Update pyproject.toml

.agents/skills/cross-repo-testing/SKILL.md

@@ -1,202 +0,0 @@
----
-name: cross-repo-testing
-description: This skill should be used when the user asks to "test a cross-repo feature", "deploy a feature branch to staging", "test SDK against OH Cloud", "e2e test a cloud workspace feature", "test provider tokens", "test secrets inheritance", or when changes span the SDK and OpenHands server repos and need end-to-end validation against a staging deployment.
-triggers:
-- cross-repo
-- staging deployment
-- feature branch deploy
-- test against cloud
-- e2e cloud
----
-
-# Cross-Repo Testing: SDK ↔ OpenHands Cloud
-
-How to end-to-end test features that span `OpenHands/software-agent-sdk` and `OpenHands/OpenHands` (the Cloud backend).
-
-## Repository Map
-
-| Repo | Role | What lives here |
-|------|------|-----------------|
-| [`software-agent-sdk`](https://github.com/OpenHands/software-agent-sdk) | Agent core | `openhands-sdk`, `openhands-workspace`, `openhands-tools` packages. `OpenHandsCloudWorkspace` lives here. |
-| [`OpenHands`](https://github.com/OpenHands/OpenHands) | Cloud backend | FastAPI server (`openhands/app_server/`), sandbox management, auth, enterprise integrations. Deployed as OH Cloud. |
-| [`deploy`](https://github.com/OpenHands/deploy) | Infrastructure | Helm charts + GitHub Actions that build the enterprise Docker image and deploy to staging/production. |
-
-**Data flow:** SDK client → OH Cloud API (`/api/v1/...`) → sandbox agent-server (inside runtime container)
-
-## When You Need This
-
-There are **two flows** depending on which direction the dependency goes:
-
-| Flow | When | Example |
-|------|------|---------|
-| **A — SDK client → new Cloud API** | The SDK calls an API that doesn't exist yet on production | `workspace.get_llm()` calling `GET /api/v1/users/me?expose_secrets=true` |
-| **B — OH server → new SDK code** | The Cloud server needs unreleased SDK packages or a new agent-server image | Server consumes a new tool, agent behavior, or workspace method from the SDK |
-
-Flow A only requires deploying the server PR. Flow B requires pinning the SDK to an unreleased commit in the server PR **and** using the SDK PR's agent-server image. Both flows may apply simultaneously.
-
----
-
-## Flow A: SDK Client Tests Against New Cloud API
-
-Use this when the SDK calls an endpoint that only exists on the server PR branch.
-
-### A1. Write and test the server-side changes
-
-In the `OpenHands` repo, implement the new API endpoint(s). Run unit tests:
-
-```bash
-cd OpenHands
-poetry run pytest tests/unit/app_server/test_<relevant>.py -v
-```
-
-Push a PR. Wait for the **"Push Enterprise Image" (Docker) CI job** to succeed — this builds `ghcr.io/openhands/enterprise-server:sha-<COMMIT>`.
-
-### A2. Write the SDK-side changes
-
-In `software-agent-sdk`, implement the client code (e.g., new methods on `OpenHandsCloudWorkspace`). Run SDK unit tests:
-
-```bash
-cd software-agent-sdk
-pip install -e openhands-sdk -e openhands-workspace
-pytest tests/ -v
-```
-
-Push a PR. SDK CI is independent — it doesn't need the server changes to pass unit tests.
-
-### A3. Deploy the server PR to staging
-
-See [Deploying to a Staging Feature Environment](#deploying-to-a-staging-feature-environment) below.
-
-### A4. Run the SDK e2e test against staging
-
-See [Running E2E Tests Against Staging](#running-e2e-tests-against-staging) below.
-
----
-
-## Flow B: OH Server Needs Unreleased SDK Code
-
-Use this when the Cloud server depends on SDK changes that haven't been released to PyPI yet. The server's runtime containers run the `agent-server` image built from the SDK repo, so the server PR must be configured to use the SDK PR's image and packages.
-
-### B1. Get the SDK PR merged (or identify the commit)
-
-The SDK PR must have CI pass so its agent-server Docker image is built. The image is tagged with the **merge-commit SHA** from GitHub Actions — NOT the head-commit SHA shown in the PR.
-
-Find the correct image tag:
-- Check the SDK PR description for an `AGENT_SERVER_IMAGES` section
-- Or check the "Consolidate Build Information" CI job for `"short_sha": "<tag>"`
-
-### B2. Pin SDK packages to the commit in the OpenHands PR
-
-In the `OpenHands` repo PR, pin all 3 SDK packages (`openhands-sdk`, `openhands-agent-server`, `openhands-tools`) to the unreleased commit and update the agent-server image tag. This involves editing 3 files and regenerating 3 lock files.
-
-Follow the **`update-sdk` skill** → "Development: Pin SDK to an Unreleased Commit" section for the full procedure and file-by-file instructions.
-
-### B3. Wait for the OpenHands enterprise image to build
-
-Push the pinned changes. The OpenHands CI will build a new enterprise Docker image (`ghcr.io/openhands/enterprise-server:sha-<OH_COMMIT>`) that bundles the unreleased SDK. Wait for the "Push Enterprise Image" job to succeed.
-
-### B4. Deploy and test
-
-Follow [Deploying to a Staging Feature Environment](#deploying-to-a-staging-feature-environment) using the new OpenHands commit SHA.
-
-### B5. Before merging: remove the pin
-
-**CI guard:** `check-package-versions.yml` blocks merge to `main` if `[tool.poetry.dependencies]` contains `rev` fields. Before the OpenHands PR can merge, the SDK PR must be merged and released to PyPI, then the pin must be replaced with the released version number.
-
----
-
-## Deploying to a Staging Feature Environment
-
-The `deploy` repo creates preview environments from OpenHands PRs.
-
-**Option A — GitHub Actions UI (preferred):**
-Go to `OpenHands/deploy` → Actions → "Create OpenHands preview PR" → enter the OpenHands PR number. This creates a branch `ohpr-<PR>-<random>` and opens a deploy PR.
-
-**Option B — Update an existing feature branch:**
-```bash
-cd deploy
-git checkout ohpr-<PR>-<random>
-# In .github/workflows/deploy.yaml, update BOTH:
-#   OPENHANDS_SHA: "<full-40-char-commit>"
-#   OPENHANDS_RUNTIME_IMAGE_TAG: "<same-commit>-nikolaik"
-git commit -am "Update OPENHANDS_SHA to <commit>" && git push
-```
-
-**Before updating the SHA**, verify the enterprise Docker image exists:
-```bash
-gh api repos/OpenHands/OpenHands/actions/runs \
-  --jq '.workflow_runs[] | select(.head_sha=="<COMMIT>") | "\(.name): \(.conclusion)"' \
-  | grep Docker
-# Must show: "Docker: success"
-```
-
-The deploy CI auto-triggers and creates the environment at:
-```
-https://ohpr-<PR>-<random>.staging.all-hands.dev
-```
-
-**Wait for it to be live:**
-```bash
-curl -s -o /dev/null -w "%{http_code}" https://ohpr-<PR>-<random>.staging.all-hands.dev/api/v1/health
-# 401 = server is up (auth required). DNS may take 1-2 min on first deploy.
-```
-
-## Running E2E Tests Against Staging
-
-**Critical: Feature deployments have their own Keycloak instance.** API keys from `app.all-hands.dev` or `$OPENHANDS_API_KEY` will NOT work. You need a test API key issued by the specific feature deployment's Keycloak.
-
-**You (the agent) cannot obtain this key yourself** — the feature environment requires interactive browser login with credentials you do not have. You must **ask the user** to:
-1. Log in to the feature deployment at `https://ohpr-<PR>-<random>.staging.all-hands.dev` in their browser
-2. Generate a test API key from the UI
-3. Provide the key to you so you can proceed with e2e testing
-
-Do **not** attempt to log in via the browser or guess credentials. Wait for the user to supply the key before running any e2e tests.
-
-```python
-from openhands.workspace import OpenHandsCloudWorkspace
-
-STAGING = "https://ohpr-<PR>-<random>.staging.all-hands.dev"
-
-with OpenHandsCloudWorkspace(
-    cloud_api_url=STAGING,
-    cloud_api_key="<test-api-key-for-this-deployment>",
-) as workspace:
-    # Test the new feature
-    llm = workspace.get_llm()
-    secrets = workspace.get_secrets()
-    print(f"LLM: {llm.model}, secrets: {list(secrets.keys())}")
-```
-
-Or run an example script:
-```bash
-OPENHANDS_CLOUD_API_KEY="<key>" \
-OPENHANDS_CLOUD_API_URL="https://ohpr-<PR>-<random>.staging.all-hands.dev" \
-python examples/02_remote_agent_server/10_cloud_workspace_saas_credentials.py
-```
-
-### Recording results
-
-Both repos support a `.pr/` directory for temporary PR artifacts (design docs, test logs, scripts). These files are automatically removed when the PR is approved — see `.github/workflows/pr-artifacts.yml` and the "PR-Specific Artifacts" section in each repo's `AGENTS.md`.
-
-Push test output to the `.pr/logs/` directory of whichever repo you're working in:
-```bash
-mkdir -p .pr/logs
-python test_script.py 2>&1 | tee .pr/logs/<test_name>.log
-git add -f .pr/logs/
-git commit -m "docs: add e2e test results" && git push
-```
-
-Comment on **both PRs** with pass/fail summary and link to logs.
-
-## Key Gotchas
-
-| Gotcha | Details |
-|--------|---------|
-| **Feature env auth is isolated** | Each `ohpr-*` deployment has its own Keycloak. Production API keys don't work. Agents cannot log in — you must ask the user to provide a test API key from the feature deployment's UI. |
-| **Two SHAs in deploy.yaml** | `OPENHANDS_SHA` and `OPENHANDS_RUNTIME_IMAGE_TAG` must both be updated. The runtime tag is `<sha>-nikolaik`. |
-| **Enterprise image must exist** | The Docker CI job on the OpenHands PR must succeed before you can deploy. If it hasn't run, push an empty commit to trigger it. |
-| **DNS propagation** | First deployment of a new branch takes 1-2 min for DNS. Subsequent deploys are instant. |
-| **Merge-commit SHA ≠ head SHA** | SDK CI tags Docker images with GitHub Actions' merge-commit SHA, not the PR head SHA. Check the SDK PR description or CI logs for the correct tag. |
-| **SDK pin blocks merge** | `check-package-versions.yml` prevents merging an OpenHands PR that has `rev` fields in `[tool.poetry.dependencies]`. The SDK must be released to PyPI first. |
-| **Flow A: stock agent-server is fine** | When only the Cloud API changes, `OpenHandsCloudWorkspace` talks to the Cloud server, not the agent-server. No custom image needed. |
-| **Flow B: agent-server image is required** | When the server needs new SDK code inside runtime containers, you must pin to the SDK PR's agent-server image. |

.agents/skills/custom-codereview-guide.md

@@ -1,47 +0,0 @@
----
-name: custom-codereview-guide
-description: Repo-specific code review guidelines for All-Hands-AI/OpenHands. Provides frontend and backend review rules in addition to the default code review skill.
-triggers:
-- /codereview
----
-
-# All-Hands-AI/OpenHands Code Review Guidelines
-
-You are an expert code reviewer for the **All-Hands-AI/OpenHands** repository. This skill provides repo-specific review guidelines.
-
-## Frontend: i18n / Translation Key Usage
-
-**Never dynamically construct i18n keys via string interpolation or template literals.**
-
-All translation keys must come from the `I18nKey` enum (`frontend/src/i18n/declaration.ts`) or from canonical mapping objects like `AGENT_STATUS_MAP` (`frontend/src/utils/status.ts`). Dynamically constructed keys (e.g., `` t(`STATUS$${value.toUpperCase()}`) ``) will silently fall back to the raw key string at runtime because `i18next` returns the key itself when a translation is missing — this produces broken UI text with no build-time or test-time error.
-
-### What to flag
-
-- Any call to `t(...)` or `i18next.t(...)` where the key is built at runtime via template literals, string concatenation, or helper functions rather than referencing `I18nKey` or a known mapping
-- Any new i18n key referenced in code that does not exist in `frontend/src/i18n/translation.json`
-
-### Correct pattern
-
-```ts
-import { AGENT_STATUS_MAP } from "#/utils/status";
-
-const i18nKey = AGENT_STATUS_MAP[agentState];
-const message = i18nKey ? t(i18nKey) : fallback;
-```
-
-### Incorrect pattern
-
-```ts
-// BAD: constructs a key that may not exist in translation.json
-const message = t(`STATUS$${agentState.toUpperCase()}`);
-```
-
-## Frontend: Data Fetching Architecture
-
-UI components must never call API client methods (`frontend/src/api/`) directly. All data access must go through TanStack Query hooks:
-
-```
-UI components → TanStack Query hooks (frontend/src/hooks/query/ or mutation/) → API client (frontend/src/api/) → API endpoints
-```
-
-Flag any component that imports directly from `#/api/` and calls fetch/mutation functions without a TanStack Query wrapper.

.agents/skills/upcoming-release/SKILL.md

@@ -1,37 +0,0 @@
----
-name: upcoming-release
-description: This skill should be used when the user asks to "generate release notes", "list upcoming release PRs", "summarize upcoming release", "/upcoming-release", or needs to know what changes are part of an upcoming release.
----
-
-# Upcoming Release Summary
-
-Generate a concise summary of PRs included in the upcoming release.
-
-## Prerequisites
-
-Two commit SHAs are required:
-- **First SHA**: The older commit (current release)
-- **Second SHA**: The newer commit (what's being released)
-
-If the user does not provide both SHAs, ask for them before proceeding.
-
-## Workflow
-
-1. Run the script from the repository root with the `--json` flag:
-   ```bash
-   .github/scripts/find_prs_between_commits.py <older-sha> <newer-sha> --json
-   ```
-
-2. Filter out PRs that are:
-   - Chores
-   - Dependency updates
-   - Adding logs
-   - Refactors
-
-3. Categorize the remaining PRs:
-   - **Features** - New functionality
-   - **Bug fixes** - Corrections to existing behavior
-   - **Security/CVE fixes** - Security-related changes
-   - **Other** - Everything else
-
-4. Format the output with PRs listed under their category, including the PR number and a brief description.

.agents/skills/update-sdk/SKILL.md

@@ -1,123 +0,0 @@
----
-name: update-sdk
-description: This skill should be used when the user asks to "update SDK", "bump SDK version", "pin SDK to a commit", "test unreleased SDK", "update agent-server image", "bump the version", "prepare a release", "what files change for a release", or needs to know how SDK packages are managed in the OpenHands repository. For detailed reference material, see references/docker-image-locations.md and references/sdk-pinning-examples.md in this skill directory.
----
-
-# Update SDK
-
-Bump SDK packages (`openhands-sdk`, `openhands-agent-server`, `openhands-tools`), pin them to unreleased commits for testing, and cut an OpenHands release.
-
-## Quick Summary — How Many Files Change?
-
-| Activity | Manual edits | Auto-regenerated | Total |
-|----------|:------------:|:----------------:|:-----:|
-| **SDK bump** (released PyPI version) | 2 | 3 | **5** |
-| **SDK pin** (unreleased git commit) | 3 | 3 | **6** |
-| **Release commit** (version bump) | 3 | 0 | **3** |
-
-The 3 auto-regenerated files are always: `poetry.lock`, `uv.lock`, `enterprise/poetry.lock`.
-
-## SDK Package Bump — 2 Files + 3 Lock Files
-
-Land as a separate PR before the release. Examples: `929dcc3` (SDK 1.11.5), `cd235cc` (SDK 1.11.4).
-
-| File | What to change |
-|------|----------------|
-| `pyproject.toml` | `openhands-sdk`, `openhands-agent-server`, `openhands-tools` in **two** sections: the `dependencies` array (PEP 508) **and** `[tool.poetry.dependencies]` |
-| `openhands/app_server/sandbox/sandbox_spec_service.py` | `AGENT_SERVER_IMAGE` constant — set to `ghcr.io/openhands/agent-server:<version>-python` |
-
-Then regenerate lock files:
-```bash
-poetry lock && uv lock && cd enterprise && poetry lock && cd ..
-```
-
-## Docker Image Locations — All Hardcoded References
-
-For the complete inventory of every file containing a hardcoded Docker image tag or repository, see `references/docker-image-locations.md`. Key files that must stay in sync during an SDK bump:
-
-| File | Image reference | Updated during SDK bump? |
-|------|----------------|:------------------------:|
-| `openhands/app_server/sandbox/sandbox_spec_service.py` | `AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:<tag>-python'` | ✅ Yes |
-| `docker-compose.yml` | `AGENT_SERVER_IMAGE_TAG` default | ✅ Should be |
-| `containers/dev/compose.yml` | `AGENT_SERVER_IMAGE_REPOSITORY` + `_TAG` defaults | ✅ Should be |
-
-> **CI enforcement:** `.github/workflows/check-version-consistency.yml` validates version consistency and compose file image references on every PR and push to main.
-
-### ⚠️ Docker Image Tag Gotcha (merge-commit SHA)
-
-The SDK CI in `software-agent-sdk` repo tags Docker images with the **GitHub Actions merge-commit SHA**, NOT the PR head-commit SHA. When pinning to an SDK PR branch:
-
-1. Check the SDK PR description for the actual image tag (look for the `AGENT_SERVER_IMAGES` section)
-2. Or query the CI logs: the "Consolidate Build Information" job prints `"short_sha": "<tag>"`
-3. The merge-commit SHA differs from the head SHA shown in the PR
-
-For released SDK versions, images use a version tag (e.g., `1.12.0-python`) — no merge-commit ambiguity.
-
-## Cutting a Release — 3 Files
-
-A release commit updates the version string across 3 files. Gold-standard examples: 1.3.0 (`d063c8c`), 1.4.0 (`495f48b`).
-
-| File | What to change |
-|------|----------------|
-| `pyproject.toml` | `version = "X.Y.Z"` under `[tool.poetry]` |
-| `frontend/package.json` | `"version": "X.Y.Z"` |
-| `frontend/package-lock.json` | `"version": "X.Y.Z"` in **two** places (root object and `packages[""]`) |
-
-> **Note:** `openhands/version.py` reads the version from `pyproject.toml` at runtime — no manual edit needed there.
-
-### Compose Files (2 files)
-
-Both compose files should use `ghcr.io/openhands/agent-server` with the current SDK version tag.
-
-| File | What to verify |
-|------|----------------|
-| `docker-compose.yml` | `AGENT_SERVER_IMAGE_REPOSITORY` defaults to agent-server, `AGENT_SERVER_IMAGE_TAG` is current |
-| `containers/dev/compose.yml` | Same — must use agent-server, not runtime |
-
-### Release Workflow
-
-#### Step 1: Verify the SDK bump has landed
-
-```bash
-grep -n "openhands-sdk\|openhands-agent-server\|openhands-tools" pyproject.toml
-grep -n "AGENT_SERVER_IMAGE" openhands/app_server/sandbox/sandbox_spec_service.py
-grep "AGENT_SERVER_IMAGE_TAG" docker-compose.yml containers/dev/compose.yml
-```
-
-#### Step 2: Bump version numbers
-
-```bash
-# Edit pyproject.toml, frontend/package.json, frontend/package-lock.json
-git add pyproject.toml frontend/package.json frontend/package-lock.json
-git commit -m "Release X.Y.Z"
-git tag X.Y.Z
-```
-
-Create a `saas-rel-X.Y.Z` branch from the tagged commit for the SaaS deployment pipeline.
-
-#### Step 3: Images get tagged automatically
-
-Every push to `main` / `saas-rel-*` / `oss-rel-*` builds and publishes `ghcr.io/openhands/openhands` and `ghcr.io/openhands/enterprise-server` images for that commit (tagged by SHA, short SHA, and branch name).
-
-Pushing a git tag `X.Y.Z` then tags the images for that commit with `X.Y.Z`, `X.Y`, `X`, and `latest`. Non-semver tags just get their literal name applied.
-
-Requires the commit to already be built. If you push the tag too early, the retag CI job fails loudly — re-run it from the Actions UI once the build completes.
-
-## Development: Pin SDK to an Unreleased Commit
-
-For detailed examples of all pinning formats (commit, branch, uv-only), see `references/sdk-pinning-examples.md`.
-
-### Files to change (3 manual + 3 lock files)
-
-| File | What to change |
-|------|----------------|
-| `pyproject.toml` | Pin all 3 SDK packages in **both** `dependencies` and `[tool.poetry.dependencies]` |
-| `openhands/app_server/sandbox/sandbox_spec_service.py` | `AGENT_SERVER_IMAGE` — use the merge-commit SHA tag, NOT the head-commit SHA |
-| `docker-compose.yml` | `AGENT_SERVER_IMAGE_TAG` default (for local development) |
-| `poetry.lock` | Auto-regenerated via `poetry lock` |
-| `uv.lock` | Auto-regenerated via `uv lock` |
-| `enterprise/poetry.lock` | Auto-regenerated via `cd enterprise && poetry lock` |
-
-### CI guard
-
-The `check-package-versions.yml` workflow blocks merging to `main` if `[tool.poetry.dependencies]` contains any `rev` fields. This ensures unreleased SDK pins do not accidentally ship in a release.

.agents/skills/update-sdk/references/docker-image-locations.md

@@ -1,61 +0,0 @@
-# Docker Image Locations — Complete Inventory
-
-Every file in the OpenHands repository containing a hardcoded Docker image tag, repository, or version-pinned image reference. Organized by update cadence.
-
-## Updated During SDK Bump (must change)
-
-These files contain image tags that **must** be updated whenever the SDK version or pinned commit changes.
-
-### `openhands/app_server/sandbox/sandbox_spec_service.py`
-- **Line:** `AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:<tag>-python'`
-- **Format:** `<sdk-version>-python` for releases (e.g., `1.12.0-python`), `<7-char-commit-hash>-python` for dev pins
-- **Source of truth** for which agent-server image the app server pulls at runtime
-- **⚠️ Gotcha:** When pinning to an SDK PR, the image tag is the **merge-commit SHA** from GitHub Actions, not the PR head-commit SHA. Check the SDK PR description or CI logs for the correct tag.
-
-### `docker-compose.yml`
-- **Lines:**
-  ```yaml
-  - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-  - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-<tag>-python}
-  ```
-- Used by `docker compose up` for local development
-
-### `containers/dev/compose.yml`
-- **Lines:**
-  ```yaml
-  - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-  - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-<tag>-python}
-  ```
-- Used by the dev container setup
-- **Known issue:** On main as of 1.4.0, this file still points to `ghcr.io/openhands/runtime` instead of `agent-server`, and the tag is `1.2-nikolaik` (stale from the V0 era). The `check-version-consistency.yml` CI workflow catches this.
-
-## Updated During Release Commit (version string only)
-
-### `pyproject.toml`
-- **Line:** `version = "X.Y.Z"` under `[tool.poetry]`
-- The Python version is derived from this at runtime via `openhands/version.py`
-
-### `frontend/package.json`
-- **Line:** `"version": "X.Y.Z"`
-
-### `frontend/package-lock.json`
-- **Two places:** root `"version": "X.Y.Z"` and `packages[""].version`
-
-## Dynamic References (auto-derived, no manual update)
-
-### `openhands/version.py`
-- Reads version from `pyproject.toml` at runtime → `openhands.__version__`
-
-### `.github/scripts/update_pr_description.sh`
-- Uses `${SHORT_SHA}` variable at CI runtime, not hardcoded
-
-### `enterprise/Dockerfile`
-- `ARG BASE="ghcr.io/openhands/openhands"` — base image, version supplied at build time
-
-## Image Registries
-
-| Registry | Usage |
-|----------|-------|
-| `ghcr.io/openhands/agent-server` | V1 agent-server (sandbox) — built by SDK repo CI |
-| `ghcr.io/openhands/openhands` | Main app image — built by `ghcr-build.yml` |
-| `docker.openhands.dev/openhands/*` | Mirror/CDN for the above images |

.agents/skills/update-sdk/references/sdk-pinning-examples.md

@@ -1,103 +0,0 @@
-# SDK Pinning Examples
-
-Examples from real commits showing how to pin SDK packages to unreleased commits, branches, or released versions.
-
-## Pin to a Specific Commit
-
-Example from commit `169fb76` (pinning all 3 packages to SDK commit `100e9af`):
-
-### `dependencies` array (PEP 508 format)
-
-```toml
-"openhands-agent-server @ git+https://github.com/OpenHands/software-agent-sdk.git@100e9af#subdirectory=openhands-agent-server",
-"openhands-sdk @ git+https://github.com/OpenHands/software-agent-sdk.git@100e9af#subdirectory=openhands-sdk",
-"openhands-tools @ git+https://github.com/OpenHands/software-agent-sdk.git@100e9af#subdirectory=openhands-tools",
-```
-
-### `[tool.poetry.dependencies]` (Poetry format)
-
-```toml
-openhands-sdk = { git = "https://github.com/OpenHands/software-agent-sdk.git", rev = "100e9af", subdirectory = "openhands-sdk" }
-openhands-agent-server = { git = "https://github.com/OpenHands/software-agent-sdk.git", rev = "100e9af", subdirectory = "openhands-agent-server" }
-openhands-tools = { git = "https://github.com/OpenHands/software-agent-sdk.git", rev = "100e9af", subdirectory = "openhands-tools" }
-```
-
-### `openhands/app_server/sandbox/sandbox_spec_service.py`
-
-```python
-AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:<merge-commit-sha>-python'
-```
-
-**⚠️ Important:** The image tag is the **merge-commit SHA** from the SDK CI, not the commit hash used in `pyproject.toml`. Look up the correct tag from the SDK PR description or CI logs.
-
-## Pin to a Branch
-
-Example from commit `430ee1c` (pinning to branch `openhands/issue-2228-sdk-settings-schema`):
-
-### `[tool.poetry.dependencies]`
-
-```toml
-openhands-sdk = { git = "https://github.com/OpenHands/software-agent-sdk.git", branch = "openhands/issue-2228-sdk-settings-schema", subdirectory = "openhands-sdk" }
-openhands-agent-server = { git = "https://github.com/OpenHands/software-agent-sdk.git", branch = "openhands/issue-2228-sdk-settings-schema", subdirectory = "openhands-agent-server" }
-openhands-tools = { git = "https://github.com/OpenHands/software-agent-sdk.git", branch = "openhands/issue-2228-sdk-settings-schema", subdirectory = "openhands-tools" }
-```
-
-## Using `[tool.uv.sources]` Override
-
-When only `uv` needs the override (keep PyPI versions in the main arrays), add a `[tool.uv.sources]` section. Example from commit `1daca49`:
-
-```toml
-[tool.uv.sources]
-openhands-sdk = { git = "https://github.com/OpenHands/software-agent-sdk.git", subdirectory = "openhands-sdk", rev = "4170cca" }
-openhands-agent-server = { git = "https://github.com/OpenHands/software-agent-sdk.git", subdirectory = "openhands-agent-server", rev = "4170cca" }
-openhands-tools = { git = "https://github.com/OpenHands/software-agent-sdk.git", subdirectory = "openhands-tools", rev = "4170cca" }
-```
-
-## Released PyPI Version (standard release)
-
-Example from commit `929dcc3` (SDK 1.11.5):
-
-### `dependencies` array
-
-```toml
-"openhands-agent-server==1.11.5",
-"openhands-sdk==1.11.5",
-"openhands-tools==1.11.5",
-```
-
-### `[tool.poetry.dependencies]`
-
-```toml
-openhands-sdk = "1.11.5"
-openhands-agent-server = "1.11.5"
-openhands-tools = "1.11.5"
-```
-
-### `openhands/app_server/sandbox/sandbox_spec_service.py`
-
-For released versions, the image tag uses the version number:
-
-```python
-AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:1.11.5-python'
-```
-
-However, **some releases use a commit-hash tag** even for the released version. Check which tag format exists on GHCR. Example from `929dcc3`:
-
-```python
-AGENT_SERVER_IMAGE = 'ghcr.io/openhands/agent-server:010e847-python'
-```
-
-## Regenerate Lock Files
-
-After any change to `pyproject.toml`, always regenerate:
-
-```bash
-poetry lock
-uv lock
-cd enterprise && poetry lock && cd ..
-```
-
-## CI Guards
-
-- **`check-package-versions.yml`**: Blocks merge to `main` if `[tool.poetry.dependencies]` contains `rev` fields (prevents shipping unreleased SDK pins)
-- **`check-version-consistency.yml`**: Validates version strings match across `pyproject.toml`, `package.json`, `package-lock.json`, and verifies compose files use `agent-server` images

.devcontainer/README.md

@@ -1 +0,0 @@
-This way of running OpenHands is not officially supported. It is maintained by the community.

.devcontainer/setup.sh

@@ -7,8 +7,5 @@ git config --global --add safe.directory "$(realpath .)"
 # Install `nc`
 sudo apt update && sudo apt install netcat -y
 
-# Install `uv` and `uvx`
-wget -qO- https://astral.sh/uv/install.sh | sh
-
 # Do common setup tasks
 source .openhands/setup.sh

.gitattributes

@@ -4,5 +4,4 @@
 * text eol=lf
 # Git incorrectly thinks some media is text
 *.png -text
-*.gif -text
 *.mp4 -text

.github/CODEOWNERS

@@ -0,0 +1,12 @@
+# CODEOWNERS file for OpenHands repository
+# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Frontend code owners
+/frontend/ @amanape
+/openhands-ui/ @amanape
+
+# Evaluation code owners
+/evaluation/ @xingyaoww @neubig
+
+# Documentation code owners
+/docs/ @mamoodi

.github/ISSUE_TEMPLATE/bug_template.yml

@@ -5,113 +5,52 @@ labels: ['bug']
 body:
   - type: markdown
     attributes:
-      value: |
-        ## Thank you for reporting a bug! 🐛
-
-        **Please fill out all required fields.** Issues missing critical information (version, installation method, reproduction steps, etc.) will be delayed or closed until complete details are provided.
-
-        Clear, detailed reports help us resolve issues faster.
+      value: Thank you for taking the time to fill out this bug report. Please provide as much information as possible
+       to help us understand and address the issue effectively.
 
   - type: checkboxes
     attributes:
-      label: Is there an existing issue for the same bug?
-      description: Please search existing issues before creating a new one. If found, react or comment to the duplicate issue instead of making a new one.
+      label: Is there an existing issue for the same bug? (If one exists, thumbs up or comment on the issue instead).
+      description: Please check if an issue already exists for the bug you encountered.
       options:
-      - label: I have searched existing issues and this is not a duplicate.
+      - label: I have checked the existing issues.
         required: true
 
   - type: textarea
     id: bug-description
     attributes:
-      label: Bug Description
-      description: Clearly describe what went wrong. Be specific and concise.
-      placeholder: Example - "When I run a Python task, OpenHands crashes after 30 seconds with a connection timeout error."
+      label: Describe the bug and reproduction steps
+      description: Provide a description of the issue along with any reproduction steps.
     validations:
       required: true
 
-  - type: textarea
-    id: expected-behavior
-    attributes:
-      label: Expected Behavior
-      description: What did you expect to happen?
-      placeholder: Example - "OpenHands should execute the Python script and return results."
-    validations:
-      required: false
-
-  - type: textarea
-    id: actual-behavior
-    attributes:
-      label: Actual Behavior
-      description: What actually happened?
-      placeholder: Example - "Connection timed out after 30 seconds, task failed with error code 500."
-    validations:
-      required: false
-
-  - type: textarea
-    id: reproduction-steps
-    attributes:
-      label: Steps to Reproduce
-      description: Provide clear, step-by-step instructions to reproduce the bug.
-      placeholder: |
-        1. Install OpenHands using Docker
-        2. Configure with Claude 3.5 Sonnet
-        3. Run command: `openhands run "write a python script"`
-        4. Wait 30 seconds
-        5. Error appears
-    validations:
-      required: false
-
   - type: dropdown
     id: installation
     attributes:
-      label: OpenHands Installation Method
+      label: OpenHands Installation
       description: How are you running OpenHands?
       options:
-        - CLI (uv tool install)
-        - CLI (executable binary)
-        - CLI (Docker)
-        - Local GUI (Docker web interface)
-        - OpenHands Cloud (app.all-hands.dev)
-        - SDK (Python library)
+        - Docker command in README
+        - GitHub resolver
         - Development workflow
+        - CLI
+        - app.all-hands.dev
         - Other
       default: 0
-    validations:
-      required: false
-
-  - type: input
-    id: installation-other
-    attributes:
-      label: If you selected "Other", please specify
-      description: Describe your installation method
-      placeholder: ex. Custom Kubernetes deployment, pip install from source, etc.
 
   - type: input
     id: openhands-version
     attributes:
       label: OpenHands Version
-      description: What version are you using? Find this in settings or by running `openhands --version`
-      placeholder: ex. 0.9.8, main, commit hash, etc.
-    validations:
-      required: false
-
-  - type: checkboxes
-    id: version-confirmation
-    attributes:
-      label: Version Confirmation
-      description: Bugs on older versions may already be fixed. Please upgrade before submitting.
-      options:
-        - label: "I have confirmed this bug exists on the LATEST version of OpenHands"
-          required: false
+      description: What version of OpenHands are you using?
+      placeholder: ex. 0.9.8, main, etc.
 
   - type: input
     id: model-name
     attributes:
       label: Model Name
-      description: Which LLM model are you using?
-      placeholder: ex. gpt-4o, claude-3-5-sonnet-20241022, openrouter/deepseek-r1, etc.
-    validations:
-      required: false
+      description: What model are you using?
+      placeholder: ex. gpt-4o, claude-3-5-sonnet, openrouter/deepseek-r1, etc.
 
   - type: dropdown
     id: os
@@ -121,46 +60,12 @@ body:
         - MacOS
         - Linux
         - WSL on Windows
-        - Windows (Docker Desktop)
-        - Other
-    validations:
-      required: false
-
-  - type: input
-    id: browser
-    attributes:
-      label: Browser (if using web UI)
-      description: |
-        If applicable, which browser and version?
-
-      placeholder: ex. Chrome 131, Firefox 133, Safari 17.2
-
-  - type: textarea
-    id: logs
-    attributes:
-      label: Logs and Error Messages
-      description: |
-        **Paste relevant logs, error messages, or stack traces.** Use code blocks (```) for formatting.
-
-        LLM logs are in `logs/llm/default/`. Include timestamps if errors occurred at a specific time.
-      placeholder: |
-        ```
-        Paste error logs here
-        ```
 
   - type: textarea
     id: additional-context
     attributes:
-      label: Screenshots and Additional Context
-      description: |
-        Add screenshots, videos, runtime environment, or other context that helps explain the issue.
-
-        💡 **Share conversation history:** In the OpenHands chat UI, click the 👎 or 👍 button (above the message input) to generate a shareable link to your conversation.
-
-      placeholder: Drag and drop screenshots here, paste links, or add additional context.
-
-  - type: markdown
-    attributes:
-      value: |
-        ---
-        **Note:** Issues with incomplete information may be closed or deprioritized. Maintainers and community members have limited bandwidth and prioritize well-documented bugs that are easier to reproduce and fix. Thank you for your understanding!
+      label: Logs, Errors, Screenshots, and Additional Context
+      description: Please provide any additional information you think might help. If you want to share the chat history
+        you can click the thumbs-down (👎) button above the input field and you will get a shareable link
+        (you can also click thumbs up when things are going well of course!). LLM logs will be stored in the
+        `logs/llm/default` folder. Please add any additional context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -1,2 +0,0 @@
-# disable blank issue creation
-blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,17 @@
+---
+name: Feature Request or Enhancement
+about: Suggest an idea for an OpenHands feature or enhancement
+title: ''
+labels: 'enhancement'
+assignees: ''
+
+---
+
+**What problem or use case are you trying to solve?**
+
+**Describe the UX or technical implementation you have in mind**
+
+**Additional context**
+
+
+### If you find this feature request or enhancement useful, make sure to add a 👍 to the issue

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,105 +0,0 @@
-name: Feature Request or Enhancement
-description: Suggest a new feature or improvement for OpenHands
-title: '[Feature]: '
-labels: ['enhancement']
-body:
-  - type: markdown
-    attributes:
-      value: |
-        ## Thank you for suggesting a feature! 💡
-
-        **Please provide detailed information.** Vague or low-effort requests may be closed. Well-documented feature requests with strong community support are more likely to be added to the roadmap.
-
-  - type: checkboxes
-    attributes:
-      label: Is there an existing feature request for this?
-      description: Please search existing issues and feature requests before creating a new one. If found, react or comment to the duplicate issue instead of making a new one.
-      options:
-      - label: I have searched existing issues and feature requests, and this is not a duplicate.
-        required: true
-
-  - type: textarea
-    id: problem-statement
-    attributes:
-      label: Problem or Use Case
-      description: What problem are you trying to solve? What use case would this feature enable?
-      placeholder: |
-        Example - "As a developer working on large codebases, I need to search across multiple files simultaneously. Currently, I have to search file-by-file which is time-consuming and inefficient."
-    validations:
-      required: true
-
-  - type: textarea
-    id: proposed-solution
-    attributes:
-      label: Proposed Solution
-      description: Describe your ideal solution. What should this feature do? How should it work?
-      placeholder: |
-        Example - "Add a global search feature that allows searching across all files in the workspace. Results should show file name, line number, and context around matches. Include regex support and filtering options."
-    validations:
-      required: true
-
-  - type: textarea
-    id: alternatives
-    attributes:
-      label: Alternatives Considered
-      description: Have you considered any alternative solutions or workarounds? What are their limitations?
-      placeholder: Example - "I tried using grep in the terminal, but it's not integrated with the UI and doesn't provide click-to-navigate functionality."
-
-  - type: dropdown
-    id: priority
-    attributes:
-      label: Priority / Severity
-      description: How important is this feature to your workflow?
-      options:
-        - "Critical - Blocking my work, no workaround available"
-        - "High - Significant impact on productivity"
-        - "Medium - Would improve experience"
-        - "Low - Nice to have"
-      default: 2
-    validations:
-      required: true
-
-  - type: dropdown
-    id: scope
-    attributes:
-      label: Estimated Scope
-      description: To the best of your knowledge, how complex do you think this feature would be to implement?
-      options:
-        - "Small - UI tweak, config option, or minor change"
-        - "Medium - New feature with moderate complexity"
-        - "Large - Significant feature requiring architecture changes"
-        - "Unknown - Not sure about the technical complexity"
-      default: 3
-
-  - type: dropdown
-    id: feature-area
-    attributes:
-      label: Feature Area
-      description: Which part of OpenHands does this feature relate to? If you select "Other", please specify the area in the Additional Context section below.
-      options:
-        - "Agent / AI behavior"
-        - "User Interface / UX"
-        - "CLI / Command-line interface"
-        - "File system / Workspace management"
-        - "Configuration / Settings"
-        - "Integrations (GitHub, GitLab, etc.)"
-        - "Performance / Optimization"
-        - "Documentation"
-        - "Other"
-    validations:
-      required: true
-
-  - type: textarea
-    id: technical-details
-    attributes:
-      label: Technical Implementation Ideas (Optional)
-      description: If you have technical expertise, share implementation ideas, API suggestions, or relevant technical details.
-      placeholder: |
-        Example - "Could use ripgrep library for fast search. Expose results via /api/search endpoint. Frontend can use virtualized list for rendering large result sets."
-
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional Context
-      description: Add any other context, screenshots, mockups, or examples that help illustrate this feature request.
-      placeholder: Drag and drop screenshots, mockups, or links here.

