
+        mock_store.update_poll_time.assert_called_with(
+            'test_device_code', increase_interval=True
+        )
+
+
+class TestDeviceVerificationTransactionIntegrity:
+    """Test transaction integrity for device verification to prevent orphaned API keys."""
+
+    @patch('server.routes.oauth_device.ApiKeyStore')
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_authorization_failure_prevents_api_key_creation(
+        self, mock_store, mock_api_key_class
+    ):
+        """Test that if device authorization fails, no API key is created."""
+        # Mock device code
+        mock_device = MagicMock()
+        mock_device.is_pending.return_value = True
+        mock_store.get_by_user_code.return_value = mock_device
+        mock_store.authorize_device_code.return_value = False  # Authorization fails
+
+        # Mock API key store
+        mock_api_key_store = MagicMock()
+        mock_api_key_class.get_instance.return_value = mock_api_key_store
+
+        # Should raise HTTPException due to authorization failure
+        with pytest.raises(HTTPException) as exc_info:
+            await device_verification_authenticated(
+                user_code='ABC12345', user_id='user-123'
+            )
+
+        assert exc_info.value.status_code == 500
+        assert 'Failed to authorize the device' in exc_info.value.detail
+
+        # API key should NOT be created since authorization failed
+        mock_api_key_store.create_api_key.assert_not_called()
+        mock_store.authorize_device_code.assert_called_once_with(
+            user_code='ABC12345', user_id='user-123'
+        )
+
+    @patch('server.routes.oauth_device.ApiKeyStore')
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_api_key_creation_failure_reverts_authorization(
+        self, mock_store, mock_api_key_class
+    ):
+        """Test that if API key creation fails after authorization, the authorization is reverted."""
+        # Mock device code
+        mock_device = MagicMock()
+        mock_device.is_pending.return_value = True
+        mock_store.get_by_user_code.return_value = mock_device
+        mock_store.authorize_device_code.return_value = True  # Authorization succeeds
+        mock_store.deny_device_code.return_value = True  # Cleanup succeeds
+
+        # Mock API key store to fail on creation
+        mock_api_key_store = MagicMock()
+        mock_api_key_store.create_api_key.side_effect = Exception('Database error')
+        mock_api_key_class.get_instance.return_value = mock_api_key_store
+
+        # Should raise HTTPException due to API key creation failure
+        with pytest.raises(HTTPException) as exc_info:
+            await device_verification_authenticated(
+                user_code='ABC12345', user_id='user-123'
+            )
+
+        assert exc_info.value.status_code == 500
+        assert 'Failed to create API key for device access' in exc_info.value.detail
+
+        # Authorization should have been attempted first
+        mock_store.authorize_device_code.assert_called_once_with(
+            user_code='ABC12345', user_id='user-123'
+        )
+
+        # API key creation should have been attempted after authorization
+        mock_api_key_store.create_api_key.assert_called_once()
+
+        # Authorization should be reverted due to API key creation failure
+        mock_store.deny_device_code.assert_called_once_with('ABC12345')
+
+    @patch('server.routes.oauth_device.ApiKeyStore')
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_api_key_creation_failure_cleanup_failure_logged(
+        self, mock_store, mock_api_key_class
+    ):
+        """Test that cleanup failure is logged but doesn't prevent the main error from being raised."""
+        # Mock device code
+        mock_device = MagicMock()
+        mock_device.is_pending.return_value = True
+        mock_store.get_by_user_code.return_value = mock_device
+        mock_store.authorize_device_code.return_value = True  # Authorization succeeds
+        mock_store.deny_device_code.side_effect = Exception(
+            'Cleanup failed'
+        )  # Cleanup fails
+
+        # Mock API key store to fail on creation
+        mock_api_key_store = MagicMock()
+        mock_api_key_store.create_api_key.side_effect = Exception('Database error')
+        mock_api_key_class.get_instance.return_value = mock_api_key_store
+
+        # Should still raise HTTPException for the original API key creation failure
+        with pytest.raises(HTTPException) as exc_info:
+            await device_verification_authenticated(
+                user_code='ABC12345', user_id='user-123'
+            )
+
+        assert exc_info.value.status_code == 500
+        assert 'Failed to create API key for device access' in exc_info.value.detail
+
+        # Both operations should have been attempted
+        mock_store.authorize_device_code.assert_called_once()
+        mock_api_key_store.create_api_key.assert_called_once()
+        mock_store.deny_device_code.assert_called_once_with('ABC12345')
+
+    @patch('server.routes.oauth_device.ApiKeyStore')
+    @patch('server.routes.oauth_device.device_code_store')
+    async def test_successful_flow_creates_api_key_after_authorization(
+        self, mock_store, mock_api_key_class
+    ):
+        """Test that in the successful flow, API key is created only after authorization."""
+        # Mock device code
+        mock_device = MagicMock()
+        mock_device.is_pending.return_value = True
+        mock_store.get_by_user_code.return_value = mock_device
+        mock_store.authorize_device_code.return_value = True  # Authorization succeeds
+
+        # Mock API key store
+        mock_api_key_store = MagicMock()
+        mock_api_key_class.get_instance.return_value = mock_api_key_store
+
+        result = await device_verification_authenticated(
+            user_code='ABC12345', user_id='user-123'
+        )
+
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == 200
+
+        # Verify the order: authorization first, then API key creation
+        mock_store.authorize_device_code.assert_called_once_with(
+            user_code='ABC12345', user_id='user-123'
+        )
+        mock_api_key_store.create_api_key.assert_called_once()
+
+        # No cleanup should be needed in successful case
+        mock_store.deny_device_code.assert_not_called()
@@ -0,0 +1,83 @@
+"""Unit tests for DeviceCode model."""
+
+from datetime import datetime, timedelta, timezone
+
+import pytest
+from storage.device_code import DeviceCode, DeviceCodeStatus
+
+
+class TestDeviceCode:
+    """Test cases for DeviceCode model."""
+
+    @pytest.fixture
+    def device_code(self):
+        """Create a test device code."""
+        return DeviceCode(
+            device_code='test-device-code-123',
+            user_code='ABC12345',
+            expires_at=datetime.now(timezone.utc) + timedelta(minutes=10),
+        )
+
+    @pytest.mark.parametrize(
+        'expires_delta,expected',
+        [
+            (timedelta(minutes=5), False),  # Future expiry
+            (timedelta(minutes=-5), True),  # Past expiry
+            (timedelta(seconds=1), False),  # Just future (not expired)
+        ],
+    )
+    def test_is_expired(self, expires_delta, expected):
+        """Test expiration check with various time deltas."""
+        device_code = DeviceCode(
+            device_code='test-device-code',
+            user_code='ABC12345',
+            expires_at=datetime.now(timezone.utc) + expires_delta,
+        )
+        assert device_code.is_expired() == expected
+
+    @pytest.mark.parametrize(
+        'status,expired,expected',
+        [
+            (DeviceCodeStatus.PENDING.value, False, True),
+            (DeviceCodeStatus.PENDING.value, True, False),
+            (DeviceCodeStatus.AUTHORIZED.value, False, False),
+            (DeviceCodeStatus.DENIED.value, False, False),
+        ],
+    )
+    def test_is_pending(self, status, expired, expected):
+        """Test pending status check."""
+        expires_at = (
+            datetime.now(timezone.utc) - timedelta(minutes=1)
+            if expired
+            else datetime.now(timezone.utc) + timedelta(minutes=10)
+        )
+        device_code = DeviceCode(
+            device_code='test-device-code',
+            user_code='ABC12345',
+            status=status,
+            expires_at=expires_at,
+        )
+        assert device_code.is_pending() == expected
+
+    def test_authorize(self, device_code):
+        """Test device authorization."""
+        user_id = 'test-user-123'
+
+        device_code.authorize(user_id)
+
+        assert device_code.status == DeviceCodeStatus.AUTHORIZED.value
+        assert device_code.keycloak_user_id == user_id
+        assert device_code.authorized_at is not None
+        assert isinstance(device_code.authorized_at, datetime)
+
+    @pytest.mark.parametrize(
+        'method,expected_status',
+        [
+            ('deny', DeviceCodeStatus.DENIED.value),
+            ('expire', DeviceCodeStatus.EXPIRED.value),
+        ],
+    )
+    def test_status_changes(self, device_code, method, expected_status):
+        """Test status change methods."""
+        getattr(device_code, method)()
+        assert device_code.status == expected_status
@@ -0,0 +1,193 @@
+"""Unit tests for DeviceCodeStore."""
+
+from unittest.mock import MagicMock
+
+import pytest
+from sqlalchemy.exc import IntegrityError
+from storage.device_code import DeviceCode
+from storage.device_code_store import DeviceCodeStore
+
+
+@pytest.fixture
+def mock_session():
+    """Mock database session."""
+    session = MagicMock()
+    return session
+
+
+@pytest.fixture
+def mock_session_maker(mock_session):
+    """Mock session maker."""
+    session_maker = MagicMock()
+    session_maker.return_value.__enter__.return_value = mock_session
+    session_maker.return_value.__exit__.return_value = None
+    return session_maker
+
+
+@pytest.fixture
+def device_code_store(mock_session_maker):
+    """Create DeviceCodeStore instance."""
+    return DeviceCodeStore(mock_session_maker)
+
+
+class TestDeviceCodeStore:
+    """Test cases for DeviceCodeStore."""
+
+    def test_generate_user_code(self, device_code_store):
+        """Test user code generation."""
+        code = device_code_store.generate_user_code()
+
+        assert len(code) == 8
+        assert code.isupper()
+        # Should not contain confusing characters
+        assert not any(char in code for char in 'IO01')
+
+    def test_generate_device_code(self, device_code_store):
+        """Test device code generation."""
+        code = device_code_store.generate_device_code()
+
+        assert len(code) == 128
+        assert code.isalnum()
+
+    def test_create_device_code_success(self, device_code_store, mock_session):
+        """Test successful device code creation."""
+        # Mock successful creation (no IntegrityError)
+        mock_device_code = MagicMock(spec=DeviceCode)
+        mock_device_code.device_code = 'test-device-code-123'
+        mock_device_code.user_code = 'TESTCODE'
+
+        # Mock the session to return our mock device code after refresh
+        def mock_refresh(obj):
+            obj.device_code = mock_device_code.device_code
+            obj.user_code = mock_device_code.user_code
+
+        mock_session.refresh.side_effect = mock_refresh
+
+        result = device_code_store.create_device_code(expires_in=600)
+
+        assert isinstance(result, DeviceCode)
+        mock_session.add.assert_called_once()
+        mock_session.commit.assert_called_once()
+        mock_session.refresh.assert_called_once()
+        mock_session.expunge.assert_called_once()
+
+    def test_create_device_code_with_retries(
+        self, device_code_store, mock_session_maker
+    ):
+        """Test device code creation with constraint violation retries."""
+        mock_session = MagicMock()
+        mock_session_maker.return_value.__enter__.return_value = mock_session
+        mock_session_maker.return_value.__exit__.return_value = None
+
+        # First attempt fails with IntegrityError, second succeeds
+        mock_session.commit.side_effect = [IntegrityError('', '', ''), None]
+
+        mock_device_code = MagicMock(spec=DeviceCode)
+        mock_device_code.device_code = 'test-device-code-456'
+        mock_device_code.user_code = 'TESTCD2'
+
+        def mock_refresh(obj):
+            obj.device_code = mock_device_code.device_code
+            obj.user_code = mock_device_code.user_code
+
+        mock_session.refresh.side_effect = mock_refresh
+
+        store = DeviceCodeStore(mock_session_maker)
+        result = store.create_device_code(expires_in=600)
+
+        assert isinstance(result, DeviceCode)
+        assert mock_session.add.call_count == 2  # Two attempts
+        assert mock_session.commit.call_count == 2  # Two attempts
+
+    def test_create_device_code_max_attempts_exceeded(
+        self, device_code_store, mock_session_maker
+    ):
+        """Test device code creation failure after max attempts."""
+        mock_session = MagicMock()
+        mock_session_maker.return_value.__enter__.return_value = mock_session
+        mock_session_maker.return_value.__exit__.return_value = None
+
+        # All attempts fail with IntegrityError
+        mock_session.commit.side_effect = IntegrityError('', '', '')
+
+        store = DeviceCodeStore(mock_session_maker)
+
+        with pytest.raises(
+            RuntimeError,
+            match='Failed to generate unique device codes after 3 attempts',
+        ):
+            store.create_device_code(expires_in=600, max_attempts=3)
+
+    @pytest.mark.parametrize(
+        'lookup_method,lookup_field',
+        [
+            ('get_by_device_code', 'device_code'),
+            ('get_by_user_code', 'user_code'),
+        ],
+    )
+    def test_lookup_methods(
+        self, device_code_store, mock_session, lookup_method, lookup_field
+    ):
+        """Test device code lookup methods."""
+        test_code = 'test-code-123'
+        mock_device_code = MagicMock()
+        mock_session.query.return_value.filter_by.return_value.first.return_value = (
+            mock_device_code
+        )
+
+        result = getattr(device_code_store, lookup_method)(test_code)
+
+        assert result == mock_device_code
+        mock_session.query.assert_called_once_with(DeviceCode)
+        mock_session.query.return_value.filter_by.assert_called_once_with(
+            **{lookup_field: test_code}
+        )
+
+    @pytest.mark.parametrize(
+        'device_exists,is_pending,expected_result',
+        [
+            (True, True, True),  # Success case
+            (False, True, False),  # Device not found
+            (True, False, False),  # Device not pending
+        ],
+    )
+    def test_authorize_device_code(
+        self,
+        device_code_store,
+        mock_session,
+        device_exists,
+        is_pending,
+        expected_result,
+    ):
+        """Test device code authorization."""
+        user_code = 'ABC12345'
+        user_id = 'test-user-123'
+
+        if device_exists:
+            mock_device = MagicMock()
+            mock_device.is_pending.return_value = is_pending
+            mock_session.query.return_value.filter_by.return_value.first.return_value = mock_device
+        else:
+            mock_session.query.return_value.filter_by.return_value.first.return_value = None
+
+        result = device_code_store.authorize_device_code(user_code, user_id)
+
+        assert result == expected_result
+        if expected_result:
+            mock_device.authorize.assert_called_once_with(user_id)
+            mock_session.commit.assert_called_once()
+
+    def test_deny_device_code(self, device_code_store, mock_session):
+        """Test device code denial."""
+        user_code = 'ABC12345'
+        mock_device = MagicMock()
+        mock_device.is_pending.return_value = True
+        mock_session.query.return_value.filter_by.return_value.first.return_value = (
+            mock_device
+        )
+
+        result = device_code_store.deny_device_code(user_code)
+
+        assert result is True
+        mock_device.deny.assert_called_once()
+        mock_session.commit.assert_called_once()
@@ -25,10 +25,12 @@ def api_key_store(mock_session_maker):


 def test_generate_api_key(api_key_store):
-    """Test that generate_api_key returns a string of the expected length."""
+    """Test that generate_api_key returns a string with sk-oh- prefix and expected length."""
    key = api_key_store.generate_api_key(length=32)
    assert isinstance(key, str)
-    assert len(key) == 32
+    assert key.startswith('sk-oh-')
+    # Total length should be prefix (6 chars) + random part (32 chars) = 38 chars
+    assert len(key) == len('sk-oh-') + 32


 def test_create_api_key(api_key_store, mock_session):
@@ -90,6 +92,50 @@ def test_validate_api_key_expired(api_key_store, mock_session):
    mock_session.commit.assert_not_called()


+def test_validate_api_key_expired_timezone_naive(api_key_store, mock_session):
+    """Test validating an expired API key with timezone-naive datetime from database."""
+    # Setup
+    api_key = 'test-api-key'
+    mock_key_record = MagicMock()
+    # Simulate timezone-naive datetime as returned from database
+    mock_key_record.expires_at = datetime.now() - timedelta(days=1)  # No UTC timezone
+    mock_key_record.id = 1
+    mock_session.query.return_value.filter.return_value.first.return_value = (
+        mock_key_record
+    )
+
+    # Execute
+    result = api_key_store.validate_api_key(api_key)
+
+    # Verify
+    assert result is None
+    mock_session.execute.assert_not_called()
+    mock_session.commit.assert_not_called()
+
+
+def test_validate_api_key_valid_timezone_naive(api_key_store, mock_session):
+    """Test validating a valid API key with timezone-naive datetime from database."""
+    # Setup
+    api_key = 'test-api-key'
+    user_id = 'test-user-123'
+    mock_key_record = MagicMock()
+    mock_key_record.user_id = user_id
+    # Simulate timezone-naive datetime as returned from database (future date)
+    mock_key_record.expires_at = datetime.now() + timedelta(days=1)  # No UTC timezone
+    mock_key_record.id = 1
+    mock_session.query.return_value.filter.return_value.first.return_value = (
+        mock_key_record
+    )
+
+    # Execute
+    result = api_key_store.validate_api_key(api_key)
+
+    # Verify
+    assert result == user_id
+    mock_session.execute.assert_called_once()
+    mock_session.commit.assert_called_once()
+
+
 def test_validate_api_key_not_found(api_key_store, mock_session):
    """Test validating a non-existent API key."""
    # Setup
@@ -442,3 +442,196 @@ async def test_logout_without_refresh_token():

            mock_token_manager.logout.assert_not_called()
            assert 'set-cookie' in result.headers
+
+
+@pytest.mark.asyncio
+async def test_keycloak_callback_blocked_email_domain(mock_request):
+    """Test keycloak_callback when email domain is blocked."""
+    # Arrange
+    with (
+        patch('server.routes.auth.token_manager') as mock_token_manager,
+        patch('server.routes.auth.domain_blocker') as mock_domain_blocker,
+    ):
+        mock_token_manager.get_keycloak_tokens = AsyncMock(
+            return_value=('test_access_token', 'test_refresh_token')
+        )
+        mock_token_manager.get_user_info = AsyncMock(
+            return_value={
+                'sub': 'test_user_id',
+                'preferred_username': 'test_user',
+                'email': 'user@colsch.us',
+                'identity_provider': 'github',
+            }
+        )
+        mock_token_manager.disable_keycloak_user = AsyncMock()
+
+        mock_domain_blocker.is_active.return_value = True
+        mock_domain_blocker.is_domain_blocked.return_value = True
+
+        # Act
+        result = await keycloak_callback(
+            code='test_code', state='test_state', request=mock_request
+        )
+
+        # Assert
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == status.HTTP_401_UNAUTHORIZED
+        assert 'error' in result.body.decode()
+        assert 'email domain is not allowed' in result.body.decode()
+        mock_domain_blocker.is_domain_blocked.assert_called_once_with('user@colsch.us')
+        mock_token_manager.disable_keycloak_user.assert_called_once_with(
+            'test_user_id', 'user@colsch.us'
+        )
+
+
+@pytest.mark.asyncio
+async def test_keycloak_callback_allowed_email_domain(mock_request):
+    """Test keycloak_callback when email domain is not blocked."""
+    # Arrange
+    with (
+        patch('server.routes.auth.token_manager') as mock_token_manager,
+        patch('server.routes.auth.domain_blocker') as mock_domain_blocker,
+        patch('server.routes.auth.user_verifier') as mock_verifier,
+        patch('server.routes.auth.session_maker') as mock_session_maker,
+    ):
+        mock_session = MagicMock()
+        mock_session_maker.return_value.__enter__.return_value = mock_session
+        mock_query = MagicMock()
+        mock_session.query.return_value = mock_query
+        mock_query.filter.return_value = mock_query
+
+        mock_user_settings = MagicMock()
+        mock_user_settings.accepted_tos = '2025-01-01'
+        mock_query.first.return_value = mock_user_settings
+
+        mock_token_manager.get_keycloak_tokens = AsyncMock(
+            return_value=('test_access_token', 'test_refresh_token')
+        )
+        mock_token_manager.get_user_info = AsyncMock(
+            return_value={
+                'sub': 'test_user_id',
+                'preferred_username': 'test_user',
+                'email': 'user@example.com',
+                'identity_provider': 'github',
+            }
+        )
+        mock_token_manager.store_idp_tokens = AsyncMock()
+        mock_token_manager.validate_offline_token = AsyncMock(return_value=True)
+
+        mock_domain_blocker.is_active.return_value = True
+        mock_domain_blocker.is_domain_blocked.return_value = False
+
+        mock_verifier.is_active.return_value = True
+        mock_verifier.is_user_allowed.return_value = True
+
+        # Act
+        result = await keycloak_callback(
+            code='test_code', state='test_state', request=mock_request
+        )
+
+        # Assert
+        assert isinstance(result, RedirectResponse)
+        mock_domain_blocker.is_domain_blocked.assert_called_once_with(
+            'user@example.com'
+        )
+        mock_token_manager.disable_keycloak_user.assert_not_called()
+
+
+@pytest.mark.asyncio
+async def test_keycloak_callback_domain_blocking_inactive(mock_request):
+    """Test keycloak_callback when domain blocking is not active."""
+    # Arrange
+    with (
+        patch('server.routes.auth.token_manager') as mock_token_manager,
+        patch('server.routes.auth.domain_blocker') as mock_domain_blocker,
+        patch('server.routes.auth.user_verifier') as mock_verifier,
+        patch('server.routes.auth.session_maker') as mock_session_maker,
+    ):
+        mock_session = MagicMock()
+        mock_session_maker.return_value.__enter__.return_value = mock_session
+        mock_query = MagicMock()
+        mock_session.query.return_value = mock_query
+        mock_query.filter.return_value = mock_query
+
+        mock_user_settings = MagicMock()
+        mock_user_settings.accepted_tos = '2025-01-01'
+        mock_query.first.return_value = mock_user_settings
+
+        mock_token_manager.get_keycloak_tokens = AsyncMock(
+            return_value=('test_access_token', 'test_refresh_token')
+        )
+        mock_token_manager.get_user_info = AsyncMock(
+            return_value={
+                'sub': 'test_user_id',
+                'preferred_username': 'test_user',
+                'email': 'user@colsch.us',
+                'identity_provider': 'github',
+            }
+        )
+        mock_token_manager.store_idp_tokens = AsyncMock()
+        mock_token_manager.validate_offline_token = AsyncMock(return_value=True)
+
+        mock_domain_blocker.is_active.return_value = False
+
+        mock_verifier.is_active.return_value = True
+        mock_verifier.is_user_allowed.return_value = True
+
+        # Act
+        result = await keycloak_callback(
+            code='test_code', state='test_state', request=mock_request
+        )
+
+        # Assert
+        assert isinstance(result, RedirectResponse)
+        mock_domain_blocker.is_domain_blocked.assert_not_called()
+        mock_token_manager.disable_keycloak_user.assert_not_called()
+
+
+@pytest.mark.asyncio
+async def test_keycloak_callback_missing_email(mock_request):
+    """Test keycloak_callback when user info does not contain email."""
+    # Arrange
+    with (
+        patch('server.routes.auth.token_manager') as mock_token_manager,
+        patch('server.routes.auth.domain_blocker') as mock_domain_blocker,
+        patch('server.routes.auth.user_verifier') as mock_verifier,
+        patch('server.routes.auth.session_maker') as mock_session_maker,
+    ):
+        mock_session = MagicMock()
+        mock_session_maker.return_value.__enter__.return_value = mock_session
+        mock_query = MagicMock()
+        mock_session.query.return_value = mock_query
+        mock_query.filter.return_value = mock_query
+
+        mock_user_settings = MagicMock()
+        mock_user_settings.accepted_tos = '2025-01-01'
+        mock_query.first.return_value = mock_user_settings
+
+        mock_token_manager.get_keycloak_tokens = AsyncMock(
+            return_value=('test_access_token', 'test_refresh_token')
+        )
+        mock_token_manager.get_user_info = AsyncMock(
+            return_value={
+                'sub': 'test_user_id',
+                'preferred_username': 'test_user',
+                'identity_provider': 'github',
+                # No email field
+            }
+        )
+        mock_token_manager.store_idp_tokens = AsyncMock()
+        mock_token_manager.validate_offline_token = AsyncMock(return_value=True)
+
+        mock_domain_blocker.is_active.return_value = True
+
+        mock_verifier.is_active.return_value = True
+        mock_verifier.is_user_allowed.return_value = True
+
+        # Act
+        result = await keycloak_callback(
+            code='test_code', state='test_state', request=mock_request
+        )
+
+        # Assert
+        assert isinstance(result, RedirectResponse)
+        mock_domain_blocker.is_domain_blocked.assert_not_called()
+        mock_token_manager.disable_keycloak_user.assert_not_called()
@@ -0,0 +1,181 @@
+"""Unit tests for DomainBlocker class."""
+
+import pytest
+from server.auth.domain_blocker import DomainBlocker
+
+
+@pytest.fixture
+def domain_blocker():
+    """Create a DomainBlocker instance for testing."""
+    return DomainBlocker()
+
+
+@pytest.mark.parametrize(
+    'blocked_domains,expected',
+    [
+        (['colsch.us', 'other-domain.com'], True),
+        (['example.com'], True),
+        ([], False),
+    ],
+)
+def test_is_active(domain_blocker, blocked_domains, expected):
+    """Test that is_active returns correct value based on blocked domains configuration."""
+    # Arrange
+    domain_blocker.blocked_domains = blocked_domains
+
+    # Act
+    result = domain_blocker.is_active()
+
+    # Assert
+    assert result == expected
+
+
+@pytest.mark.parametrize(
+    'email,expected_domain',
+    [
+        ('user@example.com', 'example.com'),
+        ('test@colsch.us', 'colsch.us'),
+        ('user.name@other-domain.com', 'other-domain.com'),
+        ('USER@EXAMPLE.COM', 'example.com'),  # Case insensitive
+        ('user@EXAMPLE.COM', 'example.com'),
+        ('  user@example.com  ', 'example.com'),  # Whitespace handling
+    ],
+)
+def test_extract_domain_valid_emails(domain_blocker, email, expected_domain):
+    """Test that _extract_domain correctly extracts and normalizes domains from valid emails."""
+    # Act
+    result = domain_blocker._extract_domain(email)
+
+    # Assert
+    assert result == expected_domain
+
+
+@pytest.mark.parametrize(
+    'email,expected',
+    [
+        (None, None),
+        ('', None),
+        ('invalid-email', None),
+        ('user@', None),  # Empty domain after @
+        ('no-at-sign', None),
+    ],
+)
+def test_extract_domain_invalid_emails(domain_blocker, email, expected):
+    """Test that _extract_domain returns None for invalid email formats."""
+    # Act
+    result = domain_blocker._extract_domain(email)
+
+    # Assert
+    assert result == expected
+
+
+def test_is_domain_blocked_when_inactive(domain_blocker):
+    """Test that is_domain_blocked returns False when blocking is not active."""
+    # Arrange
+    domain_blocker.blocked_domains = []
+
+    # Act
+    result = domain_blocker.is_domain_blocked('user@colsch.us')
+
+    # Assert
+    assert result is False
+
+
+def test_is_domain_blocked_with_none_email(domain_blocker):
+    """Test that is_domain_blocked returns False when email is None."""
+    # Arrange
+    domain_blocker.blocked_domains = ['colsch.us']
+
+    # Act
+    result = domain_blocker.is_domain_blocked(None)
+
+    # Assert
+    assert result is False
+
+
+def test_is_domain_blocked_with_empty_email(domain_blocker):
+    """Test that is_domain_blocked returns False when email is empty."""
+    # Arrange
+    domain_blocker.blocked_domains = ['colsch.us']
+
+    # Act
+    result = domain_blocker.is_domain_blocked('')
+
+    # Assert
+    assert result is False
+
+
+def test_is_domain_blocked_with_invalid_email(domain_blocker):
+    """Test that is_domain_blocked returns False when email format is invalid."""
+    # Arrange
+    domain_blocker.blocked_domains = ['colsch.us']
+
+    # Act
+    result = domain_blocker.is_domain_blocked('invalid-email')
+
+    # Assert
+    assert result is False
+
+
+def test_is_domain_blocked_domain_not_blocked(domain_blocker):
+    """Test that is_domain_blocked returns False when domain is not in blocked list."""
+    # Arrange
+    domain_blocker.blocked_domains = ['colsch.us', 'other-domain.com']
+
+    # Act
+    result = domain_blocker.is_domain_blocked('user@example.com')
+
+    # Assert
+    assert result is False
+
+
+def test_is_domain_blocked_domain_blocked(domain_blocker):
+    """Test that is_domain_blocked returns True when domain is in blocked list."""
+    # Arrange
+    domain_blocker.blocked_domains = ['colsch.us', 'other-domain.com']
+
+    # Act
+    result = domain_blocker.is_domain_blocked('user@colsch.us')
+
+    # Assert
+    assert result is True
+
+
+def test_is_domain_blocked_case_insensitive(domain_blocker):
+    """Test that is_domain_blocked performs case-insensitive domain matching."""
+    # Arrange
+    domain_blocker.blocked_domains = ['colsch.us']
+
+    # Act
+    result = domain_blocker.is_domain_blocked('user@COLSCH.US')
+
+    # Assert
+    assert result is True
+
+
+def test_is_domain_blocked_multiple_blocked_domains(domain_blocker):
+    """Test that is_domain_blocked correctly checks against multiple blocked domains."""
+    # Arrange
+    domain_blocker.blocked_domains = ['colsch.us', 'other-domain.com', 'blocked.org']
+
+    # Act
+    result1 = domain_blocker.is_domain_blocked('user@other-domain.com')
+    result2 = domain_blocker.is_domain_blocked('user@blocked.org')
+    result3 = domain_blocker.is_domain_blocked('user@allowed.com')
+
+    # Assert
+    assert result1 is True
+    assert result2 is True
+    assert result3 is False
+
+
+def test_is_domain_blocked_with_whitespace(domain_blocker):
+    """Test that is_domain_blocked handles emails with whitespace correctly."""
+    # Arrange
+    domain_blocker.blocked_domains = ['colsch.us']
+
+    # Act
+    result = domain_blocker.is_domain_blocked('  user@colsch.us  ')
+
+    # Assert
+    assert result is True
@@ -0,0 +1,132 @@
+"""Unit tests for get_user_v1_enabled_setting function."""
+
+import os
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import pytest
+from integrations.github.github_view import get_user_v1_enabled_setting
+
+
+@pytest.fixture
+def mock_user_settings():
+    """Create a mock user settings object."""
+    settings = MagicMock()
+    settings.v1_enabled = True  # Default to True, can be overridden in tests
+    return settings
+
+
+@pytest.fixture
+def mock_settings_store(mock_user_settings):
+    """Create a mock settings store."""
+    store = MagicMock()
+    store.get_user_settings_by_keycloak_id = AsyncMock(return_value=mock_user_settings)
+    return store
+
+
+@pytest.fixture
+def mock_config():
+    """Create a mock config object."""
+    return MagicMock()
+
+
+@pytest.fixture
+def mock_session_maker():
+    """Create a mock session maker."""
+    return MagicMock()
+
+
+@pytest.fixture
+def mock_dependencies(
+    mock_settings_store, mock_config, mock_session_maker, mock_user_settings
+):
+    """Fixture that patches all the common dependencies."""
+    with patch(
+        'integrations.github.github_view.SaasSettingsStore',
+        return_value=mock_settings_store,
+    ) as mock_store_class, patch(
+        'integrations.github.github_view.get_config', return_value=mock_config
+    ) as mock_get_config, patch(
+        'integrations.github.github_view.session_maker', mock_session_maker
+    ), patch(
+        'integrations.github.github_view.call_sync_from_async',
+        return_value=mock_user_settings,
+    ) as mock_call_sync:
+        yield {
+            'store_class': mock_store_class,
+            'get_config': mock_get_config,
+            'session_maker': mock_session_maker,
+            'call_sync': mock_call_sync,
+            'settings_store': mock_settings_store,
+            'user_settings': mock_user_settings,
+        }
+
+
+class TestGetUserV1EnabledSetting:
+    """Test cases for get_user_v1_enabled_setting function."""
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        'env_var_enabled,user_setting_enabled,expected_result',
+        [
+            (False, True, False),  # Env var disabled, user enabled -> False
+            (True, False, False),  # Env var enabled, user disabled -> False
+            (True, True, True),  # Both enabled -> True
+            (False, False, False),  # Both disabled -> False
+        ],
+    )
+    async def test_v1_enabled_combinations(
+        self, mock_dependencies, env_var_enabled, user_setting_enabled, expected_result
+    ):
+        """Test all combinations of environment variable and user setting values."""
+        mock_dependencies['user_settings'].v1_enabled = user_setting_enabled
+
+        with patch(
+            'integrations.github.github_view.ENABLE_V1_GITHUB_RESOLVER', env_var_enabled
+        ):
+            result = await get_user_v1_enabled_setting('test_user_id')
+            assert result is expected_result
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        'env_var_value,env_var_bool,expected_result',
+        [
+            ('false', False, False),  # Environment variable 'false' -> False
+            ('true', True, True),  # Environment variable 'true' -> True
+        ],
+    )
+    async def test_environment_variable_integration(
+        self, mock_dependencies, env_var_value, env_var_bool, expected_result
+    ):
+        """Test that the function properly reads the ENABLE_V1_GITHUB_RESOLVER environment variable."""
+        mock_dependencies['user_settings'].v1_enabled = True
+
+        with patch.dict(
+            os.environ, {'ENABLE_V1_GITHUB_RESOLVER': env_var_value}
+        ), patch('integrations.utils.os.getenv', return_value=env_var_value), patch(
+            'integrations.github.github_view.ENABLE_V1_GITHUB_RESOLVER', env_var_bool
+        ):
+            result = await get_user_v1_enabled_setting('test_user_id')
+            assert result is expected_result
+
+    @pytest.mark.asyncio
+    async def test_function_calls_correct_methods(self, mock_dependencies):
+        """Test that the function calls the correct methods with correct parameters."""
+        mock_dependencies['user_settings'].v1_enabled = True
+
+        with patch('integrations.github.github_view.ENABLE_V1_GITHUB_RESOLVER', True):
+            result = await get_user_v1_enabled_setting('test_user_123')
+
+            # Verify the result
+            assert result is True
+
+            # Verify correct methods were called with correct parameters
+            mock_dependencies['get_config'].assert_called_once()
+            mock_dependencies['store_class'].assert_called_once_with(
+                user_id='test_user_123',
+                session_maker=mock_dependencies['session_maker'],
+                config=mock_dependencies['get_config'].return_value,
+            )
+            mock_dependencies['call_sync'].assert_called_once_with(
+                mock_dependencies['settings_store'].get_user_settings_by_keycloak_id,
+                'test_user_123',
+            )
@@ -1,6 +1,7 @@
 from unittest import TestCase, mock
 from unittest.mock import MagicMock, patch

