feat: add notifications scope to GitHub OAuth defaultScope

Add the 'notifications' scope to the GitHub identity provider's defaultScope in the Keycloak realm configuration. This enables agents to read and manage GitHub notifications via the API (list notifications, mark as read/done). Co-authored-by: openhands <openhands@all-hands.dev>
Fix CVE-2025-64340: Update fastmcp to 3.2.0 (#13685 )
2026-04-29 03:00:45 -04:00 · 2026-04-10 23:34:45 +00:00 · 2026-04-10 20:08:57 +00:00 · 2026-04-10 13:24:42 -06:00 · 2026-04-10 12:23:00 -06:00 · 2026-04-10 11:36:15 -06:00
555 changed files with 25297 additions and 23045 deletions
@@ -1,8 +0,0 @@
-# CODEOWNERS file for OpenHands repository
-# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
-
-/frontend/ @amanape @hieptl
-/openhands-ui/ @amanape @hieptl
-/openhands/ @tofarr @malhotra5 @hieptl
-/enterprise/ @chuckbutkus @tofarr @malhotra5
-/evaluation/ @xingyaoww @neubig
@@ -1,38 +1,46 @@
-<!-- If you are still working on the PR, please mark it as draft. Maintainers will review PRs marked ready for review, which leads to lost time if your PR is actually not ready yet. Keep the PR marked as draft until it is finally ready for review -->
+<!-- Keep this PR as draft until it is ready for review. -->

-## Summary of PR
+<!-- AI/LLM agents: be concise and specific. Do not check the box below. -->

-<!-- Summarize what the PR does -->
+- [ ] A human has tested these changes.

-## Demo Screenshots/Videos
+---

-<!-- AI/LLM AGENTS: This section is intended for a human author to add screenshots or videos demonstrating the PR in action (optional). While many pull requests may be generated by AI/LLM agents, we are fine with this as long as a human author has reviewed and tested the changes to ensure accuracy and functionality. -->
+## Why

-## Change Type
+<!-- Describe problem, motivation, etc.-->

-<!-- Choose the types that apply to your PR -->
+## Summary
+
+<!-- 1-3 bullets describing what changed. -->
+-
+
+## Issue Number
+<!-- Required if there is a relevant issue to this PR. -->
+
+## How to Test
+
+<!--
+Required. Share the steps for the reviewer to be able to test your PR. e.g. You can test by running `npm install` then `npm build dev`.
+
+If you could not test this, say why.
+-->
+
+## Video/Screenshots
+
+<!--
+Provide a video or screenshots of testing your PR. e.g. you added a new feature to the gui, show us the video of you testing it successfully.
+
+-->
+
+## Type

 - [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
+- [ ] Feature
 - [ ] Refactor
- [ ] Other (dependency update, docs, typo fixes, etc.)
+- [ ] Breaking change
+- [ ] Docs / chore

-## Checklist
-<!-- AI/LLM AGENTS: This checklist is for a human author to complete. Do NOT check either of the two boxes below. Leave them unchecked until a human has personally reviewed and tested the changes. -->
+## Notes

- [ ] I have read and reviewed the code and I understand what the code is doing.
- [ ] I have tested the code to the best of my ability and ensured it works as expected.
-
-## Fixes
-
-<!-- If this resolves an issue, link it here so it will close automatically upon merge. -->
-
-Resolves #(issue)
-
-## Release Notes
-
-<!-- Check the box if this change is worth adding to the release notes. If checked, you must provide an
-end-user friendly description for your change below the checkbox. -->
-
- [ ] Include this change in the Release Notes.
+<!-- Optional: migrations, config changes, rollout concerns, follow-ups, or anything reviewers should know. -->
@@ -12,7 +12,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
@@ -19,7 +19,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Install poetry via pipx
        uses: abatilo/actions-poetry@v4
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:
          fi

      - name: Find Comment
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@v4
        id: find-comment
        with:
          issue-number: ${{ github.event.pull_request.number }}
@@ -17,18 +17,20 @@ concurrency:
 jobs:
  fe-e2e-test:
    name: FE E2E Tests
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    strategy:
      matrix:
        node-version: [22]
      fail-fast: true
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Set up Node.js
-        uses: useblacksmith/setup-node@v5
+        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
      - name: Install dependencies
        working-directory: ./frontend
        run: npm ci
@@ -21,18 +21,20 @@ jobs:
  # Run frontend unit tests
  fe-test:
    name: FE Unit Tests
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    strategy:
      matrix:
        node-version: [22]
      fail-fast: true
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Set up Node.js
-        uses: useblacksmith/setup-node@v5
+        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
      - name: Install dependencies
        working-directory: ./frontend
        run: npm ci
@@ -30,37 +30,42 @@ env:

 jobs:
  define-matrix:
-    runs-on: blacksmith
+    runs-on: ubuntu-latest
    outputs:
      base_image: ${{ steps.define-base-images.outputs.base_image }}
+      platforms: ${{ steps.define-base-images.outputs.platforms }}
    steps:
      - name: Define base images
        shell: bash
        id: define-base-images
        run: |
          if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
-            json=$(jq -n -c '[
-                { image: "nikolaik/python-nodejs:python3.12-nodejs22-slim", tag: "nikolaik" }
+            platforms="linux/amd64"
+            json=$(jq -n -c --arg platforms "$platforms" '[
+                { image: "nikolaik/python-nodejs:python3.12-nodejs22-slim", tag: "nikolaik", platforms: $platforms }
              ]')
          else
-            json=$(jq -n -c '[
-                { image: "nikolaik/python-nodejs:python3.12-nodejs22-slim", tag: "nikolaik" },
-                { image: "ubuntu:24.04", tag: "ubuntu" }
+            platforms="linux/amd64,linux/arm64"
+            json=$(jq -n -c --arg platforms "$platforms" '[
+                { image: "nikolaik/python-nodejs:python3.12-nodejs22-slim", tag: "nikolaik", platforms: $platforms },
+                { image: "ubuntu:24.04", tag: "ubuntu", platforms: $platforms }
              ]')
          fi
          echo "base_image=$json" >> "$GITHUB_OUTPUT"
+          echo "platforms=$platforms" >> "$GITHUB_OUTPUT"

  # Builds the OpenHands Docker images
  ghcr_build_app:
    name: Build App Image
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
+    needs: define-matrix
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
@@ -82,12 +87,12 @@ jobs:
      - name: Build and push app image
        if: "!github.event.pull_request.head.repo.fork"
        run: |
-          ./containers/build.sh -i openhands -o ${{ env.REPO_OWNER }} --push
+          ./containers/build.sh -i openhands -o ${{ env.REPO_OWNER }} --push -p ${{ needs.define-matrix.outputs.platforms }}

  # Builds the runtime Docker images
  ghcr_build_runtime:
    name: Build Runtime Image
-    runs-on: blacksmith-8vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
    permissions:
      contents: read
@@ -98,7 +103,7 @@ jobs:
        base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
@@ -117,7 +122,7 @@ jobs:
      - name: Install poetry via pipx
        run: pipx install poetry
      - name: Set up Python
-        uses: useblacksmith/setup-python@v6
+        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
          cache: poetry
@@ -136,7 +141,7 @@ jobs:
        shell: bash
        run: |

-          ./containers/build.sh -i runtime -o ${{ env.REPO_OWNER }} -t ${{ matrix.base_image.tag }} --dry
+          ./containers/build.sh -i runtime -o ${{ env.REPO_OWNER }} -t ${{ matrix.base_image.tag }} --dry -p ${{ matrix.base_image.platforms }}

          DOCKER_BUILD_JSON=$(jq -c . < docker-build-dry.json)
          echo "DOCKER_TAGS=$(echo "$DOCKER_BUILD_JSON" | jq -r '.tags | join(",")')" >> $GITHUB_ENV
@@ -144,7 +149,7 @@ jobs:
          echo "DOCKER_BUILD_ARGS=$(echo "$DOCKER_BUILD_JSON" | jq -r '.build_args | join(",")')" >> $GITHUB_ENV
      - name: Build and push runtime image ${{ matrix.base_image.image }}
        if: github.event.pull_request.head.repo.fork != true
-        uses: useblacksmith/build-push-action@v1
+        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ${{ env.DOCKER_TAGS }}
@@ -158,7 +163,7 @@ jobs:
      # Forked repos can't push to GHCR, so we just build in order to populate the cache for rebuilding
      - name: Build runtime image ${{ matrix.base_image.image }} for fork
        if: github.event.pull_request.head.repo.fork
-        uses: useblacksmith/build-push-action@v1
+        uses: docker/build-push-action@v6
        with:
          tags: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
          context: containers/runtime
@@ -171,7 +176,7 @@ jobs:

  ghcr_build_enterprise:
    name: Push Enterprise Image
-    runs-on: blacksmith-8vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    permissions:
      contents: read
      packages: write
@@ -180,7 +185,7 @@ jobs:
    if: github.event.pull_request.head.repo.fork != true
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}

@@ -210,6 +215,7 @@ jobs:
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
+            type=match,pattern=cloud-\d+\.\d+\.\d+
          flavor: |
            latest=auto
            prefix=
@@ -223,7 +229,7 @@ jobs:
          # rather than a mutable branch tag like "main" which can serve stale cached layers.
          echo "OPENHANDS_DOCKER_TAG=${RELEVANT_SHA}" >> $GITHUB_ENV
      - name: Build and push Docker image
-        uses: useblacksmith/build-push-action@v1
+        uses: docker/build-push-action@v6
        with:
          context: .
          file: enterprise/Dockerfile
@@ -242,7 +248,7 @@ jobs:
  # We can remove this once the config changes
  runtime_tests_check_success:
    name: All Runtime Tests Passed
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    steps:
      - name: All tests passed
        run: echo "All runtime tests have passed successfully!"
@@ -251,10 +257,10 @@ jobs:
    name: Update PR Description
    if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'
    needs: [ghcr_build_runtime]
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Get short SHA
        id: short_sha
@@ -9,12 +9,12 @@ jobs:
  lint-fix-frontend:
    if: github.event.label.name == 'lint-fix'
    name: Fix frontend linting issues
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
        with:
          ref: ${{ github.head_ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -22,13 +22,14 @@ jobs:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Node.js 22
-        uses: useblacksmith/setup-node@v5
+        uses: actions/setup-node@v4
        with:
          node-version: 22
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
      - name: Install frontend dependencies
-        run: |
-          cd frontend
-          npm install --frozen-lockfile
+        working-directory: ./frontend
+        run: npm ci
      - name: Generate i18n and route types
        run: |
          cd frontend
@@ -58,12 +59,12 @@ jobs:
  lint-fix-python:
    if: github.event.label.name == 'lint-fix'
    name: Fix Python linting issues
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
        with:
          ref: ${{ github.head_ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -71,7 +72,7 @@ jobs:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up python
-        uses: useblacksmith/setup-python@v6
+        uses: actions/setup-python@v5
        with:
          python-version: 3.12
          cache: "pip"
@@ -19,34 +19,35 @@ jobs:
  # Run lint on the frontend code
  lint-frontend:
    name: Lint frontend
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
      - name: Install Node.js 22
-        uses: useblacksmith/setup-node@v5
+        uses: actions/setup-node@v4
        with:
          node-version: 22
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
      - name: Install dependencies
-        run: |
-          cd frontend
-          npm install --frozen-lockfile
+        working-directory: ./frontend
+        run: npm ci
      - name: Lint, TypeScript compilation, and translation checks
        run: |
          cd frontend
          npm run lint
-          npm run make-i18n && tsc
+          npm run make-i18n && npx tsc
          npm run check-translation-completeness

  # Run lint on the python code
  lint-python:
    name: Lint python
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up python
-        uses: useblacksmith/setup-python@v6
+        uses: actions/setup-python@v5
        with:
          python-version: 3.12
          cache: "pip"
@@ -57,13 +58,13 @@ jobs:

  lint-enterprise-python:
    name: Lint enterprise python
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up python
-        uses: useblacksmith/setup-python@v6
+        uses: actions/setup-python@v5
        with:
          python-version: 3.12
          cache: "pip"
@@ -18,7 +18,7 @@ concurrency:
 jobs:
  check-version:
    name: Check if version has changed
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    defaults:
      run:
        shell: bash
@@ -27,7 +27,7 @@ jobs:
      current-version: ${{ steps.version-check.outputs.current-version }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 2 # Need previous commit to compare

@@ -55,7 +55,7 @@ jobs:

  publish:
    name: Publish to npm
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    needs: check-version
    if: needs.check-version.outputs.should-publish == 'true'
    defaults:
@@ -63,7 +63,7 @@ jobs:
        shell: bash
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
@@ -86,7 +86,7 @@ jobs:
    runs-on: "${{ inputs.runner || 'ubuntu-latest' }}"
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
@@ -28,7 +28,7 @@ jobs:
        steps:
            - name: Download review trace artifact
              id: download-trace
-              uses: dawidd6/action-download-artifact@v6
+              uses: dawidd6/action-download-artifact@v15
              continue-on-error: true
              with:
                  workflow: pr-review-by-openhands.yml
@@ -19,7 +19,7 @@ jobs:
  # Run python tests on Linux
  test-on-linux:
    name: Python Tests on Linux
-    runs-on: blacksmith-4vcpu-ubuntu-2404
+    runs-on: ubuntu-24.04
    env:
      INSTALL_DOCKER: "0" # Set to '0' to skip Docker installation
    strategy:
@@ -30,20 +30,22 @@ jobs:
      pull-requests: write
      contents: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
      - name: Install tmux
        run: sudo apt-get update && sudo apt-get install -y tmux
      - name: Setup Node.js
-        uses: useblacksmith/setup-node@v5
+        uses: actions/setup-node@v4
        with:
          node-version: "22.x"
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
      - name: Install poetry via pipx
        run: pipx install poetry
      - name: Set up Python
-        uses: useblacksmith/setup-python@v6
+        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: "poetry"
@@ -73,16 +75,16 @@ jobs:

  test-enterprise:
    name: Enterprise Python Unit Tests
-    runs-on: blacksmith-4vcpu-ubuntu-2404
+    runs-on: ubuntu-24.04
    strategy:
      matrix:
        python-version: ["3.12"]
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
      - name: Install poetry via pipx
        run: pipx install poetry
      - name: Set up Python
-        uses: useblacksmith/setup-python@v6
+        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: "poetry"
@@ -111,9 +113,9 @@ jobs:
      pull-requests: write
      contents: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6

-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@v7
        id: download
        with:
          pattern: coverage-*
@@ -17,14 +17,14 @@ on:

 jobs:
  release:
-    runs-on: blacksmith-4vcpu-ubuntu-2204
-    # Run when manually dispatched for "app server" OR for tag pushes that don't contain '-cli'
+    runs-on: ubuntu-22.04
+    # Run when manually dispatched for "app server" OR for tag pushes that don't contain '-cli' and don't start with 'cloud-'
    if: |
      (github.event_name == 'workflow_dispatch' && github.event.inputs.reason == 'app server')
-      || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-cli'))
+      || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-cli') && !startsWith(github.ref, 'refs/tags/cloud-'))
    steps:
-      - uses: actions/checkout@v4
-      - uses: useblacksmith/setup-python@v6
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v5
        with:
          python-version: 3.12
      - name: Install Poetry
@@ -8,10 +8,10 @@ on:

 jobs:
  stale:
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    if: github.repository == 'OpenHands/OpenHands'
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
        with:
          stale-issue-message: 'This issue is stale because it has been open for 40 days with no activity. Remove the stale label or leave a comment, otherwise it will be closed in 10 days.'
          stale-pr-message: 'This PR is stale because it has been open for 40 days with no activity. Remove the stale label or leave a comment, otherwise it will be closed in 10 days.'
@@ -19,10 +19,10 @@ concurrency:
 jobs:
  ui-build:
    name: Build openhands-ui
-    runs-on: blacksmith-4vcpu-ubuntu-2204
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version-file: "openhands-ui/.bun-version"
@@ -36,6 +36,42 @@ then re-run the command to ensure it passes. Common issues include:
 - Be especially careful with `git reset --hard` after staging files, as it will remove accidentally staged files
 - When remote has new changes, use `git fetch upstream && git rebase upstream/<branch>` on the same branch

+## Lockfile Regeneration (Preserve Original Tool Versions)
+
+When regenerating lockfiles (poetry.lock, uv.lock, etc.), you MUST use the same tool version that originally generated the lockfile to avoid unnecessary diff noise. Each lockfile contains a version header indicating which tool version was used.
+
+### Poetry (poetry.lock)
+
+1. Extract the version from the lockfile header:
+   ```bash
+   POETRY_VERSION=$(grep -m1 "^# This file is automatically @generated by Poetry" poetry.lock | sed 's/.*Poetry \([0-9.]*\).*/\1/')
+   ```
+2. If a version is found, install that specific version:
+   ```bash
+   pipx install poetry==$POETRY_VERSION --force
+   ```
+3. Then regenerate the lockfile:
+   ```bash
+   poetry lock --no-update
+   ```
+
+### uv (uv.lock)
+
+1. Extract the version from the lockfile header:
+   ```bash
+   UV_VERSION=$(grep -m1 "^# This file was autogenerated by uv" uv.lock | sed 's/.*uv version \([0-9.]*\).*/\1/')
+   ```
+2. If a version is found, install that specific version:
+   ```bash
+   pipx install uv==$UV_VERSION --force
+   ```
+3. Then regenerate the lockfile:
+   ```bash
+   uv lock
+   ```
+
+This ensures that lockfile updates only contain actual dependency changes, not tool version migration artifacts.
+
 ## PR-Specific Artifacts (`.pr/` directory)

 When working on a PR that requires design documents, scripts meant for development-only, or other temporary artifacts that should NOT be merged to main, store them in a `.pr/` directory at the repository root.
@@ -23,7 +23,6 @@
  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=pt">Português</a> |
  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=ru">Русский</a> |
  <a href="https://www.readme-i18n.com/OpenHands/OpenHands?lang=zh">中文</a>
-
 </div>

 <hr>
@@ -84,3 +83,71 @@ All our work is available under the MIT license, except for the `enterprise/` di
 The core `openhands` and `agent-server` Docker images are fully MIT-licensed as well.

 If you need help with anything, or just want to chat, [come find us on Slack](https://dub.sh/openhands).
+
+<hr>
+
+### Thank You to Our Contributors
+
+<div align="center">
+
+[![OpenHands Contributors](https://assets.openhands.dev/readme/openhands-openhands-contributors.svg)](https://github.com/OpenHands/OpenHands/graphs/contributors)
+
+</div>
+
+<hr>
+
+### Trusted by Engineers at
+
+<div align="center">
+  <br/><br/>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/tiktok.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/tiktok.svg" alt="TikTok" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/vmware.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/vmware.svg" alt="VMware" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/roche.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/roche.svg" alt="Roche" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/amazon.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/amazon.svg" alt="Amazon" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/c3-ai.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/c3-ai.svg" alt="C3 AI" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/netflix.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/netflix.svg" alt="Netflix" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/mastercard.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/mastercard.svg" alt="Mastercard" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/red-hat.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/red-hat.svg" alt="Red Hat" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/mongodb.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/mongodb.svg" alt="MongoDB" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/apple.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/apple.svg" alt="Apple" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/nvidia.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/nvidia.svg" alt="NVIDIA" height="17" hspace="5">
+  </picture>
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://assets.openhands.dev/logos/external/white/google.svg">
+    <img src="https://assets.openhands.dev/logos/external/black/google.svg" alt="Google" height="17" hspace="5">
+  </picture>
+</div>
+
+</div>
@@ -20,9 +20,11 @@ ENV POETRY_NO_INTERACTION=1 \
    POETRY_VIRTUALENVS_CREATE=1 \
    POETRY_CACHE_DIR=/tmp/poetry_cache

+# Pin Poetry version to match the version used to generate poetry.lock
+ARG POETRY_VERSION=2.3.3
 RUN apt-get update -y \
    && apt-get install -y curl make git build-essential jq gettext \
-    && python3 -m pip install "poetry>=2.3.0" --break-system-packages
+    && python3 -m pip install "poetry==${POETRY_VERSION}" --break-system-packages

 COPY pyproject.toml poetry.lock ./
 RUN touch README.md
@@ -50,7 +52,7 @@ RUN mkdir -p $FILE_STORE_PATH
 RUN mkdir -p $WORKSPACE_BASE

 RUN apt-get update -y \
-    && apt-get install -y curl ssh sudo \
+    && apt-get install -y curl git ssh sudo \
    && rm -rf /var/lib/apt/lists/*

 # Default is 1000, but OSX is often 501
@@ -73,6 +75,17 @@ ENV VIRTUAL_ENV=/app/.venv \

 COPY --chown=openhands:openhands --chmod=770 --from=backend-builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}

+# Pin pip to a known-good version (reproducible builds) and fix CVE-2025-8869
+# Pin both venv pip and system pip (Trivy scans both)
+# - `python -m pip` uses the venv because `PATH` is prefixed with `${VIRTUAL_ENV}/bin`
+# - `/usr/local/bin/python3 -m pip` uses the system interpreter regardless of `PATH`
+ARG PIP_VERSION=26.0.1
+RUN python -m pip install --no-cache-dir "pip==${PIP_VERSION}"
+
+USER root
+RUN /usr/local/bin/python3 -m pip install --no-cache-dir "pip==${PIP_VERSION}" --break-system-packages
+USER openhands
+
 COPY --chown=openhands:openhands --chmod=770 ./skills ./skills
 COPY --chown=openhands:openhands --chmod=770 ./openhands ./openhands
 COPY --chown=openhands:openhands --chmod=777 ./openhands/runtime/plugins ./openhands/runtime/plugins
@@ -8,15 +8,17 @@ push=0
 load=0
 tag_suffix=""
 dry_run=0
+platform_override=""

 # Function to display usage information
 usage() {
-    echo "Usage: $0 -i <image_name> [-o <org_name>] [--push] [--load] [-t <tag_suffix>] [--dry]"
+    echo "Usage: $0 -i <image_name> [-o <org_name>] [--push] [--load] [-t <tag_suffix>] [-p <platform>] [--dry]"
    echo "  -i: Image name (required)"
    echo "  -o: Organization name"
    echo "  --push: Push the image"
    echo "  --load: Load the image"
    echo "  -t: Tag suffix"
+    echo "  -p: Platform(s) to build for (e.g. linux/amd64 or linux/amd64,linux/arm64)"
    echo "  --dry: Don't build, only create build-args.json"
    exit 1
 }
@@ -29,6 +31,7 @@ while [[ $# -gt 0 ]]; do
        --push) push=1; shift ;;
        --load) load=1; shift ;;
        -t) tag_suffix="$2"; shift 2 ;;
+        -p) platform_override="$2"; shift 2 ;;
        --dry) dry_run=1; shift ;;
        *) usage ;;
    esac
@@ -134,8 +137,10 @@ fi

 echo "Args: $args"

-# Modify the platform selection based on --load flag
-if [[ $load -eq 1 ]]; then
+# Determine the platform(s) to build for
+if [[ -n "$platform_override" ]]; then
+  platform="$platform_override"
+elif [[ $load -eq 1 ]]; then
  # When loading, build only for the current platform
  platform=$(docker version -f '{{.Server.Os}}/{{.Server.Arch}}')
 else
@@ -13,7 +13,7 @@ services:
      - DOCKER_HOST_ADDR=host.docker.internal
      #
      - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.12.0-python}
+      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.15.0-python}
      - SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234}
      - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
    ports:
@@ -58,6 +58,8 @@ repos:
            types-Markdown,
            pydantic,
            lxml,
+            "openhands-sdk==1.14",
+            "openhands-tools==1.14",
          ]
        # To see gaps add `--html-report mypy-report/`
        entry: mypy --config-file dev_config/python/mypy.ini openhands/
@@ -14,3 +14,11 @@ exclude = (third_party/|enterprise/)

 [mypy-openhands.memory.condenser.impl.*]
 disable_error_code = override
+
+[mypy-openai.*]
+follow_imports = skip
+ignore_missing_imports = True
+
+[mypy-litellm.*]
+follow_imports = skip
+ignore_missing_imports = True
@@ -8,7 +8,7 @@ services:
    container_name: openhands-app-${DATE:-}
    environment:
      - AGENT_SERVER_IMAGE_REPOSITORY=${AGENT_SERVER_IMAGE_REPOSITORY:-ghcr.io/openhands/agent-server}
-      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.12.0-python}
+      - AGENT_SERVER_IMAGE_TAG=${AGENT_SERVER_IMAGE_TAG:-1.15.0-python}
      #- SANDBOX_USER_ID=${SANDBOX_USER_ID:-1234} # enable this only if you want a specific non-root sandbox user but you will have to manually adjust permissions of ~/.openhands for this user
      - WORKSPACE_MOUNT_PATH=${WORKSPACE_BASE:-$PWD/workspace}
    ports:
@@ -33,8 +33,7 @@ RUN cd /tmp/enterprise && \
    # Export only main dependencies with hashes for supply chain security
    /app/.venv/bin/poetry export --only main -o requirements.txt && \
    # Remove the local path dependency (openhands-ai is already in base image)
-    # and git-based SDK dependencies (already installed via the base app image)
-    sed -i '/^-e /d; /openhands-ai/d; /^openhands-.*@ git+/d' requirements.txt && \
+    sed -i '/^-e /d; /openhands-ai/d' requirements.txt && \
    # Install pinned dependencies from lock file
    /app/.venv/bin/pip install -r requirements.txt && \
    # Cleanup - return to /app before removing /tmp/enterprise
@@ -723,11 +723,13 @@
        "https://$WEB_HOST/slack/keycloak-callback",
        "https://$WEB_HOST/oauth/device/keycloak-callback",
        "https://$WEB_HOST/api/email/verified",
-        "/realms/$KEYCLOAK_REALM_NAME/$KEYCLOAK_CLIENT_ID/*"
+        "/realms/$KEYCLOAK_REALM_NAME/$KEYCLOAK_CLIENT_ID/*",
+        "https://laminar.$WEB_HOST/api/auth/callback/keycloak"
      ],
      "webOrigins": [
        "https://$WEB_HOST",
-        "https://$AUTH_WEB_HOST"
+        "https://$AUTH_WEB_HOST",
+        "https://laminar.$WEB_HOST"
      ],
      "notBefore": 0,
      "bearerOnly": false,
@@ -1727,7 +1729,7 @@
        "syncMode": "IMPORT",
        "clientSecret": "$GITHUB_APP_CLIENT_SECRET",
        "caseSensitiveOriginalUsername": "false",
-        "defaultScope": "openid email profile",
+        "defaultScope": "openid email profile notifications",
        "baseUrl": "$GITHUB_BASE_URL"
      }
    },
@@ -106,18 +106,16 @@ async def summarize_issue_solvability(
            f'Solvability analysis disabled for user {github_view.user_info.user_id}'
        )

-    agent_settings = user_settings.agent_settings
-    llm_settings = agent_settings.llm
-    if llm_settings.api_key is None:
+    if user_settings.llm_api_key is None:
        raise ValueError(
            f'[Solvability] No LLM API key found for user {github_view.user_info.user_id}'
        )

    try:
        llm_config = LLMConfig(
-            model=llm_settings.model,
-            api_key=llm_settings.api_key.get_secret_value(),
-            base_url=llm_settings.base_url,
+            model=user_settings.llm_model,
+            api_key=user_settings.llm_api_key.get_secret_value(),
+            base_url=user_settings.llm_base_url,
        )
    except ValidationError as e:
        raise ValueError(
@@ -10,6 +10,7 @@ from integrations.github.github_types import (
 )
 from integrations.models import Message
 from integrations.resolver_context import ResolverUserContext
+from integrations.resolver_org_router import resolve_org_for_repo
 from integrations.types import ResolverViewInterface, UserData
 from integrations.utils import (
    ENABLE_PROACTIVE_CONVERSATION_STARTERS,
@@ -26,6 +27,7 @@ from server.auth.token_manager import TokenManager
 from server.config import get_config
 from storage.org_store import OrgStore
 from storage.proactive_conversation_store import ProactiveConversationStore
+from storage.saas_conversation_store import SaasConversationStore
 from storage.saas_secrets_store import SaasSecretsStore

 from openhands.agent_server.models import SendMessageRequest
@@ -41,16 +43,14 @@ from openhands.integrations.github.github_service import GithubServiceImpl
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderType
 from openhands.integrations.service_types import Comment
 from openhands.sdk import TextContent
-from openhands.server.services.conversation_service import (
-    initialize_conversation,
-    start_conversation,
-)
+from openhands.server.services.conversation_service import start_conversation
 from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import (
    ConversationMetadata,
    ConversationTrigger,
 )
 from openhands.utils.async_utils import call_sync_from_async
+from openhands.utils.conversation_summary import get_default_conversation_title

 OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)

@@ -154,12 +154,17 @@ class GithubIssue(ResolverViewInterface):
        return user_secrets.custom_secrets if user_secrets else None

    async def initialize_new_conversation(self) -> ConversationMetadata:
-        # FIXME: Handle if initialize_conversation returns None
-
        self.v1_enabled = await is_v1_enabled_for_github_resolver(
            self.user_info.keycloak_user_id
        )

+        # Resolve target org based on claimed git organizations
+        self.resolved_org_id = await resolve_org_for_repo(
+            provider='github',
+            full_repo_name=self.full_repo_name,
+            keycloak_user_id=self.user_info.keycloak_user_id,
+        )
+
        logger.info(
            f'[GitHub V1]: User flag found for {self.user_info.keycloak_user_id} is {self.v1_enabled}'
        )
@@ -173,16 +178,28 @@ class GithubIssue(ResolverViewInterface):
                selected_repository=self.full_repo_name,
            )

-        conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
-            user_id=self.user_info.keycloak_user_id,
-            conversation_id=None,
-            selected_repository=self.full_repo_name,
-            selected_branch=self._get_branch_name(),
-            conversation_trigger=ConversationTrigger.RESOLVER,
-            git_provider=ProviderType.GITHUB,
+        # Create the conversation store with resolver org routing
+        # (bypasses initialize_conversation to avoid threading enterprise-only
+        # resolver_org_id through the generic OSS interface)
+        store = await SaasConversationStore.get_resolver_instance(
+            get_config(),
+            self.user_info.keycloak_user_id,
+            self.resolved_org_id,
        )

-        self.conversation_id = conversation_metadata.conversation_id
+        conversation_id = uuid4().hex
+        conversation_metadata = ConversationMetadata(
+            trigger=ConversationTrigger.RESOLVER,
+            conversation_id=conversation_id,
+            title=get_default_conversation_title(conversation_id),
+            user_id=self.user_info.keycloak_user_id,
+            selected_repository=self.full_repo_name,
+            selected_branch=self._get_branch_name(),
+            git_provider=ProviderType.GITHUB,
+        )
+        await store.save_metadata(conversation_metadata)
+
+        self.conversation_id = conversation_id
        return conversation_metadata

    async def create_new_conversation(
@@ -294,7 +311,10 @@ class GithubIssue(ResolverViewInterface):
        )

        # Set up the GitHub user context for the V1 system
-        github_user_context = ResolverUserContext(saas_user_auth=saas_user_auth)
+        github_user_context = ResolverUserContext(
+            saas_user_auth=saas_user_auth,
+            resolver_org_id=self.resolved_org_id,
+        )
        setattr(injector_state, USER_CONTEXT_ATTR, github_user_context)

        async with get_app_conversation_service(
@@ -322,7 +342,7 @@ class GithubIssue(ResolverViewInterface):
                'full_repo_name': self.full_repo_name,
                'installation_id': self.installation_id,
            },
-            send_summary_instruction=self.send_summary_instruction,
+            should_request_summary=self.send_summary_instruction,
        )


@@ -476,7 +496,7 @@ class GithubInlinePRComment(GithubPRComment):
                'comment_id': self.comment_id,
            },
            inline_pr_comment=True,
-            send_summary_instruction=self.send_summary_instruction,
+            should_request_summary=self.send_summary_instruction,
        )


@@ -3,6 +3,7 @@ from uuid import UUID, uuid4

 from integrations.models import Message
 from integrations.resolver_context import ResolverUserContext
+from integrations.resolver_org_router import resolve_org_for_repo
 from integrations.types import ResolverViewInterface, UserData
 from integrations.utils import (
    ENABLE_V1_GITLAB_RESOLVER,
@@ -14,6 +15,7 @@ from integrations.utils import (
 from jinja2 import Environment
 from server.auth.token_manager import TokenManager
 from server.config import get_config
+from storage.saas_conversation_store import SaasConversationStore
 from storage.saas_secrets_store import SaasSecretsStore

 from openhands.agent_server.models import SendMessageRequest
@@ -29,15 +31,13 @@ from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderType
 from openhands.integrations.service_types import Comment
 from openhands.sdk import TextContent
-from openhands.server.services.conversation_service import (
-    initialize_conversation,
-    start_conversation,
-)
+from openhands.server.services.conversation_service import start_conversation
 from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import (
    ConversationMetadata,
    ConversationTrigger,
 )
+from openhands.utils.conversation_summary import get_default_conversation_title

 OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST)
 CONFIDENTIAL_NOTE = 'confidential_note'
@@ -118,6 +118,14 @@ class GitlabIssue(ResolverViewInterface):
    async def initialize_new_conversation(self) -> ConversationMetadata:
        # v1_enabled is already set at construction time in the factory method
        # This is the source of truth for the conversation type
+
+        # Resolve target org based on claimed git organizations
+        self.resolved_org_id = await resolve_org_for_repo(
+            provider='gitlab',
+            full_repo_name=self.full_repo_name,
+            keycloak_user_id=self.user_info.keycloak_user_id,
+        )
+
        if self.v1_enabled:
            # Create dummy conversation metadata
            # Don't save to conversation store
@@ -128,16 +136,28 @@ class GitlabIssue(ResolverViewInterface):
                selected_repository=self.full_repo_name,
            )

-        conversation_metadata: ConversationMetadata = await initialize_conversation(  # type: ignore[assignment]
-            user_id=self.user_info.keycloak_user_id,
-            conversation_id=None,
-            selected_repository=self.full_repo_name,
-            selected_branch=self._get_branch_name(),
-            conversation_trigger=ConversationTrigger.RESOLVER,
-            git_provider=ProviderType.GITLAB,
+        # Create the conversation store with resolver org routing
+        # (bypasses initialize_conversation to avoid threading enterprise-only
+        # resolver_org_id through the generic OSS interface)
+        store = await SaasConversationStore.get_resolver_instance(
+            get_config(),
+            self.user_info.keycloak_user_id,
+            self.resolved_org_id,
        )

-        self.conversation_id = conversation_metadata.conversation_id
+        conversation_id = uuid4().hex
+        conversation_metadata = ConversationMetadata(
+            trigger=ConversationTrigger.RESOLVER,
+            conversation_id=conversation_id,
+            title=get_default_conversation_title(conversation_id),
+            user_id=self.user_info.keycloak_user_id,
+            selected_repository=self.full_repo_name,
+            selected_branch=self._get_branch_name(),
+            git_provider=ProviderType.GITLAB,
+        )
+        await store.save_metadata(conversation_metadata)
+
+        self.conversation_id = conversation_id
        return conversation_metadata

    async def create_new_conversation(
@@ -228,7 +248,10 @@ class GitlabIssue(ResolverViewInterface):
        )

        # Set up the GitLab user context for the V1 system
-        gitlab_user_context = ResolverUserContext(saas_user_auth=saas_user_auth)
+        gitlab_user_context = ResolverUserContext(
+            saas_user_auth=saas_user_auth,
+            resolver_org_id=self.resolved_org_id,
+        )
        setattr(injector_state, USER_CONTEXT_ATTR, gitlab_user_context)

        async with get_app_conversation_service(
@@ -260,7 +283,7 @@ class GitlabIssue(ResolverViewInterface):
                'is_mr': self.is_mr,
                'discussion_id': getattr(self, 'discussion_id', None),
            },
-            send_summary_instruction=self.send_summary_instruction,
+            should_request_summary=self.send_summary_instruction,
        )


@@ -7,6 +7,7 @@ Views are responsible for:
 """

 from dataclasses import dataclass, field
+from uuid import uuid4

 import httpx
 from integrations.jira.jira_payload import JiraWebhookPayload
@@ -15,18 +16,25 @@ from integrations.jira.jira_types import (
    RepositoryNotFoundError,
    StartingConvoException,
 )
+from integrations.resolver_org_router import resolve_org_for_repo
 from integrations.utils import CONVERSATION_URL, infer_repo_from_message
 from jinja2 import Environment
+from server.config import get_config
 from storage.jira_conversation import JiraConversation
 from storage.jira_integration_store import JiraIntegrationStore
 from storage.jira_user import JiraUser
 from storage.jira_workspace import JiraWorkspace
+from storage.saas_conversation_store import SaasConversationStore

 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.provider import ProviderHandler
-from openhands.server.services.conversation_service import create_new_conversation
+from openhands.server.services.conversation_service import start_conversation
 from openhands.server.user_auth.user_auth import UserAuth
-from openhands.storage.data_models.conversation_metadata import ConversationTrigger
+from openhands.storage.data_models.conversation_metadata import (
+    ConversationMetadata,
+    ConversationTrigger,
+)
+from openhands.utils.conversation_summary import get_default_conversation_title
 from openhands.utils.http_session import httpx_verify_option

 JIRA_CLOUD_API_URL = 'https://api.atlassian.com/ex/jira'
@@ -166,20 +174,68 @@ class JiraNewConversationView(JiraViewInterface):
        instructions, user_msg = await self._get_instructions(jinja_env)

        try:
-            agent_loop_info = await create_new_conversation(
-                user_id=self.jira_user.keycloak_user_id,
-                git_provider_tokens=provider_tokens,
-                selected_repository=self.selected_repo,
-                selected_branch=None,
-                initial_user_msg=user_msg,
-                conversation_instructions=instructions,
-                image_urls=None,
-                replay_json=None,
-                conversation_trigger=ConversationTrigger.JIRA,
-                custom_secrets=user_secrets.custom_secrets if user_secrets else None,
+            user_id = self.jira_user.keycloak_user_id
+
+            # Resolve git provider from repository
+            resolved_git_provider = None
+            if provider_tokens:
+                try:
+                    provider_handler = ProviderHandler(provider_tokens)
+                    repository = await provider_handler.verify_repo_provider(
+                        self.selected_repo
+                    )
+                    resolved_git_provider = repository.git_provider
+                except Exception as e:
+                    logger.warning(
+                        f'[Jira] Failed to resolve git provider for {self.selected_repo}: {e}'
+                    )
+
+            # Resolve target org based on claimed git organizations
+            resolved_org_id = None
+            if resolved_git_provider and self.selected_repo:
+                try:
+                    resolved_org_id = await resolve_org_for_repo(
+                        provider=resolved_git_provider.value,
+                        full_repo_name=self.selected_repo,
+                        keycloak_user_id=user_id,
+                    )
+                except Exception as e:
+                    logger.warning(
+                        f'[Jira] Failed to resolve org for {self.selected_repo}: {e}'
+                    )
+
+            # Create the conversation store with resolver org routing
+            store = await SaasConversationStore.get_resolver_instance(
+                get_config(),
+                user_id,
+                resolved_org_id,
            )

-            self.conversation_id = agent_loop_info.conversation_id
+            conversation_id = uuid4().hex
+            conversation_metadata = ConversationMetadata(
+                trigger=ConversationTrigger.JIRA,
+                conversation_id=conversation_id,
+                title=get_default_conversation_title(conversation_id),
+                user_id=user_id,
+                selected_repository=self.selected_repo,
+                selected_branch=None,
+                git_provider=resolved_git_provider,
+            )
+            await store.save_metadata(conversation_metadata)
+
+            await start_conversation(
+                user_id=user_id,
+                git_provider_tokens=provider_tokens,
+                custom_secrets=user_secrets.custom_secrets if user_secrets else None,
+                initial_user_msg=user_msg,
+                image_urls=None,
+                replay_json=None,
+                conversation_id=conversation_id,
+                conversation_metadata=conversation_metadata,
+                conversation_instructions=instructions,
+            )
+
+            self.conversation_id = conversation_id

            logger.info(
                '[Jira] Created conversation',
@@ -187,6 +243,9 @@ class JiraNewConversationView(JiraViewInterface):
                    'conversation_id': self.conversation_id,
                    'issue_key': self.payload.issue_key,
                    'selected_repo': self.selected_repo,
+                    'resolved_org_id': str(resolved_org_id)
+                    if resolved_org_id
+                    else None,
                },
            )

@@ -1,25 +1,34 @@
 from dataclasses import dataclass
+from uuid import uuid4

 from integrations.linear.linear_types import LinearViewInterface, StartingConvoException
 from integrations.models import JobContext
+from integrations.resolver_org_router import resolve_org_for_repo
 from integrations.utils import CONVERSATION_URL, get_final_agent_observation
 from jinja2 import Environment
+from server.config import get_config
 from storage.linear_conversation import LinearConversation
 from storage.linear_integration_store import LinearIntegrationStore
 from storage.linear_user import LinearUser
 from storage.linear_workspace import LinearWorkspace
+from storage.saas_conversation_store import SaasConversationStore

 from openhands.core.logger import openhands_logger as logger
 from openhands.core.schema.agent import AgentState
 from openhands.events.action import MessageAction
 from openhands.events.serialization.event import event_to_dict
+from openhands.integrations.provider import ProviderHandler
 from openhands.server.services.conversation_service import (
-    create_new_conversation,
    setup_init_conversation_settings,
+    start_conversation,
 )
 from openhands.server.shared import ConversationStoreImpl, config, conversation_manager
 from openhands.server.user_auth.user_auth import UserAuth
-from openhands.storage.data_models.conversation_metadata import ConversationTrigger
+from openhands.storage.data_models.conversation_metadata import (
+    ConversationMetadata,
+    ConversationTrigger,
+)
+from openhands.utils.conversation_summary import get_default_conversation_title

 integration_store = LinearIntegrationStore.get_instance()

@@ -61,20 +70,70 @@ class LinearNewConversationView(LinearViewInterface):
        instructions, user_msg = await self._get_instructions(jinja_env)

        try:
-            agent_loop_info = await create_new_conversation(
-                user_id=self.linear_user.keycloak_user_id,
-                git_provider_tokens=provider_tokens,
-                selected_repository=self.selected_repo,
-                selected_branch=None,
-                initial_user_msg=user_msg,
-                conversation_instructions=instructions,
-                image_urls=None,
-                replay_json=None,
-                conversation_trigger=ConversationTrigger.LINEAR,
-                custom_secrets=user_secrets.custom_secrets if user_secrets else None,
+            user_id = self.linear_user.keycloak_user_id
+
+            # Resolve git provider from repository
+            resolved_git_provider = None
+            if provider_tokens:
+                try:
+                    provider_handler = ProviderHandler(provider_tokens)
+                    repository = await provider_handler.verify_repo_provider(
+                        self.selected_repo
+                    )
+                    resolved_git_provider = repository.git_provider
+                except Exception as e:
+                    logger.warning(
+                        f'[Linear] Failed to resolve git provider for {self.selected_repo}: {e}'
+                    )
+
+            # Resolve target org based on claimed git organizations
+            resolved_org_id = None
+            if resolved_git_provider and self.selected_repo:
+                try:
+                    resolved_org_id = await resolve_org_for_repo(
+                        provider=resolved_git_provider.value,
+                        full_repo_name=self.selected_repo,
+                        keycloak_user_id=user_id,
+                    )
+                except Exception as e:
+                    logger.warning(
+                        f'[Linear] Failed to resolve org for {self.selected_repo}: {e}'
+                    )
+
+            # Create the conversation store with resolver org routing
+            # (bypasses initialize_conversation to avoid threading enterprise-only
+            # resolver_org_id through the generic OSS interface)
+            store = await SaasConversationStore.get_resolver_instance(
+                get_config(),
+                user_id,
+                resolved_org_id,
            )

-            self.conversation_id = agent_loop_info.conversation_id
+            conversation_id = uuid4().hex
+            conversation_metadata = ConversationMetadata(
+                trigger=ConversationTrigger.LINEAR,
+                conversation_id=conversation_id,
+                title=get_default_conversation_title(conversation_id),
+                user_id=user_id,
+                selected_repository=self.selected_repo,
+                selected_branch=None,
+                git_provider=resolved_git_provider,
+            )
+            await store.save_metadata(conversation_metadata)
+
+            await start_conversation(
+                user_id=user_id,
+                git_provider_tokens=provider_tokens,
+                custom_secrets=user_secrets.custom_secrets if user_secrets else None,
+                initial_user_msg=user_msg,
+                image_urls=None,
+                replay_json=None,
+                conversation_id=conversation_id,
+                conversation_metadata=conversation_metadata,
+                conversation_instructions=instructions,
+            )
+
+            self.conversation_id = conversation_id

            logger.info(f'[Linear] Created conversation {self.conversation_id}')

@@ -1,7 +1,9 @@
+from uuid import UUID
+
 from openhands.app_server.user.user_context import UserContext
 from openhands.app_server.user.user_models import UserInfo
 from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderHandler
-from openhands.integrations.service_types import ProviderType
+from openhands.integrations.service_types import ProviderType, UserGitInfo
 from openhands.sdk.secret import SecretSource, StaticSecret
 from openhands.server.user_auth.user_auth import UserAuth

@@ -12,8 +14,10 @@ class ResolverUserContext(UserContext):
    def __init__(
        self,
        saas_user_auth: UserAuth,
+        resolver_org_id: UUID | None = None,
    ):
        self.saas_user_auth = saas_user_auth
+        self.resolver_org_id = resolver_org_id
        self._provider_handler: ProviderHandler | None = None

    async def get_user_id(self) -> str | None:
@@ -81,3 +85,6 @@ class ResolverUserContext(UserContext):

    async def get_mcp_api_key(self) -> str | None:
        return await self.saas_user_auth.get_mcp_api_key()
+
+    async def get_user_git_info(self) -> UserGitInfo | None:
+        return await self.saas_user_auth.get_user_git_info()
@@ -0,0 +1,68 @@
+"""Resolve which OpenHands organization workspace a resolver conversation should be created in.
+
+This module provides a reusable utility for routing resolver conversations
+(GitHub, GitLab, Bitbucket, Slack, etc.) to the correct OpenHands organization
+workspace based on claimed Git organizations.
+"""
+
+from uuid import UUID
+
+from storage.org_git_claim_store import OrgGitClaimStore
+from storage.org_member_store import OrgMemberStore
+
+from openhands.core.logger import openhands_logger as logger
+
+
+async def resolve_org_for_repo(
+    provider: str,
+    full_repo_name: str,
+    keycloak_user_id: str,
+) -> UUID | None:
+    """Determine the OpenHands org_id for a resolver conversation.
+
+    If the repo's git organization is claimed by an OpenHands org AND the user
+    is a member of that org, returns the claiming org's ID. Otherwise returns
+    None (caller should fall back to user.current_org_id / personal workspace).
+
+    Args:
+        provider: Git provider name ("github", "gitlab", "bitbucket")
+        full_repo_name: Full repository name (e.g., "OpenHands/foo")
+        keycloak_user_id: The user's Keycloak UUID string
+
+    Returns:
+        The org_id if the repo's org is claimed and user is a member, else None
+    """
+    git_org = full_repo_name.split('/')[0].lower()
+
+    try:
+        claim = await OrgGitClaimStore.get_claim_by_provider_and_git_org(
+            provider, git_org
+        )
+        if not claim:
+            logger.debug(
+                f'[OrgResolver] No claim found for {provider}/{git_org}',
+            )
+            return None
+
+        member = await OrgMemberStore.get_org_member(
+            claim.org_id, UUID(keycloak_user_id)
+        )
+        if not member:
+            logger.debug(
+                f'[OrgResolver] User {keycloak_user_id} is not a member of org '
+                f'{claim.org_id} (claimed {provider}/{git_org}). '
+                f'Falling back to personal workspace.',
+            )
+            return None
+
+        logger.info(
+            f'[OrgResolver] Routing conversation to org {claim.org_id} '
+            f'for {provider}/{git_org} (user {keycloak_user_id})',
+        )
+        return claim.org_id
+    except Exception as e:
+        logger.error(
+            f'[OrgResolver] Error resolving org for {provider}/{git_org}: {e}',
+            exc_info=True,
+        )
+        return None
@@ -239,12 +239,14 @@ class SlackManager(Manager[SlackViewInterface]):
    def _generate_repo_selection_form(
        self, message_ts: str, thread_ts: str | None
    ) -> list[dict[str, Any]]:
-        """Generate a repo selection form using external_select for dynamic loading.
+        """Generate a repo selection form with immediate "No Repository" button and search dropdown.

-        This uses Slack's external_select element which allows:
-        - Type-ahead search for repositories
-        - Dynamic loading of options from an external endpoint
-        - Support for users with many repositories (no 100 option limit)
+        This form provides two options side-by-side:
+        1. A "No Repository" button - immediately clickable without any loading
+        2. An external_select dropdown - for searching repositories dynamically
+
+        This design ensures "No Repository" is always immediately available while
+        still providing full dynamic search capability for repositories.

        Args:
            message_ts: The message timestamp for tracking
@@ -266,12 +268,22 @@ class SlackManager(Manager[SlackViewInterface]):
                'type': 'section',
                'text': {
                    'type': 'mrkdwn',
-                    'text': 'Type to search your repositories:',
+                    'text': 'Select a repository or continue without one:',
                },
            },
            {
                'type': 'actions',
                'elements': [
+                    {
+                        'type': 'button',
+                        'action_id': f'no_repository:{message_ts}:{thread_ts}',
+                        'text': {
+                            'type': 'plain_text',
+                            'text': 'No Repository',
+                            'emoji': True,
+                        },
+                        'value': '-',
+                    },
                    {
                        'type': 'external_select',
                        'action_id': f'repository_select:{message_ts}:{thread_ts}',
@@ -279,8 +291,8 @@ class SlackManager(Manager[SlackViewInterface]):
                            'type': 'plain_text',
                            'text': 'Search repositories...',
                        },
-                        'min_query_length': 0,  # Load initial options immediately
-                    }
+                        'min_query_length': 0,
+                    },
                ],
            },
        ]
@@ -288,8 +300,11 @@ class SlackManager(Manager[SlackViewInterface]):
    def _build_repo_options(self, repos: list[Repository]) -> list[dict[str, Any]]:
        """Build Slack options list from repositories.

-        Always includes a "No Repository" option at the top, followed by up to 99
-        repositories (Slack has a 100 option limit for external_select).
+        Returns up to 100 repositories formatted as Slack options
+        (Slack has a 100 option limit for external_select).
+
+        Note: "No Repository" is handled by a separate button in the form,
+        so it's not included in the dropdown options.

        Args:
            repos: List of Repository objects
@@ -297,13 +312,7 @@ class SlackManager(Manager[SlackViewInterface]):
        Returns:
            List of Slack option objects
        """
-        options: list[dict[str, Any]] = [
-            {
-                'text': {'type': 'plain_text', 'text': 'No Repository'},
-                'value': '-',
-            }
-        ]
-        options.extend(
+        return [
            {
                'text': {
                    'type': 'plain_text',
@@ -311,9 +320,8 @@ class SlackManager(Manager[SlackViewInterface]):
                },
                'value': repo.full_name,
            }
-            for repo in repos[:99]  # Leave room for "No Repository" option
-        )
-        return options
+            for repo in repos[:100]
+        ]

    async def search_repos_for_slack(
        self, user_auth: UserAuth, query: str, per_page: int = 20
@@ -363,33 +371,69 @@ class SlackManager(Manager[SlackViewInterface]):
                SlackError(SlackErrorCode.UNEXPECTED_ERROR),
            )

-    async def receive_form_interaction(self, slack_payload: dict):
-        """Process a Slack form interaction (repository selection).
+    def _parse_form_action(self, action: dict) -> tuple[str, str | None, str] | None:
+        """Parse action payload and extract message_ts, thread_ts, and selected value.

-        This handles the block_actions payload when a user selects a repository
-        from the dropdown form. It retrieves the original user message from Redis
-        and delegates to receive_message for processing.
+        This handles the different payload structures for button clicks vs dropdown
+        selections in the repository selection form.
+
+        Args:
+            action: The action object from the Slack payload
+
+        Returns:
+            Tuple of (message_ts, thread_ts, selected_value) if action is recognized,
+            None if the action_id is unknown.
+        """
+        action_id = action['action_id']
+
+        if action_id.startswith('no_repository:'):
+            # Button click - value is in 'value' field
+            attribs = action_id.split('no_repository:')[-1]
+            selected_value = action.get('value', '-')
+        elif action_id.startswith('repository_select:'):
+            # Dropdown selection - value is in 'selected_option'
+            attribs = action_id.split('repository_select:')[-1]
+            selected_value = action['selected_option']['value']
+        else:
+            return None
+
+        message_ts, thread_ts = attribs.split(':')
+        thread_ts = None if thread_ts == 'None' else thread_ts
+
+        return message_ts, thread_ts, selected_value
+
+    async def receive_form_interaction(self, slack_payload: dict):
+        """Process a Slack form interaction (repository selection or button click).
+
+        This handles the block_actions payload when a user interacts with the
+        repository selection form. It can handle:
+        - "No Repository" button click: proceeds with conversation without a repo
+        - Repository selection from dropdown: proceeds with the selected repo

        Args:
            slack_payload: The raw Slack interaction payload
        """
        # Extract fields from the Slack interaction payload
-        selected_repository = slack_payload['actions'][0]['selected_option']['value']
-        if selected_repository == '-':
-            selected_repository = None
-
+        action = slack_payload['actions'][0]
        slack_user_id = slack_payload['user']['id']
        channel_id = slack_payload['container']['channel_id']
        team_id = slack_payload['team']['id']

-        # Get original message_ts and thread_ts from action_id
-        attribs = slack_payload['actions'][0]['action_id'].split('repository_select:')[
-            -1
-        ]
-        message_ts, thread_ts = attribs.split(':')
-        thread_ts = None if thread_ts == 'None' else thread_ts
+        # Parse the action to extract message_ts, thread_ts, and selected value
+        parsed = self._parse_form_action(action)
+        if parsed is None:
+            logger.warning(
+                'slack_unknown_action_id',
+                extra={
+                    'action_id': action['action_id'],
+                    'slack_user_id': slack_user_id,
+                },
+            )
+            return

-        # Build partial payload for error handling during Redis retrieval
+        message_ts, thread_ts, selected_value = parsed
+
+        # Build partial payload for error handling
        payload = {
            'team_id': team_id,
            'channel_id': channel_id,
@@ -398,6 +442,9 @@ class SlackManager(Manager[SlackViewInterface]):
            'thread_ts': thread_ts,
        }

+        # Convert "-" (No Repository) to None
+        selected_repository = None if selected_value == '-' else selected_value
+
        # Retrieve the original user message from Redis
        try:
            user_msg = await self._retrieve_user_msg_for_form(message_ts, thread_ts)
@@ -111,9 +111,11 @@ class SlackV1CallbackProcessor(EventCallbackProcessor):

        try:
            # Post the summary as a threaded reply
+            # Use markdown_text instead of text to properly render standard Markdown
+            # (e.g., **bold**, [link](url)) which is used throughout the codebase
            response = client.chat_postMessage(
                channel=channel_id,
-                text=summary,
+                markdown_text=summary,
                thread_ts=thread_ts,
                unfurl_links=False,
                unfurl_media=False,
@@ -4,6 +4,7 @@ from uuid import UUID, uuid4

 from integrations.models import Message
 from integrations.resolver_context import ResolverUserContext
+from integrations.resolver_org_router import resolve_org_for_repo
 from integrations.slack.slack_types import (
    SlackMessageView,
    SlackViewInterface,
@@ -17,7 +18,9 @@ from integrations.utils import (
    get_user_v1_enabled_setting,
 )
 from jinja2 import Environment
+from server.config import get_config
 from slack_sdk import WebClient
+from storage.saas_conversation_store import SaasConversationStore
 from storage.slack_conversation import SlackConversation
 from storage.slack_conversation_store import SlackConversationStore
 from storage.slack_team_store import SlackTeamStore
@@ -36,18 +39,20 @@ from openhands.core.logger import openhands_logger as logger
 from openhands.core.schema.agent import AgentState
 from openhands.events.action import MessageAction
 from openhands.events.serialization.event import event_to_dict
-from openhands.integrations.provider import ProviderHandler, ProviderType
+from openhands.integrations.provider import ProviderHandler
 from openhands.sdk import TextContent
 from openhands.server.services.conversation_service import (
-    create_new_conversation,
    setup_init_conversation_settings,
+    start_conversation,
 )
 from openhands.server.shared import ConversationStoreImpl, config, conversation_manager
 from openhands.server.user_auth.user_auth import UserAuth
 from openhands.storage.data_models.conversation_metadata import (
+    ConversationMetadata,
    ConversationTrigger,
 )
 from openhands.utils.async_utils import GENERAL_TIMEOUT
+from openhands.utils.conversation_summary import get_default_conversation_title