.github/actions/docker-image-tags/action.yml

@@ -1,51 +0,0 @@
-name: Compute Docker image tags
-description: Produce the canonical OpenHands Docker tag set (ref name, short SHA, full SHA — each in bare and `sha-` prefixed form) for a given image, with optional suffix and extra raw tags.
-
-inputs:
-  image:
-    description: Fully qualified image name (e.g. ghcr.io/owner/openhands).
-    required: true
-  ref-name:
-    description: Git ref name to emit as a tag (e.g. main, pr-123, saas-rel-1.2.3).
-    required: true
-  suffix:
-    description: Suffix appended to every tag (e.g. -amd64, -nikolaik-arm64). Leave empty for base (multi-arch manifest) tags.
-    required: false
-    default: ""
-  extra-tags:
-    description: Additional newline-separated metadata-action tag rules (e.g. extra `type=raw,value=...` lines).
-    required: false
-    default: ""
-
-outputs:
-  tags:
-    description: Newline-separated list of fully qualified image tags.
-    value: ${{ steps.meta.outputs.tags }}
-  labels:
-    description: Image labels emitted by docker/metadata-action.
-    value: ${{ steps.meta.outputs.labels }}
-  version:
-    description: Sanitized version string (ref-name with any suffix applied). Safe to use in docker tags.
-    value: ${{ steps.meta.outputs.version }}
-
-runs:
-  using: composite
-  steps:
-    - name: Compute tags
-      id: meta
-      uses: docker/metadata-action@v6
-      env:
-        # Use the PR head SHA (not the merge SHA) for sha-prefixed tags.
-        DOCKER_METADATA_PR_HEAD_SHA: "true"
-      with:
-        images: ${{ inputs.image }}
-        flavor: |
-          latest=false
-          suffix=${{ inputs.suffix }}
-        tags: |
-          type=raw,value=${{ inputs.ref-name }}
-          type=sha,prefix=sha-
-          type=sha,prefix=
-          type=sha,format=long,prefix=sha-
-          type=sha,format=long,prefix=
-          ${{ inputs.extra-tags }}

.github/actions/docker-merge-manifest/action.yml

@@ -1,43 +0,0 @@
-name: Merge multi-arch Docker manifest
-description: Build a multi-arch manifest from per-arch image tags pushed by an earlier build step.
-
-inputs:
-  base-tags:
-    description: Newline-separated list of base tags (without architecture suffix).
-    required: true
-  archs:
-    description: Space-separated list of architectures (e.g. "amd64 arm64").
-    required: true
-
-runs:
-  using: composite
-  steps:
-    - name: Login to GHCR
-      uses: docker/login-action@v4
-      with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
-        password: ${{ github.token }}
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-
-    - name: Create multi-arch manifests
-      shell: bash
-      env:
-        BASE_TAGS: ${{ inputs.base-tags }}
-        ARCHS: ${{ inputs.archs }}
-      run: |
-        while IFS= read -r tag; do
-          [[ -z "$tag" ]] && continue
-          sources=""
-          for arch in $ARCHS; do
-            if ! docker buildx imagetools inspect "${tag}-${arch}" > /dev/null 2>&1; then
-              echo "::error::Missing image ${tag}-${arch}"
-              exit 1
-            fi
-            sources+=" ${tag}-${arch}"
-          done
-          echo "Creating manifest for $tag from:$sources"
-          docker buildx imagetools create -t "$tag" $sources
-        done <<< "$BASE_TAGS"

.github/dependabot.yml

@@ -4,7 +4,7 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 1
     groups:
       # put packages in their own group if they have a history of breaking the build or needing to be reverted
       pre-commit:
@@ -29,7 +29,7 @@ updates:
     directory: "/frontend"
     schedule:
       interval: "daily"
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 1
     groups:
       docusaurus:
         patterns:
@@ -51,7 +51,7 @@ updates:
     schedule:
       interval: "weekly"
       day: "wednesday"
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 1
     groups:
       docusaurus:
         patterns:
@@ -72,11 +72,9 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    open-pull-requests-limit: 5
 
   - package-ecosystem: "docker"
     directories:
       - "containers/*"
     schedule:
       interval: "weekly"
-    open-pull-requests-limit: 5

.github/pull_request_template.md

@@ -1,46 +1,31 @@
-<!-- Keep this PR as draft until it is ready for review. -->
+## Summary of PR
 
-<!-- AI/LLM agents: be concise and specific. Do not check the box below. -->
+<!-- Summarize what the PR does, explaining any non-trivial design decisions. -->
 
-- [ ] A human has tested these changes.
+## Change Type
 
----
-
-## Why
-
-<!-- Describe problem, motivation, etc.-->
-
-## Summary
-
-<!-- 1-3 bullets describing what changed. -->
--
-
-## Issue Number
-<!-- Required if there is a relevant issue to this PR. -->
-
-## How to Test
-
-<!--
-Required. Share the steps for the reviewer to be able to test your PR. e.g. You can test by running `npm install` then `npm build dev`.
-
-If you could not test this, say why.
--->
-
-## Video/Screenshots
-
-<!--
-Provide a video or screenshots of testing your PR. e.g. you added a new feature to the gui, show us the video of you testing it successfully.
-
--->
-
-## Type
+<!-- Choose the types that apply to your PR and remove the rest. -->
 
 - [ ] Bug fix
-- [ ] Feature
-- [ ] Refactor
+- [ ] New feature
 - [ ] Breaking change
-- [ ] Docs / chore
+- [ ] Refactor
+- [ ] Other (dependency update, docs, typo fixes, etc.)
 
-## Notes
+## Checklist
 
-<!-- Optional: migrations, config changes, rollout concerns, follow-ups, or anything reviewers should know. -->
+- [ ] I have read and reviewed the code and I understand what the code is doing.
+- [ ] I have tested the code to the best of my ability and ensured it works as expected.
+
+## Fixes
+
+<!-- If this resolves an issue, link it here so it will close automatically upon merge. -->
+
+Resolves #(issue)
+
+## Release Notes
+
+<!-- Check the box if this change is worth adding to the release notes. If checked, you must provide an
+end-user friendly description for your change below the checkbox. -->
+
+- [ ] Include this change in the Release Notes.

.github/scripts/check_version_consistency.py

@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+import os
+import re
+import sys
+
+
+def find_version_references(directory: str) -> tuple[set[str], set[str]]:
+    openhands_versions = set()
+    runtime_versions = set()
+
+    version_pattern_openhands = re.compile(r'openhands:(\d{1})\.(\d{2})')
+    version_pattern_runtime = re.compile(r'runtime:(\d{1})\.(\d{2})')
+
+    for root, _, files in os.walk(directory):
+        # Skip .git directory and docs/build directory
+        if '.git' in root or 'docs/build' in root:
+            continue
+
+        for file in files:
+            if file.endswith(
+                ('.md', '.yml', '.yaml', '.txt', '.html', '.py', '.js', '.ts')
+            ):
+                file_path = os.path.join(root, file)
+                try:
+                    with open(file_path, 'r', encoding='utf-8') as f:
+                        content = f.read()
+
+                        # Find all openhands version references
+                        matches = version_pattern_openhands.findall(content)
+                        if matches:
+                            print(f'Found openhands version {matches} in {file_path}')
+                            openhands_versions.update(matches)
+
+                        # Find all runtime version references
+                        matches = version_pattern_runtime.findall(content)
+                        if matches:
+                            print(f'Found runtime version {matches} in {file_path}')
+                            runtime_versions.update(matches)
+                except Exception as e:
+                    print(f'Error reading {file_path}: {e}', file=sys.stderr)
+
+    return openhands_versions, runtime_versions
+
+
+def main():
+    repo_root = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..'))
+    print(f'Checking version consistency in {repo_root}')
+    openhands_versions, runtime_versions = find_version_references(repo_root)
+
+    print(f'Found openhands versions: {sorted(openhands_versions)}')
+    print(f'Found runtime versions: {sorted(runtime_versions)}')
+
+    exit_code = 0
+
+    if len(openhands_versions) > 1:
+        print('Error: Multiple openhands versions found:', file=sys.stderr)
+        print('Found versions:', sorted(openhands_versions), file=sys.stderr)
+        exit_code = 1
+    elif len(openhands_versions) == 0:
+        print('Warning: No openhands version references found', file=sys.stderr)
+
+    if len(runtime_versions) > 1:
+        print('Error: Multiple runtime versions found:', file=sys.stderr)
+        print('Found versions:', sorted(runtime_versions), file=sys.stderr)
+        exit_code = 1
+    elif len(runtime_versions) == 0:
+        print('Warning: No runtime version references found', file=sys.stderr)
+
+    sys.exit(exit_code)
+
+
+if __name__ == '__main__':
+    main()

.github/scripts/find_prs_between_commits.py

@@ -1,330 +0,0 @@
-#!/usr/bin/env python3
-"""
-Find all PRs that went in between two commits in the OpenHands/OpenHands repository.
-Handles cherry-picks and different merge strategies.
-
-This script is designed to run from within the OpenHands repository under .github/scripts:
-    .github/scripts/find_prs_between_commits.py
-
-Usage: find_prs_between_commits <older_commit> <newer_commit> [--repo <path>]
-"""
-
-import json
-import os
-import re
-import subprocess
-import sys
-from collections import defaultdict
-from pathlib import Path
-from typing import Optional
-
-
-def find_openhands_repo() -> Optional[Path]:
-    """
-    Find the OpenHands repository.
-    Since this script is designed to live in .github/scripts/, it assumes
-    the repository root is two levels up from the script location.
-    Tries:
-    1. Repository root (../../ from script location)
-    2. Current directory
-    3. Environment variable OPENHANDS_REPO
-    """
-    # Check repository root (assuming script is in .github/scripts/)
-    script_dir = Path(__file__).parent.absolute()
-    repo_root = (
-        script_dir.parent.parent
-    )  # Go up two levels: scripts -> .github -> repo root
-    if (repo_root / '.git').exists():
-        return repo_root
-
-    # Check current directory
-    if (Path.cwd() / '.git').exists():
-        return Path.cwd()
-
-    # Check environment variable
-    if 'OPENHANDS_REPO' in os.environ:
-        repo_path = Path(os.environ['OPENHANDS_REPO'])
-        if (repo_path / '.git').exists():
-            return repo_path
-
-    return None
-
-
-def run_git_command(cmd: list[str], repo_path: Path) -> str:
-    """Run a git command in the repository directory and return its output."""
-    try:
-        result = subprocess.run(
-            cmd, capture_output=True, text=True, check=True, cwd=str(repo_path)
-        )
-        return result.stdout.strip()
-    except subprocess.CalledProcessError as e:
-        print(f'Error running git command: {" ".join(cmd)}', file=sys.stderr)
-        print(f'Error: {e.stderr}', file=sys.stderr)
-        sys.exit(1)
-
-
-def extract_pr_numbers_from_message(message: str) -> set[int]:
-    """Extract PR numbers from commit message in any common format."""
-    # Match #12345 anywhere, including in patterns like (#12345) or "Merge pull request #12345"
-    matches = re.findall(r'#(\d+)', message)
-    return set(int(m) for m in matches)
-
-
-def get_commit_info(commit_hash: str, repo_path: Path) -> tuple[str, str, str]:
-    """Get commit subject, body, and author from a commit hash."""
-    subject = run_git_command(
-        ['git', 'log', '-1', '--format=%s', commit_hash], repo_path
-    )
-    body = run_git_command(['git', 'log', '-1', '--format=%b', commit_hash], repo_path)
-    author = run_git_command(
-        ['git', 'log', '-1', '--format=%an <%ae>', commit_hash], repo_path
-    )
-    return subject, body, author
-
-
-def get_commits_between(
-    older_commit: str, newer_commit: str, repo_path: Path
-) -> list[str]:
-    """Get all commit hashes between two commits."""
-    commits_output = run_git_command(
-        ['git', 'rev-list', f'{older_commit}..{newer_commit}'], repo_path
-    )
-
-    if not commits_output:
-        return []
-
-    return commits_output.split('\n')
-
-
-def get_pr_info_from_github(pr_number: int, repo_path: Path) -> Optional[dict]:
-    """Get PR information from GitHub API if GITHUB_TOKEN is available."""
-    try:
-        # Set up environment with GitHub token
-        env = os.environ.copy()
-        if 'GITHUB_TOKEN' in env:
-            env['GH_TOKEN'] = env['GITHUB_TOKEN']
-
-        result = subprocess.run(
-            [
-                'gh',
-                'pr',
-                'view',
-                str(pr_number),
-                '--json',
-                'number,title,author,mergedAt,baseRefName,headRefName,url',
-            ],
-            capture_output=True,
-            text=True,
-            check=True,
-            env=env,
-            cwd=str(repo_path),
-        )
-        return json.loads(result.stdout)
-    except (subprocess.CalledProcessError, FileNotFoundError, json.JSONDecodeError):
-        return None
-
-
-def find_prs_between_commits(
-    older_commit: str, newer_commit: str, repo_path: Path
-) -> dict[int, dict]:
-    """
-    Find all PRs that went in between two commits.
-    Returns a dictionary mapping PR numbers to their information.
-    """
-    print(f'Repository: {repo_path}', file=sys.stderr)
-    print('Finding PRs between commits:', file=sys.stderr)
-    print(f'  Older: {older_commit}', file=sys.stderr)
-    print(f'  Newer: {newer_commit}', file=sys.stderr)
-    print(file=sys.stderr)
-
-    # Verify commits exist
-    try:
-        run_git_command(['git', 'rev-parse', '--verify', older_commit], repo_path)
-        run_git_command(['git', 'rev-parse', '--verify', newer_commit], repo_path)
-    except SystemExit:
-        print('Error: One or both commits not found in repository', file=sys.stderr)
-        sys.exit(1)
-
-    # Extract PRs from the older commit itself (to exclude from results)
-    # These PRs are already included at or before the older commit
-    older_subject, older_body, _ = get_commit_info(older_commit, repo_path)
-    older_message = f'{older_subject}\n{older_body}'
-    excluded_prs = extract_pr_numbers_from_message(older_message)
-
-    if excluded_prs:
-        print(
-            f'Excluding PRs already in older commit: {", ".join(f"#{pr}" for pr in sorted(excluded_prs))}',
-            file=sys.stderr,
-        )
-        print(file=sys.stderr)
-
-    # Get all commits between the two
-    commits = get_commits_between(older_commit, newer_commit, repo_path)
-    print(f'Found {len(commits)} commits to analyze', file=sys.stderr)
-    print(file=sys.stderr)
-
-    # Extract PR numbers from all commits
-    pr_info: dict[int, dict] = {}
-    commits_by_pr: dict[int, list[str]] = defaultdict(list)
-
-    for commit_hash in commits:
-        subject, body, author = get_commit_info(commit_hash, repo_path)
-        full_message = f'{subject}\n{body}'
-
-        pr_numbers = extract_pr_numbers_from_message(full_message)
-
-        for pr_num in pr_numbers:
-            # Skip PRs that are already in the older commit
-            if pr_num in excluded_prs:
-                continue
-
-            commits_by_pr[pr_num].append(commit_hash)
-
-            if pr_num not in pr_info:
-                pr_info[pr_num] = {
-                    'number': pr_num,
-                    'first_commit': commit_hash[:8],
-                    'first_commit_subject': subject,
-                    'commits': [],
-                    'github_info': None,
-                }
-
-            pr_info[pr_num]['commits'].append(
-                {'hash': commit_hash[:8], 'subject': subject, 'author': author}
-            )
-
-    # Try to get additional info from GitHub API
-    print('Fetching additional info from GitHub API...', file=sys.stderr)
-    for pr_num in pr_info.keys():
-        github_info = get_pr_info_from_github(pr_num, repo_path)
-        if github_info:
-            pr_info[pr_num]['github_info'] = github_info
-
-    print(file=sys.stderr)
-
-    return pr_info
-
-
-def print_results(pr_info: dict[int, dict]):
-    """Print the results in a readable format."""
-    sorted_prs = sorted(pr_info.items(), key=lambda x: x[0])
-
-    print(f'{"=" * 80}')
-    print(f'Found {len(sorted_prs)} PRs')
-    print(f'{"=" * 80}')
-    print()
-
-    for pr_num, info in sorted_prs:
-        print(f'PR #{pr_num}')
-
-        if info['github_info']:
-            gh = info['github_info']
-            print(f'  Title: {gh["title"]}')
-            print(f'  Author: {gh["author"]["login"]}')
-            print(f'  URL: {gh["url"]}')
-            if gh.get('mergedAt'):
-                print(f'  Merged: {gh["mergedAt"]}')
-            if gh.get('baseRefName'):
-                print(f'  Base: {gh["baseRefName"]} ← {gh["headRefName"]}')
-        else:
-            print(f'  Subject: {info["first_commit_subject"]}')
-
-        # Show if this PR has multiple commits (cherry-picked or multiple commits)
-        commit_count = len(info['commits'])
-        if commit_count > 1:
-            print(
-                f'  ⚠️  Found {commit_count} commits (possible cherry-pick or multi-commit PR):'
-            )
-            for commit in info['commits'][:3]:  # Show first 3
-                print(f'      {commit["hash"]}: {commit["subject"][:60]}')
-            if commit_count > 3:
-                print(f'      ... and {commit_count - 3} more')
-        else:
-            print(f'  Commit: {info["first_commit"]}')
-
-        print()
-
-
-def main():
-    if len(sys.argv) < 3:
-        print('Usage: find_prs_between_commits <older_commit> <newer_commit> [options]')
-        print()
-        print('Arguments:')
-        print('  <older_commit>  The older commit hash (or ref)')
-        print('  <newer_commit>  The newer commit hash (or ref)')
-        print()
-        print('Options:')
-        print('  --json          Output results in JSON format')
-        print('  --repo <path>   Path to OpenHands repository (default: auto-detect)')
-        print()
-        print('Example:')
-        print(
-            '  find_prs_between_commits c79e0cd3c7a2501a719c9296828d7a31e4030585 35bddb14f15124a3dc448a74651a6592911d99e9'
-        )
-        print()
-        print('Repository Detection:')
-        print('  The script will try to find the OpenHands repository in this order:')
-        print('  1. --repo argument')
-        print('  2. Repository root (../../ from script location)')
-        print('  3. Current directory')
-        print('  4. OPENHANDS_REPO environment variable')
-        print()
-        print('Environment variables:')
-        print(
-            '  GITHUB_TOKEN    Optional. If set, will fetch additional PR info from GitHub API'
-        )
-        print('  OPENHANDS_REPO  Optional. Path to OpenHands repository')
-        sys.exit(1)
-
-    older_commit = sys.argv[1]
-    newer_commit = sys.argv[2]
-    json_output = '--json' in sys.argv
-
-    # Check for --repo argument
-    repo_path = None
-    if '--repo' in sys.argv:
-        repo_idx = sys.argv.index('--repo')
-        if repo_idx + 1 < len(sys.argv):
-            repo_path = Path(sys.argv[repo_idx + 1])
-            if not (repo_path / '.git').exists():
-                print(f'Error: {repo_path} is not a git repository', file=sys.stderr)
-                sys.exit(1)
-
-    # Auto-detect repository if not specified
-    if repo_path is None:
-        repo_path = find_openhands_repo()
-        if repo_path is None:
-            print('Error: Could not find OpenHands repository', file=sys.stderr)
-            print('Please either:', file=sys.stderr)
-            print(
-                '  1. Place this script in .github/scripts/ within the OpenHands repository',
-                file=sys.stderr,
-            )
-            print('  2. Run from the OpenHands repository directory', file=sys.stderr)
-            print(
-                '  3. Use --repo <path> to specify the repository location',
-                file=sys.stderr,
-            )
-            print('  4. Set OPENHANDS_REPO environment variable', file=sys.stderr)
-            sys.exit(1)
-
-    # Find PRs
-    pr_info = find_prs_between_commits(older_commit, newer_commit, repo_path)
-
-    if json_output:
-        # Output as JSON
-        print(json.dumps(pr_info, indent=2))
-    else:
-        # Print results in human-readable format
-        print_results(pr_info)
-
-        # Also print a simple list for easy copying
-        print(f'{"=" * 80}')
-        print('PR Numbers (for easy copying):')
-        print(f'{"=" * 80}')
-        sorted_pr_nums = sorted(pr_info.keys())
-        print(', '.join(f'#{pr}' for pr in sorted_pr_nums))
-
-
-if __name__ == '__main__':
-    main()

.github/scripts/update_pr_description.sh

@@ -13,9 +13,13 @@ DOCKER_RUN_COMMAND="docker run -it --rm \
   -p 3000:3000 \
   -v /var/run/docker.sock:/var/run/docker.sock \
   --add-host host.docker.internal:host-gateway \
+  -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.openhands.dev/openhands/runtime:${SHORT_SHA}-nikolaik \
   --name openhands-app-${SHORT_SHA} \
   docker.openhands.dev/openhands/openhands:${SHORT_SHA}"
 
+# Define the uvx command
+UVX_RUN_COMMAND="uvx --python 3.12 --from git+https://github.com/OpenHands/OpenHands@${BRANCH_NAME}#subdirectory=openhands-cli openhands"
+
 # Get the current PR body
 PR_BODY=$(gh pr view "$PR_NUMBER" --json body --jq .body)
 
@@ -33,6 +37,11 @@ GUI with Docker:
 \`\`\`
 ${DOCKER_RUN_COMMAND}
 \`\`\`
+
+CLI with uvx:
+\`\`\`
+${UVX_RUN_COMMAND}
+\`\`\`
 EOF
 )
 else
@@ -48,6 +57,11 @@ GUI with Docker:
 \`\`\`
 ${DOCKER_RUN_COMMAND}
 \`\`\`
+
+CLI with uvx:
+\`\`\`
+${UVX_RUN_COMMAND}
+\`\`\`
 EOF
 )
 fi

.github/workflows/_build-image.yml

@@ -1,116 +0,0 @@
-# Reusable workflow: build a multi-arch Docker image and publish a merged manifest.
-# Called per image from .github/workflows/ghcr-build.yml.
-name: Build and push multi-arch image
-
-on:
-  workflow_call:
-    inputs:
-      image:
-        description: Fully-qualified image name (e.g. "ghcr.io/all-hands-ai/openhands").
-        required: true
-        type: string
-      context:
-        description: Docker build context.
-        required: false
-        type: string
-        default: "."
-      dockerfile:
-        description: Path to the Dockerfile.
-        required: true
-        type: string
-      extra-build-args:
-        description: Additional build-args (newline-separated). OPENHANDS_BUILD_VERSION is added automatically.
-        required: false
-        type: string
-        default: ""
-      provenance:
-        description: Value passed to docker/build-push-action provenance.
-        required: false
-        type: boolean
-        default: false
-      sbom:
-        description: Value passed to docker/build-push-action sbom.
-        required: false
-        type: boolean
-        default: false
-      buildx-driver-opts:
-        description: Extra buildx driver-opts (e.g. "network=host" for enterprise).
-        required: false
-        type: string
-        default: ""
-
-env:
-  RELEVANT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
-  RELEVANT_REF_NAME: ${{ github.event.pull_request.number && format('pr-{0}', github.event.pull_request.number) || github.ref_name }}
-
-jobs:
-  build:
-    name: Build ${{ inputs.image }} (${{ matrix.arch }})
-    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-22.04' }}
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      matrix:
-        arch: [amd64, arm64]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Login to GHCR
-        uses: docker/login-action@v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          driver-opts: ${{ inputs.buildx-driver-opts }}
-      - name: Compute per-arch tags
-        id: meta
-        uses: ./.github/actions/docker-image-tags
-        with:
-          image: ${{ inputs.image }}
-          ref-name: ${{ env.RELEVANT_REF_NAME }}
-          suffix: -${{ matrix.arch }}
-      - name: Build and push
-        uses: docker/build-push-action@v7
-        with:
-          context: ${{ inputs.context }}
-          file: ${{ inputs.dockerfile }}
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/${{ matrix.arch }}
-          build-args: |
-            OPENHANDS_BUILD_VERSION=${{ env.RELEVANT_REF_NAME }}
-            ${{ inputs.extra-build-args }}
-          cache-from: |
-            type=registry,ref=${{ inputs.image }}:buildcache-${{ steps.meta.outputs.version }}
-            type=registry,ref=${{ inputs.image }}:buildcache-main-${{ matrix.arch }}
-          cache-to: type=registry,ref=${{ inputs.image }}:buildcache-${{ steps.meta.outputs.version }},mode=max
-          provenance: ${{ inputs.provenance }}
-          sbom: ${{ inputs.sbom }}
-
-  merge:
-    name: Merge ${{ inputs.image }} manifest
-    runs-on: ubuntu-22.04
-    needs: build
-    permissions:
-      packages: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Compute base tags
-        id: meta_base
-        uses: ./.github/actions/docker-image-tags
-        with:
-          image: ${{ inputs.image }}
-          ref-name: ${{ env.RELEVANT_REF_NAME }}
-      - name: Merge manifests
-        uses: ./.github/actions/docker-merge-manifest
-        with:
-          base-tags: ${{ steps.meta_base.outputs.tags }}
-          archs: "amd64 arm64"

.github/workflows/check-package-versions.yml

@@ -1,65 +0,0 @@
-name: Check Package Versions
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-  workflow_dispatch:
-
-jobs:
-  check-package-versions:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: "3.12"
-
-      - name: Check for any 'rev' fields in pyproject.toml
-        run: |
-          python - <<'PY'
-          import sys, tomllib, pathlib
-
-          path = pathlib.Path("pyproject.toml")
-          if not path.exists():
-              print("❌ ERROR: pyproject.toml not found")
-              sys.exit(1)
-
-          try:
-              data = tomllib.loads(path.read_text(encoding="utf-8"))
-          except Exception as e:
-              print(f"❌ ERROR: Failed to parse pyproject.toml: {e}")
-              sys.exit(1)
-
-          poetry = data.get("tool", {}).get("poetry", {})
-          sections = {
-              "dependencies": poetry.get("dependencies", {}),
-          }
-
-          errors = []
-
-          print("🔍 Checking for any dependencies with 'rev' fields...\n")
-          for section_name, deps in sections.items():
-              if not isinstance(deps, dict):
-                  continue
-
-              for pkg_name, cfg in deps.items():
-                  if isinstance(cfg, dict) and "rev" in cfg:
-                      msg = f"  ✖ {pkg_name} in [{section_name}] uses rev='{cfg['rev']}' (NOT ALLOWED)"
-                      print(msg)
-                      errors.append(msg)
-                  else:
-                      print(f"  • {pkg_name}: OK")
-
-          if errors:
-              print("\n❌ FAILED: Found dependencies using 'rev' fields:\n" + "\n".join(errors))
-              print("\nPlease use versioned releases instead, e.g.:")
-              print('  my-package = "1.0.0"')
-              sys.exit(1)
-
-          print("\n✅ SUCCESS: No 'rev' fields found. All dependencies are using proper versioned releases.")
-          PY

.github/workflows/check-version-consistency.yml

@@ -1,122 +0,0 @@
-name: Check Version Consistency
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-  workflow_dispatch:
-
-jobs:
-  check-version-consistency:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: "3.12"
-
-      - name: Check version and Docker image tag consistency
-        run: |
-          python - <<'PY'
-          import json
-          import re
-          import sys
-          import tomllib
-
-          errors = []
-          warnings = []
-
-          # ── 1. Extract the canonical version from pyproject.toml ──────────
-          with open("pyproject.toml", "rb") as f:
-              pyproject = tomllib.load(f)
-          version = pyproject["tool"]["poetry"]["version"]
-          major_minor = ".".join(version.split(".")[:2])
-          print(f"📦 pyproject.toml version: {version} (major.minor: {major_minor})")
-
-          # ── 2. Check frontend/package.json ────────────────────────────────
-          with open("frontend/package.json") as f:
-              pkg = json.load(f)
-          if pkg["version"] != version:
-              errors.append(
-                  f"frontend/package.json version is '{pkg['version']}', expected '{version}'"
-              )
-          else:
-              print(f"  ✔ frontend/package.json: {pkg['version']}")
-
-          # ── 3. Check frontend/package-lock.json (2 places) ───────────────
-          with open("frontend/package-lock.json") as f:
-              lock = json.load(f)
-          for key, val in [
-              ("root.version", lock.get("version")),
-              ('packages[""].version', lock.get("packages", {}).get("", {}).get("version")),
-          ]:
-              if val != version:
-                  errors.append(
-                      f"frontend/package-lock.json {key} is '{val}', expected '{version}'"
-                  )
-              else:
-                  print(f"  ✔ frontend/package-lock.json {key}: {val}")
-
-          # ── 4. Check compose files use agent-server images ─────────────────
-          # Both compose files should use ghcr.io/.../agent-server (not runtime).
-          # Agent-server tags use SDK version (e.g. "1.12.0-python") or commit
-          # hashes (e.g. "31536c8-python") — both are acceptable.
-          repo_pattern = re.compile(r"AGENT_SERVER_IMAGE_REPOSITORY[^}]*:-([^}]+)")
-          tag_pattern = re.compile(r"AGENT_SERVER_IMAGE_TAG:-([^}]+)")
-
-          for filepath in ["docker-compose.yml", "containers/dev/compose.yml"]:
-              try:
-                  with open(filepath) as f:
-                      content = f.read()
-              except FileNotFoundError:
-                  warnings.append(f"{filepath}: file not found")
-                  continue
-
-              repos = repo_pattern.findall(content)
-              tags = tag_pattern.findall(content)
-
-              if not repos:
-                  warnings.append(f"{filepath}: no AGENT_SERVER_IMAGE_REPOSITORY default found")
-              else:
-                  repo = repos[0]
-                  if "agent-server" not in repo:
-                      errors.append(
-                          f"{filepath}: AGENT_SERVER_IMAGE_REPOSITORY defaults to '{repo}', "
-                          f"expected an agent-server image (not runtime)"
-                      )
-                  else:
-                      print(f"  ✔ {filepath} image repository: {repo}")
-
-              if not tags:
-                  warnings.append(f"{filepath}: no AGENT_SERVER_IMAGE_TAG default found")
-              else:
-                  tag = tags[0]
-                  if not tag:
-                      errors.append(f"{filepath}: AGENT_SERVER_IMAGE_TAG default is empty")
-                  else:
-                      print(f"  ✔ {filepath} image tag: {tag}")
-
-          # ── 5. Report ─────────────────────────────────────────────────────
-          print()
-          if warnings:
-              print("⚠ Warnings:")
-              for w in warnings:
-                  print(f"  {w}")
-              print()
-
-          if errors:
-              print("❌ FAILED: Version inconsistencies found:\n")
-              for e in errors:
-                  print(f"  ✖ {e}")
-              print(
-                  "\nAll version numbers and Docker image tags must be consistent."
-                  "\nSee .agents/skills/update-sdk/SKILL.md for the full checklist."
-              )
-              sys.exit(1)
-          else:
-              print("✅ All version numbers and Docker image tags are consistent.")
-          PY

.github/workflows/clean-up.yml

@@ -0,0 +1,69 @@
+# Workflow that cleans up outdated and old workflows to prevent out of disk issues
+name: Delete old workflow runs
+
+# This workflow is currently only triggered manually
+on:
+  workflow_dispatch:
+    inputs:
+      days:
+        description: 'Days-worth of runs to keep for each workflow'
+        required: true
+        default: '30'
+      minimum_runs:
+        description: 'Minimum runs to keep for each workflow'
+        required: true
+        default: '10'
+      delete_workflow_pattern:
+        description: 'Name or filename of the workflow (if not set, all workflows are targeted)'
+        required: false
+      delete_workflow_by_state_pattern:
+        description: 'Filter workflows by state: active, deleted, disabled_fork, disabled_inactivity, disabled_manually'
+        required: true
+        default: "ALL"
+        type: choice
+        options:
+          - "ALL"
+          - active
+          - deleted
+          - disabled_inactivity
+          - disabled_manually
+      delete_run_by_conclusion_pattern:
+        description: 'Remove runs based on conclusion: action_required, cancelled, failure, skipped, success'
+        required: true
+        default: 'ALL'
+        type: choice
+        options:
+          - 'ALL'
+          - 'Unsuccessful: action_required,cancelled,failure,skipped'
+          - action_required
+          - cancelled
+          - failure
+          - skipped
+          - success
+      dry_run:
+        description: 'Logs simulated changes, no deletions are performed'
+        required: false
+
+jobs:
+  del_runs:
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    permissions:
+      actions: write
+      contents: read
+    steps:
+      - name: Delete workflow runs
+        uses: Mattraks/delete-workflow-runs@v2
+        with:
+          token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          retain_days: ${{ github.event.inputs.days }}
+          keep_minimum_runs: ${{ github.event.inputs.minimum_runs }}
+          delete_workflow_pattern: ${{ github.event.inputs.delete_workflow_pattern }}
+          delete_workflow_by_state_pattern: ${{ github.event.inputs.delete_workflow_by_state_pattern }}
+          delete_run_by_conclusion_pattern: >-
+            ${{
+              startsWith(github.event.inputs.delete_run_by_conclusion_pattern, 'Unsuccessful:')
+              && 'action_required,cancelled,failure,skipped'
+              || github.event.inputs.delete_run_by_conclusion_pattern
+            }}
+          dry_run: ${{ github.event.inputs.dry_run }}

.github/workflows/cli-build-binary-and-optionally-release.yml

@@ -0,0 +1,114 @@
+# Workflow that builds and tests the CLI binary executable
+name: CLI - Build binary and optionally release
+
+# Run on pushes to main branch and CLI tags, and on pull requests when CLI files change
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*-cli"
+  pull_request:
+    paths:
+      - "openhands-cli/**"
+
+permissions:
+  contents: write       # needed to create releases or upload assets
+
+# Cancel previous runs if a new commit is pushed
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build-binary:
+    name: Build binary executable
+    strategy:
+      matrix:
+        include:
+          # Build on Ubuntu 22.04 for maximum GLIBC compatibility (GLIBC 2.31)
+          - os: ubuntu-22.04
+            platform: linux
+            artifact_name: openhands-cli-linux
+          # Build on macOS for macOS users
+          - os: macos-15
+            platform: macos
+            artifact_name: openhands-cli-macos
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+        with:
+          version: "latest"
+
+      - name: Install dependencies
+        working-directory: openhands-cli
+        run: |
+          uv sync
+
+      - name: Build binary executable
+        working-directory: openhands-cli
+        run: |
+          ./build.sh --install-pyinstaller | tee output.log
+          echo "Full output:"
+          cat output.log
+
+          if grep -q "❌" output.log; then
+            echo "❌ Found failure marker in output"
+            exit 1
+          fi
+
+          echo "✅ Build & test finished without ❌ markers"
+
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.artifact_name }}
+          path: openhands-cli/dist/openhands*
+          retention-days: 30
+
+  create-github-release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    needs: build-binary
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+
+      - name: Prepare release assets
+        run: |
+          mkdir -p release-assets
+          # Copy binaries with appropriate names for release
+          if [ -f artifacts/openhands-cli-linux/openhands ]; then
+            cp artifacts/openhands-cli-linux/openhands release-assets/openhands-linux
+          fi
+          if [ -f artifacts/openhands-cli-macos/openhands ]; then
+            cp artifacts/openhands-cli-macos/openhands release-assets/openhands-macos
+          fi
+          ls -la release-assets/
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: release-assets/*
+          draft: true
+          prerelease: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dispatch-to-docs.yml

@@ -0,0 +1,23 @@
+name: Dispatch to docs repo
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'docs/**'
+  workflow_dispatch:
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        repo: ["OpenHands/docs"]
+    steps:
+      - name: Push to docs repo
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+          repository: ${{ matrix.repo }}
+          event-type: update
+          client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "module": "openhands", "branch": "main"}'

.github/workflows/e2e-tests.yml

@@ -0,0 +1,228 @@
+name: End-to-End Tests
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled]
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
+
+jobs:
+  e2e-tests:
+    if: contains(github.event.pull_request.labels.*.name, 'end-to-end') || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    env:
+      GITHUB_REPO_NAME: ${{ github.repository }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install poetry via pipx
+        uses: abatilo/actions-poetry@v4
+        with:
+          poetry-version: 2.1.3
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'poetry'
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libgtk-3-0 libnotify4 libnss3 libxss1 libxtst6 xauth xvfb libgbm1 libasound2t64 netcat-openbsd
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: 'frontend/package-lock.json'
+
+      - name: Setup environment for end-to-end tests
+        run: |
+          # Create test results directory
+          mkdir -p test-results
+
+          # Create downloads directory for OpenHands (use a directory in the home folder)
+          mkdir -p $HOME/downloads
+          sudo chown -R $USER:$USER $HOME/downloads
+          sudo chmod -R 755 $HOME/downloads
+
+      - name: Build OpenHands
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LLM_MODEL: ${{ secrets.LLM_MODEL || 'gpt-4o' }}
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY || 'test-key' }}
+          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
+          INSTALL_DOCKER: 1
+          RUNTIME: docker
+          FRONTEND_PORT: 12000
+          FRONTEND_HOST: 0.0.0.0
+          BACKEND_HOST: 0.0.0.0
+          BACKEND_PORT: 3000
+          ENABLE_BROWSER: true
+          INSTALL_PLAYWRIGHT: 1
+        run: |
+          # Fix poetry.lock file if needed
+          echo "Fixing poetry.lock file if needed..."
+          poetry lock
+
+          # Build OpenHands using make build
+          echo "Running make build..."
+          make build
+
+          # Install Chromium Headless Shell for Playwright (needed for pytest-playwright)
+          echo "Installing Chromium Headless Shell for Playwright..."
+          poetry run playwright install chromium-headless-shell
+
+          # Verify Playwright browsers are installed (for e2e tests only)
+          echo "Verifying Playwright browsers installation for e2e tests..."
+          BROWSER_CHECK=$(poetry run python tests/e2e/check_playwright.py 2>/dev/null)
+
+          if [ "$BROWSER_CHECK" != "chromium_found" ]; then
+            echo "ERROR: Chromium browser not found or not working for e2e tests"
+            echo "$BROWSER_CHECK"
+            exit 1
+          else
+            echo "Playwright browsers are properly installed for e2e tests."
+          fi
+
+          # Docker runtime will handle workspace directory creation
+
+          # Start the application using make run with custom parameters and reduced logging
+          echo "Starting OpenHands using make run..."
+          # Set environment variables to reduce logging verbosity
+          export PYTHONUNBUFFERED=1
+          export LOG_LEVEL=WARNING
+          export UVICORN_LOG_LEVEL=warning
+          export OPENHANDS_LOG_LEVEL=WARNING
+          FRONTEND_PORT=12000 FRONTEND_HOST=0.0.0.0 BACKEND_HOST=0.0.0.0 make run > /tmp/openhands-e2e-test.log 2>&1 &
+
+          # Store the PID of the make run process
+          MAKE_PID=$!
+          echo "OpenHands started with PID: $MAKE_PID"
+
+          # Wait for the application to start
+          echo "Waiting for OpenHands to start..."
+          max_attempts=15
+          attempt=1
+
+          while [ $attempt -le $max_attempts ]; do
+            echo "Checking if OpenHands is running (attempt $attempt of $max_attempts)..."
+
+            # Check if the process is still running
+            if ! ps -p $MAKE_PID > /dev/null; then
+              echo "ERROR: OpenHands process has terminated unexpectedly"
+              echo "Last 50 lines of the log:"
+              tail -n 50 /tmp/openhands-e2e-test.log
+              exit 1
+            fi
+
+            # Check if frontend port is open
+            if nc -z localhost 12000; then
+              # Verify we can get HTML content
+              if curl -s http://localhost:12000 | grep -q "<html"; then
+                echo "SUCCESS: OpenHands is running and serving HTML content on port 12000"
+                break
+              else
+                echo "Port 12000 is open but not serving HTML content yet"
+              fi
+            else
+              echo "Frontend port 12000 is not open yet"
+            fi
+
+            # Show log output on each attempt
+            echo "Recent log output:"
+            tail -n 20 /tmp/openhands-e2e-test.log
+
+            # Wait before next attempt
+            echo "Waiting 10 seconds before next check..."
+            sleep 10
+            attempt=$((attempt + 1))
+
+            # Exit if we've reached the maximum number of attempts
+            if [ $attempt -gt $max_attempts ]; then
+              echo "ERROR: OpenHands failed to start after $max_attempts attempts"
+              echo "Last 50 lines of the log:"
+              tail -n 50 /tmp/openhands-e2e-test.log
+              exit 1
+            fi
+          done
+
+          # Final verification that the app is running
+          if ! nc -z localhost 12000 || ! curl -s http://localhost:12000 | grep -q "<html"; then
+            echo "ERROR: OpenHands is not running properly on port 12000"
+            echo "Last 50 lines of the log:"
+            tail -n 50 /tmp/openhands-e2e-test.log
+            exit 1
+          fi
+
+          # Print success message
+          echo "OpenHands is running successfully on port 12000"
+
+      - name: Run end-to-end tests
+        env:
+          GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN }}
+          LLM_MODEL: ${{ secrets.LLM_MODEL || 'gpt-4o' }}
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY || 'test-key' }}
+          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
+        run: |
+          # Check if the application is running
+          if ! nc -z localhost 12000; then
+            echo "ERROR: OpenHands is not running on port 12000"
+            echo "Last 50 lines of the log:"
+            tail -n 50 /tmp/openhands-e2e-test.log
+            exit 1
+          fi
+
+          # Run the tests with detailed output
+          cd tests/e2e
+          poetry run python -m pytest \
+            test_settings.py::test_github_token_configuration \
+            test_conversation.py::test_conversation_start \
+            test_browsing_catchphrase.py::test_browsing_catchphrase \
+            test_multi_conversation_resume.py::test_multi_conversation_resume \
+            -v --no-header --capture=no --timeout=900
+
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-report
+          path: tests/e2e/test-results/
+          retention-days: 30
+
+      - name: Upload OpenHands logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: openhands-logs
+          path: |
+            /tmp/openhands-e2e-test.log
+            /tmp/openhands-e2e-build.log
+            /tmp/openhands-backend.log
+            /tmp/openhands-frontend.log
+            /tmp/backend-health-check.log
+            /tmp/frontend-check.log
+            /tmp/vite-config.log
+            /tmp/makefile-contents.log
+          retention-days: 30
+
+      - name: Cleanup
+        if: always()
+        run: |
+          # Stop OpenHands processes
+          echo "Stopping OpenHands processes..."
+          pkill -f "python -m openhands.server" || true
+          pkill -f "npm run dev" || true
+          pkill -f "make run" || true
+
+          # Print process status for debugging
+          echo "Checking if any OpenHands processes are still running:"
+          ps aux | grep -E "openhands|npm run dev" || true