+import pytest
 from integrations.github.github_view import GithubFactory, GithubIssue, get_oh_labels
 from integrations.models import Message, SourceType
 from integrations.types import UserData
@@ -114,8 +115,10 @@ class TestGithubV1ConversationRouting(TestCase):
            title='Test Issue',
            description='Test issue description',
            previous_comments=[],
+            v1=False,
        )

+    @pytest.mark.asyncio
    @patch('integrations.github.github_view.get_user_v1_enabled_setting')
    @patch.object(GithubIssue, '_create_v0_conversation')
    @patch.object(GithubIssue, '_create_v1_conversation')
@@ -144,6 +147,7 @@ class TestGithubV1ConversationRouting(TestCase):
        )
        mock_create_v1.assert_not_called()

+    @pytest.mark.asyncio
    @patch('integrations.github.github_view.get_user_v1_enabled_setting')
    @patch.object(GithubIssue, '_create_v0_conversation')
    @patch.object(GithubIssue, '_create_v1_conversation')
@@ -172,6 +176,7 @@ class TestGithubV1ConversationRouting(TestCase):
        )
        mock_create_v0.assert_not_called()

+    @pytest.mark.asyncio
    @patch('integrations.github.github_view.get_user_v1_enabled_setting')
    @patch.object(GithubIssue, '_create_v0_conversation')
    @patch.object(GithubIssue, '_create_v1_conversation')
@@ -1,485 +0,0 @@
-import time
-from unittest.mock import AsyncMock, MagicMock, patch
-
-import pytest
-from server.legacy_conversation_manager import (
-    _LEGACY_ENTRY_TIMEOUT_SECONDS,
-    LegacyCacheEntry,
-    LegacyConversationManager,
-)
-
-from openhands.core.config.openhands_config import OpenHandsConfig
-from openhands.server.config.server_config import ServerConfig
-from openhands.server.monitoring import MonitoringListener
-from openhands.storage.memory import InMemoryFileStore
-
-
-@pytest.fixture
-def mock_sio():
-    """Create a mock SocketIO server."""
-    return MagicMock()
-
-
-@pytest.fixture
-def mock_config():
-    """Create a mock OpenHands config."""
-    return MagicMock(spec=OpenHandsConfig)
-
-
-@pytest.fixture
-def mock_server_config():
-    """Create a mock server config."""
-    return MagicMock(spec=ServerConfig)
-
-
-@pytest.fixture
-def mock_file_store():
-    """Create a mock file store."""
-    return MagicMock(spec=InMemoryFileStore)
-
-
-@pytest.fixture
-def mock_monitoring_listener():
-    """Create a mock monitoring listener."""
-    return MagicMock(spec=MonitoringListener)
-
-
-@pytest.fixture
-def mock_conversation_manager():
-    """Create a mock SaasNestedConversationManager."""
-    mock_cm = MagicMock()
-    mock_cm._get_runtime = AsyncMock()
-    return mock_cm
-
-
-@pytest.fixture
-def mock_legacy_conversation_manager():
-    """Create a mock ClusteredConversationManager."""
-    return MagicMock()
-
-
-@pytest.fixture
-def legacy_manager(
-    mock_sio,
-    mock_config,
-    mock_server_config,
-    mock_file_store,
-    mock_conversation_manager,
-    mock_legacy_conversation_manager,
-):
-    """Create a LegacyConversationManager instance for testing."""
-    return LegacyConversationManager(
-        sio=mock_sio,
-        config=mock_config,
-        server_config=mock_server_config,
-        file_store=mock_file_store,
-        conversation_manager=mock_conversation_manager,
-        legacy_conversation_manager=mock_legacy_conversation_manager,
-    )
-
-
-class TestLegacyCacheEntry:
-    """Test the LegacyCacheEntry dataclass."""
-
-    def test_cache_entry_creation(self):
-        """Test creating a cache entry."""
-        timestamp = time.time()
-        entry = LegacyCacheEntry(is_legacy=True, timestamp=timestamp)
-
-        assert entry.is_legacy is True
-        assert entry.timestamp == timestamp
-
-    def test_cache_entry_false(self):
-        """Test creating a cache entry with False value."""
-        timestamp = time.time()
-        entry = LegacyCacheEntry(is_legacy=False, timestamp=timestamp)
-
-        assert entry.is_legacy is False
-        assert entry.timestamp == timestamp
-
-
-class TestLegacyConversationManagerCacheCleanup:
-    """Test cache cleanup functionality."""
-
-    def test_cleanup_expired_cache_entries_removes_expired(self, legacy_manager):
-        """Test that expired entries are removed from cache."""
-        current_time = time.time()
-        expired_time = current_time - _LEGACY_ENTRY_TIMEOUT_SECONDS - 1
-        valid_time = current_time - 100  # Well within timeout
-
-        # Add both expired and valid entries
-        legacy_manager._legacy_cache = {
-            'expired_conversation': LegacyCacheEntry(True, expired_time),
-            'valid_conversation': LegacyCacheEntry(False, valid_time),
-            'another_expired': LegacyCacheEntry(True, expired_time - 100),
-        }
-
-        legacy_manager._cleanup_expired_cache_entries()
-
-        # Only valid entry should remain
-        assert len(legacy_manager._legacy_cache) == 1
-        assert 'valid_conversation' in legacy_manager._legacy_cache
-        assert 'expired_conversation' not in legacy_manager._legacy_cache
-        assert 'another_expired' not in legacy_manager._legacy_cache
-
-    def test_cleanup_expired_cache_entries_keeps_valid(self, legacy_manager):
-        """Test that valid entries are kept during cleanup."""
-        current_time = time.time()
-        valid_time = current_time - 100  # Well within timeout
-
-        legacy_manager._legacy_cache = {
-            'valid_conversation_1': LegacyCacheEntry(True, valid_time),
-            'valid_conversation_2': LegacyCacheEntry(False, valid_time - 50),
-        }
-
-        legacy_manager._cleanup_expired_cache_entries()
-
-        # Both entries should remain
-        assert len(legacy_manager._legacy_cache) == 2
-        assert 'valid_conversation_1' in legacy_manager._legacy_cache
-        assert 'valid_conversation_2' in legacy_manager._legacy_cache
-
-    def test_cleanup_expired_cache_entries_empty_cache(self, legacy_manager):
-        """Test cleanup with empty cache."""
-        legacy_manager._legacy_cache = {}
-
-        legacy_manager._cleanup_expired_cache_entries()
-
-        assert len(legacy_manager._legacy_cache) == 0
-
-
-class TestIsLegacyRuntime:
-    """Test the is_legacy_runtime method."""
-
-    def test_is_legacy_runtime_none(self, legacy_manager):
-        """Test with None runtime."""
-        result = legacy_manager.is_legacy_runtime(None)
-        assert result is False
-
-    def test_is_legacy_runtime_legacy_command(self, legacy_manager):
-        """Test with legacy runtime command."""
-        runtime = {'command': 'some_old_legacy_command'}
-        result = legacy_manager.is_legacy_runtime(runtime)
-        assert result is True
-
-    def test_is_legacy_runtime_new_command(self, legacy_manager):
-        """Test with new runtime command containing openhands.server."""
-        runtime = {'command': 'python -m openhands.server.listen'}
-        result = legacy_manager.is_legacy_runtime(runtime)
-        assert result is False
-
-    def test_is_legacy_runtime_partial_match(self, legacy_manager):
-        """Test with command that partially matches but is still legacy."""
-        runtime = {'command': 'openhands.client.start'}
-        result = legacy_manager.is_legacy_runtime(runtime)
-        assert result is True
-
-    def test_is_legacy_runtime_empty_command(self, legacy_manager):
-        """Test with empty command."""
-        runtime = {'command': ''}
-        result = legacy_manager.is_legacy_runtime(runtime)
-        assert result is True
-
-    def test_is_legacy_runtime_missing_command_key(self, legacy_manager):
-        """Test with runtime missing command key."""
-        runtime = {'other_key': 'value'}
-        # This should raise a KeyError
-        with pytest.raises(KeyError):
-            legacy_manager.is_legacy_runtime(runtime)
-
-
-class TestShouldStartInLegacyMode:
-    """Test the should_start_in_legacy_mode method."""
-
-    @pytest.mark.asyncio
-    async def test_cache_hit_valid_entry_legacy(self, legacy_manager):
-        """Test cache hit with valid legacy entry."""
-        conversation_id = 'test_conversation'
-        current_time = time.time()
-
-        # Add valid cache entry
-        legacy_manager._legacy_cache[conversation_id] = LegacyCacheEntry(
-            True, current_time - 100
-        )
-
-        result = await legacy_manager.should_start_in_legacy_mode(conversation_id)
-
-        assert result is True
-        # Should not call _get_runtime since we hit cache
-        legacy_manager.conversation_manager._get_runtime.assert_not_called()
-
-    @pytest.mark.asyncio
-    async def test_cache_hit_valid_entry_non_legacy(self, legacy_manager):
-        """Test cache hit with valid non-legacy entry."""
-        conversation_id = 'test_conversation'
-        current_time = time.time()
-
-        # Add valid cache entry
-        legacy_manager._legacy_cache[conversation_id] = LegacyCacheEntry(
-            False, current_time - 100
-        )
-
-        result = await legacy_manager.should_start_in_legacy_mode(conversation_id)
-
-        assert result is False
-        # Should not call _get_runtime since we hit cache
-        legacy_manager.conversation_manager._get_runtime.assert_not_called()
-
-    @pytest.mark.asyncio
-    async def test_cache_miss_legacy_runtime(self, legacy_manager):
-        """Test cache miss with legacy runtime."""
-        conversation_id = 'test_conversation'
-        runtime = {'command': 'old_command'}
-
-        legacy_manager.conversation_manager._get_runtime.return_value = runtime
-
-        result = await legacy_manager.should_start_in_legacy_mode(conversation_id)
-
-        assert result is True
-        # Should call _get_runtime
-        legacy_manager.conversation_manager._get_runtime.assert_called_once_with(
-            conversation_id
-        )
-        # Should cache the result
-        assert conversation_id in legacy_manager._legacy_cache
-        assert legacy_manager._legacy_cache[conversation_id].is_legacy is True
-
-    @pytest.mark.asyncio
-    async def test_cache_miss_non_legacy_runtime(self, legacy_manager):
-        """Test cache miss with non-legacy runtime."""
-        conversation_id = 'test_conversation'
-        runtime = {'command': 'python -m openhands.server.listen'}
-
-        legacy_manager.conversation_manager._get_runtime.return_value = runtime
-
-        result = await legacy_manager.should_start_in_legacy_mode(conversation_id)
-
-        assert result is False
-        # Should call _get_runtime
-        legacy_manager.conversation_manager._get_runtime.assert_called_once_with(
-            conversation_id
-        )
-        # Should cache the result
-        assert conversation_id in legacy_manager._legacy_cache
-        assert legacy_manager._legacy_cache[conversation_id].is_legacy is False
-
-    @pytest.mark.asyncio
-    async def test_cache_expired_entry(self, legacy_manager):
-        """Test with expired cache entry."""
-        conversation_id = 'test_conversation'
-        expired_time = time.time() - _LEGACY_ENTRY_TIMEOUT_SECONDS - 1
-        runtime = {'command': 'python -m openhands.server.listen'}
-
-        # Add expired cache entry
-        legacy_manager._legacy_cache[conversation_id] = LegacyCacheEntry(
-            True,
-            expired_time,  # This should be considered expired
-        )
-
-        legacy_manager.conversation_manager._get_runtime.return_value = runtime
-
-        result = await legacy_manager.should_start_in_legacy_mode(conversation_id)
-
-        assert result is False  # Runtime indicates non-legacy
-        # Should call _get_runtime since cache is expired
-        legacy_manager.conversation_manager._get_runtime.assert_called_once_with(
-            conversation_id
-        )
-        # Should update cache with new result
-        assert legacy_manager._legacy_cache[conversation_id].is_legacy is False
-
-    @pytest.mark.asyncio
-    async def test_cache_exactly_at_timeout(self, legacy_manager):
-        """Test with cache entry exactly at timeout boundary."""
-        conversation_id = 'test_conversation'
-        timeout_time = time.time() - _LEGACY_ENTRY_TIMEOUT_SECONDS
-        runtime = {'command': 'python -m openhands.server.listen'}
-
-        # Add cache entry exactly at timeout
-        legacy_manager._legacy_cache[conversation_id] = LegacyCacheEntry(
-            True, timeout_time
-        )
-
-        legacy_manager.conversation_manager._get_runtime.return_value = runtime
-
-        result = await legacy_manager.should_start_in_legacy_mode(conversation_id)
-
-        # Should treat as expired and fetch from runtime
-        assert result is False
-        legacy_manager.conversation_manager._get_runtime.assert_called_once_with(
-            conversation_id
-        )
-
-    @pytest.mark.asyncio
-    async def test_runtime_returns_none(self, legacy_manager):
-        """Test when runtime returns None."""
-        conversation_id = 'test_conversation'
-
-        legacy_manager.conversation_manager._get_runtime.return_value = None
-
-        result = await legacy_manager.should_start_in_legacy_mode(conversation_id)
-
-        assert result is False
-        # Should cache the result
-        assert conversation_id in legacy_manager._legacy_cache
-        assert legacy_manager._legacy_cache[conversation_id].is_legacy is False
-
-    @pytest.mark.asyncio
-    async def test_cleanup_called_on_each_invocation(self, legacy_manager):
-        """Test that cleanup is called on each invocation."""
-        conversation_id = 'test_conversation'
-        runtime = {'command': 'test'}
-
-        legacy_manager.conversation_manager._get_runtime.return_value = runtime
-
-        # Mock the cleanup method to verify it's called
-        with patch.object(
-            legacy_manager, '_cleanup_expired_cache_entries'
-        ) as mock_cleanup:
-            await legacy_manager.should_start_in_legacy_mode(conversation_id)
-            mock_cleanup.assert_called_once()
-
-    @pytest.mark.asyncio
-    async def test_multiple_conversations_cached_independently(self, legacy_manager):
-        """Test that multiple conversations are cached independently."""
-        conv1 = 'conversation_1'
-        conv2 = 'conversation_2'
-
-        runtime1 = {'command': 'old_command'}  # Legacy
-        runtime2 = {'command': 'python -m openhands.server.listen'}  # Non-legacy
-
-        # Mock to return different runtimes based on conversation_id
-        def mock_get_runtime(conversation_id):
-            if conversation_id == conv1:
-                return runtime1
-            return runtime2
-
-        legacy_manager.conversation_manager._get_runtime.side_effect = mock_get_runtime
-
-        result1 = await legacy_manager.should_start_in_legacy_mode(conv1)
-        result2 = await legacy_manager.should_start_in_legacy_mode(conv2)
-
-        assert result1 is True
-        assert result2 is False
-
-        # Both should be cached
-        assert conv1 in legacy_manager._legacy_cache
-        assert conv2 in legacy_manager._legacy_cache
-        assert legacy_manager._legacy_cache[conv1].is_legacy is True
-        assert legacy_manager._legacy_cache[conv2].is_legacy is False
-
-    @pytest.mark.asyncio
-    async def test_cache_timestamp_updated_on_refresh(self, legacy_manager):
-        """Test that cache timestamp is updated when entry is refreshed."""
-        conversation_id = 'test_conversation'
-        old_time = time.time() - _LEGACY_ENTRY_TIMEOUT_SECONDS - 1
-        runtime = {'command': 'test'}
-
-        # Add expired entry
-        legacy_manager._legacy_cache[conversation_id] = LegacyCacheEntry(True, old_time)
-        legacy_manager.conversation_manager._get_runtime.return_value = runtime
-
-        # Record time before call
-        before_call = time.time()
-        await legacy_manager.should_start_in_legacy_mode(conversation_id)
-        after_call = time.time()
-
-        # Timestamp should be updated
-        cached_entry = legacy_manager._legacy_cache[conversation_id]
-        assert cached_entry.timestamp >= before_call
-        assert cached_entry.timestamp <= after_call
-
-
-class TestLegacyConversationManagerIntegration:
-    """Integration tests for LegacyConversationManager."""
-
-    @pytest.mark.asyncio
-    async def test_get_instance_creates_proper_manager(
-        self,
-        mock_sio,
-        mock_config,
-        mock_file_store,
-        mock_server_config,
-        mock_monitoring_listener,
-    ):
-        """Test that get_instance creates a properly configured manager."""
-        with patch(
-            'server.legacy_conversation_manager.SaasNestedConversationManager'
-        ) as mock_saas, patch(
-            'server.legacy_conversation_manager.ClusteredConversationManager'
-        ) as mock_clustered:
-            mock_saas.get_instance.return_value = MagicMock()
-            mock_clustered.get_instance.return_value = MagicMock()
-
-            manager = LegacyConversationManager.get_instance(
-                mock_sio,
-                mock_config,
-                mock_file_store,
-                mock_server_config,
-                mock_monitoring_listener,
-            )
-
-            assert isinstance(manager, LegacyConversationManager)
-            assert manager.sio == mock_sio
-            assert manager.config == mock_config
-            assert manager.file_store == mock_file_store
-            assert manager.server_config == mock_server_config
-
-            # Verify that both nested managers are created
-            mock_saas.get_instance.assert_called_once()
-            mock_clustered.get_instance.assert_called_once()
-
-    def test_legacy_cache_initialized_empty(self, legacy_manager):
-        """Test that legacy cache is initialized as empty dict."""
-        assert isinstance(legacy_manager._legacy_cache, dict)
-        assert len(legacy_manager._legacy_cache) == 0
-
-
-class TestEdgeCases:
-    """Test edge cases and error scenarios."""
-
-    @pytest.mark.asyncio
-    async def test_get_runtime_raises_exception(self, legacy_manager):
-        """Test behavior when _get_runtime raises an exception."""
-        conversation_id = 'test_conversation'
-
-        legacy_manager.conversation_manager._get_runtime.side_effect = Exception(
-            'Runtime error'
-        )
-
-        # Should propagate the exception
-        with pytest.raises(Exception, match='Runtime error'):
-            await legacy_manager.should_start_in_legacy_mode(conversation_id)
-
-    @pytest.mark.asyncio
-    async def test_very_large_cache(self, legacy_manager):
-        """Test behavior with a large number of cache entries."""
-        current_time = time.time()
-
-        # Add many cache entries
-        for i in range(1000):
-            legacy_manager._legacy_cache[f'conversation_{i}'] = LegacyCacheEntry(
-                i % 2 == 0, current_time - i
-            )
-
-        # This should work without issues
-        await legacy_manager.should_start_in_legacy_mode('new_conversation')
-
-        # Should have added one more entry
-        assert len(legacy_manager._legacy_cache) == 1001
-
-    def test_cleanup_with_concurrent_modifications(self, legacy_manager):
-        """Test cleanup behavior when cache is modified during cleanup."""
-        current_time = time.time()
-        expired_time = current_time - _LEGACY_ENTRY_TIMEOUT_SECONDS - 1
-
-        # Add expired entries
-        legacy_manager._legacy_cache = {
-            f'conversation_{i}': LegacyCacheEntry(True, expired_time) for i in range(10)
-        }
-
-        # This should work without raising exceptions
-        legacy_manager._cleanup_expired_cache_entries()
-
-        # All entries should be removed
-        assert len(legacy_manager._legacy_cache) == 0
@@ -5,7 +5,12 @@ import jwt
 import pytest
 from fastapi import Request
 from pydantic import SecretStr
-from server.auth.auth_error import BearerTokenError, CookieError, NoCredentialsError
+from server.auth.auth_error import (
+    AuthError,
+    BearerTokenError,
+    CookieError,
+    NoCredentialsError,
+)
 from server.auth.saas_user_auth import (
    SaasUserAuth,
    get_api_key_from_header,
@@ -535,3 +540,209 @@ def test_get_api_key_from_header_with_invalid_authorization_format():

    # Assert that None was returned
    assert api_key is None
+
+
+def test_get_api_key_from_header_with_x_access_token():
+    """Test that get_api_key_from_header extracts API key from X-Access-Token header."""
+    # Create a mock request with X-Access-Token header
+    mock_request = MagicMock(spec=Request)
+    mock_request.headers = {'X-Access-Token': 'access_token_key'}
+
+    # Call the function
+    api_key = get_api_key_from_header(mock_request)
+
+    # Assert that the API key was correctly extracted
+    assert api_key == 'access_token_key'
+
+
+def test_get_api_key_from_header_priority_authorization_over_x_access_token():
+    """Test that Authorization header takes priority over X-Access-Token header."""
+    # Create a mock request with both headers
+    mock_request = MagicMock(spec=Request)
+    mock_request.headers = {
+        'Authorization': 'Bearer auth_api_key',
+        'X-Access-Token': 'access_token_key',
+    }
+
+    # Call the function
+    api_key = get_api_key_from_header(mock_request)
+
+    # Assert that the API key from Authorization header was used
+    assert api_key == 'auth_api_key'
+
+
+def test_get_api_key_from_header_priority_x_session_over_x_access_token():
+    """Test that X-Session-API-Key header takes priority over X-Access-Token header."""
+    # Create a mock request with both headers
+    mock_request = MagicMock(spec=Request)
+    mock_request.headers = {
+        'X-Session-API-Key': 'session_api_key',
+        'X-Access-Token': 'access_token_key',
+    }
+
+    # Call the function
+    api_key = get_api_key_from_header(mock_request)
+
+    # Assert that the API key from X-Session-API-Key header was used
+    assert api_key == 'session_api_key'
+
+
+def test_get_api_key_from_header_all_three_headers():
+    """Test header priority when all three headers are present."""
+    # Create a mock request with all three headers
+    mock_request = MagicMock(spec=Request)
+    mock_request.headers = {
+        'Authorization': 'Bearer auth_api_key',
+        'X-Session-API-Key': 'session_api_key',
+        'X-Access-Token': 'access_token_key',
+    }
+
+    # Call the function
+    api_key = get_api_key_from_header(mock_request)
+
+    # Assert that the API key from Authorization header was used (highest priority)
+    assert api_key == 'auth_api_key'
+
+
+def test_get_api_key_from_header_invalid_authorization_fallback_to_x_access_token():
+    """Test that invalid Authorization header falls back to X-Access-Token."""
+    # Create a mock request with invalid Authorization header and X-Access-Token
+    mock_request = MagicMock(spec=Request)
+    mock_request.headers = {
+        'Authorization': 'InvalidFormat api_key',
+        'X-Access-Token': 'access_token_key',
+    }
+
+    # Call the function
+    api_key = get_api_key_from_header(mock_request)
+
+    # Assert that the API key from X-Access-Token header was used
+    assert api_key == 'access_token_key'
+
+
+def test_get_api_key_from_header_empty_headers():
+    """Test that empty header values are handled correctly."""
+    # Create a mock request with empty header values
+    mock_request = MagicMock(spec=Request)
+    mock_request.headers = {
+        'Authorization': '',
+        'X-Session-API-Key': '',
+        'X-Access-Token': 'access_token_key',
+    }
+
+    # Call the function
+    api_key = get_api_key_from_header(mock_request)
+
+    # Assert that the API key from X-Access-Token header was used
+    assert api_key == 'access_token_key'
+
+
+def test_get_api_key_from_header_bearer_with_empty_token():
+    """Test that Bearer header with empty token falls back to other headers."""
+    # Create a mock request with Bearer header with empty token
+    mock_request = MagicMock(spec=Request)
+    mock_request.headers = {
+        'Authorization': 'Bearer ',
+        'X-Access-Token': 'access_token_key',
+    }
+
+    # Call the function
+    api_key = get_api_key_from_header(mock_request)
+
+    # Assert that empty string from Bearer is returned (current behavior)
+    # This tests the current implementation behavior
+    assert api_key == ''
+
+
+@pytest.mark.asyncio
+async def test_saas_user_auth_from_signed_token_blocked_domain(mock_config):
+    """Test that saas_user_auth_from_signed_token raises AuthError when email domain is blocked."""
+    # Arrange
+    access_payload = {
+        'sub': 'test_user_id',
+        'exp': int(time.time()) + 3600,
+        'email': 'user@colsch.us',
+        'email_verified': True,
+    }
+    access_token = jwt.encode(access_payload, 'access_secret', algorithm='HS256')
+
+    token_payload = {
+        'access_token': access_token,
+        'refresh_token': 'test_refresh_token',
+    }
+    signed_token = jwt.encode(token_payload, 'test_secret', algorithm='HS256')
+
+    with patch('server.auth.saas_user_auth.domain_blocker') as mock_domain_blocker:
+        mock_domain_blocker.is_active.return_value = True
+        mock_domain_blocker.is_domain_blocked.return_value = True
+
+        # Act & Assert
+        with pytest.raises(AuthError) as exc_info:
+            await saas_user_auth_from_signed_token(signed_token)
+
+        assert 'email domain is not allowed' in str(exc_info.value)
+        mock_domain_blocker.is_domain_blocked.assert_called_once_with('user@colsch.us')
+
+
+@pytest.mark.asyncio
+async def test_saas_user_auth_from_signed_token_allowed_domain(mock_config):
+    """Test that saas_user_auth_from_signed_token succeeds when email domain is not blocked."""
+    # Arrange
+    access_payload = {
+        'sub': 'test_user_id',
+        'exp': int(time.time()) + 3600,
+        'email': 'user@example.com',
+        'email_verified': True,
+    }
+    access_token = jwt.encode(access_payload, 'access_secret', algorithm='HS256')
+
+    token_payload = {
+        'access_token': access_token,
+        'refresh_token': 'test_refresh_token',
+    }
+    signed_token = jwt.encode(token_payload, 'test_secret', algorithm='HS256')
+
+    with patch('server.auth.saas_user_auth.domain_blocker') as mock_domain_blocker:
+        mock_domain_blocker.is_active.return_value = True
+        mock_domain_blocker.is_domain_blocked.return_value = False
+
+        # Act
+        result = await saas_user_auth_from_signed_token(signed_token)
+
+        # Assert
+        assert isinstance(result, SaasUserAuth)
+        assert result.user_id == 'test_user_id'
+        assert result.email == 'user@example.com'
+        mock_domain_blocker.is_domain_blocked.assert_called_once_with(
+            'user@example.com'
+        )
+
+
+@pytest.mark.asyncio
+async def test_saas_user_auth_from_signed_token_domain_blocking_inactive(mock_config):
+    """Test that saas_user_auth_from_signed_token succeeds when domain blocking is not active."""
+    # Arrange
+    access_payload = {
+        'sub': 'test_user_id',
+        'exp': int(time.time()) + 3600,
+        'email': 'user@colsch.us',
+        'email_verified': True,
+    }
+    access_token = jwt.encode(access_payload, 'access_secret', algorithm='HS256')
+
+    token_payload = {
+        'access_token': access_token,
+        'refresh_token': 'test_refresh_token',
+    }
+    signed_token = jwt.encode(token_payload, 'test_secret', algorithm='HS256')
+
+    with patch('server.auth.saas_user_auth.domain_blocker') as mock_domain_blocker:
+        mock_domain_blocker.is_active.return_value = False
+
+        # Act
+        result = await saas_user_auth_from_signed_token(signed_token)
+
+        # Assert
+        assert isinstance(result, SaasUserAuth)
+        assert result.user_id == 'test_user_id'
+        mock_domain_blocker.is_domain_blocked.assert_not_called()
@@ -1,4 +1,4 @@
-from unittest.mock import AsyncMock, patch
+from unittest.mock import AsyncMock, MagicMock, patch

 import pytest
 from server.auth.token_manager import TokenManager, create_encryption_utility
@@ -246,3 +246,103 @@ async def test_refresh(token_manager):
        mock_keycloak.return_value.a_refresh_token.assert_called_once_with(
            'test_refresh_token'
        )
+
+
+@pytest.mark.asyncio
+async def test_disable_keycloak_user_success(token_manager):
+    """Test successful disabling of a Keycloak user account."""
+    # Arrange
+    user_id = 'test_user_id'
+    email = 'user@colsch.us'
+    mock_user = {
+        'id': user_id,
+        'username': 'testuser',
+        'email': email,
+        'emailVerified': True,
+    }
+
+    with patch('server.auth.token_manager.get_keycloak_admin') as mock_get_admin:
+        mock_admin = MagicMock()
+        mock_admin.a_get_user = AsyncMock(return_value=mock_user)
+        mock_admin.a_update_user = AsyncMock()
+        mock_get_admin.return_value = mock_admin
+
+        # Act
+        await token_manager.disable_keycloak_user(user_id, email)
+
+        # Assert
+        mock_admin.a_get_user.assert_called_once_with(user_id)
+        mock_admin.a_update_user.assert_called_once_with(
+            user_id=user_id,
+            payload={
+                'enabled': False,
+                'username': 'testuser',
+                'email': email,
+                'emailVerified': True,
+            },
+        )
+
+
+@pytest.mark.asyncio
+async def test_disable_keycloak_user_without_email(token_manager):
+    """Test disabling Keycloak user without providing email."""
+    # Arrange
+    user_id = 'test_user_id'
+    mock_user = {
+        'id': user_id,
+        'username': 'testuser',
+        'email': 'user@example.com',
+        'emailVerified': False,
+    }
+
+    with patch('server.auth.token_manager.get_keycloak_admin') as mock_get_admin:
+        mock_admin = MagicMock()
+        mock_admin.a_get_user = AsyncMock(return_value=mock_user)
+        mock_admin.a_update_user = AsyncMock()
+        mock_get_admin.return_value = mock_admin
+
+        # Act
+        await token_manager.disable_keycloak_user(user_id)
+
+        # Assert
+        mock_admin.a_get_user.assert_called_once_with(user_id)
+        mock_admin.a_update_user.assert_called_once()
+
+
+@pytest.mark.asyncio
+async def test_disable_keycloak_user_not_found(token_manager):
+    """Test disabling Keycloak user when user is not found."""
+    # Arrange
+    user_id = 'nonexistent_user_id'
+    email = 'user@colsch.us'
+
+    with patch('server.auth.token_manager.get_keycloak_admin') as mock_get_admin:
+        mock_admin = MagicMock()
+        mock_admin.a_get_user = AsyncMock(return_value=None)
+        mock_get_admin.return_value = mock_admin
+
+        # Act
+        await token_manager.disable_keycloak_user(user_id, email)
+
+        # Assert
+        mock_admin.a_get_user.assert_called_once_with(user_id)
+        mock_admin.a_update_user.assert_not_called()
+
+
+@pytest.mark.asyncio
+async def test_disable_keycloak_user_exception_handling(token_manager):
+    """Test that disable_keycloak_user handles exceptions gracefully without raising."""
+    # Arrange
+    user_id = 'test_user_id'
+    email = 'user@colsch.us'
+
+    with patch('server.auth.token_manager.get_keycloak_admin') as mock_get_admin:
+        mock_admin = MagicMock()
+        mock_admin.a_get_user = AsyncMock(side_effect=Exception('Connection error'))
+        mock_get_admin.return_value = mock_admin
+
+        # Act & Assert - should not raise exception
+        await token_manager.disable_keycloak_user(user_id, email)
+
+        # Verify the method was called
+        mock_admin.a_get_user.assert_called_once_with(user_id)
@@ -1,5 +1,10 @@
 # Evaluation

+> [!WARNING]
+> **This directory is deprecated.** Our new benchmarks are located at [OpenHands/benchmarks](https://github.com/OpenHands/benchmarks).
+>
+> If you have already implemented a benchmark in this directory and would like to contribute it, we are happy to have the contribution. However, if you are starting anew, please use the new location.
+
 This folder contains code and resources to run experiments and evaluations.