 # =================================================
 # SECTION: Slack view types
@@ -202,6 +207,22 @@ class SlackNewConversationView(SlackViewInterface):
        provider_tokens = await self.saas_user_auth.get_provider_tokens()
        user_secrets = await self.saas_user_auth.get_secrets()

+        # Determine git provider from repository (needed for both org routing and conversation creation)
+        self._resolved_git_provider = None
+        if self.selected_repo and provider_tokens:
+            provider_handler = ProviderHandler(provider_tokens)
+            repository = await provider_handler.verify_repo_provider(self.selected_repo)
+            self._resolved_git_provider = repository.git_provider
+
+        # Resolve target org based on claimed git organizations
+        self.resolved_org_id = None
+        if self._resolved_git_provider and self.selected_repo:
+            self.resolved_org_id = await resolve_org_for_repo(
+                provider=self._resolved_git_provider.value,
+                full_repo_name=self.selected_repo,
+                keycloak_user_id=self.slack_to_openhands_user.keycloak_user_id,
+            )
+
        # Check if V1 conversations are enabled for this user
        self.v1_enabled = await is_v1_enabled_for_slack_resolver(
            self.slack_to_openhands_user.keycloak_user_id
@@ -224,30 +245,44 @@ class SlackNewConversationView(SlackViewInterface):
            jinja
        )

-        # Determine git provider from repository
-        git_provider = None
-        if self.selected_repo and provider_tokens:
-            provider_handler = ProviderHandler(provider_tokens)
-            repository = await provider_handler.verify_repo_provider(self.selected_repo)
-            git_provider = repository.git_provider
+        user_id = self.slack_to_openhands_user.keycloak_user_id

-        agent_loop_info = await create_new_conversation(
-            user_id=self.slack_to_openhands_user.keycloak_user_id,
-            git_provider_tokens=provider_tokens,
+        # Create the conversation store with resolver org routing
+        # (bypasses initialize_conversation to avoid threading enterprise-only
+        # resolver_org_id through the generic OSS interface)
+        store = await SaasConversationStore.get_resolver_instance(
+            get_config(),
+            user_id,
+            self.resolved_org_id,
+        )
+
+        conversation_id = uuid4().hex
+        conversation_metadata = ConversationMetadata(
+            trigger=ConversationTrigger.SLACK,
+            conversation_id=conversation_id,
+            title=get_default_conversation_title(conversation_id),
+            user_id=user_id,
            selected_repository=self.selected_repo,
            selected_branch=None,
+            git_provider=self._resolved_git_provider,
+        )
+        await store.save_metadata(conversation_metadata)
+
+        await start_conversation(
+            user_id=user_id,
+            git_provider_tokens=provider_tokens,
+            custom_secrets=user_secrets.custom_secrets if user_secrets else None,
            initial_user_msg=user_instructions,
+            image_urls=None,
+            replay_json=None,
+            conversation_id=conversation_id,
+            conversation_metadata=conversation_metadata,
            conversation_instructions=(
                conversation_instructions if conversation_instructions else None
            ),
-            image_urls=None,
-            replay_json=None,
-            conversation_trigger=ConversationTrigger.SLACK,
-            custom_secrets=user_secrets.custom_secrets if user_secrets else None,
-            git_provider=git_provider,
        )

-        self.conversation_id = agent_loop_info.conversation_id
+        self.conversation_id = conversation_id
        logger.info(f'[Slack]: Created V0 conversation: {self.conversation_id}')
        await self.save_slack_convo(v1_enabled=False)

@@ -265,13 +300,8 @@ class SlackNewConversationView(SlackViewInterface):
        # Create the Slack V1 callback processor
        slack_callback_processor = self._create_slack_v1_callback_processor()

-        # Determine git provider from repository
-        git_provider = None
-        provider_tokens = await self.saas_user_auth.get_provider_tokens()
-        if self.selected_repo and provider_tokens:
-            provider_handler = ProviderHandler(provider_tokens)
-            repository = await provider_handler.verify_repo_provider(self.selected_repo)
-            git_provider = ProviderType(repository.git_provider.value)
+        # Use git provider resolved in create_or_update_conversation
+        git_provider = self._resolved_git_provider

        # Get the app conversation service and start the conversation
        injector_state = InjectorState()
@@ -292,7 +322,10 @@ class SlackNewConversationView(SlackViewInterface):
        )

        # Set up the Slack user context for the V1 system
-        slack_user_context = ResolverUserContext(saas_user_auth=self.saas_user_auth)
+        slack_user_context = ResolverUserContext(
+            saas_user_auth=self.saas_user_auth,
+            resolver_org_id=self.resolved_org_id,
+        )
        setattr(injector_state, USER_CONTEXT_ATTR, slack_user_context)

        async with get_app_conversation_service(
@@ -8,7 +8,7 @@ logging.getLogger('alembic.runtime.plugins').setLevel(logging.WARNING)

 from alembic import context  # noqa: E402
 from google.cloud.sql.connector import Connector  # noqa: E402
-from sqlalchemy import create_engine  # noqa: E402
+from sqlalchemy import create_engine, text  # noqa: E402
 from storage.base import Base  # noqa: E402

 target_metadata = Base.metadata
@@ -109,6 +109,10 @@ def run_migrations_online() -> None:
            version_table_schema=target_metadata.schema,
        )

+        # Lock number must be unique — md5 hash of 'openhands_enterprise_migrations'
+        # Lock is released when the connection context manager exits
+        connection.execute(text('SELECT pg_advisory_lock(3617572382373537863)'))
+
        with context.begin_transaction():
            context.run_migrations()

@@ -1,296 +0,0 @@
-"""Add agent_settings columns to enterprise settings tables.
-
-Revision ID: 102
-Revises: 101
-Create Date: 2026-03-22 00:00:00.000000
-
-"""
-
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '102'
-down_revision: Union[str, None] = '101'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-_EMPTY_JSON = sa.text("'{}'::json")
-
-
-def upgrade() -> None:
-    op.add_column(
-        'user_settings',
-        sa.Column(
-            'agent_settings', sa.JSON(), nullable=False, server_default=_EMPTY_JSON
-        ),
-    )
-    op.add_column(
-        'org_member',
-        sa.Column(
-            'agent_settings', sa.JSON(), nullable=False, server_default=_EMPTY_JSON
-        ),
-    )
-    op.add_column(
-        'org',
-        sa.Column(
-            'agent_settings', sa.JSON(), nullable=False, server_default=_EMPTY_JSON
-        ),
-    )
-
-    op.execute(
-        sa.text(
-            """
-            UPDATE user_settings
-            SET agent_settings = jsonb_strip_nulls(
-                jsonb_build_object(
-                    'schema_version', 1,
-                    'agent', agent,
-                    'llm.model', llm_model,
-                    'llm.base_url', llm_base_url,
-                    'verification.confirmation_mode', confirmation_mode,
-                    'verification.security_analyzer', security_analyzer,
-                    'condenser.enabled', enable_default_condenser,
-                    'condenser.max_size', condenser_max_size,
-                    'max_iterations', max_iterations
-                ) || COALESCE(agent_settings::jsonb, '{}'::jsonb)
-            )::json
-            """
-        )
-    )
-    op.execute(
-        sa.text(
-            """
-            UPDATE org_member
-            SET agent_settings = jsonb_strip_nulls(
-                jsonb_build_object(
-                    'schema_version', 1,
-                    'llm.model', llm_model,
-                    'llm.base_url', llm_base_url,
-                    'max_iterations', max_iterations
-                ) || COALESCE(agent_settings::jsonb, '{}'::jsonb)
-            )::json
-            """
-        )
-    )
-    op.execute(
-        sa.text(
-            """
-            UPDATE org
-            SET agent_settings = jsonb_strip_nulls(
-                jsonb_build_object(
-                    'schema_version', 1,
-                    'agent', agent,
-                    'llm.model', default_llm_model,
-                    'llm.base_url', default_llm_base_url,
-                    'verification.confirmation_mode', confirmation_mode,
-                    'verification.security_analyzer', security_analyzer,
-                    'condenser.enabled', enable_default_condenser,
-                    'condenser.max_size', condenser_max_size,
-                    'max_iterations', default_max_iterations,
-                    'mcp_config', mcp_config
-                ) || COALESCE(agent_settings::jsonb, '{}'::jsonb)
-            )::json
-            """
-        )
-    )
-
-    op.execute(
-        sa.text(
-            """
-            UPDATE user_settings AS us
-            SET llm_api_key_for_byor = om._llm_api_key_for_byor
-            FROM "user" AS u
-            JOIN org_member AS om
-              ON om.user_id = u.id
-             AND om.org_id = u.current_org_id
-            WHERE us.keycloak_user_id = u.id::text
-              AND us.llm_api_key_for_byor IS NULL
-              AND om._llm_api_key_for_byor IS NOT NULL
-            """
-        )
-    )
-    op.execute(
-        sa.text(
-            """
-            INSERT INTO user_settings (keycloak_user_id, llm_api_key_for_byor, agent_settings)
-            SELECT u.id::text, om._llm_api_key_for_byor, '{}'::json
-            FROM "user" AS u
-            JOIN org_member AS om
-              ON om.user_id = u.id
-             AND om.org_id = u.current_org_id
-            LEFT JOIN user_settings AS us
-              ON us.keycloak_user_id = u.id::text
-            WHERE us.id IS NULL
-              AND om._llm_api_key_for_byor IS NOT NULL
-            """
-        )
-    )
-
-    op.alter_column('user_settings', 'agent_settings', server_default=None)
-    op.alter_column('org_member', 'agent_settings', server_default=None)
-    op.alter_column('org', 'agent_settings', server_default=None)
-    op.drop_column('user_settings', 'agent')
-    op.drop_column('user_settings', 'max_iterations')
-    op.drop_column('user_settings', 'security_analyzer')
-    op.drop_column('user_settings', 'confirmation_mode')
-    op.drop_column('user_settings', 'llm_model')
-    op.drop_column('user_settings', 'llm_base_url')
-    op.drop_column('user_settings', 'enable_default_condenser')
-    op.drop_column('user_settings', 'condenser_max_size')
-    op.drop_column('org_member', 'max_iterations')
-    op.drop_column('org_member', 'llm_model')
-    op.drop_column('org_member', '_llm_api_key_for_byor')
-    op.drop_column('org_member', 'llm_base_url')
-    op.drop_column('org', 'agent')
-    op.drop_column('org', 'default_max_iterations')
-    op.drop_column('org', 'security_analyzer')
-    op.drop_column('org', 'confirmation_mode')
-    op.drop_column('org', 'default_llm_model')
-    op.drop_column('org', 'default_llm_base_url')
-    op.drop_column('org', 'enable_default_condenser')
-    op.drop_column('org', 'mcp_config')
-    op.drop_column('org', 'condenser_max_size')
-
-
-def downgrade() -> None:
-    op.add_column('user_settings', sa.Column('agent', sa.String(), nullable=True))
-    op.add_column(
-        'user_settings', sa.Column('max_iterations', sa.Integer(), nullable=True)
-    )
-    op.add_column(
-        'user_settings', sa.Column('security_analyzer', sa.String(), nullable=True)
-    )
-    op.add_column(
-        'user_settings', sa.Column('confirmation_mode', sa.Boolean(), nullable=True)
-    )
-    op.add_column('user_settings', sa.Column('llm_model', sa.String(), nullable=True))
-    op.add_column(
-        'user_settings', sa.Column('llm_base_url', sa.String(), nullable=True)
-    )
-    op.add_column(
-        'user_settings',
-        sa.Column(
-            'enable_default_condenser',
-            sa.Boolean(),
-            nullable=False,
-            server_default=sa.true(),
-        ),
-    )
-    op.add_column(
-        'user_settings', sa.Column('condenser_max_size', sa.Integer(), nullable=True)
-    )
-    op.add_column('org_member', sa.Column('llm_base_url', sa.String(), nullable=True))
-    op.add_column(
-        'org_member', sa.Column('_llm_api_key_for_byor', sa.String(), nullable=True)
-    )
-    op.add_column('org_member', sa.Column('llm_model', sa.String(), nullable=True))
-    op.add_column(
-        'org_member', sa.Column('max_iterations', sa.Integer(), nullable=True)
-    )
-    op.add_column('org', sa.Column('agent', sa.String(), nullable=True))
-    op.add_column(
-        'org', sa.Column('default_max_iterations', sa.Integer(), nullable=True)
-    )
-    op.add_column('org', sa.Column('security_analyzer', sa.String(), nullable=True))
-    op.add_column('org', sa.Column('confirmation_mode', sa.Boolean(), nullable=True))
-    op.add_column('org', sa.Column('default_llm_model', sa.String(), nullable=True))
-    op.add_column('org', sa.Column('default_llm_base_url', sa.String(), nullable=True))
-    op.add_column(
-        'org',
-        sa.Column(
-            'enable_default_condenser',
-            sa.Boolean(),
-            nullable=False,
-            server_default=sa.true(),
-        ),
-    )
-    op.add_column('org', sa.Column('mcp_config', sa.JSON(), nullable=True))
-    op.add_column('org', sa.Column('condenser_max_size', sa.Integer(), nullable=True))
-
-    op.execute(
-        sa.text(
-            """
-            UPDATE user_settings
-            SET
-                agent = agent_settings ->> 'agent',
-                max_iterations = NULLIF(agent_settings ->> 'max_iterations', '')::integer,
-                security_analyzer =
-                    agent_settings ->> 'verification.security_analyzer',
-                confirmation_mode = CASE
-                    WHEN agent_settings::jsonb ? 'verification.confirmation_mode'
-                    THEN (agent_settings ->> 'verification.confirmation_mode')::boolean
-                    ELSE NULL
-                END,
-                llm_model = agent_settings ->> 'llm.model',
-                llm_base_url = agent_settings ->> 'llm.base_url',
-                enable_default_condenser = CASE
-                    WHEN agent_settings::jsonb ? 'condenser.enabled'
-                    THEN (agent_settings ->> 'condenser.enabled')::boolean
-                    ELSE TRUE
-                END,
-                condenser_max_size =
-                    NULLIF(agent_settings ->> 'condenser.max_size', '')::integer
-            """
-        )
-    )
-    op.execute(
-        sa.text(
-            """
-            UPDATE org_member
-            SET
-                llm_model = agent_settings ->> 'llm.model',
-                llm_base_url = agent_settings ->> 'llm.base_url',
-                max_iterations = NULLIF(agent_settings ->> 'max_iterations', '')::integer
-            """
-        )
-    )
-    op.execute(
-        sa.text(
-            """
-            UPDATE org
-            SET
-                agent = agent_settings ->> 'agent',
-                default_max_iterations =
-                    NULLIF(agent_settings ->> 'max_iterations', '')::integer,
-                security_analyzer =
-                    agent_settings ->> 'verification.security_analyzer',
-                confirmation_mode = CASE
-                    WHEN agent_settings::jsonb ? 'verification.confirmation_mode'
-                    THEN (agent_settings ->> 'verification.confirmation_mode')::boolean
-                    ELSE NULL
-                END,
-                default_llm_model = agent_settings ->> 'llm.model',
-                default_llm_base_url = agent_settings ->> 'llm.base_url',
-                enable_default_condenser = CASE
-                    WHEN agent_settings::jsonb ? 'condenser.enabled'
-                    THEN (agent_settings ->> 'condenser.enabled')::boolean
-                    ELSE TRUE
-                END,
-                mcp_config = agent_settings -> 'mcp_config',
-                condenser_max_size =
-                    NULLIF(agent_settings ->> 'condenser.max_size', '')::integer
-            """
-        )
-    )
-    op.execute(
-        sa.text(
-            """
-            UPDATE org_member AS om
-            SET _llm_api_key_for_byor = us.llm_api_key_for_byor
-            FROM "user" AS u
-            JOIN user_settings AS us
-              ON us.keycloak_user_id = u.id::text
-            WHERE om.user_id = u.id
-              AND om.org_id = u.current_org_id
-              AND us.llm_api_key_for_byor IS NOT NULL
-            """
-        )
-    )
-
-    op.drop_column('org', 'agent_settings')
-    op.drop_column('org_member', 'agent_settings')
-    op.drop_column('user_settings', 'agent_settings')
@@ -6,6 +6,7 @@ Create Date: 2026-03-26

 """

+import json
 from typing import Sequence, Union

 import sqlalchemy as sa
@@ -33,7 +34,7 @@ def upgrade() -> None:
            sa.text(
                'UPDATE org_member SET mcp_config = :config WHERE org_id = :org_id'
            ),
-            {'config': mcp_config, 'org_id': str(org_id)},
+            {'config': json.dumps(mcp_config), 'org_id': str(org_id)},
        )


@@ -0,0 +1,29 @@
+"""Add disabled_skills column to user table.
+
+Migration 102 added disabled_skills to the legacy user_settings table,
+but the active SaaS flow (SaasSettingsStore) reads from/writes to the
+user table. This migration adds the column where it is actually needed.
+
+Revision ID: 104
+Revises: 103
+Create Date: 2026-03-31
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = '104'
+down_revision: Union[str, None] = '103'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column('user', sa.Column('disabled_skills', sa.JSON(), nullable=True))
+
+
+def downgrade() -> None:
+    op.drop_column('user', 'disabled_skills')
@@ -0,0 +1,37 @@
+"""Create org_git_claim table for tracking Git organization claims.
+
+Revision ID: 105
+Revises: 104
+Create Date: 2026-04-01
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = '105'
+down_revision: Union[str, None] = '104'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        'org_git_claim',
+        sa.Column('id', sa.UUID(), nullable=False),
+        sa.Column('org_id', sa.UUID(), nullable=False),
+        sa.Column('provider', sa.String(), nullable=False),
+        sa.Column('git_organization', sa.String(), nullable=False),
+        sa.Column('claimed_by', sa.UUID(), nullable=False),
+        sa.Column('claimed_at', sa.DateTime(timezone=True), nullable=False),
+        sa.ForeignKeyConstraint(['org_id'], ['org.id'], ondelete='CASCADE'),
+        sa.ForeignKeyConstraint(['claimed_by'], ['user.id']),
+        sa.PrimaryKeyConstraint('id'),
+        sa.UniqueConstraint('provider', 'git_organization', name='uq_provider_git_org'),
+    )
+
+
+def downgrade() -> None:
+    op.drop_table('org_git_claim')
@@ -0,0 +1,32 @@
+"""Add tags column to conversation_metadata table.
+
+Tags store key-value pairs for automation context (trigger type, automation_id),
+skills used, and other metadata. This enables querying conversations by
+automation source and associating SDK-provided context with conversations.
+
+Revision ID: 106
+Revises: 105
+Create Date: 2026-03-31
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = '106'
+down_revision: Union[str, None] = '105'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column(
+        'conversation_metadata',
+        sa.Column('tags', sa.JSON(), nullable=True),
+    )
+
+
+def downgrade() -> None:
+    op.drop_column('conversation_metadata', 'tags')
@@ -49,6 +49,9 @@ from server.routes.readiness import readiness_router  # noqa: E402
 from server.routes.service import service_router  # noqa: E402
 from server.routes.user import saas_user_router  # noqa: E402
 from server.routes.user_app_settings import user_app_settings_router  # noqa: E402
+from server.routes.users_v1 import (  # noqa: E402
+    override_users_me_endpoint,
+)
 from server.sharing.shared_conversation_router import (  # noqa: E402
    router as shared_conversation_router,
 )
@@ -123,6 +126,10 @@ base_app.include_router(
 # This must happen after all routers are included
 override_llm_models_dependency(base_app)

+# Override the /api/v1/users/me endpoint to include organization info
+# This replaces the OSS endpoint with a SAAS version that adds org_id, org_name, role, permissions
+override_users_me_endpoint(base_app)
+
 base_app.include_router(invitation_router)  # Add routes for org invitation management
 base_app.include_router(invitation_accept_router)  # Add route for accepting invitations
 add_github_proxy_routes(base_app)
@@ -41,7 +41,7 @@ from storage.role import Role
 from storage.role_store import RoleStore

 from openhands.core.logger import openhands_logger as logger
-from openhands.server.user_auth import get_user_id
+from openhands.server.user_auth import get_user_auth, get_user_id


 class Permission(str, Enum):
@@ -84,6 +84,9 @@ class Permission(str, Enum):
    # Temporary permissions until we finish the API updates.
    EDIT_ORG_SETTINGS = 'edit_org_settings'

+    # Git organization claims
+    MANAGE_ORG_CLAIMS = 'manage_org_claims'
+

 class RoleName(str, Enum):
    """Role names used in the system."""
@@ -118,6 +121,8 @@ ROLE_PERMISSIONS: dict[RoleName, frozenset[Permission]] = {
            # Organization Management (Owner only)
            Permission.CHANGE_ORGANIZATION_NAME,
            Permission.DELETE_ORGANIZATION,
+            # Git organization claims
+            Permission.MANAGE_ORG_CLAIMS,
        ]
    ),
    RoleName.ADMIN: frozenset(
@@ -139,6 +144,8 @@ ROLE_PERMISSIONS: dict[RoleName, frozenset[Permission]] = {
            # Organization Management
            Permission.VIEW_ORG_SETTINGS,
            Permission.EDIT_ORG_SETTINGS,
+            # Git organization claims
+            Permission.MANAGE_ORG_CLAIMS,
        ]
    ),
    RoleName.MEMBER: frozenset(
@@ -311,3 +318,96 @@ def require_permission(permission: Permission):
        return user_id

    return permission_checker
+
+
+async def require_financial_data_access(
+    request: Request,
+    org_id: UUID,
+    user_id: str | None = Depends(get_user_id),
+) -> str:
+    """
+    Authorization dependency for accessing organization financial data.
+
+    Allows access if ANY of these conditions are met:
+    1. User has Admin or Owner role in the organization
+    2. User has @openhands.dev email domain
+
+    This is used for the organization members financial data endpoint.
+
+    Args:
+        request: FastAPI request object
+        org_id: Organization UUID from path parameter
+        user_id: User ID from authentication
+
+    Returns:
+        str: User ID if authorized
+
+    Raises:
+        HTTPException: 401 if not authenticated, 403 if not authorized
+    """
+    if not user_id:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail='User not authenticated',
+        )
+
+    # Validate API key organization binding
+    api_key_org_id = await get_api_key_org_id_from_request(request)
+    if api_key_org_id is not None:
+        if api_key_org_id != org_id:
+            logger.warning(
+                'API key organization mismatch for financial data access',
+                extra={
+                    'user_id': user_id,
+                    'api_key_org_id': str(api_key_org_id),
+                    'target_org_id': str(org_id),
+                },
+            )
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail='API key is not authorized for this organization',
+            )
+
+    # Check if user has @openhands.dev email
+    user_auth = await get_user_auth(request)
+    user_email = await user_auth.get_user_email()
+
+    if user_email and user_email.endswith('@openhands.dev'):
+        logger.debug(
+            'Financial data access granted via @openhands.dev email',
+            extra={'user_id': user_id, 'org_id': str(org_id)},
+        )
+        return user_id
+
+    # Check if user has Admin or Owner role in the organization
+    user_role = await get_user_org_role(user_id, org_id)
+
+    if not user_role:
+        logger.warning(
+            'Financial data access denied - user not a member of organization',
+            extra={'user_id': user_id, 'org_id': str(org_id)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail='User is not a member of this organization',
+        )
+
+    if user_role.name not in (RoleName.OWNER.value, RoleName.ADMIN.value):
+        logger.warning(
+            'Financial data access denied - insufficient role',
+            extra={
+                'user_id': user_id,
+                'org_id': str(org_id),
+                'user_role': user_role.name,
+            },
+        )
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail='Access restricted to organization admins, owners, or OpenHands members',
+        )
+
+    logger.debug(
+        'Financial data access granted via admin/owner role',
+        extra={'user_id': user_id, 'org_id': str(org_id), 'role': user_role.name},
+    )
+    return user_id
@@ -6,7 +6,6 @@ GITHUB_APP_WEBHOOK_SECRET = os.getenv('GITHUB_APP_WEBHOOK_SECRET', '')
 GITHUB_APP_PRIVATE_KEY = os.getenv('GITHUB_APP_PRIVATE_KEY', '').replace('\\n', '\n')
 KEYCLOAK_SERVER_URL = os.getenv('KEYCLOAK_SERVER_URL', '').rstrip('/')
 KEYCLOAK_REALM_NAME = os.getenv('KEYCLOAK_REALM_NAME', '')
-KEYCLOAK_PROVIDER_NAME = os.getenv('KEYCLOAK_PROVIDER_NAME', '')
 KEYCLOAK_CLIENT_ID = os.getenv('KEYCLOAK_CLIENT_ID', '')
 KEYCLOAK_CLIENT_SECRET = os.getenv('KEYCLOAK_CLIENT_SECRET', '')
 KEYCLOAK_SERVER_URL_EXT = os.getenv(
@@ -4,7 +4,6 @@ from server.auth.constants import (
    KEYCLOAK_ADMIN_PASSWORD,
    KEYCLOAK_CLIENT_ID,
    KEYCLOAK_CLIENT_SECRET,
-    KEYCLOAK_PROVIDER_NAME,
    KEYCLOAK_REALM_NAME,
    KEYCLOAK_SERVER_URL,
    KEYCLOAK_SERVER_URL_EXT,
@@ -12,7 +11,7 @@ from server.auth.constants import (
 from server.logger import logger

 logger.debug(
-    f'KEYCLOAK_SERVER_URL:{KEYCLOAK_SERVER_URL}, KEYCLOAK_SERVER_URL_EXT:{KEYCLOAK_SERVER_URL_EXT}, KEYCLOAK_PROVIDER_NAME:{KEYCLOAK_PROVIDER_NAME}, KEYCLOAK_CLIENT_ID:{KEYCLOAK_CLIENT_ID}'
+    f'KEYCLOAK_SERVER_URL:{KEYCLOAK_SERVER_URL}, KEYCLOAK_SERVER_URL_EXT:{KEYCLOAK_SERVER_URL_EXT}, KEYCLOAK_CLIENT_ID:{KEYCLOAK_CLIENT_ID}'
 )

 _keycloak_instances = {}
@@ -14,6 +14,10 @@ from server.auth.auth_error import (
    ExpiredError,
    NoCredentialsError,
 )
+from server.auth.authorization import (
+    get_role_permissions,
+    get_user_org_role,
+)
 from server.auth.constants import BITBUCKET_DATA_CENTER_HOST
 from server.auth.token_manager import TokenManager
 from server.config import get_config
@@ -23,10 +27,12 @@ from sqlalchemy import delete, select
 from storage.api_key_store import ApiKeyStore
 from storage.auth_tokens import AuthTokens
 from storage.database import a_session_maker
+from storage.org_store import OrgStore
 from storage.saas_secrets_store import SaasSecretsStore
 from storage.saas_settings_store import SaasSettingsStore
 from storage.user_authorization import UserAuthorizationType
 from storage.user_authorization_store import UserAuthorizationStore
+from storage.user_store import UserStore
 from tenacity import retry, retry_if_exception_type, stop_after_attempt, wait_fixed

 from openhands.integrations.provider import (
@@ -64,6 +70,12 @@ class SaasUserAuth(UserAuth):
    api_key_org_id: UUID | None = None  # Org bound to the API key used for auth
    api_key_id: int | None = None
    api_key_name: str | None = None
+    # Organization context fields - populated lazily via get_org_info()
+    _org_id: str | None = None
+    _org_name: str | None = None
+    _role: str | None = None
+    _permissions: list[str] | None = None
+    _org_info_loaded: bool = False

    def get_api_key_org_id(self) -> UUID | None:
        """Get the organization ID bound to the API key used for authentication.
@@ -242,6 +254,72 @@ class SaasUserAuth(UserAuth):
            )
        return mcp_api_key

