fix: include real errors in event detail, handle None payload explicitly, extract monitoring helper, add integration test

Co-authored-by: openhands <openhands@all-hands.dev>

.agents/skills/cross-repo-testing/SKILL.md

@@ -1,202 +0,0 @@
----
-name: cross-repo-testing
-description: This skill should be used when the user asks to "test a cross-repo feature", "deploy a feature branch to staging", "test SDK against OH Cloud", "e2e test a cloud workspace feature", "test provider tokens", "test secrets inheritance", or when changes span the SDK and OpenHands server repos and need end-to-end validation against a staging deployment.
-triggers:
-- cross-repo
-- staging deployment
-- feature branch deploy
-- test against cloud
-- e2e cloud
----
-
-# Cross-Repo Testing: SDK ↔ OpenHands Cloud
-
-How to end-to-end test features that span `OpenHands/software-agent-sdk` and `OpenHands/OpenHands` (the Cloud backend).
-
-## Repository Map
-
-| Repo | Role | What lives here |
-|------|------|-----------------|
-| [`software-agent-sdk`](https://github.com/OpenHands/software-agent-sdk) | Agent core | `openhands-sdk`, `openhands-workspace`, `openhands-tools` packages. `OpenHandsCloudWorkspace` lives here. |
-| [`OpenHands`](https://github.com/OpenHands/OpenHands) | Cloud backend | FastAPI server (`openhands/app_server/`), sandbox management, auth, enterprise integrations. Deployed as OH Cloud. |
-| [`deploy`](https://github.com/OpenHands/deploy) | Infrastructure | Helm charts + GitHub Actions that build the enterprise Docker image and deploy to staging/production. |
-
-**Data flow:** SDK client → OH Cloud API (`/api/v1/...`) → sandbox agent-server (inside runtime container)
-
-## When You Need This
-
-There are **two flows** depending on which direction the dependency goes:
-
-| Flow | When | Example |
-|------|------|---------|
-| **A — SDK client → new Cloud API** | The SDK calls an API that doesn't exist yet on production | `workspace.get_llm()` calling `GET /api/v1/users/me?expose_secrets=true` |
-| **B — OH server → new SDK code** | The Cloud server needs unreleased SDK packages or a new agent-server image | Server consumes a new tool, agent behavior, or workspace method from the SDK |
-
-Flow A only requires deploying the server PR. Flow B requires pinning the SDK to an unreleased commit in the server PR **and** using the SDK PR's agent-server image. Both flows may apply simultaneously.
-
----
-
-## Flow A: SDK Client Tests Against New Cloud API
-
-Use this when the SDK calls an endpoint that only exists on the server PR branch.
-
-### A1. Write and test the server-side changes
-
-In the `OpenHands` repo, implement the new API endpoint(s). Run unit tests:
-
-```bash
-cd OpenHands
-poetry run pytest tests/unit/app_server/test_<relevant>.py -v
-```
-
-Push a PR. Wait for the **"Push Enterprise Image" (Docker) CI job** to succeed — this builds `ghcr.io/openhands/enterprise-server:sha-<COMMIT>`.
-
-### A2. Write the SDK-side changes
-
-In `software-agent-sdk`, implement the client code (e.g., new methods on `OpenHandsCloudWorkspace`). Run SDK unit tests:
-
-```bash
-cd software-agent-sdk
-pip install -e openhands-sdk -e openhands-workspace
-pytest tests/ -v
-```
-
-Push a PR. SDK CI is independent — it doesn't need the server changes to pass unit tests.
-
-### A3. Deploy the server PR to staging
-
-See [Deploying to a Staging Feature Environment](#deploying-to-a-staging-feature-environment) below.
-
-### A4. Run the SDK e2e test against staging
-
-See [Running E2E Tests Against Staging](#running-e2e-tests-against-staging) below.
-
----
-
-## Flow B: OH Server Needs Unreleased SDK Code
-
-Use this when the Cloud server depends on SDK changes that haven't been released to PyPI yet. The server's runtime containers run the `agent-server` image built from the SDK repo, so the server PR must be configured to use the SDK PR's image and packages.
-
-### B1. Get the SDK PR merged (or identify the commit)
-
-The SDK PR must have CI pass so its agent-server Docker image is built. The image is tagged with the **merge-commit SHA** from GitHub Actions — NOT the head-commit SHA shown in the PR.
-
-Find the correct image tag:
-- Check the SDK PR description for an `AGENT_SERVER_IMAGES` section
-- Or check the "Consolidate Build Information" CI job for `"short_sha": "<tag>"`
-
-### B2. Pin SDK packages to the commit in the OpenHands PR
-
-In the `OpenHands` repo PR, pin all 3 SDK packages (`openhands-sdk`, `openhands-agent-server`, `openhands-tools`) to the unreleased commit and update the agent-server image tag. This involves editing 3 files and regenerating 3 lock files.
-
-Follow the **`update-sdk` skill** → "Development: Pin SDK to an Unreleased Commit" section for the full procedure and file-by-file instructions.
-
-### B3. Wait for the OpenHands enterprise image to build
-
-Push the pinned changes. The OpenHands CI will build a new enterprise Docker image (`ghcr.io/openhands/enterprise-server:sha-<OH_COMMIT>`) that bundles the unreleased SDK. Wait for the "Push Enterprise Image" job to succeed.
-
-### B4. Deploy and test
-
-Follow [Deploying to a Staging Feature Environment](#deploying-to-a-staging-feature-environment) using the new OpenHands commit SHA.
-
-### B5. Before merging: remove the pin
-
-**CI guard:** `check-package-versions.yml` blocks merge to `main` if `[tool.poetry.dependencies]` contains `rev` fields. Before the OpenHands PR can merge, the SDK PR must be merged and released to PyPI, then the pin must be replaced with the released version number.
-
----
-
-## Deploying to a Staging Feature Environment
-
-The `deploy` repo creates preview environments from OpenHands PRs.
-
-**Option A — GitHub Actions UI (preferred):**
-Go to `OpenHands/deploy` → Actions → "Create OpenHands preview PR" → enter the OpenHands PR number. This creates a branch `ohpr-<PR>-<random>` and opens a deploy PR.
-
-**Option B — Update an existing feature branch:**
-```bash
-cd deploy
-git checkout ohpr-<PR>-<random>
-# In .github/workflows/deploy.yaml, update BOTH:
-#   OPENHANDS_SHA: "<full-40-char-commit>"
-#   OPENHANDS_RUNTIME_IMAGE_TAG: "<same-commit>-nikolaik"
-git commit -am "Update OPENHANDS_SHA to <commit>" && git push
-```
-
-**Before updating the SHA**, verify the enterprise Docker image exists:
-```bash
-gh api repos/OpenHands/OpenHands/actions/runs \
-  --jq '.workflow_runs[] | select(.head_sha=="<COMMIT>") | "\(.name): \(.conclusion)"' \
-  | grep Docker
-# Must show: "Docker: success"
-```
-
-The deploy CI auto-triggers and creates the environment at:
-```
-https://ohpr-<PR>-<random>.staging.all-hands.dev
-```
-
-**Wait for it to be live:**
-```bash
-curl -s -o /dev/null -w "%{http_code}" https://ohpr-<PR>-<random>.staging.all-hands.dev/api/v1/health
-# 401 = server is up (auth required). DNS may take 1-2 min on first deploy.
-```
-
-## Running E2E Tests Against Staging
-
-**Critical: Feature deployments have their own Keycloak instance.** API keys from `app.all-hands.dev` or `$OPENHANDS_API_KEY` will NOT work. You need a test API key issued by the specific feature deployment's Keycloak.
-
-**You (the agent) cannot obtain this key yourself** — the feature environment requires interactive browser login with credentials you do not have. You must **ask the user** to:
-1. Log in to the feature deployment at `https://ohpr-<PR>-<random>.staging.all-hands.dev` in their browser
-2. Generate a test API key from the UI
-3. Provide the key to you so you can proceed with e2e testing
-
-Do **not** attempt to log in via the browser or guess credentials. Wait for the user to supply the key before running any e2e tests.
-
-```python
-from openhands.workspace import OpenHandsCloudWorkspace
-
-STAGING = "https://ohpr-<PR>-<random>.staging.all-hands.dev"
-
-with OpenHandsCloudWorkspace(
-    cloud_api_url=STAGING,
-    cloud_api_key="<test-api-key-for-this-deployment>",
-) as workspace:
-    # Test the new feature
-    llm = workspace.get_llm()
-    secrets = workspace.get_secrets()
-    print(f"LLM: {llm.model}, secrets: {list(secrets.keys())}")
-```
-
-Or run an example script:
-```bash
-OPENHANDS_CLOUD_API_KEY="<key>" \
-OPENHANDS_CLOUD_API_URL="https://ohpr-<PR>-<random>.staging.all-hands.dev" \
-python examples/02_remote_agent_server/10_cloud_workspace_saas_credentials.py
-```
-
-### Recording results
-
-Both repos support a `.pr/` directory for temporary PR artifacts (design docs, test logs, scripts). These files are automatically removed when the PR is approved — see `.github/workflows/pr-artifacts.yml` and the "PR-Specific Artifacts" section in each repo's `AGENTS.md`.
-
-Push test output to the `.pr/logs/` directory of whichever repo you're working in:
-```bash
-mkdir -p .pr/logs
-python test_script.py 2>&1 | tee .pr/logs/<test_name>.log
-git add -f .pr/logs/
-git commit -m "docs: add e2e test results" && git push
-```
-
-Comment on **both PRs** with pass/fail summary and link to logs.
-
-## Key Gotchas
-
-| Gotcha | Details |
-|--------|---------|
-| **Feature env auth is isolated** | Each `ohpr-*` deployment has its own Keycloak. Production API keys don't work. Agents cannot log in — you must ask the user to provide a test API key from the feature deployment's UI. |
-| **Two SHAs in deploy.yaml** | `OPENHANDS_SHA` and `OPENHANDS_RUNTIME_IMAGE_TAG` must both be updated. The runtime tag is `<sha>-nikolaik`. |
-| **Enterprise image must exist** | The Docker CI job on the OpenHands PR must succeed before you can deploy. If it hasn't run, push an empty commit to trigger it. |
-| **DNS propagation** | First deployment of a new branch takes 1-2 min for DNS. Subsequent deploys are instant. |
-| **Merge-commit SHA ≠ head SHA** | SDK CI tags Docker images with GitHub Actions' merge-commit SHA, not the PR head SHA. Check the SDK PR description or CI logs for the correct tag. |
-| **SDK pin blocks merge** | `check-package-versions.yml` prevents merging an OpenHands PR that has `rev` fields in `[tool.poetry.dependencies]`. The SDK must be released to PyPI first. |
-| **Flow A: stock agent-server is fine** | When only the Cloud API changes, `OpenHandsCloudWorkspace` talks to the Cloud server, not the agent-server. No custom image needed. |
-| **Flow B: agent-server image is required** | When the server needs new SDK code inside runtime containers, you must pin to the SDK PR's agent-server image. |

.github/workflows/ghcr-build.yml

@@ -219,9 +219,11 @@ jobs:
       - name: Determine app image tag
         shell: bash
         run: |
-          # Use the commit SHA to pin the exact app image built by ghcr_build_app,
-          # rather than a mutable branch tag like "main" which can serve stale cached layers.
-          echo "OPENHANDS_DOCKER_TAG=${RELEVANT_SHA}" >> $GITHUB_ENV
+          # Duplicated with build.sh
+          sanitized_ref_name=$(echo "$GITHUB_REF_NAME" | sed 's/[^a-zA-Z0-9.-]\+/-/g')
+          OPENHANDS_BUILD_VERSION=$sanitized_ref_name
+          sanitized_ref_name=$(echo "$sanitized_ref_name" | tr '[:upper:]' '[:lower:]') # lower case is required in tagging
+          echo "OPENHANDS_DOCKER_TAG=${sanitized_ref_name}" >> $GITHUB_ENV
       - name: Build and push Docker image
         uses: useblacksmith/build-push-action@v1
         with:

.github/workflows/pr-artifacts.yml

@@ -1,136 +0,0 @@
----
-name: PR Artifacts
-
-on:
-    workflow_dispatch: # Manual trigger for testing
-    pull_request:
-        types: [opened, synchronize, reopened]
-        branches: [main]
-    pull_request_review:
-        types: [submitted]
-
-jobs:
-  # Auto-remove .pr/ directory when a reviewer approves
-    cleanup-on-approval:
-        concurrency:
-            group: cleanup-pr-artifacts-${{ github.event.pull_request.number }}
-            cancel-in-progress: false
-        if: github.event_name == 'pull_request_review' && github.event.review.state == 'approved'
-        runs-on: ubuntu-latest
-        permissions:
-            contents: write
-            pull-requests: write
-        steps:
-            - name: Check if fork PR
-              id: check-fork
-              run: |
-                  if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.event.pull_request.base.repo.full_name }}" ]; then
-                    echo "is_fork=true" >> $GITHUB_OUTPUT
-                    echo "::notice::Fork PR detected - skipping auto-cleanup (manual removal required)"
-                  else
-                    echo "is_fork=false" >> $GITHUB_OUTPUT
-                  fi
-
-            - uses: actions/checkout@v5
-              if: steps.check-fork.outputs.is_fork == 'false'
-              with:
-                  ref: ${{ github.event.pull_request.head.ref }}
-                  token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
-
-            - name: Remove .pr/ directory
-              id: remove
-              if: steps.check-fork.outputs.is_fork == 'false'
-              run: |
-                  if [ -d ".pr" ]; then
-                    git config user.name "allhands-bot"
-                    git config user.email "allhands-bot@users.noreply.github.com"
-                    git rm -rf .pr/
-                    git commit -m "chore: Remove PR-only artifacts [automated]"
-                    git push || {
-                      echo "::error::Failed to push cleanup commit. Check branch protection rules."
-                      exit 1
-                    }
-                    echo "removed=true" >> $GITHUB_OUTPUT
-                    echo "::notice::Removed .pr/ directory"
-                  else
-                    echo "removed=false" >> $GITHUB_OUTPUT
-                    echo "::notice::No .pr/ directory to remove"
-                  fi
-
-            - name: Update PR comment after cleanup
-              if: steps.check-fork.outputs.is_fork == 'false' && steps.remove.outputs.removed == 'true'
-              uses: actions/github-script@v7
-              with:
-                  script: |
-                      const marker = '<!-- pr-artifacts-notice -->';
-                      const body = `${marker}
-                      ✅ **PR Artifacts Cleaned Up**
-
-                      The \`.pr/\` directory has been automatically removed.
-                      `;
-
-                      const { data: comments } = await github.rest.issues.listComments({
-                        owner: context.repo.owner,
-                        repo: context.repo.repo,
-                        issue_number: context.issue.number,
-                      });
-
-                      const existing = comments.find(c => c.body.includes(marker));
-                      if (existing) {
-                        await github.rest.issues.updateComment({
-                          owner: context.repo.owner,
-                          repo: context.repo.repo,
-                          comment_id: existing.id,
-                          body: body,
-                        });
-                      }
-
-  # Warn if .pr/ directory exists (will be auto-removed on approval)
-    check-pr-artifacts:
-        if: github.event_name == 'pull_request'
-        runs-on: ubuntu-latest
-        permissions:
-            contents: read
-            pull-requests: write
-        steps:
-            - uses: actions/checkout@v5
-
-            - name: Check for .pr/ directory
-              id: check
-              run: |
-                  if [ -d ".pr" ]; then
-                    echo "exists=true" >> $GITHUB_OUTPUT
-                    echo "::warning::.pr/ directory exists and will be automatically removed when the PR is approved. For fork PRs, manual removal is required before merging."
-                  else
-                    echo "exists=false" >> $GITHUB_OUTPUT
-                  fi
-
-            - name: Post or update PR comment
-              if: steps.check.outputs.exists == 'true'
-              uses: actions/github-script@v7
-              with:
-                  script: |
-                      const marker = '<!-- pr-artifacts-notice -->';
-                      const body = `${marker}
-                      📁 **PR Artifacts Notice**
-
-                      This PR contains a \`.pr/\` directory with PR-specific documents. This directory will be **automatically removed** when the PR is approved.
-
-                      > For fork PRs: Manual removal is required before merging.
-                      `;
-
-                      const { data: comments } = await github.rest.issues.listComments({
-                        owner: context.repo.owner,
-                        repo: context.repo.repo,
-                        issue_number: context.issue.number,
-                      });
-
-                      const existing = comments.find(c => c.body.includes(marker));
-                      if (!existing) {
-                        await github.rest.issues.createComment({
-                          owner: context.repo.owner,
-                          repo: context.repo.repo,
-                          issue_number: context.issue.number,
-                          body: body,
-                        });
-                      }

.gitignore

@@ -234,8 +234,6 @@ yarn-error.log*
 
 logs
 
-ralph/
-
 # agent
 .envrc
 /workspace

AGENTS.md

@@ -1,21 +1,6 @@
 This repository contains the code for OpenHands, an automated AI software engineer. It has a Python backend
 (in the `openhands` directory) and React frontend (in the `frontend` directory).
 