.github/workflows/enterprise-check-migrations.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout PR branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:
           fi
 
       - name: Find Comment
-        uses: peter-evans/find-comment@v4
+        uses: peter-evans/find-comment@v3
         id: find-comment
         with:
           issue-number: ${{ github.event.pull_request.number }}
@@ -43,7 +43,7 @@ jobs:
             ⚠️ This PR contains **migrations**
 
       - name: Comment warning on PR
-        uses: peter-evans/create-or-update-comment@v5
+        uses: peter-evans/create-or-update-comment@v4
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-id: ${{ steps.find-comment.outputs.comment-id }}

.github/workflows/enterprise-preview.yml

@@ -0,0 +1,29 @@
+# Feature branch preview for enterprise code
+name: Enterprise Preview
+
+# Run on PRs labeled
+on:
+  pull_request:
+    types: [labeled]
+
+# Match ghcr-build.yml, but don't interrupt it.
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
+  cancel-in-progress: false
+
+jobs:
+  # This must happen for the PR Docker workflow when the label is present,
+  # and also if it's added after the fact. Thus, it exists in both places.
+  enterprise-preview:
+    name: Enterprise preview
+    if: github.event.label.name == 'deploy'
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    steps:
+      # This should match the version in ghcr-build.yml
+      - name: Trigger remote job
+        run: |
+          curl --fail-with-body -sS -X POST \
+            -H "Authorization: Bearer ${{ secrets.PAT_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            -d "{\"ref\": \"main\", \"inputs\": {\"openhandsPrNumber\": \"${{ github.event.pull_request.number }}\", \"deployEnvironment\": \"feature\", \"enterpriseImageTag\": \"pr-${{ github.event.pull_request.number }}\" }}" \
+            https://api.github.com/repos/OpenHands/deploy/actions/workflows/deploy.yaml/dispatches

.github/workflows/fe-e2e-tests.yml

@@ -1,49 +0,0 @@
-# Workflow that runs frontend e2e tests with Playwright
-name: Run Frontend E2E Tests
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    paths:
-      - "frontend/**"
-      - ".github/workflows/fe-e2e-tests.yml"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  fe-e2e-test:
-    name: FE E2E Tests
-    runs-on: ubuntu-22.04
-    strategy:
-      matrix:
-        node-version: [22]
-      fail-fast: true
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
-      - name: Install dependencies
-        working-directory: ./frontend
-        run: npm ci
-      - name: Install Playwright browsers
-        working-directory: ./frontend
-        run: npx playwright install --with-deps chromium
-      - name: Run Playwright tests
-        working-directory: ./frontend
-        run: npx playwright test --project=chromium
-      - name: Upload Playwright report
-        uses: actions/upload-artifact@v7
-        if: always()
-        with:
-          name: playwright-report
-          path: frontend/playwright-report/
-          retention-days: 30

.github/workflows/fe-unit-tests.yml

@@ -21,20 +21,18 @@ jobs:
   # Run frontend unit tests
   fe-test:
     name: FE Unit Tests
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     strategy:
       matrix:
         node-version: [22]
       fail-fast: true
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: useblacksmith/setup-node@v5
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
       - name: Install dependencies
         working-directory: ./frontend
         run: npm ci

.github/workflows/ghcr-build.yml

@@ -1,13 +1,16 @@
-# Workflow that builds and pushes the OpenHands app and enterprise Docker images to ghcr.io.
-# Per-image build logic lives in .github/workflows/_build-image.yml.
+# Workflow that builds, tests and then pushes the OpenHands and runtime docker images to the ghcr.io repository
 name: Docker
 
+# Always run on "main"
+# Always run on tags
+# Always run on PRs
+# Can also be triggered manually
 on:
   push:
     branches:
       - main
-      - "saas-rel-*"
-      - "oss-rel-*"
+    tags:
+      - "*"
   pull_request:
   workflow_dispatch:
     inputs:
@@ -16,45 +19,396 @@ on:
         required: true
         default: ""
 
-# PR events share a group so pushes supersede each other; each commit on a release branch gets its own group.
+# If triggered by a PR, it will be in the same group. However, each commit on main will be in its own unique group
 concurrency:
   group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
   cancel-in-progress: true
 
+env:
+  RELEVANT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+
 jobs:
-  build_app:
-    name: App
-    if: github.event.pull_request.head.repo.fork != true
-    uses: ./.github/workflows/_build-image.yml
-    with:
-      image: ghcr.io/openhands/openhands
-      dockerfile: containers/app/Dockerfile
+  define-matrix:
+    runs-on: blacksmith
+    outputs:
+      base_image: ${{ steps.define-base-images.outputs.base_image }}
+    steps:
+      - name: Define base images
+        shell: bash
+        id: define-base-images
+        run: |
+          if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
+            json=$(jq -n -c '[
+                { image: "nikolaik/python-nodejs:python3.12-nodejs22", tag: "nikolaik" },
+                { image: "ubuntu:24.04", tag: "ubuntu" }
+              ]')
+          else
+            json=$(jq -n -c '[
+                { image: "nikolaik/python-nodejs:python3.12-nodejs22", tag: "nikolaik" },
+                { image: "ubuntu:24.04", tag: "ubuntu" }
+              ]')
+          fi
+          echo "base_image=$json" >> "$GITHUB_OUTPUT"
 
-  build_enterprise:
-    name: Enterprise
-    if: github.event.pull_request.head.repo.fork != true
-    needs: build_app
-    uses: ./.github/workflows/_build-image.yml
-    with:
-      image: ghcr.io/openhands/enterprise-server
-      dockerfile: enterprise/Dockerfile
-      extra-build-args: OPENHANDS_VERSION=sha-${{ github.event.pull_request.head.sha || github.sha }}
-      provenance: true
-      sbom: true
-      buildx-driver-opts: network=host
+  # Builds the OpenHands Docker images
+  ghcr_build_app:
+    name: Build App Image
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.6.0
+        with:
+          image: tonistiigi/binfmt:latest
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Lowercase Repository Owner
+        run: |
+          echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+      - name: Build and push app image
+        if: "!github.event.pull_request.head.repo.fork"
+        run: |
+          ./containers/build.sh -i openhands -o ${{ env.REPO_OWNER }} --push
 
+  # Builds the runtime Docker images
+  ghcr_build_runtime:
+    name: Build Image
+    runs-on: blacksmith-8vcpu-ubuntu-2204
+    if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
+    permissions:
+      contents: read
+      packages: write
+    needs: define-matrix
+    strategy:
+      matrix:
+        base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.6.0
+        with:
+          image: tonistiigi/binfmt:latest
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Install poetry via pipx
+        run: pipx install poetry
+      - name: Set up Python
+        uses: useblacksmith/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: poetry
+      - name: Install Python dependencies using Poetry
+        run: make install-python-dependencies POETRY_GROUP=main INSTALL_PLAYWRIGHT=0
+      - name: Create source distribution and Dockerfile
+        run: poetry run python3 -m openhands.runtime.utils.runtime_build --base_image ${{ matrix.base_image.image }} --build_folder containers/runtime --force_rebuild
+      - name: Lowercase Repository Owner
+        run: |
+          echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+      - name: Short SHA
+        run: |
+          echo SHORT_SHA=$(git rev-parse --short "$RELEVANT_SHA") >> $GITHUB_ENV
+      - name: Determine docker build params
+        if: github.event.pull_request.head.repo.fork != true
+        shell: bash
+        run: |
+
+          ./containers/build.sh -i runtime -o ${{ env.REPO_OWNER }} -t ${{ matrix.base_image.tag }} --dry
+
+          DOCKER_BUILD_JSON=$(jq -c . < docker-build-dry.json)
+          echo "DOCKER_TAGS=$(echo "$DOCKER_BUILD_JSON" | jq -r '.tags | join(",")')" >> $GITHUB_ENV
+          echo "DOCKER_PLATFORM=$(echo "$DOCKER_BUILD_JSON" | jq -r '.platform')" >> $GITHUB_ENV
+          echo "DOCKER_BUILD_ARGS=$(echo "$DOCKER_BUILD_JSON" | jq -r '.build_args | join(",")')" >> $GITHUB_ENV
+      - name: Build and push runtime image ${{ matrix.base_image.image }}
+        if: github.event.pull_request.head.repo.fork != true
+        uses: useblacksmith/build-push-action@v1
+        with:
+          push: true
+          tags: ${{ env.DOCKER_TAGS }}
+          platforms: ${{ env.DOCKER_PLATFORM }}
+          build-args: ${{ env.DOCKER_BUILD_ARGS }}
+          context: containers/runtime
+          provenance: false
+      # Forked repos can't push to GHCR, so we just build in order to populate the cache for rebuilding
+      - name: Build runtime image ${{ matrix.base_image.image }} for fork
+        if: github.event.pull_request.head.repo.fork
+        uses: useblacksmith/build-push-action@v1
+        with:
+          tags: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
+          context: containers/runtime
+      - name: Upload runtime source for fork
+        if: github.event.pull_request.head.repo.fork
+        uses: actions/upload-artifact@v4
+        with:
+          name: runtime-src-${{ matrix.base_image.tag }}
+          path: containers/runtime
+
+  ghcr_build_enterprise:
+    name: Push Enterprise Image
+    runs-on: blacksmith-8vcpu-ubuntu-2204
+    permissions:
+      contents: read
+      packages: write
+    needs: [define-matrix, ghcr_build_app]
+    # Do not build enterprise in forks
+    if: github.event.pull_request.head.repo.fork != true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      # Set up Docker Buildx for better performance
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: network=host
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/openhands/enterprise-server
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+            type=sha,format=long
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+          flavor: |
+            latest=auto
+            prefix=
+            suffix=
+        env:
+          DOCKER_METADATA_PR_HEAD_SHA: true
+      - name: Determine app image tag
+        shell: bash
+        run: |
+          # Duplicated with build.sh
+          sanitized_ref_name=$(echo "$GITHUB_REF_NAME" | sed 's/[^a-zA-Z0-9.-]\+/-/g')
+          OPENHANDS_BUILD_VERSION=$sanitized_ref_name
+          sanitized_ref_name=$(echo "$sanitized_ref_name" | tr '[:upper:]' '[:lower:]') # lower case is required in tagging
+          echo "OPENHANDS_DOCKER_TAG=${sanitized_ref_name}" >> $GITHUB_ENV
+      - name: Build and push Docker image
+        uses: useblacksmith/build-push-action@v1
+        with:
+          context: .
+          file: enterprise/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            OPENHANDS_VERSION=${{ env.OPENHANDS_DOCKER_TAG }}
+          platforms: linux/amd64
+          # Add build provenance
+          provenance: true
+          # Add build attestations for better security
+          sbom: true
+
+  enterprise-preview:
+    name: Enterprise preview
+    if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy')
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    needs: [ghcr_build_enterprise]
+    steps:
+      # This should match the version in enterprise-preview.yml
+      - name: Trigger remote job
+        run: |
+          curl --fail-with-body -sS -X POST \
+            -H "Authorization: Bearer ${{ secrets.PAT_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            -d "{\"ref\": \"main\", \"inputs\": {\"openhandsPrNumber\": \"${{ github.event.pull_request.number }}\", \"deployEnvironment\": \"feature\", \"enterpriseImageTag\": \"pr-${{ github.event.pull_request.number }}\" }}" \
+            https://api.github.com/repos/OpenHands/deploy/actions/workflows/deploy.yaml/dispatches
+
+  # Run unit tests with the Docker runtime Docker images as root
+  test_runtime_root:
+    name: RT Unit Tests (Root)
+    needs: [ghcr_build_runtime, define-matrix]
+    runs-on: blacksmith-8vcpu-ubuntu-2204
+    strategy:
+      fail-fast: false
+      matrix:
+        base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Download runtime source for fork
+        if: github.event.pull_request.head.repo.fork
+        uses: actions/download-artifact@v4
+        with:
+          name: runtime-src-${{ matrix.base_image.tag }}
+          path: containers/runtime
+      - name: Lowercase Repository Owner
+        run: |
+          echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+      # Forked repos can't push to GHCR, so we need to rebuild using cache
+      - name: Build runtime image ${{ matrix.base_image.image }} for fork
+        if: github.event.pull_request.head.repo.fork
+        uses: useblacksmith/build-push-action@v1
+        with:
+          load: true
+          tags: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
+          context: containers/runtime
+      - name: Install poetry via pipx
+        run: pipx install poetry
+      - name: Set up Python
+        uses: useblacksmith/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: poetry
+      - name: Install Python dependencies using Poetry
+        run: make install-python-dependencies INSTALL_PLAYWRIGHT=0
+      - name: Run docker runtime tests
+        shell: bash
+        run: |
+          # We install pytest-xdist in order to run tests across CPUs
+          poetry run pip install pytest-xdist
+
+          # Install to be able to retry on failures for flaky tests
+          poetry run pip install pytest-rerunfailures
+
+          image_name=ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
+
+          # Setting RUN_AS_OPENHANDS to false means use root.
+          # That should mean SANDBOX_USER_ID is ignored but some tests do not check for RUN_AS_OPENHANDS.
+
+          TEST_RUNTIME=docker \
+          SANDBOX_USER_ID=$(id -u) \
+          SANDBOX_RUNTIME_CONTAINER_IMAGE=$image_name \
+          TEST_IN_CI=true \
+          RUN_AS_OPENHANDS=false \
+          poetry run pytest -n 0 -raRs --reruns 2 --reruns-delay 5 -s ./tests/runtime --ignore=tests/runtime/test_browsergym_envs.py --durations=10
+        env:
+          DEBUG: "1"
+
+  # Run unit tests with the Docker runtime Docker images as openhands user
+  test_runtime_oh:
+    name: RT Unit Tests (openhands)
+    runs-on: blacksmith-8vcpu-ubuntu-2204
+    needs: [ghcr_build_runtime, define-matrix]
+    strategy:
+      matrix:
+        base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Download runtime source for fork
+        if: github.event.pull_request.head.repo.fork
+        uses: actions/download-artifact@v4
+        with:
+          name: runtime-src-${{ matrix.base_image.tag }}
+          path: containers/runtime
+      - name: Lowercase Repository Owner
+        run: |
+          echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+      # Forked repos can't push to GHCR, so we need to rebuild using cache
+      - name: Build runtime image ${{ matrix.base_image.image }} for fork
+        if: github.event.pull_request.head.repo.fork
+        uses: useblacksmith/build-push-action@v1
+        with:
+          load: true
+          tags: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
+          context: containers/runtime
+      - name: Install poetry via pipx
+        run: pipx install poetry
+      - name: Set up Python
+        uses: useblacksmith/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: poetry
+      - name: Install Python dependencies using Poetry
+        run: make install-python-dependencies POETRY_GROUP=main,test,runtime INSTALL_PLAYWRIGHT=0
+      - name: Run runtime tests
+        shell: bash
+        run: |
+          # We install pytest-xdist in order to run tests across CPUs
+          poetry run pip install pytest-xdist
+
+          # Install to be able to retry on failures for flaky tests
+          poetry run pip install pytest-rerunfailures
+
+          image_name=ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
+
+          TEST_RUNTIME=docker \
+          SANDBOX_USER_ID=$(id -u) \
+          SANDBOX_RUNTIME_CONTAINER_IMAGE=$image_name \
+          TEST_IN_CI=true \
+          RUN_AS_OPENHANDS=true \
+          poetry run pytest -n 0 -raRs --reruns 2 --reruns-delay 5 -s ./tests/runtime --ignore=tests/runtime/test_browsergym_envs.py --durations=10
+        env:
+          DEBUG: "1"
+
+  # The two following jobs (named identically) are to check whether all the runtime tests have passed as the
+  # "All Runtime Tests Passed" is a required job for PRs to merge
+  # Due to this bug: https://github.com/actions/runner/issues/2566, we want to create a job that runs when the
+  # prerequisites have been cancelled or failed so merging is disallowed, otherwise Github considers "skipped" as "success"
+  runtime_tests_check_success:
+    name: All Runtime Tests Passed
+    if: ${{ !cancelled() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    needs: [test_runtime_root, test_runtime_oh]
+    steps:
+      - name: All tests passed
+        run: echo "All runtime tests have passed successfully!"
+
+  runtime_tests_check_fail:
+    name: All Runtime Tests Passed
+    if: ${{ cancelled() || contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    needs: [test_runtime_root, test_runtime_oh]
+    steps:
+      - name: Some tests failed
+        run: |
+          echo "Some runtime tests failed or were cancelled"
+          exit 1
   update_pr_description:
     name: Update PR Description
     if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'
-    needs: build_app
-    runs-on: ubuntu-22.04
+    needs: [ghcr_build_runtime]
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       - name: Get short SHA
         id: short_sha
-        run: echo "SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-7)" >> "$GITHUB_OUTPUT"
+        run: echo "SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
 
       - name: Update PR Description
         env:
@@ -65,4 +419,4 @@ jobs:
         shell: bash
         run: |
           echo "Updating PR description with Docker and uvx commands"
-          bash "${GITHUB_WORKSPACE}/.github/scripts/update_pr_description.sh"
+          bash ${GITHUB_WORKSPACE}/.github/scripts/update_pr_description.sh

.github/workflows/integration-runner.yml

@@ -0,0 +1,199 @@
+name: Run Integration Tests
+
+on:
+  pull_request:
+    types: [labeled]
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Reason for manual trigger'
+        required: true
+        default: ''
+  schedule:
+    - cron: '30 22 * * *'  # Runs at 10:30pm UTC every day
+
+env:
+  N_PROCESSES: 10 # Global configuration for number of parallel processes for evaluation
+
+jobs:
+  run-integration-tests:
+    if: github.event.label.name == 'integration-test' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    permissions:
+      contents: "read"
+      id-token: "write"
+      pull-requests: "write"
+      issues: "write"
+    strategy:
+      matrix:
+        python-version: ["3.12"]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install poetry via pipx
+        run: pipx install poetry
+
+      - name: Set up Python
+        uses: useblacksmith/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "poetry"
+
+      - name: Setup Node.js
+        uses: useblacksmith/setup-node@v5
+        with:
+          node-version: '22.x'
+
+      - name: Comment on PR if 'integration-test' label is present
+        if: github.event_name == 'pull_request' && github.event.label.name == 'integration-test'
+        uses: KeisukeYamashita/create-comment@v1
+        with:
+          unique: false
+          comment: |
+            Hi! I started running the integration tests on your PR. You will receive a comment with the results shortly.
+
+      - name: Install Python dependencies using Poetry
+        run: poetry install --with dev,test,runtime,evaluation
+
+      - name: Configure config.toml for testing with Haiku
+        env:
+          LLM_MODEL: "litellm_proxy/claude-3-5-haiku-20241022"
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
+          MAX_ITERATIONS: 10
+        run: |
+          echo "[llm.eval]" > config.toml
+          echo "model = \"$LLM_MODEL\"" >> config.toml
+          echo "api_key = \"$LLM_API_KEY\"" >> config.toml
+          echo "base_url = \"$LLM_BASE_URL\"" >> config.toml
+          echo "temperature = 0.0" >> config.toml
+
+      - name: Build environment
+        run: make build
+
+      - name: Run integration test evaluation for Haiku
+        env:
+          SANDBOX_FORCE_REBUILD_RUNTIME: True
+        run: |
+          poetry run ./evaluation/integration_tests/scripts/run_infer.sh llm.eval HEAD CodeActAgent '' 10 $N_PROCESSES '' 'haiku_run'
+
+          # get integration tests report
+          REPORT_FILE_HAIKU=$(find evaluation/evaluation_outputs/outputs/integration_tests/CodeActAgent/*haiku*_maxiter_10_N* -name "report.md" -type f | head -n 1)
+          echo "REPORT_FILE: $REPORT_FILE_HAIKU"
+          echo "INTEGRATION_TEST_REPORT_HAIKU<<EOF" >> $GITHUB_ENV
+          cat $REPORT_FILE_HAIKU >> $GITHUB_ENV
+          echo >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+
+      - name: Wait a little bit
+        run: sleep 10
+
+      - name: Configure config.toml for testing with DeepSeek
+        env:
+          LLM_MODEL: "litellm_proxy/deepseek-chat"
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
+          MAX_ITERATIONS: 10
+        run: |
+          echo "[llm.eval]" > config.toml
+          echo "model = \"$LLM_MODEL\"" >> config.toml
+          echo "api_key = \"$LLM_API_KEY\"" >> config.toml
+          echo "base_url = \"$LLM_BASE_URL\"" >> config.toml
+          echo "temperature = 0.0" >> config.toml
+
+      - name: Run integration test evaluation for DeepSeek
+        env:
+          SANDBOX_FORCE_REBUILD_RUNTIME: True
+        run: |
+          poetry run ./evaluation/integration_tests/scripts/run_infer.sh llm.eval HEAD CodeActAgent '' 10 $N_PROCESSES '' 'deepseek_run'
+
+          # get integration tests report
+          REPORT_FILE_DEEPSEEK=$(find evaluation/evaluation_outputs/outputs/integration_tests/CodeActAgent/deepseek*_maxiter_10_N* -name "report.md" -type f | head -n 1)
+          echo "REPORT_FILE: $REPORT_FILE_DEEPSEEK"
+          echo "INTEGRATION_TEST_REPORT_DEEPSEEK<<EOF" >> $GITHUB_ENV
+          cat $REPORT_FILE_DEEPSEEK >> $GITHUB_ENV
+          echo >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+
+      # -------------------------------------------------------------
+      # Run VisualBrowsingAgent tests for DeepSeek, limited to t05 and t06
+      - name: Wait a little bit (again)
+        run: sleep 5
+
+      - name: Configure config.toml for testing VisualBrowsingAgent (DeepSeek)
+        env:
+          LLM_MODEL: "litellm_proxy/deepseek-chat"
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
+          MAX_ITERATIONS: 15
+        run: |
+          echo "[llm.eval]" > config.toml
+          echo "model = \"$LLM_MODEL\"" >> config.toml
+          echo "api_key = \"$LLM_API_KEY\"" >> config.toml
+          echo "base_url = \"$LLM_BASE_URL\"" >> config.toml
+          echo "temperature = 0.0" >> config.toml
+      - name: Run integration test evaluation for VisualBrowsingAgent (DeepSeek)
+        env:
+          SANDBOX_FORCE_REBUILD_RUNTIME: True
+        run: |
+          poetry run ./evaluation/integration_tests/scripts/run_infer.sh llm.eval HEAD VisualBrowsingAgent '' 15 $N_PROCESSES "t05_simple_browsing,t06_github_pr_browsing.py" 'visualbrowsing_deepseek_run'
+
+          # Find and export the visual browsing agent test results
+          REPORT_FILE_VISUALBROWSING_DEEPSEEK=$(find evaluation/evaluation_outputs/outputs/integration_tests/VisualBrowsingAgent/deepseek*_maxiter_15_N* -name "report.md" -type f | head -n 1)
+          echo "REPORT_FILE_VISUALBROWSING_DEEPSEEK: $REPORT_FILE_VISUALBROWSING_DEEPSEEK"
+          echo "INTEGRATION_TEST_REPORT_VISUALBROWSING_DEEPSEEK<<EOF" >> $GITHUB_ENV
+          cat $REPORT_FILE_VISUALBROWSING_DEEPSEEK >> $GITHUB_ENV
+          echo >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+
+      - name: Create archive of evaluation outputs
+        run: |
+          TIMESTAMP=$(date +'%y-%m-%d-%H-%M')
+          cd evaluation/evaluation_outputs/outputs  # Change to the outputs directory
+          tar -czvf ../../../integration_tests_${TIMESTAMP}.tar.gz integration_tests/CodeActAgent/* integration_tests/VisualBrowsingAgent/* # Only include the actual result directories
+
+      - name: Upload evaluation results as artifact
+        uses: actions/upload-artifact@v4
+        id: upload_results_artifact
+        with:
+          name: integration-test-outputs-${{ github.run_id }}-${{ github.run_attempt }}
+          path: integration_tests_*.tar.gz
+
+      - name: Get artifact URLs
+        run: |
+          echo "ARTIFACT_URL=${{ steps.upload_results_artifact.outputs.artifact-url }}" >> $GITHUB_ENV
+
+      - name: Set timestamp and trigger reason
+        run: |
+          echo "TIMESTAMP=$(date +'%Y-%m-%d-%H-%M')" >> $GITHUB_ENV
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "TRIGGER_REASON=pr-${{ github.event.pull_request.number }}" >> $GITHUB_ENV
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            echo "TRIGGER_REASON=manual-${{ github.event.inputs.reason }}" >> $GITHUB_ENV
+          else
+            echo "TRIGGER_REASON=nightly-scheduled" >> $GITHUB_ENV
+          fi
+
+      - name: Comment with results and artifact link
+        id: create_comment
+        uses: KeisukeYamashita/create-comment@v1
+        with:
+          # if triggered by PR, use PR number, otherwise use 9745 as fallback issue number for manual triggers
+          number: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || 9745 }}
+          unique: false
+          comment: |
+              Trigger by: ${{ github.event_name == 'pull_request' && format('Pull Request (integration-test label on PR #{0})', github.event.pull_request.number) || (github.event_name == 'workflow_dispatch' && format('Manual Trigger: {0}', github.event.inputs.reason)) || 'Nightly Scheduled Run' }}
+              Commit: ${{ github.sha }}
+              **Integration Tests Report (Haiku)**
+              Haiku LLM Test Results:
+              ${{ env.INTEGRATION_TEST_REPORT_HAIKU }}
+              ---
+              **Integration Tests Report (DeepSeek)**
+              DeepSeek LLM Test Results:
+              ${{ env.INTEGRATION_TEST_REPORT_DEEPSEEK }}
+              ---
+              **Integration Tests Report VisualBrowsing (DeepSeek)**
+              ${{ env.INTEGRATION_TEST_REPORT_VISUALBROWSING_DEEPSEEK }}
+              ---
+              Download testing outputs (includes both Haiku and DeepSeek results): [Download](${{ steps.upload_results_artifact.outputs.artifact-url }})

.github/workflows/lint-fix.yml

@@ -9,12 +9,12 @@ jobs:
   lint-fix-frontend:
     if: github.event.label.name == 'lint-fix'
     name: Fix frontend linting issues
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     permissions:
       contents: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.head_ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -22,14 +22,13 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Node.js 22
-        uses: actions/setup-node@v4
+        uses: useblacksmith/setup-node@v5
         with:
           node-version: 22
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
       - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: npm ci
+        run: |
+          cd frontend
+          npm install --frozen-lockfile
       - name: Generate i18n and route types
         run: |
           cd frontend
@@ -59,12 +58,12 @@ jobs:
   lint-fix-python:
     if: github.event.label.name == 'lint-fix'
     name: Fix Python linting issues
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     permissions:
       contents: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.head_ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -72,7 +71,7 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: 3.12
           cache: "pip"

.github/workflows/lint.yml

@@ -19,35 +19,34 @@ jobs:
   # Run lint on the frontend code
   lint-frontend:
     name: Lint frontend
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
       - name: Install Node.js 22
-        uses: actions/setup-node@v4
+        uses: useblacksmith/setup-node@v5
         with:
           node-version: 22
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
       - name: Install dependencies
-        working-directory: ./frontend
-        run: npm ci
+        run: |
+          cd frontend
+          npm install --frozen-lockfile
       - name: Lint, TypeScript compilation, and translation checks
         run: |
           cd frontend
           npm run lint
-          npm run make-i18n && npx tsc
+          npm run make-i18n && tsc
           npm run check-translation-completeness
 
   # Run lint on the python code
   lint-python:
     name: Lint python
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: 3.12
           cache: "pip"
@@ -58,13 +57,13 @@ jobs:
 
   lint-enterprise-python:
     name: Lint enterprise python
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: 3.12
           cache: "pip"
@@ -73,3 +72,34 @@ jobs:
       - name: Run pre-commit hooks
         working-directory: ./enterprise
         run: pre-commit run --all-files --show-diff-on-failure --config ./dev_config/python/.pre-commit-config.yaml
+
+  lint-cli-python:
+    name: Lint CLI python
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up python
+        uses: useblacksmith/setup-python@v6
+        with:
+          python-version: 3.12
+          cache: "pip"
+      - name: Install pre-commit
+        run: pip install pre-commit==4.2.0
+      - name: Run pre-commit hooks
+        working-directory: ./openhands-cli
+        run: pre-commit run --all-files --config ./dev_config/python/.pre-commit-config.yaml
+
+  # Check version consistency across documentation
+  check-version-consistency:
+    name: Check version consistency
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up python
+        uses: useblacksmith/setup-python@v6
+        with:
+          python-version: 3.12
+      - name: Run version consistency check
+        run: .github/scripts/check_version_consistency.py

.github/workflows/mdx-lint.yml

@@ -0,0 +1,70 @@
+# Workflow that checks MDX format in docs/ folder
+name: MDX Lint
+
+# Run on pushes to main and on pull requests that modify docs/ files
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'docs/**/*.mdx'
+  pull_request:
+    paths:
+      - 'docs/**/*.mdx'
+
+# If triggered by a PR, it will be in the same group. However, each commit on main will be in its own unique group
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  mdx-lint:
+    name: Lint MDX files
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Node.js 22
+        uses: useblacksmith/setup-node@v5
+        with:
+          node-version: 22
+
+      - name: Install MDX dependencies
+        run: |
+          npm install @mdx-js/mdx@3 glob@10
+
+      - name: Validate MDX files
+        run: |
+          node -e "
+          const {compile} = require('@mdx-js/mdx');
+          const fs = require('fs');
+          const path = require('path');
+          const glob = require('glob');
+
+          async function validateMDXFiles() {
+            const files = glob.sync('docs/**/*.mdx');
+            console.log('Found', files.length, 'MDX files to validate');
+
+            let hasErrors = false;
+
+            for (const file of files) {
+              try {
+                const content = fs.readFileSync(file, 'utf8');
+                await compile(content);
+                console.log('✅ MDX parsing successful for', file);
+              } catch (err) {
+                console.error('❌ MDX parsing failed for', file, ':', err.message);
+                hasErrors = true;
+              }
+            }
+
+            if (hasErrors) {
+              console.error('\\n❌ Some MDX files have parsing errors. Please fix them before merging.');
+              process.exit(1);
+            } else {
+              console.log('\\n✅ All MDX files are valid!');
+            }
+          }
+
+          validateMDXFiles();
+          "

.github/workflows/npm-publish-ui.yml

@@ -18,7 +18,7 @@ concurrency:
 jobs:
   check-version:
     name: Check if version has changed
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     defaults:
       run:
         shell: bash
@@ -27,7 +27,7 @@ jobs:
       current-version: ${{ steps.version-check.outputs.current-version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           fetch-depth: 2 # Need previous commit to compare
 
@@ -55,7 +55,7 @@ jobs:
 
   publish:
     name: Publish to npm
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     needs: check-version
     if: needs.check-version.outputs.should-publish == 'true'
     defaults:
@@ -63,7 +63,7 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2