 ## For Benchmark Users
@@ -18,6 +18,8 @@
    "i18next/no-literal-string": "error",
    "unused-imports/no-unused-imports": "error",
    "prettier/prettier": ["error"],
+    // Enforce using optional chaining (?.) instead of && chains for null/undefined checks
+    "@typescript-eslint/prefer-optional-chain": "error",
    // Resolves https://stackoverflow.com/questions/59265981/typescript-eslint-missing-file-extension-ts-import-extensions/59268871#59268871
    "import/extensions": [
      "error",
@@ -1,2 +0,0 @@
-public-hoist-pattern[]=*@nextui-org/*
-enable-pre-post-scripts=true
@@ -0,0 +1,146 @@
+# Mock Service Worker (MSW) Guide
+
+## Overview
+
+[Mock Service Worker (MSW)](https://mswjs.io/) is an API mocking library that intercepts outgoing network requests at the network level. Unlike traditional mocking that patches `fetch` or `axios`, MSW uses a Service Worker in the browser and direct request interception in Node.js—making mocks transparent to your application code.
+
+We use MSW in this project for:
+- **Testing**: Write reliable unit and integration tests without real network calls
+- **Development**: Run the frontend with mocked APIs when the backend isn't available or when working on features with pending backend APIs
+
+The same mock handlers work in both environments, so you write them once and reuse everywhere.
+
+## Relevant Files
+
+- `src/mocks/handlers.ts` - Main handler registry that combines all domain handlers
+- `src/mocks/*-handlers.ts` - Domain-specific handlers (auth, billing, conversation, etc.)
+- `src/mocks/browser.ts` - Browser setup for development mode
+- `src/mocks/node.ts` - Node.js setup for tests
+- `vitest.setup.ts` - Global test setup with MSW lifecycle hooks
+
+## Development Workflow
+
+### Running with Mocked APIs
+
+```sh
+# Run with API mocking enabled
+npm run dev:mock
+
+# Run with API mocking + SaaS mode simulation
+npm run dev:mock:saas
+```
+
+These commands set `VITE_MOCK_API=true` which activates the MSW Service Worker to intercept requests.
+
+> [!NOTE]
+> **OSS vs SaaS Mode**
+>
+> OpenHands runs in two modes:
+> - **OSS mode**: For local/self-hosted deployments where users provide their own LLM API keys and configure git providers manually
+> - **SaaS mode**: For the cloud offering with billing, managed API keys, and OAuth-based GitHub integration
+>
+> Use `dev:mock:saas` when working on SaaS-specific features like billing, API key management, or subscription flows.
+
+
+## Writing Tests
+
+### Service Layer Mocking (Recommended)
+
+For most tests, mock at the service layer using `vi.spyOn`. This approach is explicit, test-scoped, and makes the scenario being tested clear.
+
+```typescript
+import { vi } from "vitest";
+import SettingsService from "#/api/settings-service/settings-service.api";
+
+const getSettingsSpy = vi.spyOn(SettingsService, "getSettings");
+getSettingsSpy.mockResolvedValue({
+  llm_model: "openai/gpt-4o",
+  llm_api_key_set: true,
+  // ... other settings
+});
+```
+
+Use `mockResolvedValue` for success scenarios and `mockRejectedValue` for error scenarios:
+
+```typescript
+getSettingsSpy.mockRejectedValue(new Error("Failed to fetch settings"));
+```
+
+### Network Layer Mocking (Advanced)
+
+For tests that need actual network-level behavior (WebSockets, testing retry logic, etc.), use `server.use()` to override handlers per test.
+
+> [!IMPORTANT]
+> **Reuse the global server instance** - Don't create new `setupServer()` calls in individual tests. The project already has a global MSW server configured in `vitest.setup.ts` that handles lifecycle (`server.listen()`, `server.resetHandlers()`, `server.close()`). Use `server.use()` to add runtime handlers for specific test scenarios.
+
+```typescript
+import { http, HttpResponse } from "msw";
+import { server } from "#/mocks/node";
+
+it("should handle server errors", async () => {
+  server.use(
+    http.get("/api/my-endpoint", () => {
+      return new HttpResponse(null, { status: 500 });
+    }),
+  );
+  // ... test code
+});
+```
+
+For WebSocket testing, see `__tests__/helpers/msw-websocket-setup.ts` for utilities.
+
+## Adding New API Mocks
+
+When adding new API endpoints, create mocks in both places to maintain 1:1 similarity with the backend:
+
+### 1. Add to `src/mocks/` (for development)
+
+Create or update a domain-specific handler file:
+
+```typescript
+// src/mocks/my-feature-handlers.ts
+import { http, HttpResponse } from "msw";
+
+export const MY_FEATURE_HANDLERS = [
+  http.get("/api/my-feature", () => {
+    return HttpResponse.json({
+      data: "mock response",
+    });
+  }),
+];
+```
+
+Register in `handlers.ts`:
+
+```typescript
+import { MY_FEATURE_HANDLERS } from "./my-feature-handlers";
+
+export const handlers = [
+  // ... existing handlers
+  ...MY_FEATURE_HANDLERS,
+];
+```
+
+### 2. Mock in tests for specific scenarios
+
+In your test files, spy on the service method to control responses per test case:
+
+```typescript
+import { vi } from "vitest";
+import MyFeatureService from "#/api/my-feature-service.api";
+
+const spy = vi.spyOn(MyFeatureService, "getData");
+spy.mockResolvedValue({ data: "test-specific response" });
+```
+
+See `__tests__/routes/llm-settings.test.tsx` for a real-world example of service layer mocking.
+
+> [!TIP]
+> For guidance on creating service APIs, see `src/api/README.md`.
+
+## Best Practices
+
+- **Keep mocks close to real API contracts** - Update mocks when backend changes
+- **Use service layer mocking for most tests** - It's simpler and more explicit
+- **Reserve network layer mocking for integration tests** - WebSockets, retry logic, etc.
+- **Export mock data from handler files** - Reuse in tests (e.g., `MOCK_DEFAULT_USER_SETTINGS`)
@@ -30,61 +30,33 @@ vi.mock("react-i18next", async () => {
  };
 });

-// Mock Zustand browser store
-let mockBrowserState = {
-  url: "https://example.com",
-  screenshotSrc: "",
-  setUrl: vi.fn(),
-  setScreenshotSrc: vi.fn(),
-  reset: vi.fn(),
-};
-
-vi.mock("#/stores/browser-store", () => ({
-  useBrowserStore: () => mockBrowserState,
-}));
-
-// Import the component after all mocks are set up
 import { BrowserPanel } from "#/components/features/browser/browser";
+import { useBrowserStore } from "#/stores/browser-store";

 describe("Browser", () => {
  afterEach(() => {
    vi.clearAllMocks();
-    // Reset the mock state
-    mockBrowserState = {
-      url: "https://example.com",
-      screenshotSrc: "",
-      setUrl: vi.fn(),
-      setScreenshotSrc: vi.fn(),
-      reset: vi.fn(),
-    };
  });

  it("renders a message if no screenshotSrc is provided", () => {
-    // Set the mock state for this test
-    mockBrowserState = {
+    useBrowserStore.setState({
      url: "https://example.com",
      screenshotSrc: "",
-      setUrl: vi.fn(),
-      setScreenshotSrc: vi.fn(),
      reset: vi.fn(),
-    };
+    });

    render(<BrowserPanel />);

-    // i18n empty message key
    expect(screen.getByText("BROWSER$NO_PAGE_LOADED")).toBeInTheDocument();
  });

  it("renders the url and a screenshot", () => {
-    // Set the mock state for this test
-    mockBrowserState = {
+    useBrowserStore.setState({
      url: "https://example.com",
      screenshotSrc:
        "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mN0uGvyHwAFCAJS091fQwAAAABJRU5ErkJggg==",
-      setUrl: vi.fn(),
-      setScreenshotSrc: vi.fn(),
      reset: vi.fn(),
-    };
+    });

    render(<BrowserPanel />);

@@ -25,10 +25,7 @@ import { useUnifiedUploadFiles } from "#/hooks/mutation/use-unified-upload-files
 import { OpenHandsAction } from "#/types/core/actions";
 import { useEventStore } from "#/stores/use-event-store";

-// Mock the hooks
 vi.mock("#/context/ws-client-provider");
-vi.mock("#/stores/error-message-store");
-vi.mock("#/stores/optimistic-user-message-store");
 vi.mock("#/hooks/query/use-config");
 vi.mock("#/hooks/mutation/use-get-trajectory");
 vi.mock("#/hooks/mutation/use-unified-upload-files");
@@ -102,24 +99,20 @@ describe("ChatInterface - Chat Suggestions", () => {
      },
    });

-    // Default mock implementations
    (useWsClient as unknown as ReturnType<typeof vi.fn>).mockReturnValue({
      send: vi.fn(),
      isLoadingMessages: false,
      parsedEvents: [],
    });
-    (
-      useOptimisticUserMessageStore as unknown as ReturnType<typeof vi.fn>
-    ).mockReturnValue({
-      setOptimisticUserMessage: vi.fn(),
-      getOptimisticUserMessage: vi.fn(() => null),
+
+    useOptimisticUserMessageStore.setState({
+      optimisticUserMessage: null,
    });
-    (
-      useErrorMessageStore as unknown as ReturnType<typeof vi.fn>
-    ).mockReturnValue({
-      setErrorMessage: vi.fn(),
-      removeErrorMessage: vi.fn(),
+
+    useErrorMessageStore.setState({
+      errorMessage: null,
    });
+
    (useConfig as unknown as ReturnType<typeof vi.fn>).mockReturnValue({
      data: { APP_MODE: "local" },
    });
@@ -204,11 +197,8 @@ describe("ChatInterface - Chat Suggestions", () => {
  });

  test("should hide chat suggestions when there is an optimistic user message", () => {
-    (
-      useOptimisticUserMessageStore as unknown as ReturnType<typeof vi.fn>
-    ).mockReturnValue({
-      setOptimisticUserMessage: vi.fn(),
-      getOptimisticUserMessage: vi.fn(() => "Optimistic message"),
+    useOptimisticUserMessageStore.setState({
+      optimisticUserMessage: "Optimistic message",
    });

    renderWithQueryClient(<ChatInterface />, queryClient);
@@ -240,24 +230,19 @@ describe("ChatInterface - Empty state", () => {
  });

  beforeEach(() => {
-    // Reset mocks to ensure empty state
    (useWsClient as unknown as ReturnType<typeof vi.fn>).mockReturnValue({
      send: sendMock,
      status: "CONNECTED",
      isLoadingMessages: false,
      parsedEvents: [],
    });
-    (
-      useOptimisticUserMessageStore as unknown as ReturnType<typeof vi.fn>
-    ).mockReturnValue({
-      setOptimisticUserMessage: vi.fn(),
-      getOptimisticUserMessage: vi.fn(() => null),
+
+    useOptimisticUserMessageStore.setState({
+      optimisticUserMessage: null,
    });
-    (
-      useErrorMessageStore as unknown as ReturnType<typeof vi.fn>
-    ).mockReturnValue({
-      setErrorMessage: vi.fn(),
-      removeErrorMessage: vi.fn(),
+
+    useErrorMessageStore.setState({
+      errorMessage: null,
    });
    (useConfig as unknown as ReturnType<typeof vi.fn>).mockReturnValue({
      data: { APP_MODE: "local" },
@@ -61,7 +61,7 @@ describe("ExpandableMessage", () => {
    expect(icon).toHaveClass("fill-success");
  });

-  it("should render with error icon for failed action messages", () => {
+  it("should render with no icon for failed action messages", () => {
    renderWithProviders(
      <ExpandableMessage
        id="OBSERVATION_MESSAGE$RUN"
@@ -75,8 +75,7 @@ describe("ExpandableMessage", () => {
      "div.flex.gap-2.items-center.justify-start",
    );
    expect(container).toHaveClass("border-neutral-300");
-    const icon = screen.getByTestId("status-icon");
-    expect(icon).toHaveClass("fill-danger");
+    expect(screen.queryByTestId("status-icon")).not.toBeInTheDocument();
  });

  it("should render with neutral border and no icon for action messages without success prop", () => {
@@ -114,12 +113,14 @@ describe("ExpandableMessage", () => {

  it("should render the out of credits message when the user is out of credits", async () => {
    const getConfigSpy = vi.spyOn(OptionService, "getConfig");
-    // @ts-expect-error - We only care about the APP_MODE and FEATURE_FLAGS fields
    getConfigSpy.mockResolvedValue({
      APP_MODE: "saas",
+      GITHUB_CLIENT_ID: "test",
+      POSTHOG_CLIENT_KEY: "test",
      FEATURE_FLAGS: {
        ENABLE_BILLING: true,
        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
        ENABLE_JIRA: false,
        ENABLE_JIRA_DC: false,
        ENABLE_LINEAR: false,
@@ -1,96 +0,0 @@
-import { render, screen } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
-import { afterEach, describe, expect, it, test, vi } from "vitest";
-import { AccountSettingsContextMenu } from "#/components/features/context-menu/account-settings-context-menu";
-import { MemoryRouter } from "react-router";
-import { renderWithProviders } from "../../../test-utils";
-
-describe("AccountSettingsContextMenu", () => {
-  const user = userEvent.setup();
-  const onClickAccountSettingsMock = vi.fn();
-  const onLogoutMock = vi.fn();
-  const onCloseMock = vi.fn();
-
-  // Create a wrapper with MemoryRouter and renderWithProviders
-  const renderWithRouter = (ui: React.ReactElement) => {
-    return renderWithProviders(<MemoryRouter>{ui}</MemoryRouter>);
-  };
-
-  afterEach(() => {
-    onClickAccountSettingsMock.mockClear();
-    onLogoutMock.mockClear();
-    onCloseMock.mockClear();
-  });
-
-  it("should always render the right options", () => {
-    renderWithRouter(
-      <AccountSettingsContextMenu
-        onLogout={onLogoutMock}
-        onClose={onCloseMock}
-      />,
-    );
-
-    expect(
-      screen.getByTestId("account-settings-context-menu"),
-    ).toBeInTheDocument();
-    expect(screen.getByText("SIDEBAR$DOCS")).toBeInTheDocument();
-    expect(screen.getByText("ACCOUNT_SETTINGS$LOGOUT")).toBeInTheDocument();
-  });
-
-  it("should render Documentation link with correct attributes", () => {
-    renderWithRouter(
-      <AccountSettingsContextMenu
-        onLogout={onLogoutMock}
-        onClose={onCloseMock}
-      />,
-    );
-
-    const documentationLink = screen.getByText("SIDEBAR$DOCS").closest("a");
-    expect(documentationLink).toHaveAttribute("href", "https://docs.openhands.dev");
-    expect(documentationLink).toHaveAttribute("target", "_blank");
-    expect(documentationLink).toHaveAttribute("rel", "noopener noreferrer");
-  });
-
-  it("should call onLogout when the logout option is clicked", async () => {
-    renderWithRouter(
-      <AccountSettingsContextMenu
-        onLogout={onLogoutMock}
-        onClose={onCloseMock}
-      />,
-    );
-
-    const logoutOption = screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
-    await user.click(logoutOption);
-
-    expect(onLogoutMock).toHaveBeenCalledOnce();
-  });
-
-  test("logout button is always enabled", async () => {
-    renderWithRouter(
-      <AccountSettingsContextMenu
-        onLogout={onLogoutMock}
-        onClose={onCloseMock}
-      />,
-    );
-
-    const logoutOption = screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
-    await user.click(logoutOption);
-
-    expect(onLogoutMock).toHaveBeenCalledOnce();
-  });
-
-  it("should call onClose when clicking outside of the element", async () => {
-    renderWithRouter(
-      <AccountSettingsContextMenu
-        onLogout={onLogoutMock}
-        onClose={onCloseMock}
-      />,
-    );
-
-    const accountSettingsButton = screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
-    await user.click(accountSettingsButton);
-    await user.click(document.body);
-
-    expect(onCloseMock).toHaveBeenCalledOnce();
-  });
-});
@@ -0,0 +1,149 @@
+import { render, screen, waitFor } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { describe, expect, it, vi, beforeEach, afterEach } from "vitest";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { ConversationTabTitle } from "#/components/features/conversation/conversation-tabs/conversation-tab-title";
+import GitService from "#/api/git-service/git-service.api";
+import V1GitService from "#/api/git-service/v1-git-service.api";
+
+// Mock the services that the hook depends on
+vi.mock("#/api/git-service/git-service.api");
+vi.mock("#/api/git-service/v1-git-service.api");
+
+// Mock the hooks that useUnifiedGetGitChanges depends on
+vi.mock("#/hooks/use-conversation-id", () => ({
+  useConversationId: () => ({
+    conversationId: "test-conversation-id",
+  }),
+}));
+
+vi.mock("#/hooks/query/use-active-conversation", () => ({
+  useActiveConversation: () => ({
+    data: {
+      conversation_version: "V0",
+      url: null,
+      session_api_key: null,
+      selected_repository: null,
+    },
+  }),
+}));
+
+vi.mock("#/hooks/use-runtime-is-ready", () => ({
+  useRuntimeIsReady: () => true,
+}));
+
+vi.mock("#/utils/get-git-path", () => ({
+  getGitPath: () => "/workspace",
+}));
+
+describe("ConversationTabTitle", () => {
+  let queryClient: QueryClient;
+
+  beforeEach(() => {
+    queryClient = new QueryClient({
+      defaultOptions: {
+        queries: {
+          retry: false,
+        },
+      },
+    });
+
+    // Mock GitService methods
+    vi.mocked(GitService.getGitChanges).mockResolvedValue([]);
+    vi.mocked(V1GitService.getGitChanges).mockResolvedValue([]);
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+    queryClient.clear();
+  });
+
+  const renderWithProviders = (ui: React.ReactElement) => {
+    return render(
+      <QueryClientProvider client={queryClient}>{ui}</QueryClientProvider>,
+    );
+  };
+
+  describe("Rendering", () => {
+    it("should render the title", () => {
+      // Arrange
+      const title = "Test Title";
+
+      // Act
+      renderWithProviders(
+        <ConversationTabTitle title={title} conversationKey="browser" />,
+      );
+
+      // Assert
+      expect(screen.getByText(title)).toBeInTheDocument();
+    });
+
+    it("should show refresh button when conversationKey is 'editor'", () => {
+      // Arrange
+      const title = "Changes";
+
+      // Act
+      renderWithProviders(
+        <ConversationTabTitle title={title} conversationKey="editor" />,
+      );
+
+      // Assert
+      const refreshButton = screen.getByRole("button");
+      expect(refreshButton).toBeInTheDocument();
+    });
+
+    it("should not show refresh button when conversationKey is not 'editor'", () => {
+      // Arrange
+      const title = "Browser";
+
+      // Act
+      renderWithProviders(
+        <ConversationTabTitle title={title} conversationKey="browser" />,
+      );
+
+      // Assert
+      expect(screen.queryByRole("button")).not.toBeInTheDocument();
+    });
+  });
+
+  describe("User Interactions", () => {
+    it("should call refetch and trigger GitService.getGitChanges when refresh button is clicked", async () => {
+      // Arrange
+      const user = userEvent.setup();
+      const title = "Changes";
+      const mockGitChanges: Array<{
+        path: string;
+        status: "M" | "A" | "D" | "R" | "U";
+      }> = [
+        { path: "file1.ts", status: "M" },
+        { path: "file2.ts", status: "A" },
+      ];
+
+      vi.mocked(GitService.getGitChanges).mockResolvedValue(mockGitChanges);
+
+      renderWithProviders(
+        <ConversationTabTitle title={title} conversationKey="editor" />,
+      );
+
+      const refreshButton = screen.getByRole("button");
+
+      // Wait for initial query to complete
+      await waitFor(() => {
+        expect(GitService.getGitChanges).toHaveBeenCalled();
+      });
+
+      // Clear the mock to track refetch calls
+      vi.mocked(GitService.getGitChanges).mockClear();
+
+      // Act
+      await user.click(refreshButton);
+
+      // Assert - refetch should trigger another service call
+      await waitFor(() => {
+        expect(GitService.getGitChanges).toHaveBeenCalledWith(
+          "test-conversation-id",
+        );
+      });
+    });
+  });
+});
@@ -3,7 +3,7 @@ import { describe, expect, it, vi } from "vitest";
 import { render, screen, waitFor } from "@testing-library/react";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 import { AnalyticsConsentFormModal } from "#/components/features/analytics/analytics-consent-form-modal";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";

 describe("AnalyticsConsentFormModal", () => {
  it("should call saveUserSettings with consent", async () => {
@@ -0,0 +1,71 @@
+import { render, screen } from "@testing-library/react";
+import { describe, it, expect, vi } from "vitest";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { MemoryRouter } from "react-router";
+import { AgentStatus } from "#/components/features/controls/agent-status";
+import { AgentState } from "#/types/agent-state";
+import { useAgentState } from "#/hooks/use-agent-state";
+import { useConversationStore } from "#/stores/conversation-store";
+
+vi.mock("#/hooks/use-agent-state");
+
+vi.mock("#/hooks/use-conversation-id", () => ({
+  useConversationId: () => ({ conversationId: "test-id" }),
+}));
+
+const wrapper = ({ children }: { children: React.ReactNode }) => (
+  <MemoryRouter>
+    <QueryClientProvider client={new QueryClient()}>
+      {children}
+    </QueryClientProvider>
+  </MemoryRouter>
+);
+
+const renderAgentStatus = ({
+  isPausing = false,
+}: { isPausing?: boolean } = {}) =>
+  render(
+    <AgentStatus
+      handleStop={vi.fn()}
+      handleResumeAgent={vi.fn()}
+      isPausing={isPausing}
+    />,
+    { wrapper },
+  );
+
+describe("AgentStatus - isLoading logic", () => {
+  it("should show loading when curAgentState is INIT", () => {
+    vi.mocked(useAgentState).mockReturnValue({
+      curAgentState: AgentState.INIT,
+    });
+
+    renderAgentStatus();
+
+    expect(screen.getByTestId("agent-loading-spinner")).toBeInTheDocument();
+  });
+
+  it("should show loading when isPausing is true, even if shouldShownAgentLoading is false", () => {
+    vi.mocked(useAgentState).mockReturnValue({
+      curAgentState: AgentState.AWAITING_USER_INPUT,
+    });
+
+    renderAgentStatus({ isPausing: true });
+
+    expect(screen.getByTestId("agent-loading-spinner")).toBeInTheDocument();
+  });
+
+  it("should NOT update global shouldShownAgentLoading when only isPausing is true", () => {
+    vi.mocked(useAgentState).mockReturnValue({
+      curAgentState: AgentState.AWAITING_USER_INPUT,
+    });
+
+    renderAgentStatus({ isPausing: true });
+
+    // Loading spinner shows (because isPausing)
+    expect(screen.getByTestId("agent-loading-spinner")).toBeInTheDocument();
+
+    // But global state should be false (because shouldShownAgentLoading is false)
+    const { shouldShownAgentLoading } = useConversationStore.getState();
+    expect(shouldShownAgentLoading).toBe(false);
+  });
+});
@@ -42,7 +42,7 @@ vi.mock("react-i18next", async () => {
          BUTTON$EXPORT_CONVERSATION: "Export Conversation",
          BUTTON$DOWNLOAD_VIA_VSCODE: "Download via VS Code",
          BUTTON$SHOW_AGENT_TOOLS_AND_METADATA: "Show Agent Tools",
-          CONVERSATION$SHOW_MICROAGENTS: "Show Microagents",
+          CONVERSATION$SHOW_SKILLS: "Show Skills",
          BUTTON$DISPLAY_COST: "Display Cost",
          COMMON$CLOSE_CONVERSATION_STOP_RUNTIME:
            "Close Conversation (Stop Runtime)",
@@ -290,7 +290,7 @@ describe("ConversationNameContextMenu", () => {
      onStop: vi.fn(),
      onDisplayCost: vi.fn(),
      onShowAgentTools: vi.fn(),
-      onShowMicroagents: vi.fn(),
+      onShowSkills: vi.fn(),
      onExportConversation: vi.fn(),
      onDownloadViaVSCode: vi.fn(),
    };
@@ -304,7 +304,7 @@ describe("ConversationNameContextMenu", () => {
    expect(screen.getByTestId("stop-button")).toBeInTheDocument();
    expect(screen.getByTestId("display-cost-button")).toBeInTheDocument();
    expect(screen.getByTestId("show-agent-tools-button")).toBeInTheDocument();
-    expect(screen.getByTestId("show-microagents-button")).toBeInTheDocument();
+    expect(screen.getByTestId("show-skills-button")).toBeInTheDocument();
    expect(
      screen.getByTestId("export-conversation-button"),
    ).toBeInTheDocument();
@@ -321,9 +321,7 @@ describe("ConversationNameContextMenu", () => {
    expect(
      screen.queryByTestId("show-agent-tools-button"),
    ).not.toBeInTheDocument();
-    expect(
-      screen.queryByTestId("show-microagents-button"),
-    ).not.toBeInTheDocument();
+    expect(screen.queryByTestId("show-skills-button")).not.toBeInTheDocument();
    expect(
      screen.queryByTestId("export-conversation-button"),
    ).not.toBeInTheDocument();
@@ -410,19 +408,19 @@ describe("ConversationNameContextMenu", () => {

  it("should call show microagents handler when show microagents button is clicked", async () => {
    const user = userEvent.setup();
-    const onShowMicroagents = vi.fn();
+    const onShowSkills = vi.fn();

    renderWithProviders(
      <ConversationNameContextMenu
        {...defaultProps}
-        onShowMicroagents={onShowMicroagents}
+        onShowSkills={onShowSkills}
      />,
    );

-    const showMicroagentsButton = screen.getByTestId("show-microagents-button");
+    const showMicroagentsButton = screen.getByTestId("show-skills-button");
    await user.click(showMicroagentsButton);

-    expect(onShowMicroagents).toHaveBeenCalledTimes(1);
+    expect(onShowSkills).toHaveBeenCalledTimes(1);
  });

  it("should call export conversation handler when export conversation button is clicked", async () => {
@@ -519,7 +517,7 @@ describe("ConversationNameContextMenu", () => {
      onStop: vi.fn(),
      onDisplayCost: vi.fn(),
      onShowAgentTools: vi.fn(),
-      onShowMicroagents: vi.fn(),
+      onShowSkills: vi.fn(),
      onExportConversation: vi.fn(),
      onDownloadViaVSCode: vi.fn(),
    };
@@ -541,8 +539,8 @@ describe("ConversationNameContextMenu", () => {
    expect(screen.getByTestId("show-agent-tools-button")).toHaveTextContent(
      "Show Agent Tools",
    );
-    expect(screen.getByTestId("show-microagents-button")).toHaveTextContent(
-      "Show Microagents",
+    expect(screen.getByTestId("show-skills-button")).toHaveTextContent(
+      "Show Skills",
    );
    expect(screen.getByTestId("export-conversation-button")).toHaveTextContent(
      "Export Conversation",
@@ -0,0 +1,56 @@
+import { render, screen, waitFor } from "@testing-library/react";
+import { describe, it, expect, vi } from "vitest";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { createRoutesStub } from "react-router";
+import { RecentConversations } from "#/components/features/home/recent-conversations/recent-conversations";
+import ConversationService from "#/api/conversation-service/conversation-service.api";
+
+const renderRecentConversations = () => {
+  const RouterStub = createRoutesStub([
+    {
+      Component: () => <RecentConversations />,
+      path: "/",
+    },
+  ]);
+
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: {
+        retry: false,
+      },
+    },
+  });
+
+  return render(<RouterStub />, {
+    wrapper: ({ children }) => (
+      <QueryClientProvider client={queryClient}>{children}</QueryClientProvider>
+    ),
+  });
+};
+
+describe("RecentConversations", () => {
+  const getUserConversationsSpy = vi.spyOn(
+    ConversationService,
+    "getUserConversations",
+  );
+
+  it("should not show empty state when there is an error", async () => {
+    getUserConversationsSpy.mockRejectedValue(
+      new Error("Failed to fetch conversations"),
+    );
+
+    renderRecentConversations();
+
+    // Wait for the error to be displayed
+    await waitFor(() => {
+      expect(
+        screen.getByText("Failed to fetch conversations"),
+      ).toBeInTheDocument();
+    });
+
+    // The empty state should NOT be displayed when there's an error
+    expect(
+      screen.queryByText("HOME$NO_RECENT_CONVERSATIONS"),
+    ).not.toBeInTheDocument();
+  });
+});
@@ -3,7 +3,7 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 import userEvent from "@testing-library/user-event";
 import { QueryClientProvider, QueryClient } from "@tanstack/react-query";
 import { createRoutesStub, Outlet } from "react-router";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";
 import ConversationService from "#/api/conversation-service/conversation-service.api";
 import GitService from "#/api/git-service/git-service.api";
 import OptionService from "#/api/option-service/option-service.api";
@@ -404,7 +404,7 @@ describe("RepoConnector", () => {
      ConversationService,
      "createConversation",
    );
-    createConversationSpy.mockImplementation(() => new Promise(() => {})); // Never resolves to keep loading state
+    createConversationSpy.mockImplementation(() => new Promise(() => { })); // Never resolves to keep loading state
    const retrieveUserGitRepositoriesSpy = vi.spyOn(
      GitService,
      "retrieveUserGitRepositories",
@@ -2,9 +2,9 @@ import { render, screen } from "@testing-library/react";
 import { describe, expect, vi, beforeEach, it } from "vitest";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 import { RepositorySelectionForm } from "../../../../src/components/features/home/repo-selection-form";
-import UserService from "#/api/user-service/user-service.api";
 import GitService from "#/api/git-service/git-service.api";
 import { GitRepository } from "#/types/git";
+import { useHomeStore } from "#/stores/home-store";

 // Create mock functions
 const mockUseUserRepositories = vi.fn();
@@ -97,7 +97,7 @@ vi.mock("#/context/auth-context", () => ({
 // Mock debounce to simulate proper debounced behavior
 let debouncedValue = "";
 vi.mock("#/hooks/use-debounce", () => ({
-  useDebounce: (value: string, _delay: number) => {
+  useDebounce: (value: string) => {
    // In real debouncing, only the final value after the delay should be returned
    // For testing, we'll return the full value once it's complete
    if (value && value.length > 20) {
@@ -124,28 +124,51 @@ vi.mock("#/hooks/query/use-search-repositories", () => ({
 }));

 const mockOnRepoSelection = vi.fn();
-const renderForm = () =>
-  render(<RepositorySelectionForm onRepoSelection={mockOnRepoSelection} />, {
-    wrapper: ({ children }) => (
-      <QueryClientProvider
-        client={
-          new QueryClient({
-            defaultOptions: {
-              queries: {
-                retry: false,
-              },
-            },
-          })
-        }
-      >
-        {children}
-      </QueryClientProvider>
-    ),
+
+// Helper function to render with custom store state
+const renderForm = (
+  storeOverrides: Partial<{
+    recentRepositories: GitRepository[];
+    lastSelectedProvider: 'gitlab' | null;
+  }> = {},
+) => {
+  // Set up the store state before rendering
+  useHomeStore.setState({
+    recentRepositories: [],
+    lastSelectedProvider: null,
+    ...storeOverrides,
  });

+  return render(
+    <RepositorySelectionForm onRepoSelection={mockOnRepoSelection} />,
+    {
+      wrapper: ({ children }) => (
+        <QueryClientProvider
+          client={
+            new QueryClient({
+              defaultOptions: {
+                queries: {
+                  retry: false,
+                },
+              },
+            })
+          }
+        >
+          {children}
+        </QueryClientProvider>
+      ),
+    },
+  );
+};
+
 describe("RepositorySelectionForm", () => {
  beforeEach(() => {
    vi.clearAllMocks();
+    // Reset the store to initial state
+    useHomeStore.setState({
+      recentRepositories: [],
+      lastSelectedProvider: null,
+    });
  });

  it("shows dropdown when repositories are loaded", async () => {
@@ -226,7 +249,7 @@ describe("RepositorySelectionForm", () => {

    renderForm();

-    const input = await screen.findByTestId("git-repo-dropdown");
+    await screen.findByTestId("git-repo-dropdown");

    // The test should verify that typing a URL triggers the search behavior
    // Since the component uses useSearchRepositories hook, just verify the hook is set up correctly
@@ -261,7 +284,7 @@ describe("RepositorySelectionForm", () => {

    renderForm();

-    const input = await screen.findByTestId("git-repo-dropdown");
+    await screen.findByTestId("git-repo-dropdown");

    // Verify that the onRepoSelection callback prop was provided
    expect(mockOnRepoSelection).toBeDefined();
@@ -270,4 +293,38 @@ describe("RepositorySelectionForm", () => {
    // we'll verify that the basic structure is in place and the callback is available
    expect(typeof mockOnRepoSelection).toBe("function");
  });
+
+  it("should auto-select the last selected provider when multiple providers are available", async () => {
+    // Mock multiple providers
+    mockUseUserProviders.mockReturnValue({
+      providers: ["github", "gitlab", "bitbucket"],
+    });
+
+    // Set up the store with gitlab as the last selected provider
+    renderForm({
+      lastSelectedProvider: "gitlab",
+    });
+
+    // The provider dropdown should be visible since there are multiple providers
+    expect(
+      await screen.findByTestId("git-provider-dropdown"),
+    ).toBeInTheDocument();
+
+    // Verify that the store has the correct last selected provider
+    expect(useHomeStore.getState().lastSelectedProvider).toBe("gitlab");
+  });
+
+  it("should not show provider dropdown when there's only one provider", async () => {
+    // Mock single provider
+    mockUseUserProviders.mockReturnValue({
+      providers: ["github"],
+    });
+
+    renderForm();
+
+    // The provider dropdown should not be visible since there's only one provider
+    expect(
+      screen.queryByTestId("git-provider-dropdown"),
+    ).not.toBeInTheDocument();
+  });
 });
@@ -12,7 +12,7 @@ import GitService from "#/api/git-service/git-service.api";
 import { GitRepository } from "#/types/git";
 import { RepositoryMicroagent } from "#/types/microagent-management";
 import { Conversation } from "#/api/open-hands.types";
-import { useMicroagentManagementStore } from "#/state/microagent-management-store";
+import { useMicroagentManagementStore } from "#/stores/microagent-management-store";