-
-## Repository Memory
-- Legacy `/api/settings` responses can bridge to the SDK by returning `sdk_settings_schema` from `openhands.sdk.settings` when that package is available. Use this as the compatibility handoff while V1 settings work moves into the SDK and newer clients.
-- The legacy LLM settings screen now renders SDK-backed sections from `sdk_settings_schema` and reads/writes values through the generic settings blob. The canonical backend field is `agent_settings`; `sdk_settings_values` is a compatibility alias for older callers.
-- In enterprise mode, persist the generic SDK settings blob in `agent_settings` on `enterprise/storage/org_member.py` and `enterprise/storage/user_settings.py`. Keep a `sdk_settings_values` alias only for compatibility with older tests/callers.
-- Persisted SaaS `agent_settings` should carry a `schema_version` and canonical dotted keys, but should not duplicate secret SDK values like `llm.api_key` in plaintext JSON. Reconstruct those from encrypted legacy columns on load, and backfill/migrate rows on read/write.
-- The frontend settings query still normalizes canonical backend fields (`agent_settings`, `agent_settings_schema`) back into legacy `sdk_settings_values` / `sdk_settings_schema` for existing settings screens. Strip both canonical and legacy schema/value blobs from save payloads so redacted GET metadata is never POSTed back.
-
-- The SDK settings schema now uses neutral metadata (`value_type`, `prominence`, `choices`, `depends_on`) instead of legacy UI-only fields like `widget`, `advanced`, or `placeholder`. Frontend helpers should derive control types from `value_type`/`choices`, and dotted `sdk_settings_values` may include structured JSON objects/arrays.
-- When constructing runtime `LLM`s for `openhands/*` models, keep explicit user-provided `llm.base_url` overrides, but prefer the app's `openhands_provider_base_url` when the user did not set one. Newer SDK defaults may populate an OpenHands proxy URL automatically, so check persisted user settings rather than `AgentSettings.llm.base_url` alone.
-- SDK `AgentSettings` sections are: `llm`, `condenser`, `verification`. The `verification` section merges former `critic` + `security` settings into one `VerificationSettings` model. Backward-compat property accessors (`.critic`, `.security`, `.enabled`, `.mode`, `.threshold`) and type aliases (`CriticSettings`, `SecuritySettings`) are preserved. Do NOT subclass `AgentSettings` in OpenHands — use it directly.
-
-
-
-
 ## General Setup:
 To set up the entire repo, including frontend and backend, run `make build`.
 You don't need to do this unless the user asks you to, or if you're trying to run the entire application.
@@ -51,45 +36,9 @@ then re-run the command to ensure it passes. Common issues include:
 - Be especially careful with `git reset --hard` after staging files, as it will remove accidentally staged files
 - When remote has new changes, use `git fetch upstream && git rebase upstream/<branch>` on the same branch
 
-## PR-Specific Artifacts (`.pr/` directory)
-
-When working on a PR that requires design documents, scripts meant for development-only, or other temporary artifacts that should NOT be merged to main, store them in a `.pr/` directory at the repository root.
-
-### Usage
-
-```
-.pr/
-├── design.md       # Design decisions and architecture notes
-├── analysis.md     # Investigation or debugging notes
-├── logs/           # Test output or CI logs for reviewer reference
-└── notes.md        # Any other PR-specific content
-```
-
-### How It Works
-
-1. **Notification**: When `.pr/` exists, a comment is posted to the PR conversation alerting reviewers
-2. **Auto-cleanup**: When the PR is approved, the `.pr/` directory is automatically removed via `.github/workflows/pr-artifacts.yml`
-3. **Fork PRs**: Auto-cleanup cannot push to forks, so manual removal is required before merging
-
-### Important Notes
-
-- Do NOT put anything in `.pr/` that needs to be preserved after merge
-- The `.pr/` check passes (green ✅) during development — it only posts a notification, not a blocking error
-- For fork PRs: You must manually remove `.pr/` before the PR can be merged
-
-### When to Use
-
-- Complex refactoring that benefits from written design rationale
-- Debugging sessions where you want to document your investigation
-- E2E test results or logs that demonstrate a cross-repo feature works
-- Feature implementations that need temporary planning docs
-- Any analysis that helps reviewers understand the PR but isn't needed long-term
-
 ## Repository Structure
 Backend:
 - Located in the `openhands` directory
-- The current V1 application server lives in `openhands/app_server/`. `make start-backend` still launches `openhands.server.listen:app`, which includes the V1 routes by default unless `ENABLE_V1=0`.
-- For V1 web-app docs, LLM setup should point users to the Settings UI.
 - Testing:
   - All tests are in `tests/unit/test_*.py`
   - To test new code, run `poetry run pytest tests/unit/test_xxx.py` where `xxx` is the appropriate file for the current functionality
@@ -393,30 +342,3 @@ To add a new LLM model to OpenHands, you need to update multiple files across bo
 - Models appear in CLI provider selection based on the verified arrays
 - The `organize_models_and_providers` function groups models by provider
 - Default model selection prioritizes verified models for each provider
-
-### Sandbox Settings API (SDK Credential Inheritance)
-
-The sandbox settings API allows SDK-created conversations to inherit the user's SaaS credentials
-(LLM config, secrets) securely via `LookupSecret`. Raw secret values only flow SaaS→sandbox,
-never through the SDK client.
-
-#### User Credentials with Exposed Secrets (in `openhands/app_server/user/user_router.py`):
-- `GET /api/v1/users/me?expose_secrets=true` → Full user settings with unmasked secrets (e.g., `llm_api_key`)
-- `GET /api/v1/users/me` → Full user settings (secrets masked, Bearer only)
-
-Auth requirements for `expose_secrets=true`:
-- Bearer token (proves user identity via `OPENHANDS_API_KEY`)
-- `X-Session-API-Key` header (proves caller has an active sandbox owned by the authenticated user)
-
-Called by `workspace.get_llm()` in the SDK to retrieve LLM config with the API key.
-
-#### Sandbox-Scoped Secrets Endpoints (in `openhands/app_server/sandbox/sandbox_router.py`):
-- `GET /sandboxes/{id}/settings/secrets` → list secret names (no values)
-- `GET /sandboxes/{id}/settings/secrets/{name}` → raw secret value (called FROM sandbox)
-
-#### Auth: `X-Session-API-Key` header, validated via `SandboxService.get_sandbox_by_session_api_key()`
-
-#### Related SDK code (in `software-agent-sdk` repo):
-- `openhands/sdk/llm/llm.py`: `LLM.api_key` accepts `SecretSource` (including `LookupSecret`)
-- `openhands/workspace/cloud/workspace.py`: `get_llm()` and `get_secrets()` return LookupSecret-backed objects
-- Tests: `tests/sdk/llm/test_llm_secret_source_api_key.py`, `tests/workspace/test_cloud_workspace_sdk_settings.py`

CONTRIBUTING.md

@@ -1,105 +1,83 @@
 # Contributing
 
-Thanks for your interest in contributing to OpenHands! We're building the future of AI-powered software development, and we'd love for you to be part of this journey.
+Thanks for your interest in contributing to OpenHands! We welcome and appreciate contributions.
 
-## Our Vision
+## Understanding OpenHands's CodeBase
 
-The OpenHands community is built around the belief that AI and AI agents are going to fundamentally change the way we build software. If this is true, we should do everything we can to make sure that the benefits provided by such powerful technology are accessible to everyone.
+To understand the codebase, please refer to the README in each module:
+- [frontend](./frontend/README.md)
+- [openhands](./openhands/README.md)
+   - [agenthub](./openhands/agenthub/README.md)
+   - [server](./openhands/server/README.md)
 
-We believe in the power of open source to democratize access to cutting-edge AI technology. Just as the internet transformed how we share information, we envision a world where AI-powered development tools are available to every developer, regardless of their background or resources.
+For benchmarks and evaluation, see the [OpenHands/benchmarks](https://github.com/OpenHands/benchmarks) repository.
 
-## Getting Started
+## Setting up Your Development Environment
 
-### Quick Ways to Contribute
+We have a separate doc [Development.md](https://github.com/OpenHands/OpenHands/blob/main/Development.md) that tells
+you how to set up a development workflow.
 
-- **Use OpenHands** and [report issues](https://github.com/OpenHands/OpenHands/issues) you encounter
-- **Give feedback** using the thumbs-up/thumbs-down buttons after each session
-- **Star our repository** on [GitHub](https://github.com/OpenHands/OpenHands)
-- **Share OpenHands** with other developers
+## How Can I Contribute?
 
-### Set Up Your Development Environment
+There are many ways that you can contribute:
 
-- **Requirements**: Linux/Mac/WSL, Docker, Python 3.12, Node.js 22+, Poetry 1.8+
-- **Quick setup**: `make build`
-- **Run locally**: `make run`
-- **LLM setup (V1 web app)**: configure your model and API key in the Settings UI after the app starts
+1. **Download and use** OpenHands, and send [issues](https://github.com/OpenHands/OpenHands/issues) when you encounter something that isn't working or a feature that you'd like to see.
+2. **Send feedback** after each session by [clicking the thumbs-up thumbs-down buttons](https://docs.openhands.dev/usage/feedback), so we can see where things are working and failing, and also build an open dataset for training code agents.
+3. **Improve the Codebase** by sending [PRs](#sending-pull-requests-to-openhands) (see details below). In particular, we have some [good first issues](https://github.com/OpenHands/OpenHands/labels/good%20first%20issue) that may be ones to start on.
 
-Full details in our [Development Guide](./Development.md).
+## What Can I Build?
 
-### Find Your First Issue
+Here are a few ways you can help improve the codebase.
 
-- Browse [good first issues](https://github.com/OpenHands/OpenHands/labels/good%20first%20issue)
-- Check our [project boards](https://github.com/OpenHands/OpenHands/projects) for organized tasks
-- Join our [Slack community](https://openhands.dev/joinslack) to ask what needs help
+#### UI/UX
 
-## Understanding the Codebase
+We're always looking to improve the look and feel of the application. If you've got a small fix
+for something that's bugging you, feel free to open up a PR that changes the [`./frontend`](./frontend) directory.
 
-- **[Frontend](./frontend/README.md)** - React application
-- **[App Server (V1)](./openhands/app_server/README.md)** - Current FastAPI application server and REST API modules
-- **[Agents](./openhands/agenthub/README.md)** - AI agent implementations
-- **[Runtime](./openhands/runtime/README.md)** - Execution environments
-- **[Evaluation](https://github.com/OpenHands/benchmarks)** - Testing and benchmarks
+If you're looking to make a bigger change, add a new UI element, or significantly alter the style
+of the application, please open an issue first, or better, join the #dev-ui-ux channel in our Slack
+to gather consensus from our design team first.
 
-## What Can You Build?
+#### Improving the agent
 
-### Frontend & UI/UX
-- React & TypeScript development
-- UI/UX improvements
-- Mobile responsiveness
-- Component libraries
+Our main agent is the CodeAct agent. You can [see its prompts here](https://github.com/OpenHands/OpenHands/tree/main/openhands/agenthub/codeact_agent).
 
-For bigger changes, join the #proj-gui channel in [Slack](https://openhands.dev/joinslack) first.
+Changes to these prompts, and to the underlying behavior in Python, can have a huge impact on user experience.
+You can try modifying the prompts to see how they change the behavior of the agent as you use the app
+locally, but we will need to do an end-to-end evaluation of any changes here to ensure that the agent
+is getting better over time.
 
-### Agent Development
-- Prompt engineering
-- New agent types
-- Agent evaluation
-- Multi-agent systems
+We use the [SWE-bench](https://www.swebench.com/) benchmark to test our agent. You can join the #evaluation
+channel in Slack to learn more.
 
-We use [SWE-bench](https://www.swebench.com/) to evaluate agents.
+#### Adding a new agent
 
-### Backend & Infrastructure
-- Python development
-- Runtime systems (Docker containers, sandboxes)
-- Cloud integrations
-- Performance optimization
+You may want to experiment with building new types of agents. You can add an agent to [`openhands/agenthub`](./openhands/agenthub)
+to help expand the capabilities of OpenHands.
 
-### Testing & Quality Assurance
-- Unit testing
-- Integration testing
-- Bug hunting
-- Performance testing
+#### Adding a new runtime
 
-### Documentation & Education
-- Technical documentation
-- Translation
-- Community support
+The agent needs a place to run code and commands. When you run OpenHands on your laptop, it uses a Docker container
+to do this by default. But there are other ways of creating a sandbox for the agent.
 
-## Pull Request Process
+If you work for a company that provides a cloud-based runtime, you could help us add support for that runtime
+by implementing the [interface specified here](https://github.com/OpenHands/OpenHands/blob/main/openhands/runtime/base.py).
 
-### Small Improvements
-- Quick review and approval
-- Ensure CI tests pass
-- Include clear description of changes
+#### Testing
 
-### Core Agent Changes
-These are evaluated based on:
-- **Accuracy** - Does it make the agent better at solving problems?
-- **Efficiency** - Does it improve speed or reduce resource usage?
-- **Code Quality** - Is the code maintainable and well-tested?
-
-Discuss major changes in [GitHub issues](https://github.com/OpenHands/OpenHands/issues) or [Slack](https://openhands.dev/joinslack) first.
+When you write code, it is also good to write tests. Please navigate to the [`./tests`](./tests) folder to see existing
+test suites. At the moment, we have these kinds of tests: [`unit`](./tests/unit), [`runtime`](./tests/runtime), and [`end-to-end (e2e)`](./tests/e2e).
+Please refer to the README for each test suite. These tests also run on GitHub's continuous integration to ensure
+quality of the project.
 
 ## Sending Pull Requests to OpenHands
 
 You'll need to fork our repository to send us a Pull Request. You can learn more
 about how to fork a GitHub repo and open a PR with your changes in [this article](https://medium.com/swlh/forks-and-pull-requests-how-to-contribute-to-github-repos-8843fac34ce8).
 
-You may also check out previous PRs in the [PR list](https://github.com/OpenHands/OpenHands/pulls).
+### Pull Request title
 
-### Pull Request Title Format
-
-As described [here](https://github.com/commitizen/conventional-commit-types/blob/master/index.json), a valid PR title should begin with one of the following prefixes:
+As described [here](https://github.com/commitizen/conventional-commit-types/blob/master/index.json), ideally a valid PR title should begin with one of the following prefixes:
 
 - `feat`: A new feature
 - `fix`: A bug fix
@@ -117,27 +95,45 @@ For example, a PR title could be:
 - `refactor: modify package path`
 - `feat(frontend): xxxx`, where `(frontend)` means that this PR mainly focuses on the frontend component.
 
-### Pull Request Description
+You may also check out previous PRs in the [PR list](https://github.com/OpenHands/OpenHands/pulls).
 
-- Explain what the PR does and why
-- Link to related issues
-- Include screenshots for UI changes
-- If your changes are user-facing (e.g. a new feature in the UI, a change in behavior, or a bugfix),
-  please include a short message that we can add to our changelog
+### Pull Request description
 
-## Becoming a Maintainer
+- If your PR is small (such as a typo fix), you can go brief.
+- If it contains a lot of changes, it's better to write more details.
 
-For contributors who have made significant and sustained contributions to the project, there is a possibility of joining the maintainer team.
-The process for this is as follows:
+If your changes are user-facing (e.g. a new feature in the UI, a change in behavior, or a bugfix)
+please include a short message that we can add to our changelog.
 
-1. Any contributor who has made sustained and high-quality contributions to the codebase can be nominated by any maintainer. If you feel that you may qualify you can reach out to any of the maintainers that have reviewed your PRs and ask if you can be nominated.
-2. Once a maintainer nominates a new maintainer, there will be a discussion period among the maintainers for at least 3 days.
-3. If no concerns are raised the nomination will be accepted by acclamation, and if concerns are raised there will be a discussion and possible vote.
+## How to Make Effective Contributions
 
-Note that just making many PRs does not immediately imply that you will become a maintainer. We will be looking at sustained high-quality contributions over a period of time, as well as good teamwork and adherence to our [Code of Conduct](./CODE_OF_CONDUCT.md).
+### Opening Issues
 
-## Need Help?
+If you notice any bugs or have any feature requests please open them via the [issues page](https://github.com/OpenHands/OpenHands/issues). We will triage
+based on how critical the bug is or how potentially useful the improvement is, discuss, and implement the ones that
+the community has interest/effort for.
 