.github/workflows/openhands-resolver.yml

@@ -0,0 +1,433 @@
+name: Auto-Fix Tagged Issue with OpenHands
+
+on:
+  workflow_call:
+    inputs:
+      max_iterations:
+        required: false
+        type: number
+        default: 50
+      macro:
+        required: false
+        type: string
+        default: "@openhands-agent"
+      target_branch:
+        required: false
+        type: string
+        default: "main"
+        description: "Target branch to pull and create PR against"
+      pr_type:
+        required: false
+        type: string
+        default: "draft"
+        description: "The PR type that is going to be created (draft, ready)"
+      LLM_MODEL:
+        required: false
+        type: string
+        default: "anthropic/claude-sonnet-4-20250514"
+      LLM_API_VERSION:
+        required: false
+        type: string
+        default: ""
+      base_container_image:
+        required: false
+        type: string
+        default: ""
+        description: "Custom sandbox env"
+      runner:
+        required: false
+        type: string
+        default: "ubuntu-latest"
+    secrets:
+      LLM_MODEL:
+        required: false
+      LLM_API_KEY:
+        required: true
+      LLM_BASE_URL:
+        required: false
+      PAT_TOKEN:
+        required: false
+      PAT_USERNAME:
+        required: false
+
+  issues:
+    types: [labeled]
+  pull_request:
+    types: [labeled]
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  pull_request_review:
+    types: [submitted]
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+jobs:
+  auto-fix:
+    if: |
+      github.event_name == 'workflow_call' ||
+      github.event.label.name == 'fix-me' ||
+      github.event.label.name == 'fix-me-experimental' ||
+      (
+        ((github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') &&
+        contains(github.event.comment.body, inputs.macro || '@openhands-agent') &&
+        (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'COLLABORATOR' || github.event.comment.author_association == 'MEMBER')
+        ) ||
+
+        (github.event_name == 'pull_request_review' &&
+        contains(github.event.review.body, inputs.macro || '@openhands-agent') &&
+        (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'COLLABORATOR' || github.event.review.author_association == 'MEMBER')
+        )
+      )
+    runs-on: "${{ inputs.runner || 'ubuntu-latest' }}"
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Upgrade pip
+        run: |
+          python -m pip install --upgrade pip
+
+      - name: Get latest versions and create requirements.txt
+        run: |
+          python -m pip index versions openhands-ai > openhands_versions.txt
+          OPENHANDS_VERSION=$(head -n 1 openhands_versions.txt | awk '{print $2}' | tr -d '()')
+
+          # Create a new requirements.txt locally within the workflow, ensuring no reference to the repo's file
+          echo "openhands-ai==${OPENHANDS_VERSION}" > /tmp/requirements.txt
+          cat /tmp/requirements.txt
+
+      - name: Cache pip dependencies
+        if: |
+          !(
+            github.event.label.name == 'fix-me-experimental' ||
+            (
+              (github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') &&
+              contains(github.event.comment.body, '@openhands-agent-exp')
+            ) ||
+            (
+              github.event_name == 'pull_request_review' &&
+              contains(github.event.review.body, '@openhands-agent-exp')
+            )
+          )
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.pythonLocation }}/lib/python3.12/site-packages/*
+          key: ${{ runner.os }}-pip-openhands-resolver-${{ hashFiles('/tmp/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-openhands-resolver-${{ hashFiles('/tmp/requirements.txt') }}
+
+      - name: Check required environment variables
+        env:
+          LLM_MODEL: ${{ secrets.LLM_MODEL || inputs.LLM_MODEL }}
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
+          LLM_API_VERSION: ${{ inputs.LLM_API_VERSION }}
+          PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
+          PAT_USERNAME: ${{ secrets.PAT_USERNAME }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          required_vars=("LLM_API_KEY")
+          for var in "${required_vars[@]}"; do
+            if [ -z "${!var}" ]; then
+              echo "Error: Required environment variable $var is not set."
+              exit 1
+            fi
+          done
+
+          # Check optional variables and warn about fallbacks
+          if [ -z "$LLM_BASE_URL" ]; then
+            echo "Warning: LLM_BASE_URL is not set, will use default API endpoint"
+          fi
+
+          if [ -z "$PAT_TOKEN" ]; then
+            echo "Warning: PAT_TOKEN is not set, falling back to GITHUB_TOKEN"
+          fi
+
+          if [ -z "$PAT_USERNAME" ]; then
+            echo "Warning: PAT_USERNAME is not set, will use openhands-agent"
+          fi
+
+      - name: Set environment variables
+        env:
+          REVIEW_BODY: ${{ github.event.review.body || '' }}
+        run: |
+          # Handle pull request events first
+          if [ -n "${{ github.event.pull_request.number }}" ]; then
+            echo "ISSUE_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV
+            echo "ISSUE_TYPE=pr" >> $GITHUB_ENV
+          # Handle pull request review events
+          elif [ -n "$REVIEW_BODY" ]; then
+            echo "ISSUE_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV
+            echo "ISSUE_TYPE=pr" >> $GITHUB_ENV
+          # Handle issue comment events that reference a PR
+          elif [ -n "${{ github.event.issue.pull_request }}" ]; then
+            echo "ISSUE_NUMBER=${{ github.event.issue.number }}" >> $GITHUB_ENV
+            echo "ISSUE_TYPE=pr" >> $GITHUB_ENV
+          # Handle regular issue events
+          else
+            echo "ISSUE_NUMBER=${{ github.event.issue.number }}" >> $GITHUB_ENV
+            echo "ISSUE_TYPE=issue" >> $GITHUB_ENV
+          fi
+
+          if [ -n "$REVIEW_BODY" ]; then
+            echo "COMMENT_ID=${{ github.event.review.id || 'None' }}" >> $GITHUB_ENV
+          else
+            echo "COMMENT_ID=${{ github.event.comment.id || 'None' }}" >> $GITHUB_ENV
+          fi
+
+          echo "MAX_ITERATIONS=${{ inputs.max_iterations || 50 }}" >> $GITHUB_ENV
+          echo "SANDBOX_ENV_GITHUB_TOKEN=${{ secrets.PAT_TOKEN || github.token }}" >> $GITHUB_ENV
+          echo "SANDBOX_BASE_CONTAINER_IMAGE=${{ inputs.base_container_image }}" >> $GITHUB_ENV
+
+          # Set branch variables
+          echo "TARGET_BRANCH=${{ inputs.target_branch || 'main' }}" >> $GITHUB_ENV
+
+      - name: Comment on issue with start message
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PAT_TOKEN || github.token }}
+          script: |
+            const issueType = process.env.ISSUE_TYPE;
+            github.rest.issues.createComment({
+              issue_number: ${{ env.ISSUE_NUMBER }},
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `[OpenHands](https://github.com/OpenHands/OpenHands) started fixing the ${issueType}! You can monitor the progress [here](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}).`
+            });
+
+      - name: Install OpenHands
+        id: install_openhands
+        uses: actions/github-script@v7
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body || '' }}
+          REVIEW_BODY: ${{ github.event.review.body || '' }}
+          LABEL_NAME: ${{ github.event.label.name || '' }}
+          EVENT_NAME: ${{ github.event_name }}
+        with:
+          script: |
+            const commentBody = process.env.COMMENT_BODY.trim();
+            const reviewBody = process.env.REVIEW_BODY.trim();
+            const labelName = process.env.LABEL_NAME.trim();
+            const eventName = process.env.EVENT_NAME.trim();
+            // Check conditions
+            const isExperimentalLabel = labelName === "fix-me-experimental";
+            const isIssueCommentExperimental =
+              (eventName === "issue_comment" || eventName === "pull_request_review_comment") &&
+              commentBody.includes("@openhands-agent-exp");
+            const isReviewCommentExperimental =
+              eventName === "pull_request_review" && reviewBody.includes("@openhands-agent-exp");
+
+            // Set output variable
+            core.setOutput('isExperimental', isExperimentalLabel || isIssueCommentExperimental || isReviewCommentExperimental);
+
+            // Perform package installation
+            if (isExperimentalLabel || isIssueCommentExperimental || isReviewCommentExperimental) {
+              console.log("Installing experimental OpenHands...");
+
+              await exec.exec("pip install git+https://github.com/openhands/openhands.git");
+            } else {
+              console.log("Installing from requirements.txt...");
+
+              await exec.exec("pip install -r /tmp/requirements.txt");
+            }
+
+      - name: Attempt to resolve issue
+        env:
+          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN || github.token }}
+          GITHUB_USERNAME: ${{ secrets.PAT_USERNAME || 'openhands-agent' }}
+          GIT_USERNAME: ${{ secrets.PAT_USERNAME || 'openhands-agent' }}
+          LLM_MODEL: ${{ secrets.LLM_MODEL || inputs.LLM_MODEL }}
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
+          LLM_API_VERSION: ${{ inputs.LLM_API_VERSION }}
+          PYTHONPATH: ""
+        run: |
+          cd /tmp && python -m openhands.resolver.resolve_issue \
+            --selected-repo ${{ github.repository }} \
+            --issue-number ${{ env.ISSUE_NUMBER }} \
+            --issue-type ${{ env.ISSUE_TYPE }} \
+            --max-iterations ${{ env.MAX_ITERATIONS }} \
+            --comment-id ${{ env.COMMENT_ID }} \
+            --is-experimental ${{ steps.install_openhands.outputs.isExperimental }}
+
+      - name: Check resolution result
+        id: check_result
+        run: |
+          if cd /tmp && grep -q '"success":true' output/output.jsonl; then
+            echo "RESOLUTION_SUCCESS=true" >> $GITHUB_OUTPUT
+          else
+            echo "RESOLUTION_SUCCESS=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Upload output.jsonl as artifact
+        uses: actions/upload-artifact@v4
+        if: always() # Upload even if the previous steps fail
+        with:
+          name: resolver-output
+          path: /tmp/output/output.jsonl
+          retention-days: 30 # Keep the artifact for 30 days
+
+      - name: Create draft PR or push branch
+        if: always() # Create PR or branch even if the previous steps fail
+        env:
+          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN || github.token }}
+          GITHUB_USERNAME: ${{ secrets.PAT_USERNAME || 'openhands-agent' }}
+          GIT_USERNAME: ${{ secrets.PAT_USERNAME || 'openhands-agent' }}
+          LLM_MODEL: ${{ secrets.LLM_MODEL || inputs.LLM_MODEL }}
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
+          LLM_API_VERSION: ${{ inputs.LLM_API_VERSION }}
+          PYTHONPATH: ""
+        run: |
+          if [ "${{ steps.check_result.outputs.RESOLUTION_SUCCESS }}" == "true" ]; then
+            cd /tmp && python -m openhands.resolver.send_pull_request \
+              --issue-number ${{ env.ISSUE_NUMBER }} \
+              --target-branch ${{ env.TARGET_BRANCH }} \
+              --pr-type ${{ inputs.pr_type || 'draft' }} \
+              --reviewer ${{ github.actor }} | tee pr_result.txt && \
+              grep "PR created" pr_result.txt | sed 's/.*\///g' > pr_number.txt
+          else
+            cd /tmp && python -m openhands.resolver.send_pull_request \
+              --issue-number ${{ env.ISSUE_NUMBER }} \
+              --pr-type branch \
+              --send-on-failure | tee branch_result.txt && \
+              grep "branch created" branch_result.txt | sed 's/.*\///g; s/.expand=1//g' > branch_name.txt
+          fi
+
+      # Step leaves comment for when agent is invoked on PR
+      - name: Analyze Push Logs (Updated PR or No Changes) # Skip comment if PR update was successful OR leave comment if the agent made no code changes
+        uses: actions/github-script@v7
+        if: always()
+        env:
+          AGENT_RESPONDED: ${{ env.AGENT_RESPONDED || 'false' }}
+          ISSUE_NUMBER: ${{ env.ISSUE_NUMBER }}
+        with:
+          github-token: ${{ secrets.PAT_TOKEN || github.token }}
+          script: |
+            const fs = require('fs');
+            const issueNumber = process.env.ISSUE_NUMBER;
+            let logContent = '';
+
+            try {
+              logContent = fs.readFileSync('/tmp/pr_result.txt', 'utf8').trim();
+            } catch (error) {
+              console.error('Error reading pr_result.txt file:', error);
+            }
+
+            const noChangesMessage = `No changes to commit for issue #${issueNumber}. Skipping commit.`;
+
+            // Check logs from send_pull_request.py (pushes code to GitHub)
+            if (logContent.includes("Updated pull request")) {
+              console.log("Updated pull request found. Skipping comment.");
+              process.env.AGENT_RESPONDED = 'true';
+            } else if (logContent.includes(noChangesMessage)) {
+              github.rest.issues.createComment({
+                issue_number: issueNumber,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: `The workflow to fix this issue encountered an error. Openhands failed to create any code changes.`
+              });
+              process.env.AGENT_RESPONDED = 'true';
+            }
+
+      # Step leaves comment for when agent is invoked on issue
+      - name: Comment on issue # Comment link to either PR or branch created by agent
+        uses: actions/github-script@v7
+        if: always() # Comment on issue even if the previous steps fail
+        env:
+          AGENT_RESPONDED: ${{ env.AGENT_RESPONDED || 'false' }}
+          ISSUE_NUMBER: ${{ env.ISSUE_NUMBER }}
+          RESOLUTION_SUCCESS: ${{ steps.check_result.outputs.RESOLUTION_SUCCESS }}
+        with:
+          github-token: ${{ secrets.PAT_TOKEN || github.token }}
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const issueNumber = process.env.ISSUE_NUMBER;
+            const success = process.env.RESOLUTION_SUCCESS === 'true';
+
+            let prNumber = '';
+            let branchName = '';
+            let resultExplanation = '';
+
+            try {
+              if (success) {
+                prNumber = fs.readFileSync('/tmp/pr_number.txt', 'utf8').trim();
+              } else {
+                branchName = fs.readFileSync('/tmp/branch_name.txt', 'utf8').trim();
+              }
+            } catch (error) {
+              console.error('Error reading file:', error);
+            }
+
+
+            try {
+              if (!success){
+                // Read result_explanation from JSON file for failed resolution
+                const outputFilePath = path.resolve('/tmp/output/output.jsonl');
+                if (fs.existsSync(outputFilePath)) {
+                  const outputContent = fs.readFileSync(outputFilePath, 'utf8');
+                  const jsonLines = outputContent.split('\n').filter(line => line.trim() !== '');
+
+                  if (jsonLines.length > 0) {
+                    // First entry in JSON lines has the key 'result_explanation'
+                    const firstEntry = JSON.parse(jsonLines[0]);
+                    resultExplanation = firstEntry.result_explanation || '';
+                  }
+                }
+              }
+            } catch (error){
+              console.error('Error reading file:', error);
+            }
+
+            // Check "success" log from resolver output
+            if (success && prNumber) {
+              github.rest.issues.createComment({
+                issue_number: issueNumber,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: `A potential fix has been generated and a draft PR #${prNumber} has been created. Please review the changes.`
+              });
+              process.env.AGENT_RESPONDED = 'true';
+            } else if (!success && branchName) {
+              let commentBody = `An attempt was made to automatically fix this issue, but it was unsuccessful. A branch named '${branchName}' has been created with the attempted changes. You can view the branch [here](https://github.com/${context.repo.owner}/${context.repo.repo}/tree/${branchName}). Manual intervention may be required.`;
+
+              if (resultExplanation) {
+                commentBody += `\n\nAdditional details about the failure:\n${resultExplanation}`;
+              }
+
+              github.rest.issues.createComment({
+                issue_number: issueNumber,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: commentBody
+              });
+              process.env.AGENT_RESPONDED = 'true';
+            }
+
+      # Leave error comment when both PR/Issue comment handling fail
+      - name: Fallback Error Comment
+        uses: actions/github-script@v7
+        if: ${{ env.AGENT_RESPONDED == 'false' }} # Only run if no conditions were met in previous steps
+        env:
+          ISSUE_NUMBER: ${{ env.ISSUE_NUMBER }}
+        with:
+          github-token: ${{ secrets.PAT_TOKEN || github.token }}
+          script: |
+            const issueNumber = process.env.ISSUE_NUMBER;
+
+            github.rest.issues.createComment({
+              issue_number: issueNumber,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `The workflow to fix this issue encountered an error. Please check the [workflow logs](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}) for more information.`
+            });

.github/workflows/pr-artifacts.yml

@@ -1,136 +0,0 @@
----
-name: PR Artifacts
-
-on:
-    workflow_dispatch: # Manual trigger for testing
-    pull_request:
-        types: [opened, synchronize, reopened]
-        branches: [main]
-    pull_request_review:
-        types: [submitted]
-
-jobs:
-  # Auto-remove .pr/ directory when a reviewer approves
-    cleanup-on-approval:
-        concurrency:
-            group: cleanup-pr-artifacts-${{ github.event.pull_request.number }}
-            cancel-in-progress: false
-        if: github.event_name == 'pull_request_review' && github.event.review.state == 'approved'
-        runs-on: ubuntu-latest
-        permissions:
-            contents: write
-            pull-requests: write
-        steps:
-            - name: Check if fork PR
-              id: check-fork
-              run: |
-                  if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.event.pull_request.base.repo.full_name }}" ]; then
-                    echo "is_fork=true" >> $GITHUB_OUTPUT
-                    echo "::notice::Fork PR detected - skipping auto-cleanup (manual removal required)"
-                  else
-                    echo "is_fork=false" >> $GITHUB_OUTPUT
-                  fi
-
-            - uses: actions/checkout@v6
-              if: steps.check-fork.outputs.is_fork == 'false'
-              with:
-                  ref: ${{ github.event.pull_request.head.ref }}
-                  token: ${{ secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC }}
-
-            - name: Remove .pr/ directory
-              id: remove
-              if: steps.check-fork.outputs.is_fork == 'false'
-              run: |
-                  if [ -d ".pr" ]; then
-                    git config user.name "allhands-bot"
-                    git config user.email "allhands-bot@users.noreply.github.com"
-                    git rm -rf .pr/
-                    git commit -m "chore: Remove PR-only artifacts [automated]"
-                    git push || {
-                      echo "::error::Failed to push cleanup commit. Check branch protection rules."
-                      exit 1
-                    }
-                    echo "removed=true" >> $GITHUB_OUTPUT
-                    echo "::notice::Removed .pr/ directory"
-                  else
-                    echo "removed=false" >> $GITHUB_OUTPUT
-                    echo "::notice::No .pr/ directory to remove"
-                  fi
-
-            - name: Update PR comment after cleanup
-              if: steps.check-fork.outputs.is_fork == 'false' && steps.remove.outputs.removed == 'true'
-              uses: actions/github-script@v9
-              with:
-                  script: |
-                      const marker = '<!-- pr-artifacts-notice -->';
-                      const body = `${marker}
-                      ✅ **PR Artifacts Cleaned Up**
-
-                      The \`.pr/\` directory has been automatically removed.
-                      `;
-
-                      const { data: comments } = await github.rest.issues.listComments({
-                        owner: context.repo.owner,
-                        repo: context.repo.repo,
-                        issue_number: context.issue.number,
-                      });
-
-                      const existing = comments.find(c => c.body.includes(marker));
-                      if (existing) {
-                        await github.rest.issues.updateComment({
-                          owner: context.repo.owner,
-                          repo: context.repo.repo,
-                          comment_id: existing.id,
-                          body: body,
-                        });
-                      }
-
-  # Warn if .pr/ directory exists (will be auto-removed on approval)
-    check-pr-artifacts:
-        if: github.event_name == 'pull_request'
-        runs-on: ubuntu-latest
-        permissions:
-            contents: read
-            pull-requests: write
-        steps:
-            - uses: actions/checkout@v6
-
-            - name: Check for .pr/ directory
-              id: check
-              run: |
-                  if [ -d ".pr" ]; then
-                    echo "exists=true" >> $GITHUB_OUTPUT
-                    echo "::warning::.pr/ directory exists and will be automatically removed when the PR is approved. For fork PRs, manual removal is required before merging."
-                  else
-                    echo "exists=false" >> $GITHUB_OUTPUT
-                  fi
-
-            - name: Post or update PR comment
-              if: steps.check.outputs.exists == 'true'
-              uses: actions/github-script@v9
-              with:
-                  script: |
-                      const marker = '<!-- pr-artifacts-notice -->';
-                      const body = `${marker}
-                      📁 **PR Artifacts Notice**
-
-                      This PR contains a \`.pr/\` directory with PR-specific documents. This directory will be **automatically removed** when the PR is approved.
-
-                      > For fork PRs: Manual removal is required before merging.
-                      `;
-
-                      const { data: comments } = await github.rest.issues.listComments({
-                        owner: context.repo.owner,
-                        repo: context.repo.repo,
-                        issue_number: context.issue.number,
-                      });
-
-                      const existing = comments.find(c => c.body.includes(marker));
-                      if (!existing) {
-                        await github.rest.issues.createComment({
-                          owner: context.repo.owner,
-                          repo: context.repo.repo,
-                          issue_number: context.issue.number,
-                          body: body,
-                        });
-                      }

.github/workflows/pr-review-by-openhands.yml

@@ -1,70 +0,0 @@
----
-name: PR Review by OpenHands
-
-on:
-    # Use pull_request for same-repo PRs so workflow changes can self-verify in PRs.
-    pull_request:
-        types: [opened, ready_for_review, labeled, review_requested]
-    # Use pull_request_target for fork PRs.
-    # The bot token used here is intentionally scoped to PR review operations,
-    # so the remaining blast radius is bounded even though PR content is untrusted.
-    pull_request_target:
-        types: [opened, ready_for_review, labeled, review_requested]
-
-permissions:
-    contents: read
-    pull-requests: write
-    issues: write
-
-jobs:
-    pr-review:
-        # Run on same-repo PRs via pull_request and on fork PRs via pull_request_target.
-        # Trigger when one of the following conditions is met:
-        #   1. A new non-draft PR is opened by a non-first-time contributor, OR
-        #   2. A draft PR is converted to ready for review by a non-first-time contributor, OR
-        #   3. The 'review-this' label is added, OR
-        #   4. openhands-agent or all-hands-bot is requested as a reviewer
-        # Note: FIRST_TIME_CONTRIBUTOR and NONE PRs require manual trigger via label/reviewer request.
-        # Trigger logic:
-        #   1. Route same-repo PRs through `pull_request` and fork PRs through `pull_request_target`
-        #   2. Auto-trigger on `opened` / `ready_for_review` for non-first-time contributors
-        #   3. Always allow manual triggers via `review-this` or reviewer request
-        # The author association check is duplicated intentionally for both
-        # auto-triggered actions (`opened` and `ready_for_review`).
-        if: |
-            (
-                (
-                    github.event_name == 'pull_request' &&
-                    github.event.pull_request.head.repo.full_name == github.repository
-                ) ||
-                (
-                    github.event_name == 'pull_request_target' &&
-                    github.event.pull_request.head.repo.full_name != github.repository
-                )
-            ) &&
-            (
-                (github.event.action == 'opened' && github.event.pull_request.draft == false && github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && github.event.pull_request.author_association != 'NONE') ||
-                (github.event.action == 'ready_for_review' && github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && github.event.pull_request.author_association != 'NONE') ||
-                (github.event.action == 'labeled' && github.event.label.name == 'review-this') ||
-                (
-                    github.event.action == 'review_requested' &&
-                    (
-                        github.event.requested_reviewer.login == 'openhands-agent' ||
-                        github.event.requested_reviewer.login == 'all-hands-bot'
-                    )
-                )
-            )
-        concurrency:
-            group: pr-review-${{ github.event.pull_request.number }}
-            cancel-in-progress: true
-        runs-on: ubuntu-24.04
-        steps:
-            - name: Run PR Review
-              uses: OpenHands/extensions/plugins/pr-review@main
-              with:
-                  llm-model: litellm_proxy/claude-sonnet-4-5-20250929
-                  llm-base-url: https://llm-proxy.app.all-hands.dev
-                  review-style: roasted
-                  llm-api-key: ${{ secrets.LLM_API_KEY }}
-                  github-token: ${{ secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC }}
-                  lmnr-api-key: ${{ secrets.LMNR_SKILLS_API_KEY }}

.github/workflows/pr-review-evaluation.yml

@@ -1,85 +0,0 @@
----
-name: PR Review Evaluation
-
-# This workflow evaluates how well PR review comments were addressed.
-# It runs when a PR is closed to assess review effectiveness.
-#
-# Security note: pull_request_target is safe here because:
-# 1. Only triggers on PR close (not on code changes)
-# 2. Does not checkout PR code - only downloads artifacts from trusted workflow runs
-# 3. Runs evaluation scripts from the extensions repo, not from the PR
-
-on:
-    pull_request_target:
-        types: [closed]
-
-permissions:
-    contents: read
-    pull-requests: read
-
-jobs:
-    evaluate:
-        runs-on: ubuntu-24.04
-        env:
-            PR_NUMBER: ${{ github.event.pull_request.number }}
-            REPO_NAME: ${{ github.repository }}
-            PR_MERGED: ${{ github.event.pull_request.merged }}
-
-        steps:
-            - name: Download review trace artifact
-              id: download-trace
-              uses: dawidd6/action-download-artifact@v15
-              continue-on-error: true
-              with:
-                  workflow: pr-review-by-openhands.yml
-                  name: pr-review-trace-${{ github.event.pull_request.number }}
-                  path: trace-info
-                  search_artifacts: true
-                  if_no_artifact_found: warn
-
-            - name: Check if trace file exists
-              id: check-trace
-              run: |
-                  if [ -f "trace-info/laminar_trace_info.json" ]; then
-                    echo "trace_exists=true" >> $GITHUB_OUTPUT
-                    echo "Found trace file for PR #$PR_NUMBER"
-                  else
-                    echo "trace_exists=false" >> $GITHUB_OUTPUT
-                    echo "No trace file found for PR #$PR_NUMBER - skipping evaluation"
-                  fi
-
-            # Always checkout main branch for security - cannot test script changes in PRs
-            - name: Checkout extensions repository
-              if: steps.check-trace.outputs.trace_exists == 'true'
-              uses: actions/checkout@v6
-              with:
-                  repository: OpenHands/extensions
-                  path: extensions
-
-            - name: Set up Python
-              if: steps.check-trace.outputs.trace_exists == 'true'
-              uses: actions/setup-python@v6
-              with:
-                  python-version: '3.12'
-
-            - name: Install dependencies
-              if: steps.check-trace.outputs.trace_exists == 'true'
-              run: pip install lmnr
-
-            - name: Run evaluation
-              if: steps.check-trace.outputs.trace_exists == 'true'
-              env:
-                  # Script expects LMNR_PROJECT_API_KEY; org secret is named LMNR_SKILLS_API_KEY
-                  LMNR_PROJECT_API_KEY: ${{ secrets.LMNR_SKILLS_API_KEY }}
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-              run: |
-                  python extensions/plugins/pr-review/scripts/evaluate_review.py \
-                      --trace-file trace-info/laminar_trace_info.json
-
-            - name: Upload evaluation logs
-              uses: actions/upload-artifact@v7
-              if: always() && steps.check-trace.outputs.trace_exists == 'true'
-              with:
-                  name: pr-review-evaluation-${{ github.event.pull_request.number }}
-                  path: '*.log'
-                  retention-days: 30

.github/workflows/py-tests.yml

@@ -19,7 +19,7 @@ jobs:
   # Run python tests on Linux
   test-on-linux:
     name: Python Tests on Linux
-    runs-on: ubuntu-24.04
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     env:
       INSTALL_DOCKER: "0" # Set to '0' to skip Docker installation
     strategy:
@@ -30,18 +30,54 @@ jobs:
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v3
       - name: Install tmux
         run: sudo apt-get update && sudo apt-get install -y tmux
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: useblacksmith/setup-node@v5
         with:
           node-version: "22.x"
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
+      - name: Install poetry via pipx
+        run: pipx install poetry
+      - name: Set up Python
+        uses: useblacksmith/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "poetry"
+      - name: Install Python dependencies using Poetry
+        run: poetry install --with dev,test,runtime
+      - name: Build Environment
+        run: make build
+      - name: Run Unit Tests
+        run: PYTHONPATH=".:$PYTHONPATH" poetry run pytest --forked -n auto -s ./tests/unit --cov=openhands --cov-branch
+        env:
+          COVERAGE_FILE: ".coverage.${{ matrix.python_version }}"
+      - name: Run Runtime Tests with CLIRuntime
+        run: PYTHONPATH=".:$PYTHONPATH" TEST_RUNTIME=cli poetry run pytest -s tests/runtime/test_bash.py --cov=openhands --cov-branch
+        env:
+          COVERAGE_FILE: ".coverage.runtime.${{ matrix.python_version }}"
+      - name: Store coverage file
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-openhands
+          path: |
+            .coverage.${{ matrix.python_version }}
+            .coverage.runtime.${{ matrix.python_version }}
+          include-hidden-files: true
+  # Run specific Windows python tests
+  test-on-windows:
+    name: Python Tests on Windows
+    runs-on: windows-latest
+    strategy:
+      matrix:
+        python-version: ["3.12"]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install pipx
+        run: pip install pipx
       - name: Install poetry via pipx
         run: pipx install poetry
       - name: Set up Python
@@ -50,37 +86,30 @@ jobs:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
       - name: Install Python dependencies using Poetry
-        run: |
-          poetry install --with dev,test,runtime
-          poetry run pip install pytest-xdist
-          poetry run pip install pytest-rerunfailures
-      - name: Build Environment
-        run: make build
-      - name: Run Unit Tests
-        run: PYTHONPATH=".:$PYTHONPATH" poetry run pytest --forked -n auto -s ./tests/unit --cov=openhands --cov-branch
+        run: poetry install --with dev,test,runtime
+      - name: Run Windows unit tests
+        run: poetry run pytest -svv tests/unit/runtime/utils/test_windows_bash.py
         env:
-          COVERAGE_FILE: ".coverage.${{ matrix.python_version }}"
-      - name: Store coverage file
-        uses: actions/upload-artifact@v7
-        with:
-          name: coverage-openhands
-          path: |
-            .coverage.${{ matrix.python_version }}
-            .coverage.runtime.${{ matrix.python_version }}
-          include-hidden-files: true
-
+          PYTHONPATH: ".;$env:PYTHONPATH"
+          DEBUG: "1"
+      - name: Run Windows runtime tests with LocalRuntime
+        run: $env:TEST_RUNTIME="local"; poetry run pytest -svv tests/runtime/test_bash.py
+        env:
+          PYTHONPATH: ".;$env:PYTHONPATH"
+          TEST_RUNTIME: local
+          DEBUG: "1"
   test-enterprise:
     name: Enterprise Python Unit Tests
-    runs-on: ubuntu-24.04
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     strategy:
       matrix:
         python-version: ["3.12"]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
       - name: Install poetry via pipx
         run: pipx install poetry
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: useblacksmith/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
@@ -93,30 +122,79 @@ jobs:
         env:
           COVERAGE_FILE: ".coverage.enterprise.${{ matrix.python_version }}"
       - name: Store coverage file
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-enterprise
           path: ".coverage.enterprise.${{ matrix.python_version }}"
           include-hidden-files: true
 
+  # Run CLI unit tests
+  test-cli-python:
+    name: CLI Unit Tests
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    strategy:
+      matrix:
+        python-version: ["3.12"]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: useblacksmith/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+        with:
+          version: "latest"
+
+      - name: Install dependencies
+        working-directory: ./openhands-cli
+        run: |
+          uv sync --group dev
+
+      - name: Run CLI unit tests
+        working-directory: ./openhands-cli
+        env:
+          # write coverage to repo root so the merge step finds it
+          COVERAGE_FILE: "${{ github.workspace }}/.coverage.openhands-cli.${{ matrix.python-version }}"
+        run: |
+          uv run pytest --forked -n auto -s \
+            -p no:ddtrace -p no:ddtrace.pytest_bdd -p no:ddtrace.pytest_benchmark \
+            tests --cov=openhands_cli --cov-branch
+
+      - name: Store coverage file
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-openhands-cli
+          path: ".coverage.openhands-cli.${{ matrix.python-version }}"
+          include-hidden-files: true
+
+
   coverage-comment:
     name: Coverage Comment
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
-    needs: [test-on-linux, test-enterprise]
+    needs: [test-on-linux, test-enterprise, test-cli-python]
 
     permissions:
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@v5
         id: download
         with:
           pattern: coverage-*
           merge-multiple: true
 
+      - name: Create symlink for CLI source files
+        run: ln -sf openhands-cli/openhands_cli openhands_cli
+
       - name: Coverage comment
         id: coverage_comment
         uses: py-cov-action/python-coverage-comment-action@v3

.github/workflows/pypi-release.yml

@@ -10,6 +10,7 @@ on:
         type: choice
         options:
           - app server
+          - cli
         default: app server
   push:
     tags:
@@ -17,14 +18,14 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-22.04
-    # Run when manually dispatched for "app server" OR for tag pushes that don't contain '-cli' and don't start with 'cloud-'
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    # Run when manually dispatched for "app server" OR for tag pushes that don't contain '-cli'
     if: |
       (github.event_name == 'workflow_dispatch' && github.event.inputs.reason == 'app server')
-      || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-cli') && !startsWith(github.ref, 'refs/tags/cloud-'))
+      || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-cli'))
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: useblacksmith/setup-python@v6
         with:
           python-version: 3.12
       - name: Install Poetry
@@ -38,3 +39,36 @@ jobs:
         run: ./build.sh
       - name: publish
         run: poetry publish -u __token__ -p ${{ secrets.PYPI_TOKEN }}
+
+  release-cli:
+    name: Publish CLI to PyPI
+    runs-on: ubuntu-latest
+    # Run when manually dispatched for "cli" OR for tag pushes that contain '-cli'
+    if: |
+      (github.event_name == 'workflow_dispatch' && github.event.inputs.reason == 'cli')
+      || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-cli'))
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+        with:
+          version: "latest"
+
+      - name: Build CLI package
+        working-directory: openhands-cli
+        run: |
+          # Clean dist directory to avoid conflicts with binary builds
+          rm -rf dist/
+          uv build
+
+      - name: Publish CLI to PyPI
+        working-directory: openhands-cli
+        run: |
+          uv publish --token ${{ secrets.PYPI_TOKEN_OPENHANDS }}

.github/workflows/run-eval.yml

@@ -0,0 +1,135 @@
+# Run evaluation on a PR, after releases, or manually
+name: Run Eval
+
+# Runs when a PR is labeled with one of the "run-eval-" labels, after releases, or manually triggered
+on:
+  pull_request:
+    types: [labeled]
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to evaluate'
+        required: true
+        default: 'main'
+      eval_instances:
+        description: 'Number of evaluation instances'
+        required: true
+        default: '50'
+        type: choice
+        options:
+          - '1'
+          - '2'
+          - '50'
+          - '100'
+      reason:
+        description: 'Reason for manual trigger'
+        required: false
+        default: ''
+
+env:
+  # Environment variable for the master GitHub issue number where all evaluation results will be commented
+  # This should be set to the issue number where you want all evaluation results to be posted
+  MASTER_EVAL_ISSUE_NUMBER: ${{ vars.MASTER_EVAL_ISSUE_NUMBER || '0' }}
+
+jobs:
+  trigger-job:
+    name: Trigger remote eval job
+    if: ${{ (github.event_name == 'pull_request' && (github.event.label.name == 'run-eval-1' || github.event.label.name == 'run-eval-2' || github.event.label.name == 'run-eval-50' || github.event.label.name == 'run-eval-100')) || github.event_name == 'release' || github.event_name == 'workflow_dispatch' }}
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request' && github.head_ref || (github.event_name == 'workflow_dispatch' && github.event.inputs.branch) || github.ref }}
+
+      - name: Set evaluation parameters
+        id: eval_params
+        run: |
+          REPO_URL="https://github.com/${{ github.repository }}"
+          echo "Repository URL: $REPO_URL"
+
+          # Determine branch based on trigger type
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            EVAL_BRANCH="${{ github.head_ref }}"
+            echo "PR Branch: $EVAL_BRANCH"
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            EVAL_BRANCH="${{ github.event.inputs.branch }}"
+            echo "Manual Branch: $EVAL_BRANCH"
+          else
+            # For release events, use the tag name or main branch
+            EVAL_BRANCH="${{ github.ref_name }}"
+            echo "Release Branch/Tag: $EVAL_BRANCH"
+          fi
+
+          # Determine evaluation instances based on trigger type
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            if [[ "${{ github.event.label.name }}" == "run-eval-1" ]]; then
+              EVAL_INSTANCES="1"
+            elif [[ "${{ github.event.label.name }}" == "run-eval-2" ]]; then
+              EVAL_INSTANCES="2"
+            elif [[ "${{ github.event.label.name }}" == "run-eval-50" ]]; then
+              EVAL_INSTANCES="50"
+            elif [[ "${{ github.event.label.name }}" == "run-eval-100" ]]; then
+              EVAL_INSTANCES="100"
+            fi
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            EVAL_INSTANCES="${{ github.event.inputs.eval_instances }}"
+          else
+            # For release events, default to 50 instances
+            EVAL_INSTANCES="50"
+          fi
+
+          echo "Evaluation instances: $EVAL_INSTANCES"
+          echo "repo_url=$REPO_URL" >> $GITHUB_OUTPUT
+          echo "eval_branch=$EVAL_BRANCH" >> $GITHUB_OUTPUT
+          echo "eval_instances=$EVAL_INSTANCES" >> $GITHUB_OUTPUT
+
+      - name: Trigger remote job
+        run: |
+          # Determine PR number for the remote evaluation system
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            PR_NUMBER="${{ github.event.pull_request.number }}"
+          else
+            # For non-PR triggers, use the master issue number as PR number
+            PR_NUMBER="${{ env.MASTER_EVAL_ISSUE_NUMBER }}"
+          fi
+
+          curl -X POST \
+            -H "Authorization: Bearer ${{ secrets.PAT_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            -d "{\"ref\": \"main\", \"inputs\": {\"github-repo\": \"${{ steps.eval_params.outputs.repo_url }}\", \"github-branch\": \"${{ steps.eval_params.outputs.eval_branch }}\", \"pr-number\": \"${PR_NUMBER}\", \"eval-instances\": \"${{ steps.eval_params.outputs.eval_instances }}\"}}" \
+            https://api.github.com/repos/OpenHands/evaluation/actions/workflows/create-branch.yml/dispatches
+
+          # Send Slack message
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            TRIGGER_URL="https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}"
+            slack_text="PR $TRIGGER_URL has triggered evaluation on ${{ steps.eval_params.outputs.eval_instances }} instances..."
+          elif [[ "${{ github.event_name }}" == "release" ]]; then
+            TRIGGER_URL="https://github.com/${{ github.repository }}/releases/tag/${{ github.ref_name }}"
+            slack_text="Release $TRIGGER_URL has triggered evaluation on ${{ steps.eval_params.outputs.eval_instances }} instances..."
+          else
+            TRIGGER_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            slack_text="Manual trigger (${{ github.event.inputs.reason || 'No reason provided' }}) has triggered evaluation on ${{ steps.eval_params.outputs.eval_instances }} instances for branch ${{ steps.eval_params.outputs.eval_branch }}..."
+          fi
+
+          curl -X POST -H 'Content-type: application/json' --data '{"text":"'"$slack_text"'"}' \
+            https://hooks.slack.com/services/${{ secrets.SLACK_TOKEN }}
+
+      - name: Comment on issue/PR
+        uses: KeisukeYamashita/create-comment@v1
+        with:
+          # For PR triggers, comment on the PR. For other triggers, comment on the master issue
+          number: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || env.MASTER_EVAL_ISSUE_NUMBER }}
+          unique: false
+          comment: |
+            **Evaluation Triggered**
+
+            **Trigger:** ${{ github.event_name == 'pull_request' && format('Pull Request #{0}', github.event.pull_request.number) || (github.event_name == 'release' && 'Release') || format('Manual Trigger: {0}', github.event.inputs.reason || 'No reason provided') }}
+            **Branch:** ${{ steps.eval_params.outputs.eval_branch }}
+            **Instances:** ${{ steps.eval_params.outputs.eval_instances }}
+            **Commit:** ${{ github.sha }}
+
+            Running evaluation on the specified branch. Once eval is done, the results will be posted here.

.github/workflows/stale.yml

@@ -8,10 +8,9 @@ on:
 
 jobs:
   stale:
-    runs-on: ubuntu-22.04
-    if: github.repository == 'OpenHands/OpenHands'
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@v9
         with:
           stale-issue-message: 'This issue is stale because it has been open for 40 days with no activity. Remove the stale label or leave a comment, otherwise it will be closed in 10 days.'
           stale-pr-message: 'This PR is stale because it has been open for 40 days with no activity. Remove the stale label or leave a comment, otherwise it will be closed in 10 days.'

.github/workflows/tag-image.yml

@@ -1,59 +0,0 @@
-# Adds a git-tag name to existing Docker images.
-# Triggered when a tag is pushed: finds the images built at the tag's commit
-# (tagged `sha-<full>`) and adds the tag name as an alias for the same manifest.
-# Semver tags (X.Y.Z) also get X.Y, X, and latest aliases.
-# No rebuild — pure registry-side retag via `docker buildx imagetools create`.
-name: Tag Docker images
-
-on:
-  push:
-    tags:
-      - "*"
-
-jobs:
-  retag:
-    runs-on: ubuntu-22.04
-    permissions:
-      packages: write
-    strategy:
-      matrix:
-        image:
-          - ghcr.io/openhands/openhands
-          - ghcr.io/openhands/enterprise-server
-    steps:
-      - name: Login to GHCR
-        uses: docker/login-action@v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Compute tags
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: ${{ matrix.image }}
-          flavor: latest=auto
-          tags: |
-            type=ref,event=tag
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-      - name: Add tags to existing image
-        env:
-          SRC: ${{ matrix.image }}:sha-${{ github.sha }}
-          TAGS: ${{ steps.meta.outputs.tags }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if ! docker buildx imagetools inspect "$SRC" > /dev/null 2>&1; then
-            echo "::error::Source image $SRC does not exist. The Docker workflow for commit ${{ github.sha }} may not have completed successfully. Re-run this workflow once the build finishes."
-            exit 1
-          fi
-          args=()
-          while IFS= read -r tag; do
-            [[ -z "$tag" ]] && continue
-            args+=(-t "$tag")
-          done <<< "$TAGS"
-          docker buildx imagetools create "${args[@]}" "$SRC"

.github/workflows/ui-build.yml

@@ -19,10 +19,10 @@ concurrency:
 jobs:
   ui-build:
     name: Build openhands-ui
-    runs-on: ubuntu-22.04
+    runs-on: blacksmith-4vcpu-ubuntu-2204
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - uses: oven-sh/setup-bun@v2
         with:
           bun-version-file: "openhands-ui/.bun-version"

.github/workflows/vscode-extension-build.yml

@@ -0,0 +1,156 @@
+# Workflow that validates the VSCode extension builds correctly
+name: VSCode Extension CI
+
+# * Always run on "main"
+# * Run on PRs that have changes in the VSCode extension folder or this workflow
+# * Run on tags that start with "ext-v"
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'ext-v*'
+  pull_request:
+    paths:
+      - 'openhands/integrations/vscode/**'
+      - 'build_vscode.py'
+      - '.github/workflows/vscode-extension-build.yml'
+
+# If triggered by a PR, it will be in the same group. However, each commit on main will be in its own unique group
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  # Validate VSCode extension builds correctly
+  validate-vscode-extension:
+    name: Validate VSCode Extension Build
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: useblacksmith/setup-node@v5
+        with:
+          node-version: '22'
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install VSCode extension dependencies
+        working-directory: ./openhands/integrations/vscode
+        run: npm ci
+
+      - name: Build VSCode extension via build_vscode.py
+        run: python build_vscode.py
+        env:
+          # Ensure we don't skip the build
+          SKIP_VSCODE_BUILD: ""
+
+      - name: Validate .vsix file
+        run: |
+          # Verify the .vsix was created and is valid
+          if [ -f "openhands/integrations/vscode/openhands-vscode-0.0.1.vsix" ]; then
+            echo "✅ VSCode extension built successfully"
+            ls -la openhands/integrations/vscode/openhands-vscode-0.0.1.vsix
+
+            # Basic validation that the .vsix is a valid zip file
+            echo "🔍 Validating .vsix structure..."
+            file openhands/integrations/vscode/openhands-vscode-0.0.1.vsix
+            unzip -t openhands/integrations/vscode/openhands-vscode-0.0.1.vsix
+
+            echo "✅ VSCode extension validation passed"
+          else
+            echo "❌ VSCode extension build failed - .vsix not found"
+            exit 1
+          fi
+
+      - name: Upload VSCode extension artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: vscode-extension
+          path: openhands/integrations/vscode/openhands-vscode-0.0.1.vsix
+          retention-days: 7
+
+      - name: Comment on PR with artifact link
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+
+            // Get file size for display
+            const vsixPath = 'openhands/integrations/vscode/openhands-vscode-0.0.1.vsix';
+            const stats = fs.statSync(vsixPath);
+            const fileSizeKB = Math.round(stats.size / 1024);
+
+            const comment = `## 🔧 VSCode Extension Built Successfully!
+
+            The VSCode extension has been built and is ready for testing.
+
+            **📦 Download**: [openhands-vscode-0.0.1.vsix](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) (${fileSizeKB} KB)
+
+            **🚀 To install**:
+            1. Download the artifact from the workflow run above
+            2. In VSCode: \`Ctrl+Shift+P\` → "Extensions: Install from VSIX..."
+            3. Select the downloaded \`.vsix\` file
+
+            **✅ Tested with**: Node.js 22
+            **🔍 Validation**: File structure and integrity verified
+
+            ---
+            *Built from commit ${{ github.sha }}*`;
+
+            // Check if we already commented on this PR and delete it
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+
+            const botComment = comments.find(comment =>
+              comment.user.login === 'github-actions[bot]' &&
+              comment.body.includes('VSCode Extension Built Successfully')
+            );
+
+            if (botComment) {
+              await github.rest.issues.deleteComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+              });
+            }
+
+            // Create a new comment
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: comment
+            });
+
+  release:
+    name: Create GitHub Release
+    runs-on: blacksmith-4vcpu-ubuntu-2204
+    needs: validate-vscode-extension
+    if: startsWith(github.ref, 'refs/tags/ext-v')
+
+    steps:
+      - name: Download .vsix artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: vscode-extension
+          path: ./
+
+      - name: Create Release
+        uses: ncipollo/release-action@v1.16.0
+        with:
+          artifacts: "*.vsix"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          draft: true
+          allowUpdates: true

.github/workflows/welcome-good-first-issue.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Check if welcome comment already exists
         id: check_comment
-        uses: actions/github-script@v9
+        uses: actions/github-script@v7
         with:
           result-encoding: string
           script: |
@@ -33,7 +33,7 @@ jobs:
 
       - name: Leave welcome comment
         if: steps.check_comment.outputs.result == 'false'
-        uses: actions/github-script@v9
+        uses: actions/github-script@v7
         with:
           script: |
             const repoUrl = `https://github.com/${context.repo.owner}/${context.repo.repo}`;
@@ -45,7 +45,7 @@ jobs:
                     "This issue has been labeled as **good first issue**, which means it's a great place to get started with the OpenHands project.\n\n" +
                     "If you're interested in working on it, feel free to! No need to ask for permission.\n\n" +
                     "Be sure to check out our [development setup guide](" + repoUrl + "/blob/main/Development.md) to get your environment set up, and follow our [contribution guidelines](" + repoUrl + "/blob/main/CONTRIBUTING.md) when you're ready to submit a fix.\n\n" +
-                    "Feel free to join our developer community on [Slack](https://openhands.dev/joinslack). You can ask for [help](https://openhands-ai.slack.com/archives/C078L0FUGUX), [feedback](https://openhands-ai.slack.com/archives/C086ARSNMGA), and even ask for a [PR review](https://openhands-ai.slack.com/archives/C08D8FJ5771).\n\n" +
+                    "Feel free to join our developer community on [Slack](https://all-hands.dev/joinslack). You can ask for [help](https://openhands-ai.slack.com/archives/C078L0FUGUX), [feedback](https://openhands-ai.slack.com/archives/C086ARSNMGA), and even ask for a [PR review](https://openhands-ai.slack.com/archives/C08D8FJ5771).\n\n" +
                     "🙌 Happy hacking! 🙌\n\n" +
                     "<!-- auto-comment:good-first-issue -->"
             });