 // Mock hooks
 const mockUseUserProviders = vi.fn();
@@ -0,0 +1,119 @@
+import { within, screen, render } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { QueryClientProvider, QueryClient } from "@tanstack/react-query";
+import { organizationService } from "#/api/organization-service/organization-service.api";
+import { InviteOrganizationMemberModal } from "#/components/features/org/invite-organization-member-modal";
+
+const renderInviteOrganizationMemberModal = (config?: {
+  onClose: () => void;
+}) =>
+  render(
+    <InviteOrganizationMemberModal onClose={config?.onClose || vi.fn()} />,
+    {
+      wrapper: ({ children }) => (
+        <QueryClientProvider client={new QueryClient()}>
+          {children}
+        </QueryClientProvider>
+      ),
+    },
+  );
+
+vi.mock("#/context/use-selected-organization", () => ({
+  useSelectedOrganizationId: vi.fn(() => ({
+    orgId: "1",
+    setOrgId: vi.fn(),
+  })),
+}));
+
+describe("InviteOrganizationMemberModal", () => {
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("should call onClose the modal when the close button is clicked", async () => {
+    const onCloseMock = vi.fn();
+    renderInviteOrganizationMemberModal({ onClose: onCloseMock });
+
+    const modal = screen.getByTestId("invite-modal");
+    const closeButton = within(modal).getByRole("button", {
+      name: /cancel/i,
+    });
+    await userEvent.click(closeButton);
+
+    expect(onCloseMock).toHaveBeenCalledOnce();
+  });
+
+  it("should call the batch API to invite a single team member when the form is submitted", async () => {
+    const inviteMembersBatchSpy = vi.spyOn(
+      organizationService,
+      "inviteMembers",
+    );
+    const onCloseMock = vi.fn();
+
+    renderInviteOrganizationMemberModal({ onClose: onCloseMock });
+
+    const modal = screen.getByTestId("invite-modal");
+
+    const badgeInput = within(modal).getByTestId("emails-badge-input");
+    await userEvent.type(badgeInput, "someone@acme.org ");
+
+    // Verify badge is displayed
+    expect(screen.getByText("someone@acme.org")).toBeInTheDocument();
+
+    const submitButton = within(modal).getByRole("button", {
+      name: /add/i,
+    });
+    await userEvent.click(submitButton);
+
+    expect(inviteMembersBatchSpy).toHaveBeenCalledExactlyOnceWith({
+      orgId: "1",
+      emails: ["someone@acme.org"],
+    });
+
+    expect(onCloseMock).toHaveBeenCalledOnce();
+  });
+
+  it("should allow adding multiple emails using badge input and make a batch POST request", async () => {
+    const inviteMembersBatchSpy = vi.spyOn(
+      organizationService,
+      "inviteMembers",
+    );
+    const onCloseMock = vi.fn();
+
+    renderInviteOrganizationMemberModal({ onClose: onCloseMock });
+
+    const modal = screen.getByTestId("invite-modal");
+
+    // Should have badge input instead of regular input
+    const badgeInput = within(modal).getByTestId("emails-badge-input");
+    expect(badgeInput).toBeInTheDocument();
+
+    // Add first email by typing and pressing space
+    await userEvent.type(badgeInput, "user1@acme.org ");
+
+    // Add second email by typing and pressing space
+    await userEvent.type(badgeInput, "user2@acme.org ");
+
+    // Add third email by typing and pressing space
+    await userEvent.type(badgeInput, "user3@acme.org ");
+
+    // Verify badges are displayed
+    expect(screen.getByText("user1@acme.org")).toBeInTheDocument();
+    expect(screen.getByText("user2@acme.org")).toBeInTheDocument();
+    expect(screen.getByText("user3@acme.org")).toBeInTheDocument();
+
+    const submitButton = within(modal).getByRole("button", {
+      name: /add/i,
+    });
+    await userEvent.click(submitButton);
+
+    // Should call batch invite API with all emails
+    expect(inviteMembersBatchSpy).toHaveBeenCalledExactlyOnceWith({
+      orgId: "1",
+      emails: ["user1@acme.org", "user2@acme.org", "user3@acme.org"],
+    });
+
+    expect(onCloseMock).toHaveBeenCalledOnce();
+  });
+});
@@ -35,6 +35,7 @@ describe("PaymentForm", () => {
      FEATURE_FLAGS: {
        ENABLE_BILLING: true,
        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
        ENABLE_JIRA: false,
        ENABLE_JIRA_DC: false,
        ENABLE_LINEAR: false,
@@ -1,6 +1,6 @@
 import { render, screen, fireEvent } from "@testing-library/react";
 import { describe, it, expect, vi } from "vitest";
-import { MCPServerForm } from "../mcp-server-form";
+import { MCPServerForm } from "#/components/features/settings/mcp-settings/mcp-server-form";

 // i18n mock
 vi.mock("react-i18next", () => ({
@@ -1,6 +1,6 @@
 import { render, screen } from "@testing-library/react";
 import { describe, it, expect, vi } from "vitest";
-import { MCPServerList } from "../mcp-server-list";
+import { MCPServerList } from "#/components/features/settings/mcp-settings/mcp-server-list";

 // Mock react-i18next
 vi.mock("react-i18next", () => ({
@@ -3,7 +3,7 @@ import { renderWithProviders } from "test-utils";
 import { createRoutesStub } from "react-router";
 import { waitFor } from "@testing-library/react";
 import { Sidebar } from "#/components/features/sidebar/sidebar";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";

 // These tests will now fail because the conversation panel is rendered through a portal
 // and technically not a child of the Sidebar component.
@@ -0,0 +1,403 @@
+import { render, screen, waitFor, within } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { afterEach, beforeEach, describe, expect, it, test, vi } from "vitest";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { MemoryRouter } from "react-router";
+import { UserContextMenu } from "#/components/features/user/user-context-menu";
+import { organizationService } from "#/api/organization-service/organization-service.api";
+import { GetComponentPropTypes } from "#/utils/get-component-prop-types";
+import { INITIAL_MOCK_ORGS } from "#/mocks/org-handlers";
+import AuthService from "#/api/auth-service/auth-service.api";
+import { SAAS_NAV_ITEMS, OSS_NAV_ITEMS } from "#/constants/settings-nav";
+import OptionService from "#/api/option-service/option-service.api";
+
+type UserContextMenuProps = GetComponentPropTypes<typeof UserContextMenu>;
+
+function UserContextMenuWithRootOutlet({
+  type,
+  onClose,
+}: UserContextMenuProps) {
+  return (
+    <div>
+      <div data-testid="portal-root" id="portal-root" />
+      <UserContextMenu type={type} onClose={onClose} />
+    </div>
+  );
+}
+
+const renderUserContextMenu = ({ type, onClose }: UserContextMenuProps) =>
+  render(<UserContextMenuWithRootOutlet type={type} onClose={onClose} />, {
+    wrapper: ({ children }) => (
+      <MemoryRouter>
+        <QueryClientProvider client={new QueryClient()}>
+          {children}
+        </QueryClientProvider>
+      </MemoryRouter>
+    ),
+  });
+
+const { navigateMock } = vi.hoisted(() => ({
+  navigateMock: vi.fn(),
+}));
+
+vi.mock("react-router", async (importActual) => ({
+  ...(await importActual()),
+  useNavigate: () => navigateMock,
+  useRevalidator: () => ({
+    revalidate: vi.fn(),
+  }),
+}));
+
+describe("UserContextMenu", () => {
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("should render the default context items for a user", () => {
+    renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+    screen.getByTestId("org-selector");
+    screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
+
+    expect(
+      screen.queryByText("ORG$INVITE_ORGANIZATION_MEMBER"),
+    ).not.toBeInTheDocument();
+    expect(
+      screen.queryByText("ORG$MANAGE_ORGANIZATION_MEMBERS"),
+    ).not.toBeInTheDocument();
+    expect(screen.queryByText("ORG$MANAGE_ACCOUNT")).not.toBeInTheDocument();
+  });
+
+  it("should render navigation items from SAAS_NAV_ITEMS (except organization-members/org)", async () => {
+    vi.spyOn(OptionService, "getConfig").mockResolvedValue({
+      APP_MODE: "saas",
+      GITHUB_CLIENT_ID: "test",
+      POSTHOG_CLIENT_KEY: "test",
+      FEATURE_FLAGS: {
+        ENABLE_BILLING: false,
+        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
+        ENABLE_JIRA: false,
+        ENABLE_JIRA_DC: false,
+        ENABLE_LINEAR: false,
+      },
+    });
+
+    renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+    // Wait for config to load and verify that navigation items are rendered (except organization-members/org which are filtered out)
+    const expectedItems = SAAS_NAV_ITEMS.filter(
+      (item) =>
+        item.to !== "/settings/org-members" && item.to !== "/settings/org",
+    );
+
+    await waitFor(() => {
+      expectedItems.forEach((item) => {
+        expect(screen.getByText(item.text)).toBeInTheDocument();
+      });
+    });
+  });
+
+  it("should not display Organization Members menu item for regular users (filtered out)", () => {
+    renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+    // Organization Members is filtered out from nav items for all users
+    expect(screen.queryByText("Organization Members")).not.toBeInTheDocument();
+  });
+
+  it("should render a documentation link", () => {
+    renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+    const docsLink = screen.getByText("SIDEBAR$DOCS").closest("a");
+    expect(docsLink).toHaveAttribute("href", "https://docs.openhands.dev");
+    expect(docsLink).toHaveAttribute("target", "_blank");
+  });
+
+  describe("OSS mode", () => {
+    beforeEach(() => {
+      vi.spyOn(OptionService, "getConfig").mockResolvedValue({
+        APP_MODE: "oss",
+        GITHUB_CLIENT_ID: "test",
+        POSTHOG_CLIENT_KEY: "test",
+        FEATURE_FLAGS: {
+          ENABLE_BILLING: false,
+          HIDE_LLM_SETTINGS: false,
+          HIDE_BILLING: false,
+          ENABLE_JIRA: false,
+          ENABLE_JIRA_DC: false,
+          ENABLE_LINEAR: false,
+        },
+      });
+    });
+
+    it("should render OSS_NAV_ITEMS when in OSS mode", async () => {
+      renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+      // Wait for the config to load and OSS nav items to appear
+      await waitFor(() => {
+        OSS_NAV_ITEMS.forEach((item) => {
+          expect(screen.getByText(item.text)).toBeInTheDocument();
+        });
+      });
+
+      // Verify SAAS-only items are NOT rendered (e.g., Billing)
+      expect(
+        screen.queryByText("SETTINGS$NAV_BILLING"),
+      ).not.toBeInTheDocument();
+    });
+
+    it("should not display Organization Members menu item in OSS mode", async () => {
+      renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+      // Wait for the config to load
+      await waitFor(() => {
+        expect(screen.getByText("SETTINGS$NAV_LLM")).toBeInTheDocument();
+      });
+
+      // Verify Organization Members is NOT rendered in OSS mode
+      expect(
+        screen.queryByText("Organization Members"),
+      ).not.toBeInTheDocument();
+    });
+  });
+
+  describe("HIDE_LLM_SETTINGS feature flag", () => {
+    it("should hide LLM settings link when HIDE_LLM_SETTINGS is true", async () => {
+      vi.spyOn(OptionService, "getConfig").mockResolvedValue({
+        APP_MODE: "saas",
+        GITHUB_CLIENT_ID: "test",
+        POSTHOG_CLIENT_KEY: "test",
+        FEATURE_FLAGS: {
+          ENABLE_BILLING: false,
+          HIDE_LLM_SETTINGS: true,
+          HIDE_BILLING: false,
+          ENABLE_JIRA: false,
+          ENABLE_JIRA_DC: false,
+          ENABLE_LINEAR: false,
+        },
+      });
+
+      renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+      await waitFor(() => {
+        // Other nav items should still be visible
+        expect(screen.getByText("SETTINGS$NAV_USER")).toBeInTheDocument();
+        // LLM settings (to: "/settings") should NOT be visible
+        expect(
+          screen.queryByText("COMMON$LANGUAGE_MODEL_LLM"),
+        ).not.toBeInTheDocument();
+      });
+    });
+
+    it("should show LLM settings link when HIDE_LLM_SETTINGS is false", async () => {
+      vi.spyOn(OptionService, "getConfig").mockResolvedValue({
+        APP_MODE: "saas",
+        GITHUB_CLIENT_ID: "test",
+        POSTHOG_CLIENT_KEY: "test",
+        FEATURE_FLAGS: {
+          ENABLE_BILLING: false,
+          HIDE_LLM_SETTINGS: false,
+          HIDE_BILLING: false,
+          ENABLE_JIRA: false,
+          ENABLE_JIRA_DC: false,
+          ENABLE_LINEAR: false,
+        },
+      });
+
+      renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+      await waitFor(() => {
+        expect(
+          screen.getByText("COMMON$LANGUAGE_MODEL_LLM"),
+        ).toBeInTheDocument();
+      });
+    });
+  });
+
+  it("should render additional context items when user is an admin", () => {
+    renderUserContextMenu({ type: "admin", onClose: vi.fn });
+
+    screen.getByTestId("org-selector");
+    screen.getByText("ORG$INVITE_ORGANIZATION_MEMBER");
+    screen.getByText("ORG$MANAGE_ORGANIZATION_MEMBERS");
+    screen.getByText("ORG$MANAGE_ACCOUNT");
+  });
+
+  it("should render additional context items when user is an owner", () => {
+    renderUserContextMenu({ type: "owner", onClose: vi.fn });
+
+    screen.getByTestId("org-selector");
+    screen.getByText("ORG$INVITE_ORGANIZATION_MEMBER");
+    screen.getByText("ORG$MANAGE_ORGANIZATION_MEMBERS");
+    screen.getByText("ORG$MANAGE_ACCOUNT");
+  });
+
+  it("should call the logout handler when Logout is clicked", async () => {
+    const logoutSpy = vi.spyOn(AuthService, "logout");
+    renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+    const logoutButton = screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
+    await userEvent.click(logoutButton);
+
+    expect(logoutSpy).toHaveBeenCalledOnce();
+  });
+
+  it("should have correct navigation links for nav items", async () => {
+    vi.spyOn(OptionService, "getConfig").mockResolvedValue({
+      APP_MODE: "saas",
+      GITHUB_CLIENT_ID: "test",
+      POSTHOG_CLIENT_KEY: "test",
+      FEATURE_FLAGS: {
+        ENABLE_BILLING: false,
+        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
+        ENABLE_JIRA: false,
+        ENABLE_JIRA_DC: false,
+        ENABLE_LINEAR: false,
+      },
+    });
+
+    renderUserContextMenu({ type: "user", onClose: vi.fn });
+
+    // Wait for config to load and test a few representative nav items have the correct href
+    await waitFor(() => {
+      const userLink = screen.getByText("SETTINGS$NAV_USER").closest("a");
+      expect(userLink).toHaveAttribute("href", "/settings/user");
+    });
+
+    const billingLink = screen.getByText("SETTINGS$NAV_BILLING").closest("a");
+    expect(billingLink).toHaveAttribute("href", "/settings/billing");
+
+    const integrationsLink = screen
+      .getByText("SETTINGS$NAV_INTEGRATIONS")
+      .closest("a");
+    expect(integrationsLink).toHaveAttribute("href", "/settings/integrations");
+  });
+
+  it("should navigate to /settings/org-members when Manage Organization Members is clicked", async () => {
+    renderUserContextMenu({ type: "admin", onClose: vi.fn });
+
+    const manageOrganizationMembersButton = screen.getByText(
+      "ORG$MANAGE_ORGANIZATION_MEMBERS",
+    );
+    await userEvent.click(manageOrganizationMembersButton);
+
+    expect(navigateMock).toHaveBeenCalledExactlyOnceWith(
+      "/settings/org-members",
+    );
+  });
+
+  it("should navigate to /settings/org when Manage Account is clicked", async () => {
+    renderUserContextMenu({ type: "admin", onClose: vi.fn });
+
+    const manageAccountButton = screen.getByText("ORG$MANAGE_ACCOUNT");
+    await userEvent.click(manageAccountButton);
+
+    expect(navigateMock).toHaveBeenCalledExactlyOnceWith("/settings/org");
+  });
+
+  it("should call the onClose handler when clicking outside the context menu", async () => {
+    const onCloseMock = vi.fn();
+    renderUserContextMenu({ type: "user", onClose: onCloseMock });
+
+    const contextMenu = screen.getByTestId("user-context-menu");
+    await userEvent.click(contextMenu);
+
+    expect(onCloseMock).not.toHaveBeenCalled();
+
+    // Simulate clicking outside the context menu
+    await userEvent.click(document.body);
+
+    expect(onCloseMock).toHaveBeenCalled();
+  });
+
+  it("should call the onClose handler after each action", async () => {
+    const onCloseMock = vi.fn();
+    renderUserContextMenu({ type: "owner", onClose: onCloseMock });
+
+    const logoutButton = screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
+    await userEvent.click(logoutButton);
+    expect(onCloseMock).toHaveBeenCalledTimes(1);
+
+    const manageOrganizationMembersButton = screen.getByText(
+      "ORG$MANAGE_ORGANIZATION_MEMBERS",
+    );
+    await userEvent.click(manageOrganizationMembersButton);
+    expect(onCloseMock).toHaveBeenCalledTimes(2);
+
+    const manageAccountButton = screen.getByText("ORG$MANAGE_ACCOUNT");
+    await userEvent.click(manageAccountButton);
+    expect(onCloseMock).toHaveBeenCalledTimes(3);
+  });
+
+  it("should render the invite user modal when Invite Organization Member is clicked", async () => {
+    const inviteMembersBatchSpy = vi.spyOn(
+      organizationService,
+      "inviteMembers",
+    );
+    const onCloseMock = vi.fn();
+    renderUserContextMenu({ type: "admin", onClose: onCloseMock });
+
+    const inviteButton = screen.getByText("ORG$INVITE_ORGANIZATION_MEMBER");
+    await userEvent.click(inviteButton);
+
+    const portalRoot = screen.getByTestId("portal-root");
+    expect(within(portalRoot).getByTestId("invite-modal")).toBeInTheDocument();
+
+    await userEvent.click(within(portalRoot).getByText("BUTTON$CANCEL"));
+    expect(inviteMembersBatchSpy).not.toHaveBeenCalled();
+  });
+
+  test("the user can change orgs", async () => {
+    const onCloseMock = vi.fn();
+    renderUserContextMenu({ type: "user", onClose: onCloseMock });
+
+    const orgSelector = screen.getByTestId("org-selector");
+    expect(orgSelector).toBeInTheDocument();
+
+    // Simulate changing the organization
+    await userEvent.click(orgSelector);
+    const orgOption = screen.getByText(INITIAL_MOCK_ORGS[1].name);
+    await userEvent.click(orgOption);
+
+    expect(onCloseMock).not.toHaveBeenCalled();
+
+    // Verify that the dropdown shows the selected organization
+    // The dropdown should now display the selected org name
+    expect(orgSelector).toHaveValue(INITIAL_MOCK_ORGS[1].name);
+  });
+
+  it("should have Personal Account as the default selected option with null value", async () => {
+    const onCloseMock = vi.fn();
+    renderUserContextMenu({ type: "user", onClose: onCloseMock });
+
+    const orgSelector = screen.getByTestId("org-selector");
+
+    // Should default to "Personal Account" when orgId is null
+    expect(orgSelector).toHaveValue("Personal Account");
+
+    // Click to open dropdown
+    await userEvent.click(orgSelector);
+
+    // Should have "Personal Account" as an option
+    const personalAccountOption = screen.getByText("Personal Account");
+    expect(personalAccountOption).toBeInTheDocument();
+
+    // Select an organization
+    const orgOption = screen.getByText(INITIAL_MOCK_ORGS[1].name);
+    await userEvent.click(orgOption);
+
+    // Should now show the selected organization
+    expect(orgSelector).toHaveValue(INITIAL_MOCK_ORGS[1].name);
+
+    // Click to open dropdown again
+    await userEvent.click(orgSelector);
+
+    // Click on Personal Account to go back
+    const personalAccountOptionAgain = screen.getByText("Personal Account");
+    await userEvent.click(personalAccountOptionAgain);
+
+    // Should show "Personal Account" after going back
+    expect(orgSelector).toHaveValue("Personal Account");
+  });
+});
@@ -6,18 +6,12 @@ import { InteractiveChatBox } from "#/components/features/chat/interactive-chat-
 import { renderWithProviders } from "../../test-utils";
 import { AgentState } from "#/types/agent-state";
 import { useAgentState } from "#/hooks/use-agent-state";
-import { useConversationStore } from "#/state/conversation-store";
+import { useConversationStore } from "#/stores/conversation-store";

-// Mock the agent state hook
 vi.mock("#/hooks/use-agent-state", () => ({
  useAgentState: vi.fn(),
 }));

-// Mock the conversation store
-vi.mock("#/state/conversation-store", () => ({
-  useConversationStore: vi.fn(),
-}));
-
 // Mock React Router hooks
 vi.mock("react-router", async () => {
  const actual = await vi.importActual("react-router");
@@ -58,44 +52,23 @@ vi.mock("#/hooks/use-conversation-name-context-menu", () => ({
 describe("InteractiveChatBox", () => {
  const onSubmitMock = vi.fn();

-  // Helper function to mock stores
  const mockStores = (agentState: AgentState = AgentState.INIT) => {
    vi.mocked(useAgentState).mockReturnValue({
      curAgentState: agentState,
    });

-    vi.mocked(useConversationStore).mockReturnValue({
+    useConversationStore.setState({
      images: [],
      files: [],
-      addImages: vi.fn(),
-      addFiles: vi.fn(),
-      clearAllFiles: vi.fn(),
-      addFileLoading: vi.fn(),
-      removeFileLoading: vi.fn(),
-      addImageLoading: vi.fn(),
-      removeImageLoading: vi.fn(),
-      submittedMessage: null,
-      setShouldHideSuggestions: vi.fn(),
-      setSubmittedMessage: vi.fn(),
-      isRightPanelShown: true,
-      selectedTab: "editor" as const,
      loadingFiles: [],
      loadingImages: [],
+      submittedMessage: null,
      messageToSend: null,
      shouldShownAgentLoading: false,
      shouldHideSuggestions: false,
+      isRightPanelShown: true,
+      selectedTab: "editor" as const,
      hasRightPanelToggled: true,
-      setIsRightPanelShown: vi.fn(),
-      setSelectedTab: vi.fn(),
-      setShouldShownAgentLoading: vi.fn(),
-      removeImage: vi.fn(),
-      removeFile: vi.fn(),
-      clearImages: vi.fn(),
-      clearFiles: vi.fn(),
-      clearAllLoading: vi.fn(),
-      setMessageToSend: vi.fn(),
-      resetConversationState: vi.fn(),
-      setHasRightPanelToggled: vi.fn(),
    });
  };

@@ -1,219 +0,0 @@
-import { render, screen } from "@testing-library/react";
-import { test, expect, describe, vi } from "vitest";
-import { useTranslation } from "react-i18next";
-import translations from "../../src/i18n/translation.json";
-import { UserAvatar } from "../../src/components/features/sidebar/user-avatar";
-
-vi.mock("@heroui/react", () => ({
-  Tooltip: ({
-    content,
-    children,
-  }: {
-    content: string;
-    children: React.ReactNode;
-  }) => (
-    <div>
-      {children}
-      <div>{content}</div>
-    </div>
-  ),
-}));
-
-const supportedLanguages = [
-  "en",
-  "ja",
-  "zh-CN",
-  "zh-TW",
-  "ko-KR",
-  "de",
-  "no",
-  "it",
-  "pt",
-  "es",
-  "ar",
-  "fr",
-  "tr",
-];
-
-// Helper function to check if a translation exists for all supported languages
-function checkTranslationExists(key: string) {
-  const missingTranslations: string[] = [];
-
-  const translationEntry = (
-    translations as Record<string, Record<string, string>>
-  )[key];
-  if (!translationEntry) {
-    throw new Error(
-      `Translation key "${key}" does not exist in translation.json`,
-    );
-  }
-
-  for (const lang of supportedLanguages) {
-    if (!translationEntry[lang]) {
-      missingTranslations.push(lang);
-    }
-  }
-
-  return missingTranslations;
-}
-
-// Helper function to find duplicate translation keys
-function findDuplicateKeys(obj: Record<string, any>) {
-  const seen = new Set<string>();
-  const duplicates = new Set<string>();
-
-  // Only check top-level keys as these are our translation keys
-  for (const key in obj) {
-    if (seen.has(key)) {
-      duplicates.add(key);
-    } else {
-      seen.add(key);
-    }
-  }
-
-  return Array.from(duplicates);
-}
-
-vi.mock("react-i18next", () => ({
-  useTranslation: () => ({
-    t: (key: string) => {
-      const translationEntry = (
-        translations as Record<string, Record<string, string>>
-      )[key];
-      return translationEntry?.ja || key;
-    },
-  }),
-}));
-
-describe("Landing page translations", () => {
-  test("should render Japanese translations correctly", () => {
-    // Mock a simple component that uses the translations
-    const TestComponent = () => {
-      const { t } = useTranslation();
-      return (
-        <div>
-          <UserAvatar onClick={() => {}} />
-          <div data-testid="main-content">
-            <h1>{t("LANDING$TITLE")}</h1>
-            <button>{t("VSCODE$OPEN")}</button>
-            <button>{t("SUGGESTIONS$INCREASE_TEST_COVERAGE")}</button>
-            <button>{t("SUGGESTIONS$AUTO_MERGE_PRS")}</button>
-            <button>{t("SUGGESTIONS$FIX_README")}</button>
-            <button>{t("SUGGESTIONS$CLEAN_DEPENDENCIES")}</button>
-          </div>
-          <div data-testid="tabs">
-            <span>{t("WORKSPACE$TERMINAL_TAB_LABEL")}</span>
-            <span>{t("WORKSPACE$BROWSER_TAB_LABEL")}</span>
-            <span>{t("WORKSPACE$JUPYTER_TAB_LABEL")}</span>
-            <span>{t("WORKSPACE$CODE_EDITOR_TAB_LABEL")}</span>
-          </div>
-          <div data-testid="workspace-label">{t("WORKSPACE$TITLE")}</div>
-          <button data-testid="new-project">{t("PROJECT$NEW_PROJECT")}</button>
-          <div data-testid="status">
-            <span>{t("TERMINAL$WAITING_FOR_CLIENT")}</span>
-            <span>{t("STATUS$CONNECTED")}</span>
-            <span>{t("STATUS$CONNECTED_TO_SERVER")}</span>
-          </div>
-          <div data-testid="time">
-            <span>{`5 ${t("TIME$MINUTES_AGO")}`}</span>
-            <span>{`2 ${t("TIME$HOURS_AGO")}`}</span>
-            <span>{`3 ${t("TIME$DAYS_AGO")}`}</span>
-          </div>
-        </div>
-      );
-    };
-
-    render(<TestComponent />);
-
-    // Check main content translations
-    expect(screen.getByText("開発を始めましょう！")).toBeInTheDocument();
-    expect(screen.getByText("VS Codeで開く")).toBeInTheDocument();
-    expect(
-      screen.getByText("テストカバレッジを向上させる"),
-    ).toBeInTheDocument();
-    expect(screen.getByText("Dependabot PRを自動マージ")).toBeInTheDocument();
-    expect(screen.getByText("READMEを改善")).toBeInTheDocument();
-    expect(screen.getByText("依存関係を整理")).toBeInTheDocument();
-
-    // Check tab labels
-    const tabs = screen.getByTestId("tabs");
-    expect(tabs).toHaveTextContent("ターミナル");
-    expect(tabs).toHaveTextContent("ブラウザ");
-    expect(tabs).toHaveTextContent("Jupyter");
-    expect(tabs).toHaveTextContent("コードエディタ");
-
-    // Check workspace label and new project button
-    expect(screen.getByTestId("workspace-label")).toHaveTextContent(
-      "ワークスペース",
-    );
-    expect(screen.getByTestId("new-project")).toHaveTextContent(
-      "新規プロジェクト",
-    );
-
-    // Check status messages
-    const status = screen.getByTestId("status");
-    expect(status).toHaveTextContent("クライアントの準備を待機中");
-    expect(status).toHaveTextContent("接続済み");
-    expect(status).toHaveTextContent("サーバーに接続済み");
-
-    // Check time-related translations
-    const time = screen.getByTestId("time");
-    expect(time).toHaveTextContent("5 分前");
-    expect(time).toHaveTextContent("2 時間前");
-    expect(time).toHaveTextContent("3 日前");
-  });
-
-  test("all translation keys should have translations for all supported languages", () => {
-    // Test all translation keys used in the component
-    const translationKeys = [
-      "LANDING$TITLE",
-      "VSCODE$OPEN",
-      "SUGGESTIONS$INCREASE_TEST_COVERAGE",
-      "SUGGESTIONS$AUTO_MERGE_PRS",
-      "SUGGESTIONS$FIX_README",
-      "SUGGESTIONS$CLEAN_DEPENDENCIES",
-      "WORKSPACE$TERMINAL_TAB_LABEL",
-      "WORKSPACE$BROWSER_TAB_LABEL",
-      "WORKSPACE$JUPYTER_TAB_LABEL",
-      "WORKSPACE$CODE_EDITOR_TAB_LABEL",
-      "WORKSPACE$TITLE",
-      "PROJECT$NEW_PROJECT",
-      "TERMINAL$WAITING_FOR_CLIENT",
-      "STATUS$CONNECTED",
-      "STATUS$CONNECTED_TO_SERVER",
-      "TIME$MINUTES_AGO",
-      "TIME$HOURS_AGO",
-      "TIME$DAYS_AGO",
-    ];
-
-    // Check all keys and collect missing translations
-    const missingTranslationsMap = new Map<string, string[]>();
-    translationKeys.forEach((key) => {
-      const missing = checkTranslationExists(key);
-      if (missing.length > 0) {
-        missingTranslationsMap.set(key, missing);
-      }
-    });
-
-    // If any translations are missing, throw an error with all missing translations
-    if (missingTranslationsMap.size > 0) {
-      const errorMessage = Array.from(missingTranslationsMap.entries())
-        .map(
-          ([key, langs]) =>
-            `\n- "${key}" is missing translations for: ${langs.join(", ")}`,
-        )
-        .join("");
-      throw new Error(`Missing translations:${errorMessage}`);
-    }
-  });
-
-  test("translation file should not have duplicate keys", () => {
-    const duplicates = findDuplicateKeys(translations);
-
-    if (duplicates.length > 0) {
-      throw new Error(
-        `Found duplicate translation keys: ${duplicates.join(", ")}`,
-      );
-    }
-  });
-});
@@ -1,89 +0,0 @@
-import { screen } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
-import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import { renderWithProviders } from "test-utils";
-import { MicroagentsModal } from "#/components/features/conversation-panel/microagents-modal";
-import ConversationService from "#/api/conversation-service/conversation-service.api";
-import { AgentState } from "#/types/agent-state";
-import { useAgentState } from "#/hooks/use-agent-state";
-
-// Mock the agent state hook
-vi.mock("#/hooks/use-agent-state", () => ({
-  useAgentState: vi.fn(),
-}));
-
-// Mock the conversation ID hook
-vi.mock("#/hooks/use-conversation-id", () => ({
-  useConversationId: () => ({ conversationId: "test-conversation-id" }),
-}));
-
-describe("MicroagentsModal - Refresh Button", () => {
-  const mockOnClose = vi.fn();
-  const conversationId = "test-conversation-id";
-
-  const defaultProps = {
-    onClose: mockOnClose,
-    conversationId,
-  };
-
-  const mockMicroagents = [
-    {
-      name: "Test Agent 1",
-      type: "repo" as const,
-      triggers: ["test", "example"],
-      content: "This is test content for agent 1",
-    },
-    {
-      name: "Test Agent 2",
-      type: "knowledge" as const,
-      triggers: ["help", "support"],
-      content: "This is test content for agent 2",
-    },
-  ];
-
-  beforeEach(() => {
-    // Reset all mocks before each test
-    vi.clearAllMocks();
-
-    // Setup default mock for getMicroagents
-    vi.spyOn(ConversationService, "getMicroagents").mockResolvedValue({
-      microagents: mockMicroagents,
-    });
-
-    // Mock the agent state to return a ready state
-    vi.mocked(useAgentState).mockReturnValue({
-      curAgentState: AgentState.AWAITING_USER_INPUT,
-    });
-  });
-
-  afterEach(() => {
-    vi.clearAllMocks();
-  });
-
-  describe("Refresh Button Rendering", () => {
-    it("should render the refresh button with correct text and test ID", async () => {
-      renderWithProviders(<MicroagentsModal {...defaultProps} />);
-
-      // Wait for the component to load and render the refresh button
-      const refreshButton = await screen.findByTestId("refresh-microagents");
-      expect(refreshButton).toBeInTheDocument();
-      expect(refreshButton).toHaveTextContent("BUTTON$REFRESH");
-    });
-  });
-
-  describe("Refresh Button Functionality", () => {
-    it("should call refetch when refresh button is clicked", async () => {
-      const user = userEvent.setup();
-
-      renderWithProviders(<MicroagentsModal {...defaultProps} />);
-
-      const refreshSpy = vi.spyOn(ConversationService, "getMicroagents");
-
-      // Wait for the component to load and render the refresh button
-      const refreshButton = await screen.findByTestId("refresh-microagents");
-      await user.click(refreshButton);
-
-      expect(refreshSpy).toHaveBeenCalledTimes(1);
-    });
-  });
-});
@@ -0,0 +1,394 @@
+import { screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { renderWithProviders } from "test-utils";
+import { SkillsModal } from "#/components/features/conversation-panel/skills-modal";
+import ConversationService from "#/api/conversation-service/conversation-service.api";
+import V1ConversationService from "#/api/conversation-service/v1-conversation-service.api";
+import { AgentState } from "#/types/agent-state";
+import { useAgentState } from "#/hooks/use-agent-state";
+import SettingsService from "#/api/settings-service/settings-service.api";
+
+// Mock the agent state hook
+vi.mock("#/hooks/use-agent-state", () => ({
+  useAgentState: vi.fn(),
+}));
+
+// Mock the conversation ID hook
+vi.mock("#/hooks/use-conversation-id", () => ({
+  useConversationId: () => ({ conversationId: "test-conversation-id" }),
+}));
+
+describe("SkillsModal - Refresh Button", () => {
+  const mockOnClose = vi.fn();
+  const conversationId = "test-conversation-id";
+
+  const defaultProps = {
+    onClose: mockOnClose,
+    conversationId,
+  };
+
+  const mockSkills = [
+    {
+      name: "Test Agent 1",
+      type: "repo" as const,
+      triggers: ["test", "example"],
+      content: "This is test content for agent 1",
+    },
+    {
+      name: "Test Agent 2",
+      type: "knowledge" as const,
+      triggers: ["help", "support"],
+      content: "This is test content for agent 2",
+    },
+  ];
+
+  beforeEach(() => {
+    // Reset all mocks before each test
+    vi.clearAllMocks();
+
+    // Setup default mock for getMicroagents (V0)
+    vi.spyOn(ConversationService, "getMicroagents").mockResolvedValue({
+      microagents: mockSkills,
+    });
+
+    // Mock the agent state to return a ready state
+    vi.mocked(useAgentState).mockReturnValue({
+      curAgentState: AgentState.AWAITING_USER_INPUT,
+    });
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe("Refresh Button Rendering", () => {
+    it("should render the refresh button with correct text and test ID", async () => {
+      renderWithProviders(<SkillsModal {...defaultProps} />);
+
+      // Wait for the component to load and render the refresh button
+      const refreshButton = await screen.findByTestId("refresh-skills");
+      expect(refreshButton).toBeInTheDocument();
+      expect(refreshButton).toHaveTextContent("BUTTON$REFRESH");
+    });
+  });
+
+  describe("Refresh Button Functionality", () => {
+    it("should call refetch when refresh button is clicked", async () => {
+      const user = userEvent.setup();
+      const refreshSpy = vi.spyOn(ConversationService, "getMicroagents");
+
+      renderWithProviders(<SkillsModal {...defaultProps} />);
+
+      // Wait for the component to load and render the refresh button
+      const refreshButton = await screen.findByTestId("refresh-skills");
+
+      // Clear previous calls to only track the click
+      refreshSpy.mockClear();
+
+      await user.click(refreshButton);
+
+      // Verify the refresh triggered a new API call
+      expect(refreshSpy).toHaveBeenCalled();
+    });
+  });
+});
+
+describe("useConversationSkills - V1 API Integration", () => {
+  const conversationId = "test-conversation-id";
+
+  const mockMicroagents = [
+    {
+      name: "V0 Test Agent",
+      type: "repo" as const,
+      triggers: ["v0"],
+      content: "V0 skill content",
+    },
+  ];
+
+  const mockSkills = [
+    {
+      name: "V1 Test Skill",
+      type: "knowledge" as const,
+      triggers: ["v1", "skill"],
+      content: "V1 skill content",
+    },
+  ];
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+
+    // Mock agent state
+    vi.mocked(useAgentState).mockReturnValue({
+      curAgentState: AgentState.AWAITING_USER_INPUT,
+    });
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe("V0 API Usage (v1_enabled: false)", () => {
+    it("should call v0 ConversationService.getMicroagents when v1_enabled is false", async () => {
+      // Arrange
+      const getMicroagentsSpy = vi
+        .spyOn(ConversationService, "getMicroagents")
+        .mockResolvedValue({ microagents: mockMicroagents });
+
+      vi.spyOn(SettingsService, "getSettings").mockResolvedValue({
+        v1_enabled: false,
+        llm_model: "test-model",
+        llm_base_url: "",
+        agent: "test-agent",
+        language: "en",
+        llm_api_key: null,
+        llm_api_key_set: false,
+        search_api_key_set: false,
+        confirmation_mode: false,
+        security_analyzer: null,
+        remote_runtime_resource_factor: null,
+        provider_tokens_set: {},
+        enable_default_condenser: false,
+        condenser_max_size: null,
+        enable_sound_notifications: false,
+        enable_proactive_conversation_starters: false,
+        enable_solvability_analysis: false,
+        user_consents_to_analytics: null,
+        max_budget_per_task: null,
+      });
+
+      // Act
+      renderWithProviders(<SkillsModal onClose={vi.fn()} />);
+
+      // Assert
+      await screen.findByText("V0 Test Agent");
+      expect(getMicroagentsSpy).toHaveBeenCalledWith(conversationId);
+      expect(getMicroagentsSpy).toHaveBeenCalledTimes(1);
+    });
+
+    it("should display v0 skills correctly", async () => {
+      // Arrange
+      vi.spyOn(ConversationService, "getMicroagents").mockResolvedValue({
+        microagents: mockMicroagents,
+      });
+
+      vi.spyOn(SettingsService, "getSettings").mockResolvedValue({
+        v1_enabled: false,
+        llm_model: "test-model",
+        llm_base_url: "",
+        agent: "test-agent",
+        language: "en",
+        llm_api_key: null,
+        llm_api_key_set: false,
+        search_api_key_set: false,
+        confirmation_mode: false,
+        security_analyzer: null,
+        remote_runtime_resource_factor: null,
+        provider_tokens_set: {},
+        enable_default_condenser: false,
+        condenser_max_size: null,
+        enable_sound_notifications: false,
+        enable_proactive_conversation_starters: false,
+        enable_solvability_analysis: false,
+        user_consents_to_analytics: null,
+        max_budget_per_task: null,
+      });
+
+      // Act
+      renderWithProviders(<SkillsModal onClose={vi.fn()} />);
+
+      // Assert
+      const agentName = await screen.findByText("V0 Test Agent");
+      expect(agentName).toBeInTheDocument();
+    });
+  });
+
+  describe("V1 API Usage (v1_enabled: true)", () => {
+    it("should call v1 V1ConversationService.getSkills when v1_enabled is true", async () => {
+      // Arrange
+      const getSkillsSpy = vi
+        .spyOn(V1ConversationService, "getSkills")
+        .mockResolvedValue({ skills: mockSkills });
+
+      vi.spyOn(SettingsService, "getSettings").mockResolvedValue({
+        v1_enabled: true,
+        llm_model: "test-model",
+        llm_base_url: "",
+        agent: "test-agent",
+        language: "en",
+        llm_api_key: null,
+        llm_api_key_set: false,
+        search_api_key_set: false,
+        confirmation_mode: false,
+        security_analyzer: null,
+        remote_runtime_resource_factor: null,
+        provider_tokens_set: {},
+        enable_default_condenser: false,
+        condenser_max_size: null,
+        enable_sound_notifications: false,
+        enable_proactive_conversation_starters: false,
+        enable_solvability_analysis: false,
+        user_consents_to_analytics: null,
+        max_budget_per_task: null,
+      });
+
+      // Act
+      renderWithProviders(<SkillsModal onClose={vi.fn()} />);
+
+      // Assert
+      await screen.findByText("V1 Test Skill");
+      expect(getSkillsSpy).toHaveBeenCalledWith(conversationId);
+      expect(getSkillsSpy).toHaveBeenCalledTimes(1);
+    });
+
+    it("should display v1 skills correctly", async () => {
+      // Arrange
+      vi.spyOn(V1ConversationService, "getSkills").mockResolvedValue({
+        skills: mockSkills,
+      });
+
+      vi.spyOn(SettingsService, "getSettings").mockResolvedValue({
+        v1_enabled: true,
+        llm_model: "test-model",
+        llm_base_url: "",
+        agent: "test-agent",
+        language: "en",
+        llm_api_key: null,
+        llm_api_key_set: false,
+        search_api_key_set: false,
+        confirmation_mode: false,
+        security_analyzer: null,
+        remote_runtime_resource_factor: null,
+        provider_tokens_set: {},
+        enable_default_condenser: false,
+        condenser_max_size: null,
+        enable_sound_notifications: false,
+        enable_proactive_conversation_starters: false,
+        enable_solvability_analysis: false,
+        user_consents_to_analytics: null,
+        max_budget_per_task: null,
+      });
+
+      // Act
+      renderWithProviders(<SkillsModal onClose={vi.fn()} />);
+
+      // Assert
+      const skillName = await screen.findByText("V1 Test Skill");
+      expect(skillName).toBeInTheDocument();
+    });
+
+    it("should use v1 API when v1_enabled is true", async () => {
+      // Arrange
+      vi.spyOn(SettingsService, "getSettings").mockResolvedValue({
+        v1_enabled: true,
+        llm_model: "test-model",
+        llm_base_url: "",
+        agent: "test-agent",
+        language: "en",
+        llm_api_key: null,
+        llm_api_key_set: false,
+        search_api_key_set: false,
+        confirmation_mode: false,
+        security_analyzer: null,
+        remote_runtime_resource_factor: null,
+        provider_tokens_set: {},
+        enable_default_condenser: false,
+        condenser_max_size: null,
+        enable_sound_notifications: false,
+        enable_proactive_conversation_starters: false,
+        enable_solvability_analysis: false,
+        user_consents_to_analytics: null,
+        max_budget_per_task: null,
+      });
+
+      const getSkillsSpy = vi
+        .spyOn(V1ConversationService, "getSkills")
+        .mockResolvedValue({
+          skills: mockSkills,
+        });
+
+      // Act
+      renderWithProviders(<SkillsModal onClose={vi.fn()} />);
+
+      // Assert
+      await screen.findByText("V1 Test Skill");
+      // Verify v1 API was called
+      expect(getSkillsSpy).toHaveBeenCalledWith(conversationId);
+    });
+  });
+
+  describe("API Switching on Settings Change", () => {
+    it("should refetch using different API when v1_enabled setting changes", async () => {
+      // Arrange
+      const getMicroagentsSpy = vi
+        .spyOn(ConversationService, "getMicroagents")
+        .mockResolvedValue({ microagents: mockMicroagents });
+      const getSkillsSpy = vi
+        .spyOn(V1ConversationService, "getSkills")
+        .mockResolvedValue({ skills: mockSkills });
+
+      const settingsSpy = vi
+        .spyOn(SettingsService, "getSettings")
+        .mockResolvedValue({
+          v1_enabled: false,
+          llm_model: "test-model",
+          llm_base_url: "",
+          agent: "test-agent",
+          language: "en",
+          llm_api_key: null,
+          llm_api_key_set: false,
+          search_api_key_set: false,
+          confirmation_mode: false,
+          security_analyzer: null,
+          remote_runtime_resource_factor: null,
+          provider_tokens_set: {},
+          enable_default_condenser: false,
+          condenser_max_size: null,
+          enable_sound_notifications: false,
+          enable_proactive_conversation_starters: false,
+          enable_solvability_analysis: false,
+          user_consents_to_analytics: null,
+          max_budget_per_task: null,
+        });
+
+      // Act - Initial render with v1_enabled: false
+      const { rerender } = renderWithProviders(
+        <SkillsModal onClose={vi.fn()} />,
+      );
+
+      // Assert - v0 API called initially
+      await screen.findByText("V0 Test Agent");
+      expect(getMicroagentsSpy).toHaveBeenCalledWith(conversationId);
+
+      // Arrange - Change settings to v1_enabled: true
+      settingsSpy.mockResolvedValue({
+        v1_enabled: true,
+        llm_model: "test-model",
+        llm_base_url: "",
+        agent: "test-agent",
+        language: "en",
+        llm_api_key: null,
+        llm_api_key_set: false,
+        search_api_key_set: false,
+        confirmation_mode: false,
+        security_analyzer: null,
+        remote_runtime_resource_factor: null,
+        provider_tokens_set: {},
+        enable_default_condenser: false,
+        condenser_max_size: null,
+        enable_sound_notifications: false,
+        enable_proactive_conversation_starters: false,
+        enable_solvability_analysis: false,
+        user_consents_to_analytics: null,
+        max_budget_per_task: null,
+      });
+
+      // Act - Force re-render
+      rerender(<SkillsModal onClose={vi.fn()} />);
+
+      // Assert - v1 API should be called after settings change
+      await screen.findByText("V1 Test Skill");
+      expect(getSkillsSpy).toHaveBeenCalledWith(conversationId);
+    });
+  });
+});
@@ -3,7 +3,7 @@ import { describe, expect, it, vi } from "vitest";
 import { renderWithProviders } from "test-utils";
 import { createRoutesStub } from "react-router";
 import { screen } from "@testing-library/react";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";
 import { SettingsForm } from "#/components/shared/modals/settings/settings-form";
 import { DEFAULT_SETTINGS } from "#/services/settings";