-- **Slack**: [Join our community](https://openhands.dev/joinslack)
-- **GitHub Issues**: [Open an issue](https://github.com/OpenHands/OpenHands/issues)
-- **Email**: contact@openhands.dev
+Further, if you see an issue you like, please leave a "thumbs-up" or a comment, which will help us prioritize.
+
+### Making Pull Requests
+
+We're generally happy to consider all pull requests with the evaluation process varying based on the type of change:
+
+#### For Small Improvements
+
+Small improvements with few downsides are typically reviewed and approved quickly.
+One thing to check when making changes is to ensure that all continuous integration tests pass, which you can check
+before getting a review.
+
+#### For Core Agent Changes
+
+We need to be more careful with changes to the core agent, as it is imperative to maintain high quality. These PRs are
+evaluated based on three key metrics:
+
+1. **Accuracy**
+2. **Efficiency**
+3. **Code Complexity**
+
+If it improves accuracy, efficiency, or both with only a minimal change to code quality, that's great we're happy to merge it in!
+If there are bigger tradeoffs (e.g. helping efficiency a lot and hurting accuracy a little) we might want to put it behind a feature flag.
+Either way, please feel free to discuss on github issues or slack, and we will give guidance and preliminary feedback.

Development.md

@@ -6,196 +6,22 @@ If you wish to contribute your changes, check out the
 on how to clone and setup the project initially before moving on. Otherwise,
 you can clone the OpenHands project directly.
 
-## Choose Your Setup
+## Start the Server for Development
 
-Select your operating system to see the specific setup instructions:
+### 1. Requirements
 
-- [macOS](#macos-setup)
-- [Linux](#linux-setup)
-- [Windows WSL](#windows-wsl-setup)
-- [Dev Container](#dev-container)
-- [Developing in Docker](#developing-in-docker)
-- [No sudo access?](#develop-without-sudo-access)
+- Linux, Mac OS, or [WSL on Windows](https://learn.microsoft.com/en-us/windows/wsl/install) [Ubuntu >= 22.04]
+- [Docker](https://docs.docker.com/engine/install/) (For those on MacOS, make sure to allow the default Docker socket to be used from advanced settings!)
+- [Python](https://www.python.org/downloads/) = 3.12
+- [NodeJS](https://nodejs.org/en/download/package-manager) >= 22.x
+- [Poetry](https://python-poetry.org/docs/#installing-with-the-official-installer) >= 1.8
+- OS-specific dependencies:
+  - Ubuntu: build-essential => `sudo apt-get install build-essential python3.12-dev`
+  - WSL: netcat => `sudo apt-get install netcat`
 
----
+Make sure you have all these dependencies installed before moving on to `make build`.
 
-## macOS Setup
-
-### 1. Install Prerequisites
-
-You'll need the following installed:
-
-- **Python 3.12** — `brew install python@3.12` (see the [official Homebrew Python docs](https://docs.brew.sh/Homebrew-and-Python) for details). Make sure `python3.12` is available in your PATH (the `make build` step will verify this).
-- **Node.js >= 22** — `brew install node`
-- **Poetry >= 1.8** — `brew install poetry`
-- **Docker Desktop** — `brew install --cask docker`
-  - After installing, open Docker Desktop → **Settings → Advanced** → Enable **"Allow the default Docker socket to be used"**
-
-### 2. Build and Setup the Environment
-
-```bash
-make build
-```
-
-### 3. Configure the Language Model
-
-OpenHands supports a diverse array of Language Models (LMs) through the powerful [litellm](https://docs.litellm.ai) library.
-
-For the V1 web app, start OpenHands and configure your model and API key in the Settings UI.
-
-If you are running headless or CLI workflows, you can prepare local defaults with:
-
-```bash
-make setup-config
-```
-
-**Note on Alternative Models:**
-See [our documentation](https://docs.openhands.dev/usage/llms) for recommended models.
-
-### 4. Run the Application
-
-```bash
-# Run both backend and frontend
-make run
-
-# Or run separately:
-make start-backend  # Backend only on port 3000
-make start-frontend # Frontend only on port 3001
-```
-
-These targets serve the current OpenHands V1 API by default. In the codebase, `make start-backend` runs `openhands.server.listen:app`, and that app includes the `openhands/app_server` V1 routes unless `ENABLE_V1=0`.
-
----
-
-## Linux Setup
-
-This guide covers Ubuntu/Debian. For other distributions, adapt the package manager commands accordingly.
-
-### 1. Install Prerequisites
-
-```bash
-# Update package list
-sudo apt update
-
-# Install system dependencies
-sudo apt install -y build-essential curl netcat software-properties-common
-
-# Install Python 3.12
-# Ubuntu 24.04+ and Debian 13+ ship with Python 3.12 — skip the PPA step if
-# python3.12 --version already works on your system.
-# The deadsnakes PPA is Ubuntu-only and needed for Ubuntu 22.04 or older:
-sudo add-apt-repository -y ppa:deadsnakes/ppa
-sudo apt update
-sudo apt install -y python3.12 python3.12-dev python3.12-venv
-
-# Install Node.js 22.x
-curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
-sudo apt install -y nodejs
-
-# Install Poetry
-curl -sSL https://install.python-poetry.org | python3 -
-
-# Add Poetry to your PATH
-echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
-source ~/.bashrc
-
-# Install Docker
-# Follow the official guide: https://docs.docker.com/engine/install/ubuntu/
-# Quick version:
-sudo install -m 0755 -d /etc/apt/keyrings
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
-sudo chmod a+r /etc/apt/keyrings/docker.asc
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-sudo apt update
-sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-sudo usermod -aG docker $USER
-# Log out and back in for Docker group changes to take effect
-```
-
-### 2. Build and Setup the Environment
-
-```bash
-make build
-```
-
-### 3. Configure the Language Model
-
-See the [macOS section above](#3-configure-the-language-model) for guidance: configure your model and API key in the Settings UI.
-
-### 4. Run the Application
-
-```bash
-# Run both backend and frontend
-make run
-
-# Or run separately:
-make start-backend  # Backend only on port 3000
-make start-frontend # Frontend only on port 3001
-```
-
----
-
-## Windows WSL Setup
-
-WSL2 with Ubuntu is recommended. The setup is similar to Linux, with a few WSL-specific considerations.
-
-### 1. Install WSL2
-
-**Option A: Windows 11 (Microsoft Store)**
-The easiest way on Windows 11:
-1. Open the **Microsoft Store** app
-2. Search for **"Ubuntu 22.04 LTS"** or **"Ubuntu"**
-3. Click **Install**
-4. Launch Ubuntu from the Start menu
-
-**Option B: PowerShell**
-```powershell
-# Run this in PowerShell as Administrator
-wsl --install -d Ubuntu-22.04
-```
-
-After installation, restart your computer and open Ubuntu.
-
-### 2. Install Prerequisites (in WSL Ubuntu)
-
-Follow [Step 1 from the Linux setup](#1-install-prerequisites-1) to install system dependencies, Python 3.12, Node.js, and Poetry. Skip the Docker installation — Docker is provided through Docker Desktop below.
-
-### 3. Configure Docker for WSL2
-
-1. Install [Docker Desktop for Windows](https://www.docker.com/products/docker-desktop)
-2. Open Docker Desktop > Settings > General
-3. Enable: "Use the WSL 2 based engine"
-4. Go to Settings > Resources > WSL Integration
-5. Enable integration with your Ubuntu distribution
-
-**Important:** Keep your project files in the WSL filesystem (e.g., `~/workspace/openhands`), not in `/mnt/c`. Files accessed via `/mnt/c` will be significantly slower.
-
-### 4. Build and Setup the Environment
-
-```bash
-make build
-```
-
-### 5. Configure the Language Model
-
-See the [macOS section above](#3-configure-the-language-model) for the current V1 guidance: configure your model and API key in the Settings UI for the web app, and use `make setup-config` only for headless or CLI workflows.
-
-### 6. Run the Application
-
-```bash
-# Run both backend and frontend
-make run
-
-# Or run separately:
-make start-backend  # Backend only on port 3000
-make start-frontend # Frontend only on port 3001
-```
-
-Access the frontend at `http://localhost:3001` from your Windows browser.
-
----
-
-## Dev Container
+#### Dev container
 
 There is a [dev container](https://containers.dev/) available which provides a
 pre-configured environment with all the necessary dependencies installed if you
@@ -206,38 +32,7 @@ extension installed, you can open the project in a dev container by using the
 _Dev Container: Reopen in Container_ command from the Command Palette
 (Ctrl+Shift+P).
 
----
-
-## Developing in Docker
-
-If you don't want to install dependencies on your host machine, you can develop inside a Docker container.
-
-### Quick Start
-
-```bash
-make docker-dev
-```
-
-For more details, see the [dev container documentation](./containers/dev/README.md).
-
-### Alternative: Docker Run
-
-If you just want to run OpenHands without setting up a dev environment:
-
-```bash
-make docker-run
-```
-
-If you don't have `make` installed, run:
-
-```bash
-cd ./containers/dev
-./dev.sh
-```
-
----
-
-## Develop without sudo access
+#### Develop without sudo access
 
 If you want to develop without system admin/sudo access to upgrade/install `Python` and/or `NodeJS`, you can use
 `conda` or `mamba` to manage the packages for you:
@@ -253,90 +48,159 @@ mamba install conda-forge::nodejs
 mamba install conda-forge::poetry
 ```
 
----
+### 2. Build and Setup The Environment
 
-## Running OpenHands with OpenHands
-
-You can use OpenHands to develop and improve OpenHands itself!
-
-### Quick Start
+Begin by building the project which includes setting up the environment and installing dependencies. This step ensures
+that OpenHands is ready to run on your system:
 
 ```bash
-export INSTALL_DOCKER=0
-export RUNTIME=local
-make build && make run
+make build
 ```
 
-Access the interface at:
-- Local development: http://localhost:3001
-- Remote/cloud environments: Use the appropriate external URL
+### 3. Configuring the Language Model
 
-For external access:
-```bash
-make run FRONTEND_PORT=12000 FRONTEND_HOST=0.0.0.0 BACKEND_HOST=0.0.0.0
-```
+OpenHands supports a diverse array of Language Models (LMs) through the powerful [litellm](https://docs.litellm.ai) library.
 
----
-
-## LLM Debugging
-
-If you encounter issues with the Language Model, enable debug logging:
+To configure the LM of your choice, run:
 
 ```bash
-export DEBUG=1
-# Restart the backend
-make start-backend
+make setup-config
 ```
 
-Logs will be saved to `logs/llm/CURRENT_DATE/` for troubleshooting.
+This command will prompt you to enter the LLM API key, model name, and other variables ensuring that OpenHands is
+tailored to your specific needs. Note that the model name will apply only when you run headless. If you use the UI,
+please set the model in the UI.
 
----
+Note: If you have previously run OpenHands using the docker command, you may have already set some environment
+variables in your terminal. The final configurations are set from highest to lowest priority:
+Environment variables > config.toml variables > default variables
 
-## Testing
+**Note on Alternative Models:**
+See [our documentation](https://docs.openhands.dev/usage/llms) for recommended models.
 
-### Unit Tests
+### 4. Running the application
+
+#### Option A: Run the Full Application
+
+Once the setup is complete, this command starts both the backend and frontend servers, allowing you to interact with OpenHands:
 
 ```bash
-poetry run pytest ./tests/unit/test_*.py
+make run
 ```
 
----
+#### Option B: Individual Server Startup
 
-## Adding Dependencies
+- **Start the Backend Server:** If you prefer, you can start the backend server independently to focus on
+  backend-related tasks or configurations.
 
-1. Add your dependency in `pyproject.toml` or use `poetry add xxx`
-2. Update the lock file: `poetry lock --no-update`
+  ```bash
+  make start-backend
+  ```
 
----
+- **Start the Frontend Server:** Similarly, you can start the frontend server on its own to work on frontend-related
+  components or interface enhancements.
+  ```bash
+  make start-frontend
+  ```
 
-## Using Existing Docker Images
+### 5. Running OpenHands with OpenHands
 
-To reduce build time, you can use an existing runtime image:
+You can use OpenHands to develop and improve OpenHands itself! This is a powerful way to leverage AI assistance for contributing to the project.
 
-```bash
-export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:1.2-nikolaik
-```
+#### Quick Start
 
----
+1. **Build and run OpenHands:**
 
-## Help
+   ```bash
+   export INSTALL_DOCKER=0
+   export RUNTIME=local
+   make build && make run
+   ```
+
+2. **Access the interface:**
+
+   - Local development: http://localhost:3001
+   - Remote/cloud environments: Use the appropriate external URL
+
+3. **Configure for external access (if needed):**
+   ```bash
+   # For external access (e.g., cloud environments)
+   make run FRONTEND_PORT=12000 FRONTEND_HOST=0.0.0.0 BACKEND_HOST=0.0.0.0
+   ```
+
+### 6. LLM Debugging
+
+If you encounter any issues with the Language Model (LM) or you're simply curious, export DEBUG=1 in the environment and restart the backend.
+OpenHands will log the prompts and responses in the logs/llm/CURRENT_DATE directory, allowing you to identify the causes.
+
+### 7. Help
+
+Need help or info on available targets and commands? Use the help command for all the guidance you need with OpenHands.
 