+    async def get_org_info(self) -> dict | None:
+        """Get organization info for the current user.
+
+        Lazily loads and caches organization data including:
+        - org_id: Current organization ID
+        - org_name: Current organization name
+        - role: User's role in the organization
+        - permissions: List of permission names for the role
+
+        Returns:
+            dict with org_id, org_name, role, permissions or None if not available
+        """
+        if self._org_info_loaded:
+            if self._org_id is None:
+                return None
+            return {
+                'org_id': self._org_id,
+                'org_name': self._org_name,
+                'role': self._role,
+                'permissions': self._permissions,
+            }
+
+        # Mark as loaded to avoid repeated attempts on failure
+        self._org_info_loaded = True
+
+        try:
+            # Get user and their current org
+            user = await UserStore.get_user_by_id(self.user_id)
+            if not user:
+                logger.warning(f'User {self.user_id} not found for org info')
+                return None
+
+            # Get the current org
+            org = await OrgStore.get_org_by_id(user.current_org_id)
+            if not org:
+                logger.warning(
+                    f'Organization {user.current_org_id} not found for user {self.user_id}'
+                )
+                return None
+
+            # Get user's role in the current org
+            role = await get_user_org_role(self.user_id, user.current_org_id)
+            role_name = role.name if role else None
+
+            # Get permissions for the role
+            permissions: list[str] = []
+            if role_name:
+                role_permissions = get_role_permissions(role_name)
+                permissions = [p.value for p in role_permissions]
+
+            # Cache the results
+            self._org_id = str(user.current_org_id)
+            self._org_name = org.name
+            self._role = role_name
+            self._permissions = permissions
+
+            return {
+                'org_id': self._org_id,
+                'org_name': self._org_name,
+                'role': self._role,
+                'permissions': self._permissions,
+            }
+        except Exception as e:
+            logger.error(f'Error fetching org info for user {self.user_id}: {e}')
+            return None
+
    @classmethod
    async def get_instance(cls, request: Request) -> UserAuth:
        logger.debug('saas_user_auth_get_instance')
@@ -80,8 +80,7 @@ def setup_json_logger(
    handler.setLevel(level)

    formatter = JsonFormatter(
-        '{message}{levelname}',
-        style='{',
+        '%(message)s%(levelname)s%(module)s%(funcName)s%(lineno)d',
        rename_fields={'levelname': 'severity'},
        json_serializer=custom_json_serializer,
        # Use 'ts' for consistency with LOG_JSON_FOR_CONSOLE mode (skip when console mode to avoid duplicates)
@@ -0,0 +1 @@
+# Enterprise server models
@@ -0,0 +1,16 @@
+"""SAAS-specific user models that extend OSS UserInfo with organization fields."""
+
+from openhands.app_server.user.user_models import UserInfo
+
+
+class SaasUserInfo(UserInfo):
+    """User info model for SAAS mode with organization context.
+
+    Extends the base UserInfo with SAAS-specific fields for organization
+    membership, role, and permissions.
+    """
+
+    org_id: str | None = None
+    org_name: str | None = None
+    role: str | None = None
+    permissions: list[str] | None = None
@@ -4,13 +4,12 @@ from typing import cast
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from pydantic import BaseModel, field_validator
 from server.auth.saas_user_auth import SaasUserAuth
-from sqlalchemy import select
 from storage.api_key import ApiKey
 from storage.api_key_store import ApiKeyStore
-from storage.database import a_session_maker
 from storage.lite_llm_manager import LiteLlmManager
+from storage.org_member import OrgMember
+from storage.org_member_store import OrgMemberStore
 from storage.org_service import OrgService
-from storage.user_settings import UserSettings
 from storage.user_store import UserStore

 from openhands.core.logger import openhands_logger as logger
@@ -21,29 +20,39 @@ from openhands.server.user_auth.user_auth import AuthType
 # Helper functions for BYOR API key management
 async def get_byor_key_from_db(user_id: str) -> str | None:
    """Get the BYOR key from the database for a user."""
-    async with a_session_maker() as session:
-        result = await session.execute(
-            select(UserSettings).filter(UserSettings.keycloak_user_id == user_id)
-        )
-        user_settings = result.scalars().first()
+    user = await UserStore.get_user_by_id(user_id)
+    if not user:
+        return None

-    byor_key = user_settings.llm_api_key_for_byor_secret if user_settings else None
-    return byor_key.get_secret_value() if byor_key else None
+    current_org_id = user.current_org_id
+    current_org_member: OrgMember | None = None
+    for org_member in user.org_members:
+        if org_member.org_id == current_org_id:
+            current_org_member = org_member
+            break
+    if not current_org_member:
+        return None
+    if current_org_member.llm_api_key_for_byor:
+        return current_org_member.llm_api_key_for_byor.get_secret_value()
+    return None


 async def store_byor_key_in_db(user_id: str, key: str) -> None:
    """Store the BYOR key in the database for a user."""
-    async with a_session_maker() as session:
-        result = await session.execute(
-            select(UserSettings).filter(UserSettings.keycloak_user_id == user_id)
-        )
-        user_settings = result.scalars().first()
-        if not user_settings:
-            user_settings = UserSettings(keycloak_user_id=user_id)
-            session.add(user_settings)
+    user = await UserStore.get_user_by_id(user_id)
+    if not user:
+        return None

-        user_settings.llm_api_key_for_byor_secret = key
-        await session.commit()
+    current_org_id = user.current_org_id
+    current_org_member: OrgMember | None = None
+    for org_member in user.org_members:
+        if org_member.org_id == current_org_id:
+            current_org_member = org_member
+            break
+    if not current_org_member:
+        return None
+    current_org_member.llm_api_key_for_byor = key
+    await OrgMemberStore.update_org_member(current_org_member)


 async def generate_byor_key(user_id: str) -> str | None:
@@ -7,8 +7,8 @@ from storage.database import a_session_maker
 from storage.feedback import ConversationFeedback
 from storage.stored_conversation_metadata_saas import StoredConversationMetadataSaas

+from openhands.app_server.utils.dependencies import get_dependencies
 from openhands.events.event_store import EventStore
-from openhands.server.dependencies import get_dependencies
 from openhands.server.shared import file_store
 from openhands.server.user_auth import get_user_id

@@ -335,6 +335,9 @@ async def on_options_load(request: Request, background_tasks: BackgroundTasks):
    2. Searches for repositories matching the user's query
    3. Returns up to 100 options for the dropdown

+    Note: "No Repository" is handled by a separate button in the form, so it's
+    not included in the dropdown options. Error cases return an empty list.
+
    Configuration: Set the Options Load URL in Slack App settings to:
    https://your-domain/slack/on-options-load
    """
@@ -120,3 +120,18 @@ class BatchInvitationResponse(BaseModel):

    successful: list[InvitationResponse]
    failed: list[InvitationFailure]
+
+
+class AcceptInvitationRequest(BaseModel):
+    """Request model for accepting an invitation via POST."""
+
+    token: str
+
+
+class AcceptInvitationResponse(BaseModel):
+    """Response model for successful invitation acceptance."""
+
+    success: bool
+    org_id: str
+    org_name: str
+    role: str
@@ -5,6 +5,8 @@ from uuid import UUID
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import RedirectResponse
 from server.routes.org_invitation_models import (
+    AcceptInvitationRequest,
+    AcceptInvitationResponse,
    BatchInvitationResponse,
    EmailMismatchError,
    InsufficientPermissionError,
@@ -17,10 +19,11 @@ from server.routes.org_invitation_models import (
 )
 from server.services.org_invitation_service import OrgInvitationService
 from server.utils.rate_limit_utils import check_rate_limit_by_user_id
+from storage.org_store import OrgStore
+from storage.role_store import RoleStore

 from openhands.core.logger import openhands_logger as logger
 from openhands.server.user_auth import get_user_id
-from openhands.server.user_auth.user_auth import get_user_auth

 # Router for invitation operations on an organization (requires org_id)
 invitation_router = APIRouter(prefix='/api/organizations/{org_id}/members')
@@ -123,70 +126,93 @@ async def create_invitation(


@accept_router.get('/accept')
-async def accept_invitation(
+async def accept_invitation_redirect(
    token: str,
    request: Request,
 ):
-    """Accept an organization invitation via token.
+    """Redirect invitation acceptance to frontend.

    This endpoint is accessed via the link in the invitation email.
+    It always redirects to the home page with the invitation token,
+    allowing the frontend to handle the acceptance flow via a modal.

-    Flow:
-    1. If user is authenticated: Accept invitation directly and redirect to home
-    2. If user is not authenticated: Redirect to login page with invitation token
-       - Frontend stores token and includes it in OAuth state during login
-       - After authentication, keycloak_callback processes the invitation
+    This approach works with SameSite='strict' cookies because:
+    - Cross-site navigation (clicking email link) doesn't send cookies
+    - But same-origin POST requests (from frontend) DO send cookies

    Args:
        token: The invitation token from the email link
        request: FastAPI request

    Returns:
-        RedirectResponse: Redirect to home page on success, or login page if not authenticated,
-                         or home page with error query params on failure
+        RedirectResponse: Redirect to home page with invitation_token query param
    """
    base_url = str(request.base_url).rstrip('/')

-    # Try to get user_id from auth (may not be authenticated)
-    user_id = None
-    try:
-        user_auth = await get_user_auth(request)
-        if user_auth:
-            user_id = await user_auth.get_user_id()
-    except Exception:
-        pass
+    logger.info(
+        'Invitation accept: redirecting to frontend for acceptance',
+        extra={'token_prefix': token[:10] + '...'},
+    )

-    if not user_id:
-        # User not authenticated - redirect to login page with invitation token
-        # Frontend will store the token and include it in OAuth state during login
-        logger.info(
-            'Invitation accept: redirecting unauthenticated user to login',
-            extra={'token_prefix': token[:10] + '...'},
-        )
-        login_url = f'{base_url}/login?invitation_token={token}'
-        return RedirectResponse(login_url, status_code=302)
+    return RedirectResponse(f'{base_url}/?invitation_token={token}', status_code=302)
+
+
+@accept_router.post('/accept', response_model=AcceptInvitationResponse)
+async def accept_invitation(
+    request_data: AcceptInvitationRequest,
+    user_id: str = Depends(get_user_id),
+):
+    """Accept an organization invitation via authenticated POST request.
+
+    This endpoint is called by the frontend after displaying the acceptance modal.
+    Requires authentication - cookies are sent because this is a same-origin request.
+
+    Args:
+        request_data: Contains the invitation token
+        user_id: Authenticated user ID (from dependency)
+
+    Returns:
+        AcceptInvitationResponse: Success response with organization details
+
+    Raises:
+        HTTPException 400: Invalid or expired token
+        HTTPException 403: Email mismatch
+        HTTPException 409: User already a member
+    """
+    token = request_data.token

-    # User is authenticated - process the invitation directly
    try:
-        await OrgInvitationService.accept_invitation(token, UUID(user_id))
+        invitation = await OrgInvitationService.accept_invitation(token, UUID(user_id))
+
+        # Get organization and role details for response
+        org = await OrgStore.get_org_by_id(invitation.org_id)
+        role = await RoleStore.get_role_by_id(invitation.role_id)

        logger.info(
-            'Invitation accepted successfully',
+            'Invitation accepted via API',
            extra={
                'token_prefix': token[:10] + '...',
                'user_id': user_id,
+                'org_id': str(invitation.org_id),
            },
        )

-        # Redirect to home page on success
-        return RedirectResponse(f'{base_url}/', status_code=302)
+        return AcceptInvitationResponse(
+            success=True,
+            org_id=str(invitation.org_id),
+            org_name=org.name if org else '',
+            role=role.name if role else '',
+        )

    except InvitationExpiredError:
        logger.warning(
            'Invitation accept failed: expired',
            extra={'token_prefix': token[:10] + '...', 'user_id': user_id},
        )
-        return RedirectResponse(f'{base_url}/?invitation_expired=true', status_code=302)
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='invitation_expired',
+        )

    except InvitationInvalidError as e:
        logger.warning(
@@ -197,14 +223,20 @@ async def accept_invitation(
                'error': str(e),
            },
        )
-        return RedirectResponse(f'{base_url}/?invitation_invalid=true', status_code=302)
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='invitation_invalid',
+        )

    except UserAlreadyMemberError:
        logger.info(
            'Invitation accept: user already member',
            extra={'token_prefix': token[:10] + '...', 'user_id': user_id},
        )
-        return RedirectResponse(f'{base_url}/?already_member=true', status_code=302)
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail='already_member',
+        )

    except EmailMismatchError as e:
        logger.warning(
@@ -215,15 +247,21 @@ async def accept_invitation(
                'error': str(e),
            },
        )
-        return RedirectResponse(f'{base_url}/?email_mismatch=true', status_code=302)
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail='email_mismatch',
+        )

    except Exception as e:
        logger.exception(
-            'Unexpected error accepting invitation',
+            'Unexpected error accepting invitation via API',
            extra={
                'token_prefix': token[:10] + '...',
                'user_id': user_id,
                'error': str(e),
            },
        )
-        return RedirectResponse(f'{base_url}/?invitation_error=true', status_code=302)
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='An unexpected error occurred',
+        )
@@ -1,4 +1,4 @@
-from typing import Annotated, Any
+from typing import Annotated

 from pydantic import (
    BaseModel,
@@ -8,10 +8,6 @@ from pydantic import (
    StringConstraints,
    field_validator,
 )
-from storage.agent_settings_utils import (
-    get_org_agent_settings,
-    get_org_member_agent_settings,
-)
 from storage.org import Org
 from storage.org_member import OrgMember
 from storage.role import Role
@@ -148,13 +144,21 @@ class OrgResponse(BaseModel):
    contact_name: str
    contact_email: str
    conversation_expiration: int | None = None
+    agent: str | None = None
+    default_max_iterations: int | None = None
+    security_analyzer: str | None = None
+    confirmation_mode: bool | None = None
+    default_llm_model: str | None = None
+    default_llm_api_key_for_byor: str | None = None
+    default_llm_base_url: str | None = None
    remote_runtime_resource_factor: int | None = None
+    enable_default_condenser: bool = True
    billing_margin: float | None = None
    enable_proactive_conversation_starters: bool = True
    sandbox_base_container_image: str | None = None
    sandbox_runtime_container_image: str | None = None
    org_version: int = 0
-    agent_settings: dict[str, Any] = Field(default_factory=dict)
+    mcp_config: dict | None = None
    search_api_key: str | None = None
    sandbox_api_key: str | None = None
    max_budget_per_task: float | None = None
@@ -167,14 +171,33 @@ class OrgResponse(BaseModel):
    def from_org(
        cls, org: Org, credits: float | None = None, user_id: str | None = None
    ) -> 'OrgResponse':
-        """Create an OrgResponse from an Org entity."""
+        """Create an OrgResponse from an Org entity.
+
+        Args:
+            org: The organization entity to convert
+            credits: Optional credits value (defaults to None)
+            user_id: Optional user ID to determine if org is personal (defaults to None)
+
+        Returns:
+            OrgResponse: The response model instance
+        """
        return cls(
            id=str(org.id),
            name=org.name,
            contact_name=org.contact_name,
            contact_email=org.contact_email,
            conversation_expiration=org.conversation_expiration,
+            agent=org.agent,
+            default_max_iterations=org.default_max_iterations,
+            security_analyzer=org.security_analyzer,
+            confirmation_mode=org.confirmation_mode,
+            default_llm_model=org.default_llm_model,
+            default_llm_api_key_for_byor=None,
+            default_llm_base_url=org.default_llm_base_url,
            remote_runtime_resource_factor=org.remote_runtime_resource_factor,
+            enable_default_condenser=org.enable_default_condenser
+            if org.enable_default_condenser is not None
+            else True,
            billing_margin=org.billing_margin,
            enable_proactive_conversation_starters=org.enable_proactive_conversation_starters
            if org.enable_proactive_conversation_starters is not None
@@ -182,7 +205,7 @@ class OrgResponse(BaseModel):
            sandbox_base_container_image=org.sandbox_base_container_image,
            sandbox_runtime_container_image=org.sandbox_runtime_container_image,
            org_version=org.org_version if org.org_version is not None else 0,
-            agent_settings=get_org_agent_settings(org),
+            mcp_config=org.mcp_config,
            search_api_key=None,
            sandbox_api_key=None,
            max_budget_per_task=org.max_budget_per_task,
@@ -204,6 +227,7 @@ class OrgPage(BaseModel):
 class OrgUpdate(BaseModel):
    """Request model for updating an organization."""

+    # Basic organization information (any authenticated user can update)
    name: Annotated[
        str | None,
        StringConstraints(strip_whitespace=True, min_length=1, max_length=255),
@@ -211,6 +235,7 @@ class OrgUpdate(BaseModel):
    contact_name: str | None = None
    contact_email: EmailStr | None = None
    conversation_expiration: int | None = None
+    default_max_iterations: int | None = Field(default=None, gt=0)
    remote_runtime_resource_factor: int | None = Field(default=None, gt=0)
    billing_margin: float | None = Field(default=None, ge=0, le=1)
    enable_proactive_conversation_starters: bool | None = None
@@ -220,15 +245,31 @@ class OrgUpdate(BaseModel):
    max_budget_per_task: float | None = Field(default=None, gt=0)
    enable_solvability_analysis: bool | None = None
    v1_enabled: bool | None = None
+
+    # LLM settings (require admin/owner role)
+    default_llm_model: str | None = None
+    default_llm_api_key_for_byor: str | None = None
+    default_llm_base_url: str | None = None
    search_api_key: str | None = None
-    agent_settings: dict[str, Any] | None = None
+    security_analyzer: str | None = None
+    agent: str | None = None
+    confirmation_mode: bool | None = None
+    enable_default_condenser: bool | None = None
+    condenser_max_size: int | None = Field(default=None, ge=20)


 class OrgLLMSettingsResponse(BaseModel):
    """Response model for organization LLM settings."""

-    agent_settings: dict[str, Any] = Field(default_factory=dict)
+    default_llm_model: str | None = None
+    default_llm_base_url: str | None = None
    search_api_key: str | None = None  # Masked in response
+    agent: str | None = None
+    confirmation_mode: bool | None = None
+    security_analyzer: str | None = None
+    enable_default_condenser: bool = True
+    condenser_max_size: int | None = None
+    default_max_iterations: int | None = None

    @staticmethod
    def _mask_key(secret: SecretStr | None) -> str | None:
@@ -246,45 +287,83 @@ class OrgLLMSettingsResponse(BaseModel):
    def from_org(cls, org: Org) -> 'OrgLLMSettingsResponse':
        """Create response from Org entity."""
        return cls(
-            agent_settings=get_org_agent_settings(org),
+            default_llm_model=org.default_llm_model,
+            default_llm_base_url=org.default_llm_base_url,
            search_api_key=cls._mask_key(org.search_api_key),
+            agent=org.agent,
+            confirmation_mode=org.confirmation_mode,
+            security_analyzer=org.security_analyzer,
+            enable_default_condenser=org.enable_default_condenser
+            if org.enable_default_condenser is not None
+            else True,
+            condenser_max_size=org.condenser_max_size,
+            default_max_iterations=org.default_max_iterations,
        )


 class OrgMemberLLMSettings(BaseModel):
-    """Shared LLM settings that may be propagated to organization members."""
+    """LLM settings to propagate to organization members.

-    agent_settings: dict[str, Any] | None = None
+    Field names match OrgMember DB columns.
+    """
+
+    llm_model: str | None = None
+    llm_base_url: str | None = None
+    max_iterations: int | None = None
    llm_api_key: str | None = None

    def has_updates(self) -> bool:
        """Check if any field is set (not None)."""
-        return any(
-            getattr(self, field) is not None for field in type(self).model_fields
-        )
+        return any(getattr(self, field) is not None for field in self.model_fields)


 class OrgLLMSettingsUpdate(BaseModel):
-    """Request model for updating organization LLM settings."""
+    """Request model for updating organization LLM settings.

-    agent_settings: dict[str, Any] | None = None
+    Field names match Org DB columns exactly.
+    """
+
+    default_llm_model: str | None = None
+    default_llm_base_url: str | None = None
    search_api_key: str | None = None
+    agent: str | None = None
+    confirmation_mode: bool | None = None
+    security_analyzer: str | None = None
+    enable_default_condenser: bool | None = None
+    condenser_max_size: int | None = Field(default=None, ge=20)
+    default_max_iterations: int | None = Field(default=None, gt=0)
    llm_api_key: str | None = None

    def has_updates(self) -> bool:
        """Check if any field is set (not None)."""
-        return any(
-            getattr(self, field) is not None for field in type(self).model_fields
-        )
+        return any(getattr(self, field) is not None for field in self.model_fields)

    def apply_to_org(self, org: Org) -> None:
-        """Apply non-None settings to the organization model."""
-        if self.search_api_key is not None:
-            org.search_api_key = self.search_api_key
+        """Apply non-None settings to the organization model.
+
+        Args:
+            org: Organization entity to update in place
+        """
+        for field_name in self.model_fields:
+            value = getattr(self, field_name)
+            # Skip llm_api_key - it's only for member propagation, not org-level
+            if value is not None and field_name != 'llm_api_key':
+                setattr(org, field_name, value)

    def get_member_updates(self) -> OrgMemberLLMSettings | None:
-        """Get updates that need to be propagated to org members."""
-        member_settings = OrgMemberLLMSettings(llm_api_key=self.llm_api_key)
+        """Get updates that need to be propagated to org members.
+
+        Returns:
+            OrgMemberLLMSettings with mapped field values, or None if no member updates needed.
+            Maps: default_llm_model → llm_model, default_llm_base_url → llm_base_url,
+                  default_max_iterations → max_iterations, llm_api_key → llm_api_key
+        """
+        member_settings = OrgMemberLLMSettings(
+            llm_model=self.default_llm_model,
+            llm_base_url=self.default_llm_base_url,
+            max_iterations=self.default_max_iterations,
+            llm_api_key=self.llm_api_key,
+        )
        return member_settings if member_settings.has_updates() else None


@@ -321,15 +400,18 @@ class MeResponse(BaseModel):
    email: str
    role: str
    llm_api_key: str
-    agent_settings: dict[str, Any] = Field(default_factory=dict)
+    max_iterations: int | None = None
+    llm_model: str | None = None
+    llm_api_key_for_byor: str | None = None
+    llm_base_url: str | None = None
    status: str | None = None

    @staticmethod
-    def _mask_key(secret: str | SecretStr | None) -> str:
+    def _mask_key(secret: SecretStr | None) -> str:
        """Mask an API key, showing only last 4 characters."""
        if secret is None:
            return ''
-        raw = secret.get_secret_value() if isinstance(secret, SecretStr) else secret
+        raw = secret.get_secret_value()
        if not raw:
            return ''
        if len(raw) <= 4:
@@ -337,20 +419,27 @@ class MeResponse(BaseModel):
        return '****' + raw[-4:]

    @classmethod
-    def from_org_member(
-        cls,
-        member: OrgMember,
-        role: Role,
-        email: str,
-    ) -> 'MeResponse':
-        """Create a MeResponse from an OrgMember, Role, and user email."""
+    def from_org_member(cls, member: OrgMember, role: Role, email: str) -> 'MeResponse':
+        """Create a MeResponse from an OrgMember, Role, and user email.
+
+        Args:
+            member: The OrgMember entity
+            role: The Role entity (provides role name)
+            email: The user's email address
+
+        Returns:
+            MeResponse with masked API keys
+        """
        return cls(
            org_id=str(member.org_id),
            user_id=str(member.user_id),
            email=email,
            role=role.name,
            llm_api_key=cls._mask_key(member.llm_api_key),
-            agent_settings=get_org_member_agent_settings(member),
+            max_iterations=member.max_iterations,
+            llm_model=member.llm_model,
+            llm_api_key_for_byor=cls._mask_key(member.llm_api_key_for_byor) or None,
+            llm_base_url=member.llm_base_url,
            status=member.status,
        )

@@ -394,3 +483,72 @@ class OrgAppSettingsUpdate(BaseModel):
        if v is not None and v <= 0:
            raise ValueError('max_budget_per_task must be greater than 0')
        return v
+
+
+VALID_GIT_PROVIDERS = {'github', 'gitlab', 'bitbucket'}
+
+
+class GitOrgClaimRequest(BaseModel):
+    """Request model for claiming a Git organization."""
+
+    provider: str
+    git_organization: str
+
+    @field_validator('provider')
+    @classmethod
+    def validate_provider(cls, v: str) -> str:
+        v = v.lower().strip()
+        if v not in VALID_GIT_PROVIDERS:
+            raise ValueError(
+                f'Invalid provider: "{v}". Must be one of: {", ".join(sorted(VALID_GIT_PROVIDERS))}'
+            )
+        return v
+
+    @field_validator('git_organization')
+    @classmethod
+    def validate_git_organization(cls, v: str) -> str:
+        v = v.strip().lower()
+        if not v:
+            raise ValueError('git_organization must not be empty')
+        return v
+
+
+class GitOrgClaimResponse(BaseModel):
+    """Response model for a Git organization claim."""
+
+    id: str
+    org_id: str
+    provider: str
+    git_organization: str
+    claimed_by: str
+    claimed_at: str
+
+
+class GitOrgAlreadyClaimedError(Exception):
+    """Raised when a Git organization is already claimed by another OpenHands org."""
+
+    def __init__(self, provider: str, git_organization: str):
+        self.provider = provider
+        self.git_organization = git_organization
+        super().__init__(
+            f'Git organization "{git_organization}" on {provider} is already claimed by another organization'
+        )
+
+
+class OrgMemberFinancialResponse(BaseModel):
+    """Financial data for a single organization member."""
+
+    user_id: str
+    email: str | None
+    lifetime_spend: float  # Total amount spent (from LiteLLM)
+    current_budget: float  # Remaining budget (max_budget - spend)
+    max_budget: float | None  # Total allocated budget (None = unlimited)
+
+
+class OrgMemberFinancialPage(BaseModel):
+    """Paginated response for organization member financial data."""
+
+    items: list[OrgMemberFinancialResponse]
+    current_page: int = 1
+    per_page: int = 10
+    next_page_id: str | None = None
@@ -4,11 +4,15 @@ from uuid import UUID
 from fastapi import APIRouter, Depends, HTTPException, Query, status
 from server.auth.authorization import (
    Permission,
+    require_financial_data_access,
    require_permission,
 )
 from server.email_validation import get_admin_user_id
 from server.routes.org_models import (
    CannotModifySelfError,
+    GitOrgAlreadyClaimedError,
+    GitOrgClaimRequest,
+    GitOrgClaimResponse,
    InsufficientPermissionError,
    InvalidRoleError,
    LastOwnerError,
@@ -22,6 +26,7 @@ from server.routes.org_models import (
    OrgDatabaseError,
    OrgLLMSettingsResponse,
    OrgLLMSettingsUpdate,
+    OrgMemberFinancialPage,
    OrgMemberNotFoundError,
    OrgMemberPage,
    OrgMemberResponse,
@@ -42,7 +47,10 @@ from server.services.org_llm_settings_service import (
    OrgLLMSettingsService,
    OrgLLMSettingsServiceInjector,
 )
+from server.services.org_member_financial_service import OrgMemberFinancialService
 from server.services.org_member_service import OrgMemberService
+from sqlalchemy.exc import IntegrityError
+from storage.org_git_claim_store import OrgGitClaimStore
 from storage.org_service import OrgService
 from storage.user_store import UserStore

@@ -883,6 +891,104 @@ async def get_org_members_count(
        )