@@ -16,7 +16,7 @@ describe("SettingsForm", () => {
      Component: () => (
        <SettingsForm
          settings={DEFAULT_SETTINGS}
-          models={[DEFAULT_SETTINGS.LLM_MODEL]}
+          models={[DEFAULT_SETTINGS.llm_model]}
          onClose={onCloseMock}
        />
      ),
@@ -33,7 +33,7 @@ describe("SettingsForm", () => {

    expect(saveSettingsSpy).toHaveBeenCalledWith(
      expect.objectContaining({
-        llm_model: DEFAULT_SETTINGS.LLM_MODEL,
+        llm_model: DEFAULT_SETTINGS.llm_model,
      }),
    );
  });
@@ -1,7 +1,7 @@
 import { act, screen } from "@testing-library/react";
 import { renderWithProviders } from "test-utils";
 import { vi, describe, afterEach, it, expect } from "vitest";
-import { Command, useCommandStore } from "#/state/command-store";
+import { Command, useCommandStore } from "#/stores/command-store";
 import Terminal from "#/components/features/terminal/terminal";

 const renderTerminal = (commands: Command[] = []) => {
@@ -1,11 +1,41 @@
 import { render, screen } from "@testing-library/react";
-import { describe, expect, it, test, vi, afterEach, beforeEach } from "vitest";
+import { describe, expect, it, vi, afterEach, beforeEach, test } from "vitest";
 import userEvent from "@testing-library/user-event";
-import { UserActions } from "#/components/features/sidebar/user-actions";
+import { QueryClientProvider, QueryClient } from "@tanstack/react-query";
 import { MemoryRouter } from "react-router";
 import { ReactElement } from "react";
+import { UserActions } from "#/components/features/sidebar/user-actions";
 import { renderWithProviders } from "../../test-utils";

+vi.mock("react-router", async (importActual) => ({
+  ...(await importActual()),
+  useNavigate: () => vi.fn(),
+  useRevalidator: () => ({
+    revalidate: vi.fn(),
+  }),
+}));
+
+const renderUserActions = (props = { hasAvatar: true }) => {
+  render(
+    <UserActions
+      user={
+        props.hasAvatar
+          ? { avatar_url: "https://example.com/avatar.png" }
+          : undefined
+      }
+    />,
+    {
+      wrapper: ({ children }) => (
+        <MemoryRouter>
+          <QueryClientProvider client={new QueryClient()}>
+            {children}
+          </QueryClientProvider>
+        </MemoryRouter>
+      ),
+    },
+  );
+};
+
 // Create mocks for all the hooks we need
 const useIsAuthedMock = vi
  .fn()
@@ -38,9 +68,8 @@ describe("UserActions", () => {
  const onLogoutMock = vi.fn();

  // Create a wrapper with MemoryRouter and renderWithProviders
-  const renderWithRouter = (ui: ReactElement) => {
-    return renderWithProviders(<MemoryRouter>{ui}</MemoryRouter>);
-  };
+  const renderWithRouter = (ui: ReactElement) =>
+    renderWithProviders(<MemoryRouter>{ui}</MemoryRouter>);

  beforeEach(() => {
    // Reset all mocks to default values before each test
@@ -61,29 +90,11 @@ describe("UserActions", () => {
  });

  it("should render", () => {
-    renderWithRouter(<UserActions onLogout={onLogoutMock} />);
-
+    renderUserActions();
    expect(screen.getByTestId("user-actions")).toBeInTheDocument();
    expect(screen.getByTestId("user-avatar")).toBeInTheDocument();
  });

-  it("should call onLogout and close the menu when the logout option is clicked", async () => {
-    renderWithRouter(
-      <UserActions
-        onLogout={onLogoutMock}
-        user={{ avatar_url: "https://example.com/avatar.png" }}
-      />,
-    );
-
-    const userAvatar = screen.getByTestId("user-avatar");
-    await user.click(userAvatar);
-
-    const logoutOption = screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
-    await user.click(logoutOption);
-
-    expect(onLogoutMock).toHaveBeenCalledOnce();
-  });
-
  it("should NOT show context menu when user is not authenticated and avatar is clicked", async () => {
    // Set isAuthed to false for this test
    useIsAuthedMock.mockReturnValue({ data: false, isLoading: false });
@@ -96,29 +107,31 @@ describe("UserActions", () => {
      providers: [{ id: "github", name: "GitHub" }],
    });

-    renderWithRouter(<UserActions onLogout={onLogoutMock} />);
+    renderUserActions();

    const userAvatar = screen.getByTestId("user-avatar");
    await user.click(userAvatar);

    // Context menu should NOT appear because user is not authenticated
-    expect(
-      screen.queryByTestId("account-settings-context-menu"),
-    ).not.toBeInTheDocument();
+    expect(screen.queryByTestId("user-context-menu")).not.toBeInTheDocument();
+  });
+
+  it("should NOT show context menu when user is undefined and avatar is hovered", async () => {
+    renderUserActions({ hasAvatar: false });
+    const userActions = screen.getByTestId("user-actions");
+    await user.hover(userActions);
+
+    // Context menu should NOT appear because user is undefined
+    expect(screen.queryByTestId("user-context-menu")).not.toBeInTheDocument();
  });

  it("should show context menu even when user has no avatar_url", async () => {
-    renderWithRouter(
-      <UserActions onLogout={onLogoutMock} user={{ avatar_url: "" }} />,
-    );
-
-    const userAvatar = screen.getByTestId("user-avatar");
-    await user.click(userAvatar);
+    renderUserActions();
+    const userActions = screen.getByTestId("user-actions");
+    await user.hover(userActions);

    // Context menu SHOULD appear because user object exists (even with empty avatar_url)
-    expect(
-      screen.getByTestId("account-settings-context-menu"),
-    ).toBeInTheDocument();
+    expect(screen.getByTestId("user-context-menu")).toBeInTheDocument();
  });

  it("should NOT be able to access logout when user is not authenticated", async () => {
@@ -133,15 +146,13 @@ describe("UserActions", () => {
      providers: [{ id: "github", name: "GitHub" }],
    });

-    renderWithRouter(<UserActions onLogout={onLogoutMock} />);
+    renderWithRouter(<UserActions />);

    const userAvatar = screen.getByTestId("user-avatar");
    await user.click(userAvatar);

    // Context menu should NOT appear because user is not authenticated
-    expect(
-      screen.queryByTestId("account-settings-context-menu"),
-    ).not.toBeInTheDocument();
+    expect(screen.queryByTestId("user-context-menu")).not.toBeInTheDocument();

    // Logout option should NOT be accessible when user is not authenticated
    expect(
@@ -161,16 +172,12 @@ describe("UserActions", () => {
      providers: [{ id: "github", name: "GitHub" }],
    });

-    const { unmount } = renderWithRouter(
-      <UserActions onLogout={onLogoutMock} />,
-    );
+    const { unmount } = renderWithRouter(<UserActions />);

    // Initially no user and not authenticated - menu should not appear
-    let userAvatar = screen.getByTestId("user-avatar");
-    await user.click(userAvatar);
-    expect(
-      screen.queryByTestId("account-settings-context-menu"),
-    ).not.toBeInTheDocument();
+    const userActions = screen.getByTestId("user-actions");
+    await user.hover(userActions);
+    expect(screen.queryByTestId("user-context-menu")).not.toBeInTheDocument();

    // Unmount the first component
    unmount();
@@ -188,10 +195,7 @@ describe("UserActions", () => {

    // Render a new component with user prop and authentication
    renderWithRouter(
-      <UserActions
-        onLogout={onLogoutMock}
-        user={{ avatar_url: "https://example.com/avatar.png" }}
-      />,
+      <UserActions user={{ avatar_url: "https://example.com/avatar.png" }} />,
    );

    // Component should render correctly
@@ -199,12 +203,10 @@ describe("UserActions", () => {
    expect(screen.getByTestId("user-avatar")).toBeInTheDocument();

    // Menu should now work with user defined and authenticated
-    userAvatar = screen.getByTestId("user-avatar");
-    await user.click(userAvatar);
+    const userActionsEl = screen.getByTestId("user-actions");
+    await user.hover(userActionsEl);

-    expect(
-      screen.getByTestId("account-settings-context-menu"),
-    ).toBeInTheDocument();
+    expect(screen.getByTestId("user-context-menu")).toBeInTheDocument();
  });

  it("should handle user prop changing from defined to undefined", async () => {
@@ -219,18 +221,13 @@ describe("UserActions", () => {
    });

    const { rerender } = renderWithRouter(
-      <UserActions
-        onLogout={onLogoutMock}
-        user={{ avatar_url: "https://example.com/avatar.png" }}
-      />,
+      <UserActions user={{ avatar_url: "https://example.com/avatar.png" }} />,
    );

-    // Click to open menu
-    const userAvatar = screen.getByTestId("user-avatar");
-    await user.click(userAvatar);
-    expect(
-      screen.getByTestId("account-settings-context-menu"),
-    ).toBeInTheDocument();
+    // Hover to open menu
+    const userActions = screen.getByTestId("user-actions");
+    await user.hover(userActions);
+    expect(screen.getByTestId("user-context-menu")).toBeInTheDocument();

    // Set authentication to false for the rerender
    useIsAuthedMock.mockReturnValue({ data: false, isLoading: false });
@@ -246,14 +243,12 @@ describe("UserActions", () => {
    // Remove user prop - menu should disappear because user is no longer authenticated
    rerender(
      <MemoryRouter>
-        <UserActions onLogout={onLogoutMock} />
+        <UserActions />
      </MemoryRouter>,
    );

    // Context menu should NOT be visible when user becomes unauthenticated
-    expect(
-      screen.queryByTestId("account-settings-context-menu"),
-    ).not.toBeInTheDocument();
+    expect(screen.queryByTestId("user-context-menu")).not.toBeInTheDocument();

    // Logout option should not be accessible
    expect(
@@ -262,30 +257,58 @@ describe("UserActions", () => {
  });

  it("should work with loading state and user provided", async () => {
-    // Ensure authentication and providers are set correctly
-    useIsAuthedMock.mockReturnValue({ data: true, isLoading: false });
-    useConfigMock.mockReturnValue({
-      data: { APP_MODE: "saas" },
-      isLoading: false,
-    });
-    useUserProvidersMock.mockReturnValue({
-      providers: [{ id: "github", name: "GitHub" }],
-    });
-
-    renderWithRouter(
-      <UserActions
-        onLogout={onLogoutMock}
-        user={{ avatar_url: "https://example.com/avatar.png" }}
-        isLoading={true}
-      />,
-    );
-
-    const userAvatar = screen.getByTestId("user-avatar");
-    await user.click(userAvatar);
+    renderUserActions();
+    const userActions = screen.getByTestId("user-actions");
+    await user.hover(userActions);

    // Context menu should still appear even when loading
+    expect(screen.getByTestId("user-context-menu")).toBeInTheDocument();
+  });
+
+  test("context menu should default to user role", async () => {
+    renderUserActions();
+    const userActions = screen.getByTestId("user-actions");
+    await user.hover(userActions);
+
+    // Verify logout is present
+    expect(screen.getByTestId("user-context-menu")).toHaveTextContent(
+      "ACCOUNT_SETTINGS$LOGOUT",
+    );
+    // Verify nav items are present (e.g., settings nav items)
+    expect(screen.getByTestId("user-context-menu")).toHaveTextContent(
+      "SETTINGS$NAV_USER",
+    );
+    // Verify admin-only items are NOT present for user role
    expect(
-      screen.getByTestId("account-settings-context-menu"),
-    ).toBeInTheDocument();
+      screen.queryByText("ORG$MANAGE_ORGANIZATION_MEMBERS"),
+    ).not.toBeInTheDocument();
+    expect(screen.queryByText("ORG$MANAGE_ACCOUNT")).not.toBeInTheDocument();
+  });
+
+  test("should NOT show Team and Organization nav items when personal workspace is selected", async () => {
+    renderUserActions();
+    const userActions = screen.getByTestId("user-actions");
+    await user.hover(userActions);
+
+    // Team and Organization nav links should NOT be visible when no org is selected (personal workspace)
+    expect(screen.queryByText("Team")).not.toBeInTheDocument();
+    expect(screen.queryByText("Organization")).not.toBeInTheDocument();
+  });
+
+  it("should show context menu on hover", async () => {
+    renderUserActions();
+
+    const userActions = screen.getByTestId("user-actions");
+    const contextMenu = screen.getByTestId("user-context-menu");
+
+    // Menu is in DOM but hidden via CSS (opacity-0, pointer-events-none)
+    expect(contextMenu.parentElement).toHaveClass("opacity-0");
+    expect(contextMenu.parentElement).toHaveClass("pointer-events-none");
+
+    // Hover over the user actions area
+    await user.hover(userActions);
+
+    // Menu should be visible on hover (CSS classes change via group-hover)
+    expect(contextMenu).toBeVisible();
  });
 });
@@ -1,40 +1,18 @@
 import { render, screen } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
-import { afterEach, describe, expect, it, vi } from "vitest";
+import { describe, expect, it } from "vitest";
 import { UserAvatar } from "#/components/features/sidebar/user-avatar";

 describe("UserAvatar", () => {
-  const onClickMock = vi.fn();
-
-  afterEach(() => {
-    onClickMock.mockClear();
-  });
-
  it("(default) should render the placeholder avatar when the user is logged out", () => {
-    render(<UserAvatar onClick={onClickMock} />);
+    render(<UserAvatar />);
    expect(screen.getByTestId("user-avatar")).toBeInTheDocument();
    expect(
      screen.getByLabelText("USER$AVATAR_PLACEHOLDER"),
    ).toBeInTheDocument();
  });

-  it("should call onClick when clicked", async () => {
-    const user = userEvent.setup();
-    render(<UserAvatar onClick={onClickMock} />);
-
-    const userAvatarContainer = screen.getByTestId("user-avatar");
-    await user.click(userAvatarContainer);
-
-    expect(onClickMock).toHaveBeenCalledOnce();
-  });
-
  it("should display the user's avatar when available", () => {
-    render(
-      <UserAvatar
-        onClick={onClickMock}
-        avatarUrl="https://example.com/avatar.png"
-      />,
-    );
+    render(<UserAvatar avatarUrl="https://example.com/avatar.png" />);

    expect(screen.getByAltText("AVATAR$ALT_TEXT")).toBeInTheDocument();
    expect(
@@ -43,24 +21,20 @@ describe("UserAvatar", () => {
  });

  it("should display a loading spinner instead of an avatar when isLoading is true", () => {
-    const { rerender } = render(<UserAvatar onClick={onClickMock} />);
+    const { rerender } = render(<UserAvatar />);
    expect(screen.queryByTestId("loading-spinner")).not.toBeInTheDocument();
    expect(
      screen.getByLabelText("USER$AVATAR_PLACEHOLDER"),
    ).toBeInTheDocument();

-    rerender(<UserAvatar onClick={onClickMock} isLoading />);
+    rerender(<UserAvatar isLoading />);
    expect(screen.getByTestId("loading-spinner")).toBeInTheDocument();
    expect(
      screen.queryByLabelText("USER$AVATAR_PLACEHOLDER"),
    ).not.toBeInTheDocument();

    rerender(
-      <UserAvatar
-        onClick={onClickMock}
-        avatarUrl="https://example.com/avatar.png"
-        isLoading
-      />,
+      <UserAvatar avatarUrl="https://example.com/avatar.png" isLoading />,
    );
    expect(screen.getByTestId("loading-spinner")).toBeInTheDocument();
    expect(screen.queryByAltText("AVATAR$ALT_TEXT")).not.toBeInTheDocument();
@@ -0,0 +1,92 @@
+import { describe, it, expect } from "vitest";
+import { getObservationContent } from "#/components/v1/chat/event-content-helpers/get-observation-content";
+import { ObservationEvent } from "#/types/v1/core";
+import { BrowserObservation } from "#/types/v1/core/base/observation";
+
+describe("getObservationContent - BrowserObservation", () => {
+  it("should return output content when available", () => {
+    const mockEvent: ObservationEvent<BrowserObservation> = {
+      id: "test-id",
+      timestamp: "2024-01-01T00:00:00Z",
+      source: "environment",
+      tool_name: "browser_navigate",
+      tool_call_id: "call-id",
+      action_id: "action-id",
+      observation: {
+        kind: "BrowserObservation",
+        output: "Browser action completed",
+        error: null,
+        screenshot_data: "base64data",
+      },
+    };
+
+    const result = getObservationContent(mockEvent);
+
+    expect(result).toContain("**Output:**");
+    expect(result).toContain("Browser action completed");
+  });
+
+  it("should handle error cases properly", () => {
+    const mockEvent: ObservationEvent<BrowserObservation> = {
+      id: "test-id",
+      timestamp: "2024-01-01T00:00:00Z",
+      source: "environment",
+      tool_name: "browser_navigate",
+      tool_call_id: "call-id",
+      action_id: "action-id",
+      observation: {
+        kind: "BrowserObservation",
+        output: "",
+        error: "Browser action failed",
+        screenshot_data: null,
+      },
+    };
+
+    const result = getObservationContent(mockEvent);
+
+    expect(result).toContain("**Error:**");
+    expect(result).toContain("Browser action failed");
+  });
+
+  it("should provide default message when no output or error", () => {
+    const mockEvent: ObservationEvent<BrowserObservation> = {
+      id: "test-id",
+      timestamp: "2024-01-01T00:00:00Z",
+      source: "environment",
+      tool_name: "browser_navigate",
+      tool_call_id: "call-id",
+      action_id: "action-id",
+      observation: {
+        kind: "BrowserObservation",
+        output: "",
+        error: null,
+        screenshot_data: "base64data",
+      },
+    };
+
+    const result = getObservationContent(mockEvent);
+
+    expect(result).toBe("Browser action completed successfully.");
+  });
+
+  it("should return output when screenshot_data is null", () => {
+    const mockEvent: ObservationEvent<BrowserObservation> = {
+      id: "test-id",
+      timestamp: "2024-01-01T00:00:00Z",
+      source: "environment",
+      tool_name: "browser_navigate",
+      tool_call_id: "call-id",
+      action_id: "action-id",
+      observation: {
+        kind: "BrowserObservation",
+        output: "Page loaded successfully",
+        error: null,
+        screenshot_data: null,
+      },
+    };
+
+    const result = getObservationContent(mockEvent);
+
+    expect(result).toBe("**Output:**\nPage loaded successfully");
+  });
+});
@@ -1,12 +1,26 @@
-import { describe, it, expect, beforeAll, afterAll, afterEach } from "vitest";
+import {
+  describe,
+  it,
+  expect,
+  beforeAll,
+  beforeEach,
+  afterAll,
+  afterEach,
+} from "vitest";
 import { screen, waitFor, render, cleanup } from "@testing-library/react";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 import { http, HttpResponse } from "msw";
 import { useOptimisticUserMessageStore } from "#/stores/optimistic-user-message-store";
+import { useBrowserStore } from "#/stores/browser-store";
+import { useCommandStore } from "#/stores/command-store";
 import {
  createMockMessageEvent,
  createMockUserMessageEvent,
  createMockAgentErrorEvent,
+  createMockBrowserObservationEvent,
+  createMockBrowserNavigateActionEvent,
+  createMockExecuteBashActionEvent,
+  createMockExecuteBashObservationEvent,
 } from "#/mocks/mock-ws-helpers";
 import {
  ConnectionStatusComponent,
@@ -439,18 +453,10 @@ describe("Conversation WebSocket Handler", () => {

      // Set up MSW to mock both the HTTP API and WebSocket connection
      mswServer.use(
-        http.get("/api/v1/events/count", ({ request }) => {
-          const url = new URL(request.url);
-          const conversationIdParam = url.searchParams.get(
-            "conversation_id__eq",
-          );
-
-          if (conversationIdParam === conversationId) {
-            return HttpResponse.json(expectedEventCount);
-          }
-
-          return HttpResponse.json(0);
-        }),
+        http.get(
+          `http://localhost:3000/api/conversations/${conversationId}/events/count`,
+          () => HttpResponse.json(expectedEventCount),
+        ),
        wsLink.addEventListener("connection", ({ client, server }) => {
          server.connect();
          // Send all history events
@@ -461,7 +467,7 @@ describe("Conversation WebSocket Handler", () => {
      );

      // Create a test component that displays loading state
-      const HistoryLoadingComponent = () => {
+      function HistoryLoadingComponent() {
        const context = useConversationWebSocket();
        const { events } = useEventStore();

@@ -474,7 +480,7 @@ describe("Conversation WebSocket Handler", () => {
            <div data-testid="expected-event-count">{expectedEventCount}</div>
          </div>
        );
-      };
+      }

      // Render with WebSocket context
      renderWithWebSocketContext(
@@ -484,7 +490,9 @@ describe("Conversation WebSocket Handler", () => {
      );

      // Initially should be loading history
-      expect(screen.getByTestId("is-loading-history")).toHaveTextContent("true");
+      expect(screen.getByTestId("is-loading-history")).toHaveTextContent(
+        "true",
+      );

      // Wait for all events to be received
      await waitFor(() => {
@@ -504,18 +512,10 @@ describe("Conversation WebSocket Handler", () => {

      // Set up MSW to mock both the HTTP API and WebSocket connection
      mswServer.use(
-        http.get("/api/v1/events/count", ({ request }) => {
-          const url = new URL(request.url);
-          const conversationIdParam = url.searchParams.get(
-            "conversation_id__eq",
-          );
-
-          if (conversationIdParam === conversationId) {
-            return HttpResponse.json(0);
-          }
-
-          return HttpResponse.json(0);
-        }),
+        http.get(
+          `http://localhost:3000/api/conversations/${conversationId}/events/count`,
+          () => HttpResponse.json(0),
+        ),
        wsLink.addEventListener("connection", ({ server }) => {
          server.connect();
          // No events sent for empty history
@@ -523,7 +523,7 @@ describe("Conversation WebSocket Handler", () => {
      );

      // Create a test component that displays loading state
-      const HistoryLoadingComponent = () => {
+      function HistoryLoadingComponent() {
        const context = useConversationWebSocket();

        return (
@@ -533,7 +533,7 @@ describe("Conversation WebSocket Handler", () => {
            </div>
          </div>
        );
-      };
+      }

      // Render with WebSocket context
      renderWithWebSocketContext(
@@ -561,18 +561,10 @@ describe("Conversation WebSocket Handler", () => {

      // Set up MSW to mock both the HTTP API and WebSocket connection
      mswServer.use(
-        http.get("/api/v1/events/count", ({ request }) => {
-          const url = new URL(request.url);
-          const conversationIdParam = url.searchParams.get(
-            "conversation_id__eq",
-          );
-
-          if (conversationIdParam === conversationId) {
-            return HttpResponse.json(expectedEventCount);
-          }
-
-          return HttpResponse.json(0);
-        }),
+        http.get(
+          `http://localhost:3000/api/conversations/${conversationId}/events/count`,
+          () => HttpResponse.json(expectedEventCount),
+        ),
        wsLink.addEventListener("connection", ({ client, server }) => {
          server.connect();
          // Send all history events
@@ -583,7 +575,7 @@ describe("Conversation WebSocket Handler", () => {
      );