 ```bash
 make help
 ```
 
----
+### 8. Testing
+
+To run tests, refer to the following:
+
+#### Unit tests
+
+```bash
+poetry run pytest ./tests/unit/test_*.py
+```
+
+### 9. Add or update dependency
+
+1. Add your dependency in `pyproject.toml` or use `poetry add xxx`.
+2. Update the poetry.lock file via `poetry lock --no-update`.
+
+### 10. Use existing Docker image
+
+To reduce build time (e.g., if no changes were made to the client-runtime component), you can use an existing Docker
+container image by setting the SANDBOX_RUNTIME_CONTAINER_IMAGE environment variable to the desired Docker image.
+
+Example: `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/openhands/runtime:1.2-nikolaik`
+
+## Develop inside Docker container
+
+TL;DR
+
+```bash
+make docker-dev
+```
+
+See more details [here](./containers/dev/README.md).
+
+If you are just interested in running `OpenHands` without installing all the required tools on your host.
+
+```bash
+make docker-run
+```
+
+If you do not have `make` on your host, run:
+
+```bash
+cd ./containers/dev
+./dev.sh
+```
+
+You do need [Docker](https://docs.docker.com/engine/install/) installed on your host though.
 
 ## Key Documentation Resources
 
+Here's a guide to the important documentation files in the repository:
+
 - [/README.md](./README.md): Main project overview, features, and basic setup instructions
 - [/Development.md](./Development.md) (this file): Comprehensive guide for developers working on OpenHands
 - [/CONTRIBUTING.md](./CONTRIBUTING.md): Guidelines for contributing to the project, including code style and PR process
 - [DOC_STYLE_GUIDE.md](https://github.com/OpenHands/docs/blob/main/openhands/DOC_STYLE_GUIDE.md): Standards for writing and maintaining project documentation
-- [/openhands/app_server/README.md](./openhands/app_server/README.md): Current V1 application server implementation and REST API modules
+- [/openhands/README.md](./openhands/README.md): Details about the backend Python implementation
 - [/frontend/README.md](./frontend/README.md): Frontend React application setup and development guide
 - [/containers/README.md](./containers/README.md): Information about Docker containers and deployment
 - [/tests/unit/README.md](./tests/unit/README.md): Guide to writing and running unit tests
 - [OpenHands/benchmarks](https://github.com/OpenHands/benchmarks): Documentation for the evaluation framework and benchmarks
 - [/skills/README.md](./skills/README.md): Information about the skills architecture and implementation
+- [/openhands/server/README.md](./openhands/server/README.md): Server implementation details and API documentation
 - [/openhands/runtime/README.md](./openhands/runtime/README.md): Documentation for the runtime environment and execution model

containers/app/Dockerfile

@@ -1,5 +1,5 @@
 ARG OPENHANDS_BUILD_VERSION=dev
-FROM node:25.8-trixie-slim AS frontend-builder
+FROM node:25.2-trixie-slim AS frontend-builder
 
 WORKDIR /app
 
@@ -22,7 +22,7 @@ ENV POETRY_NO_INTERACTION=1 \
 
 RUN apt-get update -y \
     && apt-get install -y curl make git build-essential jq gettext \
-    && python3 -m pip install "poetry>=2.3.0" --break-system-packages
+    && python3 -m pip install poetry --break-system-packages
 
 COPY pyproject.toml poetry.lock ./
 RUN touch README.md

enterprise/Dockerfile

@@ -10,7 +10,7 @@ LABEL com.datadoghq.tags.env="${DD_ENV}"
 # Apply security updates to fix CVEs
 RUN apt-get update && \
     apt-get install -y curl && \
-    curl -fsSL https://deb.nodesource.com/setup_24.x | bash - && \
+    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
     apt-get install -y nodejs && \
     apt-get install -y jq gettext && \
     # Apply security updates for packages with available fixes
@@ -33,8 +33,7 @@ RUN cd /tmp/enterprise && \
     # Export only main dependencies with hashes for supply chain security
     /app/.venv/bin/poetry export --only main -o requirements.txt && \
     # Remove the local path dependency (openhands-ai is already in base image)
-    # and git-based SDK dependencies (already installed via the base app image)
-    sed -i '/^-e /d; /openhands-ai/d; /^openhands-.*@ git+/d' requirements.txt && \
+    sed -i '/^-e /d; /openhands-ai/d' requirements.txt && \
     # Install pinned dependencies from lock file
     /app/.venv/bin/pip install -r requirements.txt && \
     # Cleanup - return to /app before removing /tmp/enterprise

enterprise/README.md

@@ -51,6 +51,6 @@ NOTE: in the future we will simply replace the `GithubTokenManager` with keycloa
 ## User ID vs User Token
 
 - In OpenHands, the entire app revolves around the GitHub token the user sets. `openhands/server` uses `request.state.github_token` for the entire app
-- On Enterprise, the entire APP resolves around the Github User ID. This is because the cookie sets it, so `openhands/server` AND `enterprise/server` depend on it and completely ignore `request.state.github_token` (token is fetched from `GithubTokenManager` instead)
+- On Enterprise, the entire APP resolves around the Github User ID. This is because the cookie sets it, so `openhands/server` AND `enterprise/server` depend on it and completly ignore `request.state.github_token` (token is fetched from `GithubTokenManager` instead)
 
 Note that introducing GitHub User ID in OpenHands, for instance, will cause large breakages.

enterprise/doc/architecture/README.md

@@ -1,13 +0,0 @@
-# Enterprise Architecture Documentation
-
-Architecture diagrams specific to the OpenHands SaaS/Enterprise deployment.
-
-## Documentation
-
-- [Authentication Flow](./authentication.md) - Keycloak-based authentication for SaaS deployment
-- [External Integrations](./external-integrations.md) - GitHub, Slack, Jira, and other service integrations
-
-## Related Documentation
-
-For core OpenHands architecture (applicable to all deployments), see:
-- [Core Architecture Documentation](../../../openhands/architecture/README.md)

enterprise/doc/architecture/authentication.md

@@ -1,58 +0,0 @@
-# Authentication Flow (SaaS Deployment)
-
-OpenHands uses Keycloak for identity management in the SaaS deployment. The authentication flow involves multiple services:
-
-```mermaid
-sequenceDiagram
-    autonumber
-    participant User as User (Browser)
-    participant App as App Server
-    participant KC as Keycloak
-    participant IdP as Identity Provider<br/>(GitHub, Google, etc.)
-    participant DB as User Database
-
-    Note over User,DB: OAuth 2.0 / OIDC Authentication Flow
-
-    User->>App: Access OpenHands
-    App->>User: Redirect to Keycloak
-    User->>KC: Login request
-    KC->>User: Show login options
-    User->>KC: Select provider (e.g., GitHub)
-    KC->>IdP: OAuth redirect
-    User->>IdP: Authenticate
-    IdP-->>KC: OAuth callback + tokens
-    Note over KC: Create/update user session
-    KC-->>User: Redirect with auth code
-    User->>App: Auth code
-    App->>KC: Exchange code for tokens
-    KC-->>App: Access token + Refresh token
-    Note over App: Create signed JWT cookie
-    App->>DB: Store/update user record
-    App-->>User: Set keycloak_auth cookie
-
-    Note over User,DB: Subsequent Requests
-
-    User->>App: Request with cookie
-    Note over App: Verify JWT signature
-    App->>KC: Validate token (if needed)
-    KC-->>App: Token valid
-    Note over App: Extract user context
-    App-->>User: Authorized response
-```
-
-### Authentication Components
-
-| Component | Purpose | Location |
-|-----------|---------|----------|
-| **Keycloak** | Identity provider, SSO, token management | External service |
-| **UserAuth** | Abstract auth interface | `openhands/server/user_auth/user_auth.py` |
-| **SaasUserAuth** | Keycloak implementation | `enterprise/server/auth/saas_user_auth.py` |
-| **JWT Service** | Token signing/verification | `openhands/app_server/services/jwt_service.py` |
-| **Auth Routes** | Login/logout endpoints | `enterprise/server/routes/auth.py` |
-
-### Token Flow
-
-1. **Keycloak Access Token**: Short-lived token for API access
-2. **Keycloak Refresh Token**: Long-lived token to obtain new access tokens
-3. **Signed JWT Cookie**: App Server's session cookie containing encrypted Keycloak tokens
-4. **Provider Tokens**: OAuth tokens for GitHub, GitLab, etc. (stored separately for git operations)

enterprise/doc/architecture/external-integrations.md

@@ -1,88 +0,0 @@
-# External Integrations
-
-OpenHands integrates with external services (GitHub, Slack, Jira, etc.) through webhook-based event handling:
-
-```mermaid
-sequenceDiagram
-    autonumber
-    participant Ext as External Service<br/>(GitHub/Slack/Jira)
-    participant App as App Server
-    participant IntRouter as Integration Router
-    participant Manager as Integration Manager
-    participant Conv as Conversation Service
-    participant Sandbox as Sandbox
-
-    Note over Ext,Sandbox: Webhook Event Flow (e.g., GitHub Issue Created)
-
-    Ext->>App: POST /api/integration/{service}/events
-    App->>IntRouter: Route to service handler
-    Note over IntRouter: Verify signature (HMAC)
-
-    IntRouter->>Manager: Parse event payload
-    Note over Manager: Extract context (repo, issue, user)
-    Note over Manager: Map external user → OpenHands user
-
-    Manager->>Conv: Create conversation (with issue context)
-    Conv->>Sandbox: Provision sandbox
-    Sandbox-->>Conv: Ready
-
-    Manager->>Sandbox: Start agent with task
-
-    Note over Ext,Sandbox: Agent Works on Task...
-
-    Sandbox-->>Manager: Task complete
-    Manager->>Ext: POST result<br/>(PR, comment, etc.)
-
-    Note over Ext,Sandbox: Callback Flow (Agent → External Service)
-
-    Sandbox->>App: Webhook callback<br/>/api/v1/webhooks
-    App->>Manager: Process callback
-    Manager->>Ext: Update external service
-```
-
-### Supported Integrations
-
-| Integration | Trigger Events | Agent Actions |
-|-------------|----------------|---------------|
-| **GitHub** | Issue created, PR opened, @mention | Create PR, comment, push commits |
-| **GitLab** | Issue created, MR opened | Create MR, comment, push commits |
-| **Slack** | @mention in channel | Reply in thread, create tasks |
-| **Jira** | Issue created/updated | Update ticket, add comments |
-| **Linear** | Issue created | Update status, add comments |
-
-### Integration Components
-
-| Component | Purpose | Location |
-|-----------|---------|----------|
-| **Integration Routes** | Webhook endpoints per service | `enterprise/server/routes/integration/` |
-| **Integration Managers** | Business logic per service | `enterprise/integrations/{service}/` |
-| **Token Manager** | Store/retrieve OAuth tokens | `enterprise/server/auth/token_manager.py` |
-| **Callback Processor** | Handle agent → service updates | `enterprise/integrations/{service}/*_callback_processor.py` |
-
-### Integration Authentication
-
-```
-External Service (e.g., GitHub)
-        │
-        ▼
-┌─────────────────────────────────┐
-│ GitHub App Installation         │
-│ - Webhook secret for signature  │
-│ - App private key for API calls │
-└─────────────────────────────────┘
-        │
-        ▼
-┌─────────────────────────────────┐
-│ User Account Linking            │
-│ - Keycloak user ID              │
-│ - GitHub user ID                │
-│ - Stored OAuth tokens           │
-└─────────────────────────────────┘
-        │
-        ▼
-┌─────────────────────────────────┐
-│ Agent Execution                 │
-│ - Uses linked tokens for API    │
-│ - Can push, create PRs, comment │
-└─────────────────────────────────┘
-```

enterprise/integrations/resolver_context.py

@@ -60,9 +60,7 @@ class ResolverUserContext(UserContext):
                 return provider_token.token.get_secret_value()
         return None
 
-    async def get_provider_tokens(
-        self, as_env_vars: bool = False
-    ) -> PROVIDER_TOKEN_TYPE | dict[str, str] | None:
+    async def get_provider_tokens(self) -> PROVIDER_TOKEN_TYPE | None:
         return await self.saas_user_auth.get_provider_tokens()
 
     async def get_secrets(self) -> dict[str, SecretSource]:

enterprise/migrations/versions/100_add_sandbox_grouping_strategy.py

@@ -1,33 +0,0 @@
-"""Add sandbox_grouping_strategy column to user, org, and user_settings tables.
-
-Revision ID: 100
-Revises: 099
-Create Date: 2025-03-12
-"""
-
-import sqlalchemy as sa
-from alembic import op
-
-revision = '100'
-down_revision = '099'
-
-
-def upgrade() -> None:
-    op.add_column(
-        'user',
-        sa.Column('sandbox_grouping_strategy', sa.String, nullable=True),
-    )
-    op.add_column(
-        'org',
-        sa.Column('sandbox_grouping_strategy', sa.String, nullable=True),
-    )
-    op.add_column(
-        'user_settings',
-        sa.Column('sandbox_grouping_strategy', sa.String, nullable=True),
-    )
-
-
-def downgrade() -> None:
-    op.drop_column('user_settings', 'sandbox_grouping_strategy')
-    op.drop_column('org', 'sandbox_grouping_strategy')
-    op.drop_column('user', 'sandbox_grouping_strategy')

enterprise/migrations/versions/101_add_pending_messages_table.py

@@ -1,39 +0,0 @@
-"""Add pending_messages table for server-side message queuing
-
-Revision ID: 101
-Revises: 100
-Create Date: 2025-03-15 00:00:00.000000
-
-"""
-
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '101'
-down_revision: Union[str, None] = '100'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    """Create pending_messages table for storing messages before conversation is ready.
-
-    Messages are stored temporarily until the conversation becomes ready, then
-    delivered and deleted regardless of success or failure.
-    """
-    op.create_table(
-        'pending_messages',
-        sa.Column('id', sa.String(), primary_key=True),
-        sa.Column('conversation_id', sa.String(), nullable=False, index=True),
-        sa.Column('role', sa.String(20), nullable=False, server_default='user'),
-        sa.Column('content', sa.JSON, nullable=False),
-        sa.Column('created_at', sa.DateTime(timezone=True), nullable=False),
-    )
-
-
-def downgrade() -> None:
-    """Remove pending_messages table."""
-    op.drop_table('pending_messages')

enterprise/migrations/versions/102_add_agent_settings_to_enterprise_settings.py

@@ -1,142 +0,0 @@
-"""Add agent_settings columns to enterprise settings tables.
-
-Revision ID: 102
-Revises: 101
-Create Date: 2026-03-22 00:00:00.000000
-
-"""
-
-from typing import Sequence, Union
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision: str = '102'
-down_revision: Union[str, None] = '101'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-_EMPTY_JSON = sa.text("'{}'::json")
-
-
-def upgrade() -> None:
-    op.add_column(
-        'user_settings',
-        sa.Column(
-            'agent_settings', sa.JSON(), nullable=False, server_default=_EMPTY_JSON
-        ),
-    )
-    op.add_column(
-        'org_member',
-        sa.Column(
-            'agent_settings', sa.JSON(), nullable=False, server_default=_EMPTY_JSON
-        ),
-    )
-
-    op.execute(
-        sa.text(
-            """
-            UPDATE user_settings
-            SET agent_settings = jsonb_strip_nulls(
-                jsonb_build_object(
-                    'schema_version', 1,
-                    'agent', agent,
-                    'llm.model', llm_model,
-                    'llm.base_url', llm_base_url,
-                    'verification.confirmation_mode', confirmation_mode,
-                    'verification.security_analyzer', security_analyzer,
-                    'condenser.enabled', enable_default_condenser,
-                    'condenser.max_size', condenser_max_size,
-                    'max_iterations', max_iterations
-                ) || COALESCE(agent_settings::jsonb, '{}'::jsonb)
-            )::json
-            """
-        )
-    )
-    op.execute(
-        sa.text(
-            """
-            UPDATE org_member
-            SET agent_settings = jsonb_strip_nulls(
-                jsonb_build_object(
-                    'schema_version', 1,
-                    'llm.model', llm_model,
-                    'llm.base_url', llm_base_url,
-                    'max_iterations', max_iterations
-                ) || COALESCE(agent_settings::jsonb, '{}'::jsonb)
-            )::json
-            """
-        )
-    )
-
-    op.alter_column('user_settings', 'agent_settings', server_default=None)
-    op.alter_column('org_member', 'agent_settings', server_default=None)
-    op.drop_column('user_settings', 'agent')
-    op.drop_column('user_settings', 'max_iterations')
-    op.drop_column('user_settings', 'security_analyzer')
-    op.drop_column('user_settings', 'confirmation_mode')
-    op.drop_column('user_settings', 'llm_model')
-    op.drop_column('user_settings', 'llm_base_url')
-    op.drop_column('user_settings', 'enable_default_condenser')
-    op.drop_column('user_settings', 'condenser_max_size')
-
-
-def downgrade() -> None:
-    op.add_column('user_settings', sa.Column('agent', sa.String(), nullable=True))
-    op.add_column(
-        'user_settings', sa.Column('max_iterations', sa.Integer(), nullable=True)
-    )
-    op.add_column(
-        'user_settings', sa.Column('security_analyzer', sa.String(), nullable=True)
-    )
-    op.add_column(
-        'user_settings', sa.Column('confirmation_mode', sa.Boolean(), nullable=True)
-    )
-    op.add_column('user_settings', sa.Column('llm_model', sa.String(), nullable=True))
-    op.add_column(
-        'user_settings', sa.Column('llm_base_url', sa.String(), nullable=True)
-    )
-    op.add_column(
-        'user_settings',
-        sa.Column(
-            'enable_default_condenser',
-            sa.Boolean(),
-            nullable=False,
-            server_default=sa.true(),
-        ),
-    )
-    op.add_column(
-        'user_settings', sa.Column('condenser_max_size', sa.Integer(), nullable=True)
-    )
-
-    op.execute(
-        sa.text(
-            """
-            UPDATE user_settings
-            SET
-                agent = agent_settings ->> 'agent',
-                max_iterations = NULLIF(agent_settings ->> 'max_iterations', '')::integer,
-                security_analyzer =
-                    agent_settings ->> 'verification.security_analyzer',
-                confirmation_mode = CASE
-                    WHEN agent_settings::jsonb ? 'verification.confirmation_mode'
-                    THEN (agent_settings ->> 'verification.confirmation_mode')::boolean
-                    ELSE NULL
-                END,
-                llm_model = agent_settings ->> 'llm.model',
-                llm_base_url = agent_settings ->> 'llm.base_url',
-                enable_default_condenser = CASE
-                    WHEN agent_settings::jsonb ? 'condenser.enabled'
-                    THEN (agent_settings ->> 'condenser.enabled')::boolean
-                    ELSE TRUE