.gitignore

@@ -185,9 +185,6 @@ cython_debug/
 .repomix
 repomix-output.txt
 
-# Emacs backup
-*~
-
 # evaluation
 evaluation/evaluation_outputs
 evaluation/outputs
@@ -234,8 +231,6 @@ yarn-error.log*
 
 logs
 
-ralph/
-
 # agent
 .envrc
 /workspace
@@ -254,6 +249,10 @@ run_instance_logs
 
 runtime_*.tar
 
+# docker build
+containers/runtime/Dockerfile
+containers/runtime/project.tar.gz
+containers/runtime/code
 **/node_modules/
 
 # test results

.openhands/microagents/repo.md

@@ -13,21 +13,13 @@ export RUNTIME=local
 make build && make run FRONTEND_PORT=12000 FRONTEND_HOST=0.0.0.0 BACKEND_HOST=0.0.0.0 &> /tmp/openhands-log.txt &
 ```
 
-Local run troubleshooting notes:
-- If the backend fails with `nc: command not found`, install `netcat-openbsd`.
-- If local runtime startup fails with `duplicate session: test-session`, clear the stale tmux session on the default socket: `tmux -S /tmp/tmux-$(id -u)/default kill-session -t test-session`.
-- Local runtime browser startup expects Playwright browsers under `~/.cache/playwright`; if needed run `PLAYWRIGHT_BROWSERS_PATH=$HOME/.cache/playwright poetry run playwright install chromium`.
-- In this sandbox environment, an inherited `SESSION_API_KEY` can make `/api/v1/settings` return 401 in the browser. Unset it before `make run` when you want to use the local web UI directly.
-- In this sandbox, `frontend`'s `npm run dev:mock` / `dev:mock:saas` can start but still be awkward to browse through the work-host proxy. For PR QA screenshots, a reliable fallback is to `npm run build` with the desired `VITE_MOCK_*` env, then serve `build/` with a tiny custom HTTP server that returns the minimal mock JSON endpoints needed by the settings page.
-
-
 IMPORTANT: Before making any changes to the codebase, ALWAYS run `make install-pre-commit-hooks` to ensure pre-commit hooks are properly installed.
 
 Before pushing any changes, you MUST ensure that any lint errors or simple test errors have been fixed.
 
 * If you've made changes to the backend, you should run `pre-commit run --config ./dev_config/python/.pre-commit-config.yaml` (this will run on staged files).
 * If you've made changes to the frontend, you should run `cd frontend && npm run lint:fix && npm run build ; cd ..`
-* If you've made changes to the VSCode extension, you should run `cd openhands/app_server/integrations/vscode && npm run lint:fix && npm run compile ; cd ../../..`
+* If you've made changes to the VSCode extension, you should run `cd openhands/integrations/vscode && npm run lint:fix && npm run compile ; cd ../../..`
 
 The pre-commit hooks MUST pass successfully before pushing any changes to the repository. This is a mandatory requirement to maintain code quality and consistency.
 
@@ -44,81 +36,9 @@ then re-run the command to ensure it passes. Common issues include:
 - Be especially careful with `git reset --hard` after staging files, as it will remove accidentally staged files
 - When remote has new changes, use `git fetch upstream && git rebase upstream/<branch>` on the same branch
 
-## Lockfile Regeneration (Preserve Original Tool Versions)
-
-When regenerating lockfiles (poetry.lock, uv.lock, etc.), you MUST use the same tool version that originally generated the lockfile to avoid unnecessary diff noise. Each lockfile contains a version header indicating which tool version was used.
-
-### Poetry (poetry.lock)
-
-1. Extract the version from the lockfile header:
-   ```bash
-   POETRY_VERSION=$(grep -m1 "^# This file is automatically @generated by Poetry" poetry.lock | sed 's/.*Poetry \([0-9.]*\).*/\1/')
-   ```
-2. If a version is found, install that specific version:
-   ```bash
-   pipx install poetry==$POETRY_VERSION --force
-   ```
-3. Then regenerate the lockfile:
-   ```bash
-   poetry lock --no-update
-   ```
-
-### uv (uv.lock)
-
-1. Extract the version from the lockfile header:
-   ```bash
-   UV_VERSION=$(grep -m1 "^# This file was autogenerated by uv" uv.lock | sed 's/.*uv version \([0-9.]*\).*/\1/')
-   ```
-2. If a version is found, install that specific version:
-   ```bash
-   pipx install uv==$UV_VERSION --force
-   ```
-3. Then regenerate the lockfile:
-   ```bash
-   uv lock
-   ```
-
-This ensures that lockfile updates only contain actual dependency changes, not tool version migration artifacts.
-
-## PR-Specific Artifacts (`.pr/` directory)
-
-When working on a PR that requires design documents, scripts meant for development-only, or other temporary artifacts that should NOT be merged to main, store them in a `.pr/` directory at the repository root.
-
-### Usage
-
-```
-.pr/
-├── design.md       # Design decisions and architecture notes
-├── analysis.md     # Investigation or debugging notes
-├── logs/           # Test output or CI logs for reviewer reference
-└── notes.md        # Any other PR-specific content
-```
-
-### How It Works
-
-1. **Notification**: When `.pr/` exists, a comment is posted to the PR conversation alerting reviewers
-2. **Auto-cleanup**: When the PR is approved, the `.pr/` directory is automatically removed via `.github/workflows/pr-artifacts.yml`
-3. **Fork PRs**: Auto-cleanup cannot push to forks, so manual removal is required before merging
-
-### Important Notes
-
-- Do NOT put anything in `.pr/` that needs to be preserved after merge
-- The `.pr/` check passes (green ✅) during development — it only posts a notification, not a blocking error
-- For fork PRs: You must manually remove `.pr/` before the PR can be merged
-
-### When to Use
-
-- Complex refactoring that benefits from written design rationale
-- Debugging sessions where you want to document your investigation
-- E2E test results or logs that demonstrate a cross-repo feature works
-- Feature implementations that need temporary planning docs
-- Any analysis that helps reviewers understand the PR but isn't needed long-term
-
 ## Repository Structure
 Backend:
 - Located in the `openhands` directory
-- The current V1 application server lives in `openhands/app_server/`. `make start-backend` still launches `openhands.server.listen:app`, which includes the V1 routes by default unless `ENABLE_V1=0`.
-- For V1 web-app docs, LLM setup should point users to the Settings UI.
 - Testing:
   - All tests are in `tests/unit/test_*.py`
   - To test new code, run `poetry run pytest tests/unit/test_xxx.py` where `xxx` is the appropriate file for the current functionality
@@ -143,14 +63,12 @@ Frontend:
   - We use TanStack Query (fka React Query) for data fetching and cache management
   - Data Access Layer: API client methods are located in `frontend/src/api` and should never be called directly from UI components - they must always be wrapped with TanStack Query
   - Custom hooks are located in `frontend/src/hooks/query/` and `frontend/src/hooks/mutation/`
-  - Query hooks should follow the pattern use[Resource] (e.g., `useConversationSkills`)
+  - Query hooks should follow the pattern use[Resource] (e.g., `useConversationMicroagents`)
   - Mutation hooks should follow the pattern use[Action] (e.g., `useDeleteConversation`)
   - Architecture rule: UI components → TanStack Query hooks → Data Access Layer (`frontend/src/api`) → API endpoints
-  - For SaaS organization management screens, prefer deriving the selected organization from `useOrganizations()` plus the selected org ID store instead of adding a dedicated single-org fetch when only list-level fields (for example `name`) are needed.
-
 
 VSCode Extension:
-- Located in the `openhands/app_server/integrations/vscode` directory
+- Located in the `openhands/integrations/vscode` directory
 - Setup: Run `npm install` in the extension directory
 - Linting:
   - Run linting with fixes: `npm run lint:fix`
@@ -232,11 +150,10 @@ Each integration follows a consistent pattern with service classes, storage mode
 
 **Important Notes:**
 - Enterprise code is licensed under Polyform Free Trial License (30-day limit)
-- The enterprise server extends the OpenHands server through dynamic imports
+- The enterprise server extends the OSS server through dynamic imports
 - Database changes require careful migration planning in `enterprise/migrations/`
-- Always test changes in both OpenHands and enterprise contexts
+- Always test changes in both OSS and enterprise contexts
 - Use the enterprise-specific Makefile commands for development
-- When the `openhands-ai` package (root project) version has been updated, run `poetry lock` in the `enterprise/` folder to update the version in the enterprise poetry lockfile.
 
 **Enterprise Testing Best Practices:**
 
@@ -248,8 +165,8 @@ Each integration follows a consistent pattern with service classes, storage mode
 
 **Import Patterns:**
 - Use relative imports without `enterprise.` prefix in enterprise code
-- Example: `from storage.database import a_session_maker` not `from enterprise.storage.database import a_session_maker`
-- This ensures code works in both OpenHands and enterprise contexts
+- Example: `from storage.database import session_maker` not `from enterprise.storage.database import session_maker`
+- This ensures code works in both OSS and enterprise contexts
 
 **Test Structure:**
 - Place tests in `enterprise/tests/unit/` following the same structure as the source code
@@ -284,32 +201,6 @@ If you are starting a pull request (PR), please follow the template in `.github/
 
 These details may or may not be useful for your current task.
 
-### Conversation State Management
-
-#### Agent State and Sandbox Status:
-The frontend uses `useAgentState` hook (`frontend/src/hooks/use-agent-state.ts`) to determine the current conversation state. This hook:
-- Returns `curAgentState` (AgentState enum) for UI state determination
-- Returns `isArchived` flag when `sandbox_status === "MISSING"` (archived conversations)
-- Prioritizes live WebSocket execution status over cached API data
-
-#### Archived Conversations (sandbox_status === "MISSING"):
-When a conversation's sandbox is no longer available (archived):
-- `useAgentState` returns `AgentState.STOPPED` and `isArchived: true`
-- Chat input is replaced with an archived banner (`ArchivedBanner` component)
-- VS Code tab, Terminal, and Planner show read-only messages instead of loading states
-- All interactive elements that require a running sandbox are disabled
-
-#### Testing useAgentState:
-When mocking `useAgentState` in tests, always include the `isArchived` property:
-```typescript
-vi.mock("#/hooks/use-agent-state", () => ({
-  useAgentState: () => ({
-    curAgentState: AgentState.AWAITING_USER_INPUT,
-    isArchived: false,
-  }),
-}));
-```
-
 ### Microagents
 
 Microagents are specialized prompts that enhance OpenHands with domain-specific knowledge and task-specific workflows. They are Markdown files that can include frontmatter for configuration.
@@ -389,7 +280,6 @@ There are two main patterns for saving settings in the OpenHands frontend:
 **When to use each pattern:**
 - Use Pattern 1 (Immediate Save) for entity management where each item is independent
 - Use Pattern 2 (Manual Save) for configuration forms where settings are interdependent or need validation
-- Git provider tokens in the local/OSS integrations settings are managed through the V1 secrets endpoints (`POST`/`DELETE /api/v1/secrets/git-providers`). Do not reuse the logout flow for disconnecting tokens; `useLogout` is for actual app logout and still targets legacy OSS logout behavior.
 
 ### Adding New LLM Models
 
@@ -452,30 +342,3 @@ To add a new LLM model to OpenHands, you need to update multiple files across bo
 - Models appear in CLI provider selection based on the verified arrays
 - The `organize_models_and_providers` function groups models by provider
 - Default model selection prioritizes verified models for each provider
-
-### Sandbox Settings API (SDK Credential Inheritance)
-
-The sandbox settings API allows SDK-created conversations to inherit the user's SaaS credentials
-(LLM config, secrets) securely via `LookupSecret`. Raw secret values only flow SaaS→sandbox,
-never through the SDK client.
-
-#### User Credentials with Exposed Secrets (in `openhands/app_server/user/user_router.py`):
-- `GET /api/v1/users/me?expose_secrets=true` → Full user settings with unmasked secrets (e.g., `llm_api_key`)
-- `GET /api/v1/users/me` → Full user settings (secrets masked, Bearer only)
-
-Auth requirements for `expose_secrets=true`:
-- Bearer token (proves user identity via `OPENHANDS_API_KEY`)
-- `X-Session-API-Key` header (proves caller has an active sandbox owned by the authenticated user)
-
-Called by `workspace.get_llm()` in the SDK to retrieve LLM config with the API key.
-
-#### Sandbox-Scoped Secrets Endpoints (in `openhands/app_server/sandbox/sandbox_router.py`):
-- `GET /sandboxes/{id}/settings/secrets` → list secret names (no values)
-- `GET /sandboxes/{id}/settings/secrets/{name}` → raw secret value (called FROM sandbox)
-
-#### Auth: `X-Session-API-Key` header, validated via `SandboxService.get_sandbox_by_session_api_key()`
-
-#### Related SDK code (in `software-agent-sdk` repo):
-- `openhands/sdk/llm/llm.py`: `LLM.api_key` accepts `SecretSource` (including `LookupSecret`)
-- `openhands/workspace/cloud/workspace.py`: `get_llm()` and `get_secrets()` return LookupSecret-backed objects
-- Tests: `tests/sdk/llm/test_llm_secret_source_api_key.py`, `tests/workspace/test_cloud_workspace_sdk_settings.py`

.openhands/pre-commit.sh

@@ -13,6 +13,7 @@ STAGED_FILES=$(git diff --cached --name-only)
 # Check if any files match specific patterns
 has_frontend_changes=false
 has_backend_changes=false
+has_vscode_changes=false
 
 # Check each file individually to avoid issues with grep
 for file in $STAGED_FILES; do
@@ -20,12 +21,17 @@ for file in $STAGED_FILES; do
         has_frontend_changes=true
     elif [[ $file == openhands/* || $file == evaluation/* || $file == tests/* ]]; then
         has_backend_changes=true
+        # Check for VSCode extension changes (subset of backend changes)
+        if [[ $file == openhands/integrations/vscode/* ]]; then
+            has_vscode_changes=true
+        fi
     fi
 done
 
 echo "Analyzing changes..."
 echo "- Frontend changes: $has_frontend_changes"
 echo "- Backend changes: $has_backend_changes"
+echo "- VSCode extension changes: $has_vscode_changes"
 
 # Run frontend linting if needed
 if [ "$has_frontend_changes" = true ]; then
@@ -86,6 +92,51 @@ else
     echo "Skipping backend checks (no backend changes detected)."
 fi
 
+# Run VSCode extension checks if needed
+if [ "$has_vscode_changes" = true ]; then
+    # Check if we're in a CI environment
+    if [ -n "$CI" ]; then
+        echo "Skipping VSCode extension checks (CI environment detected)."
+        echo "WARNING: VSCode extension files have changed but checks are being skipped."
+        echo "Please run VSCode extension checks manually before submitting your PR."
+    else
+        echo "Running VSCode extension checks..."
+        if [ -d "openhands/integrations/vscode" ]; then
+            cd openhands/integrations/vscode || exit 1
+
+            echo "Running npm lint:fix..."
+            npm run lint:fix
+            if [ $? -ne 0 ]; then
+                echo "VSCode extension linting failed. Please fix the issues before committing."
+                EXIT_CODE=1
+            else
+                echo "VSCode extension linting passed!"
+            fi
+
+            echo "Running npm typecheck..."
+            npm run typecheck
+            if [ $? -ne 0 ]; then
+                echo "VSCode extension type checking failed. Please fix the issues before committing."
+                EXIT_CODE=1
+            else
+                echo "VSCode extension type checking passed!"
+            fi
+
+            echo "Running npm compile..."
+            npm run compile
+            if [ $? -ne 0 ]; then
+                echo "VSCode extension compilation failed. Please fix the issues before committing."
+                EXIT_CODE=1
+            else
+                echo "VSCode extension compilation passed!"
+            fi
+
+            cd ../../..
+        fi
+    fi
+else
+    echo "Skipping VSCode extension checks (no VSCode extension changes detected)."
+fi
 
 # If no specific code changes detected, run basic checks
 if [ "$has_frontend_changes" = false ] && [ "$has_backend_changes" = false ]; then

CNAME

@@ -1 +0,0 @@
-docs.all-hands.dev

CODE_OF_CONDUCT.md

@@ -61,7 +61,7 @@ representative at an online or offline event.
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-contact@openhands.dev.
+contact@all-hands.dev.
 All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the
@@ -115,9 +115,7 @@ community.
 
 ### Slack Etiquettes
 
-These Slack etiquette guidelines are designed to foster an inclusive, respectful, and productive environment for all
-community members. By following these best practices, we ensure effective communication and collaboration while
-minimizing disruptions. Let’s work together to build a supportive and welcoming community!
+These Slack etiquette guidelines are designed to foster an inclusive, respectful, and productive environment for all community members. By following these best practices, we ensure effective communication and collaboration while minimizing disruptions. Let’s work together to build a supportive and welcoming community!
 
 - Communicate respectfully and professionally, avoiding sarcasm or harsh language, and remember that tone can be difficult to interpret in text.
 - Use threads for specific discussions to keep channels organized and easier to follow.
@@ -127,10 +125,7 @@ minimizing disruptions. Let’s work together to build a supportive and welcomin
 - When asking for help or raising issues, include necessary details like links, screenshots, or clear explanations to provide context.
 - Keep discussions in public channels whenever possible to allow others to benefit from the conversation, unless the matter is sensitive or private.
 - Always adhere to [our standards](https://github.com/OpenHands/OpenHands/blob/main/CODE_OF_CONDUCT.md#our-standards) to ensure a welcoming and collaborative environment.
-- If you choose to mute a channel, consider setting up alerts for topics that still interest you to stay engaged.
-   For Slack, Go to Settings → Notifications → My Keywords to add specific keywords that will notify you when mentioned.
-   For example, if you're here for discussions about LLMs, mute the channel if it’s too busy, but set notifications to
-   alert you only when “LLMs” appears in messages.
+- If you choose to mute a channel, consider setting up alerts for topics that still interest you to stay engaged. For Slack, Go to Settings → Notifications → My Keywords to add specific keywords that will notify you when mentioned. For example, if you're here for discussions about LLMs, mute the channel if it’s too busy, but set notifications to alert you only when “LLMs” appears in messages.
 
 ## Attribution
 

COMMUNITY.md

@@ -1,58 +1,43 @@
-# The OpenHands Community
+# 🙌 The OpenHands Community
 
-OpenHands is a community of engineers, academics, and enthusiasts reimagining software development for an AI-powered
-world.
+The OpenHands community is built around the belief that (1) AI and AI agents are going to fundamentally change the way
+we build software, and (2) if this is true, we should do everything we can to make sure that the benefits provided by
+such powerful technology are accessible to everyone.
 
-## Mission
+If this resonates with you, we'd love to have you join us in our quest!
 
-It’s very clear that AI is changing software development. We want the developer community to drive that change
-organically, through open source.
+## 🤝 How to Join
 
-So we’re not just building friendly interfaces for AI-driven development. We’re publishing _building blocks_ that
-empower developers to create new experiences, tailored to your own habits, needs, and imagination.
+Check out our [How to Join the Community section.](https://github.com/OpenHands/OpenHands?tab=readme-ov-file#-how-to-join-the-community)
 
-## Ethos
+## 💪 Becoming a Contributor
 
-We have two core values: **high openness** and **high agency**. While we don’t expect everyone in the community to
-embody these values, we want to establish them as norms.
+We welcome contributions from everyone! Whether you're a developer, a researcher, or simply enthusiastic about advancing
+the field of software engineering with AI, there are many ways to get involved:
 
-### High Openness
+- **Code Contributions:** Help us develop new core functionality, improve our agents, improve the frontend and other
+interfaces, or anything else that would help make OpenHands better.
+- **Research and Evaluation:** Contribute to our understanding of LLMs in software engineering, participate in
+evaluating the models, or suggest improvements.
+- **Feedback and Testing:** Use the OpenHands toolset, report bugs, suggest features, or provide feedback on usability.
 
-We welcome anyone and everyone into our community by default. You don’t have to be a software developer to help us
-build. You don’t have to be pro-AI to help us learn.
+For details, please check [CONTRIBUTING.md](./CONTRIBUTING.md).
 
-Our plans, our work, our successes, and our failures are all public record. We want the world to see not just the
-fruits of our work, but the whole process of growing it.
+## Code of Conduct
 
-We welcome thoughtful criticism, whether it’s a comment on a PR or feedback on the community as a whole.
+We have a [Code of Conduct](./CODE_OF_CONDUCT.md) that we expect all contributors to adhere to.
+Long story short, we are aiming for an open, welcoming, diverse, inclusive, and healthy community.
+All contributors are expected to contribute to building this sort of community.
 
-### High Agency
+## 🛠️ Becoming a Maintainer
 
-Everyone should feel empowered to contribute to OpenHands. Whether it’s by making a PR, hosting an event, sharing
-feedback, or just asking a question, don’t hold back!
+For contributors who have made significant and sustained contributions to the project, there is a possibility of joining
+the maintainer team. The process for this is as follows:
 
-OpenHands gives everyone the building blocks to create state-of-the-art developer experiences. We experiment constantly
-and love building new things.
+1. Any contributor who has made sustained and high-quality contributions to the codebase can be nominated by any
+maintainer. If you feel that you may qualify you can reach out to any of the maintainers that have reviewed your PRs and ask if you can be nominated.
+2. Once a maintainer nominates a new maintainer, there will be a discussion period among the maintainers for at least 3 days.
+3. If no concerns are raised the nomination will be accepted by acclamation, and if concerns are raised there will be a discussion and possible vote.
 
-Coding, development practices, and communities are changing rapidly. We won’t hesitate to change direction and make big bets.
-
-## Relationship to All Hands
-
-OpenHands is supported by the for-profit organization [All Hands AI, Inc](https://www.openhands.dev/).
-
-All Hands was founded by three of the first major contributors to OpenHands:
-
-- Xingyao Wang, a UIUC PhD candidate who got OpenHands to the top of the SWE-bench leaderboards
-- Graham Neubig, a CMU Professor who rallied the academic community around OpenHands
-- Robert Brennan, a software engineer who architected the user-facing features of OpenHands
-
-All Hands is an important part of the OpenHands ecosystem. We’ve raised over $20M--mainly to hire developers and
-researchers who can work on OpenHands full-time, and to provide them with expensive infrastructure. ([Join us!](https://allhandsai.applytojob.com/apply/))
-
-But we see OpenHands as much larger, and ultimately more important, than All Hands. When our financial responsibility
-to investors is at odds with our social responsibility to the community—as it inevitably will be, from time to time—we
-promise to navigate that conflict thoughtfully and transparently.
-
-At some point, we may transfer custody of OpenHands to an open source foundation. But for now,
-the [Benevolent Dictator approach](http://www.catb.org/~esr/writings/cathedral-bazaar/homesteading/ar01s16.html) helps us move forward with speed and intention. If we ever forget the
-“benevolent” part, please: fork us.
+Note that just making many PRs does not immediately imply that you will become a maintainer. We will be looking
+at sustained high-quality contributions over a period of time, as well as good teamwork and adherence to our [Code of Conduct](./CODE_OF_CONDUCT.md).

CONTRIBUTING.md

@@ -1,102 +1,71 @@
 # Contributing
 
-Thanks for your interest in contributing to OpenHands! We're building the future of AI-powered software development, and we'd love for you to be part of this journey.
+Thanks for your interest in contributing to OpenHands! We welcome and appreciate contributions.
 
-## Our Vision
+## Understanding OpenHands's CodeBase
 
-The OpenHands community is built around the belief that AI and AI agents are going to fundamentally change the way we build software. If this is true, we should do everything we can to make sure that the benefits provided by such powerful technology are accessible to everyone.
+To understand the codebase, please refer to the README in each module:
+- [frontend](./frontend/README.md)
+- [evaluation](./evaluation/README.md)
+- [openhands](./openhands/README.md)
+   - [agenthub](./openhands/agenthub/README.md)
+   - [server](./openhands/server/README.md)
 
-We believe in the power of open source to democratize access to cutting-edge AI technology. Just as the internet transformed how we share information, we envision a world where AI-powered development tools are available to every developer, regardless of their background or resources.
+## Setting up Your Development Environment
 
-## Getting Started
+We have a separate doc [Development.md](https://github.com/OpenHands/OpenHands/blob/main/Development.md) that tells you how to set up a development workflow.
 
-### Quick Ways to Contribute
+## How Can I Contribute?
 
-- **Use OpenHands** and [report issues](https://github.com/OpenHands/OpenHands/issues) you encounter
-- **Give feedback** using the thumbs-up/thumbs-down buttons after each session
-- **Star our repository** on [GitHub](https://github.com/OpenHands/OpenHands)
-- **Share OpenHands** with other developers
+There are many ways that you can contribute:
 
-### Set Up Your Development Environment
+1. **Download and use** OpenHands, and send [issues](https://github.com/OpenHands/OpenHands/issues) when you encounter something that isn't working or a feature that you'd like to see.
+2. **Send feedback** after each session by [clicking the thumbs-up thumbs-down buttons](https://docs.all-hands.dev/usage/feedback), so we can see where things are working and failing, and also build an open dataset for training code agents.
+3. **Improve the Codebase** by sending [PRs](#sending-pull-requests-to-openhands) (see details below). In particular, we have some [good first issues](https://github.com/OpenHands/OpenHands/labels/good%20first%20issue) that may be ones to start on.
 
-- **Requirements**: Linux/Mac/WSL, Docker, Python 3.12, Node.js 22+, Poetry 1.8+
-- **Quick setup**: `make build`
-- **Run locally**: `make run`
-- **LLM setup (V1 web app)**: configure your model and API key in the Settings UI after the app starts
+## What Can I Build?
+Here are a few ways you can help improve the codebase.
 
-Full details in our [Development Guide](./Development.md).
+#### UI/UX
+We're always looking to improve the look and feel of the application. If you've got a small fix
+for something that's bugging you, feel free to open up a PR that changes the [`./frontend`](./frontend) directory.
 
-### Find Your First Issue
+If you're looking to make a bigger change, add a new UI element, or significantly alter the style
+of the application, please open an issue first, or better, join the #eng-ui-ux channel in our Slack
+to gather consensus from our design team first.
 
-- Browse [good first issues](https://github.com/OpenHands/OpenHands/labels/good%20first%20issue)
-- Check our [project boards](https://github.com/OpenHands/OpenHands/projects) for organized tasks
-- Join our [Slack community](https://openhands.dev/joinslack) to ask what needs help
+#### Improving the agent
+Our main agent is the CodeAct agent. You can [see its prompts here](https://github.com/OpenHands/OpenHands/tree/main/openhands/agenthub/codeact_agent).
 
-## Understanding the Codebase
+Changes to these prompts, and to the underlying behavior in Python, can have a huge impact on user experience.
+You can try modifying the prompts to see how they change the behavior of the agent as you use the app
+locally, but we will need to do an end-to-end evaluation of any changes here to ensure that the agent
+is getting better over time.
 
-- **[Frontend](./frontend/README.md)** - React application
-- **[App Server (V1)](./openhands/app_server/README.md)** - Current FastAPI application server and REST API modules
-- **[Evaluation](https://github.com/OpenHands/benchmarks)** - Testing and benchmarks
+We use the [SWE-bench](https://www.swebench.com/) benchmark to test our agent. You can join the #evaluation
+channel in Slack to learn more.
 
-## What Can You Build?
+#### Adding a new agent
+You may want to experiment with building new types of agents. You can add an agent to [`openhands/agenthub`](./openhands/agenthub)
+to help expand the capabilities of OpenHands.
 
-### Frontend & UI/UX
-- React & TypeScript development
-- UI/UX improvements
-- Mobile responsiveness
-- Component libraries
+#### Adding a new runtime
+The agent needs a place to run code and commands. When you run OpenHands on your laptop, it uses a Docker container
+to do this by default. But there are other ways of creating a sandbox for the agent.
 
-For bigger changes, join the #proj-gui channel in [Slack](https://openhands.dev/joinslack) first.
+If you work for a company that provides a cloud-based runtime, you could help us add support for that runtime
+by implementing the [interface specified here](https://github.com/OpenHands/OpenHands/blob/main/openhands/runtime/base.py).
 
-### Agent Development
-- Prompt engineering
-- New agent types
-- Agent evaluation
-- Multi-agent systems
-
-We use [SWE-bench](https://www.swebench.com/) to evaluate agents.
-
-### Backend & Infrastructure
-- Python development
-- Runtime systems (Docker containers, sandboxes)
-- Cloud integrations
-- Performance optimization
-
-### Testing & Quality Assurance
-- Unit testing
-- Integration testing
-- Bug hunting
-- Performance testing
-
-### Documentation & Education
-- Technical documentation
-- Translation
-- Community support
-
-## Pull Request Process
-
-### Small Improvements
-- Quick review and approval
-- Ensure CI tests pass
-- Include clear description of changes
-
-### Core Agent Changes
-These are evaluated based on:
-- **Accuracy** - Does it make the agent better at solving problems?
-- **Efficiency** - Does it improve speed or reduce resource usage?
-- **Code Quality** - Is the code maintainable and well-tested?
-
-Discuss major changes in [GitHub issues](https://github.com/OpenHands/OpenHands/issues) or [Slack](https://openhands.dev/joinslack) first.
+#### Testing
+When you write code, it is also good to write tests. Please navigate to the [`./tests`](./tests) folder to see existing test suites.
+At the moment, we have two kinds of tests: [`unit`](./tests/unit) and [`integration`](./evaluation/integration_tests). Please refer to the README for each test suite. These tests also run on GitHub's continuous integration to ensure quality of the project.
 
 ## Sending Pull Requests to OpenHands
 
 You'll need to fork our repository to send us a Pull Request. You can learn more
 about how to fork a GitHub repo and open a PR with your changes in [this article](https://medium.com/swlh/forks-and-pull-requests-how-to-contribute-to-github-repos-8843fac34ce8).
 
-You may also check out previous PRs in the [PR list](https://github.com/OpenHands/OpenHands/pulls).
-
-### Pull Request Title Format
-
+### Pull Request title
 As described [here](https://github.com/commitizen/conventional-commit-types/blob/master/index.json), a valid PR title should begin with one of the following prefixes:
 
 - `feat`: A new feature
@@ -115,27 +84,40 @@ For example, a PR title could be:
 - `refactor: modify package path`
 - `feat(frontend): xxxx`, where `(frontend)` means that this PR mainly focuses on the frontend component.
 
-### Pull Request Description
+You may also check out previous PRs in the [PR list](https://github.com/OpenHands/OpenHands/pulls).
 
-- Explain what the PR does and why
-- Link to related issues
-- Include screenshots for UI changes
-- If your changes are user-facing (e.g. a new feature in the UI, a change in behavior, or a bugfix),
-  please include a short message that we can add to our changelog
+### Pull Request description
+- If your PR is small (such as a typo fix), you can go brief.
+- If it contains a lot of changes, it's better to write more details.
 
-## Becoming a Maintainer
+If your changes are user-facing (e.g. a new feature in the UI, a change in behavior, or a bugfix)
+please include a short message that we can add to our changelog.
 
-For contributors who have made significant and sustained contributions to the project, there is a possibility of joining the maintainer team.
-The process for this is as follows:
+## How to Make Effective Contributions
 
-1. Any contributor who has made sustained and high-quality contributions to the codebase can be nominated by any maintainer. If you feel that you may qualify you can reach out to any of the maintainers that have reviewed your PRs and ask if you can be nominated.
-2. Once a maintainer nominates a new maintainer, there will be a discussion period among the maintainers for at least 3 days.
-3. If no concerns are raised the nomination will be accepted by acclamation, and if concerns are raised there will be a discussion and possible vote.
+### Opening Issues
 
-Note that just making many PRs does not immediately imply that you will become a maintainer. We will be looking at sustained high-quality contributions over a period of time, as well as good teamwork and adherence to our [Code of Conduct](./CODE_OF_CONDUCT.md).
+If you notice any bugs or have any feature requests please open them via the [issues page](https://github.com/OpenHands/OpenHands/issues). We will triage based on how critical the bug is or how potentially useful the improvement is, discuss, and implement the ones that the community has interest/effort for.
 
-## Need Help?
+Further, if you see an issue you like, please leave a "thumbs-up" or a comment, which will help us prioritize.
 
-- **Slack**: [Join our community](https://openhands.dev/joinslack)
-- **GitHub Issues**: [Open an issue](https://github.com/OpenHands/OpenHands/issues)
-- **Email**: contact@openhands.dev
+### Making Pull Requests
+
+We're generally happy to consider all pull requests with the evaluation process varying based on the type of change:
+
+#### For Small Improvements
+
+Small improvements with few downsides are typically reviewed and approved quickly.
+One thing to check when making changes is to ensure that all continuous integration tests pass, which you can check before getting a review.
+
+#### For Core Agent Changes
+
+We need to be more careful with changes to the core agent, as it is imperative to maintain high quality. These PRs are evaluated based on three key metrics:
+
+1. **Accuracy**
+2. **Efficiency**
+3. **Code Complexity**
+
+If it improves accuracy, efficiency, or both with only a minimal change to code quality, that's great we're happy to merge it in!
+If there are bigger tradeoffs (e.g. helping efficiency a lot and hurting accuracy a little) we might want to put it behind a feature flag.
+Either way, please feel free to discuss on github issues or slack, and we will give guidance and preliminary feedback.

CREDITS.md

@@ -2,13 +2,11 @@
 
 ## Contributors
 
-We would like to thank all the [contributors](https://github.com/OpenHands/OpenHands/graphs/contributors) who have
-helped make OpenHands possible. We greatly appreciate your dedication and hard work.
+We would like to thank all the [contributors](https://github.com/OpenHands/OpenHands/graphs/contributors) who have helped make OpenHands possible. We greatly appreciate your dedication and hard work.
 
 ## Open Source Projects
 
-OpenHands includes and adapts the following open source projects. We are grateful for their contributions to the
-open source community:
+OpenHands includes and adapts the following open source projects. We are grateful for their contributions to the open source community:
 
 #### [SWE Agent](https://github.com/princeton-nlp/swe-agent)
    - License: MIT License
@@ -16,14 +14,14 @@ open source community:
 
 #### [Aider](https://github.com/paul-gauthier/aider)
    - License: Apache License 2.0
-   - Description: AI pair programming tool. OpenHands has adapted and integrated its linter module for code-related tasks.
+   - Description: AI pair programming tool. OpenHands has adapted and integrated its linter module for code-related tasks in [`agentskills utilities`](https://github.com/OpenHands/OpenHands/tree/main/openhands/runtime/plugins/agent_skills/utils/aider)
 
 #### [BrowserGym](https://github.com/ServiceNow/BrowserGym)
    - License: Apache License 2.0
    - Description: Adapted in implementing the browsing agent
 
-### Reference Implementations for Evaluation Benchmarks
 
+### Reference Implementations for Evaluation Benchmarks
 OpenHands integrates code of the reference implementations for the following agent evaluation benchmarks:
 
 #### [HumanEval](https://github.com/openai/human-eval)
@@ -54,44 +52,28 @@ OpenHands integrates code of the reference implementations for the following age
 #### [ProntoQA](https://github.com/asaparov/prontoqa)
    - License: Apache License 2.0
 
+
 ## Open Source licenses
 
 ### MIT License
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
-documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
-persons to whom the Software is furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
-Software.
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
-THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
-OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 ### BSD 3-Clause License
 
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-following conditions are met:
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 
-1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-   disclaimer.
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
 
-2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
-   disclaimer in the documentation and/or other materials provided with the distribution.
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
 
-3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote
-   products derived from this software without specific prior written permission.
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
 
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ### Apache License 2.0
 
@@ -286,6 +268,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
    Copyright [yyyy] [name of copyright owner]
 
+
+
 ### Non-Open Source Reference Implementations:
 
 #### [MultiPL-E](https://github.com/nuprl/MultiPL-E)

Development.md

@@ -6,196 +6,22 @@ If you wish to contribute your changes, check out the
 on how to clone and setup the project initially before moving on. Otherwise,
 you can clone the OpenHands project directly.
 
-## Choose Your Setup
+## Start the Server for Development
 
-Select your operating system to see the specific setup instructions:
+### 1. Requirements
 
-- [macOS](#macos-setup)
-- [Linux](#linux-setup)
-- [Windows WSL](#windows-wsl-setup)
-- [Dev Container](#dev-container)
-- [Developing in Docker](#developing-in-docker)
-- [No sudo access?](#develop-without-sudo-access)
+- Linux, Mac OS, or [WSL on Windows](https://learn.microsoft.com/en-us/windows/wsl/install) [Ubuntu >= 22.04]
+- [Docker](https://docs.docker.com/engine/install/) (For those on MacOS, make sure to allow the default Docker socket to be used from advanced settings!)
+- [Python](https://www.python.org/downloads/) = 3.12
+- [NodeJS](https://nodejs.org/en/download/package-manager) >= 22.x
+- [Poetry](https://python-poetry.org/docs/#installing-with-the-official-installer) >= 1.8
+- OS-specific dependencies:
+  - Ubuntu: build-essential => `sudo apt-get install build-essential python3.12-dev`
+  - WSL: netcat => `sudo apt-get install netcat`
 
----
+Make sure you have all these dependencies installed before moving on to `make build`.
 
-## macOS Setup
-
-### 1. Install Prerequisites
-
-You'll need the following installed:
-
-- **Python 3.12** — `brew install python@3.12` (see the [official Homebrew Python docs](https://docs.brew.sh/Homebrew-and-Python) for details). Make sure `python3.12` is available in your PATH (the `make build` step will verify this).
-- **Node.js >= 22** — `brew install node`
-- **Poetry >= 1.8** — `brew install poetry`
-- **Docker Desktop** — `brew install --cask docker`
-  - After installing, open Docker Desktop → **Settings → Advanced** → Enable **"Allow the default Docker socket to be used"**
-
-### 2. Build and Setup the Environment
-
-```bash
-make build
-```
-
-### 3. Configure the Language Model
-
-OpenHands supports a diverse array of Language Models (LMs) through the powerful [litellm](https://docs.litellm.ai) library.
-
-For the V1 web app, start OpenHands and configure your model and API key in the Settings UI.
-
-If you are running headless or CLI workflows, you can prepare local defaults with:
-
-```bash
-make setup-config
-```
-
-**Note on Alternative Models:**
-See [our documentation](https://docs.openhands.dev/usage/llms) for recommended models.
-
-### 4. Run the Application
-
-```bash
-# Run both backend and frontend
-make run
-
-# Or run separately:
-make start-backend  # Backend only on port 3000
-make start-frontend # Frontend only on port 3001
-```
-
-These targets serve the current OpenHands V1 API by default. In the codebase, `make start-backend` runs `openhands.server.listen:app`, and that app includes the `openhands/app_server` V1 routes unless `ENABLE_V1=0`.
-
----
-
-## Linux Setup
-
-This guide covers Ubuntu/Debian. For other distributions, adapt the package manager commands accordingly.
-
-### 1. Install Prerequisites
-
-```bash
-# Update package list
-sudo apt update
-
-# Install system dependencies
-sudo apt install -y build-essential curl netcat software-properties-common
-
-# Install Python 3.12
-# Ubuntu 24.04+ and Debian 13+ ship with Python 3.12 — skip the PPA step if
-# python3.12 --version already works on your system.
-# The deadsnakes PPA is Ubuntu-only and needed for Ubuntu 22.04 or older:
-sudo add-apt-repository -y ppa:deadsnakes/ppa
-sudo apt update
-sudo apt install -y python3.12 python3.12-dev python3.12-venv
-
-# Install Node.js 22.x
-curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
-sudo apt install -y nodejs
-
-# Install Poetry
-curl -sSL https://install.python-poetry.org | python3 -
-
-# Add Poetry to your PATH
-echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
-source ~/.bashrc
-
-# Install Docker
-# Follow the official guide: https://docs.docker.com/engine/install/ubuntu/
-# Quick version:
-sudo install -m 0755 -d /etc/apt/keyrings
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
-sudo chmod a+r /etc/apt/keyrings/docker.asc
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-sudo apt update
-sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-sudo usermod -aG docker $USER
-# Log out and back in for Docker group changes to take effect
-```
-
-### 2. Build and Setup the Environment
-
-```bash
-make build
-```
-
-### 3. Configure the Language Model
-
-See the [macOS section above](#3-configure-the-language-model) for guidance: configure your model and API key in the Settings UI.
-
-### 4. Run the Application
-
-```bash
-# Run both backend and frontend
-make run
-
-# Or run separately:
-make start-backend  # Backend only on port 3000
-make start-frontend # Frontend only on port 3001
-```
-
----
-
-## Windows WSL Setup
-
-WSL2 with Ubuntu is recommended. The setup is similar to Linux, with a few WSL-specific considerations.
-
-### 1. Install WSL2
-
-**Option A: Windows 11 (Microsoft Store)**
-The easiest way on Windows 11:
-1. Open the **Microsoft Store** app
-2. Search for **"Ubuntu 22.04 LTS"** or **"Ubuntu"**
-3. Click **Install**
-4. Launch Ubuntu from the Start menu
-
-**Option B: PowerShell**
-```powershell
-# Run this in PowerShell as Administrator
-wsl --install -d Ubuntu-22.04
-```
-
-After installation, restart your computer and open Ubuntu.
-
-### 2. Install Prerequisites (in WSL Ubuntu)
-
-Follow [Step 1 from the Linux setup](#1-install-prerequisites-1) to install system dependencies, Python 3.12, Node.js, and Poetry. Skip the Docker installation — Docker is provided through Docker Desktop below.
-
-### 3. Configure Docker for WSL2
-
-1. Install [Docker Desktop for Windows](https://www.docker.com/products/docker-desktop)
-2. Open Docker Desktop > Settings > General
-3. Enable: "Use the WSL 2 based engine"
-4. Go to Settings > Resources > WSL Integration
-5. Enable integration with your Ubuntu distribution
-
-**Important:** Keep your project files in the WSL filesystem (e.g., `~/workspace/openhands`), not in `/mnt/c`. Files accessed via `/mnt/c` will be significantly slower.
-
-### 4. Build and Setup the Environment
-
-```bash
-make build
-```
-
-### 5. Configure the Language Model
-
-See the [macOS section above](#3-configure-the-language-model) for the current V1 guidance: configure your model and API key in the Settings UI for the web app, and use `make setup-config` only for headless or CLI workflows.
-
-### 6. Run the Application
-
-```bash
-# Run both backend and frontend
-make run
-
-# Or run separately:
-make start-backend  # Backend only on port 3000
-make start-frontend # Frontend only on port 3001
-```
-
-Access the frontend at `http://localhost:3001` from your Windows browser.
-
----
-
-## Dev Container
+#### Dev container
 
 There is a [dev container](https://containers.dev/) available which provides a
 pre-configured environment with all the necessary dependencies installed if you
@@ -206,38 +32,7 @@ extension installed, you can open the project in a dev container by using the
 _Dev Container: Reopen in Container_ command from the Command Palette
 (Ctrl+Shift+P).
 
----
-
-## Developing in Docker
-
-If you don't want to install dependencies on your host machine, you can develop inside a Docker container.
-
-### Quick Start
-
-```bash
-make docker-dev
-```
-
-For more details, see the [dev container documentation](./containers/dev/README.md).
-
-### Alternative: Docker Run
-
-If you just want to run OpenHands without setting up a dev environment:
-
-```bash
-make docker-run
-```
-
-If you don't have `make` installed, run:
-
-```bash
-cd ./containers/dev
-./dev.sh
-```
-
----
-
-## Develop without sudo access
+#### Develop without sudo access
 
 If you want to develop without system admin/sudo access to upgrade/install `Python` and/or `NodeJS`, you can use
 `conda` or `mamba` to manage the packages for you:
@@ -253,79 +48,157 @@ mamba install conda-forge::nodejs
 mamba install conda-forge::poetry
 ```
 
----
+### 2. Build and Setup The Environment
 
-## Running OpenHands with OpenHands
-
-You can use OpenHands to develop and improve OpenHands itself!
-
-### Quick Start
+Begin by building the project which includes setting up the environment and installing dependencies. This step ensures
+that OpenHands is ready to run on your system:
 
 ```bash
-export INSTALL_DOCKER=0
-export RUNTIME=local
-make build && make run
+make build
 ```
 
-Access the interface at:
-- Local development: http://localhost:3001
-- Remote/cloud environments: Use the appropriate external URL
+### 3. Configuring the Language Model
 
-For external access:
-```bash
-make run FRONTEND_PORT=12000 FRONTEND_HOST=0.0.0.0 BACKEND_HOST=0.0.0.0
-```
+OpenHands supports a diverse array of Language Models (LMs) through the powerful [litellm](https://docs.litellm.ai) library.
 