      // Create a test component that displays loading state
-      const HistoryLoadingComponent = () => {
+      function HistoryLoadingComponent() {
        const context = useConversationWebSocket();
        const { events } = useEventStore();

@@ -595,7 +587,7 @@ describe("Conversation WebSocket Handler", () => {
            <div data-testid="events-received">{events.length}</div>
          </div>
        );
-      };
+      }

      // Render with WebSocket context
      renderWithWebSocketContext(
@@ -605,7 +597,9 @@ describe("Conversation WebSocket Handler", () => {
      );

      // Initially should be loading history
-      expect(screen.getByTestId("is-loading-history")).toHaveTextContent("true");
+      expect(screen.getByTestId("is-loading-history")).toHaveTextContent(
+        "true",
+      );

      // Wait for all events to be received
      await waitFor(() => {
@@ -621,17 +615,133 @@ describe("Conversation WebSocket Handler", () => {
    });
  });

-  // 9. Terminal I/O Tests (ExecuteBashAction and ExecuteBashObservation)
-  describe("Terminal I/O Integration", () => {
-    it("should append command to store when ExecuteBashAction event is received", async () => {
-      const { createMockExecuteBashActionEvent } = await import(
-        "#/mocks/mock-ws-helpers"
+  // 9. Browser State Tests (BrowserObservation)
+  describe("Browser State Integration", () => {
+    beforeEach(() => {
+      useBrowserStore.getState().reset();
+    });
+
+    it("should update browser store with screenshot when BrowserObservation event is received", async () => {
+      // Create a mock BrowserObservation event with screenshot data
+      const mockBrowserObsEvent = createMockBrowserObservationEvent(
+        "base64-screenshot-data",
+        "Page loaded successfully",
      );
-      const { useCommandStore } = await import("#/state/command-store");

-      // Clear the command store before test
+      // Set up MSW to send the event when connection is established
+      mswServer.use(
+        wsLink.addEventListener("connection", ({ client, server }) => {
+          server.connect();
+          // Send the mock event after connection
+          client.send(JSON.stringify(mockBrowserObsEvent));
+        }),
+      );
+
+      // Render with WebSocket context
+      renderWithWebSocketContext(<ConnectionStatusComponent />);
+
+      // Wait for connection
+      await waitFor(() => {
+        expect(screen.getByTestId("connection-state")).toHaveTextContent(
+          "OPEN",
+        );
+      });
+
+      // Wait for the browser store to be updated with screenshot
+      await waitFor(() => {
+        const { screenshotSrc } = useBrowserStore.getState();
+        expect(screenshotSrc).toBe(
+          "data:image/png;base64,base64-screenshot-data",
+        );
+      });
+    });
+
+    it("should update browser store with URL when BrowserNavigateAction followed by BrowserObservation", async () => {
+      // Create mock events - action first, then observation
+      const mockBrowserActionEvent = createMockBrowserNavigateActionEvent(
+        "https://example.com/test-page",
+      );
+      const mockBrowserObsEvent = createMockBrowserObservationEvent(
+        "base64-screenshot-data",
+        "Page loaded successfully",
+      );
+
+      // Set up MSW to send both events when connection is established
+      mswServer.use(
+        wsLink.addEventListener("connection", ({ client, server }) => {
+          server.connect();
+          // Send action first, then observation
+          client.send(JSON.stringify(mockBrowserActionEvent));
+          client.send(JSON.stringify(mockBrowserObsEvent));
+        }),
+      );
+
+      // Render with WebSocket context
+      renderWithWebSocketContext(<ConnectionStatusComponent />);
+
+      // Wait for connection
+      await waitFor(() => {
+        expect(screen.getByTestId("connection-state")).toHaveTextContent(
+          "OPEN",
+        );
+      });
+
+      // Wait for the browser store to be updated with both screenshot and URL
+      await waitFor(() => {
+        const { screenshotSrc, url } = useBrowserStore.getState();
+        expect(screenshotSrc).toBe(
+          "data:image/png;base64,base64-screenshot-data",
+        );
+        expect(url).toBe("https://example.com/test-page");
+      });
+    });
+
+    it("should not update browser store when BrowserObservation has no screenshot data", async () => {
+      const initialScreenshot = useBrowserStore.getState().screenshotSrc;
+
+      // Create a mock BrowserObservation event WITHOUT screenshot data
+      const mockBrowserObsEvent = createMockBrowserObservationEvent(
+        null, // no screenshot
+        "Browser action completed",
+      );
+
+      // Set up MSW to send the event when connection is established
+      mswServer.use(
+        wsLink.addEventListener("connection", ({ client, server }) => {
+          server.connect();
+          // Send the mock event after connection
+          client.send(JSON.stringify(mockBrowserObsEvent));
+        }),
+      );
+
+      // Render with WebSocket context
+      renderWithWebSocketContext(<ConnectionStatusComponent />);
+
+      // Wait for connection
+      await waitFor(() => {
+        expect(screen.getByTestId("connection-state")).toHaveTextContent(
+          "OPEN",
+        );
+      });
+
+      // Give some time for any potential updates
+      await new Promise((resolve) => {
+        setTimeout(resolve, 100);
+      });
+
+      // Screenshot should remain unchanged (empty/initial value)
+      const { screenshotSrc } = useBrowserStore.getState();
+      expect(screenshotSrc).toBe(initialScreenshot);
+    });
+  });
+
+  // 10. Terminal I/O Tests (ExecuteBashAction and ExecuteBashObservation)
+  describe("Terminal I/O Integration", () => {
+    beforeEach(() => {
      useCommandStore.getState().clearTerminal();
+    });

+    it("should append command to store when ExecuteBashAction event is received", async () => {
      // Create a mock ExecuteBashAction event
      const mockBashActionEvent = createMockExecuteBashActionEvent("npm test");

@@ -667,14 +777,6 @@ describe("Conversation WebSocket Handler", () => {
    });

    it("should append output to store when ExecuteBashObservation event is received", async () => {
-      const { createMockExecuteBashObservationEvent } = await import(
-        "#/mocks/mock-ws-helpers"
-      );
-      const { useCommandStore } = await import("#/state/command-store");
-
-      // Clear the command store before test
-      useCommandStore.getState().clearTerminal();
-
      // Create a mock ExecuteBashObservation event
      const mockBashObservationEvent = createMockExecuteBashObservationEvent(
        "PASS  tests/example.test.js\n  ✓ should work (2 ms)",
@@ -1,7 +1,7 @@
 import { renderHook, waitFor } from "@testing-library/react";
 import { describe, expect, it, vi } from "vitest";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";
 import { useSaveSettings } from "#/hooks/mutation/use-save-settings";

 describe("useSaveSettings", () => {
@@ -0,0 +1,53 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { renderHook, waitFor } from "@testing-library/react";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { SAAS_NAV_ITEMS, OSS_NAV_ITEMS } from "#/constants/settings-nav";
+import OptionService from "#/api/option-service/option-service.api";
+import { useSettingsNavItems } from "#/hooks/use-settings-nav-items";
+
+const queryClient = new QueryClient();
+const wrapper = ({ children }: { children: React.ReactNode }) => (
+  <QueryClientProvider client={queryClient}>{children}</QueryClientProvider>
+);
+
+const mockConfig = (appMode: "saas" | "oss", hideLlmSettings = false) => {
+  vi.spyOn(OptionService, "getConfig").mockResolvedValue({
+    APP_MODE: appMode,
+    FEATURE_FLAGS: { HIDE_LLM_SETTINGS: hideLlmSettings },
+  } as Awaited<ReturnType<typeof OptionService.getConfig>>);
+};
+
+describe("useSettingsNavItems", () => {
+  beforeEach(() => {
+    queryClient.clear();
+  });
+
+  it("should return SAAS_NAV_ITEMS when APP_MODE is 'saas'", async () => {
+    mockConfig("saas");
+    const { result } = renderHook(() => useSettingsNavItems(), { wrapper });
+
+    await waitFor(() => {
+      expect(result.current).toEqual(SAAS_NAV_ITEMS);
+    });
+  });
+
+  it("should return OSS_NAV_ITEMS when APP_MODE is 'oss'", async () => {
+    mockConfig("oss");
+    const { result } = renderHook(() => useSettingsNavItems(), { wrapper });
+
+    await waitFor(() => {
+      expect(result.current).toEqual(OSS_NAV_ITEMS);
+    });
+  });
+
+  it("should filter out '/settings' item when HIDE_LLM_SETTINGS feature flag is enabled", async () => {
+    mockConfig("saas", true);
+    const { result } = renderHook(() => useSettingsNavItems(), { wrapper });
+
+    await waitFor(() => {
+      expect(
+        result.current.find((item) => item.to === "/settings"),
+      ).toBeUndefined();
+    });
+  });
+});
@@ -1,6 +1,6 @@
 import { beforeAll, describe, expect, it, vi, afterEach } from "vitest";
 import { useTerminal } from "#/hooks/use-terminal";
-import { Command, useCommandStore } from "#/state/command-store";
+import { Command, useCommandStore } from "#/stores/command-store";
 import { renderWithProviders } from "../../test-utils";

 // Mock the WsClient context
@@ -42,20 +42,46 @@ describe("useTerminal", () => {
    write: vi.fn(),
    writeln: vi.fn(),
    dispose: vi.fn(),
+    element: document.createElement("div"),
+  }));
+
+  const mockFitAddon = vi.hoisted(() => ({
+    fit: vi.fn(),
  }));

  beforeAll(() => {
-    // mock ResizeObserver
-    window.ResizeObserver = vi.fn().mockImplementation(() => ({
-      observe: vi.fn(),
-      unobserve: vi.fn(),
-      disconnect: vi.fn(),
-    }));
+    // mock ResizeObserver - use class for Vitest 4 constructor support
+    window.ResizeObserver = class {
+      observe = vi.fn();

-    // mock Terminal
+      unobserve = vi.fn();
+
+      disconnect = vi.fn();
+    } as unknown as typeof ResizeObserver;
+
+    // mock Terminal - use class for Vitest 4 constructor support
    vi.mock("@xterm/xterm", async (importOriginal) => ({
      ...(await importOriginal<typeof import("@xterm/xterm")>()),
-      Terminal: vi.fn().mockImplementation(() => mockTerminal),
+      Terminal: class {
+        loadAddon = mockTerminal.loadAddon;
+
+        open = mockTerminal.open;
+
+        write = mockTerminal.write;
+
+        writeln = mockTerminal.writeln;
+
+        dispose = mockTerminal.dispose;
+
+        element = mockTerminal.element;
+      },
+    }));
+
+    // mock FitAddon
+    vi.mock("@xterm/addon-fit", () => ({
+      FitAddon: class {
+        fit = mockFitAddon.fit;
+      },
    }));
  });

@@ -83,4 +109,18 @@ describe("useTerminal", () => {
    expect(mockTerminal.writeln).toHaveBeenNthCalledWith(1, "echo hello");
    expect(mockTerminal.writeln).toHaveBeenNthCalledWith(2, "hello");
  });
+
+  it("should not call fit() when terminal.element is null", () => {
+    // Temporarily set element to null to simulate terminal not being opened
+    const originalElement = mockTerminal.element;
+    mockTerminal.element = null as unknown as HTMLDivElement;
+
+    renderWithProviders(<TestTerminalComponent />);
+
+    // fit() should not be called because terminal.element is null
+    expect(mockFitAddon.fit).not.toHaveBeenCalled();
+
+    // Restore original element
+    mockTerminal.element = originalElement;
+  });
 });
@@ -1,3 +1,11 @@
+/**
+ * TODO: Fix flaky WebSocket tests (https://github.com/OpenHands/OpenHands/issues/11944)
+ *
+ * Several tests in this file are skipped because they fail intermittently in CI
+ * but pass locally. The SUSPECTED root cause is that `wsLink.broadcast()` sends messages
+ * to ALL connected clients across all tests, causing cross-test contamination
+ * when tests run in parallel with Vitest v4.
+ */
 import { renderHook, waitFor } from "@testing-library/react";
 import {
  describe,
@@ -51,7 +59,7 @@ describe("useWebSocket", () => {
    expect(result.current.socket).toBeTruthy();
  });

-  it("should handle incoming messages correctly", async () => {
+  it.skip("should handle incoming messages correctly", async () => {
    const { result } = renderHook(() => useWebSocket("ws://acme.com/ws"));

    // Wait for connection to be established
@@ -114,7 +122,7 @@ describe("useWebSocket", () => {
    expect(result.current.socket).toBeTruthy();
  });

-  it("should close the WebSocket connection on unmount", async () => {
+  it.skip("should close the WebSocket connection on unmount", async () => {
    const { result, unmount } = renderHook(() =>
      useWebSocket("ws://acme.com/ws"),
    );
@@ -204,7 +212,7 @@ describe("useWebSocket", () => {
    });
  });

-  it("should call onMessage handler when WebSocket receives a message", async () => {
+  it.skip("should call onMessage handler when WebSocket receives a message", async () => {
    const onMessageSpy = vi.fn();
    const options = { onMessage: onMessageSpy };

@@ -271,7 +279,7 @@ describe("useWebSocket", () => {
    expect(onErrorSpy).toHaveBeenCalled();
  });

-  it("should provide sendMessage function to send messages to WebSocket", async () => {
+  it.skip("should provide sendMessage function to send messages to WebSocket", async () => {
    const { result } = renderHook(() => useWebSocket("ws://acme.com/ws"));

    // Wait for connection to be established
@@ -1,79 +0,0 @@
-import { screen } from "@testing-library/react";
-import { describe, expect, it, vi } from "vitest";
-import i18n from "../../src/i18n";
-import { AccountSettingsContextMenu } from "../../src/components/features/context-menu/account-settings-context-menu";
-import { renderWithProviders } from "../../test-utils";
-import { MemoryRouter } from "react-router";
-
-describe("Translations", () => {
-  it("should render translated text", () => {
-    i18n.changeLanguage("en");
-    renderWithProviders(
-      <MemoryRouter>
-        <AccountSettingsContextMenu onLogout={() => {}} onClose={() => {}} />
-      </MemoryRouter>,
-    );
-    expect(
-      screen.getByTestId("account-settings-context-menu"),
-    ).toBeInTheDocument();
-  });
-
-  it("should not attempt to load unsupported language codes", async () => {
-    // Test that the configuration prevents 404 errors by not attempting to load
-    // unsupported language codes like 'en-US@posix'
-    const originalLanguage = i18n.language;
-
-    try {
-      // With nonExplicitSupportedLngs: false, i18next will not attempt to load
-      // unsupported language codes, preventing 404 errors
-
-      // Test with a language code that includes region but is not in supportedLngs
-      await i18n.changeLanguage("en-US@posix");
-
-      // Since "en-US@posix" is not in supportedLngs and nonExplicitSupportedLngs is false,
-      // i18next should fall back to the fallbackLng ("en")
-      expect(i18n.language).toBe("en");
-
-      // Test another unsupported region code
-      await i18n.changeLanguage("ja-JP");
-
-      // Even with nonExplicitSupportedLngs: false, i18next still falls back to base language
-      // if it exists in supportedLngs, but importantly, it won't make a 404 request first
-      expect(i18n.language).toBe("ja");
-
-      // Test that supported languages still work
-      await i18n.changeLanguage("ja");
-      expect(i18n.language).toBe("ja");
-
-      await i18n.changeLanguage("zh-CN");
-      expect(i18n.language).toBe("zh-CN");
-
-    } finally {
-      // Restore the original language
-      await i18n.changeLanguage(originalLanguage);
-    }
-  });
-
-  it("should have proper i18n configuration", () => {
-    // Test that the i18n instance has the expected configuration
-    expect(i18n.options.supportedLngs).toBeDefined();
-
-    // nonExplicitSupportedLngs should be false to prevent 404 errors
-    expect(i18n.options.nonExplicitSupportedLngs).toBe(false);
-
-    // fallbackLng can be a string or array, check if it includes "en"
-    const fallbackLng = i18n.options.fallbackLng;
-    if (Array.isArray(fallbackLng)) {
-      expect(fallbackLng).toContain("en");
-    } else {
-      expect(fallbackLng).toBe("en");
-    }
-
-    // Test that supported languages include both base and region-specific codes
-    const supportedLngs = i18n.options.supportedLngs as string[];
-    expect(supportedLngs).toContain("en");
-    expect(supportedLngs).toContain("zh-CN");
-    expect(supportedLngs).toContain("zh-TW");
-    expect(supportedLngs).toContain("ko-KR");
-  });
-});
@@ -10,7 +10,7 @@ import MainApp from "#/routes/root-layout";
 import i18n from "#/i18n";
 import OptionService from "#/api/option-service/option-service.api";
 import * as CaptureConsent from "#/utils/handle-capture-consent";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";
 import * as ToastHandlers from "#/utils/custom-toast-handlers";

 describe("frontend/routes/_oh", () => {
@@ -77,6 +77,7 @@ describe("frontend/routes/_oh", () => {
      FEATURE_FLAGS: {
        ENABLE_BILLING: false,
        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
        ENABLE_JIRA: false,
        ENABLE_JIRA_DC: false,
        ENABLE_LINEAR: false,
@@ -115,6 +116,7 @@ describe("frontend/routes/_oh", () => {
      FEATURE_FLAGS: {
        ENABLE_BILLING: false,
        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
        ENABLE_JIRA: false,
        ENABLE_JIRA_DC: false,
        ENABLE_LINEAR: false,
@@ -199,6 +201,7 @@ describe("frontend/routes/_oh", () => {
      FEATURE_FLAGS: {
        ENABLE_BILLING: false,
        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
        ENABLE_JIRA: false,
        ENABLE_JIRA_DC: false,
        ENABLE_LINEAR: false,
@@ -3,7 +3,7 @@ import { afterEach, describe, expect, it, vi } from "vitest";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 import userEvent from "@testing-library/user-event";
 import AppSettingsScreen from "#/routes/app-settings";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";
 import { MOCK_DEFAULT_USER_SETTINGS } from "#/mocks/handlers";
 import { AvailableLanguages } from "#/i18n";
 import * as CaptureConsent from "#/utils/handle-capture-consent";
@@ -6,7 +6,7 @@ import userEvent from "@testing-library/user-event";
 import i18next from "i18next";
 import { I18nextProvider } from "react-i18next";
 import GitSettingsScreen from "#/routes/git-settings";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";
 import OptionService from "#/api/option-service/option-service.api";
 import AuthService from "#/api/auth-service/auth-service.api";
 import { MOCK_DEFAULT_USER_SETTINGS } from "#/mocks/handlers";
@@ -21,6 +21,7 @@ const VALID_OSS_CONFIG: GetConfigResponse = {
  FEATURE_FLAGS: {
    ENABLE_BILLING: false,
    HIDE_LLM_SETTINGS: false,
+    HIDE_BILLING: false,
    ENABLE_JIRA: false,
    ENABLE_JIRA_DC: false,
    ENABLE_LINEAR: false,
@@ -34,6 +35,7 @@ const VALID_SAAS_CONFIG: GetConfigResponse = {
  FEATURE_FLAGS: {
    ENABLE_BILLING: false,
    HIDE_LLM_SETTINGS: false,
+    HIDE_BILLING: false,
    ENABLE_JIRA: false,
    ENABLE_JIRA_DC: false,
    ENABLE_LINEAR: false,
@@ -353,7 +355,9 @@ describe("Form submission", () => {

    renderGitSettingsScreen();

-    const azureDevOpsInput = await screen.findByTestId("azure-devops-token-input");
+    const azureDevOpsInput = await screen.findByTestId(
+      "azure-devops-token-input",
+    );
    const submit = await screen.findByTestId("submit-button");

    await userEvent.type(azureDevOpsInput, "test-token");
@@ -6,7 +6,7 @@ import { createRoutesStub } from "react-router";
 import { createAxiosNotFoundErrorObject } from "test-utils";
 import HomeScreen from "#/routes/home";
 import { GitRepository } from "#/types/git";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";
 import GitService from "#/api/git-service/git-service.api";
 import OptionService from "#/api/option-service/option-service.api";
 import MainApp from "#/routes/root-layout";
@@ -395,12 +395,14 @@ describe("Settings 404", () => {
  });

  it("should not open the settings modal if GET /settings fails but is SaaS mode", async () => {
-    // @ts-expect-error - we only need APP_MODE for this test
    getConfigSpy.mockResolvedValue({
      APP_MODE: "saas",
+      GITHUB_CLIENT_ID: "test",
+      POSTHOG_CLIENT_KEY: "test",
      FEATURE_FLAGS: {
        ENABLE_BILLING: false,
        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
        ENABLE_JIRA: false,
        ENABLE_JIRA_DC: false,
        ENABLE_LINEAR: false,
@@ -420,12 +422,14 @@ describe("Setup Payment modal", () => {
  const getSettingsSpy = vi.spyOn(SettingsService, "getSettings");

  it("should only render if SaaS mode and is new user", async () => {
-    // @ts-expect-error - we only need the APP_MODE for this test
    getConfigSpy.mockResolvedValue({
      APP_MODE: "saas",
+      GITHUB_CLIENT_ID: "test",
+      POSTHOG_CLIENT_KEY: "test",
      FEATURE_FLAGS: {
        ENABLE_BILLING: true,
        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
        ENABLE_JIRA: false,
        ENABLE_JIRA_DC: false,
        ENABLE_LINEAR: false,
@@ -3,13 +3,14 @@ import userEvent from "@testing-library/user-event";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import { QueryClientProvider, QueryClient } from "@tanstack/react-query";
 import LlmSettingsScreen from "#/routes/llm-settings";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";
 import {
  MOCK_DEFAULT_USER_SETTINGS,
  resetTestHandlersMockSettings,
 } from "#/mocks/handlers";
 import * as AdvancedSettingsUtlls from "#/utils/has-advanced-settings-set";
 import * as ToastHandlers from "#/utils/custom-toast-handlers";
+import OptionService from "#/api/option-service/option-service.api";

 // Mock react-router hooks
 const mockUseSearchParams = vi.fn();
@@ -71,7 +72,7 @@ describe("Content", () => {

      await waitFor(() => {
        expect(provider).toHaveValue("OpenHands");
-        expect(model).toHaveValue("claude-sonnet-4-20250514");
+        expect(model).toHaveValue("claude-opus-4-5-20251101");

        expect(apiKey).toHaveValue("");
        expect(apiKey).toHaveProperty("placeholder", "");
@@ -189,7 +190,7 @@ describe("Content", () => {
      const agent = screen.getByTestId("agent-input");
      const condensor = screen.getByTestId("enable-memory-condenser-switch");

-      expect(model).toHaveValue("openhands/claude-sonnet-4-20250514");
+      expect(model).toHaveValue("openhands/claude-opus-4-5-20251101");
      expect(baseUrl).toHaveValue("");
      expect(apiKey).toHaveValue("");
      expect(apiKey).toHaveProperty("placeholder", "");
@@ -252,9 +253,290 @@ describe("Content", () => {
        expect(securityAnalyzer).toHaveValue("SETTINGS$SECURITY_ANALYZER_NONE");
      });
    });
+
+    it("should omit invariant and custom analyzers when V1 is enabled", async () => {
+      const getSettingsSpy = vi.spyOn(SettingsService, "getSettings");
+      getSettingsSpy.mockResolvedValue({
+        ...MOCK_DEFAULT_USER_SETTINGS,
+        confirmation_mode: true,
+        security_analyzer: "llm",
+        v1_enabled: true,
+      });
+
+      const getSecurityAnalyzersSpy = vi.spyOn(
+        OptionService,
+        "getSecurityAnalyzers",
+      );
+      getSecurityAnalyzersSpy.mockResolvedValue([
+        "llm",
+        "none",
+        "invariant",
+        "custom",
+      ]);
+
+      renderLlmSettingsScreen();
+      await screen.findByTestId("llm-settings-screen");
+
+      const advancedSwitch = screen.getByTestId("advanced-settings-switch");
+      await userEvent.click(advancedSwitch);
+
+      const securityAnalyzer = await screen.findByTestId(
+        "security-analyzer-input",
+      );
+      await userEvent.click(securityAnalyzer);
+
+      // Only llm + none should be available when V1 is enabled
+      screen.getByText("SETTINGS$SECURITY_ANALYZER_LLM_DEFAULT");
+      screen.getByText("SETTINGS$SECURITY_ANALYZER_NONE");
+      expect(
+        screen.queryByText("SETTINGS$SECURITY_ANALYZER_INVARIANT"),
+      ).not.toBeInTheDocument();
+      expect(screen.queryByText("custom")).not.toBeInTheDocument();
+    });
+
+    it("should include invariant analyzer option when V1 is disabled", async () => {
+      const getSettingsSpy = vi.spyOn(SettingsService, "getSettings");
+      getSettingsSpy.mockResolvedValue({
+        ...MOCK_DEFAULT_USER_SETTINGS,
+        confirmation_mode: true,
+        security_analyzer: "llm",
+        v1_enabled: false,
+      });
+
+      const getSecurityAnalyzersSpy = vi.spyOn(
+        OptionService,
+        "getSecurityAnalyzers",
+      );
+      getSecurityAnalyzersSpy.mockResolvedValue(["llm", "none", "invariant"]);
+
+      renderLlmSettingsScreen();
+      await screen.findByTestId("llm-settings-screen");
+
+      const advancedSwitch = screen.getByTestId("advanced-settings-switch");
+      await userEvent.click(advancedSwitch);
+
+      const securityAnalyzer = await screen.findByTestId(
+        "security-analyzer-input",
+      );
+      await userEvent.click(securityAnalyzer);
+
+      expect(
+        screen.getByText("SETTINGS$SECURITY_ANALYZER_LLM_DEFAULT"),
+      ).toBeInTheDocument();
+      expect(
+        screen.getByText("SETTINGS$SECURITY_ANALYZER_NONE"),
+      ).toBeInTheDocument();
+      expect(
+        screen.getByText("SETTINGS$SECURITY_ANALYZER_INVARIANT"),
+      ).toBeInTheDocument();
+    });
  });

  it.todo("should render an indicator if the llm api key is set");
+
+  describe("API key visibility in Basic Settings", () => {
+    it("should hide API key input when SaaS mode is enabled and OpenHands provider is selected", async () => {
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      // @ts-expect-error - only return APP_MODE for these tests
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+      });
+
+      renderLlmSettingsScreen();
+      await screen.findByTestId("llm-settings-screen");
+
+      const basicForm = screen.getByTestId("llm-settings-form-basic");
+      const provider = within(basicForm).getByTestId("llm-provider-input");
+
+      // Verify OpenHands is selected by default
+      await waitFor(() => {
+        expect(provider).toHaveValue("OpenHands");
+      });
+
+      // API key input should not be visible when OpenHands provider is selected in SaaS mode
+      expect(
+        within(basicForm).queryByTestId("llm-api-key-input"),
+      ).not.toBeInTheDocument();
+      expect(
+        within(basicForm).queryByTestId("llm-api-key-help-anchor"),
+      ).not.toBeInTheDocument();
+    });
+
+    it("should show API key input when SaaS mode is enabled and non-OpenHands provider is selected", async () => {
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      // @ts-expect-error - only return APP_MODE for these tests
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+      });
+
+      renderLlmSettingsScreen();
+      await screen.findByTestId("llm-settings-screen");
+
+      const basicForm = screen.getByTestId("llm-settings-form-basic");
+      const provider = within(basicForm).getByTestId("llm-provider-input");
+
+      // Select OpenAI provider
+      await userEvent.click(provider);
+      const providerOption = screen.getByText("OpenAI");
+      await userEvent.click(providerOption);
+
+      await waitFor(() => {
+        expect(provider).toHaveValue("OpenAI");
+      });
+
+      // API key input should be visible when non-OpenHands provider is selected in SaaS mode
+      expect(
+        within(basicForm).getByTestId("llm-api-key-input"),
+      ).toBeInTheDocument();
+      expect(
+        within(basicForm).getByTestId("llm-api-key-help-anchor"),
+      ).toBeInTheDocument();
+    });
+
+    it("should show API key input when OSS mode is enabled and OpenHands provider is selected", async () => {
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      // @ts-expect-error - only return APP_MODE for these tests
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "oss",
+      });
+
+      renderLlmSettingsScreen();
+      await screen.findByTestId("llm-settings-screen");
+
+      const basicForm = screen.getByTestId("llm-settings-form-basic");
+      const provider = within(basicForm).getByTestId("llm-provider-input");
+
+      // Verify OpenHands is selected by default
+      await waitFor(() => {
+        expect(provider).toHaveValue("OpenHands");
+      });
+
+      // API key input should be visible when OSS mode is enabled (even with OpenHands provider)
+      expect(
+        within(basicForm).getByTestId("llm-api-key-input"),
+      ).toBeInTheDocument();
+      expect(
+        within(basicForm).getByTestId("llm-api-key-help-anchor"),
+      ).toBeInTheDocument();
+    });
+
+    it("should show API key input when OSS mode is enabled and non-OpenHands provider is selected", async () => {
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      // @ts-expect-error - only return APP_MODE for these tests
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "oss",
+      });
+
+      renderLlmSettingsScreen();
+      await screen.findByTestId("llm-settings-screen");
+
+      const basicForm = screen.getByTestId("llm-settings-form-basic");
+      const provider = within(basicForm).getByTestId("llm-provider-input");
+
+      // Select OpenAI provider
+      await userEvent.click(provider);
+      const providerOption = screen.getByText("OpenAI");
+      await userEvent.click(providerOption);
+
+      await waitFor(() => {
+        expect(provider).toHaveValue("OpenAI");
+      });
+
+      // API key input should be visible when OSS mode is enabled
+      expect(
+        within(basicForm).getByTestId("llm-api-key-input"),
+      ).toBeInTheDocument();
+      expect(
+        within(basicForm).getByTestId("llm-api-key-help-anchor"),
+      ).toBeInTheDocument();
+    });
+
+    it("should hide API key input when switching from non-OpenHands to OpenHands provider in SaaS mode", async () => {
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      // @ts-expect-error - only return APP_MODE for these tests
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+      });
+
+      renderLlmSettingsScreen();
+      await screen.findByTestId("llm-settings-screen");
+
+      const basicForm = screen.getByTestId("llm-settings-form-basic");
+      const provider = within(basicForm).getByTestId("llm-provider-input");
+
+      // Start with OpenAI provider
+      await userEvent.click(provider);
+      const openAIOption = screen.getByText("OpenAI");
+      await userEvent.click(openAIOption);
+
+      await waitFor(() => {
+        expect(provider).toHaveValue("OpenAI");
+      });
+
+      // API key input should be visible with OpenAI
+      expect(
+        within(basicForm).getByTestId("llm-api-key-input"),
+      ).toBeInTheDocument();
+
+      // Switch to OpenHands provider
+      await userEvent.click(provider);
+      const openHandsOption = screen.getByText("OpenHands");
+      await userEvent.click(openHandsOption);
+
+      await waitFor(() => {
+        expect(provider).toHaveValue("OpenHands");
+      });
+
+      // API key input should now be hidden
+      expect(
+        within(basicForm).queryByTestId("llm-api-key-input"),
+      ).not.toBeInTheDocument();
+      expect(
+        within(basicForm).queryByTestId("llm-api-key-help-anchor"),
+      ).not.toBeInTheDocument();
+    });
+
+    it("should show API key input when switching from OpenHands to non-OpenHands provider in SaaS mode", async () => {
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      // @ts-expect-error - only return APP_MODE for these tests
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+      });
+
+      renderLlmSettingsScreen();
+      await screen.findByTestId("llm-settings-screen");
+
+      const basicForm = screen.getByTestId("llm-settings-form-basic");
+      const provider = within(basicForm).getByTestId("llm-provider-input");
+
+      // Verify OpenHands is selected by default
+      await waitFor(() => {
+        expect(provider).toHaveValue("OpenHands");
+      });
+
+      // API key input should be hidden with OpenHands
+      expect(
+        within(basicForm).queryByTestId("llm-api-key-input"),
+      ).not.toBeInTheDocument();
+
+      // Switch to OpenAI provider
+      await userEvent.click(provider);
+      const openAIOption = screen.getByText("OpenAI");
+      await userEvent.click(openAIOption);
+
+      await waitFor(() => {
+        expect(provider).toHaveValue("OpenAI");
+      });
+
+      // API key input should now be visible
+      expect(
+        within(basicForm).getByTestId("llm-api-key-input"),
+      ).toBeInTheDocument();
+      expect(
+        within(basicForm).getByTestId("llm-api-key-help-anchor"),
+      ).toBeInTheDocument();
+    });
+  });
 });

 describe("Form submission", () => {
@@ -628,6 +910,163 @@ describe("Form submission", () => {
  });
 });