+@org_router.get(
+    '/{org_id}/members/financial',
+    response_model=OrgMemberFinancialPage,
+)
+async def get_org_members_financial(
+    org_id: UUID,
+    page_id: Annotated[
+        str | None,
+        Query(
+            title='Pagination offset encoded as string',
+            description='Offset for pagination (e.g., "0", "10", "20")',
+        ),
+    ] = None,
+    limit: Annotated[
+        int,
+        Query(
+            title='Maximum items per page',
+            gt=0,
+            le=100,
+        ),
+    ] = 10,
+    email: Annotated[
+        str | None,
+        Query(
+            title='Filter members by email (case-insensitive partial match)',
+            min_length=1,
+            max_length=255,
+        ),
+    ] = None,
+    user_id: str = Depends(require_financial_data_access),
+) -> OrgMemberFinancialPage:
+    """Get paginated financial data for organization members.
+
+    Returns financial information (lifetime spend, current budget) for all members
+    within the specified organization. Access is restricted to:
+    - Organization Admins
+    - Organization Owners
+    - OpenHands members (users with @openhands.dev emails)
+
+    Args:
+        org_id: Organization ID (UUID)
+        page_id: Optional pagination offset encoded as string
+        limit: Maximum items per page (1-100, default 10)
+        email: Optional email filter (case-insensitive partial match)
+        user_id: Authenticated user ID (injected by require_financial_data_access)
+
+    Returns:
+        OrgMemberFinancialPage: Paginated response with member financial data
+            - items: List of members with user_id, email, lifetime_spend,
+                     current_budget, and max_budget
+            - current_page: Current page number (1-indexed)
+            - per_page: Items per page
+            - next_page_id: Offset for next page, or None if no more pages
+
+    Raises:
+        HTTPException: 401 if user is not authenticated
+        HTTPException: 403 if user lacks access (not admin/owner and not @openhands.dev)
+        HTTPException: 400 if page_id is invalid
+        HTTPException: 500 if retrieval fails
+    """
+    logger.info(
+        'Getting financial data for organization members',
+        extra={
+            'org_id': str(org_id),
+            'user_id': user_id,
+            'page_id': page_id,
+            'limit': limit,
+            'email_filter': email,
+        },
+    )
+
+    try:
+        return await OrgMemberFinancialService.get_org_members_financial_data(
+            org_id=org_id,
+            page_id=page_id,
+            limit=limit,
+            email_filter=email,
+        )
+    except ValueError as e:
+        logger.warning(
+            'Invalid page_id for financial data request',
+            extra={'org_id': str(org_id), 'page_id': page_id, 'error': str(e)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=str(e),
+        )
+    except Exception:
+        logger.exception(
+            'Error retrieving organization member financial data',
+            extra={'org_id': str(org_id)},
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to retrieve member financial data',
+        )
+
+
@org_router.delete('/{org_id}/members/{user_id}')
 async def remove_org_member(
    org_id: UUID,
@@ -1111,3 +1217,181 @@ async def update_org_member(
            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
            detail='Failed to update member',
        )
+
+
+@org_router.get(
+    '/{org_id}/git-claims',
+    response_model=list[GitOrgClaimResponse],
+)
+async def get_git_claims(
+    org_id: UUID,
+    user_id: str = Depends(require_permission(Permission.MANAGE_ORG_CLAIMS)),
+) -> list[GitOrgClaimResponse]:
+    """Get all Git organization claims for an OpenHands organization.
+
+    Only admin and owner roles can view Git organization claims.
+
+    Args:
+        org_id: OpenHands organization UUID
+        user_id: Authenticated user ID (injected by permission check)
+
+    Returns:
+        List of GitOrgClaimResponse with claim details
+    """
+    try:
+        claims = await OrgGitClaimStore.get_claims_by_org_id(org_id=org_id)
+        return [
+            GitOrgClaimResponse(
+                id=str(claim.id),
+                org_id=str(claim.org_id),
+                provider=claim.provider,
+                git_organization=claim.git_organization,
+                claimed_by=str(claim.claimed_by),
+                claimed_at=claim.claimed_at.isoformat(),
+            )
+            for claim in claims
+        ]
+    except Exception:
+        logger.exception('Error fetching Git organization claims')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to fetch Git organization claims',
+        )
+
+
+@org_router.post(
+    '/{org_id}/git-claims',
+    response_model=GitOrgClaimResponse,
+    status_code=status.HTTP_201_CREATED,
+)
+async def claim_git_organization(
+    org_id: UUID,
+    request: GitOrgClaimRequest,
+    user_id: str = Depends(require_permission(Permission.MANAGE_ORG_CLAIMS)),
+) -> GitOrgClaimResponse:
+    """Claim a Git organization for an OpenHands organization.
+
+    Only admin and owner roles can claim Git organizations.
+    A Git organization can only be claimed by one OpenHands organization at a time.
+
+    Args:
+        org_id: OpenHands organization UUID
+        request: Claim request with provider and git_organization
+        user_id: Authenticated user ID (injected by permission check)
+
+    Returns:
+        GitOrgClaimResponse with the created claim details
+
+    Raises:
+        HTTPException 409: If the Git organization is already claimed
+        HTTPException 403: If user lacks permission
+    """
+    try:
+        # Check if this Git org is already claimed (early feedback for the common case)
+        existing_claim = await OrgGitClaimStore.get_claim_by_provider_and_git_org(
+            provider=request.provider,
+            git_organization=request.git_organization,
+        )
+
+        if existing_claim:
+            raise GitOrgAlreadyClaimedError(
+                provider=request.provider,
+                git_organization=request.git_organization,
+            )
+
+        # Create the claim — the DB unique constraint handles the race condition
+        # where two concurrent requests both pass the check above.
+        claim = await OrgGitClaimStore.create_claim(
+            org_id=org_id,
+            provider=request.provider,
+            git_organization=request.git_organization,
+            claimed_by=UUID(user_id),
+        )
+
+        return GitOrgClaimResponse(
+            id=str(claim.id),
+            org_id=str(claim.org_id),
+            provider=claim.provider,
+            git_organization=claim.git_organization,
+            claimed_by=str(claim.claimed_by),
+            claimed_at=claim.claimed_at.isoformat(),
+        )
+
+    except GitOrgAlreadyClaimedError as e:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=str(e),
+        )
+    except IntegrityError as e:
+        # Only treat the unique constraint violation as a duplicate claim.
+        # Other integrity errors (e.g. FK violations) should surface as 500s.
+        if 'uq_provider_git_org' in str(e.orig):
+            raise HTTPException(
+                status_code=status.HTTP_409_CONFLICT,
+                detail=str(
+                    GitOrgAlreadyClaimedError(
+                        provider=request.provider,
+                        git_organization=request.git_organization,
+                    )
+                ),
+            )
+        logger.exception('Integrity error claiming Git organization')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to claim Git organization',
+        )
+    except Exception:
+        logger.exception('Error claiming Git organization')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to claim Git organization',
+        )
+
+
+@org_router.delete(
+    '/{org_id}/git-claims/{claim_id}',
+    status_code=status.HTTP_200_OK,
+)
+async def disconnect_git_organization(
+    org_id: UUID,
+    claim_id: UUID,
+    user_id: str = Depends(require_permission(Permission.MANAGE_ORG_CLAIMS)),
+) -> dict:
+    """Remove a Git organization claim from an OpenHands organization.
+
+    Only admin and owner roles can disconnect Git organization claims.
+
+    Args:
+        org_id: OpenHands organization UUID
+        claim_id: Claim UUID to remove
+        user_id: Authenticated user ID (injected by permission check)
+
+    Returns:
+        dict: Confirmation message on successful deletion
+
+    Raises:
+        HTTPException 404: If the claim is not found for this organization
+        HTTPException 403: If user lacks permission
+    """
+    try:
+        deleted = await OrgGitClaimStore.delete_claim(
+            claim_id=claim_id,
+            org_id=org_id,
+        )
+
+        if not deleted:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail='Git organization claim not found',
+            )
+
+        return {'message': 'Git organization claim removed successfully'}
+
+    except HTTPException:
+        raise
+    except Exception:
+        logger.exception('Error disconnecting Git organization')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to disconnect Git organization',
+        )
@@ -7,8 +7,10 @@ from server.auth.token_manager import TokenManager
 from storage.user_store import UserStore
 from utils.identity import resolve_display_name

+from openhands.app_server.utils.dependencies import get_dependencies
 from openhands.integrations.provider import (
    PROVIDER_TOKEN_TYPE,
+    ProviderHandler,
 )
 from openhands.integrations.service_types import (
    Branch,
@@ -22,7 +24,6 @@ from openhands.microagent.types import (
    MicroagentContentResponse,
    MicroagentResponse,
 )
-from openhands.server.dependencies import get_dependencies
 from openhands.server.routes.git import (
    get_repository_branches,
    get_repository_microagent_content,
@@ -44,7 +45,12 @@ saas_user_router = APIRouter(prefix='/api/user', dependencies=get_dependencies()
 token_manager = TokenManager()


-@saas_user_router.get('/installations', response_model=list[str])
+@saas_user_router.get(
+    '/installations',
+    response_model=list[str],
+    deprecated=True,
+    description='Deprecated: Use `/api/v1/git/installations` instead.',
+)
 async def saas_get_user_installations(
    provider: ProviderType,
    provider_tokens: PROVIDER_TOKEN_TYPE | None = Depends(get_provider_tokens),
@@ -67,7 +73,59 @@ async def saas_get_user_installations(
    )


-@saas_user_router.get('/repositories', response_model=list[Repository])
+@saas_user_router.get('/git-organizations')
+async def saas_get_user_git_organizations(
+    provider_tokens: PROVIDER_TOKEN_TYPE | None = Depends(get_provider_tokens),
+    access_token: SecretStr | None = Depends(get_access_token),
+    user_id: str | None = Depends(get_user_id),
+):
+    if not provider_tokens:
+        retval = await _check_idp(
+            access_token=access_token,
+            default_value={},
+        )
+        if retval is not None:
+            return retval
+        # _check_idp returned None (tokens refreshed on Keycloak side),
+        # but provider_tokens is still None for this request.
+        return JSONResponse(
+            content='Git provider token required.',
+            status_code=status.HTTP_401_UNAUTHORIZED,
+        )
+
+    client = ProviderHandler(
+        provider_tokens=provider_tokens,
+        external_auth_token=access_token,
+        external_auth_id=user_id,
+    )
+
+    # SaaS users sign in with one provider at a time
+    provider = next(iter(provider_tokens))
+
+    if provider == ProviderType.GITHUB:
+        orgs = await client.get_github_organizations()
+    elif provider == ProviderType.GITLAB:
+        orgs = await client.get_gitlab_groups()
+    elif provider == ProviderType.BITBUCKET:
+        orgs = await client.get_bitbucket_workspaces()
+    else:
+        return JSONResponse(
+            content=f"Provider {provider.value} doesn't support git organizations",
+            status_code=status.HTTP_400_BAD_REQUEST,
+        )
+
+    return {
+        'provider': provider.value,
+        'organizations': orgs,
+    }
+
+
+@saas_user_router.get(
+    '/repositories',
+    response_model=list[Repository],
+    deprecated=True,
+    description='Deprecated: Use `/api/v1/git/repositories` instead.',
+)
 async def saas_get_user_repositories(
    sort: str = 'pushed',
    selected_provider: ProviderType | None = None,
@@ -98,12 +156,13 @@ async def saas_get_user_repositories(
    )


-@saas_user_router.get('/info', response_model=User)
+@saas_user_router.get('/info', response_model=User, deprecated=True)
 async def saas_get_user(
    provider_tokens: PROVIDER_TOKEN_TYPE | None = Depends(get_provider_tokens),
    access_token: SecretStr | None = Depends(get_access_token),
    user_id: str | None = Depends(get_user_id),
 ) -> User | JSONResponse:
+    """Get the current user git info. Use GET /api/v1/users/git-info instead"""
    if not provider_tokens:
        if not access_token:
            return JSONResponse(
@@ -0,0 +1,106 @@
+"""SAAS-specific extensions for the /api/v1/users endpoints.
+
+This module provides SAAS-specific implementations that extend the OSS
+user endpoints with organization context (org_id, org_name, role, permissions).
+"""
+
+import logging
+
+from fastapi import APIRouter, FastAPI, Header, HTTPException, Query, status
+from fastapi.responses import JSONResponse
+from server.auth.saas_user_auth import SaasUserAuth
+from server.models.user_models import SaasUserInfo
+
+from openhands.app_server.config import depends_user_context
+from openhands.app_server.sandbox.session_auth import validate_session_key_ownership
+from openhands.app_server.user.auth_user_context import AuthUserContext
+from openhands.app_server.user.user_context import UserContext
+from openhands.app_server.utils.dependencies import get_dependencies
+
+_logger = logging.getLogger(__name__)
+
+saas_users_v1_router = APIRouter(
+    prefix='/api/v1/users', tags=['User'], dependencies=get_dependencies()
+)
+user_dependency = depends_user_context()
+
+
+@saas_users_v1_router.get('/me')
+async def get_current_user_saas(
+    user_context: UserContext = user_dependency,
+    expose_secrets: bool = Query(
+        default=False,
+        description='If true, return unmasked secret values (e.g. llm_api_key). '
+        'Requires a valid X-Session-API-Key header for an active sandbox '
+        'owned by the authenticated user.',
+    ),
+    x_session_api_key: str | None = Header(default=None),
+) -> SaasUserInfo:
+    """Get the current authenticated user with SAAS-specific org info.
+
+    Returns user settings along with organization context:
+    - org_id: Current organization ID
+    - org_name: Current organization name
+    - role: User's role in the organization
+    - permissions: List of permission strings for the role
+    """
+    # Get base user info from the context
+    base_user_info = await user_context.get_user_info()
+    if base_user_info is None:
+        raise HTTPException(status.HTTP_401_UNAUTHORIZED, detail='Not authenticated')
+
+    # Build SAAS user info from base settings
+    user_info_data = base_user_info.model_dump(
+        mode='json', context={'expose_secrets': True}
+    )
+
+    # Add org info if available (from SaasUserAuth)
+    org_info = await _get_org_info_from_context(user_context)
+    if org_info:
+        user_info_data.update(org_info)
+
+    user_info = SaasUserInfo(**user_info_data)
+
+    if expose_secrets:
+        await validate_session_key_ownership(user_context, x_session_api_key)
+        return JSONResponse(  # type: ignore[return-value]
+            content=user_info.model_dump(mode='json', context={'expose_secrets': True})
+        )
+    return user_info
+
+
+async def _get_org_info_from_context(user_context: UserContext) -> dict | None:
+    """Extract org info from the user context if available.
+
+    This works by checking if the underlying user_auth is a SaasUserAuth
+    instance that has the get_org_info method.
+    """
+    # Check if this is an AuthUserContext with a SaasUserAuth
+    if isinstance(user_context, AuthUserContext):
+        user_auth = user_context.user_auth
+        if isinstance(user_auth, SaasUserAuth):
+            return await user_auth.get_org_info()
+    return None
+
+
+def override_users_me_endpoint(app: FastAPI) -> None:
+    """Override the OSS /api/v1/users/me endpoint with SAAS version.
+
+    This removes the base OSS endpoint and registers the SAAS version
+    which includes organization context (org_id, org_name, role, permissions).
+
+    Must be called after the app is created in saas_server.py.
+    """
+    # Find and remove the OSS /api/v1/users/me route
+    routes_to_remove = []
+    for route in app.routes:
+        if hasattr(route, 'path') and route.path == '/api/v1/users/me':
+            routes_to_remove.append(route)
+
+    for route in routes_to_remove:
+        app.routes.remove(route)
+        _logger.debug('Removed OSS route: %s', route.path)
+
+    # Add the SAAS version
+    app.include_router(saas_users_v1_router)
+    _logger.debug('Added SAAS /api/v1/users/me endpoint')
@@ -522,9 +522,10 @@ class SaasNestedConversationManager(ConversationManager):

        mcp_config = await self._get_mcp_config(user_id)
        if mcp_config:
-            settings_mcp_config = settings.to_legacy_mcp_config()
-            if settings_mcp_config:
-                mcp_config = mcp_config.merge(settings_mcp_config)
+            # Merge with any MCP config from settings
+            if settings.mcp_config:
+                mcp_config = mcp_config.merge(settings.mcp_config)
+            # Check again since theoretically merge could return None.
            if mcp_config:
                init_conversation['mcp_config'] = mcp_config.model_dump()

@@ -854,7 +855,7 @@ class SaasNestedConversationManager(ConversationManager):
            user_id=user_id,
        )
        llm_registry.retry_listner = session._notify_on_llm_retry
-        agent_cls = settings.agent_settings.agent or self.config.default_agent
+        agent_cls = settings.agent or self.config.default_agent
        agent_config = self.config.get_agent_config(agent_cls)
        agent = Agent.get_cls(agent_cls)(agent_config, llm_registry)

@@ -371,9 +371,9 @@ class OrgInvitationService:
            raise InvitationInvalidError('Organization not found')

        # Step 5: Add user to organization with inherited org LLM settings
-        llm_api_key_secret = settings.get_secret_agent_setting('llm.api_key')
+        # Get the llm_api_key as string (it's SecretStr | None in Settings)
        llm_api_key = (
-            llm_api_key_secret.get_secret_value() if llm_api_key_secret else ''
+            settings.llm_api_key.get_secret_value() if settings.llm_api_key else ''
        )

        await OrgMemberStore.add_user_to_org(
@@ -382,7 +382,9 @@ class OrgInvitationService:
            role_id=invitation.role_id,
            llm_api_key=llm_api_key,
            status='active',
-            agent_settings=OrgStore.get_agent_settings_from_org(org),
+            llm_model=org.default_llm_model,
+            llm_base_url=org.default_llm_base_url,
+            max_iterations=org.default_max_iterations,
        )

        # Step 6: Mark invitation as accepted
@@ -0,0 +1,171 @@
+"""Service for managing organization member financial data."""
+
+from uuid import UUID
+
+import httpx
+from server.routes.org_models import (
+    OrgMemberFinancialPage,
+    OrgMemberFinancialResponse,
+)
+from storage.lite_llm_manager import LiteLlmManager
+from storage.org_member_store import OrgMemberStore
+
+from openhands.core.logger import openhands_logger as logger
+
+
+class OrgMemberFinancialService:
+    """Service for organization member financial data operations."""
+
+    @staticmethod
+    async def get_org_members_financial_data(
+        org_id: UUID,
+        page_id: str | None = None,
+        limit: int = 10,
+        email_filter: str | None = None,
+    ) -> OrgMemberFinancialPage:
+        """Get paginated financial data for organization members.
+
+        Fetches member list from database and joins with financial data from LiteLLM.
+
+        Args:
+            org_id: Organization UUID
+            page_id: Offset encoded as string (e.g., "0", "10", "20")
+            limit: Maximum items per page (default 10)
+            email_filter: Optional case-insensitive partial email match
+
+        Returns:
+            OrgMemberFinancialPage: Paginated response with financial data
+
+        Raises:
+            ValueError: If page_id is invalid
+        """
+        # Parse page_id to get offset
+        offset = 0
+        if page_id is not None:
+            try:
+                offset = int(page_id)
+                if offset < 0:
+                    raise ValueError('page_id must be non-negative')
+            except ValueError as e:
+                raise ValueError(f'Invalid page_id: {page_id}') from e
+
+        # Fetch paginated members from database
+        members, total_count = await OrgMemberStore.get_org_members_paginated(
+            org_id=org_id,
+            offset=offset,
+            limit=limit,
+            email_filter=email_filter,
+        )
+
+        if not members:
+            return OrgMemberFinancialPage(
+                items=[],
+                current_page=(offset // limit) + 1,
+                per_page=limit,
+                next_page_id=None,
+            )
+
+        # Fetch financial data from LiteLLM for the entire team
+        # This is a single API call that returns all team members' data
+        try:
+            financial_data = await LiteLlmManager.get_team_members_financial_data(
+                str(org_id)
+            )
+        except httpx.HTTPStatusError as e:
+            # Re-raise auth errors - these indicate configuration issues that need fixing
+            if e.response.status_code in (401, 403):
+                logger.error(
+                    'LiteLLM authentication/authorization failed',
+                    extra={
+                        'org_id': str(org_id),
+                        'status_code': e.response.status_code,
+                        'error': str(e),
+                    },
+                )
+                raise
+            # For other HTTP errors (404, 500, etc.), use graceful degradation
+            logger.warning(
+                'Failed to fetch financial data from LiteLLM',
+                extra={
+                    'org_id': str(org_id),
+                    'status_code': e.response.status_code,
+                    'error_type': type(e).__name__,
+                    'error': str(e),
+                },
+            )
+            financial_data = {}
+        except Exception as e:
+            # For network errors, timeouts, etc., use graceful degradation
+            logger.warning(
+                'Failed to fetch financial data from LiteLLM',
+                extra={
+                    'org_id': str(org_id),
+                    'error_type': type(e).__name__,
+                    'error': str(e),
+                },
+            )
+            financial_data = {}
+
+        # Extract team-level data for shared budget calculation
+        team_spend = financial_data.get('team_spend', 0) or 0
+        members_financial = financial_data.get('members', {})
+
+        # Build response items by joining DB members with LiteLLM financial data
+        items: list[OrgMemberFinancialResponse] = []
+        for member in members:
+            user = member.user
+            user_id_str = str(member.user_id)
+
+            # Get financial data for this user (or defaults if not found)
+            user_financial = members_financial.get(user_id_str, {})
+            individual_spend = user_financial.get('spend', 0) or 0
+            max_budget = user_financial.get('max_budget')
+            uses_shared_budget = user_financial.get('uses_shared_budget', False)
+
+            # Calculate current budget (remaining)
+            # For shared team budgets, use team_spend to calculate remaining budget
+            # This ensures all members see the same remaining budget
+            if max_budget is not None:
+                if uses_shared_budget:
+                    # Shared budget - use team's total spend
+                    current_budget = max(max_budget - team_spend, 0)
+                else:
+                    # Individual budget - use individual spend
+                    current_budget = max(max_budget - individual_spend, 0)
+            else:
+                # If no max_budget, current_budget is unlimited (represented as 0)
+                current_budget = 0
+
+            items.append(
+                OrgMemberFinancialResponse(
+                    user_id=user_id_str,
+                    email=user.email if user else None,
+                    lifetime_spend=individual_spend,
+                    current_budget=current_budget,
+                    max_budget=max_budget,
+                )
+            )
+
+        # Calculate current page (1-indexed)
+        current_page = (offset // limit) + 1
+
+        # Calculate next_page_id
+        next_offset = offset + limit
+        next_page_id = str(next_offset) if next_offset < total_count else None
+
+        logger.debug(
+            'OrgMemberFinancialService:get_org_members_financial_data:success',
+            extra={
+                'org_id': str(org_id),
+                'items_count': len(items),
+                'current_page': current_page,
+                'total_count': total_count,
+            },
+        )
+
+        return OrgMemberFinancialPage(
+            items=items,
+            current_page=current_page,
+            per_page=limit,
+            next_page_id=next_page_id,
+        )
@@ -55,6 +55,7 @@ class OrgMemberService:
        if role is None:
            raise RoleNotFoundError(org_member.role_id)

+        # Get user email
        user = await UserStore.get_user_by_id(str(user_id))
        email = user.email if user and user.email else ''

@@ -363,6 +363,11 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
                    if api_key_org_id is not None:
                        org_id = api_key_org_id

+            # Override with resolver org_id if set (from git org claim resolution)
+            resolver_org_id = getattr(self.user_context, 'resolver_org_id', None)
+            if resolver_org_id is not None:
+                org_id = resolver_org_id
+
            # Check if SAAS metadata already exists
            saas_query = select(StoredConversationMetadataSaas).where(
                StoredConversationMetadataSaas.conversation_id == str(info.id)
@@ -29,7 +29,10 @@ def get_cookie_domain() -> str | None:


 def get_cookie_samesite() -> Literal['lax', 'strict']:
-    # for localhost and feature/staging stacks we set it to 'lax' as the cookie domain won't allow 'strict'
+    # Use 'strict' in production for maximum CSRF protection
+    # Use 'lax' for local development and staging environments
+    # Note: For invitation links from emails, the frontend handles acceptance via
+    # an authenticated POST request (same-origin), which works with 'strict' cookies
    web_url = get_global_config().web_url
    return (
        'strict'
@@ -17,7 +17,7 @@ from server.verified_models.verified_model_service import (

 from openhands.app_server.config import get_db_session
 from openhands.server.routes import public
-from openhands.utils.llm import get_supported_llm_models
+from openhands.utils.llm import ModelsResponse, get_supported_llm_models

 api_router = APIRouter(prefix='/api/admin/verified-models', tags=['Verified Models'])

@@ -117,7 +117,7 @@ async def delete_verified_model(
        )


-async def get_saas_llm_models_dependency(request: Request) -> list[str]:
+async def get_saas_llm_models_dependency(request: Request) -> ModelsResponse:
    """SaaS implementation for the LLM models endpoint."""
    async with get_db_session(request.state, request) as db_session:
        # Prevent circular import
@@ -19,6 +19,7 @@ from storage.linear_workspace import LinearWorkspace
 from storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus
 from storage.openhands_pr import OpenhandsPR
 from storage.org import Org
+from storage.org_git_claim import OrgGitClaim
 from storage.org_invitation import OrgInvitation
 from storage.org_member import OrgMember
 from storage.proactive_convos import ProactiveConversation
@@ -65,6 +66,7 @@ __all__ = [
    'MaintenanceTaskStatus',
    'OpenhandsPR',
    'Org',
+    'OrgGitClaim',
    'OrgInvitation',
    'OrgMember',
    'ProactiveConversation',
@@ -1,38 +0,0 @@
-from __future__ import annotations
-
-from typing import Any, Mapping
-
-from storage.org import Org
-from storage.org_member import OrgMember
-
-_SCHEMA_VERSION = 1
-
-
-def ensure_schema_version(agent_settings: Mapping[str, Any] | None) -> dict[str, Any]:
-    normalized = dict(agent_settings or {})
-    if normalized and 'schema_version' not in normalized:
-        normalized['schema_version'] = _SCHEMA_VERSION
-    return normalized
-
-
-def merge_agent_settings(
-    base: Mapping[str, Any] | None,
-    updates: Mapping[str, Any] | None,
-) -> dict[str, Any]:
-    merged = dict(base or {})
-    for key, value in (updates or {}).items():
-        if key == 'schema_version':
-            continue
-        if value is None:
-            merged.pop(key, None)
-        else:
-            merged[key] = value
-    return ensure_schema_version(merged)
-
-
-def get_org_agent_settings(org: Org) -> dict[str, Any]:
-    return ensure_schema_version(dict(getattr(org, 'agent_settings', {}) or {}))
-
-
-def get_org_member_agent_settings(org_member: OrgMember) -> dict[str, Any]:
-    return ensure_schema_version(dict(getattr(org_member, 'agent_settings', {}) or {}))
@@ -1,5 +1,13 @@
 """
 Unified SQLAlchemy declarative base for all models.
+
+Re-exports the core Base to ensure enterprise and core models share the same
+metadata registry. This allows foreign key relationships between enterprise
+models (e.g., ConversationCallback) and core models (e.g., StoredConversationMetadata).
+
+The core Base now uses SQLAlchemy 2.0 DeclarativeBase for proper type inference
+with Mapped types, while remaining backward compatible with existing Column()
+definitions.
 """

 from openhands.app_server.utils.sql_utils import Base
@@ -1,22 +1,28 @@
 from datetime import UTC, datetime
+from decimal import Decimal
+from typing import TYPE_CHECKING
+from uuid import UUID

-from sqlalchemy import DECIMAL, Column, DateTime, Enum, ForeignKey, String
-from sqlalchemy.dialects.postgresql import UUID
-from sqlalchemy.orm import relationship
+from sqlalchemy import DECIMAL, DateTime, Enum, ForeignKey, String
+from sqlalchemy.orm import Mapped, mapped_column, relationship
 from storage.base import Base

+if TYPE_CHECKING:
+    from storage.org import Org

-class BillingSession(Base):  # type: ignore
+
+class BillingSession(Base):
    """
    Represents a Stripe billing session for credit purchases.
    Tracks the status of payment transactions and associated user information.
    """