----
-
-## LLM Debugging
-
-If you encounter issues with the Language Model, enable debug logging:
+To configure the LM of your choice, run:
 
 ```bash
-export DEBUG=1
-# Restart the backend
-make start-backend
+make setup-config
 ```
 
-Logs will be saved to `logs/llm/CURRENT_DATE/` for troubleshooting.
+This command will prompt you to enter the LLM API key, model name, and other variables ensuring that OpenHands is
+tailored to your specific needs. Note that the model name will apply only when you run headless. If you use the UI,
+please set the model in the UI.
 
----
+Note: If you have previously run OpenHands using the docker command, you may have already set some environment
+variables in your terminal. The final configurations are set from highest to lowest priority:
+Environment variables > config.toml variables > default variables
 
-## Testing
+**Note on Alternative Models:**
+See [our documentation](https://docs.all-hands.dev/usage/llms) for recommended models.
 
-### Unit Tests
+### 4. Running the application
+
+#### Option A: Run the Full Application
+
+Once the setup is complete, this command starts both the backend and frontend servers, allowing you to interact with OpenHands:
 
 ```bash
-poetry run pytest ./tests/unit/test_*.py
+make run
 ```
 
----
+#### Option B: Individual Server Startup
 
-## Adding Dependencies
+- **Start the Backend Server:** If you prefer, you can start the backend server independently to focus on
+backend-related tasks or configurations.
 
-1. Add your dependency in `pyproject.toml` or use `poetry add xxx`
-2. Update the lock file: `poetry lock --no-update`
+  ```bash
+  make start-backend
+  ```
 
----
+- **Start the Frontend Server:** Similarly, you can start the frontend server on its own to work on frontend-related
+components or interface enhancements.
+  ```bash
+  make start-frontend
+  ```
 
-## Help
+### 5. Running OpenHands with OpenHands
+
+You can use OpenHands to develop and improve OpenHands itself! This is a powerful way to leverage AI assistance for contributing to the project.
+
+#### Quick Start
+
+1. **Build and run OpenHands:**
+   ```bash
+   export INSTALL_DOCKER=0
+   export RUNTIME=local
+   make build && make run
+   ```
+
+2. **Access the interface:**
+   - Local development: http://localhost:3001
+   - Remote/cloud environments: Use the appropriate external URL
+
+3. **Configure for external access (if needed):**
+   ```bash
+   # For external access (e.g., cloud environments)
+   make run FRONTEND_PORT=12000 FRONTEND_HOST=0.0.0.0 BACKEND_HOST=0.0.0.0
+   ```
+
+### 6. LLM Debugging
+
+If you encounter any issues with the Language Model (LM) or you're simply curious, export DEBUG=1 in the environment and restart the backend.
+OpenHands will log the prompts and responses in the logs/llm/CURRENT_DATE directory, allowing you to identify the causes.
+
+### 7. Help
+
+Need help or info on available targets and commands? Use the help command for all the guidance you need with OpenHands.
 
 ```bash
 make help
 ```
 
----
+### 8. Testing
+
+To run tests, refer to the following:
+
+#### Unit tests
+
+```bash
+poetry run pytest ./tests/unit/test_*.py
+```
+
+### 9. Add or update dependency
+
+1. Add your dependency in `pyproject.toml` or use `poetry add xxx`.
+2. Update the poetry.lock file via `poetry lock --no-update`.
+
+### 10. Use existing Docker image
+
+To reduce build time (e.g., if no changes were made to the client-runtime component), you can use an existing Docker
+container image by setting the SANDBOX_RUNTIME_CONTAINER_IMAGE environment variable to the desired Docker image.
+
+Example: `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:0.60-nikolaik`
+
+## Develop inside Docker container
+
+TL;DR
+
+```bash
+make docker-dev
+```
+
+See more details [here](./containers/dev/README.md).
+
+If you are just interested in running `OpenHands` without installing all the required tools on your host.
+
+```bash
+make docker-run
+```
+
+If you do not have `make` on your host, run:
+
+```bash
+cd ./containers/dev
+./dev.sh
+```
+
+You do need [Docker](https://docs.docker.com/engine/install/) installed on your host though.
 
 ## Key Documentation Resources
 
+Here's a guide to the important documentation files in the repository:
+
 - [/README.md](./README.md): Main project overview, features, and basic setup instructions
 - [/Development.md](./Development.md) (this file): Comprehensive guide for developers working on OpenHands
 - [/CONTRIBUTING.md](./CONTRIBUTING.md): Guidelines for contributing to the project, including code style and PR process
-- [DOC_STYLE_GUIDE.md](https://github.com/OpenHands/docs/blob/main/openhands/DOC_STYLE_GUIDE.md): Standards for writing and maintaining project documentation
-- [/openhands/app_server/README.md](./openhands/app_server/README.md): Current V1 application server implementation and REST API modules
+- [DOC_STYLE_GUIDE.md](https://github.com/All-Hands-AI/docs/blob/main/openhands/DOC_STYLE_GUIDE.md): Standards for writing and maintaining project documentation
+- [/openhands/README.md](./openhands/README.md): Details about the backend Python implementation
 - [/frontend/README.md](./frontend/README.md): Frontend React application setup and development guide
 - [/containers/README.md](./containers/README.md): Information about Docker containers and deployment
 - [/tests/unit/README.md](./tests/unit/README.md): Guide to writing and running unit tests
-- [OpenHands/benchmarks](https://github.com/OpenHands/benchmarks): Documentation for the evaluation framework and benchmarks
-- [/skills/README.md](./skills/README.md): Information about the skills architecture and implementation
+- [/evaluation/README.md](./evaluation/README.md): Documentation for the evaluation framework and benchmarks
+- [/microagents/README.md](./microagents/README.md): Information about the microagents architecture and implementation
+- [/openhands/server/README.md](./openhands/server/README.md): Server implementation details and API documentation
+- [/openhands/runtime/README.md](./openhands/runtime/README.md): Documentation for the runtime environment and execution model

ISSUE_TRIAGE.md

@@ -3,14 +3,14 @@ These are the procedures and guidelines on how issues are triaged in this repo b
 
 ## General
 * All issues must be tagged with **enhancement**, **bug** or **troubleshooting/help**.
-* Issues may be tagged with what it relates to (**llm**, **app tab**, **UI/UX**, etc.).
+* Issues may be tagged with what it relates to (**agent quality**, **resolver**, **CLI**, etc.).
 
 ## Severity
 * **High**: High visibility issues or affecting many users.
 * **Critical**: Affecting all users or potential security issues.
 
 ## Difficulty
-* Issues good for newcomers may be tagged with **good first issue**.
+* Issues with low implementation difficulty may be tagged with **good first issue**.
 
 ## Not Enough Information
 * User is asked to provide more information (logs, how to reproduce, etc.) when the issue is not clear.
@@ -22,6 +22,6 @@ the issue may be closed as **not planned** (Usually after a week).
 * Issues may be broken down into multiple issues if required.
 
 ## Stale and Auto Closures
-* In order to keep a maintainable backlog, issues that have no activity within 40 days are automatically marked as **Stale**.
-* If issues marked as **Stale** continue to have no activity for 10 more days, they will automatically be closed as not planned.
+* In order to keep a maintainable backlog, issues that have no activity within 30 days are automatically marked as **Stale**.
+* If issues marked as **Stale** continue to have no activity for 7 more days, they will automatically be closed as not planned.
 * Issues may be reopened by maintainers if deemed important.

Makefile

@@ -11,15 +11,7 @@ DEFAULT_WORKSPACE_DIR = "./workspace"
 DEFAULT_MODEL = "gpt-4o"
 CONFIG_FILE = config.toml
 PRE_COMMIT_CONFIG_PATH = "./dev_config/python/.pre-commit-config.yaml"
-PYTHON_MIN_VERSION = 3.12
-PYTHON_MAX_VERSION = 3.14
-PYTHON_CANDIDATES ?= python3.13 python3.12 python3
-PYTHON ?= $(shell for cmd in $(PYTHON_CANDIDATES); do \
-	if command -v $$cmd > /dev/null 2>&1 && $$cmd -c 'import sys; raise SystemExit(0 if ((3, 12) <= sys.version_info[:2] < (3, 14)) else 1)' > /dev/null 2>&1; then \
-		echo $$cmd; \
-		exit 0; \
-	fi; \
- done)
+PYTHON_VERSION = 3.12
 KIND_CLUSTER_NAME = "local-hands"
 
 # ANSI color codes
@@ -71,10 +63,10 @@ check-system:
 
 check-python:
 	@echo "$(YELLOW)Checking Python installation...$(RESET)"
-	@if [ -n "$(PYTHON)" ]; then \
-		echo "$(BLUE)$$($(PYTHON) --version) is already installed (using $(PYTHON)).$(RESET)"; \
+	@if command -v python$(PYTHON_VERSION) > /dev/null; then \
+		echo "$(BLUE)$(shell python$(PYTHON_VERSION) --version) is already installed.$(RESET)"; \
 	else \
-		echo "$(RED)A compatible Python interpreter (>= $(PYTHON_MIN_VERSION), < $(PYTHON_MAX_VERSION)) is required. Please install Python 3.12 or 3.13 to continue.$(RESET)"; \
+		echo "$(RED)Python $(PYTHON_VERSION) is not installed. Please install Python $(PYTHON_VERSION) to continue.$(RESET)"; \
 		exit 1; \
 	fi
 
@@ -126,34 +118,31 @@ check-tmux:
 
 check-poetry:
 	@echo "$(YELLOW)Checking Poetry installation...$(RESET)"
-	@if [ -z "$(PYTHON)" ]; then \
-		echo "$(RED)A compatible Python interpreter (>= $(PYTHON_MIN_VERSION), < $(PYTHON_MAX_VERSION)) is required. Please install Python 3.12 or 3.13 to continue.$(RESET)"; \
-		exit 1; \
-	elif command -v poetry > /dev/null; then \
+	@if command -v poetry > /dev/null; then \
 		POETRY_VERSION=$(shell poetry --version 2>&1 | sed -E 's/Poetry \(version ([0-9]+\.[0-9]+\.[0-9]+)\)/\1/'); \
 		IFS='.' read -r -a POETRY_VERSION_ARRAY <<< "$$POETRY_VERSION"; \
 		if [ $${POETRY_VERSION_ARRAY[0]} -gt 1 ] || ([ $${POETRY_VERSION_ARRAY[0]} -eq 1 ] && [ $${POETRY_VERSION_ARRAY[1]} -ge 8 ]); then \
 			echo "$(BLUE)$(shell poetry --version) is already installed.$(RESET)"; \
 		else \
 			echo "$(RED)Poetry 1.8 or later is required. You can install poetry by running the following command, then adding Poetry to your PATH:"; \
-			echo "$(RED) curl -sSL https://install.python-poetry.org | $(PYTHON) -$(RESET)"; \
+			echo "$(RED) curl -sSL https://install.python-poetry.org | python$(PYTHON_VERSION) -$(RESET)"; \
 			echo "$(RED)More detail here: https://python-poetry.org/docs/#installing-with-the-official-installer$(RESET)"; \
 			exit 1; \
 		fi; \
 	else \
 		echo "$(RED)Poetry is not installed. You can install poetry by running the following command, then adding Poetry to your PATH:"; \
-		echo "$(RED) curl -sSL https://install.python-poetry.org | $(PYTHON) -$(RESET)"; \
+		echo "$(RED) curl -sSL https://install.python-poetry.org | python$(PYTHON_VERSION) -$(RESET)"; \
 		echo "$(RED)More detail here: https://python-poetry.org/docs/#installing-with-the-official-installer$(RESET)"; \
 		exit 1; \
 	fi
 
-install-python-dependencies: check-python
+install-python-dependencies:
 	@echo "$(GREEN)Installing Python dependencies...$(RESET)"
 	@if [ -z "${TZ}" ]; then \
 		echo "Defaulting TZ (timezone) to UTC"; \
 		export TZ="UTC"; \
 	fi
-	poetry env use $(PYTHON)
+	poetry env use python$(PYTHON_VERSION)
 	@if [ "$(shell uname)" = "Darwin" ]; then \
 		echo "$(BLUE)Installing chroma-hnswlib...$(RESET)"; \
 		export HNSWLIB_NO_NATIVE=1; \

README.md

@@ -1,18 +1,22 @@
 <a name="readme-top"></a>
 
 <div align="center">
-  <img src="https://raw.githubusercontent.com/OpenHands/docs/main/openhands/static/img/logo.png" alt="Logo" width="200">
-  <h1 align="center" style="border-bottom: none">OpenHands: AI-Driven Development</h1>
+  <img src="https://raw.githubusercontent.com/All-Hands-AI/docs/main/openhands/static/img/logo.png" alt="Logo" width="200">
+  <h1 align="center">OpenHands: Code Less, Make More</h1>
 </div>
 
 
 <div align="center">
-  <a href="https://github.com/OpenHands/OpenHands/blob/main/LICENSE"><img src="https://img.shields.io/badge/LICENSE-MIT-20B2AA?style=for-the-badge" alt="MIT License"></a>
-  <a href="https://docs.google.com/spreadsheets/d/1wOUdFCMyY6Nt0AIqF705KN4JKOWgeI4wUGUP60krXXs/edit?gid=811504672#gid=811504672"><img src="https://img.shields.io/badge/SWEBench-77.6-00cc00?logoColor=FFE165&style=for-the-badge" alt="Benchmark Score"></a>
+  <a href="https://github.com/OpenHands/OpenHands/graphs/contributors"><img src="https://img.shields.io/github/contributors/OpenHands/OpenHands?style=for-the-badge&color=blue" alt="Contributors"></a>
+  <a href="https://github.com/OpenHands/OpenHands/stargazers"><img src="https://img.shields.io/github/stars/OpenHands/OpenHands?style=for-the-badge&color=blue" alt="Stargazers"></a>
+  <a href="https://github.com/OpenHands/OpenHands/blob/main/LICENSE"><img src="https://img.shields.io/github/license/OpenHands/OpenHands?style=for-the-badge&color=blue" alt="MIT License"></a>
   <br/>
-  <a href="https://docs.openhands.dev/sdk"><img src="https://img.shields.io/badge/Documentation-000?logo=googledocs&logoColor=FFE165&style=for-the-badge" alt="Check out the documentation"></a>
-  <a href="https://arxiv.org/abs/2511.03690"><img src="https://img.shields.io/badge/Paper-000?logoColor=FFE165&logo=arxiv&style=for-the-badge" alt="Tech Report"></a>
-
+  <a href="https://all-hands.dev/joinslack"><img src="https://img.shields.io/badge/Slack-Join%20Us-red?logo=slack&logoColor=white&style=for-the-badge" alt="Join our Slack community"></a>
+  <a href="https://github.com/OpenHands/OpenHands/blob/main/CREDITS.md"><img src="https://img.shields.io/badge/Project-Credits-blue?style=for-the-badge&color=FFE165&logo=github&logoColor=white" alt="Credits"></a>
+  <br/>
+  <a href="https://docs.all-hands.dev/usage/getting-started"><img src="https://img.shields.io/badge/Documentation-000?logo=googledocs&logoColor=FFE165&style=for-the-badge" alt="Check out the documentation"></a>
+  <a href="https://arxiv.org/abs/2407.16741"><img src="https://img.shields.io/badge/Paper%20on%20Arxiv-000?logoColor=FFE165&logo=arxiv&style=for-the-badge" alt="Paper on Arxiv"></a>
+  <a href="https://docs.google.com/spreadsheets/d/1wOUdFCMyY6Nt0AIqF705KN4JKOWgeI4wUGUP60krXXs/edit?gid=0#gid=0"><img src="https://img.shields.io/badge/Benchmark%20score-000?logoColor=FFE165&logo=huggingface&style=for-the-badge" alt="Evaluation Benchmark Score"></a>
 
   <!-- Keep these links. Translations will automatically update with the README. -->
   <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=de">Deutsch</a> |
@@ -23,131 +27,158 @@
   <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=pt">Português</a> |
   <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=ru">Русский</a> |
   <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=zh">中文</a>
+
+  <hr>
 </div>
 
-<hr>
+Welcome to OpenHands (formerly OpenDevin), a platform for software development agents powered by AI.
 
-🙌 Welcome to OpenHands, a [community](COMMUNITY.md) focused on AI-driven development. We’d love for you to [join us on Slack](https://dub.sh/openhands).
+OpenHands agents can do anything a human developer can: modify code, run commands, browse the web,
+call APIs, and yes—even copy code snippets from StackOverflow.
 
-There are a few ways to work with OpenHands:
+Learn more at [docs.all-hands.dev](https://docs.all-hands.dev), or [sign up for OpenHands Cloud](https://app.all-hands.dev) to get started.
 
-### OpenHands Software Agent SDK
-The SDK is a composable Python library that contains all of our agentic tech. It's the engine that powers everything else below.
 
-Define agents in code, then run them locally, or scale to 1000s of agents in the cloud.
+> [!IMPORTANT]
+> **Upcoming change**: We are renaming our GitHub Org from `All-Hands-AI` to `OpenHands` on October 20th, 2025.
+> Check the [tracking issue](https://github.com/All-Hands-AI/OpenHands/issues/11376) for more information.
 
-[Check out the docs](https://docs.openhands.dev/sdk) or [view the source](https://github.com/OpenHands/software-agent-sdk/)
 
-### OpenHands CLI
-The CLI is the easiest way to start using OpenHands. The experience will be familiar to anyone who has worked
-with e.g. Claude Code or Codex. You can power it with Claude, GPT, or any other LLM.
+> [!IMPORTANT]
+> Using OpenHands for work? We'd love to chat! Fill out
+> [this short form](https://docs.google.com/forms/d/e/1FAIpQLSet3VbGaz8z32gW9Wm-Grl4jpt5WgMXPgJ4EDPVmCETCBpJtQ/viewform)
+> to join our Design Partner program, where you'll get early access to commercial features and the opportunity to provide input on our product roadmap.
 
-[Check out the docs](https://docs.openhands.dev/openhands/usage/run-openhands/cli-mode) or [view the source](https://github.com/OpenHands/OpenHands-CLI)
+## ☁️ OpenHands Cloud
+The easiest way to get started with OpenHands is on [OpenHands Cloud](https://app.all-hands.dev),
+which comes with $20 in free credits for new users.
 
-### OpenHands Local GUI
-Use the Local GUI for running agents on your laptop. It comes with a REST API and a single-page React application.
-The experience will be familiar to anyone who has used Devin or Jules.
+## 💻 Running OpenHands Locally
 
-[Check out the docs](https://docs.openhands.dev/openhands/usage/run-openhands/local-setup) or view the source in this repo.
+### Option 1: CLI Launcher (Recommended)
 
-### OpenHands Cloud
-This is a deployment of OpenHands GUI, running on hosted infrastructure.
+The easiest way to run OpenHands locally is using the CLI launcher with [uv](https://docs.astral.sh/uv/). This provides better isolation from your current project's virtual environment and is required for OpenHands' default MCP servers.
 
-You can try it for free using the Minimax model by [signing in with your GitHub or GitLab account](https://app.all-hands.dev).
+**Install uv** (if you haven't already):
 
-OpenHands Cloud comes with source-available features and integrations:
-- Integrations with Slack, Jira, and Linear
-- Multi-user support
-- RBAC and permissions
-- Collaboration features (e.g., conversation sharing)
+See the [uv installation guide](https://docs.astral.sh/uv/getting-started/installation/) for the latest installation instructions for your platform.
 
-### OpenHands Enterprise
-Large enterprises can work with us to self-host OpenHands Cloud in their own VPC, via Kubernetes.
-OpenHands Enterprise can also work with the CLI and SDK above.
+**Launch OpenHands**:
+```bash
+# Launch the GUI server
+uvx --python 3.12 openhands serve
 
-OpenHands Enterprise is source-available--you can see all the source code here in the enterprise/ directory,
-but you'll need to purchase a license if you want to run it for more than one month.
+# Or launch the CLI
+uvx --python 3.12 openhands
+```
 
-Enterprise contracts also come with extended support and access to our research team.
+You'll find OpenHands running at [http://localhost:3000](http://localhost:3000) (for GUI mode)!
 
-Learn more at [openhands.dev/enterprise](https://openhands.dev/enterprise)
+### Option 2: Docker
 
-### Everything Else
+<details>
+<summary>Click to expand Docker command</summary>
 
-Check out our [Product Roadmap](https://github.com/orgs/openhands/projects/1), and feel free to
-[open up an issue](https://github.com/OpenHands/OpenHands/issues) if there's something you'd like to see!
+You can also run OpenHands directly with Docker:
 
-You might also be interested in our [evaluation infrastructure](https://github.com/OpenHands/benchmarks), our [chrome extension](https://github.com/OpenHands/openhands-chrome-extension/), or our [Theory-of-Mind module](https://github.com/OpenHands/ToM-SWE).
+```bash
+docker pull docker.openhands.dev/openhands/runtime:0.60-nikolaik
 
-All our work is available under the MIT license, except for the `enterprise/` directory in this repository (see the [enterprise license](enterprise/LICENSE) for details).
-The core `openhands` and `agent-server` Docker images are fully MIT-licensed as well.
+docker run -it --rm --pull=always \
+    -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.openhands.dev/openhands/runtime:0.60-nikolaik \
+    -e LOG_ALL_EVENTS=true \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    -v ~/.openhands:/.openhands \
+    -p 3000:3000 \
+    --add-host host.docker.internal:host-gateway \
+    --name openhands-app \
+    docker.openhands.dev/openhands/openhands:0.60
+```
 
-If you need help with anything, or just want to chat, [come find us on Slack](https://dub.sh/openhands).
+</details>
 
-<hr>
+> **Note**: If you used OpenHands before version 0.44, you may want to run `mv ~/.openhands-state ~/.openhands` to migrate your conversation history to the new location.
 
-### Thank You to Our Contributors
+> [!WARNING]
+> On a public network? See our [Hardened Docker Installation Guide](https://docs.all-hands.dev/usage/runtimes/docker#hardened-docker-installation)
+> to secure your deployment by restricting network binding and implementing additional security measures.
 
-<div align="center">
+### Getting Started
 
-[![OpenHands Contributors](https://assets.openhands.dev/readme/openhands-openhands-contributors.svg)](https://github.com/OpenHands/OpenHands/graphs/contributors)
+When you open the application, you'll be asked to choose an LLM provider and add an API key.
+[Anthropic's Claude Sonnet 4.5](https://www.anthropic.com/api) (`anthropic/claude-sonnet-4-5-20250929`)
+works best, but you have [many options](https://docs.all-hands.dev/usage/llms).
 
-</div>
+See the [Running OpenHands](https://docs.all-hands.dev/usage/installation) guide for
+system requirements and more information.
 
-<hr>
+## 💡 Other ways to run OpenHands
 
-### Trusted by Engineers at
+> [!WARNING]
+> OpenHands is meant to be run by a single user on their local workstation.
+> It is not appropriate for multi-tenant deployments where multiple users share the same instance. There is no built-in authentication, isolation, or scalability.
+>
+> If you're interested in running OpenHands in a multi-tenant environment, check out the source-available, commercially-licensed
+> [OpenHands Cloud Helm Chart](https://github.com/openHands/OpenHands-cloud)
 
-<div align="center">
-  <br/><br/>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/tiktok.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/tiktok.svg" alt="TikTok" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/vmware.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/vmware.svg" alt="VMware" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/roche.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/roche.svg" alt="Roche" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/amazon.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/amazon.svg" alt="Amazon" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/c3-ai.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/c3-ai.svg" alt="C3 AI" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/netflix.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/netflix.svg" alt="Netflix" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/mastercard.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/mastercard.svg" alt="Mastercard" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/red-hat.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/red-hat.svg" alt="Red Hat" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/mongodb.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/mongodb.svg" alt="MongoDB" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/apple.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/apple.svg" alt="Apple" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/nvidia.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/nvidia.svg" alt="NVIDIA" height="17" hspace="5">
-  </picture>
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/google.svg">
-    <img src="https://assets.openhands.dev/logos/external/black/google.svg" alt="Google" height="17" hspace="5">
-  </picture>
-</div>
+You can [connect OpenHands to your local filesystem](https://docs.all-hands.dev/usage/runtimes/docker#connecting-to-your-filesystem),
+interact with it via a [friendly CLI](https://docs.all-hands.dev/usage/how-to/cli-mode),
+run OpenHands in a scriptable [headless mode](https://docs.all-hands.dev/usage/how-to/headless-mode),
+or run it on tagged issues with [a github action](https://docs.all-hands.dev/usage/how-to/github-action).
 
-</div>
+Visit [Running OpenHands](https://docs.all-hands.dev/usage/installation) for more information and setup instructions.
+
+If you want to modify the OpenHands source code, check out [Development.md](https://github.com/OpenHands/OpenHands/blob/main/Development.md).
+
+Having issues? The [Troubleshooting Guide](https://docs.all-hands.dev/usage/troubleshooting) can help.
+
+## 📖 Documentation
+
+To learn more about the project, and for tips on using OpenHands,
+check out our [documentation](https://docs.all-hands.dev/usage/getting-started).
+
+There you'll find resources on how to use different LLM providers,
+troubleshooting resources, and advanced configuration options.
+
+## 🤝 How to Join the Community
+
+OpenHands is a community-driven project, and we welcome contributions from everyone. We do most of our communication
+through Slack, so this is the best place to start, but we also are happy to have you contact us on Github:
+
+- [Join our Slack workspace](https://all-hands.dev/joinslack) - Here we talk about research, architecture, and future development.
+- [Read or post Github Issues](https://github.com/OpenHands/OpenHands/issues) - Check out the issues we're working on, or add your own ideas.
+
+See more about the community in [COMMUNITY.md](./COMMUNITY.md) or find details on contributing in [CONTRIBUTING.md](./CONTRIBUTING.md).
+
+## 📈 Progress
+
+See the monthly OpenHands roadmap [here](https://github.com/orgs/OpenHands/projects/1) (updated at the maintainer's meeting at the end of each month).
+
+<p align="center">
+  <a href="https://star-history.com/#OpenHands/OpenHands&Date">
+    <img src="https://api.star-history.com/svg?repos=OpenHands/OpenHands&type=Date" width="500" alt="Star History Chart">
+  </a>
+</p>
+
+## 📜 License
+
+Distributed under the MIT License, with the exception of the `enterprise/` folder. See [`LICENSE`](./LICENSE) for more information.
+
+## 🙏 Acknowledgements
+
+OpenHands is built by a large number of contributors, and every contribution is greatly appreciated! We also build upon other open source projects, and we are deeply thankful for their work.
+
+For a list of open source projects and licenses used in OpenHands, please see our [CREDITS.md](./CREDITS.md) file.
+
+## 📚 Cite
+
+```
+@inproceedings{
+  wang2025openhands,
+  title={OpenHands: An Open Platform for {AI} Software Developers as Generalist Agents},
+  author={Xingyao Wang and Boxuan Li and Yufan Song and Frank F. Xu and Xiangru Tang and Mingchen Zhuge and Jiayi Pan and Yueqi Song and Bowen Li and Jaskirat Singh and Hoang H. Tran and Fuqiang Li and Ren Ma and Mingzhang Zheng and Bill Qian and Yanjun Shao and Niklas Muennighoff and Yizhe Zhang and Binyuan Hui and Junyang Lin and Robert Brennan and Hao Peng and Heng Ji and Graham Neubig},
+  booktitle={The Thirteenth International Conference on Learning Representations},
+  year={2025},
+  url={https://openreview.net/forum?id=OJd3ayDDoF}
+}
+```

build_vscode.py

@@ -0,0 +1,113 @@
+import os
+import pathlib
+import subprocess
+
+# This script is intended to be run by Poetry during the build process.
+
+# Define the expected name of the .vsix file based on the extension's package.json
+# This should match the name and version in openhands-vscode/package.json
+EXTENSION_NAME = 'openhands-vscode'
+EXTENSION_VERSION = '0.0.1'
+VSIX_FILENAME = f'{EXTENSION_NAME}-{EXTENSION_VERSION}.vsix'
+
+# Paths
+ROOT_DIR = pathlib.Path(__file__).parent.resolve()
+VSCODE_EXTENSION_DIR = ROOT_DIR / 'openhands' / 'integrations' / 'vscode'
+
+
+def check_node_version():
+    """Check if Node.js version is sufficient for building the extension."""
+    try:
+        result = subprocess.run(
+            ['node', '--version'], capture_output=True, text=True, check=True
+        )
+        version_str = result.stdout.strip()
+        # Extract major version number (e.g., "v12.22.9" -> 12)
+        major_version = int(version_str.lstrip('v').split('.')[0])
+        return major_version >= 18  # Align with frontend actual usage (18.20.1)
+    except (subprocess.CalledProcessError, FileNotFoundError, ValueError):
+        return False
+
+
+def build_vscode_extension():
+    """Builds the VS Code extension."""
+    vsix_path = VSCODE_EXTENSION_DIR / VSIX_FILENAME
+
+    # Check if VSCode extension build is disabled via environment variable
+    if os.environ.get('SKIP_VSCODE_BUILD', '').lower() in ('1', 'true', 'yes'):
+        print('--- Skipping VS Code extension build (SKIP_VSCODE_BUILD is set) ---')
+        if vsix_path.exists():
+            print(f'--- Using existing VS Code extension: {vsix_path} ---')
+        else:
+            print('--- No pre-built VS Code extension found ---')
+        return
+
+    # Check Node.js version - if insufficient, use pre-built extension as fallback
+    if not check_node_version():
+        print('--- Warning: Node.js version < 18 detected or Node.js not found ---')
+        print('--- Skipping VS Code extension build (requires Node.js >= 18) ---')
+        print('--- Using pre-built extension if available ---')
+
+        if not vsix_path.exists():
+            print('--- Warning: No pre-built VS Code extension found ---')
+            print('--- VS Code extension will not be available ---')
+        else:
+            print(f'--- Using pre-built VS Code extension: {vsix_path} ---')
+        return
+
+    print(f'--- Building VS Code extension in {VSCODE_EXTENSION_DIR} ---')
+
+    try:
+        # Ensure npm dependencies are installed
+        print('--- Running npm install for VS Code extension ---')
+        subprocess.run(
+            ['npm', 'install'],
+            cwd=VSCODE_EXTENSION_DIR,
+            check=True,
+            shell=os.name == 'nt',
+        )
+
+        # Package the extension
+        print(f'--- Packaging VS Code extension ({VSIX_FILENAME}) ---')
+        subprocess.run(
+            ['npm', 'run', 'package-vsix'],
+            cwd=VSCODE_EXTENSION_DIR,
+            check=True,
+            shell=os.name == 'nt',
+        )
+
+        # Verify the generated .vsix file exists
+        if not vsix_path.exists():
+            raise FileNotFoundError(
+                f'VS Code extension package not found after build: {vsix_path}'
+            )
+
+        print(f'--- VS Code extension built successfully: {vsix_path} ---')
+
+    except subprocess.CalledProcessError as e:
+        print(f'--- Warning: Failed to build VS Code extension: {e} ---')
+        print('--- Continuing without building extension ---')
+        if not vsix_path.exists():
+            print('--- Warning: No pre-built VS Code extension found ---')
+            print('--- VS Code extension will not be available ---')
+
+
+def build(setup_kwargs):
+    """This function is called by Poetry during the build process.
+    `setup_kwargs` is a dictionary that will be passed to `setuptools.setup()`.
+    """
+    print('--- Running custom Poetry build script (build_vscode.py) ---')
+
+    # Build the VS Code extension and place the .vsix file
+    build_vscode_extension()
+
+    # Poetry will handle including files based on pyproject.toml `include` patterns.
+    # Ensure openhands/integrations/vscode/*.vsix is included there.
+
+    print('--- Custom Poetry build script (build_vscode.py) finished ---')
+
+
+if __name__ == '__main__':
+    print('Running build_vscode.py directly for testing VS Code extension packaging...')
+    build_vscode_extension()
+    print('Direct execution of build_vscode.py finished.')

config.template.toml

@@ -296,7 +296,7 @@ classpath = "my_package.my_module.MyCustomAgent"
 #user_id = 1000
 
 # Container image to use for the sandbox
-#base_container_image = "nikolaik/python-nodejs:python3.12-nodejs22-slim"
+#base_container_image = "nikolaik/python-nodejs:python3.12-nodejs22"
 
 # Use host network
 #use_host_network = false
@@ -440,6 +440,12 @@ type = "noop"
 #temperature = 0.1
 #max_input_tokens = 1024
 
+#################################### Eval ####################################
+# Configuration for the evaluation, please refer to the specific evaluation
+# plugin for the available options
+##############################################################################
+
+
 ########################### Kubernetes #######################################
 # Kubernetes configuration when using the Kubernetes runtime
 ##############################################################################

containers/app/Dockerfile

@@ -1,5 +1,5 @@
 ARG OPENHANDS_BUILD_VERSION=dev
-FROM node:25.9-trixie-slim AS frontend-builder
+FROM node:24.8-trixie-slim AS frontend-builder
 
 WORKDIR /app
 
@@ -20,11 +20,9 @@ ENV POETRY_NO_INTERACTION=1 \
     POETRY_VIRTUALENVS_CREATE=1 \
     POETRY_CACHE_DIR=/tmp/poetry_cache
 
-# Pin Poetry version to match the version used to generate poetry.lock
-ARG POETRY_VERSION=2.3.3
 RUN apt-get update -y \
     && apt-get install -y curl make git build-essential jq gettext \
-    && python3 -m pip install "poetry==${POETRY_VERSION}" --break-system-packages
+    && python3 -m pip install poetry --break-system-packages
 
 COPY pyproject.toml poetry.lock ./
 RUN touch README.md
@@ -52,7 +50,7 @@ RUN mkdir -p $FILE_STORE_PATH
 RUN mkdir -p $WORKSPACE_BASE
 
 RUN apt-get update -y \
-    && apt-get install -y curl git ssh sudo \
+    && apt-get install -y curl ssh sudo \
     && rm -rf /var/lib/apt/lists/*
 
 # Default is 1000, but OSX is often 501
@@ -75,21 +73,13 @@ ENV VIRTUAL_ENV=/app/.venv \
 
 COPY --chown=openhands:openhands --chmod=770 --from=backend-builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 
-# Pin pip to a known-good version (reproducible builds) and fix CVE-2025-8869
-# Pin both venv pip and system pip (Trivy scans both)
-# - `python -m pip` uses the venv because `PATH` is prefixed with `${VIRTUAL_ENV}/bin`
-# - `/usr/local/bin/python3 -m pip` uses the system interpreter regardless of `PATH`
-ARG PIP_VERSION=26.0.1
-RUN python -m pip install --no-cache-dir "pip==${PIP_VERSION}"
-
-USER root
-RUN /usr/local/bin/python3 -m pip install --no-cache-dir "pip==${PIP_VERSION}" --break-system-packages
-USER openhands
-
-COPY --chown=openhands:openhands --chmod=770 ./skills ./skills
+COPY --chown=openhands:openhands --chmod=770 ./microagents ./microagents
 COPY --chown=openhands:openhands --chmod=770 ./openhands ./openhands
+COPY --chown=openhands:openhands --chmod=777 ./openhands/runtime/plugins ./openhands/runtime/plugins
 COPY --chown=openhands:openhands pyproject.toml poetry.lock README.md MANIFEST.in LICENSE ./
 