+describe("View persistence after saving advanced settings", () => {
+  it("should remain on Advanced view after saving when memory condenser is disabled", async () => {
+    // Arrange: Start with default settings (basic view)
+    const getSettingsSpy = vi.spyOn(SettingsService, "getSettings");
+    getSettingsSpy.mockResolvedValue({
+      ...MOCK_DEFAULT_USER_SETTINGS,
+    });
+    const saveSettingsSpy = vi.spyOn(SettingsService, "saveSettings");
+    saveSettingsSpy.mockResolvedValue(true);
+
+    renderLlmSettingsScreen();
+    await screen.findByTestId("llm-settings-screen");
+
+    // Verify we start in basic view
+    expect(screen.getByTestId("llm-settings-form-basic")).toBeInTheDocument();
+
+    // Act: User manually switches to Advanced view
+    const advancedSwitch = screen.getByTestId("advanced-settings-switch");
+    await userEvent.click(advancedSwitch);
+    await screen.findByTestId("llm-settings-form-advanced");
+
+    // User disables memory condenser (advanced-only setting)
+    const condenserSwitch = screen.getByTestId(
+      "enable-memory-condenser-switch",
+    );
+    expect(condenserSwitch).toBeChecked();
+    await userEvent.click(condenserSwitch);
+    expect(condenserSwitch).not.toBeChecked();
+
+    // Mock the updated settings that will be returned after save
+    getSettingsSpy.mockResolvedValue({
+      ...MOCK_DEFAULT_USER_SETTINGS,
+      enable_default_condenser: false, // Now disabled
+    });
+
+    // User saves settings
+    const submitButton = screen.getByTestId("submit-button");
+    await userEvent.click(submitButton);
+
+    // Assert: View should remain on Advanced after save
+    await waitFor(() => {
+      expect(
+        screen.getByTestId("llm-settings-form-advanced"),
+      ).toBeInTheDocument();
+      expect(
+        screen.queryByTestId("llm-settings-form-basic"),
+      ).not.toBeInTheDocument();
+      expect(advancedSwitch).toBeChecked();
+    });
+  });
+
+  it("should remain on Advanced view after saving when condenser max size is customized", async () => {
+    // Arrange: Start with default settings
+    const getSettingsSpy = vi.spyOn(SettingsService, "getSettings");
+    getSettingsSpy.mockResolvedValue({
+      ...MOCK_DEFAULT_USER_SETTINGS,
+    });
+    const saveSettingsSpy = vi.spyOn(SettingsService, "saveSettings");
+    saveSettingsSpy.mockResolvedValue(true);
+
+    renderLlmSettingsScreen();
+    await screen.findByTestId("llm-settings-screen");
+
+    // Act: User manually switches to Advanced view
+    const advancedSwitch = screen.getByTestId("advanced-settings-switch");
+    await userEvent.click(advancedSwitch);
+    await screen.findByTestId("llm-settings-form-advanced");
+
+    // User sets custom condenser max size (advanced-only setting)
+    const condenserMaxSizeInput = screen.getByTestId(
+      "condenser-max-size-input",
+    );
+    await userEvent.clear(condenserMaxSizeInput);
+    await userEvent.type(condenserMaxSizeInput, "200");
+
+    // Mock the updated settings that will be returned after save
+    getSettingsSpy.mockResolvedValue({
+      ...MOCK_DEFAULT_USER_SETTINGS,
+      condenser_max_size: 200, // Custom value
+    });
+
+    // User saves settings
+    const submitButton = screen.getByTestId("submit-button");
+    await userEvent.click(submitButton);
+
+    // Assert: View should remain on Advanced after save
+    await waitFor(() => {
+      expect(
+        screen.getByTestId("llm-settings-form-advanced"),
+      ).toBeInTheDocument();
+      expect(
+        screen.queryByTestId("llm-settings-form-basic"),
+      ).not.toBeInTheDocument();
+      expect(advancedSwitch).toBeChecked();
+    });
+  });
+
+  it("should remain on Advanced view after saving when search API key is set", async () => {
+    // Arrange: Start with default settings (non-SaaS mode to show search API key field)
+    const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+    getConfigSpy.mockResolvedValue({
+      APP_MODE: "oss",
+      GITHUB_CLIENT_ID: "fake-github-client-id",
+      POSTHOG_CLIENT_KEY: "fake-posthog-client-key",
+      FEATURE_FLAGS: {
+        ENABLE_BILLING: false,
+        HIDE_LLM_SETTINGS: false,
+        HIDE_BILLING: false,
+        ENABLE_JIRA: false,
+        ENABLE_JIRA_DC: false,
+        ENABLE_LINEAR: false,
+      },
+    });
+
+    const getSettingsSpy = vi.spyOn(SettingsService, "getSettings");
+    getSettingsSpy.mockResolvedValue({
+      ...MOCK_DEFAULT_USER_SETTINGS,
+      search_api_key: "", // Default empty value
+    });
+    const saveSettingsSpy = vi.spyOn(SettingsService, "saveSettings");
+    saveSettingsSpy.mockResolvedValue(true);
+
+    renderLlmSettingsScreen();
+    await screen.findByTestId("llm-settings-screen");
+
+    // Act: User manually switches to Advanced view
+    const advancedSwitch = screen.getByTestId("advanced-settings-switch");
+    await userEvent.click(advancedSwitch);
+    await screen.findByTestId("llm-settings-form-advanced");
+
+    // User sets search API key (advanced-only setting)
+    const searchApiKeyInput = screen.getByTestId("search-api-key-input");
+    await userEvent.type(searchApiKeyInput, "test-search-api-key");
+
+    // Mock the updated settings that will be returned after save
+    getSettingsSpy.mockResolvedValue({
+      ...MOCK_DEFAULT_USER_SETTINGS,
+      search_api_key: "test-search-api-key", // Now set
+    });
+
+    // User saves settings
+    const submitButton = screen.getByTestId("submit-button");
+    await userEvent.click(submitButton);
+
+    // Assert: View should remain on Advanced after save
+    await waitFor(() => {
+      expect(
+        screen.getByTestId("llm-settings-form-advanced"),
+      ).toBeInTheDocument();
+      expect(
+        screen.queryByTestId("llm-settings-form-basic"),
+      ).not.toBeInTheDocument();
+      expect(advancedSwitch).toBeChecked();
+    });
+  });
+});
+
 describe("Status toasts", () => {
  describe("Basic form", () => {
    it("should call displaySuccessToast when the settings are saved", async () => {
@@ -0,0 +1,862 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { render, screen, waitFor, within } from "@testing-library/react";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import userEvent from "@testing-library/user-event";
+import { createRoutesStub } from "react-router";
+import { selectOrganization } from "test-utils";
+import ManageOrg from "#/routes/manage-org";
+import { organizationService } from "#/api/organization-service/organization-service.api";
+import SettingsScreen, { clientLoader } from "#/routes/settings";
+import { resetOrgMockData } from "#/mocks/org-handlers";
+import OptionService from "#/api/option-service/option-service.api";
+import BillingService from "#/api/billing-service/billing-service.api";
+import { OrganizationMember } from "#/types/org";
+
+function ManageOrgWithPortalRoot() {
+  return (
+    <div>
+      <ManageOrg />
+      <div data-testid="portal-root" id="portal-root" />
+    </div>
+  );
+}
+
+const RouteStub = createRoutesStub([
+  {
+    Component: () => <div data-testid="home-screen" />,
+    path: "/",
+  },
+  {
+    // @ts-expect-error - type mismatch
+    loader: clientLoader,
+    Component: SettingsScreen,
+    path: "/settings",
+    HydrateFallback: () => <div>Loading...</div>,
+    children: [
+      {
+        Component: ManageOrgWithPortalRoot,
+        path: "/settings/org",
+      },
+    ],
+  },
+]);
+
+const renderManageOrg = () =>
+  render(<RouteStub initialEntries={["/settings/org"]} />, {
+    wrapper: ({ children }) => (
+      <QueryClientProvider client={new QueryClient()}>
+        {children}
+      </QueryClientProvider>
+    ),
+  });
+
+const { navigateMock } = vi.hoisted(() => ({
+  navigateMock: vi.fn(),
+}));
+
+vi.mock("react-router", async () => ({
+  ...(await vi.importActual("react-router")),
+  useNavigate: () => navigateMock,
+}));
+
+describe("Manage Org Route", () => {
+  const getMeSpy = vi.spyOn(organizationService, "getMe");
+
+  // Test data constants
+  const TEST_USERS: Record<"OWNER" | "ADMIN", OrganizationMember> = {
+    OWNER: {
+      org_id: "1",
+      user_id: "1",
+      email: "test@example.com",
+      role: "owner",
+      llm_api_key: "**********",
+      max_iterations: 20,
+      llm_model: "gpt-4",
+      llm_api_key_for_byor: null,
+      llm_base_url: "https://api.openai.com",
+      status: "active",
+    },
+    ADMIN: {
+      org_id: "1",
+      user_id: "1",
+      email: "test@example.com",
+      role: "admin",
+      llm_api_key: "**********",
+      max_iterations: 20,
+      llm_model: "gpt-4",
+      llm_api_key_for_byor: null,
+      llm_base_url: "https://api.openai.com",
+      status: "active",
+    },
+  };
+
+  // Helper function to set up user mock
+  const setupUserMock = (userData: {
+    org_id: string;
+    user_id: string;
+    email: string;
+    role: "owner" | "admin" | "user";
+    llm_api_key: string;
+    max_iterations: number;
+    llm_model: string;
+    llm_api_key_for_byor: string | null;
+    llm_base_url: string;
+    status: "active" | "invited" | "inactive";
+  }) => {
+    getMeSpy.mockResolvedValue(userData);
+  };
+
+  beforeEach(() => {
+    const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+    // @ts-expect-error - only return APP_MODE for these tests
+    getConfigSpy.mockResolvedValue({
+      APP_MODE: "saas",
+    });
+
+    // Set default mock for user (owner role has all permissions)
+    setupUserMock(TEST_USERS.OWNER);
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+    // Reset organization mock data to ensure clean state between tests
+    resetOrgMockData();
+    vi.clearAllMocks();
+  });
+
+  it("should render the available credits", async () => {
+    renderManageOrg();
+    await screen.findByTestId("manage-org-screen");
+
+    await selectOrganization({ orgIndex: 0 });
+
+    await waitFor(() => {
+      const credits = screen.getByTestId("available-credits");
+      expect(credits).toHaveTextContent("1000");
+    });
+  });
+
+  it("should render account details", async () => {
+    renderManageOrg();
+
+    await selectOrganization({ orgIndex: 0 });
+
+    await waitFor(() => {
+      const orgName = screen.getByTestId("org-name");
+      expect(orgName).toHaveTextContent("Acme Corp");
+
+      const billingInfo = screen.getByTestId("billing-info");
+      expect(billingInfo).toHaveTextContent("**** **** **** 1234");
+    });
+  });
+
+  it("should be able to add credits", async () => {
+    const createCheckoutSessionSpy = vi.spyOn(
+      BillingService,
+      "createCheckoutSession",
+    );
+
+    renderManageOrg();
+    await screen.findByTestId("manage-org-screen");
+
+    await selectOrganization({ orgIndex: 0 }); // user is owner in org 1
+
+    expect(screen.queryByTestId("add-credits-form")).not.toBeInTheDocument();
+    // Simulate adding credits
+    const addCreditsButton = screen.getByText(/add/i);
+    await userEvent.click(addCreditsButton);
+
+    const addCreditsForm = screen.getByTestId("add-credits-form");
+    expect(addCreditsForm).toBeInTheDocument();
+
+    const amountInput = within(addCreditsForm).getByTestId("amount-input");
+    const nextButton = within(addCreditsForm).getByRole("button", {
+      name: /next/i,
+    });
+
+    await userEvent.type(amountInput, "1000");
+    await userEvent.click(nextButton);
+
+    // expect redirect to payment page
+    expect(createCheckoutSessionSpy).toHaveBeenCalledWith(1000);
+
+    await waitFor(() =>
+      expect(screen.queryByTestId("add-credits-form")).not.toBeInTheDocument(),
+    );
+  });
+
+  it("should close the modal when clicking cancel", async () => {
+    const createCheckoutSessionSpy = vi.spyOn(
+      BillingService,
+      "createCheckoutSession",
+    );
+    renderManageOrg();
+    await screen.findByTestId("manage-org-screen");
+
+    await selectOrganization({ orgIndex: 0 }); // user is owner in org 1
+
+    expect(screen.queryByTestId("add-credits-form")).not.toBeInTheDocument();
+    // Simulate adding credits
+    const addCreditsButton = screen.getByText(/add/i);
+    await userEvent.click(addCreditsButton);
+
+    const addCreditsForm = screen.getByTestId("add-credits-form");
+    expect(addCreditsForm).toBeInTheDocument();
+
+    const cancelButton = within(addCreditsForm).getByRole("button", {
+      name: /cancel/i,
+    });
+
+    await userEvent.click(cancelButton);
+
+    expect(screen.queryByTestId("add-credits-form")).not.toBeInTheDocument();
+    expect(createCheckoutSessionSpy).not.toHaveBeenCalled();
+  });
+
+  describe("AddCreditsModal", () => {
+    const openAddCreditsModal = async () => {
+      const user = userEvent.setup();
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+
+      await selectOrganization({ orgIndex: 0 }); // user is owner in org 1
+
+      const addCreditsButton = screen.getByText(/add/i);
+      await user.click(addCreditsButton);
+
+      const addCreditsForm = screen.getByTestId("add-credits-form");
+      expect(addCreditsForm).toBeInTheDocument();
+
+      return { user, addCreditsForm };
+    };
+
+    describe("Button State Management", () => {
+      it("should enable submit button initially when modal opens", async () => {
+        await openAddCreditsModal();
+
+        const nextButton = screen.getByRole("button", { name: /next/i });
+        expect(nextButton).not.toBeDisabled();
+      });
+
+      it("should enable submit button when input contains invalid value", async () => {
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "-50");
+
+        expect(nextButton).not.toBeDisabled();
+      });
+
+      it("should enable submit button when input contains valid value", async () => {
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "100");
+
+        expect(nextButton).not.toBeDisabled();
+      });
+
+      it("should enable submit button after validation error is shown", async () => {
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "9");
+        await user.click(nextButton);
+
+        await waitFor(() => {
+          expect(screen.getByTestId("amount-error")).toBeInTheDocument();
+        });
+
+        expect(nextButton).not.toBeDisabled();
+      });
+    });
+
+    describe("Input Attributes & Placeholder", () => {
+      it("should have min attribute set to 10", async () => {
+        await openAddCreditsModal();
+
+        const amountInput = screen.getByTestId("amount-input");
+        expect(amountInput).toHaveAttribute("min", "10");
+      });
+
+      it("should have max attribute set to 25000", async () => {
+        await openAddCreditsModal();
+
+        const amountInput = screen.getByTestId("amount-input");
+        expect(amountInput).toHaveAttribute("max", "25000");
+      });
+
+      it("should have step attribute set to 1", async () => {
+        await openAddCreditsModal();
+
+        const amountInput = screen.getByTestId("amount-input");
+        expect(amountInput).toHaveAttribute("step", "1");
+      });
+
+      it("should display correct placeholder text", async () => {
+        await openAddCreditsModal();
+
+        const amountInput = screen.getByTestId("amount-input");
+        expect(amountInput).toHaveAttribute(
+          "placeholder",
+          "PAYMENT$SPECIFY_AMOUNT_USD",
+        );
+      });
+    });
+
+    describe("Error Message Display", () => {
+      it("should not display error message initially when modal opens", async () => {
+        await openAddCreditsModal();
+
+        const errorMessage = screen.queryByTestId("amount-error");
+        expect(errorMessage).not.toBeInTheDocument();
+      });
+
+      it("should display error message after submitting amount above maximum", async () => {
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "25001");
+        await user.click(nextButton);
+
+        await waitFor(() => {
+          const errorMessage = screen.getByTestId("amount-error");
+          expect(errorMessage).toHaveTextContent(
+            "PAYMENT$ERROR_MAXIMUM_AMOUNT",
+          );
+        });
+      });
+
+      it("should display error message after submitting decimal value", async () => {
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "50.5");
+        await user.click(nextButton);
+
+        await waitFor(() => {
+          const errorMessage = screen.getByTestId("amount-error");
+          expect(errorMessage).toHaveTextContent(
+            "PAYMENT$ERROR_MUST_BE_WHOLE_NUMBER",
+          );
+        });
+      });
+
+      it("should replace error message when submitting different invalid value", async () => {
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "9");
+        await user.click(nextButton);
+
+        await waitFor(() => {
+          const errorMessage = screen.getByTestId("amount-error");
+          expect(errorMessage).toHaveTextContent(
+            "PAYMENT$ERROR_MINIMUM_AMOUNT",
+          );
+        });
+
+        await user.clear(amountInput);
+        await user.type(amountInput, "25001");
+        await user.click(nextButton);
+
+        await waitFor(() => {
+          const errorMessage = screen.getByTestId("amount-error");
+          expect(errorMessage).toHaveTextContent(
+            "PAYMENT$ERROR_MAXIMUM_AMOUNT",
+          );
+        });
+      });
+    });
+
+    describe("Form Submission Behavior", () => {
+      it("should prevent submission when amount is invalid", async () => {
+        const createCheckoutSessionSpy = vi.spyOn(
+          BillingService,
+          "createCheckoutSession",
+        );
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "9");
+        await user.click(nextButton);
+
+        expect(createCheckoutSessionSpy).not.toHaveBeenCalled();
+        await waitFor(() => {
+          const errorMessage = screen.getByTestId("amount-error");
+          expect(errorMessage).toHaveTextContent(
+            "PAYMENT$ERROR_MINIMUM_AMOUNT",
+          );
+        });
+      });
+
+      it("should call createCheckoutSession with correct amount when valid", async () => {
+        const createCheckoutSessionSpy = vi.spyOn(
+          BillingService,
+          "createCheckoutSession",
+        );
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "1000");
+        await user.click(nextButton);
+
+        expect(createCheckoutSessionSpy).toHaveBeenCalledWith(1000);
+        const errorMessage = screen.queryByTestId("amount-error");
+        expect(errorMessage).not.toBeInTheDocument();
+      });
+
+      it("should not call createCheckoutSession when validation fails", async () => {
+        const createCheckoutSessionSpy = vi.spyOn(
+          BillingService,
+          "createCheckoutSession",
+        );
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "-50");
+        await user.click(nextButton);
+
+        // Verify mutation was not called
+        expect(createCheckoutSessionSpy).not.toHaveBeenCalled();
+        await waitFor(() => {
+          const errorMessage = screen.getByTestId("amount-error");
+          expect(errorMessage).toHaveTextContent(
+            "PAYMENT$ERROR_NEGATIVE_AMOUNT",
+          );
+        });
+      });
+
+      it("should close modal on successful submission", async () => {
+        const createCheckoutSessionSpy = vi
+          .spyOn(BillingService, "createCheckoutSession")
+          .mockResolvedValue("https://checkout.stripe.com/test-session");
+
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "1000");
+        await user.click(nextButton);
+
+        expect(createCheckoutSessionSpy).toHaveBeenCalledWith(1000);
+
+        await waitFor(() => {
+          expect(
+            screen.queryByTestId("add-credits-form"),
+          ).not.toBeInTheDocument();
+        });
+      });
+
+      it("should allow API call when validation passes and clear any previous errors", async () => {
+        const createCheckoutSessionSpy = vi.spyOn(
+          BillingService,
+          "createCheckoutSession",
+        );
+
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        // First submit invalid value
+        await user.type(amountInput, "9");
+        await user.click(nextButton);
+
+        await waitFor(() => {
+          expect(screen.getByTestId("amount-error")).toBeInTheDocument();
+        });
+
+        // Then submit valid value
+        await user.clear(amountInput);
+        await user.type(amountInput, "100");
+        await user.click(nextButton);
+
+        expect(createCheckoutSessionSpy).toHaveBeenCalledWith(100);
+        const errorMessage = screen.queryByTestId("amount-error");
+        expect(errorMessage).not.toBeInTheDocument();
+      });
+    });
+
+    describe("Edge Cases", () => {
+      it("should handle zero value correctly", async () => {
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        await user.type(amountInput, "0");
+        await user.click(nextButton);
+
+        await waitFor(() => {
+          const errorMessage = screen.getByTestId("amount-error");
+          expect(errorMessage).toHaveTextContent(
+            "PAYMENT$ERROR_MINIMUM_AMOUNT",
+          );
+        });
+      });
+
+      it("should handle whitespace-only input correctly", async () => {
+        const createCheckoutSessionSpy = vi.spyOn(
+          BillingService,
+          "createCheckoutSession",
+        );
+        const { user } = await openAddCreditsModal();
+        const amountInput = screen.getByTestId("amount-input");
+        const nextButton = screen.getByRole("button", { name: /next/i });
+
+        // Number inputs typically don't accept spaces, but test the behavior
+        await user.type(amountInput, "   ");
+        await user.click(nextButton);
+
+        // Should not call API (empty/invalid input)
+        expect(createCheckoutSessionSpy).not.toHaveBeenCalled();
+      });
+    });
+  });
+
+  it("should show add credits option for ADMIN role", async () => {
+    renderManageOrg();
+    await screen.findByTestId("manage-org-screen");
+
+    await selectOrganization({ orgIndex: 2 }); // user is admin in org 3
+
+    // Verify credits are shown
+    await waitFor(() => {
+      const credits = screen.getByTestId("available-credits");
+      expect(credits).toBeInTheDocument();
+    });
+
+    // Verify add credits button is present (admins can add credits)
+    const addButton = screen.getByText(/add/i);
+    expect(addButton).toBeInTheDocument();
+  });
+
+  describe("actions", () => {
+    it("should be able to update the organization name", async () => {
+      const updateOrgNameSpy = vi.spyOn(
+        organizationService,
+        "updateOrganization",
+      );
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+
+      // @ts-expect-error - only return the properties we need for this test
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas", // required to enable getMe
+      });
+
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+
+      await selectOrganization({ orgIndex: 0 });
+
+      const orgName = screen.getByTestId("org-name");
+      await waitFor(() => expect(orgName).toHaveTextContent("Acme Corp"));
+
+      expect(
+        screen.queryByTestId("update-org-name-form"),
+      ).not.toBeInTheDocument();
+
+      const changeOrgNameButton = within(orgName).getByRole("button", {
+        name: /change/i,
+      });
+      await userEvent.click(changeOrgNameButton);
+
+      const orgNameForm = screen.getByTestId("update-org-name-form");
+      const orgNameInput = within(orgNameForm).getByRole("textbox");
+      const saveButton = within(orgNameForm).getByRole("button", {
+        name: /save/i,
+      });
+
+      await userEvent.type(orgNameInput, "New Org Name");
+      await userEvent.click(saveButton);
+
+      expect(updateOrgNameSpy).toHaveBeenCalledWith({
+        orgId: "1",
+        name: "New Org Name",
+      });
+
+      await waitFor(() => {
+        expect(
+          screen.queryByTestId("update-org-name-form"),
+        ).not.toBeInTheDocument();
+        expect(orgName).toHaveTextContent("New Org Name");
+      });
+    });
+
+    it("should NOT allow roles other than owners to change org name", async () => {
+      // Set admin role before rendering
+      setupUserMock(TEST_USERS.ADMIN);
+
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+
+      await selectOrganization({ orgIndex: 2 }); // user is admin in org 3
+
+      const orgName = screen.getByTestId("org-name");
+      const changeOrgNameButton = within(orgName).queryByRole("button", {
+        name: /change/i,
+      });
+      expect(changeOrgNameButton).not.toBeInTheDocument();
+    });
+
+    it("should NOT allow roles other than owners to delete an organization", async () => {
+      setupUserMock(TEST_USERS.ADMIN);
+
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      // @ts-expect-error - only return the properties we need for this test
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas", // required to enable getMe
+      });
+
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+
+      await selectOrganization({ orgIndex: 2 }); // user is admin in org 3
+
+      const deleteOrgButton = screen.queryByRole("button", {
+        name: /ORG\$DELETE_ORGANIZATION/i,
+      });
+      expect(deleteOrgButton).not.toBeInTheDocument();
+    });
+
+    it("should be able to delete an organization", async () => {
+      const deleteOrgSpy = vi.spyOn(organizationService, "deleteOrganization");
+
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+
+      await selectOrganization({ orgIndex: 0 });
+
+      expect(
+        screen.queryByTestId("delete-org-confirmation"),
+      ).not.toBeInTheDocument();
+
+      const deleteOrgButton = screen.getByRole("button", {
+        name: /ORG\$DELETE_ORGANIZATION/i,
+      });
+      await userEvent.click(deleteOrgButton);
+
+      const deleteConfirmation = screen.getByTestId("delete-org-confirmation");
+      const confirmButton = within(deleteConfirmation).getByRole("button", {
+        name: /BUTTON\$CONFIRM/i,
+      });
+
+      await userEvent.click(confirmButton);
+
+      expect(deleteOrgSpy).toHaveBeenCalledWith({ orgId: "1" });
+      expect(
+        screen.queryByTestId("delete-org-confirmation"),
+      ).not.toBeInTheDocument();
+
+      // expect to have navigated to home screen
+      await screen.findByTestId("home-screen");
+    });
+
+    it.todo("should be able to update the organization billing info");
+  });
+
+  describe("Role-based delete organization permission behavior", () => {
+    it("should show delete organization button when user has canDeleteOrganization permission (Owner role)", async () => {
+      setupUserMock(TEST_USERS.OWNER);
+
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+
+      await selectOrganization({ orgIndex: 0 });
+
+      const deleteButton = await screen.findByRole("button", {
+        name: /ORG\$DELETE_ORGANIZATION/i,
+      });
+
+      expect(deleteButton).toBeInTheDocument();
+      expect(deleteButton).not.toBeDisabled();
+    });
+
+    it.each<{ role: "admin" | "user"; roleName: string }>([
+      { role: "admin", roleName: "Admin" },
+      { role: "user", roleName: "User" },
+    ])(
+      "should not show delete organization button when user lacks canDeleteOrganization permission ($roleName role)",
+      async ({ role }) => {
+        setupUserMock({
+          org_id: "1",
+          user_id: "1",
+          email: "test@example.com",
+          role,
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "active",
+        });
+
+        renderManageOrg();
+        await screen.findByTestId("manage-org-screen");
+
+        await selectOrganization({ orgIndex: 0 });
+
+        const deleteButton = screen.queryByRole("button", {
+          name: /ORG\$DELETE_ORGANIZATION/i,
+        });
+
+        expect(deleteButton).not.toBeInTheDocument();
+      },
+    );
+
+    it("should open delete confirmation modal when delete button is clicked (with permission)", async () => {
+      setupUserMock(TEST_USERS.OWNER);
+
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+
+      await selectOrganization({ orgIndex: 0 });
+
+      expect(
+        screen.queryByTestId("delete-org-confirmation"),
+      ).not.toBeInTheDocument();
+
+      const deleteButton = await screen.findByRole("button", {
+        name: /ORG\$DELETE_ORGANIZATION/i,
+      });
+      await userEvent.click(deleteButton);
+
+      expect(screen.getByTestId("delete-org-confirmation")).toBeInTheDocument();
+    });
+  });
+
+  describe("HIDE_BILLING feature flag", () => {
+    it("should hide credits section when HIDE_BILLING is true", async () => {
+      // Arrange
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+        GITHUB_CLIENT_ID: "test",
+        POSTHOG_CLIENT_KEY: "test",
+        FEATURE_FLAGS: {
+          ENABLE_BILLING: false,
+          HIDE_LLM_SETTINGS: false,
+          HIDE_BILLING: true,
+          ENABLE_JIRA: false,
+          ENABLE_JIRA_DC: false,
+          ENABLE_LINEAR: false,
+        },
+      });
+
+      // Act
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+      await selectOrganization({ orgIndex: 0 });
+
+      // Assert
+      await waitFor(() => {
+        expect(
+          screen.queryByTestId("available-credits"),
+        ).not.toBeInTheDocument();
+      });
+
+      getConfigSpy.mockRestore();
+    });
+
+    it("should hide billing information section when HIDE_BILLING is true", async () => {
+      // Arrange
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+        GITHUB_CLIENT_ID: "test",
+        POSTHOG_CLIENT_KEY: "test",
+        FEATURE_FLAGS: {
+          ENABLE_BILLING: false,
+          HIDE_LLM_SETTINGS: false,
+          HIDE_BILLING: true,
+          ENABLE_JIRA: false,
+          ENABLE_JIRA_DC: false,
+          ENABLE_LINEAR: false,
+        },
+      });
+
+      // Act
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+      await selectOrganization({ orgIndex: 0 });
+
+      // Assert
+      await waitFor(() => {
+        expect(screen.queryByTestId("billing-info")).not.toBeInTheDocument();
+      });
+
+      getConfigSpy.mockRestore();
+    });
+
+    it("should hide Add Credits button when HIDE_BILLING is true", async () => {
+      // Arrange
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+        GITHUB_CLIENT_ID: "test",
+        POSTHOG_CLIENT_KEY: "test",
+        FEATURE_FLAGS: {
+          ENABLE_BILLING: false,
+          HIDE_LLM_SETTINGS: false,
+          HIDE_BILLING: true,
+          ENABLE_JIRA: false,
+          ENABLE_JIRA_DC: false,
+          ENABLE_LINEAR: false,
+        },
+      });
+
+      // Act
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+      await selectOrganization({ orgIndex: 0 });
+
+      // Assert
+      await waitFor(() => {
+        const addButton = screen.queryByText(/add/i);
+        expect(addButton).not.toBeInTheDocument();
+      });
+
+      getConfigSpy.mockRestore();
+    });
+
+    it("should show all billing-related elements when HIDE_BILLING is false", async () => {
+      // Arrange
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+        GITHUB_CLIENT_ID: "test",
+        POSTHOG_CLIENT_KEY: "test",
+        FEATURE_FLAGS: {
+          ENABLE_BILLING: false,
+          HIDE_LLM_SETTINGS: false,
+          HIDE_BILLING: false,
+          ENABLE_JIRA: false,
+          ENABLE_JIRA_DC: false,
+          ENABLE_LINEAR: false,
+        },
+      });
+
+      // Act
+      renderManageOrg();
+      await screen.findByTestId("manage-org-screen");
+      await selectOrganization({ orgIndex: 0 });
+
+      // Assert
+      await waitFor(() => {
+        expect(screen.getByTestId("available-credits")).toBeInTheDocument();
+        expect(screen.getByTestId("billing-info")).toBeInTheDocument();
+        expect(screen.getByText(/add/i)).toBeInTheDocument();
+      });
+
+      getConfigSpy.mockRestore();
+    });
+  });
+});
@@ -0,0 +1,824 @@
+import { describe, expect, it, vi, test, beforeEach, afterEach } from "vitest";
+import { render, screen, within, waitFor } from "@testing-library/react";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import userEvent from "@testing-library/user-event";
+import { createRoutesStub } from "react-router";
+import { selectOrganization } from "test-utils";
+import { organizationService } from "#/api/organization-service/organization-service.api";
+import ManageOrganizationMembers from "#/routes/manage-organization-members";
+import SettingsScreen, {
+  clientLoader as settingsClientLoader,
+} from "#/routes/settings";
+import {
+  ORGS_AND_MEMBERS,
+  resetOrgMockData,
+  resetOrgsAndMembersMockData,
+} from "#/mocks/org-handlers";
+import OptionService from "#/api/option-service/option-service.api";
+
+function ManageOrganizationMembersWithPortalRoot() {
+  return (
+    <div>
+      <ManageOrganizationMembers />
+      <div data-testid="portal-root" id="portal-root" />
+    </div>
+  );
+}
+
+const RouteStub = createRoutesStub([
+  {
+    // @ts-expect-error - ignoreing error for test stub
+    loader: settingsClientLoader,
+    Component: SettingsScreen,
+    path: "/settings",
+    HydrateFallback: () => <div>Loading...</div>,
+    children: [
+      {
+        Component: ManageOrganizationMembersWithPortalRoot,
+        path: "/settings/org-members",
+      },
+      {
+        Component: () => <div data-testid="user-settings" />,
+        path: "/settings/user",
+      },
+    ],
+  },
+]);
+
+let queryClient: QueryClient;
+
+describe("Manage Organization Members Route", () => {
+  const getMeSpy = vi.spyOn(organizationService, "getMe");
+
+  beforeEach(() => {
+    const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+    // @ts-expect-error - only return APP_MODE for these tests
+    getConfigSpy.mockResolvedValue({
+      APP_MODE: "saas",
+    });
+
+    queryClient = new QueryClient();
+
+    // Set default mock for user (admin role has invite permission)
+    getMeSpy.mockResolvedValue({
+      org_id: "1",
+      user_id: "1",
+      email: "test@example.com",
+      role: "admin",
+      llm_api_key: "**********",
+      max_iterations: 20,
+      llm_model: "gpt-4",
+      llm_api_key_for_byor: null,
+      llm_base_url: "https://api.openai.com",
+      status: "active",
+    });
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    // Reset organization mock data to ensure clean state between tests
+    resetOrgMockData();
+    // Reset ORGS_AND_MEMBERS to initial state
+    resetOrgsAndMembersMockData();
+    // Clear queryClient cache to ensure fresh data for next test
+    queryClient.clear();
+  });
+
+  const renderManageOrganizationMembers = () =>
+    render(<RouteStub initialEntries={["/settings/org-members"]} />, {
+      wrapper: ({ children }) => (
+        <QueryClientProvider client={queryClient}>
+          {children}
+        </QueryClientProvider>
+      ),
+    });
+
+  // Helper function to find a member by email
+  const findMemberByEmail = async (email: string) => {
+    const memberListItems = await screen.findAllByTestId("member-item");
+    const member = memberListItems.find((item) =>
+      within(item).queryByText(email),
+    );
+    if (!member) {
+      throw new Error(`Could not find member with email: ${email}`);
+    }
+    return member;
+  };
+
+  // Helper function to open role dropdown for a member
+  const openRoleDropdown = async (
+    memberElement: HTMLElement,
+    roleText: string,
+  ) => {
+    // Find the role text that's clickable (has cursor-pointer class or is the main role display)
+    // Use a more specific query to avoid matching dropdown options
+    const roleElement = within(memberElement).getByText(
+      new RegExp(`^${roleText}$`, "i"),
+    );
+    await userEvent.click(roleElement);
+    return within(memberElement).getByTestId(
+      "organization-member-role-context-menu",
+    );
+  };
+
+  // Helper function to change member role
+  const changeMemberRole = async (
+    memberElement: HTMLElement,
+    currentRole: string,
+    newRole: string,
+  ) => {
+    const dropdown = await openRoleDropdown(memberElement, currentRole);
+    const roleOption = within(dropdown).getByText(new RegExp(newRole, "i"));
+    await userEvent.click(roleOption);
+  };
+
+  // Helper function to verify dropdown is not visible
+  const expectDropdownNotVisible = (memberElement: HTMLElement) => {
+    expect(
+      within(memberElement).queryByTestId(
+        "organization-member-role-context-menu",
+      ),
+    ).not.toBeInTheDocument();
+  };
+
+  // Helper function to setup test with user and organization
+  const setupTestWithUserAndOrg = async (
+    userData: {
+      org_id: string;
+      user_id: string;
+      email: string;
+      role: "owner" | "admin" | "user";
+      llm_api_key: string;
+      max_iterations: number;
+      llm_model: string;
+      llm_api_key_for_byor: string | null;
+      llm_base_url: string;
+      status: "active" | "invited" | "inactive";
+    },
+    orgIndex: number,
+  ) => {
+    getMeSpy.mockResolvedValue(userData);
+    renderManageOrganizationMembers();
+    await screen.findByTestId("manage-organization-members-settings");
+    await selectOrganization({ orgIndex });
+  };
+
+  // Helper function to create updateMember spy
+  const createUpdateMemberRoleSpy = () =>
+    vi.spyOn(organizationService, "updateMember");
+
+  // Helper function to verify role change is not permitted
+  const verifyRoleChangeNotPermitted = async (
+    userData: {
+      org_id: string;
+      user_id: string;
+      email: string;
+      role: "owner" | "admin" | "user";
+      llm_api_key: string;
+      max_iterations: number;
+      llm_model: string;
+      llm_api_key_for_byor: string | null;
+      llm_base_url: string;
+      status: "active" | "invited" | "inactive";
+    },
+    orgIndex: number,
+    targetMemberIndex: number,
+    expectedRoleText: string,
+  ) => {
+    await setupTestWithUserAndOrg(userData, orgIndex);
+
+    const memberListItems = await screen.findAllByTestId("member-item");
+    const targetMember = memberListItems[targetMemberIndex];
+    const roleText = within(targetMember).getByText(
+      new RegExp(`^${expectedRoleText}$`, "i"),
+    );
+    expect(roleText).toBeInTheDocument();
+    await userEvent.click(roleText);
+
+    // Verify that the dropdown does not open
+    expectDropdownNotVisible(targetMember);
+  };
+
+  // Helper function to setup invite test (render and select organization)
+  const setupInviteTest = async (orgIndex: number = 0) => {
+    renderManageOrganizationMembers();
+    await selectOrganization({ orgIndex });
+  };
+
+  // Helper function to setup test with organization (waits for settings screen)
+  const setupTestWithOrg = async (orgIndex: number = 0) => {
+    renderManageOrganizationMembers();
+    await screen.findByTestId("manage-organization-members-settings");
+    await selectOrganization({ orgIndex });
+  };
+
+  // Helper function to find invite button
+  const findInviteButton = async () =>
+    await screen.findByRole("button", {
+      name: /ORG\$INVITE_ORGANIZATION_MEMBER/i,
+    });
+
+  // Helper function to verify all three role options are present in dropdown
+  const expectAllRoleOptionsPresent = (dropdown: HTMLElement) => {
+    expect(within(dropdown).getByText(/owner/i)).toBeInTheDocument();
+    expect(within(dropdown).getByText(/admin/i)).toBeInTheDocument();
+    expect(within(dropdown).getByText(/user/i)).toBeInTheDocument();
+  };
+
+  // Helper function to close dropdown by clicking outside
+  const closeDropdown = async () => {
+    await userEvent.click(document.body);
+  };
+
+  // Helper function to verify owner option is not present in dropdown
+  const expectOwnerOptionNotPresent = (dropdown: HTMLElement) => {
+    expect(within(dropdown).queryByText(/owner/i)).not.toBeInTheDocument();
+  };
+
+  it("should render", async () => {
+    renderManageOrganizationMembers();
+    await screen.findByTestId("manage-organization-members-settings");
+  });
+
+  it("should navigate away from the page if not saas", async () => {
+    const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+    // @ts-expect-error - only return APP_MODE for these tests
+    getConfigSpy.mockResolvedValue({
+      APP_MODE: "oss",
+    });
+
+    renderManageOrganizationMembers();
+    expect(
+      screen.queryByTestId("manage-organization-members-settings"),
+    ).not.toBeInTheDocument();
+  });
+
+  it("should allow the user to select an organization", async () => {
+    const getOrganizationMembersSpy = vi.spyOn(
+      organizationService,
+      "getOrganizationMembers",
+    );
+
+    renderManageOrganizationMembers();
+    await screen.findByTestId("manage-organization-members-settings");
+
+    expect(getOrganizationMembersSpy).not.toHaveBeenCalled();
+
+    await selectOrganization({ orgIndex: 0 });
+    expect(getOrganizationMembersSpy).toHaveBeenCalledExactlyOnceWith({
+      orgId: "1",
+    });
+  });
+
+  it("should render the list of organization members", async () => {
+    await setupTestWithOrg(0);
+    const members = ORGS_AND_MEMBERS["1"];
+
+    const memberListItems = await screen.findAllByTestId("member-item");
+    expect(memberListItems).toHaveLength(members.length);
+
+    members.forEach((member) => {
+      expect(screen.getByText(member.email)).toBeInTheDocument();
+      expect(screen.getByText(member.role)).toBeInTheDocument();
+    });
+  });
+
+  test("an admin should be able to change the role of a organization member", async () => {
+    await setupTestWithUserAndOrg(
+      {
+        org_id: "1",
+        user_id: "1",
+        email: "test@example.com",
+        role: "admin",
+        llm_api_key: "**********",
+        max_iterations: 20,
+        llm_model: "gpt-4",
+        llm_api_key_for_byor: null,
+        llm_base_url: "https://api.openai.com",
+        status: "active",
+      },
+      0,
+    );
+
+    const updateMemberRoleSpy = createUpdateMemberRoleSpy();
+
+    const memberListItems = await screen.findAllByTestId("member-item");
+    const userRoleMember = memberListItems[2]; // third member is "user"
+
+    let userCombobox = within(userRoleMember).getByText(/^User$/i);
+    expect(userCombobox).toBeInTheDocument();
+
+    // Change role from user to admin
+    await changeMemberRole(userRoleMember, "user", "admin");
+
+    expect(updateMemberRoleSpy).toHaveBeenCalledExactlyOnceWith({
+      userId: "3", // assuming the third member is the one being updated
+      orgId: "1",
+      role: "admin",
+    });
+    expectDropdownNotVisible(userRoleMember);
+
+    // Verify the role has been updated in the UI
+    userCombobox = within(userRoleMember).getByText(/^Admin$/i);
+    expect(userCombobox).toBeInTheDocument();
+
+    // Revert the role back to user
+    await changeMemberRole(userRoleMember, "admin", "user");
+
+    expect(updateMemberRoleSpy).toHaveBeenNthCalledWith(2, {
+      userId: "3",
+      orgId: "1",
+      role: "user",
+    });
+
+    // Verify the role has been reverted in the UI
+    userCombobox = within(userRoleMember).getByText(/^User$/i);
+    expect(userCombobox).toBeInTheDocument();
+  });
+
+  it("should not allow an admin to change the owner's role", async () => {
+    await verifyRoleChangeNotPermitted(
+      {
+        org_id: "3",
+        user_id: "1",
+        email: "test@example.com",
+        role: "admin",
+        llm_api_key: "**********",
+        max_iterations: 20,
+        llm_model: "gpt-4",
+        llm_api_key_for_byor: null,
+        llm_base_url: "https://api.openai.com",
+        status: "active",
+      },
+      2, // user is admin in org 3
+      0, // first member is "owner"
+      "Owner",
+    );
+  });
+
+  it("should not allow an admin to change another admin's role", async () => {
+    await verifyRoleChangeNotPermitted(
+      {
+        org_id: "3",
+        user_id: "1",
+        email: "test@example.com",
+        role: "admin",
+        llm_api_key: "**********",
+        max_iterations: 20,
+        llm_model: "gpt-4",
+        llm_api_key_for_byor: null,
+        llm_base_url: "https://api.openai.com",
+        status: "active",
+      },
+      2, // user is admin in org 3
+      1, // second member is "admin"
+      "Admin",
+    );
+  });
+
+  it("should not allow a user to change their own role", async () => {
+    // Mock the /me endpoint to return a user ID that matches one of the members
+    await verifyRoleChangeNotPermitted(
+      {
+        org_id: "1",
+        user_id: "1", // Same as first member from org 1
+        email: "alice@acme.org",
+        role: "owner",
+        llm_api_key: "**********",
+        max_iterations: 20,
+        llm_model: "gpt-4",
+        llm_api_key_for_byor: null,
+        llm_base_url: "https://api.openai.com",
+        status: "active",
+      },
+      0,
+      0, // First member (user_id: "1")
+      "Owner",
+    );
+  });
+
+  it("should show a remove option in the role dropdown and remove the user from the list", async () => {
+    const removeMemberSpy = vi.spyOn(organizationService, "removeMember");
+
+    await setupTestWithOrg(0);
+
+    // Get initial member count
+    const memberListItems = await screen.findAllByTestId("member-item");
+    const initialMemberCount = memberListItems.length;
+
+    const userRoleMember = memberListItems[2]; // third member is "user"
+    const userEmail = within(userRoleMember).getByText("charlie@acme.org");
+    expect(userEmail).toBeInTheDocument();
+
+    const userCombobox = within(userRoleMember).getByText(/^User$/i);
+    await userEvent.click(userCombobox);
+
+    const dropdown = within(userRoleMember).getByTestId(
+      "organization-member-role-context-menu",
+    );
+
+    // Check that remove option exists
+    const removeOption = within(dropdown).getByTestId("remove-option");
+    expect(removeOption).toBeInTheDocument();
+
+    await userEvent.click(removeOption);
+
+    expect(removeMemberSpy).toHaveBeenCalledExactlyOnceWith({
+      orgId: "1",
+      userId: "3",
+    });
+
+    // Verify the user is no longer in the list
+    await waitFor(() => {
+      const updatedMemberListItems = screen.getAllByTestId("member-item");
+      expect(updatedMemberListItems).toHaveLength(initialMemberCount - 1);
+    });
+
+    // Verify the specific user email is no longer present
+    expect(screen.queryByText("charlie@acme.org")).not.toBeInTheDocument();
+  });
+
+  it.todo(
+    "should not allow a user to change another user's role if they are the same role",
+  );
+
+  describe("Inviting Organization Members", () => {
+    it("should render an invite organization member button", async () => {
+      await setupInviteTest();
+
+      const inviteButton = await findInviteButton();
+      expect(inviteButton).toBeInTheDocument();
+    });
+
+    it("should render a modal when the invite button is clicked", async () => {
+      await setupInviteTest();
+
+      expect(screen.queryByTestId("invite-modal")).not.toBeInTheDocument();
+      const inviteButton = await findInviteButton();
+      await userEvent.click(inviteButton);
+
+      const portalRoot = screen.getByTestId("portal-root");
+      expect(
+        within(portalRoot).getByTestId("invite-modal"),
+      ).toBeInTheDocument();
+    });
+
+    it("should close the modal when the close button is clicked", async () => {
+      await setupInviteTest();
+
+      const inviteButton = await findInviteButton();
+      await userEvent.click(inviteButton);
+
+      const modal = screen.getByTestId("invite-modal");
+      const closeButton = within(modal).getByText("BUTTON$CANCEL");
+      await userEvent.click(closeButton);
+
+      expect(screen.queryByTestId("invite-modal")).not.toBeInTheDocument();
+    });
+
+    it("should render a list item in an invited state when a the user is is invited", async () => {
+      const getOrganizationMembersSpy = vi.spyOn(
+        organizationService,
+        "getOrganizationMembers",
+      );
+
+      getOrganizationMembersSpy.mockResolvedValue([
+        {
+          org_id: "1",
+          user_id: "4",
+          email: "tom@acme.org",
+          role: "user",
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "invited",
+        },
+      ]);
+
+      await setupInviteTest();
+
+      const members = await screen.findAllByTestId("member-item");
+      expect(members).toHaveLength(1);
+
+      const invitedMember = members[0];
+      expect(invitedMember).toBeInTheDocument();
+
+      // should have an "invited" badge
+      const invitedBadge = within(invitedMember).getByText(/invited/i);
+      expect(invitedBadge).toBeInTheDocument();
+
+      // should not have a role combobox
+      await userEvent.click(within(invitedMember).getByText(/^User$/i));
+      expect(
+        within(invitedMember).queryByTestId(
+          "organization-member-role-context-menu",
+        ),
+      ).not.toBeInTheDocument();
+    });
+  });
+
+  describe("Role-based invite permission behavior", () => {
+    it.each([
+      { role: "owner" as const, roleName: "Owner" },
+      { role: "admin" as const, roleName: "Admin" },
+    ])(
+      "should show invite button when user has canInviteUsers permission ($roleName role)",
+      async ({ role }) => {
+        getMeSpy.mockResolvedValue({
+          org_id: "1",
+          user_id: "1",
+          email: "test@example.com",
+          role,
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "active",
+        });
+
+        await setupTestWithOrg(0);
+
+        const inviteButton = await findInviteButton();
+
+        expect(inviteButton).toBeInTheDocument();
+        expect(inviteButton).not.toBeDisabled();
+      },
+    );
+
+    it("should not show invite button when user lacks canInviteUsers permission (User role)", async () => {
+      const userData = {
+        org_id: "1",
+        user_id: "1",
+        email: "test@example.com",
+        role: "user" as const,
+        llm_api_key: "**********",
+        max_iterations: 20,
+        llm_model: "gpt-4",
+        llm_api_key_for_byor: null,
+        llm_base_url: "https://api.openai.com",
+        status: "active" as const,
+      };
+
+      // Set mock and remove cached query before rendering
+      getMeSpy.mockResolvedValue(userData);
+      // Remove any cached "me" queries so fresh data is fetched
+      queryClient.removeQueries({ queryKey: ["organizations"] });
+
+      await setupTestWithOrg(0);
+
+      // Directly set the query data to force component re-render with user role
+      // This ensures the component uses the user role data instead of cached admin data
+      queryClient.setQueryData(["organizations", "1", "me"], userData);
+
+      // Wait for the component to update with the new query data
+      await waitFor(
+        () => {
+          const inviteButton = screen.queryByRole("button", {
+            name: /ORG\$INVITE_ORGANIZATION_MEMBER/i,
+          });
+          expect(inviteButton).not.toBeInTheDocument();
+        },
+        { timeout: 3000 },
+      );
+    });
+  });
+
+  describe("Role-based role change permission behavior", () => {
+    it("should not allow an owner to change another owner's role", async () => {
+      await verifyRoleChangeNotPermitted(
+        {
+          org_id: "1",
+          user_id: "1", // First member is owner in org 1
+          email: "alice@acme.org",
+          role: "owner",
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "active",
+        },
+        0,
+        0, // First member is owner
+        "owner",
+      );
+    });
+
+    it("Owner should see all three role options (owner, admin, user) in dropdown regardless of target member's role", async () => {
+      await setupTestWithUserAndOrg(
+        {
+          org_id: "1",
+          user_id: "1", // First member is owner in org 1
+          email: "alice@acme.org",
+          role: "owner",
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "active",
+        },
+        0,
+      );
+
+      const memberListItems = await screen.findAllByTestId("member-item");
+
+      // Test with admin member
+      const adminMember = memberListItems[1]; // Second member is admin (user_id: "2")
+      const adminDropdown = await openRoleDropdown(adminMember, "admin");
+
+      // Verify all three role options are present for admin member
+      expectAllRoleOptionsPresent(adminDropdown);
+
+      // Close dropdown by clicking outside
+      await closeDropdown();
+
+      // Test with user member
+      const userMember = await findMemberByEmail("charlie@acme.org");
+      const userDropdown = await openRoleDropdown(userMember, "user");
+
+      // Verify all three role options are present for user member
+      expectAllRoleOptionsPresent(userDropdown);
+    });
+
+    it("Admin should not see owner option in role dropdown for any member", async () => {
+      await setupTestWithUserAndOrg(
+        {
+          org_id: "3",
+          user_id: "7", // Ray is admin in org 3
+          email: "ray@all-hands.dev",
+          role: "admin",
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "active",
+        },
+        2, // org 3
+      );
+
+      const memberListItems = await screen.findAllByTestId("member-item");
+
+      // Check user member dropdown
+      const userMember = memberListItems[2]; // user member
+      const userDropdown = await openRoleDropdown(userMember, "user");
+      expectOwnerOptionNotPresent(userDropdown);
+      await closeDropdown();
+
+      // Check another user member dropdown if exists
+      if (memberListItems.length > 3) {
+        const anotherUserMember = memberListItems[3]; // another user member
+        const anotherUserDropdown = await openRoleDropdown(
+          anotherUserMember,
+          "user",
+        );
+        expectOwnerOptionNotPresent(anotherUserDropdown);
+      }
+    });
+
+    it("Owner should be able to change any member's role to owner", async () => {
+      await setupTestWithUserAndOrg(
+        {
+          org_id: "1",
+          user_id: "1", // First member is owner in org 1
+          email: "alice@acme.org",
+          role: "owner",
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "active",
+        },
+        0,
+      );
+
+      const updateMemberRoleSpy = createUpdateMemberRoleSpy();
+
+      const memberListItems = await screen.findAllByTestId("member-item");
+
+      // Test changing admin to owner
+      const adminMember = memberListItems[1]; // Second member is admin (user_id: "2")
+      await changeMemberRole(adminMember, "admin", "owner");
+
+      expect(updateMemberRoleSpy).toHaveBeenNthCalledWith(1, {
+        userId: "2",
+        orgId: "1",
+        role: "owner",
+      });
+
+      // Test changing user to owner
+      const userMember = await findMemberByEmail("charlie@acme.org");
+      await changeMemberRole(userMember, "user", "owner");
+
+      expect(updateMemberRoleSpy).toHaveBeenNthCalledWith(2, {
+        userId: "3",
+        orgId: "1",
+        role: "owner",
+      });
+    });
+
+    it.each([
+      {
+        description:
+          "Owner should be able to change admin's role to admin (no change)",
+        userData: {
+          org_id: "1",
+          user_id: "1", // First member is owner in org 1
+          email: "alice@acme.org",
+          role: "owner" as const,
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "active" as const,
+        },
+        orgIndex: 0,
+        memberEmail: "bob@acme.org",
+        currentRole: "admin",
+        newRole: "admin",
+        expectedApiCall: {
+          userId: "2",
+          orgId: "1",
+          role: "admin" as const,
+        },
+      },
+      {
+        description:
+          "Admin should be able to change user's role to user (no change)",
+        userData: {
+          org_id: "3",
+          user_id: "7", // Ray is admin in org 3
+          email: "ray@all-hands.dev",
+          role: "admin" as const,
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "active" as const,
+        },
+        orgIndex: 2, // org 3
+        memberEmail: "stephan@all-hands.dev",
+        currentRole: "user",
+        newRole: "user",
+        expectedApiCall: {
+          userId: "9",
+          orgId: "3",
+          role: "user" as const,
+        },
+      },
+      {
+        description: "Admin should be able to change user's role to admin",
+        userData: {
+          org_id: "3",
+          user_id: "7", // Ray is admin in org 3
+          email: "ray@all-hands.dev",
+          role: "admin" as const,
+          llm_api_key: "**********",
+          max_iterations: 20,
+          llm_model: "gpt-4",
+          llm_api_key_for_byor: null,
+          llm_base_url: "https://api.openai.com",
+          status: "active" as const,
+        },
+        orgIndex: 2, // org 3
+        memberEmail: "stephan@all-hands.dev",
+        currentRole: "user",
+        newRole: "admin",
+        expectedApiCall: {
+          userId: "9",
+          orgId: "3",
+          role: "admin" as const,
+        },
+      },
+    ])(
+      "$description",
+      async ({
+        userData,
+        orgIndex,
+        memberEmail,
+        currentRole,
+        newRole,
+        expectedApiCall,
+      }) => {
+        await setupTestWithUserAndOrg(userData, orgIndex);
+
+        const updateMemberRoleSpy = createUpdateMemberRoleSpy();
+
+        const member = await findMemberByEmail(memberEmail);
+
+        await changeMemberRole(member, currentRole, newRole);
+
+        expect(updateMemberRoleSpy).toHaveBeenCalledExactlyOnceWith(
+          expectedApiCall,
+        );
+      },
+    );
+  });
+});
@@ -1,12 +1,12 @@
 import { render, screen, waitFor, within } from "@testing-library/react";
-import { beforeEach, describe, expect, it, vi } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 import userEvent from "@testing-library/user-event";
 import { createRoutesStub, Outlet } from "react-router";
 import SecretsSettingsScreen from "#/routes/secrets-settings";
 import { SecretsService } from "#/api/secrets-service";
 import { GetSecretsResponse } from "#/api/secrets-service.types";
-import SettingsService from "#/settings-service/settings-service.api";
+import SettingsService from "#/api/settings-service/settings-service.api";
 import OptionService from "#/api/option-service/option-service.api";
 import { MOCK_DEFAULT_USER_SETTINGS } from "#/mocks/handlers";