    __tablename__ = 'billing_sessions'
-    id = Column(String, primary_key=True)
-    user_id = Column(String, nullable=False)
-    org_id = Column(UUID(as_uuid=True), ForeignKey('org.id'), nullable=True)
-    status = Column(
+
+    id: Mapped[str] = mapped_column(String, primary_key=True)
+    user_id: Mapped[str] = mapped_column(String, nullable=False)
+    org_id: Mapped[UUID | None] = mapped_column(ForeignKey('org.id'), nullable=True)
+    status: Mapped[str] = mapped_column(
        Enum(
            'in_progress',
            'completed',
@@ -26,16 +32,16 @@ class BillingSession(Base):  # type: ignore
        ),
        default='in_progress',
    )
-    price = Column(DECIMAL(19, 4), nullable=False)
-    price_code = Column(String, nullable=False)
-    created_at = Column(
+    price: Mapped[Decimal] = mapped_column(DECIMAL(19, 4), nullable=False)
+    price_code: Mapped[str] = mapped_column(String, nullable=False)
+    created_at: Mapped[datetime | None] = mapped_column(
        DateTime(timezone=True),
-        default=lambda: datetime.now(UTC),  # type: ignore[attr-defined]
+        default=lambda: datetime.now(UTC),
    )
-    updated_at = Column(
+    updated_at: Mapped[datetime | None] = mapped_column(
        DateTime(timezone=True),
-        default=lambda: datetime.now(UTC),  # type: ignore[attr-defined]
+        default=lambda: datetime.now(UTC),
    )

    # Relationships
-    org = relationship('Org', back_populates='billing_sessions')
+    org: Mapped['Org | None'] = relationship('Org', back_populates='billing_sessions')
@@ -3,7 +3,8 @@
 from datetime import datetime, timezone
 from enum import Enum

-from sqlalchemy import Column, DateTime, Integer, String
+from sqlalchemy import DateTime, String
+from sqlalchemy.orm import Mapped, mapped_column
 from storage.base import Base


@@ -25,21 +26,33 @@ class DeviceCode(Base):

    __tablename__ = 'device_codes'

-    id = Column(Integer, primary_key=True, autoincrement=True)
-    device_code = Column(String(128), unique=True, nullable=False, index=True)
-    user_code = Column(String(16), unique=True, nullable=False, index=True)
-    status = Column(String(32), nullable=False, default=DeviceCodeStatus.PENDING.value)
+    id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
+    device_code: Mapped[str] = mapped_column(
+        String(128), unique=True, nullable=False, index=True
+    )
+    user_code: Mapped[str] = mapped_column(
+        String(16), unique=True, nullable=False, index=True
+    )
+    status: Mapped[str] = mapped_column(
+        String(32), nullable=False, default=DeviceCodeStatus.PENDING.value
+    )

    # Keycloak user ID who authorized the device (set during verification)
-    keycloak_user_id = Column(String(255), nullable=True)
+    keycloak_user_id: Mapped[str | None] = mapped_column(String(255), nullable=True)

    # Timestamps
-    expires_at = Column(DateTime(timezone=True), nullable=False)
-    authorized_at = Column(DateTime(timezone=True), nullable=True)
+    expires_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), nullable=False
+    )
+    authorized_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )

    # Rate limiting fields for RFC 8628 section 3.5 compliance
-    last_poll_time = Column(DateTime(timezone=True), nullable=True)
-    current_interval = Column(Integer, nullable=False, default=5)
+    last_poll_time: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+    current_interval: Mapped[int] = mapped_column(nullable=False, default=5)

    def __repr__(self) -> str:
        return f"<DeviceCode(user_code='{self.user_code}', status='{self.status}')>"
@@ -1,29 +1,34 @@
-from sqlalchemy import JSON, Column, DateTime, Enum, Integer, String, Text
-from sqlalchemy.sql import func
+from datetime import datetime
+from typing import Any
+
+from sqlalchemy import JSON, Enum, String, Text, func
+from sqlalchemy.orm import Mapped, mapped_column
 from storage.base import Base


-class Feedback(Base):  # type: ignore
+class Feedback(Base):
    __tablename__ = 'feedback'

-    id = Column(String, primary_key=True)
-    version = Column(String, nullable=False)
-    email = Column(String, nullable=False)
-    polarity = Column(
+    id: Mapped[str] = mapped_column(String, primary_key=True)
+    version: Mapped[str] = mapped_column(String, nullable=False)
+    email: Mapped[str] = mapped_column(String, nullable=False)
+    polarity: Mapped[str] = mapped_column(
        Enum('positive', 'negative', name='polarity_enum'), nullable=False
    )
-    permissions = Column(
+    permissions: Mapped[str] = mapped_column(
        Enum('public', 'private', name='permissions_enum'), nullable=False
    )
-    trajectory = Column(JSON, nullable=True)
+    trajectory: Mapped[dict[str, Any] | None] = mapped_column(JSON, nullable=True)


-class ConversationFeedback(Base):  # type: ignore
+class ConversationFeedback(Base):
    __tablename__ = 'conversation_feedback'

-    id = Column(Integer, primary_key=True, autoincrement=True)
-    conversation_id = Column(String, nullable=False, index=True)
-    event_id = Column(Integer, nullable=True)
-    rating = Column(Integer, nullable=False)
-    reason = Column(Text, nullable=True)
-    created_at = Column(DateTime, nullable=False, server_default=func.now())
+    id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
+    conversation_id: Mapped[str] = mapped_column(String, nullable=False, index=True)
+    event_id: Mapped[int | None] = mapped_column(nullable=True)
+    rating: Mapped[int] = mapped_column(nullable=False)
+    reason: Mapped[str | None] = mapped_column(Text, nullable=True)
+    created_at: Mapped[datetime] = mapped_column(
+        nullable=False, server_default=func.now()
+    )
@@ -216,11 +216,11 @@ class LiteLlmManager:
                    None,
                )

-        oss_settings.set_agent_setting('agent', 'CodeActAgent')
+        oss_settings.agent = 'CodeActAgent'
        # Use the model corresponding to the current user settings version
-        oss_settings.set_agent_setting('llm.model', get_default_litellm_model())
-        oss_settings.set_agent_setting('llm.api_key', SecretStr(key))
-        oss_settings.set_agent_setting('llm.base_url', LITE_LLM_API_URL)
+        oss_settings.llm_model = get_default_litellm_model()
+        oss_settings.llm_api_key = SecretStr(key)
+        oss_settings.llm_base_url = LITE_LLM_API_URL
        return oss_settings

    @staticmethod
@@ -354,15 +354,10 @@ class LiteLlmManager:
                # Check if the database key exists in LiteLLM
                # If not, generate a new key to prevent verification failures later
                db_key = None
-                llm_base_url = (
-                    user_settings.agent_settings.get('llm.base_url')
-                    if user_settings and user_settings.agent_settings
-                    else None
-                )
                if (
                    user_settings
                    and user_settings.llm_api_key
-                    and llm_base_url == LITE_LLM_API_URL
+                    and user_settings.llm_base_url == LITE_LLM_API_URL
                ):
                    db_key = user_settings.llm_api_key
                    if hasattr(db_key, 'get_secret_value'):
@@ -398,7 +393,7 @@ class LiteLlmManager:
                        )
                        # Update user_settings with the new key so it gets stored in org_member
                        user_settings.llm_api_key = SecretStr(new_key)
-                        user_settings.llm_api_key_for_byor_secret = SecretStr(new_key)
+                        user_settings.llm_api_key_for_byor = SecretStr(new_key)

        logger.info(
            'LiteLlmManager:migrate_lite_llm_entries:complete',
@@ -1529,6 +1524,83 @@ class LiteLlmManager:
            'LiteLlmManager:_delete_key:key_deleted',
        )

+    @staticmethod
+    async def _get_team_members_financial_data(
+        client: httpx.AsyncClient,
+        team_id: str,
+    ) -> dict:
+        """
+        Get financial data for all members in a team.
+
+        Fetches team info from LiteLLM and extracts spending/budget data for each member.
+
+        Args:
+            client: HTTP client for LiteLLM API
+            team_id: The team/organization ID
+
+        Returns:
+            Dict with structure:
+            {
+                "team_max_budget": float | None,  # Team's shared budget
+                "team_spend": float,              # Team's total spend (for shared budget calc)
+                "members": {
+                    user_id: {
+                        "spend": float,
+                        "max_budget": float | None,
+                        "uses_shared_budget": bool  # True if using team budget
+                    },
+                    ...
+                }
+            }
+            Returns empty dict if team not found or LiteLLM is not configured.
+        """
+        if LITE_LLM_API_KEY is None or LITE_LLM_API_URL is None:
+            logger.warning('LiteLLM API configuration not found')
+            return {}
+
+        team_info = await LiteLlmManager._get_team(client, team_id)
+        if not team_info:
+            logger.warning(
+                'LiteLlmManager:_get_team_members_financial_data:team_not_found',
+                extra={'team_id': team_id},
+            )
+            return {}
+
+        members: dict[str, dict] = {}
+        team_memberships = team_info.get('team_memberships', [])
+
+        # Get team-level budget info (shared across all members in team orgs)
+        team_data = team_info.get('team_info', {})
+        team_max_budget = team_data.get('max_budget')
+        team_spend = team_data.get('spend', 0) or 0
+
+        for membership in team_memberships:
+            user_id = membership.get('user_id')
+            if not user_id:
+                continue
+
+            # Use individual max_budget_in_team if set, otherwise fall back to team budget
+            member_max_budget = membership.get('max_budget_in_team')
+            uses_shared_budget = member_max_budget is None
+            if uses_shared_budget:
+                member_max_budget = team_max_budget
+
+            members[user_id] = {
+                'spend': membership.get('spend', 0) or 0,
+                'max_budget': member_max_budget,
+                'uses_shared_budget': uses_shared_budget,
+            }
+
+        logger.debug(
+            'LiteLlmManager:_get_team_members_financial_data:success',
+            extra={'team_id': team_id, 'member_count': len(members)},
+        )
+        return {
+            'team_max_budget': team_max_budget,
+            'team_spend': team_spend,
+            'members': members,
+        }
+
    @staticmethod
    def with_http_client(
        internal_fn: Callable[..., Awaitable[Any]],
@@ -1564,3 +1636,6 @@ class LiteLlmManager:
    get_user_keys = staticmethod(with_http_client(_get_user_keys))
    delete_key_by_alias = staticmethod(with_http_client(_delete_key_by_alias))
    update_user_keys = staticmethod(with_http_client(_update_user_keys))
+    get_team_members_financial_data = staticmethod(
+        with_http_client(_get_team_members_financial_data)
+    )
@@ -21,7 +21,14 @@ class Org(Base):  # type: ignore
    name = Column(String, nullable=False, unique=True)
    contact_name = Column(String, nullable=True)
    contact_email = Column(String, nullable=True)
+    agent = Column(String, nullable=True)
+    default_max_iterations = Column(Integer, nullable=True)
+    security_analyzer = Column(String, nullable=True)
+    confirmation_mode = Column(Boolean, nullable=True, default=False)
+    default_llm_model = Column(String, nullable=True)
+    default_llm_base_url = Column(String, nullable=True)
    remote_runtime_resource_factor = Column(Integer, nullable=True)
+    enable_default_condenser = Column(Boolean, nullable=False, default=True)
    billing_margin = Column(Float, nullable=True, default=DEFAULT_BILLING_MARGIN)
    enable_proactive_conversation_starters = Column(
        Boolean, nullable=False, default=True
@@ -29,7 +36,7 @@ class Org(Base):  # type: ignore
    sandbox_base_container_image = Column(String, nullable=True)
    sandbox_runtime_container_image = Column(String, nullable=True)
    org_version = Column(Integer, nullable=False, default=0)
-    agent_settings = Column(JSON, nullable=False, default=dict)
+    mcp_config = Column(JSON, nullable=True)
    # encrypted column, don't set directly, set without the underscore
    _search_api_key = Column(String, nullable=True)
    # encrypted column, don't set directly, set without the underscore
@@ -38,6 +45,7 @@ class Org(Base):  # type: ignore
    enable_solvability_analysis = Column(Boolean, nullable=True, default=False)
    v1_enabled = Column(Boolean, nullable=True)
    conversation_expiration = Column(Integer, nullable=True)
+    condenser_max_size = Column(Integer, nullable=True)
    byor_export_enabled = Column(Boolean, nullable=False, default=False)
    sandbox_grouping_strategy = Column(String, nullable=True)

@@ -56,6 +64,7 @@ class Org(Base):  # type: ignore
    slack_conversations = relationship('SlackConversation', back_populates='org')
    slack_users = relationship('SlackUser', back_populates='org')
    stripe_customers = relationship('StripeCustomer', back_populates='org')
+    git_claims = relationship('OrgGitClaim', back_populates='org')

    def __init__(self, **kwargs):
        # Handle known SQLAlchemy columns directly
@@ -13,7 +13,6 @@ from server.constants import (
 from server.routes.org_models import OrgAppSettingsUpdate
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
-from storage.agent_settings_utils import get_org_agent_settings, merge_agent_settings
 from storage.org import Org
 from storage.user import User

@@ -66,13 +65,8 @@ class OrgAppSettingsStore:
        """
        if org.org_version < ORG_SETTINGS_VERSION:
            org.org_version = ORG_SETTINGS_VERSION
-            org.agent_settings = merge_agent_settings(
-                get_org_agent_settings(org),
-                {
-                    'llm.model': get_default_litellm_model(),
-                    'llm.base_url': LITE_LLM_API_URL,
-                },
-            )
+            org.default_llm_model = get_default_litellm_model()
+            org.llm_base_url = LITE_LLM_API_URL
            await self.db_session.flush()
            await self.db_session.refresh(org)

@@ -0,0 +1,30 @@
+"""
+SQLAlchemy model for Git Organization Claims.
+"""
+
+from uuid import uuid4
+
+from sqlalchemy import UUID, Column, DateTime, ForeignKey, String, UniqueConstraint
+from sqlalchemy.orm import relationship
+from storage.base import Base
+
+
+class OrgGitClaim(Base):  # type: ignore
+    """Model for tracking which OpenHands org has claimed a Git organization."""
+
+    __tablename__ = 'org_git_claim'
+
+    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid4)
+    org_id = Column(
+        UUID(as_uuid=True), ForeignKey('org.id', ondelete='CASCADE'), nullable=False
+    )
+    provider = Column(String, nullable=False)
+    git_organization = Column(String, nullable=False)
+    claimed_by = Column(UUID(as_uuid=True), ForeignKey('user.id'), nullable=False)
+    claimed_at = Column(DateTime(timezone=True), nullable=False)
+
+    __table_args__ = (
+        UniqueConstraint('provider', 'git_organization', name='uq_provider_git_org'),
+    )
+
+    org = relationship('Org', back_populates='git_claims')
@@ -0,0 +1,141 @@
+"""
+Store class for managing Git organization claims.
+"""
+
+from datetime import datetime, timezone
+from typing import Optional
+from uuid import UUID
+
+from sqlalchemy import and_, select
+from storage.database import a_session_maker
+from storage.org_git_claim import OrgGitClaim
+
+from openhands.core.logger import openhands_logger as logger
+
+
+class OrgGitClaimStore:
+    """Store for managing Git organization claims."""
+
+    @staticmethod
+    async def create_claim(
+        org_id: UUID,
+        provider: str,
+        git_organization: str,
+        claimed_by: UUID,
+    ) -> OrgGitClaim:
+        """Create a new Git organization claim.
+
+        Args:
+            org_id: OpenHands organization UUID
+            provider: Git provider ('github', 'gitlab', 'bitbucket')
+            git_organization: Name of the Git organization being claimed
+            claimed_by: User UUID who is making the claim
+
+        Returns:
+            OrgGitClaim: The created claim record
+        """
+        async with a_session_maker() as session:
+            claim = OrgGitClaim(
+                org_id=org_id,
+                provider=provider,
+                git_organization=git_organization,
+                claimed_by=claimed_by,
+                claimed_at=datetime.now(timezone.utc),
+            )
+            session.add(claim)
+            await session.commit()
+            await session.refresh(claim)
+
+            logger.info(
+                'Created Git organization claim',
+                extra={
+                    'claim_id': str(claim.id),
+                    'org_id': str(org_id),
+                    'provider': provider,
+                    'git_organization': git_organization,
+                    'claimed_by': str(claimed_by),
+                },
+            )
+
+            return claim
+
+    @staticmethod
+    async def get_claim_by_provider_and_git_org(
+        provider: str,
+        git_organization: str,
+    ) -> Optional[OrgGitClaim]:
+        """Check if a Git organization is already claimed.
+
+        Args:
+            provider: Git provider name
+            git_organization: Name of the Git organization
+
+        Returns:
+            OrgGitClaim or None if not claimed
+        """
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(OrgGitClaim).filter(
+                    and_(
+                        OrgGitClaim.provider == provider,
+                        OrgGitClaim.git_organization == git_organization,
+                    )
+                )
+            )
+            return result.scalars().first()
+
+    @staticmethod
+    async def get_claims_by_org_id(org_id: UUID) -> list[OrgGitClaim]:
+        """Get all Git organization claims for an OpenHands organization.
+
+        Args:
+            org_id: OpenHands organization UUID
+
+        Returns:
+            List of OrgGitClaim records
+        """
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(OrgGitClaim).filter(OrgGitClaim.org_id == org_id)
+            )
+            return list(result.scalars().all())
+
+    @staticmethod
+    async def delete_claim(claim_id: UUID, org_id: UUID) -> bool:
+        """Delete a Git organization claim.
+
+        Args:
+            claim_id: Claim UUID to delete
+            org_id: OpenHands organization UUID (for ownership verification)
+
+        Returns:
+            True if deleted, False if not found
+        """
+        async with a_session_maker() as session:
+            result = await session.execute(
+                select(OrgGitClaim).filter(
+                    and_(
+                        OrgGitClaim.id == claim_id,
+                        OrgGitClaim.org_id == org_id,
+                    )
+                )
+            )
+            claim = result.scalars().first()
+
+            if not claim:
+                return False
+
+            await session.delete(claim)
+            await session.commit()
+
+            logger.info(
+                'Deleted Git organization claim',
+                extra={
+                    'claim_id': str(claim_id),
+                    'org_id': str(org_id),
+                    'provider': claim.provider,
+                    'git_organization': claim.git_organization,
+                },
+            )
+
+            return True
@@ -9,7 +9,6 @@ from uuid import UUID
 from server.routes.org_models import OrgLLMSettingsUpdate
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
-from storage.agent_settings_utils import get_org_agent_settings, merge_agent_settings
 from storage.org import Org
 from storage.org_member_store import OrgMemberStore
 from storage.user import User
@@ -68,12 +67,8 @@ class OrgLLMSettingsStore:
        if not org:
            return None

+        # Apply updates to org (excludes llm_api_key which is member-only)
        update_data.apply_to_org(org)
-        if update_data.agent_settings is not None:
-            org.agent_settings = merge_agent_settings(
-                get_org_agent_settings(org),
-                update_data.agent_settings,
-            )

        # Propagate relevant settings to all org members
        member_updates = update_data.get_member_updates()
@@ -1,4 +1,6 @@
-"""SQLAlchemy model for organization-member relationships."""
+"""
+SQLAlchemy model for Organization-Member relationship.
+"""

 from pydantic import SecretStr
 from sqlalchemy import JSON, UUID, Column, ForeignKey, Integer, String
@@ -16,30 +18,51 @@ class OrgMember(Base):  # type: ignore
    user_id = Column(UUID(as_uuid=True), ForeignKey('user.id'), primary_key=True)
    role_id = Column(Integer, ForeignKey('role.id'), nullable=False)
    _llm_api_key = Column(String, nullable=False)
-    agent_settings = Column(JSON, nullable=False, default=dict)
+    max_iterations = Column(Integer, nullable=True)
+    llm_model = Column(String, nullable=True)
+    _llm_api_key_for_byor = Column(String, nullable=True)
+    llm_base_url = Column(String, nullable=True)
    status = Column(String, nullable=True)
    mcp_config = Column(JSON, nullable=True)

+    # Relationships
    org = relationship('Org', back_populates='org_members')
    user = relationship('User', back_populates='org_members')
    role = relationship('Role', back_populates='org_members')

    def __init__(self, **kwargs):
+        # Handle known SQLAlchemy columns directly
        for key in list(kwargs):
            if hasattr(self.__class__, key):
                setattr(self, key, kwargs.pop(key))

+        # Handle custom property-style fields
        if 'llm_api_key' in kwargs:
            self.llm_api_key = kwargs.pop('llm_api_key')
+        if 'llm_api_key_for_byor' in kwargs:
+            self.llm_api_key_for_byor = kwargs.pop('llm_api_key_for_byor')

        if kwargs:
            raise TypeError(f'Unexpected keyword arguments: {list(kwargs.keys())}')

    @property
    def llm_api_key(self) -> SecretStr:
-        return SecretStr(decrypt_value(self._llm_api_key))
+        decrypted = decrypt_value(self._llm_api_key)
+        return SecretStr(decrypted)

    @llm_api_key.setter
    def llm_api_key(self, value: str | SecretStr):
        raw = value.get_secret_value() if isinstance(value, SecretStr) else value
        self._llm_api_key = encrypt_value(raw)
+
+    @property
+    def llm_api_key_for_byor(self) -> SecretStr | None:
+        if self._llm_api_key_for_byor:
+            decrypted = decrypt_value(self._llm_api_key_for_byor)
+            return SecretStr(decrypted)
+        return None
+
+    @llm_api_key_for_byor.setter
+    def llm_api_key_for_byor(self, value: str | SecretStr | None):
+        raw = value.get_secret_value() if isinstance(value, SecretStr) else value
+        self._llm_api_key_for_byor = encrypt_value(raw) if raw else None
@@ -6,14 +6,11 @@ from typing import Optional
 from uuid import UUID

 from server.routes.org_models import OrgMemberLLMSettings
-from sqlalchemy import func, select
+from sqlalchemy import func, select, update
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import joinedload
-from storage.agent_settings_utils import (
-    get_org_member_agent_settings,
-    merge_agent_settings,
-)
 from storage.database import a_session_maker
+from storage.encrypt_utils import encrypt_value
 from storage.org_member import OrgMember
 from storage.user import User
 from storage.user_settings import UserSettings
@@ -31,11 +28,11 @@ class OrgMemberStore:
        role_id: int,
        llm_api_key: str,
        status: Optional[str] = None,
-        agent_settings: Optional[dict] = None,
+        llm_model: Optional[str] = None,
+        llm_base_url: Optional[str] = None,
+        max_iterations: Optional[int] = None,
    ) -> OrgMember:
        """Add a user to an organization with a specific role."""
-        agent_settings = dict(agent_settings or {})
-
        async with a_session_maker() as session:
            org_member = OrgMember(
                org_id=org_id,
@@ -43,7 +40,9 @@ class OrgMemberStore:
                role_id=role_id,
                llm_api_key=llm_api_key,
                status=status,
-                agent_settings=agent_settings,
+                llm_model=llm_model,
+                llm_base_url=llm_base_url,
+                max_iterations=max_iterations,
            )
            session.add(org_member)
            await session.commit()
@@ -149,28 +148,23 @@ class OrgMemberStore:
            await session.commit()
            return True

-    @staticmethod
-    def get_agent_settings_from_org_member(org_member: OrgMember) -> dict[str, object]:
-        return get_org_member_agent_settings(org_member)
-
    @staticmethod
    def get_kwargs_from_settings(settings: Settings):
-        return {
-            'llm_api_key': settings.get_secret_agent_setting('llm.api_key'),
-            'agent_settings': settings.normalized_agent_settings(
-                strip_secret_values=True
-            ),
+        kwargs = {
+            normalized: getattr(settings, normalized)
+            for c in OrgMember.__table__.columns
+            if (normalized := c.name.lstrip('_')) and hasattr(settings, normalized)
        }
+        return kwargs

    @staticmethod
    def get_kwargs_from_user_settings(user_settings: UserSettings):
-        agent_settings = dict(user_settings.agent_settings or {})
-        if agent_settings and 'schema_version' not in agent_settings:
-            agent_settings['schema_version'] = 1
-        return {
-            'llm_api_key': user_settings.llm_api_key,
-            'agent_settings': agent_settings,
+        kwargs = {
+            normalized: getattr(user_settings, normalized)
+            for c in OrgMember.__table__.columns
+            if (normalized := c.name.lstrip('_')) and hasattr(user_settings, normalized)
        }
+        return kwargs

    @staticmethod
    async def get_org_members_count(
@@ -250,34 +244,21 @@ class OrgMemberStore:
        org_id: UUID,
        member_settings: OrgMemberLLMSettings,
    ) -> None:
-        """Update shared LLM settings for all members of an organization.
+        """Update LLM settings for all members of an organization.

        Args:
            session: Database session (passed from caller for transaction)
            org_id: Organization ID
-            member_settings: Shared settings to apply to all members
+            member_settings: Typed LLM settings to apply to all members
        """
+        # Build update values from non-None fields
        values = member_settings.model_dump(exclude_none=True)
-        if not values:
-            return

-        result = await session.execute(
-            select(OrgMember).where(OrgMember.org_id == org_id)
-        )
-        org_members = list(result.scalars().all())
+        # Handle encrypted llm_api_key field - map to _llm_api_key column with encryption
+        if 'llm_api_key' in values:
+            raw_key = values.pop('llm_api_key')
+            values['_llm_api_key'] = encrypt_value(raw_key)

-        raw_key = values.pop('llm_api_key', None)
-        agent_settings_updates = values.pop('agent_settings', None)
-
-        for org_member in org_members:
-            if raw_key is not None:
-                org_member.llm_api_key = raw_key
-
-            if agent_settings_updates is not None:
-                org_member.agent_settings = merge_agent_settings(
-                    get_org_member_agent_settings(org_member),
-                    agent_settings_updates,
-                )
-
-            for key, value in values.items():
-                setattr(org_member, key, value)
+        if values:
+            stmt = update(OrgMember).where(OrgMember.org_id == org_id).values(**values)
+            await session.execute(stmt)
@@ -113,10 +113,7 @@ class OrgService:
            contact_name=contact_name,
            contact_email=contact_email,
            org_version=ORG_SETTINGS_VERSION,
-            agent_settings={
-                'schema_version': 1,
-                'llm.model': get_default_litellm_model(),
-            },
+            default_llm_model=get_default_litellm_model(),
        )

    @staticmethod
@@ -470,6 +467,42 @@ class OrgService:
            )
            return False

+    @staticmethod
+    def _get_llm_settings_fields() -> set[str]:
+        """
+        Get the set of organization fields that are considered LLM settings
+        and require admin/owner role to update.
+
+        Returns:
+            set[str]: Set of field names that require elevated permissions
+        """
+        return {
+            'default_llm_model',
+            'default_llm_api_key_for_byor',
+            'default_llm_base_url',
+            'search_api_key',
+            'security_analyzer',
+            'agent',
+            'confirmation_mode',
+            'enable_default_condenser',
+            'condenser_max_size',
+        }
+
+    @staticmethod
+    def _has_llm_settings_updates(update_data: OrgUpdate) -> set[str]:
+        """
+        Check if the update contains any LLM settings fields.
+
+        Args:
+            update_data: The organization update data
+
+        Returns:
+            set[str]: Set of LLM fields being updated (empty if none)
+        """
+        llm_fields = OrgService._get_llm_settings_fields()
+        update_dict = update_data.model_dump(exclude_none=True)
+        return llm_fields.intersection(update_dict.keys())
+
    @staticmethod
    async def update_org_with_permissions(
        org_id: UUID,
@@ -538,6 +571,33 @@ class OrgService:
                )
                raise OrgNameExistsError(update_data.name)

+        # Check if update contains any LLM settings
+        llm_fields_being_updated = OrgService._has_llm_settings_updates(update_data)
+        if llm_fields_being_updated:
+            # Verify user has admin or owner role
+            has_permission = await OrgService.has_admin_or_owner_role(user_id, org_id)
+            if not has_permission:
+                logger.warning(
+                    'User attempted to update LLM settings without permission',
+                    extra={
+                        'user_id': user_id,
+                        'org_id': str(org_id),
+                        'attempted_fields': list(llm_fields_being_updated),
+                    },
+                )
+                raise PermissionError(
+                    'Admin or owner role required to update LLM settings'
+                )
+
+            logger.debug(
+                'User has permission to update LLM settings',
+                extra={
+                    'user_id': user_id,
+                    'org_id': str(org_id),
+                    'llm_fields': list(llm_fields_being_updated),
+                },
+            )
+
        # Convert to dict for OrgStore (excluding None values)
        update_dict = update_data.model_dump(exclude_none=True)
        if not update_dict:
@@ -547,24 +607,6 @@ class OrgService:
            )
            return existing_org

-        restricted_fields = {'agent_settings', 'search_api_key', 'sandbox_api_key'}
-        if restricted_fields.intersection(
-            update_dict
-        ) and not await OrgService.has_admin_or_owner_role(user_id, org_id):
-            logger.warning(
-                'Insufficient role for restricted organization settings update',
-                extra={
-                    'user_id': user_id,
-                    'org_id': str(org_id),
-                    'restricted_fields': sorted(
-                        restricted_fields.intersection(update_dict)
-                    ),
-                },
-            )
-            raise PermissionError(
-                'Admin or owner role required to update organization agent settings'
-            )
-
        # Perform the update
        try:
            updated_org = await OrgStore.update_org(org_id, update_dict)
@@ -14,10 +14,6 @@ from server.constants import (
 from server.routes.org_models import OrgLLMSettingsUpdate, OrphanedUserError
 from sqlalchemy import select, text
 from sqlalchemy.orm import joinedload
-from storage.agent_settings_utils import (
-    get_org_agent_settings,
-    merge_agent_settings,
-)
 from storage.database import a_session_maker
 from storage.lite_llm_manager import LiteLlmManager
 from storage.org import Org
@@ -28,32 +24,10 @@ from storage.user_settings import UserSettings
 from openhands.core.logger import openhands_logger as logger
 from openhands.storage.data_models.settings import Settings

-_ORG_SETTINGS_EXCLUDED_FIELDS = {
-    'id',
-    'name',
-    'contact_name',
-    'contact_email',
-    'org_version',
-    'agent_settings',
-}
-_ORG_SETTINGS_FIELDS = {
-    normalized
-    for column in Org.__table__.columns
-    if (normalized := column.name.lstrip('_')) not in _ORG_SETTINGS_EXCLUDED_FIELDS
-}
-

 class OrgStore:
    """Store for managing organizations."""