+# This is run as "openhands" user, and will create __pycache__ with openhands:openhands ownership
+RUN python openhands/core/download.py # No-op to download assets
 # Add this line to set group ownership of all files/directories not already in "app" group
 # openhands:openhands -> openhands:openhands
 RUN find /app \! -group openhands -exec chgrp openhands {} +

containers/app/config.sh

@@ -0,0 +1,4 @@
+DOCKER_REGISTRY=ghcr.io
+DOCKER_ORG=openhands
+DOCKER_IMAGE=openhands
+DOCKER_BASE_DIR="."

containers/app/entrypoint.sh

@@ -23,6 +23,18 @@ if [ -z "$WORKSPACE_MOUNT_PATH" ]; then
   unset WORKSPACE_BASE
 fi
 
+if [[ "$INSTALL_THIRD_PARTY_RUNTIMES" == "true" ]]; then
+  echo "Downloading and installing third_party_runtimes..."
+  echo "Warning: Third-party runtimes are provided as-is, not actively supported and may be removed in future releases."
+
+  if pip install 'openhands-ai[third_party_runtimes]' -qqq 2> >(tee /dev/stderr); then
+    echo "third_party_runtimes installed successfully."
+  else
+    echo "Failed to install third_party_runtimes." >&2
+    exit 1
+  fi
+fi
+
 if [[ "$SANDBOX_USER_ID" -eq 0 ]]; then
   echo "Running OpenHands as root"
   export RUN_AS_OPENHANDS=false

containers/build.sh

@@ -0,0 +1,182 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# Initialize variables with default values
+image_name=""
+org_name=""
+push=0
+load=0
+tag_suffix=""
+dry_run=0
+
+# Function to display usage information
+usage() {
+    echo "Usage: $0 -i <image_name> [-o <org_name>] [--push] [--load] [-t <tag_suffix>] [--dry]"
+    echo "  -i: Image name (required)"
+    echo "  -o: Organization name"
+    echo "  --push: Push the image"
+    echo "  --load: Load the image"
+    echo "  -t: Tag suffix"
+    echo "  --dry: Don't build, only create build-args.json"
+    exit 1
+}
+
+# Parse command-line options
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        -i) image_name="$2"; shift 2 ;;
+        -o) org_name="$2"; shift 2 ;;
+        --push) push=1; shift ;;
+        --load) load=1; shift ;;
+        -t) tag_suffix="$2"; shift 2 ;;
+        --dry) dry_run=1; shift ;;
+        *) usage ;;
+    esac
+done
+# Check if required arguments are provided
+if [[ -z "$image_name" ]]; then
+    echo "Error: Image name is required."
+    usage
+fi
+
+echo "Building: $image_name"
+tags=()
+
+OPENHANDS_BUILD_VERSION="dev"
+
+cache_tag_base="buildcache"
+cache_tag="$cache_tag_base"
+
+if [[ -n $RELEVANT_SHA ]]; then
+  git_hash=$(git rev-parse --short "$RELEVANT_SHA")
+  tags+=("$git_hash")
+  tags+=("$RELEVANT_SHA")
+fi
+
+if [[ -n $GITHUB_REF_NAME ]]; then
+  # check if ref name is a version number
+  if [[ $GITHUB_REF_NAME =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+    major_version=$(echo "$GITHUB_REF_NAME" | cut -d. -f1)
+    minor_version=$(echo "$GITHUB_REF_NAME" | cut -d. -f1,2)
+    tags+=("$major_version" "$minor_version")
+    tags+=("latest")
+  fi
+  sanitized_ref_name=$(echo "$GITHUB_REF_NAME" | sed 's/[^a-zA-Z0-9.-]\+/-/g')
+  OPENHANDS_BUILD_VERSION=$sanitized_ref_name
+  sanitized_ref_name=$(echo "$sanitized_ref_name" | tr '[:upper:]' '[:lower:]') # lower case is required in tagging
+  tags+=("$sanitized_ref_name")
+  cache_tag+="-${sanitized_ref_name}"
+fi
+
+if [[ -n $tag_suffix ]]; then
+  cache_tag+="-${tag_suffix}"
+  for i in "${!tags[@]}"; do
+    tags[$i]="${tags[$i]}-$tag_suffix"
+  done
+fi
+
+echo "Tags: ${tags[@]}"
+
+if [[ "$image_name" == "openhands" ]]; then
+  dir="./containers/app"
+elif [[ "$image_name" == "runtime" ]]; then
+  dir="./containers/runtime"
+else
+  dir="./containers/$image_name"
+fi
+
+if [[ (! -f "$dir/Dockerfile") && "$image_name" != "runtime" ]]; then
+  # Allow runtime to be built without a Dockerfile
+  echo "No Dockerfile found"
+  exit 1
+fi
+if [[ ! -f "$dir/config.sh" ]]; then
+  echo "No config.sh found for Dockerfile"
+  exit 1
+fi
+
+source "$dir/config.sh"
+
+if [[ -n "$org_name" ]]; then
+  DOCKER_ORG="$org_name"
+fi
+
+# If $DOCKER_IMAGE_SOURCE_TAG is set, add it to the tags
+if [[ -n "$DOCKER_IMAGE_SOURCE_TAG" ]]; then
+  tags+=("$DOCKER_IMAGE_SOURCE_TAG")
+fi
+# If $DOCKER_IMAGE_TAG is set, add it to the tags
+if [[ -n "$DOCKER_IMAGE_TAG" ]]; then
+  tags+=("$DOCKER_IMAGE_TAG")
+fi
+
+DOCKER_REPOSITORY="$DOCKER_REGISTRY/$DOCKER_ORG/$DOCKER_IMAGE"
+DOCKER_REPOSITORY=${DOCKER_REPOSITORY,,} # lowercase
+echo "Repo: $DOCKER_REPOSITORY"
+echo "Base dir: $DOCKER_BASE_DIR"
+
+args=""
+full_tags=()
+for tag in "${tags[@]}"; do
+  args+=" -t $DOCKER_REPOSITORY:$tag"
+  full_tags+=("$DOCKER_REPOSITORY:$tag")
+done
+
+
+if [[ $push -eq 1 ]]; then
+  args+=" --push"
+  args+=" --cache-to=type=registry,ref=$DOCKER_REPOSITORY:$cache_tag,mode=max"
+fi
+
+if [[ $load -eq 1 ]]; then
+  args+=" --load"
+fi
+
+echo "Args: $args"
+
+# Modify the platform selection based on --load flag
+if [[ $load -eq 1 ]]; then
+  # When loading, build only for the current platform
+  platform=$(docker version -f '{{.Server.Os}}/{{.Server.Arch}}')
+else
+  # For push or without load, build for multiple platforms
+  platform="linux/amd64,linux/arm64"
+fi
+if [[ $dry_run -eq 1 ]]; then
+  echo "Dry Run is enabled. Writing build config to docker-build-dry.json"
+  jq -n \
+    --argjson tags "$(printf '%s\n' "${full_tags[@]}" | jq -R . | jq -s .)" \
+    --arg platform "$platform" \
+    --arg openhands_build_version "$OPENHANDS_BUILD_VERSION" \
+    --arg dockerfile "$dir/Dockerfile" \
+    '{
+      tags: $tags,
+      platform: $platform,
+      build_args: [
+        "OPENHANDS_BUILD_VERSION=" + $openhands_build_version
+      ],
+      dockerfile: $dockerfile
+    }' > docker-build-dry.json
+
+    exit 0
+fi
+
+
+
+echo "Building for platform(s): $platform"
+
+docker buildx build \
+  $args \
+  --build-arg OPENHANDS_BUILD_VERSION="$OPENHANDS_BUILD_VERSION" \
+  --cache-from=type=registry,ref=$DOCKER_REPOSITORY:$cache_tag \
+  --cache-from=type=registry,ref=$DOCKER_REPOSITORY:$cache_tag_base-main \
+  --platform $platform \
+  --provenance=false \
+  -f "$dir/Dockerfile" \
+  "$DOCKER_BASE_DIR"
+
+# If load was requested, print the loaded images
+if [[ $load -eq 1 ]]; then
+  echo "Local images built:"
+  docker images "$DOCKER_REPOSITORY" --format "{{.Repository}}:{{.Tag}}"
+fi

containers/dev/README.md

@@ -1,7 +1,7 @@
 # Develop in Docker
 
 > [!WARNING]
-> This way of running OpenHands is not officially supported. It is maintained by the community and may not work.
+> This is not officially supported and may not work.
 
 Install [Docker](https://docs.docker.com/engine/install/) on your host machine and run:
 

containers/dev/compose.yml

@@ -12,8 +12,7 @@ services:
       - SANDBOX_API_HOSTNAME=host.docker.internal
       - DOCKER_HOST_ADDR=host.docker.internal
       #
-      - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.15.0-python}
+      - SANDBOX_RUNTIME_CONTAINER_IMAGE=${SANDBOX_RUNTIME_CONTAINER_IMAGE:-ghcr.io/openhands/runtime:0.60-nikolaik}
       - SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234}
       - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
     ports:

containers/runtime/README.md

@@ -0,0 +1,12 @@
+# Dynamically constructed Dockerfile
+
+This folder builds a runtime image (sandbox), which will use a dynamically generated `Dockerfile`
+that depends on the `base_image` **AND** a [Python source distribution](https://docs.python.org/3.10/distutils/sourcedist.html) that is based on the current commit of `openhands`.
+
+The following command will generate a `Dockerfile` file for `nikolaik/python-nodejs:python3.12-nodejs22` (the default base image), an updated `config.sh` and the runtime source distribution files/folders into `containers/runtime`:
+
+```bash
+poetry run python3 -m openhands.runtime.utils.runtime_build \
+    --base_image nikolaik/python-nodejs:python3.12-nodejs22 \
+    --build_folder containers/runtime
+```

containers/runtime/config.sh

@@ -0,0 +1,7 @@
+DOCKER_REGISTRY=ghcr.io
+DOCKER_ORG=openhands
+DOCKER_BASE_DIR="./containers/runtime"
+DOCKER_IMAGE=runtime
+# These variables will be appended by the runtime_build.py script
+# DOCKER_IMAGE_TAG=
+# DOCKER_IMAGE_SOURCE_TAG=

dev_config/python/.pre-commit-config.yaml

@@ -3,22 +3,13 @@ repos:
     rev: v5.0.0
     hooks:
       - id: trailing-whitespace
-        exclude: ^(docs/|modules/|python/|openhands-ui/|enterprise/)
+        exclude: ^(docs/|modules/|python/|openhands-ui/|third_party/|enterprise/|openhands-cli/)
       - id: end-of-file-fixer
-        exclude: ^(docs/|modules/|python/|openhands-ui/|enterprise/)
+        exclude: ^(docs/|modules/|python/|openhands-ui/|third_party/|enterprise/|openhands-cli/)
       - id: check-yaml
         args: ["--allow-multiple-documents"]
       - id: debug-statements
 
-
-  - repo: local
-    hooks:
-      - id: warn-appmode-oss
-        name: "Warn on AppMode.OSS in backend (use AppMode.OPENHANDS)"
-        language: system
-        entry: bash -lc 'if rg -n "\\bAppMode\\.OSS\\b" openhands tests/unit; then echo "Found AppMode.OSS usage. Prefer AppMode.OPENHANDS."; exit 1; fi'
-        pass_filenames: false
-
   - repo: https://github.com/tox-dev/pyproject-fmt
     rev: v2.5.1
     hooks:
@@ -37,12 +28,12 @@ repos:
         entry: ruff check --config dev_config/python/ruff.toml
         types_or: [python, pyi, jupyter]
         args: [--fix, --unsafe-fixes]
-        exclude: ^(enterprise/)
+        exclude: ^(third_party/|enterprise/|openhands-cli/)
       # Run the formatter.
       - id: ruff-format
         entry: ruff format --config dev_config/python/ruff.toml
         types_or: [python, pyi, jupyter]
-        exclude: ^(enterprise/)
+        exclude: ^(third_party/|enterprise/|openhands-cli/)
 
   - repo: https://github.com/pre-commit/mirrors-mypy
     rev: v1.15.0
@@ -58,9 +49,6 @@ repos:
             types-Markdown,
             pydantic,
             lxml,
-            "openhands-sdk==1.17.0",
-            "openhands-tools==1.17.0",
-            "sqlalchemy>=2.0",
           ]
         # To see gaps add `--html-report mypy-report/`
         entry: mypy --config-file dev_config/python/mypy.ini openhands/

dev_config/python/mypy.ini

@@ -10,12 +10,7 @@ strict_optional = True
 disable_error_code = type-abstract
 
 # Exclude third-party runtime directory from type checking
-exclude = (enterprise/)
+exclude = (third_party/|enterprise/)
 
-[mypy-openai.*]
-follow_imports = skip
-ignore_missing_imports = True
-
-[mypy-litellm.*]
-follow_imports = skip
-ignore_missing_imports = True
+[mypy-openhands.memory.condenser.impl.*]
+disable_error_code = override

dev_config/python/ruff.toml

@@ -1,5 +1,5 @@
 # Exclude third-party runtime directory from linting
-exclude = ["enterprise/"]
+exclude = ["third_party/", "enterprise/"]
 
 [lint]
 select = [

docker-compose.yml

@@ -7,8 +7,7 @@ services:
     image: openhands:latest
     container_name: openhands-app-${DATE:-}
     environment:
-      - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.15.0-python}
+      - SANDBOX_RUNTIME_CONTAINER_IMAGE=${SANDBOX_RUNTIME_CONTAINER_IMAGE:-docker.openhands.dev/openhands/runtime:0.60-nikolaik}
       #- SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234} # enable this only if you want a specific non-root sandbox user but you will have to manually adjust permissions of ~/.openhands for this user
       - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
     ports:

enterprise/Dockerfile

@@ -10,7 +10,7 @@ LABEL com.datadoghq.tags.env="${DD_ENV}"
 # Apply security updates to fix CVEs
 RUN apt-get update && \
     apt-get install -y curl && \
-    curl -fsSL https://deb.nodesource.com/setup_24.x | bash - && \
+    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
     apt-get install -y nodejs && \
     apt-get install -y jq gettext && \
     # Apply security updates for packages with available fixes
@@ -23,27 +23,17 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
-# Install poetry and export before importing current code.
-RUN /app/.venv/bin/pip install poetry poetry-plugin-export
-
-# Install Python dependencies from poetry.lock for reproducible builds
-# Copy lock files first for better Docker layer caching
-COPY --chown=openhands:openhands enterprise/pyproject.toml enterprise/poetry.lock /tmp/enterprise/
-RUN cd /tmp/enterprise && \
-    # Export only main dependencies with hashes for supply chain security
-    /app/.venv/bin/poetry export --only main -o requirements.txt && \
-    # Remove the local path dependency (openhands-ai is already in base image)
-    sed -i '/^-e /d; /openhands-ai/d' requirements.txt && \
-    # Install pinned dependencies from lock file
-    /app/.venv/bin/pip install -r requirements.txt && \
-    # Cleanup - return to /app before removing /tmp/enterprise
-    cd /app && \
-    rm -rf /tmp/enterprise && \
-    /app/.venv/bin/pip uninstall -y poetry poetry-plugin-export
+# Install Python packages with security fixes
+RUN pip install alembic psycopg2-binary cloud-sql-python-connector pg8000 gspread stripe python-keycloak asyncpg sqlalchemy[asyncio] resend tenacity slack-sdk ddtrace "posthog>=6.0.0" "limits==5.2.0" coredis prometheus-client shap scikit-learn pandas numpy && \
+    # Update packages with known CVE fixes
+    pip install --upgrade \
+        "mcp>=1.10.0" \
+        "pillow>=11.3.0"
 
 WORKDIR /app
-COPY --chown=openhands:openhands --chmod=770 enterprise .
+COPY enterprise .
 
+RUN chown -R openhands:openhands /app && chmod -R 770 /app
 USER openhands
 
 # Command will be overridden by Kubernetes deployment template

enterprise/LICENSE

@@ -1,7 +1,5 @@
 # PolyForm Free Trial License 1.0.0
 
-Copyright (c) 2026 All Hands AI
-
 ## Acceptance
 
 In order to get any license under these terms, you must agree

enterprise/Makefile

@@ -2,7 +2,7 @@ BACKEND_HOST ?= "127.0.0.1"
 BACKEND_PORT = 3000
 BACKEND_HOST_PORT = "$(BACKEND_HOST):$(BACKEND_PORT)"
 FRONTEND_PORT = 3001
-OPENHANDS_PATH ?= ".."
+OPENHANDS_PATH ?= "../../OpenHands"
 OPENHANDS := $(OPENHANDS_PATH)
 OPENHANDS_FRONTEND_PATH = $(OPENHANDS)/frontend/build
 

enterprise/README.md

@@ -1,6 +1,6 @@
 # OpenHands Enterprise Server
 > [!WARNING]
-> This software is licensed under the [Polyform Free Trial License](./LICENSE). This is **NOT** an open source license. Usage is limited to 30 days per calendar year without a commercial license. If you would like to use it beyond 30 days, please [contact us](https://www.openhands.dev/contact).
+> This software is licensed under the [Polyform Free Trial License](./LICENSE). This is **NOT** an open source license. Usage is limited to 30 days per calendar year without a commercial license. If you would like to use it beyond 30 days, please [contact us](https://www.all-hands.dev/contact).
 
 > [!WARNING]
 > This is a work in progress and may contain bugs, incomplete features, or breaking changes.
@@ -10,13 +10,13 @@ This directory contains the enterprise server used by [OpenHands Cloud](https://
 
 You may also want to check out the MIT-licensed [OpenHands](https://github.com/OpenHands/OpenHands)
 
-## Extension of OpenHands
+## Extension of OpenHands (OSS)
 
-The code in `/enterprise` builds on top of OpenHands (MIT-licensed), extending its functionality. The enterprise code is entangled with OpenHands in two ways:
+The code in `/enterprise` directory builds on top of open source (OSS) code, extending its functionality. The enterprise code is entangled with the OSS code in two ways
 
-- Enterprise stacks on top of OpenHands. For example, the middleware in enterprise is stacked right on top of the middlewares in OpenHands. In `SAAS`, the middleware from BOTH repos will be present and running (which can sometimes cause conflicts)
+- Enterprise stacks on top of OSS. For example, the middleware in enterprise is stacked right on top of the middlewares in OSS. In `SAAS`, the middleware from BOTH repos will be present and running (which can sometimes cause conflicts)
 
-- Enterprise overrides the implementation in OpenHands (only one is present at a time). For example, the server config SaasServerConfig overrides [`ServerConfig`](https://github.com/OpenHands/OpenHands/blob/main/openhands/server/config/server_config.py#L8) in OpenHands. This is done through dynamic imports ([see here](https://github.com/OpenHands/OpenHands/blob/main/openhands/server/config/server_config.py#L37-#L45))
+- Enterprise overrides the implementation in OSS (only one is present at a time). For example, the server config SaasServerConfig which overrides [`ServerConfig`](https://github.com/OpenHands/OpenHands/blob/main/openhands/server/config/server_config.py#L8) on OSS. This is done through dynamic imports ([see here](https://github.com/OpenHands/OpenHands/blob/main/openhands/server/config/server_config.py#L37-#L45))
 
 Key areas that change on `SAAS` are
 
@@ -26,11 +26,11 @@ Key areas that change on `SAAS` are
 
 ### Authentication
 
-| Aspect                    | OpenHands                                              | Enterprise                                                                                                                                 |
+| Aspect                    | OSS                                                    | Enterprise                                                                                                                                 |
 | ------------------------- | ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
-| **Authentication Method** | User adds a personal access token (PAT) through the UI | User performs OAuth through the UI. The GitHub app provides a short-lived access token and refresh token                            |
+| **Authentication Method** | User adds a personal access token (PAT) through the UI | User performs OAuth through the UI. The Github app provides a short-lived access token and refresh token                            |
 | **Token Storage**         | PAT is stored in **Settings**                          | Token is stored in **GithubTokenManager** (a file store in our backend)                                                             |
-| **Authenticated status**  | We simply check if token exists in `Settings`          | We issue a signed cookie with `github_user_id` during OAuth, so subsequent requests with the cookie can be considered authenticated |
+| **Authenticated status**  | We simply check if token exists in `Settings`          | We issue a signed cookie with `github_user_id` during oauth, so subsequent requests with the cookie can be considered authenticated |
 
 Note that in the future, authentication will happen via keycloak. All modifications for authentication will happen in enterprise.
 
@@ -38,7 +38,7 @@ Note that in the future, authentication will happen via keycloak. All modificati
 
 The github service is responsible for interacting with Github APIs. As a consequence, it uses the user's token and refreshes it if need be
 
-| Aspect                    | OpenHands                               | Enterprise                                            |
+| Aspect                    | OSS                                    | Enterprise                                            |
 | ------------------------- | -------------------------------------- | ---------------------------------------------- |
 | **Class used**            | `GitHubService`                        | `SaaSGitHubService`                            |
 | **Token used**            | User's PAT fetched from `Settings`     | User's token fetched from `GitHubTokenManager` |
@@ -50,7 +50,7 @@ NOTE: in the future we will simply replace the `GithubTokenManager` with keycloa
 
 ## User ID vs User Token
 
-- In OpenHands, the entire app revolves around the GitHub token the user sets. `openhands/server` uses `request.state.github_token` for the entire app
-- On Enterprise, the entire APP resolves around the Github User ID. This is because the cookie sets it, so `openhands/server` AND `enterprise/server` depend on it and completely ignore `request.state.github_token` (token is fetched from `GithubTokenManager` instead)
+- On OSS, the entire APP revolves around the Github token the user sets. `openhands/server` uses `request.state.github_token` for the entire app
+- On Enterprise, the entire APP resolves around the Github User ID. This is because the cookie sets it, so `openhands/server` AND `enterprise/server` depend on it and completly ignore `request.state.github_token` (token is fetched from `GithubTokenManager` instead)
 
-Note that introducing GitHub User ID in OpenHands, for instance, will cause large breakages.
+Note that introducing Github User ID on OSS, for instance, will cause large breakages.

enterprise/alembic.ini

@@ -59,7 +59,7 @@ handlers = console
 qualname =
 
 [logger_sqlalchemy]
-level = WARNING
+level = DEBUG
 handlers =
 qualname = sqlalchemy.engine
 

enterprise/allhands-realm-github-provider.json.tmpl

@@ -721,17 +721,12 @@
         "https://$WEB_HOST/oauth/keycloak/callback",
         "https://$WEB_HOST/oauth/keycloak/offline/callback",
         "https://$WEB_HOST/slack/keycloak-callback",
-        "https://$WEB_HOST/oauth/device/keycloak-callback",
         "https://$WEB_HOST/api/email/verified",
-        "/realms/$KEYCLOAK_REALM_NAME/$KEYCLOAK_CLIENT_ID/*",
-        "https://laminar.$WEB_HOST/api/auth/callback/keycloak",
-        "https://analytics.$WEB_HOST/api/auth/callback/keycloak"
+        "/realms/$KEYCLOAK_REALM_NAME/$KEYCLOAK_CLIENT_ID/*"
       ],
       "webOrigins": [
         "https://$WEB_HOST",
-        "https://$AUTH_WEB_HOST",
-        "https://laminar.$WEB_HOST",
-        "https://analytics.$WEB_HOST"
+        "https://$AUTH_WEB_HOST"
       ],
       "notBefore": 0,
       "bearerOnly": false,
@@ -1776,40 +1771,6 @@
         "sendIdTokenOnLogout": "true",
         "passMaxAge": "false"
       }
-    },
-    {
-      "alias": "bitbucket_data_center",
-      "displayName": "Bitbucket Data Center",
-      "internalId": "b77b4ead-20e8-451c-ad27-99f92d561616",
-      "providerId": "oauth2",
-      "enabled": true,
-      "updateProfileFirstLoginMode": "on",
-      "trustEmail": true,
-      "storeToken": true,
-      "addReadTokenRoleOnCreate": false,
-      "authenticateByDefault": false,
-      "linkOnly": false,
-      "hideOnLogin": false,
-      "config": {
-        "givenNameClaim": "given_name",
-        "userInfoUrl": "https://${WEB_HOST}/bitbucket-dc-proxy/oauth2/userinfo",
-        "clientId": "$BITBUCKET_DATA_CENTER_CLIENT_ID",
-        "tokenUrl": "https://${BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/token",
-        "acceptsPromptNoneForwardFromClient": "false",
-        "fullNameClaim": "name",
-        "userIDClaim": "sub",
-        "emailClaim": "email",
-        "userNameClaim": "preferred_username",
-        "caseSensitiveOriginalUsername": "false",
-        "familyNameClaim": "family_name",
-        "pkceEnabled": "false",
-        "authorizationUrl": "https://${BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/authorize",
-        "clientAuthMethod": "client_secret_post",
-        "syncMode": "IMPORT",
-        "clientSecret": "$BITBUCKET_DATA_CENTER_CLIENT_SECRET",
-        "allowedClockSkew": "0",
-        "defaultScope": "REPO_WRITE"
-      }
     }
   ],
   "identityProviderMappers": [
@@ -1867,26 +1828,6 @@
         "syncMode": "FORCE",
         "attribute": "identity_provider"
       }
-    },
-    {
-      "name": "id-mapper",
-      "identityProviderAlias": "bitbucket_data_center",
-      "identityProviderMapper": "oidc-user-attribute-idp-mapper",
-      "config": {
-        "syncMode": "FORCE",
-        "claim": "sub",
-        "user.attribute": "bitbucket_data_center_id"
-      }
-    },
-    {
-      "name": "identity-provider",
-      "identityProviderAlias": "bitbucket_data_center",
-      "identityProviderMapper": "hardcoded-attribute-idp-mapper",
-      "config": {
-        "attribute.value": "bitbucket_data_center",
-        "syncMode": "FORCE",
-        "attribute": "identity_provider"
-      }
     }
   ],
   "components": {

enterprise/dev_config/python/.pre-commit-config.yaml

@@ -50,11 +50,8 @@ repos:
           - ./
           - stripe==11.5.0
           - pygithub==2.6.1
-          - sqlalchemy>=2.0
-        # Use -p (package) to avoid dual module name conflict when using MYPYPATH
-        # MYPYPATH=enterprise allows resolving bare imports like "from integrations.xxx"
-        # Note: tests package excluded to avoid conflict with core openhands tests
-        entry: bash -c 'MYPYPATH=enterprise mypy --config-file enterprise/dev_config/python/mypy.ini -p integrations -p server -p storage -p sync'
+        # To see gaps add `--html-report mypy-report/`
+        entry: mypy --config-file enterprise/dev_config/python/mypy.ini enterprise/
         always_run: true
         pass_filenames: false
         files: ^enterprise/

enterprise/dev_config/python/mypy.ini

@@ -2,6 +2,7 @@
 warn_unused_configs = True
 ignore_missing_imports = True
 check_untyped_defs = True
+explicit_package_bases = True
 warn_unreachable = True
 warn_redundant_casts = True
 no_implicit_optional = True

enterprise/doc/architecture/README.md

@@ -1,13 +0,0 @@
-# Enterprise Architecture Documentation
-
-Architecture diagrams specific to the OpenHands SaaS/Enterprise deployment.
-
-## Documentation
-
-- [Authentication Flow](./authentication.md) - Keycloak-based authentication for SaaS deployment
-- [External Integrations](./external-integrations.md) - GitHub, Slack, Jira, and other service integrations
-
-## Related Documentation
-
-For core OpenHands architecture (applicable to all deployments), see:
-- [Core Architecture Documentation](../../../openhands/architecture/README.md)

enterprise/doc/architecture/authentication.md

@@ -1,58 +0,0 @@
-# Authentication Flow (SaaS Deployment)
-
-OpenHands uses Keycloak for identity management in the SaaS deployment. The authentication flow involves multiple services:
-
-```mermaid
-sequenceDiagram
-    autonumber
-    participant User as User (Browser)
-    participant App as App Server
-    participant KC as Keycloak
-    participant IdP as Identity Provider<br/>(GitHub, Google, etc.)
-    participant DB as User Database
-
-    Note over User,DB: OAuth 2.0 / OIDC Authentication Flow
-
-    User->>App: Access OpenHands
-    App->>User: Redirect to Keycloak
-    User->>KC: Login request
-    KC->>User: Show login options
-    User->>KC: Select provider (e.g., GitHub)
-    KC->>IdP: OAuth redirect
-    User->>IdP: Authenticate
-    IdP-->>KC: OAuth callback + tokens
-    Note over KC: Create/update user session
-    KC-->>User: Redirect with auth code
-    User->>App: Auth code
-    App->>KC: Exchange code for tokens
-    KC-->>App: Access token + Refresh token
-    Note over App: Create signed JWT cookie
-    App->>DB: Store/update user record
-    App-->>User: Set keycloak_auth cookie
-
-    Note over User,DB: Subsequent Requests
-
-    User->>App: Request with cookie
-    Note over App: Verify JWT signature
-    App->>KC: Validate token (if needed)
-    KC-->>App: Token valid
-    Note over App: Extract user context
-    App-->>User: Authorized response
-```
-
-### Authentication Components
-
-| Component | Purpose | Location |
-|-----------|---------|----------|
-| **Keycloak** | Identity provider, SSO, token management | External service |
-| **UserAuth** | Abstract auth interface | `openhands/server/user_auth/user_auth.py` |
-| **SaasUserAuth** | Keycloak implementation | `enterprise/server/auth/saas_user_auth.py` |
-| **JWT Service** | Token signing/verification | `openhands/app_server/services/jwt_service.py` |
-| **Auth Routes** | Login/logout endpoints | `enterprise/server/routes/auth.py` |
-
-### Token Flow
-
-1. **Keycloak Access Token**: Short-lived token for API access
-2. **Keycloak Refresh Token**: Long-lived token to obtain new access tokens
-3. **Signed JWT Cookie**: App Server's session cookie containing encrypted Keycloak tokens
-4. **Provider Tokens**: OAuth tokens for GitHub, GitLab, etc. (stored separately for git operations)

enterprise/doc/architecture/external-integrations.md

@@ -1,88 +0,0 @@
-# External Integrations
-
-OpenHands integrates with external services (GitHub, Slack, Jira, etc.) through webhook-based event handling:
-
-```mermaid
-sequenceDiagram
-    autonumber
-    participant Ext as External Service<br/>(GitHub/Slack/Jira)
-    participant App as App Server
-    participant IntRouter as Integration Router
-    participant Manager as Integration Manager
-    participant Conv as Conversation Service
-    participant Sandbox as Sandbox
-
-    Note over Ext,Sandbox: Webhook Event Flow (e.g., GitHub Issue Created)
-
-    Ext->>App: POST /api/integration/{service}/events
-    App->>IntRouter: Route to service handler
-    Note over IntRouter: Verify signature (HMAC)
-
-    IntRouter->>Manager: Parse event payload
-    Note over Manager: Extract context (repo, issue, user)
-    Note over Manager: Map external user → OpenHands user
-
-    Manager->>Conv: Create conversation (with issue context)
-    Conv->>Sandbox: Provision sandbox
-    Sandbox-->>Conv: Ready
-
-    Manager->>Sandbox: Start agent with task
-
-    Note over Ext,Sandbox: Agent Works on Task...
-
-    Sandbox-->>Manager: Task complete
-    Manager->>Ext: POST result<br/>(PR, comment, etc.)
-
-    Note over Ext,Sandbox: Callback Flow (Agent → External Service)
-
-    Sandbox->>App: Webhook callback<br/>/api/v1/webhooks
-    App->>Manager: Process callback
-    Manager->>Ext: Update external service
-```
-
-### Supported Integrations
-
-| Integration | Trigger Events | Agent Actions |
-|-------------|----------------|---------------|
-| **GitHub** | Issue created, PR opened, @mention | Create PR, comment, push commits |
-| **GitLab** | Issue created, MR opened | Create MR, comment, push commits |
-| **Slack** | @mention in channel | Reply in thread, create tasks |
-| **Jira** | Issue created/updated | Update ticket, add comments |
-| **Linear** | Issue created | Update status, add comments |
-
-### Integration Components
-
-| Component | Purpose | Location |
-|-----------|---------|----------|
-| **Integration Routes** | Webhook endpoints per service | `enterprise/server/routes/integration/` |
-| **Integration Managers** | Business logic per service | `enterprise/integrations/{service}/` |
-| **Token Manager** | Store/retrieve OAuth tokens | `enterprise/server/auth/token_manager.py` |
-| **Callback Processor** | Handle agent → service updates | `enterprise/integrations/{service}/*_callback_processor.py` |
-
-### Integration Authentication
-
-```
-External Service (e.g., GitHub)
-        │
-        ▼
-┌─────────────────────────────────┐
-│ GitHub App Installation         │
-│ - Webhook secret for signature  │
-│ - App private key for API calls │
-└─────────────────────────────────┘
-        │
-        ▼
-┌─────────────────────────────────┐
-│ User Account Linking            │
-│ - Keycloak user ID              │
-│ - GitHub user ID                │
-│ - Stored OAuth tokens           │
-└─────────────────────────────────┘
-        │
-        ▼
-┌─────────────────────────────────┐
-│ Agent Execution                 │
-│ - Uses linked tokens for API    │
-│ - Can push, create PRs, comment │
-└─────────────────────────────────┘
-```

enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md

@@ -200,7 +200,7 @@ class MetricsCollector(ABC):
     """Base class for metrics collectors."""
 
     @abstractmethod
-    async def collect(self) -> List[MetricResult]:
+    def collect(self) -> List[MetricResult]:
         """Collect metrics and return results."""
         pass
 
@@ -264,13 +264,12 @@ class SystemMetricsCollector(MetricsCollector):
     def collector_name(self) -> str:
         return "system_metrics"
 
-    async def collect(self) -> List[MetricResult]:
+    def collect(self) -> List[MetricResult]:
         results = []
 
         # Collect user count
-        async with a_session_maker() as session:
-            user_count_result = await session.execute(select(func.count()).select_from(UserSettings))
-            user_count = user_count_result.scalar()
+        with session_maker() as session:
+            user_count = session.query(UserSettings).count()
             results.append(MetricResult(
                 key="total_users",
                 value=user_count
@@ -278,11 +277,9 @@ class SystemMetricsCollector(MetricsCollector):
 
             # Collect conversation count (last 30 days)
             thirty_days_ago = datetime.now(timezone.utc) - timedelta(days=30)
-            conversation_count_result = await session.execute(
-                select(func.count()).select_from(StoredConversationMetadata)
-                .where(StoredConversationMetadata.created_at >= thirty_days_ago)
-            )
-            conversation_count = conversation_count_result.scalar()
+            conversation_count = session.query(StoredConversationMetadata)\
+                .filter(StoredConversationMetadata.created_at >= thirty_days_ago)\
+                .count()
 
             results.append(MetricResult(
                 key="conversations_30d",
@@ -306,7 +303,7 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor):
         """Collect metrics from all registered collectors."""
 
         # Check if collection is needed
-        if not await self._should_collect():
+        if not self._should_collect():
             return {"status": "skipped", "reason": "too_recent"}
 
         # Collect metrics from all registered collectors
@@ -316,7 +313,7 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor):
         for collector in collector_registry.get_all_collectors():
             try:
                 if collector.should_collect():
-                    results = await collector.collect()
+                    results = collector.collect()
                     for result in results:
                         all_metrics[result.key] = result.value
                     collector_results[collector.collector_name] = len(results)
@@ -325,13 +322,13 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor):
                 collector_results[collector.collector_name] = f"error: {e}"
 
         # Store metrics in database
-        async with a_session_maker() as session:
+        with session_maker() as session:
             telemetry_record = TelemetryMetrics(
                 metrics_data=all_metrics,
                 collected_at=datetime.now(timezone.utc)
             )
             session.add(telemetry_record)
-            await session.commit()
+            session.commit()
 
             # Note: No need to track last_collection_at separately
             # Can be derived from MAX(collected_at) in telemetry_metrics
@@ -342,12 +339,11 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor):
             "collectors_run": collector_results
         }
 
-    async def _should_collect(self) -> bool:
+    def _should_collect(self) -> bool:
         """Check if collection is needed based on interval."""
-        async with a_session_maker() as session:
+        with session_maker() as session:
             # Get last collection time from metrics table
-            result = await session.execute(select(func.max(TelemetryMetrics.collected_at)))
-            last_collected = result.scalar()
+            last_collected = session.query(func.max(TelemetryMetrics.collected_at)).scalar()
             if not last_collected:
                 return True
 
@@ -370,19 +366,17 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
         """Upload pending metrics to Replicated."""
 