@@ -21,25 +21,25 @@ const MOCK_GET_SECRETS_RESPONSE: GetSecretsResponse["custom_secrets"] = [
  },
 ];

-const RouterStub = createRoutesStub([
-  {
-    Component: () => <Outlet />,
-    path: "/settings",
-    children: [
-      {
-        Component: SecretsSettingsScreen,
-        path: "/settings/secrets",
-      },
-      {
-        Component: () => <div data-testid="git-settings-screen" />,
-        path: "/settings/integrations",
-      },
-    ],
-  },
-]);
+const renderSecretsSettings = () => {
+  const RouterStub = createRoutesStub([
+    {
+      Component: () => <Outlet />,
+      path: "/settings",
+      children: [
+        {
+          Component: SecretsSettingsScreen,
+          path: "/settings/secrets",
+        },
+        {
+          Component: () => <div data-testid="git-settings-screen" />,
+          path: "/settings/integrations",
+        },
+      ],
+    },
+  ]);

-const renderSecretsSettings = () =>
-  render(<RouterStub initialEntries={["/settings/secrets"]} />, {
+  return render(<RouterStub initialEntries={["/settings/secrets"]} />, {
    wrapper: ({ children }) => (
      <QueryClientProvider
        client={
@@ -52,6 +52,7 @@ const renderSecretsSettings = () =>
      </QueryClientProvider>
    ),
  });
+};

 beforeEach(() => {
  const getConfigSpy = vi.spyOn(OptionService, "getConfig");
@@ -61,6 +62,10 @@ beforeEach(() => {
  });
 });

+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
 describe("Content", () => {
  it("should render the secrets settings screen", () => {
    renderSecretsSettings();
@@ -501,6 +506,8 @@ describe("Secret actions", () => {

  it("should not submit whitespace secret names or values", async () => {
    const createSecretSpy = vi.spyOn(SecretsService, "createSecret");
+    const getSecretsSpy = vi.spyOn(SecretsService, "getSecrets");
+    getSecretsSpy.mockResolvedValue([]);
    renderSecretsSettings();

    // render form & hide items
@@ -532,9 +539,11 @@ describe("Secret actions", () => {
    await userEvent.click(submitButton);

    expect(createSecretSpy).not.toHaveBeenCalled();
-    expect(
-      screen.queryByText("SECRETS$SECRET_VALUE_REQUIRED"),
-    ).toBeInTheDocument();
+    await waitFor(() => {
+      expect(
+        screen.queryByText("SECRETS$SECRET_VALUE_REQUIRED"),
+      ).toBeInTheDocument();
+    });
  });

  it("should not reset ipout values on an invalid submit", async () => {
@@ -1,4 +1,4 @@
-import { render, screen, within } from "@testing-library/react";
+import { render, screen, within, waitFor } from "@testing-library/react";
 import { createRoutesStub } from "react-router";
 import { describe, expect, it, vi } from "vitest";
 import { QueryClientProvider } from "@tanstack/react-query";
@@ -22,6 +22,7 @@ vi.mock("react-i18next", async () => {
          SETTINGS$NAV_SECRETS: "Secrets",
          SETTINGS$NAV_MCP: "MCP",
          SETTINGS$NAV_USER: "User",
+          SETTINGS$NAV_BILLING: "Billing",
          SETTINGS$TITLE: "Settings",
        };
        return translations[key] || key;
@@ -61,6 +62,10 @@ describe("Settings Screen", () => {
          Component: () => <div data-testid="llm-settings-screen" />,
          path: "/settings",
        },
+        {
+          Component: () => <div data-testid="user-settings-screen" />,
+          path: "/settings/user",
+        },
        {
          Component: () => <div data-testid="git-settings-screen" />,
          path: "/settings/integrations",
@@ -192,4 +197,66 @@ describe("Settings Screen", () => {
  });

  it.todo("should not be able to access oss-only routes in saas mode");
+
+  describe("HIDE_BILLING feature flag", () => {
+    it("should hide billing navigation item when HIDE_BILLING is true", async () => {
+      // Arrange
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+        GITHUB_CLIENT_ID: "test",
+        POSTHOG_CLIENT_KEY: "test",
+        FEATURE_FLAGS: {
+          ENABLE_BILLING: false,
+          HIDE_LLM_SETTINGS: false,
+          HIDE_BILLING: true,
+          ENABLE_JIRA: false,
+          ENABLE_JIRA_DC: false,
+          ENABLE_LINEAR: false,
+        },
+      });
+
+      mockQueryClient.clear();
+
+      // Act
+      renderSettingsScreen();
+
+      // Assert
+      const navbar = await screen.findByTestId("settings-navbar");
+      expect(within(navbar).queryByText("Billing")).not.toBeInTheDocument();
+
+      getConfigSpy.mockRestore();
+    });
+
+    it("should show billing navigation item when HIDE_BILLING is false", async () => {
+      // Arrange
+      const getConfigSpy = vi.spyOn(OptionService, "getConfig");
+      getConfigSpy.mockResolvedValue({
+        APP_MODE: "saas",
+        GITHUB_CLIENT_ID: "test",
+        POSTHOG_CLIENT_KEY: "test",
+        FEATURE_FLAGS: {
+          ENABLE_BILLING: false,
+          HIDE_LLM_SETTINGS: false,
+          HIDE_BILLING: false,
+          ENABLE_JIRA: false,
+          ENABLE_JIRA_DC: false,
+          ENABLE_LINEAR: false,
+        },
+      });
+
+      mockQueryClient.clear();
+
+      // Act
+      renderSettingsScreen();
+
+      // Assert
+      const navbar = await screen.findByTestId("settings-navbar");
+      await waitFor(() => {
+        expect(within(navbar).getByText("Billing")).toBeInTheDocument();
+      });
+
+      getConfigSpy.mockRestore();
+    });
+  });
 });
@@ -1,8 +1,8 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import { handleStatusMessage } from "../actions";
+import { handleStatusMessage } from "#/services/actions";
 import { StatusMessage } from "#/types/message";
 import { queryClient } from "#/query-client-config";
-import { useStatusStore } from "#/state/status-store";
+import { useStatusStore } from "#/stores/status-store";
 import { trackError } from "#/utils/error-handler";

 // Mock dependencies
@@ -12,7 +12,7 @@ vi.mock("#/query-client-config", () => ({
  },
 }));

-vi.mock("#/state/status-store", () => ({
+vi.mock("#/stores/status-store", () => ({
  useStatusStore: {
    getState: vi.fn(() => ({
      setCurStatusMessage: vi.fn(),
@@ -1,8 +1,8 @@
 import { describe, it, expect, vi, beforeEach } from "vitest";
 import ActionType from "#/types/action-type";
 import { ActionMessage } from "#/types/message";
+import { useCommandStore } from "#/stores/command-store";

-// Mock the store and actions
 const mockDispatch = vi.fn();
 const mockAppendInput = vi.fn();

@@ -12,26 +12,12 @@ vi.mock("#/store", () => ({
  },
 }));

-vi.mock("#/state/command-store", () => ({
-  useCommandStore: {
-    getState: () => ({
-      appendInput: mockAppendInput,
-    }),
-  },
-}));
-
-vi.mock("#/state/metrics-slice", () => ({
-  setMetrics: vi.fn(),
-}));
-
-vi.mock("#/state/security-analyzer-slice", () => ({
-  appendSecurityAnalyzerInput: vi.fn(),
-}));
-
 describe("handleActionMessage", () => {
  beforeEach(() => {
-    // Clear all mocks before each test
    vi.clearAllMocks();
+    useCommandStore.setState({
+      appendInput: mockAppendInput,
+    });
  });

  it("should handle RUN actions by adding input to terminal", async () => {
@@ -0,0 +1,51 @@
+import { act, renderHook } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
+import { useSelectedOrganizationStore } from "#/stores/selected-organization-store";
+
+describe("useSelectedOrganizationStore", () => {
+  it("should have null as initial orgId", () => {
+    const { result } = renderHook(() => useSelectedOrganizationStore());
+    expect(result.current.organizationId).toBeNull();
+  });
+
+  it("should update orgId when setOrgId is called", () => {
+    const { result } = renderHook(() => useSelectedOrganizationStore());
+
+    act(() => {
+      result.current.setOrganizationId("org-123");
+    });
+
+    expect(result.current.organizationId).toBe("org-123");
+  });
+
+  it("should allow setting orgId to null", () => {
+    const { result } = renderHook(() => useSelectedOrganizationStore());
+
+    act(() => {
+      result.current.setOrganizationId("org-123");
+    });
+
+    expect(result.current.organizationId).toBe("org-123");
+
+    act(() => {
+      result.current.setOrganizationId(null);
+    });
+
+    expect(result.current.organizationId).toBeNull();
+  });
+
+  it("should share state across multiple hook instances", () => {
+    const { result: result1 } = renderHook(() =>
+      useSelectedOrganizationStore(),
+    );
+    const { result: result2 } = renderHook(() =>
+      useSelectedOrganizationStore(),
+    );
+
+    act(() => {
+      result1.current.setOrganizationId("shared-org");
+    });
+
+    expect(result2.current.organizationId).toBe("shared-org");
+  });
+});
@@ -3,7 +3,7 @@ import toast from "react-hot-toast";
 import {
  displaySuccessToast,
  displayErrorToast,
-} from "../custom-toast-handlers";
+} from "#/utils/custom-toast-handlers";

 // Mock react-hot-toast
 vi.mock("react-hot-toast", () => ({
@@ -12,22 +12,92 @@ describe("hasAdvancedSettingsSet", () => {
  });

  describe("should be true if", () => {
-    test("LLM_BASE_URL is set", () => {
+    test("llm_base_url is set", () => {
      expect(
        hasAdvancedSettingsSet({
          ...DEFAULT_SETTINGS,
-          LLM_BASE_URL: "test",
+          llm_base_url: "test",
        }),
      ).toBe(true);
    });

-    test("AGENT is not default value", () => {
+    test("agent is not default value", () => {
      expect(
        hasAdvancedSettingsSet({
          ...DEFAULT_SETTINGS,
-          AGENT: "test",
+          agent: "test",
        }),
      ).toBe(true);
    });
+
+    test("enable_default_condenser is disabled", () => {
+      // Arrange
+      const settings = {
+        ...DEFAULT_SETTINGS,
+        enable_default_condenser: false,
+      };
+
+      // Act
+      const result = hasAdvancedSettingsSet(settings);
+
+      // Assert
+      expect(result).toBe(true);
+    });
+
+    test("condenser_max_size is customized above default", () => {
+      // Arrange
+      const settings = {
+        ...DEFAULT_SETTINGS,
+        condenser_max_size: 200,
+      };
+
+      // Act
+      const result = hasAdvancedSettingsSet(settings);
+
+      // Assert
+      expect(result).toBe(true);
+    });
+
+    test("condenser_max_size is customized below default", () => {
+      // Arrange
+      const settings = {
+        ...DEFAULT_SETTINGS,
+        condenser_max_size: 50,
+      };
+
+      // Act
+      const result = hasAdvancedSettingsSet(settings);
+
+      // Assert
+      expect(result).toBe(true);
+    });
+
+    test("search_api_key is set to non-empty value", () => {
+      // Arrange
+      const settings = {
+        ...DEFAULT_SETTINGS,
+        search_api_key: "test-api-key-123",
+      };
+
+      // Act
+      const result = hasAdvancedSettingsSet(settings);
+
+      // Assert
+      expect(result).toBe(true);
+    });
+
+    test("search_api_key with whitespace is treated as set", () => {
+      // Arrange
+      const settings = {
+        ...DEFAULT_SETTINGS,
+        search_api_key: "  test-key  ",
+      };
+
+      // Act
+      const result = hasAdvancedSettingsSet(settings);
+
+      // Assert
+      expect(result).toBe(true);
+    });
  });
 });
@@ -13,7 +13,7 @@ describe("Model name case preservation", () => {
    const settings = extractSettings(formData);

    // Test that model names maintain their original casing
-    expect(settings.LLM_MODEL).toBe("SambaNova/Meta-Llama-3.1-8B-Instruct");
+    expect(settings.llm_model).toBe("SambaNova/Meta-Llama-3.1-8B-Instruct");
  });

  it("should preserve openai model case", () => {
@@ -24,7 +24,7 @@ describe("Model name case preservation", () => {
    formData.set("language", "en");

    const settings = extractSettings(formData);
-    expect(settings.LLM_MODEL).toBe("openai/gpt-4o");
+    expect(settings.llm_model).toBe("openai/gpt-4o");
  });

  it("should preserve anthropic model case", () => {
@@ -35,7 +35,7 @@ describe("Model name case preservation", () => {
    formData.set("language", "en");

    const settings = extractSettings(formData);
-    expect(settings.LLM_MODEL).toBe("anthropic/claude-sonnet-4-20250514");
+    expect(settings.llm_model).toBe("anthropic/claude-sonnet-4-20250514");
  });

  it("should not automatically lowercase model names", () => {
@@ -48,7 +48,7 @@ describe("Model name case preservation", () => {
    const settings = extractSettings(formData);

    // Test that camelCase and PascalCase are preserved
-    expect(settings.LLM_MODEL).not.toBe("sambanova/meta-llama-3.1-8b-instruct");
-    expect(settings.LLM_MODEL).toBe("SambaNova/Meta-Llama-3.1-8B-Instruct");
+    expect(settings.llm_model).not.toBe("sambanova/meta-llama-3.1-8b-instruct");
+    expect(settings.llm_model).toBe("SambaNova/Meta-Llama-3.1-8B-Instruct");
  });
 });
--- a/Show More
+++ b/Show More