-    @staticmethod
-    def get_agent_settings_from_org(org: Org) -> dict[str, object]:
-        return get_org_agent_settings(org)
-
-    @staticmethod
-    def sync_agent_settings(org: Org) -> None:
-        org.agent_settings = get_org_agent_settings(org)
-
    @staticmethod
    async def create_org(
        kwargs: dict,
@@ -62,13 +36,7 @@ class OrgStore:
        async with a_session_maker() as session:
            org = Org(**kwargs)
            org.org_version = ORG_SETTINGS_VERSION
-            org.agent_settings = merge_agent_settings(
-                org.agent_settings,
-                {
-                    'llm.model': get_org_agent_settings(org).get('llm.model')
-                    or get_default_litellm_model()
-                },
-            )
+            org.default_llm_model = get_default_litellm_model()
            if org.v1_enabled is None:
                org.v1_enabled = DEFAULT_V1_ENABLED
            session.add(org)
@@ -124,10 +92,8 @@ class OrgStore:
                org.id,
                {
                    'org_version': ORG_SETTINGS_VERSION,
-                    'agent_settings': {
-                        'llm.model': get_default_litellm_model(),
-                        'llm.base_url': LITE_LLM_API_URL,
-                    },
+                    'default_llm_model': get_default_litellm_model(),
+                    'llm_base_url': LITE_LLM_API_URL,
                },
            )
        return org
@@ -214,45 +180,57 @@ class OrgStore:

            if 'id' in kwargs:
                kwargs.pop('id')
-
-            agent_settings_updates = kwargs.pop('agent_settings', None)
            for key, value in kwargs.items():
                if hasattr(org, key):
                    setattr(org, key, value)

-            if agent_settings_updates is not None:
-                org.agent_settings = merge_agent_settings(
-                    get_org_agent_settings(org),
-                    agent_settings_updates,
-                )
-
            await session.commit()
            await session.refresh(org)
            return org

    @staticmethod
    def get_kwargs_from_settings(settings: Settings):
-        kwargs = {
-            field: getattr(settings, field)
-            for field in _ORG_SETTINGS_FIELDS
-            if hasattr(settings, field)
-        }
-        kwargs['agent_settings'] = settings.normalized_agent_settings(
-            strip_secret_values=True
-        )
+        kwargs = {}
+
+        for c in Org.__table__.columns:
+            # Normalize for lookup
+            normalized = (
+                c.name.removeprefix('_default_').removeprefix('default_').lstrip('_')
+            )
+
+            if not hasattr(settings, normalized):
+                continue
+
+            # ---- FIX: Output key should drop *only* leading "_" but preserve "default" ----
+            key = c.name
+            if key.startswith('_'):
+                key = key[1:]  # remove only the very first leading underscore
+
+            kwargs[key] = getattr(settings, normalized)
+
        return kwargs

    @staticmethod
    def get_kwargs_from_user_settings(user_settings: UserSettings):
-        kwargs = {
-            field: getattr(user_settings, field)
-            for field in _ORG_SETTINGS_FIELDS
-            if hasattr(user_settings, field)
-        }
+        kwargs = {}
+
+        for c in Org.__table__.columns:
+            # Normalize for lookup
+            normalized = (
+                c.name.removeprefix('_default_').removeprefix('default_').lstrip('_')
+            )
+
+            if not hasattr(user_settings, normalized):
+                continue
+
+            # ---- FIX: Output key should drop *only* leading "_" but preserve "default" ----
+            key = c.name
+            if key.startswith('_'):
+                key = key[1:]  # remove only the very first leading underscore
+
+            kwargs[key] = getattr(user_settings, normalized)
+
        kwargs['org_version'] = user_settings.user_version
-        kwargs['agent_settings'] = (
-            user_settings.to_settings().normalized_agent_settings(strip_secret_values=True)
-        )
        return kwargs

    @staticmethod
@@ -453,12 +431,8 @@ class OrgStore:
            if not org:
                return None

+            # Apply updates to org
            llm_settings.apply_to_org(org)
-            if llm_settings.agent_settings is not None:
-                org.agent_settings = merge_agent_settings(
-                    get_org_agent_settings(org),
-                    llm_settings.agent_settings,
-                )

            # Propagate relevant settings to all org members
            member_updates = llm_settings.get_member_updates()
@@ -34,10 +34,17 @@ class SaasConversationStore(ConversationStore):
    session_maker: sessionmaker
    org_id: UUID | None = None  # will be fetched automatically

-    def __init__(self, user_id: str, org_id: UUID, session_maker: sessionmaker):
+    def __init__(
+        self,
+        user_id: str,
+        org_id: UUID,
+        session_maker: sessionmaker,
+        resolver_org_id: UUID | None = None,
+    ):
        self.user_id = user_id
        self.org_id = org_id
        self.session_maker = session_maker
+        self.resolver_org_id = resolver_org_id

    def _select_by_id(self, session, conversation_id: str):
        # Join StoredConversationMetadata with ConversationMetadataSaas to filter by user/org
@@ -103,6 +110,13 @@ class SaasConversationStore(ConversationStore):

        stored_metadata = StoredConversationMetadata(**kwargs)

+        # Override with resolver org_id if set (from git org claim resolution),
+        # same pattern as V1's save_app_conversation_info in
+        # saas_app_conversation_info_injector.py
+        org_id = self.org_id
+        if self.resolver_org_id is not None:
+            org_id = self.resolver_org_id
+
        def _save_metadata():
            with self.session_maker() as session:
                # Save the main conversation metadata
@@ -122,13 +136,13 @@ class SaasConversationStore(ConversationStore):
                    saas_metadata = StoredConversationMetadataSaas(
                        conversation_id=stored_metadata.conversation_id,
                        user_id=UUID(self.user_id),
-                        org_id=self.org_id,
+                        org_id=org_id,
                    )
                    session.add(saas_metadata)
                else:
                    # Validate
                    expected_user_id = UUID(self.user_id)
-                    expected_org_id = self.org_id
+                    expected_org_id = org_id

                    if saas_metadata.user_id != expected_user_id:
                        raise ValueError(
@@ -240,3 +254,19 @@ class SaasConversationStore(ConversationStore):
        user = await UserStore.get_user_by_id(user_id)
        org_id = user.current_org_id if user else None
        return SaasConversationStore(user_id, org_id, session_maker)
+
+    @classmethod
+    async def get_resolver_instance(
+        cls,
+        config: OpenHandsConfig,
+        user_id: str,
+        resolver_org_id: UUID | None = None,
+    ) -> 'SaasConversationStore':
+        """Get a store for resolver conversations with explicit org routing.
+
+        Unlike get_instance, this accepts a resolver_org_id that overrides
+        the user's default org when saving conversation metadata.
+        """
+        user = await UserStore.get_user_by_id(user_id)
+        org_id = user.current_org_id if user else None
+        return SaasConversationStore(user_id, org_id, session_maker, resolver_org_id)
@@ -1,8 +1,12 @@
 from __future__ import annotations

+import binascii
+import hashlib
 import uuid
+from base64 import b64decode, b64encode
 from dataclasses import dataclass

+from cryptography.fernet import Fernet
 from pydantic import SecretStr
 from server.auth.token_manager import TokenManager
 from server.constants import LITE_LLM_API_URL
@@ -10,10 +14,10 @@ from server.logger import logger
 from sqlalchemy import select, update
 from sqlalchemy.orm import joinedload
 from storage.database import a_session_maker
+from storage.encrypt_utils import encrypt_value
 from storage.lite_llm_manager import LiteLlmManager, get_openhands_cloud_key_alias
 from storage.org import Org
 from storage.org_member import OrgMember
-from storage.org_member_store import OrgMemberStore
 from storage.org_store import OrgStore
 from storage.user import User
 from storage.user_settings import UserSettings
@@ -29,6 +33,7 @@ from openhands.utils.llm import is_openhands_model
 class SaasSettingsStore(SettingsStore):
    user_id: str
    config: OpenHandsConfig
+    ENCRYPT_VALUES = ['llm_api_key', 'llm_api_key_for_byor', 'search_api_key']

    async def _get_user_settings_by_keycloak_id_async(
        self, keycloak_user_id: str, session=None
@@ -64,33 +69,6 @@ class SaasSettingsStore(SettingsStore):
                )
                return result.scalars().first()

-    async def _persist_agent_settings_async(
-        self, org_id: uuid.UUID, agent_settings: dict
-    ) -> None:
-        async with a_session_maker() as session:
-            stmt = (
-                update(OrgMember)
-                .where(
-                    OrgMember.org_id == org_id,
-                    OrgMember.user_id == uuid.UUID(self.user_id),
-                )
-                .values(agent_settings=agent_settings)
-            )
-            await session.execute(stmt)
-            await session.commit()
-
-    async def _persist_org_agent_settings_async(
-        self, org_id: uuid.UUID, agent_settings: dict
-    ) -> None:
-        async with a_session_maker() as session:
-            stmt = (
-                update(Org)
-                .where(Org.id == org_id)
-                .values(agent_settings=agent_settings)
-            )
-            await session.execute(stmt)
-            await session.commit()
-
    async def load(self) -> Settings | None:
        user = await UserStore.get_user_by_id(self.user_id)
        if not user:
@@ -111,11 +89,6 @@ class SaasSettingsStore(SettingsStore):
                f'Org not found for ID {org_id} as the current org for user {self.user_id}'
            )
            return None
-        org_agent_settings = OrgStore.get_agent_settings_from_org(org)
-        member_agent_settings = OrgMemberStore.get_agent_settings_from_org_member(
-            org_member
-        )
-
        kwargs = {
            **{
                normalized: getattr(org, c.name)
@@ -134,13 +107,17 @@ class SaasSettingsStore(SettingsStore):
            },
        }
        kwargs['llm_api_key'] = org_member.llm_api_key
+        if org_member.max_iterations:
+            kwargs['max_iterations'] = org_member.max_iterations
+        if org_member.llm_model:
+            kwargs['llm_model'] = org_member.llm_model
+        if org_member.llm_api_key_for_byor:
+            kwargs['llm_api_key_for_byor'] = org_member.llm_api_key_for_byor
+        if org_member.llm_base_url:
+            kwargs['llm_base_url'] = org_member.llm_base_url
+        # MCP config is user-specific (stored on org_member, not org)
        if org_member.mcp_config is not None:
            kwargs['mcp_config'] = org_member.mcp_config
-        effective_member_agent_settings = {
-            **org_agent_settings,
-            **member_agent_settings,
-        }
-        kwargs['agent_settings'] = effective_member_agent_settings
        if org.v1_enabled is None:
            kwargs['v1_enabled'] = True
        # Apply default if sandbox_grouping_strategy is None in the database
@@ -148,12 +125,6 @@ class SaasSettingsStore(SettingsStore):
            kwargs.pop('sandbox_grouping_strategy', None)

        settings = Settings(**kwargs)
-        if org_agent_settings != (org.agent_settings or {}):
-            await self._persist_org_agent_settings_async(org_id, org_agent_settings)
-        if effective_member_agent_settings != (org_member.agent_settings or {}):
-            await self._persist_agent_settings_async(
-                org_id, effective_member_agent_settings
-            )
        return settings

    async def store(self, item: Settings):
@@ -210,52 +181,62 @@ class SaasSettingsStore(SettingsStore):
                )
                return None

-            llm_model = item.get_agent_setting('llm.model')
-            llm_base_url = item.get_agent_setting('llm.base_url')
-            uses_managed_llm_key = not llm_base_url or llm_base_url == LITE_LLM_API_URL
-
            # Check if we need to generate an LLM key.
-            if uses_managed_llm_key:
+            # Only generate/verify proxy keys when the base URL is explicitly the
+            # LiteLLM proxy, or when it's unset and the model is an OpenHands model
+            # (which always needs a proxy key). For non-OpenHands models with no
+            # base URL (e.g. basic view BYOR), preserve the user's own API key.
+            if item.llm_base_url == LITE_LLM_API_URL or (
+                not item.llm_base_url and is_openhands_model(item.llm_model)
+            ):
                await self._ensure_api_key(
-                    item, str(org_id), openhands_type=is_openhands_model(llm_model)
+                    item, str(org_id), openhands_type=is_openhands_model(item.llm_model)
                )

-            normalized_agent_settings = item.normalized_agent_settings(
-                strip_secret_values=True
-            )
-            shared_agent_settings = {
-                key: value
-                for key, value in normalized_agent_settings.items()
-                if key not in {'llm.api_key', 'mcp_config'}
-            }
-            current_member_llm_api_key = item.get_secret_agent_setting('llm.api_key')
-            shared_llm_api_key = (
-                current_member_llm_api_key.get_secret_value()
-                if current_member_llm_api_key and not uses_managed_llm_key
-                else None
-            )
-
            kwargs = item.model_dump(context={'expose_secrets': True})
-            kwargs.pop('agent_settings', None)
-            for key, value in kwargs.items():
-                if hasattr(user, key):
-                    setattr(user, key, value)
-                if key != 'mcp_config' and hasattr(org, key):
-                    setattr(org, key, value)
-                if key == 'mcp_config' and hasattr(org_member, key):
-                    setattr(org_member, key, value)
+            for model in (user, org, org_member):
+                for key, value in kwargs.items():
+                    # Skip mcp_config for org - it should only be stored on org_member (user-specific)
+                    if key == 'mcp_config' and model is org:
+                        continue
+                    if hasattr(model, key):
+                        setattr(model, key, value)

-            org.agent_settings = shared_agent_settings
+            # Map Settings fields to Org fields with 'default_' prefix
+            # The generic loop above doesn't update these because Org uses
+            # 'default_llm_model' not 'llm_model', etc.
+            # Use exclude_unset to only update explicitly-set fields (allows clearing with null)
+            settings_data = item.model_dump(exclude_unset=True)
+            if 'llm_model' in settings_data:
+                org.default_llm_model = settings_data['llm_model']
+            if 'llm_base_url' in settings_data:
+                org.default_llm_base_url = settings_data['llm_base_url']
+            if 'max_iterations' in settings_data:
+                org.default_max_iterations = settings_data['max_iterations']

-            result = await session.execute(select(OrgMember).filter(OrgMember.org_id == org_id))
-            org_members = list(result.scalars().all())
-            for member in org_members:
-                member.agent_settings = dict(shared_agent_settings)
-                if shared_llm_api_key is not None:
-                    member.llm_api_key = shared_llm_api_key
+            # Propagate LLM settings to all org members
+            # This ensures all members see the same LLM configuration when an admin saves
+            # Note: Concurrent saves by multiple admins will result in last-write-wins.
+            # Consider adding optimistic locking if this becomes a problem.
+            member_update_values: dict = {}
+            if item.llm_model is not None:
+                member_update_values['llm_model'] = item.llm_model
+            if item.llm_base_url is not None:
+                member_update_values['llm_base_url'] = item.llm_base_url
+            if item.max_iterations is not None:
+                member_update_values['max_iterations'] = item.max_iterations
+            if item.llm_api_key is not None:
+                member_update_values['_llm_api_key'] = encrypt_value(
+                    item.llm_api_key.get_secret_value()
+                )

-            if current_member_llm_api_key is not None:
-                org_member.llm_api_key = current_member_llm_api_key
+            if member_update_values:
+                stmt = (
+                    update(OrgMember)
+                    .where(OrgMember.org_id == org_id)
+                    .values(**member_update_values)
+                )
+                await session.execute(stmt)

            await session.commit()

@@ -268,6 +249,52 @@ class SaasSettingsStore(SettingsStore):
        logger.debug(f'saas_settings_store.get_instance::{user_id}')
        return SaasSettingsStore(user_id, config)

+    def _should_encrypt(self, key):
+        return key in self.ENCRYPT_VALUES
+
+    def _decrypt_kwargs(self, kwargs: dict):
+        fernet = self._fernet()
+        for key, value in kwargs.items():
+            try:
+                if value is None:
+                    continue
+                if self._should_encrypt(key):
+                    if isinstance(value, SecretStr):
+                        value = fernet.decrypt(
+                            b64decode(value.get_secret_value().encode())
+                        ).decode()
+                    else:
+                        value = fernet.decrypt(b64decode(value.encode())).decode()
+                    kwargs[key] = value
+            except binascii.Error:
+                pass  # Key is in legacy format...
+
+    def _encrypt_kwargs(self, kwargs: dict):
+        fernet = self._fernet()
+        for key, value in kwargs.items():
+            if value is None:
+                continue
+
+            if isinstance(value, dict):
+                self._encrypt_kwargs(value)
+                continue
+
+            if self._should_encrypt(key):
+                if isinstance(value, SecretStr):
+                    value = b64encode(
+                        fernet.encrypt(value.get_secret_value().encode())
+                    ).decode()
+                else:
+                    value = b64encode(fernet.encrypt(value.encode())).decode()
+                kwargs[key] = value
+
+    def _fernet(self):
+        if not self.config.jwt_secret:
+            raise ValueError('jwt_secret must be defined on config')
+        jwt_secret = self.config.jwt_secret.get_secret_value()
+        fernet_key = b64encode(hashlib.sha256(jwt_secret.encode()).digest())
+        return Fernet(fernet_key)
+
    async def _ensure_api_key(
        self, item: Settings, org_id: str, openhands_type: bool = False
    ) -> None:
@@ -277,11 +304,9 @@ class SaasSettingsStore(SettingsStore):
        is valid in LiteLLM. If valid, reuses it. Otherwise, generates a new key.
        """

-        llm_api_key = item.get_secret_agent_setting('llm.api_key')
-
        # First, check if our current key is valid
-        if llm_api_key and not await LiteLlmManager.verify_existing_key(
-            llm_api_key.get_secret_value(),
+        if item.llm_api_key and not await LiteLlmManager.verify_existing_key(
+            item.llm_api_key.get_secret_value(),
            self.user_id,
            org_id,
            openhands_type=openhands_type,
@@ -304,7 +329,7 @@ class SaasSettingsStore(SettingsStore):
                    None,
                )

-            item.set_agent_setting('llm.api_key', SecretStr(generated_key))
+            item.llm_api_key = SecretStr(generated_key)
            logger.info(
                'saas_settings_store:store:generated_openhands_key',
                extra={'user_id': self.user_id},
@@ -1,10 +1,12 @@
 from datetime import UTC, datetime
+from decimal import Decimal

-from sqlalchemy import DECIMAL, Column, DateTime, Enum, Integer, String
+from sqlalchemy import DECIMAL, DateTime, Enum, String
+from sqlalchemy.orm import Mapped, mapped_column
 from storage.base import Base


-class SubscriptionAccess(Base):  # type: ignore
+class SubscriptionAccess(Base):
    """
    Represents a user's subscription access record.
    Tracks subscription status, duration, payment information, and cancellation status.
@@ -12,8 +14,8 @@ class SubscriptionAccess(Base):  # type: ignore

    __tablename__ = 'subscription_access'

-    id = Column(Integer, primary_key=True, autoincrement=True)
-    status = Column(
+    id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
+    status: Mapped[str] = mapped_column(
        Enum(
            'ACTIVE',
            'DISABLED',
@@ -22,22 +24,30 @@ class SubscriptionAccess(Base):  # type: ignore
        nullable=False,
        index=True,
    )
-    user_id = Column(String, nullable=False, index=True)
-    start_at = Column(DateTime(timezone=True), nullable=True)
-    end_at = Column(DateTime(timezone=True), nullable=True)
-    amount_paid = Column(DECIMAL(19, 4), nullable=True)
-    stripe_invoice_payment_id = Column(String, nullable=False)
-    cancelled_at = Column(DateTime(timezone=True), nullable=True)
-    stripe_subscription_id = Column(String, nullable=True, index=True)
-    created_at = Column(
+    user_id: Mapped[str] = mapped_column(String, nullable=False, index=True)
+    start_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+    end_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+    amount_paid: Mapped[Decimal | None] = mapped_column(DECIMAL(19, 4), nullable=True)
+    stripe_invoice_payment_id: Mapped[str] = mapped_column(String, nullable=False)
+    cancelled_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+    stripe_subscription_id: Mapped[str | None] = mapped_column(
+        String, nullable=True, index=True
+    )
+    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
-        default=lambda: datetime.now(UTC),  # type: ignore[attr-defined]
+        default=lambda: datetime.now(UTC),
        nullable=False,
    )
-    updated_at = Column(
+    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
-        default=lambda: datetime.now(UTC),  # type: ignore[attr-defined]
-        onupdate=lambda: datetime.now(UTC),  # type: ignore[attr-defined]
+        default=lambda: datetime.now(UTC),
+        onupdate=lambda: datetime.now(UTC),
        nullable=False,
    )

@@ -5,6 +5,7 @@ SQLAlchemy model for User.
 from uuid import uuid4

 from sqlalchemy import (
+    JSON,
    UUID,
    Boolean,
    Column,
@@ -34,6 +35,7 @@ class User(Base):  # type: ignore
    git_user_name = Column(String, nullable=True)
    git_user_email = Column(String, nullable=True)
    sandbox_grouping_strategy = Column(String, nullable=True)
+    disabled_skills = Column(JSON, nullable=True)

    # Relationships
    role = relationship('Role', back_populates='users')
@@ -1,10 +1,6 @@
-from __future__ import annotations
-
-from pydantic import SecretStr
 from server.constants import DEFAULT_BILLING_MARGIN
 from sqlalchemy import JSON, Boolean, Column, DateTime, Float, Identity, Integer, String
 from storage.base import Base
-from storage.encrypt_utils import decrypt_legacy_value, encrypt_legacy_value


 class UserSettings(Base):  # type: ignore
@@ -12,9 +8,17 @@ class UserSettings(Base):  # type: ignore
    id = Column(Integer, Identity(), primary_key=True)
    keycloak_user_id = Column(String, nullable=True, index=True)
    language = Column(String, nullable=True)
+    agent = Column(String, nullable=True)
+    max_iterations = Column(Integer, nullable=True)
+    security_analyzer = Column(String, nullable=True)
+    confirmation_mode = Column(Boolean, nullable=True, default=False)
+    llm_model = Column(String, nullable=True)
    llm_api_key = Column(String, nullable=True)
    llm_api_key_for_byor = Column(String, nullable=True)
+    llm_base_url = Column(String, nullable=True)
    remote_runtime_resource_factor = Column(Integer, nullable=True)
+    enable_default_condenser = Column(Boolean, nullable=False, default=True)
+    condenser_max_size = Column(Integer, nullable=True)
    user_consents_to_analytics = Column(Boolean, nullable=True)
    billing_margin = Column(Float, nullable=True, default=DEFAULT_BILLING_MARGIN)
    enable_sound_notifications = Column(Boolean, nullable=True, default=False)
@@ -37,31 +41,6 @@ class UserSettings(Base):  # type: ignore
    git_user_name = Column(String, nullable=True)
    git_user_email = Column(String, nullable=True)
    v1_enabled = Column(Boolean, nullable=True)
-    agent_settings = Column(JSON, nullable=False, default=dict)
-
-    @property
-    def llm_api_key_for_byor_secret(self) -> SecretStr | None:
-        raw = self.llm_api_key_for_byor
-        if not raw:
-            return None
-        try:
-            return SecretStr(decrypt_legacy_value(raw))
-        except Exception:
-            return SecretStr(raw)
-
-    @llm_api_key_for_byor_secret.setter
-    def llm_api_key_for_byor_secret(self, value: str | SecretStr | None) -> None:
-        if value is None:
-            self.llm_api_key_for_byor = None
-            return
-        raw = value.get_secret_value() if isinstance(value, SecretStr) else value
-        self.llm_api_key_for_byor = encrypt_legacy_value(raw)
-
    already_migrated = Column(
        Boolean, nullable=True, default=False
    )  # False = not migrated, True = migrated
-
-    def to_settings(self):
-        from openhands.storage.data_models.settings import Settings
-
-        return Settings(agent_settings=dict(self.agent_settings or {}))
@@ -91,6 +91,9 @@ class UserStore:
            from storage.org_member_store import OrgMemberStore

            org_member_kwargs = OrgMemberStore.get_kwargs_from_settings(settings)
+            # avoid setting org member llm fields to use org defaults on user creation
+            del org_member_kwargs['llm_model']
+            del org_member_kwargs['llm_base_url']
            org_member = OrgMember(
                org_id=org.id,
                user_id=user.id,
@@ -230,13 +233,10 @@ class UserStore:
            org_kwargs = OrgStore.get_kwargs_from_user_settings(decrypted_user_settings)
            org_kwargs.pop('id', None)

-            # If the user has custom settings, keep the org defaults minimal.
+            # if user has custom settings, set org defaults to current version
            if custom_settings:
-                org_kwargs['agent_settings'] = {
-                    'schema_version': 1,
-                    'llm.model': get_default_litellm_model(),
-                    'llm.base_url': LITE_LLM_API_URL,
-                }
+                org_kwargs['default_llm_model'] = get_default_litellm_model()
+                org_kwargs['llm_base_url'] = LITE_LLM_API_URL
                org_kwargs['org_version'] = ORG_SETTINGS_VERSION

            for key, value in org_kwargs.items():
@@ -276,10 +276,12 @@ class UserStore:
            org_member_kwargs = OrgMemberStore.get_kwargs_from_user_settings(
                decrypted_user_settings
            )
+
+            # if the user did not have custom settings in the old model,
+            # then use the org defaults by not setting org_member fields
            if not custom_settings:
-                org_member_kwargs['agent_settings'] = (
-                    OrgStore.get_agent_settings_from_org(org)
-                )
+                del org_member_kwargs['llm_model']
+                del org_member_kwargs['llm_base_url']

            org_member = OrgMember(
                org_id=org.id,
@@ -465,6 +467,13 @@ class UserStore:
                    user_settings.llm_api_key = encrypt_legacy_value(
                        org_member.llm_api_key.get_secret_value()
                    )
+                if (
+                    org_member.llm_api_key_for_byor
+                    and org_member.llm_api_key_for_byor.get_secret_value()
+                ):
+                    user_settings.llm_api_key_for_byor = encrypt_legacy_value(
+                        org_member.llm_api_key_for_byor.get_secret_value()
+                    )
                logger.info(
                    'user_store:downgrade_user:updated_user_settings_from_org_member',
                    extra={'user_id': user_id},
@@ -942,20 +951,44 @@ class UserStore:
        Returns:
            A new UserSettings object populated from the entities
        """
-        from storage.org_member_store import OrgMemberStore
-        from storage.org_store import OrgStore
+        # Mapping from OrgMember fields to corresponding Org "default_" fields
+        org_member_to_org_default = {
+            'llm_model': 'default_llm_model',
+            'llm_base_url': 'default_llm_base_url',
+            'max_iterations': 'default_max_iterations',
+        }