-                END,
-                condenser_max_size =
-                    NULLIF(agent_settings ->> 'condenser.max_size', '')::integer
-            """
-        )
-    )
-
-    op.drop_column('org_member', 'agent_settings')
-    op.drop_column('user_settings', 'agent_settings')

enterprise/run_automation_executor.py

@@ -0,0 +1,71 @@
+"""Entry point for the automation executor.
+
+Usage: python -m run_automation_executor
+
+This runs as a Kubernetes Deployment (long-running). It polls the automation_events
+inbox, matches events to automations, claims and executes runs, and monitors
+conversation completion.
+
+Environment variables:
+    OPENHANDS_API_URL        Base URL for the V1 API (default: http://openhands-service:3000)
+    MAX_CONCURRENT_RUNS      Max concurrent runs per executor (default: 5)
+    RUN_TIMEOUT_SECONDS      Max time for a single run (default: 7200)
+    POLL_INTERVAL_SECONDS    Fallback poll interval (default: 30)
+    HEARTBEAT_INTERVAL_SECONDS  Heartbeat update interval (default: 60)
+"""
+
+import asyncio
+import logging
+import signal
+import sys
+
+logger = logging.getLogger('saas.automation.executor')
+
+
+def _setup_logging() -> None:
+    """Configure logging, deferring to enterprise logger if available."""
+    try:
+        from server.logger import setup_all_loggers
+
+        setup_all_loggers()
+    except ImportError:
+        logging.basicConfig(
+            level=logging.INFO,
+            format='%(asctime)s %(name)s %(levelname)s %(message)s',
+            stream=sys.stdout,
+        )
+
+
+def _install_signal_handlers(loop: asyncio.AbstractEventLoop) -> None:
+    """Install signal handlers for graceful shutdown."""
+    from services.automation_executor import request_shutdown
+
+    def _handle_signal(signum: int, _frame: object) -> None:
+        sig_name = signal.Signals(signum).name
+        logger.info('Received %s, initiating graceful shutdown...', sig_name)
+        request_shutdown()
+
+    for sig in (signal.SIGTERM, signal.SIGINT):
+        signal.signal(sig, _handle_signal)
+
+
+async def main() -> None:
+    from services.automation_executor import executor_main
+
+    await executor_main()
+
+
+if __name__ == '__main__':
+    _setup_logging()
+
+    loop = asyncio.new_event_loop()
+    _install_signal_handlers(loop)
+
+    logger.info('Starting automation executor')
+    try:
+        loop.run_until_complete(main())
+    except KeyboardInterrupt:
+        logger.info('Interrupted by user')
+    finally:
+        loop.close()
+        logger.info('Automation executor process exiting')

enterprise/saas_server.py

@@ -46,7 +46,6 @@ from server.routes.org_invitations import (  # noqa: E402
 )
 from server.routes.orgs import org_router  # noqa: E402
 from server.routes.readiness import readiness_router  # noqa: E402
-from server.routes.service import service_router  # noqa: E402
 from server.routes.user import saas_user_router  # noqa: E402
 from server.routes.user_app_settings import user_app_settings_router  # noqa: E402
 from server.sharing.shared_conversation_router import (  # noqa: E402
@@ -113,7 +112,6 @@ if GITLAB_APP_CLIENT_ID:
     base_app.include_router(gitlab_integration_router)
 
 base_app.include_router(api_keys_router)  # Add routes for API key management
-base_app.include_router(service_router)  # Add routes for internal service API
 base_app.include_router(org_router)  # Add routes for organization management
 base_app.include_router(
     verified_models_router

enterprise/server/auth/authorization.py

@@ -35,7 +35,7 @@ Usage:
 from enum import Enum
 from uuid import UUID
 
-from fastapi import Depends, HTTPException, Request, status
+from fastapi import Depends, HTTPException, status
 from storage.org_member_store import OrgMemberStore
 from storage.role import Role
 from storage.role_store import RoleStore
@@ -214,19 +214,6 @@ def has_permission(user_role: Role, permission: Permission) -> bool:
     return permission in permissions
 
 
-async def get_api_key_org_id_from_request(request: Request) -> UUID | None:
-    """Get the org_id bound to the API key used for authentication.
-
-    Returns None if:
-    - Not authenticated via API key (cookie auth)
-    - API key is a legacy key without org binding
-    """
-    user_auth = getattr(request.state, 'user_auth', None)
-    if user_auth and hasattr(user_auth, 'get_api_key_org_id'):
-        return user_auth.get_api_key_org_id()
-    return None
-
-
 def require_permission(permission: Permission):
     """
     Factory function that creates a dependency to require a specific permission.
@@ -234,9 +221,8 @@ def require_permission(permission: Permission):
     This creates a FastAPI dependency that:
     1. Extracts org_id from the path parameter
     2. Gets the authenticated user_id
-    3. Validates API key org binding (if using API key auth)
-    4. Checks if the user has the required permission in the organization
-    5. Returns the user_id if authorized, raises HTTPException otherwise
+    3. Checks if the user has the required permission in the organization
+    4. Returns the user_id if authorized, raises HTTPException otherwise
 
     Usage:
         @router.get('/{org_id}/settings')
@@ -254,7 +240,6 @@ def require_permission(permission: Permission):
     """
 
     async def permission_checker(
-        request: Request,
         org_id: UUID | None = None,
         user_id: str | None = Depends(get_user_id),
     ) -> str:
@@ -264,23 +249,6 @@ def require_permission(permission: Permission):
                 detail='User not authenticated',
             )
 
-        # Validate API key organization binding
-        api_key_org_id = await get_api_key_org_id_from_request(request)
-        if api_key_org_id is not None and org_id is not None:
-            if api_key_org_id != org_id:
-                logger.warning(
-                    'API key organization mismatch',
-                    extra={
-                        'user_id': user_id,
-                        'api_key_org_id': str(api_key_org_id),
-                        'target_org_id': str(org_id),
-                    },
-                )
-                raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
-                    detail='API key is not authorized for this organization',
-                )
-
         user_role = await get_user_org_role(user_id, org_id)
 
         if not user_role:

enterprise/server/auth/saas_user_auth.py

@@ -1,7 +1,6 @@
 import time
 from dataclasses import dataclass
 from types import MappingProxyType
-from uuid import UUID
 
 import jwt
 from fastapi import Request
@@ -60,19 +59,6 @@ class SaasUserAuth(UserAuth):
     _secrets: Secrets | None = None
     accepted_tos: bool | None = None
     auth_type: AuthType = AuthType.COOKIE
-    # API key context fields - populated when authenticated via API key
-    api_key_org_id: UUID | None = None  # Org bound to the API key used for auth
-    api_key_id: int | None = None
-    api_key_name: str | None = None
-
-    def get_api_key_org_id(self) -> UUID | None:
-        """Get the organization ID bound to the API key used for authentication.
-
-        Returns:
-            The org_id if authenticated via API key with org binding, None otherwise
-            (cookie auth or legacy API keys without org binding).
-        """
-        return self.api_key_org_id
 
     async def get_user_id(self) -> str | None:
         return self.user_id
@@ -297,19 +283,14 @@ async def saas_user_auth_from_bearer(request: Request) -> SaasUserAuth | None:
             return None
 
         api_key_store = ApiKeyStore.get_instance()
-        validation_result = await api_key_store.validate_api_key(api_key)
-        if not validation_result:
+        user_id = await api_key_store.validate_api_key(api_key)
+        if not user_id:
             return None
-        offline_token = await token_manager.load_offline_token(
-            validation_result.user_id
-        )
+        offline_token = await token_manager.load_offline_token(user_id)
         saas_user_auth = SaasUserAuth(
-            user_id=validation_result.user_id,
+            user_id=user_id,
             refresh_token=SecretStr(offline_token),
             auth_type=AuthType.BEARER,
-            api_key_org_id=validation_result.org_id,
-            api_key_id=validation_result.key_id,
-            api_key_name=validation_result.key_name,
         )
         await saas_user_auth.refresh()
         return saas_user_auth

enterprise/server/constants.py

@@ -77,9 +77,6 @@ PERMITTED_CORS_ORIGINS = [
     )
 ]
 
-# Controls whether new orgs/users default to V1 API (env: DEFAULT_V1_ENABLED)
-DEFAULT_V1_ENABLED = os.getenv('DEFAULT_V1_ENABLED', '1').lower() in ('1', 'true')
-
 
 def build_litellm_proxy_model_path(model_name: str) -> str:
     """Build the LiteLLM proxy model path based on model name.

enterprise/server/middleware.py

@@ -12,8 +12,11 @@ from server.auth.auth_error import (
 )
 from server.auth.gitlab_sync import schedule_gitlab_repo_sync
 from server.auth.saas_user_auth import SaasUserAuth, token_manager
-from server.routes.auth import set_response_cookie
-from server.utils.url_utils import get_cookie_domain, get_cookie_samesite
+from server.routes.auth import (
+    get_cookie_domain,
+    get_cookie_samesite,
+    set_response_cookie,
+)
 
 from openhands.core.logger import openhands_logger as logger
 from openhands.server.user_auth.user_auth import AuthType, UserAuth, get_user_auth
@@ -90,8 +93,8 @@ class SetAuthCookieMiddleware:
             if keycloak_auth_cookie:
                 response.delete_cookie(
                     key='keycloak_auth',
-                    domain=get_cookie_domain(),
-                    samesite=get_cookie_samesite(),
+                    domain=get_cookie_domain(request),
+                    samesite=get_cookie_samesite(request),
                 )
             return response
 
@@ -182,10 +185,6 @@ class SetAuthCookieMiddleware:
         if path.startswith('/api/v1/webhooks/'):
             return False
 
-        # Service API uses its own authentication (X-Service-API-Key header)
-        if path.startswith('/api/service/'):
-            return False
-
         is_mcp = path.startswith('/mcp')
         is_api_route = path.startswith('/api')
         return is_api_route or is_mcp

enterprise/server/routes/api_keys.py

@@ -1,9 +1,7 @@
 from datetime import UTC, datetime
-from typing import cast
 
-from fastapi import APIRouter, Depends, HTTPException, Request, status
+from fastapi import APIRouter, Depends, HTTPException, status
 from pydantic import BaseModel, field_validator
-from server.auth.saas_user_auth import SaasUserAuth
 from storage.api_key import ApiKey
 from storage.api_key_store import ApiKeyStore
 from storage.lite_llm_manager import LiteLlmManager
@@ -13,8 +11,7 @@ from storage.org_service import OrgService
 from storage.user_store import UserStore
 
 from openhands.core.logger import openhands_logger as logger
-from openhands.server.user_auth import get_user_auth, get_user_id
-from openhands.server.user_auth.user_auth import AuthType
+from openhands.server.user_auth import get_user_id
 
 
 # Helper functions for BYOR API key management
@@ -153,16 +150,6 @@ class MessageResponse(BaseModel):
     message: str
 
 
-class CurrentApiKeyResponse(BaseModel):
-    """Response model for the current API key endpoint."""
-
-    id: int
-    name: str | None
-    org_id: str
-    user_id: str
-    auth_type: str
-
-
 def api_key_to_response(key: ApiKey) -> ApiKeyResponse:
     """Convert an ApiKey model to an ApiKeyResponse."""
     return ApiKeyResponse(
@@ -275,46 +262,6 @@ async def delete_api_key(
         )
 
 
-@api_router.get('/current', tags=['Keys'])
-async def get_current_api_key(
-    request: Request,
-    user_id: str = Depends(get_user_id),
-) -> CurrentApiKeyResponse:
-    """Get information about the currently authenticated API key.
-
-    This endpoint returns metadata about the API key used for the current request,
-    including the org_id associated with the key. This is useful for API key
-    callers who need to know which organization context their key operates in.
-
-    Returns 400 if not authenticated via API key (e.g., using cookie auth).
-    """
-    user_auth = await get_user_auth(request)
-
-    # Check if authenticated via API key
-    if user_auth.get_auth_type() != AuthType.BEARER:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail='This endpoint requires API key authentication. Not available for cookie-based auth.',
-        )
-
-    # In SaaS context, bearer auth always produces SaasUserAuth
-    saas_user_auth = cast(SaasUserAuth, user_auth)
-
-    if saas_user_auth.api_key_org_id is None:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail='This API key was created before organization support. Please regenerate your API key to use this endpoint.',
-        )
-
-    return CurrentApiKeyResponse(
-        id=saas_user_auth.api_key_id,
-        name=saas_user_auth.api_key_name,
-        org_id=str(saas_user_auth.api_key_org_id),
-        user_id=user_id,
-        auth_type=saas_user_auth.auth_type.value,
-    )
-
-
 @api_router.get('/llm/byor', tags=['Keys'])
 async def get_llm_api_key_for_byor(
     user_id: str = Depends(get_user_id),

enterprise/server/routes/auth.py

@@ -3,7 +3,7 @@ import json
 import uuid
 import warnings
 from datetime import datetime, timezone
-from typing import Annotated, Optional, cast
+from typing import Annotated, Literal, Optional, cast
 from urllib.parse import quote, urlencode
 from uuid import UUID as parse_uuid
 
@@ -27,7 +27,7 @@ from server.auth.user.user_authorizer import (
     depends_user_authorizer,
 )
 from server.config import sign_token
-from server.constants import IS_FEATURE_ENV, IS_LOCAL_ENV
+from server.constants import IS_FEATURE_ENV
 from server.routes.event_webhook import _get_session_api_key, _get_user_id
 from server.services.org_invitation_service import (
     EmailMismatchError,
@@ -37,12 +37,12 @@ from server.services.org_invitation_service import (
     UserAlreadyMemberError,
 )
 from server.utils.rate_limit_utils import check_rate_limit_by_user_id
-from server.utils.url_utils import get_cookie_domain, get_cookie_samesite, get_web_url
 from sqlalchemy import select
 from storage.database import a_session_maker
 from storage.user import User
 from storage.user_store import UserStore
 
+from openhands.app_server.config import get_global_config
 from openhands.core.logger import openhands_logger as logger
 from openhands.integrations.provider import ProviderHandler
 from openhands.integrations.service_types import ProviderType, TokenResponse
@@ -77,7 +77,7 @@ def set_response_cookie(
     signed_token = sign_token(cookie_data, config.jwt_secret.get_secret_value())  # type: ignore
 
     # Set secure cookie with signed token
-    domain = get_cookie_domain()
+    domain = get_cookie_domain(request)
     if domain:
         response.set_cookie(
             key='keycloak_auth',
@@ -85,7 +85,7 @@ def set_response_cookie(
             domain=domain,
             httponly=True,
             secure=secure,
-            samesite=get_cookie_samesite(),
+            samesite=get_cookie_samesite(request),
         )
     else:
         response.set_cookie(
@@ -93,10 +93,30 @@ def set_response_cookie(
             value=signed_token,
             httponly=True,
             secure=secure,
-            samesite=get_cookie_samesite(),
+            samesite=get_cookie_samesite(request),
         )
 
 
+def get_cookie_domain(request: Request) -> str | None:
+    # for now just use the full hostname except for staging stacks.
+    return (
+        None
+        if not request.url.hostname
+        or request.url.hostname.endswith('staging.all-hands.dev')
+        else request.url.hostname
+    )
+
+
+def get_cookie_samesite(request: Request) -> Literal['lax', 'strict']:
+    # for localhost and feature/staging stacks we set it to 'lax' as the cookie domain won't allow 'strict'
+    return (
+        'lax'
+        if request.url.hostname == 'localhost'
+        or (request.url.hostname or '').endswith('staging.all-hands.dev')
+        else 'strict'
+    )
+
+
 def _extract_oauth_state(state: str | None) -> tuple[str, str | None, str | None]:
     """Extract redirect URL, reCAPTCHA token, and invitation token from OAuth state.
 
@@ -120,6 +140,19 @@ def _extract_oauth_state(state: str | None) -> tuple[str, str | None, str | None
         return state, None, None
 
 
+# Keep alias for backward compatibility
+def _extract_recaptcha_state(state: str | None) -> tuple[str, str | None]:
+    """Extract redirect URL and reCAPTCHA token from OAuth state.
+
+    Deprecated: Use _extract_oauth_state instead.
+
+    Returns:
+        Tuple of (redirect_url, recaptcha_token). Token may be None.
+    """
+    redirect_url, recaptcha_token, _ = _extract_oauth_state(state)
+    return redirect_url, recaptcha_token
+
+
 @oauth_router.get('/keycloak/callback')
 async def keycloak_callback(
     request: Request,
@@ -150,7 +183,10 @@ async def keycloak_callback(
             detail='Missing code in request params',
         )
 
-    web_url = get_web_url(request)
+    web_url = get_global_config().web_url
+    if not web_url:
+        scheme = 'http' if request.url.hostname == 'localhost' else 'https'
+        web_url = f'{scheme}://{request.url.netloc}'
     redirect_uri = web_url + request.url.path
 
     (
@@ -277,9 +313,7 @@ async def keycloak_callback(
             else:
                 raise
 
-        verification_redirect_url = (
-            f'{web_url}/login?email_verification_required=true&user_id={user_id}'
-        )
+        verification_redirect_url = f'{request.base_url}login?email_verification_required=true&user_id={user_id}'
         if rate_limited:
             verification_redirect_url = f'{verification_redirect_url}&rate_limited=true'
 
@@ -440,7 +474,9 @@ async def keycloak_callback(
     # If the user hasn't accepted the TOS, redirect to the TOS page
     if not has_accepted_tos:
         encoded_redirect_url = quote(redirect_url, safe='')
-        tos_redirect_url = f'{web_url}/accept-tos?redirect_url={encoded_redirect_url}'
+        tos_redirect_url = (
+            f'{request.base_url}accept-tos?redirect_url={encoded_redirect_url}'
+        )
         if invitation_token:
             tos_redirect_url = f'{tos_redirect_url}&invitation_success=true'
         response = RedirectResponse(tos_redirect_url, status_code=302)
@@ -472,9 +508,10 @@ async def keycloak_offline_callback(code: str, state: str, request: Request):
             status_code=status.HTTP_400_BAD_REQUEST,
             content={'error': 'Missing code in request params'},
         )
-
-    web_url = get_web_url(request)
-    redirect_uri = web_url + request.url.path