         # Get pending metrics
-        async with a_session_maker() as session:
-            result = await session.execute(
-                select(TelemetryMetrics)
-                .where(TelemetryMetrics.uploaded_at.is_(None))
-                .order_by(TelemetryMetrics.collected_at)
-            )
-            pending_metrics = result.scalars().all()
+        with session_maker() as session:
+            pending_metrics = session.query(TelemetryMetrics)\
+                .filter(TelemetryMetrics.uploaded_at.is_(None))\
+                .order_by(TelemetryMetrics.collected_at)\
+                .all()
 
         if not pending_metrics:
             return {"status": "no_pending_metrics"}
 
         # Get admin email - skip if not available
-        admin_email = await self._get_admin_email()
+        admin_email = self._get_admin_email()
         if not admin_email:
             logger.info("Skipping telemetry upload - no admin email available")
             return {
@@ -419,15 +413,13 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
                     await instance.set_status(InstanceStatus.RUNNING)
 
                     # Mark as uploaded
-                    async with a_session_maker() as session:
-                        result = await session.execute(
-                            select(TelemetryMetrics)
-                            .where(TelemetryMetrics.id == metric_record.id)
-                        )
-                        record = result.scalar_one_or_none()
+                    with session_maker() as session:
+                        record = session.query(TelemetryMetrics)\
+                            .filter(TelemetryMetrics.id == metric_record.id)\
+                            .first()
                         if record:
                             record.uploaded_at = datetime.now(timezone.utc)
-                            await session.commit()
+                            session.commit()
 
                     uploaded_count += 1
 
@@ -435,16 +427,14 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
                     logger.error(f"Failed to upload metrics {metric_record.id}: {e}")
 
                     # Update error info
-                    async with a_session_maker() as session:
-                        result = await session.execute(
-                            select(TelemetryMetrics)
-                            .where(TelemetryMetrics.id == metric_record.id)
-                        )
-                        record = result.scalar_one_or_none()
+                    with session_maker() as session:
+                        record = session.query(TelemetryMetrics)\
+                            .filter(TelemetryMetrics.id == metric_record.id)\
+                            .first()
                         if record:
                             record.upload_attempts += 1
                             record.last_upload_error = str(e)
-                            await session.commit()
+                            session.commit()
 
                     failed_count += 1
 
@@ -458,7 +448,7 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
             "total_processed": len(pending_metrics)
         }
 
-    async def _get_admin_email(self) -> str | None:
+    def _get_admin_email(self) -> str | None:
         """Get administrator email for customer identification."""
         # 1. Check environment variable first
         env_admin_email = os.getenv('OPENHANDS_ADMIN_EMAIL')
@@ -467,15 +457,12 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
             return env_admin_email
 
         # 2. Use first active user's email (earliest accepted_tos)
-        async with a_session_maker() as session:
-            result = await session.execute(
-                select(UserSettings)
-                .where(UserSettings.email.isnot(None))
-                .where(UserSettings.accepted_tos.isnot(None))
-                .order_by(UserSettings.accepted_tos.asc())
-                .limit(1)
-            )
-            first_user = result.scalar_one_or_none()
+        with session_maker() as session:
+            first_user = session.query(UserSettings)\
+                .filter(UserSettings.email.isnot(None))\
+                .filter(UserSettings.accepted_tos.isnot(None))\
+                .order_by(UserSettings.accepted_tos.asc())\
+                .first()
 
             if first_user and first_user.email:
                 logger.info(f"Using first active user email: {first_user.email}")
@@ -487,16 +474,15 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor):
 
     async def _update_telemetry_identity(self, customer_id: str, instance_id: str) -> None:
         """Update or create telemetry identity record."""
-        async with a_session_maker() as session:
-            result = await session.execute(select(TelemetryIdentity).limit(1))
-            identity = result.scalar_one_or_none()
+        with session_maker() as session:
+            identity = session.query(TelemetryIdentity).first()
             if not identity:
                 identity = TelemetryIdentity()
                 session.add(identity)
 
             identity.customer_id = customer_id
             identity.instance_id = instance_id
-            await session.commit()
+            session.commit()
 ```
 
 ### 4.4 License Warning System
@@ -517,13 +503,11 @@ async def get_license_status():
     if not _is_openhands_enterprise():
         return {"warn": False, "message": ""}
 
-    async with a_session_maker() as session:
+    with session_maker() as session:
         # Get last successful upload time from metrics table
-        result = await session.execute(
-            select(func.max(TelemetryMetrics.uploaded_at))
-            .where(TelemetryMetrics.uploaded_at.isnot(None))
-        )
-        last_upload = result.scalar()
+        last_upload = session.query(func.max(TelemetryMetrics.uploaded_at))\
+            .filter(TelemetryMetrics.uploaded_at.isnot(None))\
+            .scalar()
 
         if not last_upload:
             # No successful uploads yet - show warning after 4 days
@@ -537,13 +521,10 @@ async def get_license_status():
 
         if days_since_upload > 4:
             # Find oldest unsent batch
-            result = await session.execute(
-                select(TelemetryMetrics)
-                .where(TelemetryMetrics.uploaded_at.is_(None))
-                .order_by(TelemetryMetrics.collected_at)
-                .limit(1)
-            )
-            oldest_unsent = result.scalar_one_or_none()
+            oldest_unsent = session.query(TelemetryMetrics)\
+                .filter(TelemetryMetrics.uploaded_at.is_(None))\
+                .order_by(TelemetryMetrics.collected_at)\
+                .first()
 
             if oldest_unsent:
                 # Calculate expiration date (oldest unsent + 34 days)
@@ -649,23 +630,19 @@ spec:
             - python
             - -c
             - |
-              import asyncio
               from enterprise.storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus
-              from enterprise.storage.database import a_session_maker
+              from enterprise.storage.database import session_maker
               from enterprise.server.telemetry.collection_processor import TelemetryCollectionProcessor
 
-              async def main():
-                  # Create collection task
-                  processor = TelemetryCollectionProcessor()
-                  task = MaintenanceTask()
-                  task.set_processor(processor)
-                  task.status = MaintenanceTaskStatus.PENDING
+              # Create collection task
+              processor = TelemetryCollectionProcessor()
+              task = MaintenanceTask()
+              task.set_processor(processor)
+              task.status = MaintenanceTaskStatus.PENDING
 
-                  async with a_session_maker() as session:
-                      session.add(task)
-                      await session.commit()
-
-              asyncio.run(main())
+              with session_maker() as session:
+                  session.add(task)
+                  session.commit()
           restartPolicy: OnFailure
 ```
 
@@ -703,27 +680,23 @@ spec:
             - python
             - -c
             - |
-              import asyncio
               from enterprise.storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus
-              from enterprise.storage.database import a_session_maker
+              from enterprise.storage.database import session_maker
               from enterprise.server.telemetry.upload_processor import TelemetryUploadProcessor
               import os
 
-              async def main():
-                  # Create upload task
-                  processor = TelemetryUploadProcessor(
-                      replicated_publishable_key=os.getenv('REPLICATED_PUBLISHABLE_KEY'),
-                      replicated_app_slug=os.getenv('REPLICATED_APP_SLUG', 'openhands-enterprise')
-                  )
-                  task = MaintenanceTask()
-                  task.set_processor(processor)
-                  task.status = MaintenanceTaskStatus.PENDING
+              # Create upload task
+              processor = TelemetryUploadProcessor(
+                  replicated_publishable_key=os.getenv('REPLICATED_PUBLISHABLE_KEY'),
+                  replicated_app_slug=os.getenv('REPLICATED_APP_SLUG', 'openhands-enterprise')
+              )
+              task = MaintenanceTask()
+              task.set_processor(processor)
+              task.status = MaintenanceTaskStatus.PENDING
 
-                  async with a_session_maker() as session:
-                      session.add(task)
-                      await session.commit()
-
-              asyncio.run(main())
+              with session_maker() as session:
+                  session.add(task)
+                  session.commit()
           restartPolicy: OnFailure
 ```
 

enterprise/doc/design-doc/plugin-launch-flow.md

@@ -1,131 +0,0 @@
-# Plugin Launch Flow
-
-This document describes how plugins are launched in OpenHands Saas / Enterprise, from the plugin directory through to agent execution.
-
-## Architecture Overview
-
-```
-Plugin Directory ──▶ Frontend /launch ──▶ App Server ──▶ Agent Server ──▶ SDK
-    (external)           (modal)           (API)        (in sandbox)    (plugin loading)
-```
-
-| Component | Responsibility |
-|-----------|---------------|
-| **Plugin Directory** | Index plugins, present to user, construct launch URLs |
-| **Frontend** | Display confirmation modal, collect parameters, call API |
-| **App Server** | Validate request, pass plugin specs to agent server |
-| **Agent Server** | Run inside sandbox, delegate plugin loading to SDK |
-| **SDK** | Fetch plugins, load contents, merge skills/hooks/MCP into agent |
-
-## User Experience
-
-### Plugin Directory
-
-The plugin directory presents users with a catalog of available plugins. For each plugin, users see:
-- Plugin name and description (from `plugin.json`)
-- Author and version information
-- A "Launch" button
-
-When a user clicks "Launch", the plugin directory:
-1. Reads the plugin's `entry_command` to know which slash command to invoke
-2. Determines what parameters the plugin accepts (if any)
-3. Redirects to OpenHands with this information encoded in the URL
-
-### Parameter Collection
-
-If a plugin requires user input (API keys, configuration values, etc.), the frontend displays a form modal before starting the conversation. Parameters are passed in the launch URL and rendered as form fields based on their type:
-
-- **String values** → Text input
-- **Number values** → Number input
-- **Boolean values** → Checkbox
-
-Only primitive types are supported. Complex types (arrays, objects) are not currently supported for parameter input.
-
-The user fills in required values, then clicks "Start Conversation" to proceed.
-
-## Launch Flow
-
-1. **Plugin Directory** (external) constructs a launch URL to the OpenHands app server when user clicks "Launch":
-   ```
-   /launch?plugins=BASE64_JSON&message=/city-weather:now%20Tokyo
-   ```
-
-   The `plugins` parameter includes any parameter definitions with default values:
-   ```json
-   [{
-     "source": "github:owner/repo",
-     "repo_path": "plugins/my-plugin",
-     "parameters": {"api_key": "", "timeout": 30, "debug": false}
-   }]
-   ```
-
-2. **OpenHands Frontend** (`/launch` route, [PR #12699](https://github.com/OpenHands/OpenHands/pull/12699)) displays modal with parameter form, collects user input
-
-3. **OpenHands App Server** ([PR #12338](https://github.com/OpenHands/OpenHands/pull/12338)) receives the API call:
-   ```
-   POST /api/v1/app-conversations
-   {
-     "plugins": [{"source": "github:owner/repo", "repo_path": "plugins/city-weather"}],
-     "initial_message": {"content": [{"type": "text", "text": "/city-weather:now Tokyo"}]}
-   }
-   ```
-
-   Call stack:
-   - `AppConversationRouter` receives request with `PluginSpec` list
-   - `LiveStatusAppConversationService._finalize_conversation_request()` converts `PluginSpec` → `PluginSource`
-   - Creates `StartConversationRequest(plugins=sdk_plugins, ...)` and sends to agent server
-
-4. **Agent Server** (inside sandbox, [SDK PR #1651](https://github.com/OpenHands/software-agent-sdk/pull/1651)) stores specs, defers loading:
-
-   Call stack:
-   - `ConversationService.start_conversation()` receives `StartConversationRequest`
-   - Creates `StoredConversation` with plugin specs
-   - Creates `LocalConversation(plugins=request.plugins, ...)`
-   - Plugin loading deferred until first `run()` or `send_message()`
-
-5. **SDK** fetches and loads plugins on first use:
-
-   Call stack:
-   - `LocalConversation._ensure_plugins_loaded()` triggered by first message
-   - For each plugin spec:
-     - `Plugin.fetch(source, ref, repo_path)` → clones/caches git repo
-     - `Plugin.load(path)` → parses `plugin.json`, loads commands/skills/hooks
-     - `plugin.add_skills_to(context)` → merges skills into agent
-     - `plugin.add_mcp_config_to(config)` → merges MCP servers
-
-6. **Agent** receives message, `/city-weather:now` triggers the skill
-
-## Key Design Decisions
-
-### Plugin Loading in Sandbox
-
-Plugins load **inside the sandbox** because:
-- Plugin hooks and scripts need isolated execution
-- MCP servers run inside the sandbox
-- Skills may reference sandbox filesystem
-
-### Entry Command Handling
-
-The `entry_command` field in `plugin.json` allows plugin authors to declare a default command:
-
-```json
-{
-  "name": "city-weather",
-  "entry_command": "now"
-}
-```
-
-This flows through the system:
-1. Plugin author declares `entry_command` in plugin.json
-2. Plugin directory reads it when indexing
-3. Plugin directory includes `/city-weather:now` in the launch URL's `message` parameter
-4. Message passes through to agent as `initial_message`
-
-The SDK exposes this field but does not auto-invoke it—callers control the initial message.
-
-## Related
-
-- [OpenHands PR #12338](https://github.com/OpenHands/OpenHands/pull/12338) - App server plugin support
-- [OpenHands PR #12699](https://github.com/OpenHands/OpenHands/pull/12699) - Frontend `/launch` route
-- [SDK PR #1651](https://github.com/OpenHands/software-agent-sdk/pull/1651) - Agent server plugin loading
-- [SDK PR #1647](https://github.com/OpenHands/software-agent-sdk/pull/1647) - Plugin.fetch() for remote plugin fetching

enterprise/enterprise_local/README.md

@@ -2,7 +2,7 @@
 
 You have a few options here, which are expanded on below:
 
-- A simple local development setup, with live reloading for both OpenHands and this repo
+- A simple local development setup, with live reloading for both OSS and this repo
 - A more complex setup that includes Redis
 - An even more complex setup that includes GitHub events
 
@@ -26,7 +26,7 @@ Before starting, make sure you have the following tools installed:
 
 ## Option 1: Simple local development
 
-This option will allow you to modify both the OpenHands code and the code in this repo,
+This option will allow you to modify the both the OSS code and the code in this repo,
 and see the changes in real-time.
 
 This option works best for most scenarios. The only thing it's missing is
@@ -50,7 +50,7 @@ First run this to retrieve Github App secrets
 ```
 gcloud auth application-default login
 gcloud config set project global-432717
-enterprise_local/decrypt_env.sh /path/to/root/of/deploy/repo
+local/decrypt_env.sh
 ```
 
 Now run this to generate a `.env` file, which will used to run SAAS locally
@@ -61,6 +61,13 @@ export LITE_LLM_API_KEY=<your LLM API key>
 python enterprise_local/convert_to_env.py
 ```
 
+You'll also need to set up the runtime image, so that the dev server doesn't try to rebuild it.
+
+```
+export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:main-nikolaik
+docker pull $SANDBOX_RUNTIME_CONTAINER_IMAGE
+```
+
 By default the application will log in json, you can override.
 
 ```
@@ -98,9 +105,9 @@ export REDIS_PORT=6379
 
 (see above)
 
-### 2. Build OpenHands
+### 2. Build OSS Openhands
 
-Develop on [Openhands](https://github.com/OpenHands/OpenHands) locally. When ready, run the following inside Openhands repo (not the Deploy repo)
+Develop on [Openhands](https://github.com/All-Hands-AI/OpenHands) locally. When ready, run the following inside Openhands repo (not the Deploy repo)
 
 ```
 docker build -f containers/app/Dockerfile -t openhands .
@@ -148,7 +155,7 @@ Visit the tunnel domain found in Step 4 to run the app (`https://bc71-2603-7000-
 
 ### Local Debugging with VSCode
 
-Local Development necessitates running a version of OpenHands that is as similar as possible to the version running in the SAAS Environment. Before running these steps, it is assumed you have a local development version of OpenHands running.
+Local Development necessitates running a version of OpenHands that is as similar as possible to the version running in the SAAS Environment. Before running these steps, it is assumed you have a local development version of the OSS OpenHands project running.
 
 #### Redis
 
@@ -194,8 +201,9 @@ And then invoking `printenv`. NOTE: _DO NOT DO THIS WITH PROD!!!_ (Hopefully by
                 "DEBUG": "1",
                 "FILE_STORE": "local",
                 "REDIS_HOST": "localhost:6379",
-                "OPENHANDS": "<YOUR LOCAL OPENHANDS DIR>",
-                "FRONTEND_DIRECTORY": "<YOUR LOCAL OPENHANDS DIR>/frontend/build",
+                "OPENHANDS": "<YOUR LOCAL OSS OPENHANDS DIR>",
+                "FRONTEND_DIRECTORY": "<YOUR LOCAL OSS OPENHANDS DIR>/frontend/build",
+                "SANDBOX_RUNTIME_CONTAINER_IMAGE": "ghcr.io/openhands/runtime:main-nikolaik",
                 "FILE_STORE_PATH": "<YOUR HOME DIRECTORY>>/.openhands-state",
                 "OPENHANDS_CONFIG_CLS": "server.config.SaaSServerConfig",
                 "GITHUB_APP_ID": "1062351",
@@ -227,8 +235,9 @@ And then invoking `printenv`. NOTE: _DO NOT DO THIS WITH PROD!!!_ (Hopefully by
                 "DEBUG": "1",
                 "FILE_STORE": "local",
                 "REDIS_HOST": "localhost:6379",
-                "OPENHANDS": "<YOUR LOCAL OPENHANDS DIR>",
-                "FRONTEND_DIRECTORY": "<YOUR LOCAL OPENHANDS DIR>/frontend/build",
+                "OPENHANDS": "<YOUR LOCAL OSS OPENHANDS DIR>",
+                "FRONTEND_DIRECTORY": "<YOUR LOCAL OSS OPENHANDS DIR>/frontend/build",
+                "SANDBOX_RUNTIME_CONTAINER_IMAGE": "ghcr.io/openhands/runtime:main-nikolaik",
                 "FILE_STORE_PATH": "<YOUR HOME DIRECTORY>>/.openhands-state",
                 "OPENHANDS_CONFIG_CLS": "server.config.SaaSServerConfig",
                 "GITHUB_APP_ID": "1062351",

enterprise/enterprise_local/convert_to_env.py

@@ -110,13 +110,13 @@ lines.append(
     'OPENHANDS_BITBUCKET_SERVICE_CLS=integrations.bitbucket.bitbucket_service.SaaSBitBucketService'
 )
 lines.append(
-    'OPENHANDS_BITBUCKET_DATA_CENTER_SERVICE_CLS=integrations.bitbucket_data_center.bitbucket_dc_service.SaaSBitbucketDCService'
+    'OPENHANDS_CONVERSATION_VALIDATOR_CLS=storage.saas_conversation_validator.SaasConversationValidator'
 )
 lines.append('POSTHOG_CLIENT_KEY=test')
 lines.append('ENABLE_PROACTIVE_CONVERSATION_STARTERS=true')
 lines.append('MAX_CONCURRENT_CONVERSATIONS=10')
 lines.append('LITE_LLM_API_URL=https://llm-proxy.eval.all-hands.dev')
-lines.append('LITELLM_DEFAULT_MODEL=litellm_proxy/claude-opus-4-5-20251101')
+lines.append('LITELLM_DEFAULT_MODEL=litellm_proxy/claude-sonnet-4-20250514')
 lines.append(f'LITE_LLM_API_KEY={lite_llm_api_key}')
 lines.append('LOCAL_DEPLOYMENT=true')
 lines.append('DB_HOST=localhost')

enterprise/enterprise_local/decrypt_env.sh

@@ -4,12 +4,12 @@ set -euo pipefail
 # Check if DEPLOY_DIR argument was provided
 if [ $# -lt 1 ]; then
   echo "Usage: $0 <DEPLOY_DIR>"
-  echo "Example: $0 /path/to/root/of/deploy/repo"
+  echo "Example: $0 /path/to/deploy"
   exit 1
 fi
 
 # Normalize path (remove trailing slash)
-DEPLOY_DIR="${1%/}"
+DEPLOY_DIR="${DEPLOY_DIR%/}"
 
 # Function to decrypt and rename
 decrypt_and_move() {

enterprise/experiments/constants.py

@@ -0,0 +1,47 @@
+import os
+
+import posthog
+
+from openhands.core.logger import openhands_logger as logger
+
+# Initialize PostHog
+posthog.api_key = os.environ.get('POSTHOG_CLIENT_KEY', 'phc_placeholder')
+posthog.host = os.environ.get('POSTHOG_HOST', 'https://us.i.posthog.com')
+
+# Log PostHog configuration with masked API key for security
+api_key = posthog.api_key
+if api_key and len(api_key) > 8:
+    masked_key = f'{api_key[:4]}...{api_key[-4:]}'
+else:
+    masked_key = 'not_set_or_too_short'
+logger.info('posthog_configuration', extra={'posthog_api_key_masked': masked_key})
+
+# Global toggle for the experiment manager
+ENABLE_EXPERIMENT_MANAGER = (
+    os.environ.get('ENABLE_EXPERIMENT_MANAGER', 'false').lower() == 'true'
+)
+
+# Get the current experiment type from environment variable
+# If None, no experiment is running
+EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT = os.environ.get(
+    'EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT', ''
+)
+# System prompt experiment toggle
+EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT = os.environ.get(
+    'EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT', ''
+)
+
+EXPERIMENT_CLAUDE4_VS_GPT5 = os.environ.get('EXPERIMENT_CLAUDE4_VS_GPT5', '')
+
+EXPERIMENT_CONDENSER_MAX_STEP = os.environ.get('EXPERIMENT_CONDENSER_MAX_STEP', '')
+
+logger.info(
+    'experiment_manager:run_conversation_variant_test:experiment_config',
+    extra={
+        'enable_experiment_manager': ENABLE_EXPERIMENT_MANAGER,
+        'experiment_litellm_default_model_experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT,
+        'experiment_system_prompt_experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
+        'experiment_claude4_vs_gpt5_experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
+        'experiment_condenser_max_step': EXPERIMENT_CONDENSER_MAX_STEP,
+    },
+)

enterprise/experiments/experiment_manager.py

@@ -0,0 +1,118 @@
+from uuid import UUID
+
+from experiments.constants import (
+    ENABLE_EXPERIMENT_MANAGER,
+    EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
+)
+from experiments.experiment_versions import (
+    handle_condenser_max_step_experiment,
+    handle_system_prompt_experiment,
+)
+from experiments.experiment_versions._004_condenser_max_step_experiment import (
+    handle_condenser_max_step_experiment__v1,
+)
+
+from openhands.core.config.openhands_config import OpenHandsConfig
+from openhands.core.logger import openhands_logger as logger
+from openhands.experiments.experiment_manager import ExperimentManager
+from openhands.sdk import Agent
+from openhands.server.session.conversation_init_data import ConversationInitData
+
+
+class SaaSExperimentManager(ExperimentManager):
+    @staticmethod
+    def run_agent_variant_tests__v1(
+        user_id: str | None, conversation_id: UUID, agent: Agent
+    ) -> Agent:
+        if not ENABLE_EXPERIMENT_MANAGER:
+            logger.info(
+                'experiment_manager:run_conversation_variant_test:skipped',
+                extra={'reason': 'experiment_manager_disabled'},
+            )
+            return agent
+
+        agent = handle_condenser_max_step_experiment__v1(
+            user_id, conversation_id, agent
+        )
+
+        if EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT:
+            agent = agent.model_copy(
+                update={'system_prompt_filename': 'system_prompt_long_horizon.j2'}
+            )
+
+        return agent
+
+    @staticmethod
+    def run_conversation_variant_test(
+        user_id, conversation_id, conversation_settings
+    ) -> ConversationInitData:
+        """
+        Run conversation variant test and potentially modify the conversation settings
+        based on the PostHog feature flags.
+
+        Args:
+            user_id: The user ID
+            conversation_id: The conversation ID
+            conversation_settings: The conversation settings that may include convo_id and llm_model
+
+        Returns:
+            The modified conversation settings
+        """
+        logger.debug(
+            'experiment_manager:run_conversation_variant_test:started',
+            extra={'user_id': user_id},
+        )
+
+        # Skip all experiment processing if the experiment manager is disabled
+        if not ENABLE_EXPERIMENT_MANAGER:
+            logger.info(
+                'experiment_manager:run_conversation_variant_test:skipped',
+                extra={'reason': 'experiment_manager_disabled'},
+            )
+            return conversation_settings
+
+        # Apply conversation-scoped experiments
+        conversation_settings = handle_condenser_max_step_experiment(
+            user_id, conversation_id, conversation_settings
+        )
+
+        return conversation_settings
+
+    @staticmethod
+    def run_config_variant_test(
+        user_id: str | None, conversation_id: str, config: OpenHandsConfig
+    ) -> OpenHandsConfig:
+        """
+        Run agent config variant test and potentially modify the OpenHands config
+        based on the current experiment type and PostHog feature flags.
+
+        Args:
+            user_id: The user ID
+            conversation_id: The conversation ID
+            config: The OpenHands configuration
+
+        Returns:
+            The modified OpenHands configuration
+        """
+        logger.info(
+            'experiment_manager:run_config_variant_test:started',
+            extra={'user_id': user_id},
+        )
+
+        # Skip all experiment processing if the experiment manager is disabled
+        if not ENABLE_EXPERIMENT_MANAGER:
+            logger.info(
+                'experiment_manager:run_config_variant_test:skipped',
+                extra={'reason': 'experiment_manager_disabled'},
+            )
+            return config
+
+        # Pass the entire OpenHands config to the system prompt experiment
+        # Let the experiment handler directly modify the config as needed
+        modified_config = handle_system_prompt_experiment(
+            user_id, conversation_id, config
+        )
+
+        # Condenser max step experiment is applied via conversation variant test,
+        # not config variant test. Return modified config from system prompt only.
+        return modified_config

enterprise/experiments/experiment_versions/_001_litellm_default_model_experiment.py

@@ -0,0 +1,107 @@
+"""
+LiteLLM model experiment handler.
+
+This module contains the handler for the LiteLLM model experiment.
+"""
+
+import posthog
+from experiments.constants import EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT
+from server.constants import (
+    IS_FEATURE_ENV,
+    build_litellm_proxy_model_path,
+    get_default_litellm_model,
+)
+
+from openhands.core.logger import openhands_logger as logger
+
+
+def handle_litellm_default_model_experiment(
+    user_id, conversation_id, conversation_settings
+):
+    """
+    Handle the LiteLLM model experiment.
+
+    Args:
+        user_id: The user ID
+        conversation_id: The conversation ID
+        conversation_settings: The conversation settings
+
+    Returns:
+        Modified conversation settings
+    """
+    # No-op if the specific experiment is not enabled
+    if not EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT:
+        logger.info(
+            'experiment_manager:ab_testing:skipped',
+            extra={
+                'convo_id': conversation_id,
+                'reason': 'experiment_not_enabled',
+                'experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT,
+            },
+        )
+        return conversation_settings
+
+    # Use experiment name as the flag key
+    try:
+        enabled_variant = posthog.get_feature_flag(
+            EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT, conversation_id
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:get_feature_flag:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT,
+                'error': str(e),
+            },
+        )
+        return conversation_settings
+
+    # Log the experiment event
+    # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog
+    posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id
+
+    try:
+        posthog.capture(
+            distinct_id=posthog_user_id,
+            event='model_set',
+            properties={
+                'conversation_id': conversation_id,
+                'variant': enabled_variant,
+                'original_user_id': user_id,
+                'is_feature_env': IS_FEATURE_ENV,
+            },
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:posthog_capture:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT,
+                'error': str(e),
+            },
+        )
+        # Continue execution as this is not critical
+
+    logger.info(
+        'posthog_capture',
+        extra={
+            'event': 'model_set',
+            'posthog_user_id': posthog_user_id,
+            'is_feature_env': IS_FEATURE_ENV,
+            'conversation_id': conversation_id,
+            'variant': enabled_variant,
+        },
+    )
+
+    # Set the model based on the feature flag variant
+    if enabled_variant == 'claude37':
+        # Use the shared utility to construct the LiteLLM proxy model path
+        model = build_litellm_proxy_model_path('claude-3-7-sonnet-20250219')
+        # Update the conversation settings with the selected model
+        conversation_settings.llm_model = model
+    else:
+        # Update the conversation settings with the default model for the current version
+        conversation_settings.llm_model = get_default_litellm_model()
+
+    return conversation_settings

enterprise/experiments/experiment_versions/_002_system_prompt_experiment.py

@@ -0,0 +1,181 @@
+"""
+System prompt experiment handler.
+
+This module contains the handler for the system prompt experiment that uses
+the PostHog variant as the system prompt filename.
+"""
+
+import copy
+
+import posthog
+from experiments.constants import EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT
+from server.constants import IS_FEATURE_ENV
+from storage.experiment_assignment_store import ExperimentAssignmentStore
+
+from openhands.core.config.openhands_config import OpenHandsConfig
+from openhands.core.logger import openhands_logger as logger
+
+
+def _get_system_prompt_variant(user_id, conversation_id):
+    """
+    Get the system prompt variant for the experiment.
+
+    Args:
+        user_id: The user ID
+        conversation_id: The conversation ID
+
+    Returns:
+        str or None: The PostHog variant name or None if experiment is not enabled or error occurs
+    """
+    # No-op if the specific experiment is not enabled
+    if not EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT:
+        logger.info(
+            'experiment_manager_002:ab_testing:skipped',
+            extra={
+                'convo_id': conversation_id,
+                'reason': 'experiment_not_enabled',
+                'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
+            },
+        )
+        return None
+
+    # Use experiment name as the flag key
+    try:
+        enabled_variant = posthog.get_feature_flag(
+            EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT, conversation_id
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:get_feature_flag:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
+                'error': str(e),
+            },
+        )
+        return None
+
+    # Store the experiment assignment in the database
+    try:
+        experiment_store = ExperimentAssignmentStore()
+        experiment_store.update_experiment_variant(
+            conversation_id=conversation_id,
+            experiment_name='system_prompt_experiment',
+            variant=enabled_variant,
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:store_assignment:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
+                'variant': enabled_variant,
+                'error': str(e),
+            },
+        )
+        # Fail the experiment if we cannot track the splits - results would not be explainable
+        return None
+
+    # Log the experiment event
+    # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog
+    posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id
+
+    try:
+        posthog.capture(
+            distinct_id=posthog_user_id,
+            event='system_prompt_set',
+            properties={
+                'conversation_id': conversation_id,
+                'variant': enabled_variant,
+                'original_user_id': user_id,
+                'is_feature_env': IS_FEATURE_ENV,
+            },
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:posthog_capture:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT,
+                'error': str(e),
+            },
+        )
+        # Continue execution as this is not critical
+
+    logger.info(
+        'posthog_capture',
+        extra={
+            'event': 'system_prompt_set',
+            'posthog_user_id': posthog_user_id,
+            'is_feature_env': IS_FEATURE_ENV,
+            'conversation_id': conversation_id,
+            'variant': enabled_variant,
+        },
+    )
+
+    return enabled_variant
+
+
+def handle_system_prompt_experiment(
+    user_id, conversation_id, config: OpenHandsConfig
+) -> OpenHandsConfig:
+    """
+    Handle the system prompt experiment for OpenHands config.
+
+    Args:
+        user_id: The user ID
+        conversation_id: The conversation ID
+        config: The OpenHands configuration
+
+    Returns:
+        Modified OpenHands configuration
+    """
+    enabled_variant = _get_system_prompt_variant(user_id, conversation_id)
+
+    # If variant is None, experiment is not enabled or there was an error
+    if enabled_variant is None:
+        return config
+
+    # Deep copy the config to avoid modifying the original
+    modified_config = copy.deepcopy(config)
+
+    # Set the system prompt filename based on the variant
+    if enabled_variant == 'control':
+        # Use the long-horizon system prompt for the control variant
+        agent_config = modified_config.get_agent_config(modified_config.default_agent)
+        agent_config.system_prompt_filename = 'system_prompt_long_horizon.j2'
+        agent_config.enable_plan_mode = True
+    elif enabled_variant == 'interactive':
+        modified_config.get_agent_config(
+            modified_config.default_agent
+        ).system_prompt_filename = 'system_prompt_interactive.j2'
+    elif enabled_variant == 'no_tools':
+        modified_config.get_agent_config(
+            modified_config.default_agent
+        ).system_prompt_filename = 'system_prompt.j2'
+    else:
+        logger.error(
+            'system_prompt_experiment:unknown_variant',
+            extra={
+                'user_id': user_id,
+                'convo_id': conversation_id,
+                'variant': enabled_variant,
+                'reason': 'no explicit mapping; returning original config',
+            },
+        )
+        return config
+
+    # Log which prompt is being used
+    logger.info(
+        'system_prompt_experiment:prompt_selected',
+        extra={
+            'user_id': user_id,
+            'convo_id': conversation_id,
+            'system_prompt_filename': modified_config.get_agent_config(
+                modified_config.default_agent
+            ).system_prompt_filename,
+            'variant': enabled_variant,
+        },
+    )
+
+    return modified_config

enterprise/experiments/experiment_versions/_003_llm_claude4_vs_gpt5_experiment.py

@@ -0,0 +1,137 @@
+"""
+LiteLLM model experiment handler.
+
+This module contains the handler for the LiteLLM model experiment.
+"""
+
+import posthog
+from experiments.constants import EXPERIMENT_CLAUDE4_VS_GPT5
+from server.constants import (
+    IS_FEATURE_ENV,
+    build_litellm_proxy_model_path,
+    get_default_litellm_model,
+)
+from storage.experiment_assignment_store import ExperimentAssignmentStore
+
+from openhands.core.logger import openhands_logger as logger
+from openhands.server.session.conversation_init_data import ConversationInitData
+
+
+def _get_model_variant(user_id: str | None, conversation_id: str) -> str | None:
+    if not EXPERIMENT_CLAUDE4_VS_GPT5:
+        logger.info(
+            'experiment_manager:ab_testing:skipped',
+            extra={
+                'convo_id': conversation_id,
+                'reason': 'experiment_not_enabled',
+                'experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
+            },
+        )
+        return None
+
+    try:
+        enabled_variant = posthog.get_feature_flag(
+            EXPERIMENT_CLAUDE4_VS_GPT5, conversation_id
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:get_feature_flag:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
+                'error': str(e),
+            },
+        )
+        return None
+
+    # Store the experiment assignment in the database
+    try:
+        experiment_store = ExperimentAssignmentStore()
+        experiment_store.update_experiment_variant(
+            conversation_id=conversation_id,
+            experiment_name='claude4_vs_gpt5_experiment',
+            variant=enabled_variant,
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:store_assignment:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
+                'variant': enabled_variant,
+                'error': str(e),
+            },
+        )
+        # Fail the experiment if we cannot track the splits - results would not be explainable
+        return None
+
+    # Log the experiment event
+    # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog
+    posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id
+
+    try:
+        posthog.capture(
+            distinct_id=posthog_user_id,
+            event='claude4_or_gpt5_set',
+            properties={
+                'conversation_id': conversation_id,
+                'variant': enabled_variant,
+                'original_user_id': user_id,
+                'is_feature_env': IS_FEATURE_ENV,
+            },
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:posthog_capture:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_CLAUDE4_VS_GPT5,
+                'error': str(e),
+            },
+        )
+        # Continue execution as this is not critical
+
+    logger.info(
+        'posthog_capture',
+        extra={
+            'event': 'claude4_or_gpt5_set',
+            'posthog_user_id': posthog_user_id,
+            'is_feature_env': IS_FEATURE_ENV,
+            'conversation_id': conversation_id,
+            'variant': enabled_variant,
+        },
+    )
+
+    return enabled_variant
+
+
+def handle_claude4_vs_gpt5_experiment(
+    user_id: str | None,
+    conversation_id: str,
+    conversation_settings: ConversationInitData,
+) -> ConversationInitData:
+    """
+    Handle the LiteLLM model experiment.
+
+    Args:
+        user_id: The user ID
+        conversation_id: The conversation ID
+        conversation_settings: The conversation settings
+
+    Returns:
+        Modified conversation settings
+    """
+
+    enabled_variant = _get_model_variant(user_id, conversation_id)
+
+    if not enabled_variant:
+        return conversation_settings
+
+    # Set the model based on the feature flag variant
+    if enabled_variant == 'gpt5':
+        model = build_litellm_proxy_model_path('gpt-5-2025-08-07')
+        conversation_settings.llm_model = model
+    else:
+        conversation_settings.llm_model = get_default_litellm_model()
+
+    return conversation_settings

enterprise/experiments/experiment_versions/_004_condenser_max_step_experiment.py

@@ -0,0 +1,232 @@
+"""
+Condenser max step experiment handler.
+
+This module contains the handler for the condenser max step experiment that tests
+different max_size values for the condenser configuration.
+"""
+
+from uuid import UUID
+
+import posthog
+from experiments.constants import EXPERIMENT_CONDENSER_MAX_STEP
+from server.constants import IS_FEATURE_ENV
+from storage.experiment_assignment_store import ExperimentAssignmentStore
+
+from openhands.core.logger import openhands_logger as logger
+from openhands.sdk import Agent
+from openhands.sdk.context.condenser import (
+    LLMSummarizingCondenser,
+)
+from openhands.server.session.conversation_init_data import ConversationInitData
+
+
+def _get_condenser_max_step_variant(user_id, conversation_id):
+    """
+    Get the condenser max step variant for the experiment.
+
+    Args:
+        user_id: The user ID
+        conversation_id: The conversation ID
+
+    Returns:
+        str or None: The PostHog variant name or None if experiment is not enabled or error occurs
+    """
+    # No-op if the specific experiment is not enabled
+    if not EXPERIMENT_CONDENSER_MAX_STEP:
+        logger.info(
+            'experiment_manager_004:ab_testing:skipped',
+            extra={
+                'convo_id': conversation_id,
+                'reason': 'experiment_not_enabled',
+                'experiment': EXPERIMENT_CONDENSER_MAX_STEP,
+            },
+        )
+        return None
+
+    # Use experiment name as the flag key
+    try:
+        enabled_variant = posthog.get_feature_flag(
+            EXPERIMENT_CONDENSER_MAX_STEP, conversation_id
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:get_feature_flag:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_CONDENSER_MAX_STEP,
+                'error': str(e),
+            },
+        )
+        return None
+
+    # Store the experiment assignment in the database
+    try:
+        experiment_store = ExperimentAssignmentStore()
+        experiment_store.update_experiment_variant(
+            conversation_id=conversation_id,
+            experiment_name='condenser_max_step_experiment',
+            variant=enabled_variant,
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:store_assignment:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_CONDENSER_MAX_STEP,
+                'variant': enabled_variant,
+                'error': str(e),
+            },
+        )
+        # Fail the experiment if we cannot track the splits - results would not be explainable
+        return None
+
+    # Log the experiment event
+    # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog
+    posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id
+
+    try:
+        posthog.capture(
+            distinct_id=posthog_user_id,
+            event='condenser_max_step_set',
+            properties={
+                'conversation_id': conversation_id,
+                'variant': enabled_variant,
+                'original_user_id': user_id,
+                'is_feature_env': IS_FEATURE_ENV,
+            },
+        )
+    except Exception as e:
+        logger.error(
+            'experiment_manager:posthog_capture:failed',
+            extra={
+                'convo_id': conversation_id,
+                'experiment': EXPERIMENT_CONDENSER_MAX_STEP,
+                'error': str(e),
+            },
+        )
+        # Continue execution as this is not critical
+
+    logger.info(
+        'posthog_capture',
+        extra={
+            'event': 'condenser_max_step_set',
+            'posthog_user_id': posthog_user_id,
+            'is_feature_env': IS_FEATURE_ENV,
+            'conversation_id': conversation_id,
+            'variant': enabled_variant,
+        },
+    )
+
+    return enabled_variant
+
+
+def handle_condenser_max_step_experiment(
+    user_id: str | None,
+    conversation_id: str,
+    conversation_settings: ConversationInitData,
+) -> ConversationInitData:
+    """
+    Handle the condenser max step experiment for conversation settings.
+
+    We should not modify persistent user settings. Instead, apply the experiment
+    variant to the conversation's in-memory settings object for this session only.
+
+    Variants:
+    - control -> condenser_max_size = 120
+    - treatment -> condenser_max_size = 80
+
+    Returns the (potentially) modified conversation_settings.
+    """
+
+    enabled_variant = _get_condenser_max_step_variant(user_id, conversation_id)
+
+    if enabled_variant is None:
+        return conversation_settings
+
+    if enabled_variant == 'control':
+        condenser_max_size = 120
+    elif enabled_variant == 'treatment':
+        condenser_max_size = 80
+    else:
+        logger.error(
+            'condenser_max_step_experiment:unknown_variant',
+            extra={
+                'user_id': user_id,
+                'convo_id': conversation_id,
+                'variant': enabled_variant,
+                'reason': 'unknown variant; returning original conversation settings',
+            },
+        )
+        return conversation_settings
+
+    try:
+        # Apply the variant to this conversation only; do not persist to DB.
+        # Not all OpenHands versions expose `condenser_max_size` on settings.
+        if hasattr(conversation_settings, 'condenser_max_size'):
+            conversation_settings.condenser_max_size = condenser_max_size
+            logger.info(
+                'condenser_max_step_experiment:conversation_settings_applied',
+                extra={
+                    'user_id': user_id,
+                    'convo_id': conversation_id,
+                    'variant': enabled_variant,
+                    'condenser_max_size': condenser_max_size,
+                },
+            )
+        else:
+            logger.warning(
+                'condenser_max_step_experiment:field_missing_on_settings',
+                extra={
+                    'user_id': user_id,
+                    'convo_id': conversation_id,
+                    'variant': enabled_variant,
+                    'reason': 'condenser_max_size not present on ConversationInitData',
+                },
+            )
+    except Exception as e:
+        logger.error(
+            'condenser_max_step_experiment:apply_failed',
+            extra={
+                'user_id': user_id,
+                'convo_id': conversation_id,
+                'variant': enabled_variant,
+                'error': str(e),
+            },
+        )
+        return conversation_settings
+
+    return conversation_settings
+
+
+def handle_condenser_max_step_experiment__v1(
+    user_id: str | None,
+    conversation_id: UUID,
+    agent: Agent,
+) -> Agent:
+    enabled_variant = _get_condenser_max_step_variant(user_id, str(conversation_id))
+
+    if enabled_variant is None:
+        return agent
+
+    if enabled_variant == 'control':
+        condenser_max_size = 120
+    elif enabled_variant == 'treatment':
+        condenser_max_size = 80
+    else:
+        logger.error(
+            'condenser_max_step_experiment:unknown_variant',
+            extra={
+                'user_id': user_id,
+                'convo_id': conversation_id,
+                'variant': enabled_variant,
+                'reason': 'unknown variant; returning original conversation settings',
+            },
+        )
+        return agent
+
+    condenser_llm = agent.llm.model_copy(update={'usage_id': 'condenser'})
+    condenser = LLMSummarizingCondenser(
+        llm=condenser_llm, max_size=condenser_max_size, keep_first=4
+    )
+
+    return agent.model_copy(update={'condenser': condenser})

enterprise/experiments/experiment_versions/__init__.py

@@ -0,0 +1,25 @@
+"""
+Experiment versions package.
+
+This package contains handlers for different experiment versions.
+"""
+
+from experiments.experiment_versions._001_litellm_default_model_experiment import (
+    handle_litellm_default_model_experiment,
+)
+from experiments.experiment_versions._002_system_prompt_experiment import (
+    handle_system_prompt_experiment,
+)
+from experiments.experiment_versions._003_llm_claude4_vs_gpt5_experiment import (
+    handle_claude4_vs_gpt5_experiment,
+)
+from experiments.experiment_versions._004_condenser_max_step_experiment import (
+    handle_condenser_max_step_experiment,
+)
+
+__all__ = [
+    'handle_litellm_default_model_experiment',
+    'handle_system_prompt_experiment',
+    'handle_claude4_vs_gpt5_experiment',
+    'handle_condenser_max_step_experiment',
+]