-        member_agent_settings = OrgMemberStore.get_agent_settings_from_org_member(
-            org_member
+        def get_value_with_org_fallback(field_name: str, org_member_value):
+            """Get value from OrgMember, falling back to Org default if None."""
+            if org_member_value is not None:
+                return org_member_value
+            org_default_field = org_member_to_org_default.get(field_name)
+            if org_default_field and hasattr(org, org_default_field):
+                return getattr(org, org_default_field)
+            return None
+
+        # Get values from OrgMember with Org fallback for fields with default_ prefix
+        llm_model = get_value_with_org_fallback('llm_model', org_member.llm_model)
+        llm_base_url = get_value_with_org_fallback(
+            'llm_base_url', org_member.llm_base_url
+        )
+        max_iterations = get_value_with_org_fallback(
+            'max_iterations', org_member.max_iterations
        )
-        org_agent_settings = OrgStore.get_agent_settings_from_org(org)
-        agent_settings = {**org_agent_settings, **member_agent_settings}

        return UserSettings(
            keycloak_user_id=user_id,
+            # OrgMember fields
            llm_api_key=org_member.llm_api_key.get_secret_value()
            if org_member.llm_api_key
            else None,
+            llm_api_key_for_byor=org_member.llm_api_key_for_byor.get_secret_value()
+            if org_member.llm_api_key_for_byor
+            else None,
+            llm_model=llm_model,
+            llm_base_url=llm_base_url,
+            max_iterations=max_iterations,
+            # User fields
            accepted_tos=user.accepted_tos,
            enable_sound_notifications=user.enable_sound_notifications,
            language=user.language,
@@ -964,12 +997,18 @@ class UserStore:
            email_verified=user.email_verified,
            git_user_name=user.git_user_name,
            git_user_email=user.git_user_email,
+            # Org fields
+            agent=org.agent,
+            security_analyzer=org.security_analyzer,
+            confirmation_mode=org.confirmation_mode,
            remote_runtime_resource_factor=org.remote_runtime_resource_factor,
+            enable_default_condenser=org.enable_default_condenser,
            billing_margin=org.billing_margin,
            enable_proactive_conversation_starters=org.enable_proactive_conversation_starters,
            sandbox_base_container_image=org.sandbox_base_container_image,
            sandbox_runtime_container_image=org.sandbox_runtime_container_image,
            user_version=org.org_version,
+            mcp_config=org.mcp_config,
            search_api_key=org.search_api_key.get_secret_value()
            if org.search_api_key
            else None,
@@ -979,8 +1018,7 @@ class UserStore:
            max_budget_per_task=org.max_budget_per_task,
            enable_solvability_analysis=org.enable_solvability_analysis,
            v1_enabled=org.v1_enabled,
-            sandbox_grouping_strategy=org.sandbox_grouping_strategy,
-            agent_settings=agent_settings,
+            condenser_max_size=org.condenser_max_size,
            already_migrated=False,
        )

@@ -998,17 +1036,16 @@ class UserStore:
        Returns:
            True if user has custom settings, False if using old defaults
        """
-        persisted_agent_settings = user_settings.agent_settings or {}
-        user_model = persisted_agent_settings.get('llm.model') or getattr(
-            user_settings, 'llm_model', None
+        # Normalize values
+        user_model = (
+            user_settings.llm_model.strip() or None if user_settings.llm_model else None
        )
-        user_base_url = persisted_agent_settings.get('llm.base_url') or getattr(
-            user_settings, 'llm_base_url', None
+        user_base_url = (
+            user_settings.llm_base_url.strip() or None
+            if user_settings.llm_base_url
+            else None
        )

-        user_model = user_model.strip() or None if user_model else None
-        user_base_url = user_base_url.strip() or None if user_base_url else None
-
        # Custom base_url = definitely custom settings (BYOK)
        if user_base_url and user_base_url != LITE_LLM_API_URL:
            return True
@@ -13,7 +13,6 @@ Required environment variables:
 - RESEND_AUDIENCE_ID: ID of the Resend audience to add users to

 Optional environment variables:
- KEYCLOAK_PROVIDER_NAME: Provider name for Keycloak
 - KEYCLOAK_CLIENT_ID: Client ID for Keycloak
 - KEYCLOAK_CLIENT_SECRET: Client secret for Keycloak
 - RESEND_FROM_EMAIL: Email address to use as the sender (default: "OpenHands Team <no-reply@welcome.openhands.dev>")
@@ -49,7 +48,6 @@ from openhands.core.logger import openhands_logger as logger
 # Get Keycloak configuration from environment variables
 KEYCLOAK_SERVER_URL = os.environ.get('KEYCLOAK_SERVER_URL', '')
 KEYCLOAK_REALM_NAME = os.environ.get('KEYCLOAK_REALM_NAME', '')
-KEYCLOAK_PROVIDER_NAME = os.environ.get('KEYCLOAK_PROVIDER_NAME', '')
 KEYCLOAK_CLIENT_ID = os.environ.get('KEYCLOAK_CLIENT_ID', '')
 KEYCLOAK_CLIENT_SECRET = os.environ.get('KEYCLOAK_CLIENT_SECRET', '')
 KEYCLOAK_ADMIN_PASSWORD = os.environ.get('KEYCLOAK_ADMIN_PASSWORD', '')
@@ -1,4 +1,3 @@
-import os
 import uuid
 from datetime import datetime
 from uuid import UUID
@@ -26,6 +25,7 @@ from storage.device_code import DeviceCode  # noqa: F401
 from storage.feedback import Feedback
 from storage.github_app_installation import GithubAppInstallation
 from storage.org import Org
+from storage.org_git_claim import OrgGitClaim  # noqa: F401
 from storage.org_invitation import OrgInvitation  # noqa: F401
 from storage.org_member import OrgMember
 from storage.role import Role
@@ -37,20 +37,6 @@ from storage.stored_conversation_metadata_saas import (
 from storage.stored_offline_token import StoredOfflineToken
 from storage.stripe_customer import StripeCustomer
 from storage.user import User
-from storage.user_settings import UserSettings  # noqa: F401
-
-
-@pytest.fixture(autouse=True)
-def allow_short_context_windows():
-    old = os.environ.get('ALLOW_SHORT_CONTEXT_WINDOWS')
-    os.environ['ALLOW_SHORT_CONTEXT_WINDOWS'] = 'true'
-    try:
-        yield
-    finally:
-        if old is None:
-            os.environ.pop('ALLOW_SHORT_CONTEXT_WINDOWS', None)
-        else:
-            os.environ['ALLOW_SHORT_CONTEXT_WINDOWS'] = old


@pytest.fixture
@@ -186,6 +172,7 @@ def add_minimal_fixtures(session_maker):
                id=uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081'),
                name='mock-org',
                org_version=ORG_SETTINGS_VERSION,
+                enable_default_condenser=True,
                enable_proactive_conversation_starters=True,
            )
        )
@@ -88,6 +88,7 @@ class TestGithubViewV1InitialUserMessage:
            view.previous_comments = [MagicMock(author='alice', body='old comment 1')]

        view._load_resolver_context = AsyncMock(side_effect=_load_context)  # type: ignore[method-assign]
+        view.resolved_org_id = None

        fake_service = _FakeAppConversationService()
        mock_get_app_conversation_service.return_value = (
@@ -144,6 +145,7 @@ class TestGithubViewV1InitialUserMessage:
            ]

        view._load_resolver_context = AsyncMock(side_effect=_load_context)  # type: ignore[method-assign]
+        view.resolved_org_id = None

        fake_service = _FakeAppConversationService()
        mock_get_app_conversation_service.return_value = (
@@ -200,6 +202,7 @@ class TestGithubViewV1InitialUserMessage:
            view.previous_comments = []

        view._load_resolver_context = AsyncMock(side_effect=_load_context)  # type: ignore[method-assign]
+        view.resolved_org_id = None

        fake_service = _FakeAppConversationService()
        mock_get_service.return_value = _fake_app_conversation_service_ctx(fake_service)
@@ -3,6 +3,7 @@ Tests for Jira view classes and factory.
 """

 from unittest.mock import AsyncMock, MagicMock, patch
+from uuid import UUID

 import pytest
 from integrations.jira.jira_payload import (
@@ -18,6 +19,9 @@ from integrations.jira.jira_view import (
    JiraNewConversationView,
 )

+from openhands.integrations.service_types import ProviderType
+from openhands.server.user_auth.user_auth import UserAuth
+

 class TestJiraNewConversationView:
    """Tests for JiraNewConversationView"""
@@ -86,29 +90,49 @@ class TestJiraNewConversationView:
        assert 'Test Issue' in user_msg

    @pytest.mark.asyncio
-    @patch('integrations.jira.jira_view.create_new_conversation')
+    @patch('integrations.jira.jira_view.resolve_org_for_repo', new_callable=AsyncMock)
+    @patch('integrations.jira.jira_view.ProviderHandler')
+    @patch(
+        'integrations.jira.jira_view.SaasConversationStore.get_resolver_instance',
+        new_callable=AsyncMock,
+    )
+    @patch('integrations.jira.jira_view.start_conversation', new_callable=AsyncMock)
    @patch('integrations.jira.jira_view.integration_store')
    async def test_create_or_update_conversation_success(
        self,
-        mock_store,
-        mock_create_conversation,
+        mock_integration_store,
+        mock_start_convo,
+        mock_get_resolver_instance,
+        mock_provider_handler_cls,
+        mock_resolve_org,
        new_conversation_view,
        mock_jinja_env,
-        mock_agent_loop_info,
    ):
        """Test successful conversation creation"""
        new_conversation_view._issue_title = 'Test Issue'
        new_conversation_view._issue_description = 'Test description'
-        mock_create_conversation.return_value = mock_agent_loop_info
-        mock_store.create_conversation = AsyncMock()
+
+        mock_repo = MagicMock()
+        mock_repo.git_provider = ProviderType.GITHUB
+        mock_handler = MagicMock()
+        mock_handler.verify_repo_provider = AsyncMock(return_value=mock_repo)
+        mock_provider_handler_cls.return_value = mock_handler
+
+        mock_resolve_org.return_value = None
+        mock_store = MagicMock()
+        mock_store.save_metadata = AsyncMock()
+        mock_get_resolver_instance.return_value = mock_store
+        mock_integration_store.create_conversation = AsyncMock()

        result = await new_conversation_view.create_or_update_conversation(
            mock_jinja_env
        )

-        assert result == 'conv-123'
-        mock_create_conversation.assert_called_once()
-        mock_store.create_conversation.assert_called_once()
+        assert result is not None
+        assert isinstance(result, str)
+        assert len(result) == 32  # uuid4().hex format
+        mock_start_convo.assert_called_once()
+        mock_integration_store.create_conversation.assert_called_once()

    @pytest.mark.asyncio
    async def test_create_or_update_conversation_no_repo(
@@ -348,6 +372,125 @@ class TestJiraFactory:
                )


+CLAIMING_ORG_ID = UUID('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa')
+
+
+class TestJiraV0ConversationRouting:
+    """Test V0 conversation routing logic based on claimed git organizations."""
+
+    @pytest.fixture
+    def routing_view(
+        self,
+        sample_webhook_payload,
+        sample_jira_user,
+        sample_jira_workspace,
+    ):
+        """View with non-empty provider tokens for routing tests."""
+        user_auth = MagicMock(spec=UserAuth)
+        user_auth.get_provider_tokens = AsyncMock(
+            return_value={ProviderType.GITHUB: MagicMock()}
+        )
+        user_auth.get_secrets = AsyncMock(return_value=None)
+        return JiraNewConversationView(
+            payload=sample_webhook_payload,
+            saas_user_auth=user_auth,
+            jira_user=sample_jira_user,
+            jira_workspace=sample_jira_workspace,
+            selected_repo='test/repo1',
+            _issue_title='Test Issue',
+            _issue_description='Test description',
+            _decrypted_api_key='decrypted_key',
+        )
+
+    @pytest.mark.asyncio
+    @patch('integrations.jira.jira_view.resolve_org_for_repo', new_callable=AsyncMock)
+    @patch('integrations.jira.jira_view.ProviderHandler')
+    @patch(
+        'integrations.jira.jira_view.SaasConversationStore.get_resolver_instance',
+        new_callable=AsyncMock,
+    )
+    @patch('integrations.jira.jira_view.start_conversation', new_callable=AsyncMock)
+    @patch('integrations.jira.jira_view.integration_store')
+    async def test_routes_to_claimed_org_when_user_is_member(
+        self,
+        mock_integration_store,
+        mock_start_convo,
+        mock_get_resolver_instance,
+        mock_provider_handler_cls,
+        mock_resolve_org,
+        routing_view,
+        mock_jinja_env,
+    ):
+        """When repo belongs to a claimed org and user is a member, conversation is created in that org."""
+        # Arrange
+        mock_repo = MagicMock()
+        mock_repo.git_provider = ProviderType.GITHUB
+        mock_handler = MagicMock()
+        mock_handler.verify_repo_provider = AsyncMock(return_value=mock_repo)
+        mock_provider_handler_cls.return_value = mock_handler
+
+        mock_resolve_org.return_value = CLAIMING_ORG_ID
+        mock_store = MagicMock()
+        mock_store.save_metadata = AsyncMock()
+        mock_get_resolver_instance.return_value = mock_store
+        mock_integration_store.create_conversation = AsyncMock()
+
+        # Act
+        await routing_view.create_or_update_conversation(mock_jinja_env)
+
+        # Assert
+        mock_resolve_org.assert_called_once_with(
+            provider='github',
+            full_repo_name='test/repo1',
+            keycloak_user_id='test_keycloak_id',
+        )
+        call_args = mock_get_resolver_instance.call_args
+        assert call_args[0][1] == 'test_keycloak_id'  # user_id
+        assert call_args[0][2] == CLAIMING_ORG_ID  # resolver_org_id
+        saved_metadata = mock_store.save_metadata.call_args[0][0]
+        assert saved_metadata.git_provider == ProviderType.GITHUB
+
+    @pytest.mark.asyncio
+    @patch('integrations.jira.jira_view.resolve_org_for_repo', new_callable=AsyncMock)
+    @patch('integrations.jira.jira_view.ProviderHandler')
+    @patch(
+        'integrations.jira.jira_view.SaasConversationStore.get_resolver_instance',
+        new_callable=AsyncMock,
+    )
+    @patch('integrations.jira.jira_view.start_conversation', new_callable=AsyncMock)
+    @patch('integrations.jira.jira_view.integration_store')
+    async def test_falls_back_to_personal_workspace_when_no_claim(
+        self,
+        mock_integration_store,
+        mock_start_convo,
+        mock_get_resolver_instance,
+        mock_provider_handler_cls,
+        mock_resolve_org,
+        routing_view,
+        mock_jinja_env,
+    ):
+        """When no org has claimed the git org, conversation goes to personal workspace."""
+        # Arrange
+        mock_repo = MagicMock()
+        mock_repo.git_provider = ProviderType.GITHUB
+        mock_handler = MagicMock()
+        mock_handler.verify_repo_provider = AsyncMock(return_value=mock_repo)
+        mock_provider_handler_cls.return_value = mock_handler
+
+        mock_resolve_org.return_value = None
+        mock_store = MagicMock()
+        mock_store.save_metadata = AsyncMock()
+        mock_get_resolver_instance.return_value = mock_store
+        mock_integration_store.create_conversation = AsyncMock()
+
+        # Act
+        await routing_view.create_or_update_conversation(mock_jinja_env)
+
+        # Assert
+        call_args = mock_get_resolver_instance.call_args
+        assert call_args[0][2] is None  # resolver_org_id is None
+
+
 class TestJiraPayloadParser:
    """Tests for JiraPayloadParser"""

@@ -73,6 +73,7 @@ def sample_user_auth():
    """Create a mock UserAuth for testing."""
    user_auth = MagicMock(spec=UserAuth)
    user_auth.get_provider_tokens = AsyncMock(return_value={})
+    user_auth.get_secrets = AsyncMock(return_value=MagicMock(custom_secrets={}))
    user_auth.get_access_token = AsyncMock(return_value='test_token')
    user_auth.get_user_id = AsyncMock(return_value='test_user_id')
    return user_auth
@@ -29,27 +29,33 @@ class TestLinearNewConversationView:
        assert 'Test Issue' in user_msg
        assert 'Fix this bug @openhands' in user_msg

-    @patch('integrations.linear.linear_view.create_new_conversation')
+    @patch(
+        'integrations.linear.linear_view.SaasConversationStore.get_resolver_instance',
+        new_callable=AsyncMock,
+    )
+    @patch('integrations.linear.linear_view.start_conversation', new_callable=AsyncMock)
    @patch('integrations.linear.linear_view.integration_store')
    async def test_create_or_update_conversation_success(
        self,
-        mock_store,
-        mock_create_conversation,
+        mock_integration_store,
+        mock_start_convo,
+        mock_get_resolver_instance,
        new_conversation_view,
        mock_jinja_env,
-        mock_agent_loop_info,
    ):
        """Test successful conversation creation"""
-        mock_create_conversation.return_value = mock_agent_loop_info
-        mock_store.create_conversation = AsyncMock()
+        mock_store = MagicMock()
+        mock_store.save_metadata = AsyncMock()
+        mock_get_resolver_instance.return_value = mock_store
+        mock_integration_store.create_conversation = AsyncMock()

        result = await new_conversation_view.create_or_update_conversation(
            mock_jinja_env
        )

-        assert result == 'conv-123'
-        mock_create_conversation.assert_called_once()
-        mock_store.create_conversation.assert_called_once()
+        assert result is not None
+        mock_start_convo.assert_called_once()
+        mock_integration_store.create_conversation.assert_called_once()

    async def test_create_or_update_conversation_no_repo(
        self, new_conversation_view, mock_jinja_env
@@ -60,12 +66,23 @@ class TestLinearNewConversationView:
        with pytest.raises(StartingConvoException, match='No repository selected'):
            await new_conversation_view.create_or_update_conversation(mock_jinja_env)

-    @patch('integrations.linear.linear_view.create_new_conversation')
+    @patch(
+        'integrations.linear.linear_view.SaasConversationStore.get_resolver_instance',
+        new_callable=AsyncMock,
+    )
+    @patch('integrations.linear.linear_view.start_conversation', new_callable=AsyncMock)
    async def test_create_or_update_conversation_failure(
-        self, mock_create_conversation, new_conversation_view, mock_jinja_env
+        self,
+        mock_start_convo,
+        mock_get_resolver_instance,
+        new_conversation_view,
+        mock_jinja_env,
    ):
        """Test conversation creation failure"""
-        mock_create_conversation.side_effect = Exception('Creation failed')
+        mock_store = MagicMock()
+        mock_store.save_metadata = AsyncMock()
+        mock_get_resolver_instance.return_value = mock_store
+        mock_start_convo.side_effect = Exception('Creation failed')

        with pytest.raises(
            StartingConvoException, match='Failed to create conversation'
@@ -300,43 +317,57 @@ class TestLinearFactory:
 class TestLinearViewEdgeCases:
    """Tests for edge cases and error scenarios"""

-    @patch('integrations.linear.linear_view.create_new_conversation')
+    @patch(
+        'integrations.linear.linear_view.SaasConversationStore.get_resolver_instance',
+        new_callable=AsyncMock,
+    )
+    @patch('integrations.linear.linear_view.start_conversation', new_callable=AsyncMock)
    @patch('integrations.linear.linear_view.integration_store')
    async def test_conversation_creation_with_no_user_secrets(
        self,
-        mock_store,
-        mock_create_conversation,
+        mock_integration_store,
+        mock_start_convo,
+        mock_get_resolver_instance,
        new_conversation_view,
        mock_jinja_env,
-        mock_agent_loop_info,
    ):
        """Test conversation creation when user has no secrets"""
-        new_conversation_view.saas_user_auth.get_secrets.return_value = None
-        mock_create_conversation.return_value = mock_agent_loop_info
-        mock_store.create_conversation = AsyncMock()
+        new_conversation_view.saas_user_auth.get_secrets = AsyncMock(return_value=None)
+        mock_store = MagicMock()
+        mock_store.save_metadata = AsyncMock()
+        mock_get_resolver_instance.return_value = mock_store
+        mock_integration_store.create_conversation = AsyncMock()

        result = await new_conversation_view.create_or_update_conversation(
            mock_jinja_env
        )

-        assert result == 'conv-123'
-        # Verify create_new_conversation was called with custom_secrets=None
-        call_kwargs = mock_create_conversation.call_args[1]
+        assert result is not None
+        # Verify start_conversation was called with custom_secrets=None
+        call_kwargs = mock_start_convo.call_args[1]
        assert call_kwargs['custom_secrets'] is None

-    @patch('integrations.linear.linear_view.create_new_conversation')
+    @patch(
+        'integrations.linear.linear_view.SaasConversationStore.get_resolver_instance',
+        new_callable=AsyncMock,
+    )
+    @patch('integrations.linear.linear_view.start_conversation', new_callable=AsyncMock)
    @patch('integrations.linear.linear_view.integration_store')
    async def test_conversation_creation_store_failure(
        self,
-        mock_store,
-        mock_create_conversation,
+        mock_integration_store,
+        mock_start_convo,
+        mock_get_resolver_instance,
        new_conversation_view,
        mock_jinja_env,
-        mock_agent_loop_info,
    ):
        """Test conversation creation when store creation fails"""
-        mock_create_conversation.return_value = mock_agent_loop_info
-        mock_store.create_conversation = AsyncMock(side_effect=Exception('Store error'))
+        mock_store = MagicMock()
+        mock_store.save_metadata = AsyncMock()
+        mock_get_resolver_instance.return_value = mock_store
+        mock_integration_store.create_conversation = AsyncMock(
+            side_effect=Exception('Store error')
+        )

        with pytest.raises(
            StartingConvoException, match='Failed to create conversation'
@@ -257,7 +257,7 @@ class TestSlackV1CallbackProcessor:
        # Verify Slack posting
        mock_slack_client.chat_postMessage.assert_called_once_with(
            channel='C1234567890',
-            text='Test summary from agent',
+            markdown_text='Test summary from agent',
            thread_ts='1234567890.123456',
            unfurl_links=False,
            unfurl_media=False,
@@ -509,7 +509,7 @@ class TestSlackV1CallbackProcessor:
        # Verify user-friendly message was posted to Slack
        mock_slack_client.chat_postMessage.assert_called_once()
        call_kwargs = mock_slack_client.chat_postMessage.call_args[1]
-        posted_message = call_kwargs.get('text', '')
+        posted_message = call_kwargs.get('markdown_text', '')
        assert 'OpenHands encountered an error' in posted_message
        assert 'LLM budget has been exceeded' in posted_message
        assert 'please re-fill' in posted_message
@@ -32,6 +32,28 @@ def resolver_context(mock_saas_user_auth):
    return ResolverUserContext(saas_user_auth=mock_saas_user_auth)


+# ---------------------------------------------------------------------------
+# Tests for resolver_org_id - org routing for resolver conversations
+# ---------------------------------------------------------------------------
+
+
+def test_resolver_org_id_defaults_to_none(mock_saas_user_auth):
+    """Test that resolver_org_id defaults to None when not provided."""
+    ctx = ResolverUserContext(saas_user_auth=mock_saas_user_auth)
+    assert ctx.resolver_org_id is None
+
+
+def test_resolver_org_id_can_be_set_via_constructor(mock_saas_user_auth):
+    """Test that resolver_org_id can be set via constructor for org routing."""
+    from uuid import UUID
+
+    org_id = UUID('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa')
+    ctx = ResolverUserContext(
+        saas_user_auth=mock_saas_user_auth, resolver_org_id=org_id
+    )
+    assert ctx.resolver_org_id == org_id
+
+
 def create_custom_secret(value: str, description: str = 'Test secret') -> CustomSecret:
    """Helper to create CustomSecret instances."""
    return CustomSecret(secret=SecretStr(value), description=description)
@@ -0,0 +1,111 @@
+"""Tests for resolver org routing logic.
+
+Tests the resolve_org_for_repo function which determines which OpenHands
+organization workspace a resolver conversation should be created in.
+"""
+
+from unittest.mock import AsyncMock, MagicMock, patch
+from uuid import UUID
+
+import pytest
+
+CLAIMING_ORG_ID = UUID('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa')
+USER_ID = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'
+
+# Patch at module level where the names are looked up
+_CLAIM_STORE = 'enterprise.integrations.resolver_org_router.OrgGitClaimStore'
+_MEMBER_STORE = 'enterprise.integrations.resolver_org_router.OrgMemberStore'
+
+
+@pytest.fixture(autouse=True)
+def mock_stores():
+    """Mock OrgGitClaimStore and OrgMemberStore for all tests."""
+    with (
+        patch(_CLAIM_STORE) as mock_claim_store,
+        patch(_MEMBER_STORE) as mock_member_store,
+    ):
+        mock_claim_store.get_claim_by_provider_and_git_org = AsyncMock(
+            return_value=None
+        )
+        mock_member_store.get_org_member = AsyncMock(return_value=None)
+        yield mock_claim_store, mock_member_store
+
+
+@pytest.mark.asyncio
+async def test_returns_org_id_when_claimed_and_user_is_member(mock_stores):
+    """When the git org is claimed and the user is a member, return the claiming org's ID."""
+    from enterprise.integrations.resolver_org_router import resolve_org_for_repo
+
+    mock_claim_store, mock_member_store = mock_stores
+
+    # Arrange
+    claim = MagicMock()
+    claim.org_id = CLAIMING_ORG_ID
+    mock_claim_store.get_claim_by_provider_and_git_org.return_value = claim
+    mock_member_store.get_org_member.return_value = MagicMock()  # member exists
+
+    # Act
+    result = await resolve_org_for_repo('github', 'OpenHands/foo', USER_ID)
+
+    # Assert
+    assert result == CLAIMING_ORG_ID
+    mock_claim_store.get_claim_by_provider_and_git_org.assert_called_once_with(
+        'github', 'openhands'
+    )
+    mock_member_store.get_org_member.assert_called_once_with(
+        CLAIMING_ORG_ID, UUID(USER_ID)
+    )
+
+
+@pytest.mark.asyncio
+async def test_returns_none_when_claimed_but_user_not_member(mock_stores):
+    """When the git org is claimed but user is not a member, return None."""
+    from enterprise.integrations.resolver_org_router import resolve_org_for_repo
+
+    mock_claim_store, mock_member_store = mock_stores
+
+    # Arrange
+    claim = MagicMock()
+    claim.org_id = CLAIMING_ORG_ID
+    mock_claim_store.get_claim_by_provider_and_git_org.return_value = claim
+    mock_member_store.get_org_member.return_value = None
+
+    # Act
+    result = await resolve_org_for_repo('github', 'OpenHands/foo', USER_ID)
+
+    # Assert
+    assert result is None
+
+
+@pytest.mark.asyncio
+async def test_returns_none_when_no_claim_exists(mock_stores):
+    """When no org has claimed the git organization, return None."""
+    from enterprise.integrations.resolver_org_router import resolve_org_for_repo
+
+    mock_claim_store, _ = mock_stores
+    mock_claim_store.get_claim_by_provider_and_git_org.return_value = None
+
+    # Act
+    result = await resolve_org_for_repo('github', 'UnclaimedOrg/repo', USER_ID)
+
+    # Assert
+    assert result is None
+    mock_claim_store.get_claim_by_provider_and_git_org.assert_called_once_with(
+        'github', 'unclaimedorg'
+    )
+
+
+@pytest.mark.asyncio
+async def test_extracts_git_org_lowercase_from_repo_name(mock_stores):
+    """The git org is extracted from repo name and lowercased for claim lookup."""
+    from enterprise.integrations.resolver_org_router import resolve_org_for_repo
+
+    mock_claim_store, _ = mock_stores
+
+    # Act
+    await resolve_org_for_repo('github', 'MyOrg/some-repo', USER_ID)
+
+    # Assert
+    mock_claim_store.get_claim_by_provider_and_git_org.assert_called_once_with(
+        'github', 'myorg'
+    )
--- a/Show More
+++ b/Show More