+    scheme = 'https'
+    if request.url.hostname == 'localhost':
+        scheme = 'http'
+    redirect_uri = f'{scheme}://{request.url.netloc}{request.url.path}'
     logger.debug(f'code: {code}, redirect_uri: {redirect_uri}')
 
     (
@@ -496,14 +533,15 @@ async def keycloak_offline_callback(code: str, state: str, request: Request):
     )
 
     redirect_url, _, _ = _extract_oauth_state(state)
-    return RedirectResponse(redirect_url if redirect_url else web_url, status_code=302)
+    return RedirectResponse(
+        redirect_url if redirect_url else request.base_url, status_code=302
+    )
 
 
 @oauth_router.get('/github/callback')
 async def github_dummy_callback(request: Request):
     """Callback for GitHub that just forwards the user to the app base URL."""
-    web_url = get_web_url(request)
-    return RedirectResponse(web_url, status_code=302)
+    return RedirectResponse(request.base_url, status_code=302)
 
 
 @api_router.post('/authenticate')
@@ -525,8 +563,8 @@ async def authenticate(request: Request):
         if keycloak_auth_cookie:
             response.delete_cookie(
                 key='keycloak_auth',
-                domain=get_cookie_domain(),
-                samesite=get_cookie_samesite(),
+                domain=get_cookie_domain(request),
+                samesite=get_cookie_samesite(request),
             )
 
         return response
@@ -550,8 +588,7 @@ async def accept_tos(request: Request):
 
     # Get redirect URL from request body
     body = await request.json()
-    web_url = get_web_url(request)
-    redirect_url = body.get('redirect_url', str(web_url))
+    redirect_url = body.get('redirect_url', str(request.base_url))
 
     # Update user settings with TOS acceptance
     accepted_tos: datetime = datetime.now(timezone.utc).replace(tzinfo=None)
@@ -581,7 +618,7 @@ async def accept_tos(request: Request):
         response=response,
         keycloak_access_token=access_token.get_secret_value(),
         keycloak_refresh_token=refresh_token.get_secret_value(),
-        secure=not IS_LOCAL_ENV,
+        secure=False if request.url.hostname == 'localhost' else True,
         accepted_tos=True,
     )
     return response
@@ -598,8 +635,8 @@ async def logout(request: Request):
     # Always delete the cookie regardless of what happens
     response.delete_cookie(
         key='keycloak_auth',
-        domain=get_cookie_domain(),
-        samesite=get_cookie_samesite(),
+        domain=get_cookie_domain(request),
+        samesite=get_cookie_samesite(request),
     )
 
     # Try to properly logout from Keycloak, but don't fail if it doesn't work

enterprise/server/routes/billing.py

@@ -11,8 +11,8 @@ from integrations import stripe_service
 from pydantic import BaseModel
 from server.constants import STRIPE_API_KEY
 from server.logger import logger
-from server.utils.url_utils import get_web_url
 from sqlalchemy import select
+from starlette.datastructures import URL
 from storage.billing_session import BillingSession
 from storage.database import a_session_maker
 from storage.lite_llm_manager import LiteLlmManager
@@ -151,7 +151,7 @@ async def create_customer_setup_session(
             status_code=status.HTTP_400_BAD_REQUEST,
             detail='Could not find or create customer for user',
         )
-    base_url = get_web_url(request)
+    base_url = _get_base_url(request)
     checkout_session = await stripe.checkout.Session.create_async(
         customer=customer_info['customer_id'],
         mode='setup',
@@ -170,7 +170,7 @@ async def create_checkout_session(
     user_id: str = Depends(get_user_id),
 ) -> CreateBillingSessionResponse:
     await validate_billing_enabled()
-    base_url = get_web_url(request)
+    base_url = _get_base_url(request)
     customer_info = await stripe_service.find_or_create_customer_by_user_id(user_id)
     if not customer_info:
         raise HTTPException(
@@ -198,8 +198,8 @@ async def create_checkout_session(
         saved_payment_method_options={
             'payment_method_save': 'enabled',
         },
-        success_url=f'{base_url}/api/billing/success?session_id={{CHECKOUT_SESSION_ID}}',
-        cancel_url=f'{base_url}/api/billing/cancel?session_id={{CHECKOUT_SESSION_ID}}',
+        success_url=f'{base_url}api/billing/success?session_id={{CHECKOUT_SESSION_ID}}',
+        cancel_url=f'{base_url}api/billing/cancel?session_id={{CHECKOUT_SESSION_ID}}',
     )
     logger.info(
         'created_stripe_checkout_session',
@@ -300,7 +300,7 @@ async def success_callback(session_id: str, request: Request):
         await session.commit()
 
     return RedirectResponse(
-        f'{get_web_url(request)}/settings/billing?checkout=success', status_code=302
+        f'{_get_base_url(request)}settings/billing?checkout=success', status_code=302
     )
 
 
@@ -325,9 +325,17 @@ async def cancel_callback(session_id: str, request: Request):
             )
             billing_session.status = 'cancelled'
             billing_session.updated_at = datetime.now(UTC)
-            await session.merge(billing_session)
+            session.merge(billing_session)
             await session.commit()
 
     return RedirectResponse(
-        f'{get_web_url(request)}/settings/billing?checkout=cancel', status_code=302
+        f'{_get_base_url(request)}settings/billing?checkout=cancel', status_code=302
     )
+
+
+def _get_base_url(request: Request) -> URL:
+    # Never send any part of the credit card process over a non secure connection
+    base_url = request.base_url
+    if base_url.hostname != 'localhost':
+        base_url = base_url.replace(scheme='https')
+    return base_url

enterprise/server/routes/email.py

@@ -7,10 +7,8 @@ from pydantic import BaseModel, field_validator
 from server.auth.constants import KEYCLOAK_CLIENT_ID
 from server.auth.keycloak_manager import get_keycloak_admin
 from server.auth.saas_user_auth import SaasUserAuth
-from server.constants import IS_LOCAL_ENV
 from server.routes.auth import set_response_cookie
 from server.utils.rate_limit_utils import check_rate_limit_by_user_id
-from server.utils.url_utils import get_web_url
 from storage.user_store import UserStore
 
 from openhands.core.logger import openhands_logger as logger
@@ -89,7 +87,7 @@ async def update_email(
             response=response,
             keycloak_access_token=user_auth.access_token.get_secret_value(),
             keycloak_refresh_token=user_auth.refresh_token.get_secret_value(),
-            secure=not IS_LOCAL_ENV,
+            secure=False if request.url.hostname == 'localhost' else True,
             accepted_tos=user_auth.accepted_tos or False,
         )
 
@@ -158,8 +156,8 @@ async def verified_email(request: Request):
     await user_auth.refresh()  # refresh so access token has updated email
     user_auth.email_verified = True
     await UserStore.update_user_email(user_id=user_auth.user_id, email_verified=True)
-
-    redirect_uri = f'{get_web_url(request)}/settings/user'
+    scheme = 'http' if request.url.hostname == 'localhost' else 'https'
+    redirect_uri = f'{scheme}://{request.url.netloc}/settings/user'
     response = RedirectResponse(redirect_uri, status_code=302)
 
     # need to set auth cookie to the new tokens
@@ -182,10 +180,11 @@ async def verified_email(request: Request):
 
 async def verify_email(request: Request, user_id: str, is_auth_flow: bool = False):
     keycloak_admin = get_keycloak_admin()
+    scheme = 'http' if request.url.hostname == 'localhost' else 'https'
     if is_auth_flow:
-        redirect_uri = f'{get_web_url(request)}/login?email_verified=true'
+        redirect_uri = f'{scheme}://{request.url.netloc}/login?email_verified=true'
     else:
-        redirect_uri = f'{get_web_url(request)}/api/email/verified'
+        redirect_uri = f'{scheme}://{request.url.netloc}/api/email/verified'
     logger.info(f'Redirect URI: {redirect_uri}')
     await keycloak_admin.a_send_verify_email(
         user_id=user_id,

enterprise/server/routes/oauth_device.py

@@ -6,7 +6,6 @@ from typing import Optional
 from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
 from fastapi.responses import JSONResponse
 from pydantic import BaseModel
-from server.utils.url_utils import get_web_url
 from storage.api_key_store import ApiKeyStore
 from storage.device_code_store import DeviceCodeStore
 
@@ -94,7 +93,7 @@ async def device_authorization(
             expires_in=DEVICE_CODE_EXPIRES_IN,
         )
 
-        base_url = get_web_url(http_request)
+        base_url = str(http_request.base_url).rstrip('/')
         verification_uri = f'{base_url}/oauth/device/verify'
         verification_uri_complete = (
             f'{verification_uri}?user_code={device_code_entry.user_code}'

enterprise/server/routes/orgs.py

@@ -68,7 +68,7 @@ async def list_user_orgs(
     ] = None,
     limit: Annotated[
         int,
-        Query(title='The max number of results in the page', gt=0, le=100),
+        Query(title='The max number of results in the page', gt=0, lte=100),
     ] = 100,
     user_id: str = Depends(get_user_id),
 ) -> OrgPage:
@@ -734,7 +734,7 @@ async def get_org_members(
         Query(
             title='The max number of results in the page',
             gt=0,
-            le=100,
+            lte=100,
         ),
     ] = 10,
     email: Annotated[

enterprise/server/routes/service.py

@@ -1,270 +0,0 @@
-"""
-Service API routes for internal service-to-service communication.
-
-This module provides endpoints for trusted internal services (e.g., automations service)
-to perform privileged operations like creating API keys on behalf of users.
-
-Authentication is via a shared secret (X-Service-API-Key header) configured
-through the AUTOMATIONS_SERVICE_API_KEY environment variable.
-"""
-
-import os
-from uuid import UUID
-
-from fastapi import APIRouter, Header, HTTPException, status
-from pydantic import BaseModel, field_validator
-from storage.api_key_store import ApiKeyStore
-from storage.org_member_store import OrgMemberStore
-from storage.user_store import UserStore
-
-from openhands.core.logger import openhands_logger as logger
-
-# Environment variable for the service API key
-AUTOMATIONS_SERVICE_API_KEY = os.getenv('AUTOMATIONS_SERVICE_API_KEY', '').strip()
-
-service_router = APIRouter(prefix='/api/service', tags=['Service'])
-
-
-class CreateUserApiKeyRequest(BaseModel):
-    """Request model for creating an API key on behalf of a user."""
-
-    name: str  # Required - used to identify the key
-
-    @field_validator('name')
-    @classmethod
-    def validate_name(cls, v: str) -> str:
-        if not v or not v.strip():
-            raise ValueError('name is required and cannot be empty')
-        return v.strip()
-
-
-class CreateUserApiKeyResponse(BaseModel):
-    """Response model for created API key."""
-
-    key: str
-    user_id: str
-    org_id: str
-    name: str
-
-
-class ServiceInfoResponse(BaseModel):
-    """Response model for service info endpoint."""
-
-    service: str
-    authenticated: bool
-
-
-async def validate_service_api_key(
-    x_service_api_key: str | None = Header(default=None, alias='X-Service-API-Key'),
-) -> str:
-    """
-    Validate the service API key from the request header.
-
-    Args:
-        x_service_api_key: The service API key from the X-Service-API-Key header
-
-    Returns:
-        str: Service identifier for audit logging
-
-    Raises:
-        HTTPException: 401 if key is missing or invalid
-        HTTPException: 503 if service auth is not configured
-    """
-    if not AUTOMATIONS_SERVICE_API_KEY:
-        logger.warning(
-            'Service authentication not configured (AUTOMATIONS_SERVICE_API_KEY not set)'
-        )
-        raise HTTPException(
-            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
-            detail='Service authentication not configured',
-        )
-
-    if not x_service_api_key:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail='X-Service-API-Key header is required',
-        )
-
-    if x_service_api_key != AUTOMATIONS_SERVICE_API_KEY:
-        logger.warning('Invalid service API key attempted')
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail='Invalid service API key',
-        )
-
-    return 'automations-service'
-
-
-@service_router.get('/health')
-async def service_health() -> dict:
-    """Health check endpoint for the service API.
-
-    This endpoint does not require authentication and can be used
-    to verify the service routes are accessible.
-    """
-    return {
-        'status': 'ok',
-        'service_auth_configured': bool(AUTOMATIONS_SERVICE_API_KEY),
-    }
-
-
-@service_router.post('/users/{user_id}/orgs/{org_id}/api-keys')
-async def get_or_create_api_key_for_user(
-    user_id: str,
-    org_id: UUID,
-    request: CreateUserApiKeyRequest,
-    x_service_api_key: str | None = Header(default=None, alias='X-Service-API-Key'),
-) -> CreateUserApiKeyResponse:
-    """
-    Get or create an API key for a user on behalf of the automations service.
-
-    If a key with the given name already exists for the user/org and is not expired,
-    returns the existing key. Otherwise, creates a new key.
-
-    The created/returned keys are system keys and are:
-    - Not visible to the user in their API keys list
-    - Not deletable by the user
-    - Never expire
-
-    Args:
-        user_id: The user ID
-        org_id: The organization ID
-        request: Request body containing name (required)
-        x_service_api_key: Service API key header for authentication
-
-    Returns:
-        CreateUserApiKeyResponse: The API key and metadata
-
-    Raises:
-        HTTPException: 401 if service key is invalid
-        HTTPException: 404 if user not found
-        HTTPException: 403 if user is not a member of the specified org
-    """
-    # Validate service API key
-    service_id = await validate_service_api_key(x_service_api_key)
-
-    # Verify user exists
-    user = await UserStore.get_user_by_id(user_id)
-    if not user:
-        logger.warning(
-            'Service attempted to create key for non-existent user',
-            extra={'user_id': user_id},
-        )
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail=f'User {user_id} not found',
-        )
-
-    # Verify user is a member of the specified org
-    org_member = await OrgMemberStore.get_org_member(org_id, UUID(user_id))
-    if not org_member:
-        logger.warning(
-            'Service attempted to create key for user not in org',
-            extra={
-                'user_id': user_id,
-                'org_id': str(org_id),
-            },
-        )
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail=f'User {user_id} is not a member of org {org_id}',
-        )
-
-    # Get or create the system API key
-    api_key_store = ApiKeyStore.get_instance()
-
-    try:
-        api_key = await api_key_store.get_or_create_system_api_key(
-            user_id=user_id,
-            org_id=org_id,
-            name=request.name,
-        )
-    except Exception as e:
-        logger.exception(
-            'Failed to get or create system API key',
-            extra={
-                'user_id': user_id,
-                'org_id': str(org_id),
-                'error': str(e),
-            },
-        )
-        raise HTTPException(
-            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail='Failed to get or create API key',
-        )
-
-    logger.info(
-        'Service created API key for user',
-        extra={
-            'service_id': service_id,
-            'user_id': user_id,
-            'org_id': str(org_id),
-            'key_name': request.name,
-        },
-    )
-
-    return CreateUserApiKeyResponse(
-        key=api_key,
-        user_id=user_id,
-        org_id=str(org_id),
-        name=request.name,
-    )
-
-
-@service_router.delete('/users/{user_id}/orgs/{org_id}/api-keys/{key_name}')
-async def delete_user_api_key(
-    user_id: str,
-    org_id: UUID,
-    key_name: str,
-    x_service_api_key: str | None = Header(default=None, alias='X-Service-API-Key'),
-) -> dict:
-    """
-    Delete a system API key created by the service.
-
-    This endpoint allows the automations service to clean up API keys
-    it previously created for users.
-
-    Args:
-        user_id: The user ID
-        org_id: The organization ID
-        key_name: The name of the key to delete (without __SYSTEM__: prefix)
-        x_service_api_key: Service API key header for authentication
-
-    Returns:
-        dict: Success message
-
-    Raises:
-        HTTPException: 401 if service key is invalid
-        HTTPException: 404 if key not found
-    """
-    # Validate service API key
-    service_id = await validate_service_api_key(x_service_api_key)
-
-    api_key_store = ApiKeyStore.get_instance()
-
-    # Delete the key by name (wrap with system key prefix since service creates system keys)
-    system_key_name = api_key_store.make_system_key_name(key_name)
-    success = await api_key_store.delete_api_key_by_name(
-        user_id=user_id,
-        org_id=org_id,
-        name=system_key_name,
-        allow_system=True,
-    )
-
-    if not success:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail=f'API key with name "{key_name}" not found for user {user_id} in org {org_id}',
-        )
-
-    logger.info(
-        'Service deleted API key for user',
-        extra={
-            'service_id': service_id,
-            'user_id': user_id,
-            'org_id': str(org_id),
-            'key_name': key_name,
-        },
-    )
-
-    return {'message': 'API key deleted successfully'}

enterprise/server/services/org_invitation_service.py

@@ -365,12 +365,14 @@ class OrgInvitationService:
                 'Failed to set up organization access. Please try again.'
             )
 
-        # Step 4.5: Fetch organization to get its LLM settings
-        org = await OrgStore.get_org_by_id(invitation.org_id)
-        if not org:
-            raise InvitationInvalidError('Organization not found')
+        # Step 5: Add user to organization
+        from storage.org_member_store import OrgMemberStore as OMS
+
+        org_member_kwargs = OMS.get_kwargs_from_settings(settings)
+        # Don't override with org defaults - use invitation-specified role
+        org_member_kwargs.pop('llm_model', None)
+        org_member_kwargs.pop('llm_base_url', None)
 
-        # Step 5: Add user to organization with inherited org LLM settings
         # Get the llm_api_key as string (it's SecretStr | None in Settings)
         llm_api_key = (
             settings.llm_api_key.get_secret_value() if settings.llm_api_key else ''
@@ -382,9 +384,6 @@ class OrgInvitationService:
             role_id=invitation.role_id,
             llm_api_key=llm_api_key,
             status='active',
-            llm_model=org.default_llm_model,
-            llm_base_url=org.default_llm_base_url,
-            max_iterations=org.default_max_iterations,
         )
 
         # Step 6: Mark invitation as accepted

enterprise/server/sharing/aws_shared_event_service.py

@@ -1,171 +0,0 @@
-"""Implementation of SharedEventService for AWS S3.
-
-This implementation provides read-only access to events from shared conversations:
-- Validates that the conversation is shared before returning events
-- Uses existing EventService for actual event retrieval
-- Uses SharedConversationInfoService for shared conversation validation
-
-Uses role-based authentication (no credentials needed).
-"""
-
-from __future__ import annotations
-
-import logging
-import os
-from dataclasses import dataclass
-from datetime import datetime
-from pathlib import Path
-from typing import Any, AsyncGenerator
-from uuid import UUID
-
-import boto3
-from fastapi import Request
-from pydantic import Field
-from server.sharing.shared_conversation_info_service import (
-    SharedConversationInfoService,
-)
-from server.sharing.shared_event_service import (
-    SharedEventService,
-    SharedEventServiceInjector,
-)
-from server.sharing.sql_shared_conversation_info_service import (
-    SQLSharedConversationInfoService,
-)
-
-from openhands.agent_server.models import EventPage, EventSortOrder
-from openhands.app_server.event.aws_event_service import AwsEventService
-from openhands.app_server.event.event_service import EventService
-from openhands.app_server.event_callback.event_callback_models import EventKind
-from openhands.app_server.services.injector import InjectorState
-from openhands.sdk import Event
-
-logger = logging.getLogger(__name__)
-
-
-@dataclass
-class AwsSharedEventService(SharedEventService):
-    """Implementation of SharedEventService for AWS S3 that validates shared access.
-
-    Uses role-based authentication (no credentials needed).
-    """
-
-    shared_conversation_info_service: SharedConversationInfoService
-    s3_client: Any
-    bucket_name: str
-
-    async def get_event_service(self, conversation_id: UUID) -> EventService | None:
-        shared_conversation_info = (
-            await self.shared_conversation_info_service.get_shared_conversation_info(
-                conversation_id
-            )
-        )
-        if shared_conversation_info is None:
-            return None
-
-        return AwsEventService(
-            s3_client=self.s3_client,
-            bucket_name=self.bucket_name,
-            prefix=Path('users'),
-            user_id=shared_conversation_info.created_by_user_id,
-            app_conversation_info_service=None,
-            app_conversation_info_load_tasks={},
-        )
-
-    async def get_shared_event(
-        self, conversation_id: UUID, event_id: UUID
-    ) -> Event | None:
-        """Given a conversation_id and event_id, retrieve an event if the conversation is shared."""
-        # First check if the conversation is shared
-        event_service = await self.get_event_service(conversation_id)
-        if event_service is None:
-            return None
-
-        # If conversation is shared, get the event
-        return await event_service.get_event(conversation_id, event_id)
-
-    async def search_shared_events(
-        self,
-        conversation_id: UUID,
-        kind__eq: EventKind | None = None,
-        timestamp__gte: datetime | None = None,
-        timestamp__lt: datetime | None = None,
-        sort_order: EventSortOrder = EventSortOrder.TIMESTAMP,
-        page_id: str | None = None,
-        limit: int = 100,
-    ) -> EventPage:
-        """Search events for a specific shared conversation."""
-        # First check if the conversation is shared
-        event_service = await self.get_event_service(conversation_id)
-        if event_service is None:
-            # Return empty page if conversation is not shared
-            return EventPage(items=[], next_page_id=None)
-
-        # If conversation is shared, search events for this conversation
-        return await event_service.search_events(
-            conversation_id=conversation_id,
-            kind__eq=kind__eq,
-            timestamp__gte=timestamp__gte,
-            timestamp__lt=timestamp__lt,
-            sort_order=sort_order,
-            page_id=page_id,
-            limit=limit,
-        )
-
-    async def count_shared_events(
-        self,
-        conversation_id: UUID,
-        kind__eq: EventKind | None = None,
-        timestamp__gte: datetime | None = None,
-        timestamp__lt: datetime | None = None,
-    ) -> int:
-        """Count events for a specific shared conversation."""
-        # First check if the conversation is shared
-        event_service = await self.get_event_service(conversation_id)
-        if event_service is None:
-            # Return empty page if conversation is not shared
-            return 0
-
-        # If conversation is shared, count events for this conversation
-        return await event_service.count_events(
-            conversation_id=conversation_id,
-            kind__eq=kind__eq,
-            timestamp__gte=timestamp__gte,
-            timestamp__lt=timestamp__lt,
-        )
-
-
-class AwsSharedEventServiceInjector(SharedEventServiceInjector):
-    bucket_name: str | None = Field(
-        default_factory=lambda: os.environ.get('FILE_STORE_PATH')
-    )
-
-    async def inject(
-        self, state: InjectorState, request: Request | None = None
-    ) -> AsyncGenerator[SharedEventService, None]:
-        # Define inline to prevent circular lookup
-        from openhands.app_server.config import get_db_session
-
-        async with get_db_session(state, request) as db_session:
-            shared_conversation_info_service = SQLSharedConversationInfoService(
-                db_session=db_session
-            )
-
-            bucket_name = self.bucket_name
-            if bucket_name is None:
-                raise ValueError(
-                    'bucket_name is required. Set FILE_STORE_PATH environment variable.'
-                )
-
-            # Use role-based authentication - boto3 will automatically
-            # use IAM role credentials when running in AWS
-            s3_client = boto3.client(
-                's3',
-                endpoint_url=os.getenv('AWS_S3_ENDPOINT'),
-            )
-
-            service = AwsSharedEventService(
-                shared_conversation_info_service=shared_conversation_info_service,
-                s3_client=s3_client,
-                bucket_name=bucket_name,
-            )
-            yield service

enterprise/server/sharing/shared_conversation_router.py

@@ -4,7 +4,7 @@ from datetime import datetime
 from typing import Annotated
 from uuid import UUID
 
-from fastapi import APIRouter, Depends, HTTPException, Query
+from fastapi import APIRouter, Depends, Query
 from server.sharing.shared_conversation_info_service import (
     SharedConversationInfoService,
 )
@@ -60,7 +60,7 @@ async def search_shared_conversations(
         Query(
             title='The max number of results in the page',
             gt=0,
-            le=100,
+            lte=100,
         ),
     ] = 100,
     include_sub_conversations: Annotated[
@@ -72,6 +72,8 @@ async def search_shared_conversations(
     shared_conversation_service: SharedConversationInfoService = shared_conversation_info_service_dependency,
 ) -> SharedConversationPage:
     """Search / List shared conversations."""
+    assert limit > 0
+    assert limit <= 100
     return await shared_conversation_service.search_shared_conversation_info(
         title__contains=title__contains,
         created_at__gte=created_at__gte,
@@ -125,11 +127,7 @@ async def batch_get_shared_conversations(
     shared_conversation_service: SharedConversationInfoService = shared_conversation_info_service_dependency,
 ) -> list[SharedConversation | None]:
     """Get a batch of shared conversations given their ids. Return None for any missing or non-shared."""
-    if len(ids) > 100:
-        raise HTTPException(
-            status_code=400,
-            detail=f'Cannot request more than 100 conversations at once, got {len(ids)}',
-        )
+    assert len(ids) <= 100
     uuids = [UUID(id_) for id_ in ids]
     shared_conversation_info = (
         await shared_conversation_service.batch_get_shared_conversation_info(uuids)

enterprise/server/sharing/shared_event_router.py

@@ -4,46 +4,20 @@ from datetime import datetime
 from typing import Annotated
 from uuid import UUID
 
-from fastapi import APIRouter, Depends, HTTPException, Query
-from server.sharing.shared_event_service import (
-    SharedEventService,
-    SharedEventServiceInjector,
+from fastapi import APIRouter, Depends, Query
+from server.sharing.google_cloud_shared_event_service import (
+    GoogleCloudSharedEventServiceInjector,
 )
+from server.sharing.shared_event_service import SharedEventService
 
 from openhands.agent_server.models import EventPage, EventSortOrder
 from openhands.app_server.event_callback.event_callback_models import EventKind
 from openhands.sdk import Event
-from openhands.utils.environment import StorageProvider, get_storage_provider
-
-
-def get_shared_event_service_injector() -> SharedEventServiceInjector:
-    """Get the appropriate SharedEventServiceInjector based on configuration.
-
-    Uses get_storage_provider() to determine the storage backend.
-    See openhands.utils.environment for supported environment variables.
-
-    Note: Shared events only support AWS and GCP storage. Filesystem storage
-    falls back to GCP for shared events.
-    """
-    provider = get_storage_provider()
-
-    if provider == StorageProvider.AWS:
-        from server.sharing.aws_shared_event_service import (
-            AwsSharedEventServiceInjector,
-        )
-
-        return AwsSharedEventServiceInjector()
-    else:
-        # GCP is the default for shared events (including filesystem fallback)
-        from server.sharing.google_cloud_shared_event_service import (
-            GoogleCloudSharedEventServiceInjector,
-        )
-
-        return GoogleCloudSharedEventServiceInjector()
-
 
 router = APIRouter(prefix='/api/shared-events', tags=['Sharing'])
-shared_event_service_dependency = Depends(get_shared_event_service_injector().depends)
+shared_event_service_dependency = Depends(
+    GoogleCloudSharedEventServiceInjector().depends
+)
 
 
 # Read methods
@@ -77,11 +51,13 @@ async def search_shared_events(
     ] = None,
     limit: Annotated[
         int,
-        Query(title='The max number of results in the page', gt=0, le=100),
+        Query(title='The max number of results in the page', gt=0, lte=100),
     ] = 100,
     shared_event_service: SharedEventService = shared_event_service_dependency,
 ) -> EventPage:
     """Search / List events for a shared conversation."""
+    assert limit > 0
+    assert limit <= 100
     return await shared_event_service.search_shared_events(
         conversation_id=UUID(conversation_id),
         kind__eq=kind__eq,
@@ -132,11 +108,7 @@ async def batch_get_shared_events(
     shared_event_service: SharedEventService = shared_event_service_dependency,
 ) -> list[Event | None]:
     """Get a batch of events for a shared conversation given their ids, returning null for any missing event."""
-    if len(id) > 100:
-        raise HTTPException(
-            status_code=400,
-            detail=f'Cannot request more than 100 events at once, got {len(id)}',
-        )
+    assert len(id) <= 100
     event_ids = [UUID(id_) for id_ in id]
     events = await shared_event_service.batch_get_shared_events(
         UUID(conversation_id), event_ids

enterprise/server/utils/saas_app_conversation_info_injector.py

@@ -119,7 +119,6 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
         created_at__lt: datetime | None = None,
         updated_at__gte: datetime | None = None,
         updated_at__lt: datetime | None = None,
-        sandbox_id__eq: str | None = None,
         sort_order: AppConversationSortOrder = AppConversationSortOrder.CREATED_AT_DESC,
         page_id: str | None = None,
         limit: int = 100,
@@ -142,7 +141,6 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
             created_at__lt=created_at__lt,
             updated_at__gte=updated_at__gte,
             updated_at__lt=updated_at__lt,
-            sandbox_id__eq=sandbox_id__eq,
         )
 
         # Add sort order
@@ -200,7 +198,6 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
         created_at__lt: datetime | None = None,
         updated_at__gte: datetime | None = None,
         updated_at__lt: datetime | None = None,
-        sandbox_id__eq: str | None = None,
     ) -> int:
         """Count conversations matching the given filters with SAAS metadata."""
         query = (
@@ -223,7 +220,6 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
             created_at__lt=created_at__lt,
             updated_at__gte=updated_at__gte,
             updated_at__lt=updated_at__lt,
-            sandbox_id__eq=sandbox_id__eq,
         )
 
         result = await self.db_session.execute(query)
@@ -238,7 +234,6 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
         created_at__lt: datetime | None = None,
         updated_at__gte: datetime | None = None,
         updated_at__lt: datetime | None = None,
-        sandbox_id__eq: str | None = None,
     ):
         """Apply filters to query that includes SAAS metadata."""
         # Apply the same filters as the base class
@@ -264,9 +259,6 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
                 StoredConversationMetadata.last_updated_at < updated_at__lt
             )
 
-        if sandbox_id__eq is not None:
-            conditions.append(StoredConversationMetadata.sandbox_id == sandbox_id__eq)
-
         if conditions:
             query = query.where(*conditions)
         return query
@@ -342,10 +334,7 @@ class SaasSQLAppConversationInfoService(SQLAppConversationInfoService):
         await super().save_app_conversation_info(info)
 
         # Get current user_id for SAAS metadata
-        # Fall back to info.created_by_user_id for webhook callbacks (which use ADMIN context)
         user_id_str = await self.user_context.get_user_id()
-        if not user_id_str and info.created_by_user_id:
-            user_id_str = info.created_by_user_id
         if user_id_str:
             # Convert string user_id to UUID
             user_id_uuid = UUID(user_id_str)

enterprise/server/utils/saas_pending_message_injector.py

@@ -1,172 +0,0 @@
-"""Enterprise injector for PendingMessageService with SAAS filtering."""
-
-from typing import AsyncGenerator
-from uuid import UUID
-
-from fastapi import Request
-from sqlalchemy import select
-from storage.stored_conversation_metadata_saas import StoredConversationMetadataSaas
-from storage.user import User
-
-from openhands.agent_server.models import ImageContent, TextContent
-from openhands.app_server.errors import AuthError
-from openhands.app_server.pending_messages.pending_message_models import (
-    PendingMessageResponse,
-)
-from openhands.app_server.pending_messages.pending_message_service import (
-    PendingMessageService,
-    PendingMessageServiceInjector,
-    SQLPendingMessageService,
-)
-from openhands.app_server.services.injector import InjectorState
-from openhands.app_server.user.specifiy_user_context import ADMIN
-from openhands.app_server.user.user_context import UserContext
-
-
-class SaasSQLPendingMessageService(SQLPendingMessageService):
-    """Extended SQLPendingMessageService with user and organization-based filtering.
-
-    This enterprise version ensures that:
-    - Users can only queue messages for conversations they own
-    - Organization isolation is enforced for multi-tenant deployments
-    """
-
-    def __init__(self, db_session, user_context: UserContext):
-        super().__init__(db_session=db_session)
-        self.user_context = user_context
-
-    async def _get_current_user(self) -> User | None:
-        """Get the current user using the existing db_session.
-
-        Returns:
-            User object or None if no user_id is available
-        """
-        user_id_str = await self.user_context.get_user_id()
-        if not user_id_str:
-            return None
-
-        user_id_uuid = UUID(user_id_str)
-        result = await self.db_session.execute(
-            select(User).where(User.id == user_id_uuid)
-        )
-        return result.scalars().first()
-
-    async def _validate_conversation_ownership(self, conversation_id: str) -> None:
-        """Validate that the current user owns the conversation.
-
-        This ensures multi-tenant isolation by checking:
-        - The conversation belongs to the current user
-        - The conversation belongs to the user's current organization
-
-        Args:
-            conversation_id: The conversation ID to validate (can be task-id or UUID)
-
-        Raises:
-            AuthError: If user doesn't own the conversation or authentication fails
-        """
-        # For internal operations (e.g., processing pending messages during startup)
-        # we need a mode that bypasses filtering. The ADMIN context enables this.
-        if self.user_context == ADMIN:
-            return
-
-        user_id_str = await self.user_context.get_user_id()
-        if not user_id_str:
-            raise AuthError('User authentication required')
-
-        user_id_uuid = UUID(user_id_str)
-
-        # Check conversation ownership via SAAS metadata
-        query = select(StoredConversationMetadataSaas).where(
-            StoredConversationMetadataSaas.conversation_id == conversation_id
-        )
-        result = await self.db_session.execute(query)
-        saas_metadata = result.scalar_one_or_none()
-
-        # If no SAAS metadata exists, the conversation might be a new task-id
-        # that hasn't been linked to a conversation yet. Allow access in this case
-        # as the message will be validated when the conversation is created.
-        if saas_metadata is None:
-            return
-
-        # Verify user ownership
-        if saas_metadata.user_id != user_id_uuid:
-            raise AuthError('You do not have access to this conversation')
-
-        # Verify organization ownership if applicable
-        user = await self._get_current_user()
-        if user and user.current_org_id is not None:
-            if saas_metadata.org_id != user.current_org_id:
-                raise AuthError('Conversation belongs to a different organization')
-
-    async def add_message(
-        self,
-        conversation_id: str,
-        content: list[TextContent | ImageContent],
-        role: str = 'user',
-    ) -> PendingMessageResponse:
-        """Queue a message with ownership validation.
-
-        Args:
-            conversation_id: The conversation ID to queue the message for
-            content: Message content
-            role: Message role (default: 'user')
-
-        Returns:
-            PendingMessageResponse with the queued message info
-
-        Raises:
-            AuthError: If user doesn't own the conversation
-        """
-        await self._validate_conversation_ownership(conversation_id)
-        return await super().add_message(conversation_id, content, role)
-
-    async def get_pending_messages(self, conversation_id: str):
-        """Get pending messages with ownership validation.
-
-        Args:
-            conversation_id: The conversation ID to get messages for
-
-        Returns:
-            List of pending messages
-
-        Raises:
-            AuthError: If user doesn't own the conversation
-        """
-        await self._validate_conversation_ownership(conversation_id)
-        return await super().get_pending_messages(conversation_id)
-
-    async def count_pending_messages(self, conversation_id: str) -> int:
-        """Count pending messages with ownership validation.
-
-        Args:
-            conversation_id: The conversation ID to count messages for
-
-        Returns:
-            Number of pending messages
-
-        Raises:
-            AuthError: If user doesn't own the conversation
-        """
-        await self._validate_conversation_ownership(conversation_id)
-        return await super().count_pending_messages(conversation_id)
-
-
-class SaasPendingMessageServiceInjector(PendingMessageServiceInjector):
-    """Enterprise injector for PendingMessageService with SAAS filtering."""
-
-    async def inject(
-        self, state: InjectorState, request: Request | None = None
-    ) -> AsyncGenerator[PendingMessageService, None]:
-        from openhands.app_server.config import (
-            get_db_session,
-            get_user_context,
-        )
-
-        async with (
-            get_user_context(state, request) as user_context,
-            get_db_session(state, request) as db_session,
-        ):
-            service = SaasSQLPendingMessageService(
-                db_session=db_session, user_context=user_context
-            )
-            yield service

enterprise/server/utils/url_utils.py

@@ -1,38 +0,0 @@
-from typing import Literal
-
-from fastapi import Request
-from server.constants import IS_FEATURE_ENV, IS_LOCAL_ENV, IS_STAGING_ENV
-from starlette.datastructures import URL
-
-from openhands.app_server.config import get_global_config
-
-
-def get_web_url(request: Request):
-    web_url = get_global_config().web_url
-    if not web_url:
-        scheme = 'http' if request.url.hostname == 'localhost' else 'https'
-        web_url = f'{scheme}://{request.url.netloc}'
-    else:
-        web_url = web_url.rstrip('/')
-    return web_url
-
-
-def get_cookie_domain() -> str | None:
-    config = get_global_config()
-    web_url = config.web_url
-    # for now just use the full hostname except for staging stacks.
-    return (
-        URL(web_url).hostname
-        if web_url and not (IS_FEATURE_ENV or IS_STAGING_ENV or IS_LOCAL_ENV)
-        else None
-    )
-
-
-def get_cookie_samesite() -> Literal['lax', 'strict']:
-    # for localhost and feature/staging stacks we set it to 'lax' as the cookie domain won't allow 'strict'
-    web_url = get_global_config().web_url
-    return (
-        'strict'
-        if web_url and not (IS_FEATURE_ENV or IS_STAGING_ENV or IS_LOCAL_ENV)
-        else 'lax'
-    )

enterprise/services/automation_executor.py

@@ -0,0 +1,555 @@
+"""Automation executor — processes events, claims and executes runs.
+
+The executor is a long-running process with three phases:
+  1. Process inbox: match NEW events to automations, create PENDING runs
+  2. Claim and execute: claim PENDING runs, submit to V1 API, heartbeat
+  3. Stale recovery: recover RUNNING runs with expired heartbeats
+"""
+
+import asyncio
+import logging
+import os
+import socket
+from datetime import datetime, timedelta, timezone
+from uuid import uuid4
+
+from services.openhands_api_client import OpenHandsAPIClient
+from sqlalchemy import or_, select, update
+from sqlalchemy.ext.asyncio import AsyncSession
+from storage.automation import Automation, AutomationRun
+from storage.automation_event import AutomationEvent
+
+logger = logging.getLogger('saas.automation.executor')
+
+# Environment-configurable settings
+POLL_INTERVAL_SECONDS = float(os.getenv('POLL_INTERVAL_SECONDS', '30'))
+HEARTBEAT_INTERVAL_SECONDS = float(os.getenv('HEARTBEAT_INTERVAL_SECONDS', '60'))
+RUN_TIMEOUT_SECONDS = float(os.getenv('RUN_TIMEOUT_SECONDS', '7200'))
+MAX_CONCURRENT_RUNS = int(os.getenv('MAX_CONCURRENT_RUNS', '5'))
+STALE_THRESHOLD_MINUTES = 5
+MAX_EVENTS_PER_BATCH = 50
+MAX_RETRIES_DEFAULT = 3
+
+# Terminal conversation statuses
+TERMINAL_STATUSES = frozenset({'STOPPED', 'ERROR', 'COMPLETED', 'CANCELLED'})
+
+# Shutdown flag — set by signal handlers
+_shutdown_event: asyncio.Event | None = None
+
+# Background task tracking for graceful shutdown
+_pending_tasks: set[asyncio.Task] = set()
+
+
+def utc_now() -> datetime:
+    return datetime.now(timezone.utc)
+
+
+def get_shutdown_event() -> asyncio.Event:
+    global _shutdown_event
+    if _shutdown_event is None:
+        _shutdown_event = asyncio.Event()
+    return _shutdown_event
+
+
+def should_continue() -> bool:
+    return not get_shutdown_event().is_set()
+
+
+def request_shutdown() -> None:
+    get_shutdown_event().set()
+
+
+# ---------------------------------------------------------------------------
+# Phase 1: Process inbox (event matching)
+# ---------------------------------------------------------------------------
+
+
+async def find_matching_automations(
+    session: AsyncSession, event: AutomationEvent
+) -> list[Automation]:
+    """Find automations that match the given event.
+
+    Phase 1 supports cron and manual triggers only — both carry
+    ``automation_id`` in the event payload.
+    """
+    source_type = event.source_type
+    payload = event.payload
+    if payload is None:
+        logger.error('Event %s has None payload — possible data corruption', event.id)
+        return []
+
+    if source_type in ('cron', 'manual'):
+        automation_id = payload.get('automation_id')
+        if not automation_id:
+            logger.warning(
+                'Event %s (source=%s) missing automation_id in payload',
+                event.id,
+                source_type,
+            )
+            return []
+
+        result = await session.execute(
+            select(Automation).where(
+                Automation.id == automation_id,
+                Automation.enabled.is_(True),
+            )
+        )
+        automation = result.scalar_one_or_none()
+        return [automation] if automation else []
+
+    logger.debug('Unhandled event source_type=%s for event %s', source_type, event.id)
+    return []
+
+
+async def process_new_events(session: AsyncSession) -> int:
+    """Claim NEW events from inbox, match to automations, create runs.
+
+    Returns the number of events processed.
+    """
+    result = await session.execute(
+        select(AutomationEvent)
+        .where(AutomationEvent.status == 'NEW')
+        .order_by(AutomationEvent.created_at)
+        .limit(MAX_EVENTS_PER_BATCH)
+        .with_for_update(skip_locked=True)
+    )
+    events = list(result.scalars())
+
+    processed = 0
+    for event in events:
+        try:
+            automations = await find_matching_automations(session, event)
+            if not automations:
+                event.status = 'NO_MATCH'
+                event.processed_at = utc_now()
+            else:
+                for automation in automations:
+                    run = AutomationRun(
+                        id=uuid4().hex,
+                        automation_id=automation.id,
+                        event_id=event.id,
+                        status='PENDING',
+                        event_payload=event.payload,
+                    )
+                    session.add(run)
+                event.status = 'PROCESSED'
+                event.processed_at = utc_now()
+            processed += 1
+        except Exception as e:
+            logger.exception('Error processing event %s', event.id)
+            event.status = 'ERROR'
+            event.error_detail = f'Failed during event matching: {type(e).__name__}: {e}'
+            event.processed_at = utc_now()
+
+    if processed:
+        await session.commit()
+        logger.info('Processed %d events', processed)
+
+    return processed
+
+
+# ---------------------------------------------------------------------------
+# Phase 2: Claim and execute runs
+# ---------------------------------------------------------------------------
+
+
+async def resolve_user_api_key(session: AsyncSession, user_id: str) -> str | None:
+    """Look up a user's API key from the api_keys table.
+
+    Returns the first active key found, or None.
+    """
+    from storage.api_key import ApiKey
+
+    result = await session.execute(
+        select(ApiKey.key).where(ApiKey.user_id == user_id).limit(1)
+    )
+    row = result.scalar_one_or_none()
+    return row
+
+
+async def download_automation_file(file_store_key: str) -> bytes:
+    """Download the automation .py file from object storage."""
+    try:
+        from openhands.server.shared import file_store
+    except ImportError as exc:
+        raise RuntimeError(
+            'file_store is not available — ensure the enterprise server '
+            'has been initialised before calling download_automation_file'
+        ) from exc
+
+    content = file_store.read(file_store_key)
+    if isinstance(content, str):
+        return content.encode('utf-8')
+    return content
+
+
+def is_terminal(conversation: dict) -> bool:
+    """Check if a conversation has reached a terminal status."""
+    status = (conversation.get('status') or '').upper()
+    return status in TERMINAL_STATUSES
+
+
+async def _prepare_run(
+    run: AutomationRun,
+    automation: Automation,
+    session_factory: object,
+) -> tuple[str, bytes]:
+    """Resolve the user's API key and download the automation file.
+
+    Returns:
+        (api_key, automation_file) tuple ready for submission.
+
+    Raises:
+        ValueError: If no API key is found.
+        RuntimeError: If file_store is unavailable.
+    """
+    async with session_factory() as key_session:
+        api_key = await resolve_user_api_key(key_session, automation.user_id)
+
+    if not api_key:
+        raise ValueError(f'No API key found for user {automation.user_id}')
+
+    automation_file = await download_automation_file(automation.file_store_key)
+    return api_key, automation_file
+
+
+async def _monitor_conversation(
+    run: AutomationRun,
+    conversation_id: str,
+    api_client: OpenHandsAPIClient,
+    api_key: str,
+    session_factory: object,
+) -> bool:
+    """Monitor a conversation until completion or timeout.
+
+    Returns True if completed successfully, False if shutdown requested.
+
+    Raises:
+        TimeoutError: If the run exceeds RUN_TIMEOUT_SECONDS.
+    """
+    start_time = utc_now()
+    while should_continue():
+        elapsed = (utc_now() - start_time).total_seconds()
+        if elapsed > RUN_TIMEOUT_SECONDS:
+            raise TimeoutError(f'Run exceeded {RUN_TIMEOUT_SECONDS}s timeout')
+
+        await asyncio.sleep(HEARTBEAT_INTERVAL_SECONDS)
+
+        # Update heartbeat
+        async with session_factory() as session:
+            run_obj = await session.get(AutomationRun, run.id)
+            if run_obj:
+                run_obj.heartbeat_at = utc_now()
+                await session.commit()
+
+        # Check conversation status
+        conversation = (
+            await api_client.get_conversation(api_key, conversation_id) or {}
+        )
+        if is_terminal(conversation):
+            return True
+
+    return False  # shutdown requested
+
+
+async def _submit_and_monitor(
+    run: AutomationRun,
+    api_key: str,
+    automation_file: bytes,
+    automation: Automation,
+    api_client: OpenHandsAPIClient,
+    session_factory: object,
+) -> None:
+    """Submit the automation to the V1 API and monitor until completion.
+
+    Updates the run's conversation_id, sends heartbeats, and marks the
+    final status when the conversation reaches a terminal state.
+    """
+    conversation = await api_client.start_conversation(
+        api_key=api_key,
+        automation_file=automation_file,
+        title=f'Automation: {automation.name}',
+        event_payload=run.event_payload,
+    )
+
+    conversation_id = conversation.get('app_conversation_id') or conversation.get(
+        'conversation_id'
+    )
+
+    # Persist conversation ID
+    async with session_factory() as update_session:
+        run_obj = await update_session.get(AutomationRun, run.id)
+        if run_obj:
+            run_obj.conversation_id = conversation_id
+            await update_session.commit()
+
+    # Monitor with heartbeats
+    completed = await _monitor_conversation(
+        run, conversation_id, api_client, api_key, session_factory
+    )
+
+    # Update final status
+    async with session_factory() as final_session:
+        run_obj = await final_session.get(AutomationRun, run.id)
+        if run_obj:
+            if not completed:
+                # Leave as RUNNING — stale recovery will handle it if needed.
+                # The conversation may still be running on the API side.
+                logger.info(
+                    'Run %s left as RUNNING due to executor shutdown', run.id
+                )
+            else:
+                run_obj.status = 'COMPLETED'
+                run_obj.completed_at = utc_now()
+                logger.info('Run %s completed successfully', run.id)
+            await final_session.commit()
+
+
+async def execute_run(
+    run: AutomationRun,
+    automation: Automation,
+    api_client: OpenHandsAPIClient,
+    session_factory: object,
+) -> None:
+    """Execute a single automation run end-to-end.
+
+    Orchestrates preparation (API key + file download) and submission/monitoring.
+    On failure, marks the run for retry or dead-letter.
+    """
+    try:
+        api_key, automation_file = await _prepare_run(
+            run, automation, session_factory
+        )
+        await _submit_and_monitor(
+            run, api_key, automation_file, automation, api_client, session_factory
+        )
+    except Exception as e:
+        logger.exception('Run %s failed: %s', run.id, e)
+        await _mark_run_failed(run, str(e), session_factory)
+
+
+async def _mark_run_failed(
+    run: AutomationRun, error: str, session_factory: object
+) -> None:
+    """Mark a run as FAILED or return to PENDING for retry."""
+    async with session_factory() as session:
+        run_obj = await session.get(AutomationRun, run.id)
+        if not run_obj:
+            return
+
+        run_obj.retry_count = (run_obj.retry_count or 0) + 1
+        run_obj.error_detail = error
+
+        if run_obj.retry_count >= (run_obj.max_retries or MAX_RETRIES_DEFAULT):
+            run_obj.status = 'DEAD_LETTER'
+            run_obj.completed_at = utc_now()
+            logger.error(
+                'Run %s moved to DEAD_LETTER after %d retries',
+                run.id,
+                run_obj.retry_count,
+            )
+        else:
+            run_obj.status = 'PENDING'
+            run_obj.claimed_by = None
+            backoff_seconds = 30 * (2 ** (run_obj.retry_count - 1))
+            run_obj.next_retry_at = utc_now() + timedelta(seconds=backoff_seconds)
+            logger.warning(
+                'Run %s returned to PENDING, retry %d/%d in %ds',
+                run.id,
+                run_obj.retry_count,
+                run_obj.max_retries or MAX_RETRIES_DEFAULT,
+                backoff_seconds,
+            )
+
+        await session.commit()
+
+
+async def claim_and_execute_runs(
+    session: AsyncSession,
+    executor_id: str,
+    api_client: OpenHandsAPIClient,
+    session_factory: object,
+) -> bool:
+    """Claim a PENDING run and start executing it.
+
+    Returns True if a run was claimed, False otherwise.
+    """
+    result = await session.execute(
+        select(AutomationRun)
+        .where(
+            AutomationRun.status == 'PENDING',
+            or_(
+                AutomationRun.next_retry_at.is_(None),
+                AutomationRun.next_retry_at <= utc_now(),
+            ),
+        )
+        .order_by(AutomationRun.created_at)
+        .limit(1)
+        .with_for_update(skip_locked=True)
+    )
+    run = result.scalar_one_or_none()
+    if not run:
+        return False
+
+    # Claim the run
+    run.status = 'RUNNING'
+    run.claimed_by = executor_id
+    run.claimed_at = utc_now()
+    run.heartbeat_at = utc_now()
+    run.started_at = utc_now()
+    await session.commit()
+
+    # Load automation for the run
+    auto_result = await session.execute(
+        select(Automation).where(Automation.id == run.automation_id)
+    )
+    automation = auto_result.scalar_one_or_none()
+    if not automation:
+        logger.error('Automation %s not found for run %s', run.automation_id, run.id)
+        await _mark_run_failed(
+            run, f'Automation {run.automation_id} not found', session_factory
+        )
+        return True
+
+    # Execute in background (long-running) with task tracking
+    task = asyncio.create_task(
+        execute_run(run, automation, api_client, session_factory),
+        name=f'execute-run-{run.id}',
+    )
+    _pending_tasks.add(task)
+    task.add_done_callback(_pending_tasks.discard)
+
+    logger.info(
+        'Claimed run %s (automation=%s) by executor %s',
+        run.id,
+        run.automation_id,
+        executor_id,
+    )
+    return True
+
+
+# ---------------------------------------------------------------------------
+# Phase 3: Stale run recovery
+# ---------------------------------------------------------------------------
+
+
+async def recover_stale_runs(session: AsyncSession) -> int:
+    """Mark RUNNING runs with expired heartbeats as PENDING for retry.
+
+    Returns the number of recovered runs.
+    """
+    stale_threshold = utc_now() - timedelta(minutes=STALE_THRESHOLD_MINUTES)
+    timeout_threshold = utc_now() - timedelta(seconds=RUN_TIMEOUT_SECONDS)
+
+    # Recover stale runs (heartbeat expired)
+    result = await session.execute(
+        update(AutomationRun)
+        .where(
+            AutomationRun.status == 'RUNNING',
+            AutomationRun.heartbeat_at < stale_threshold,
+            AutomationRun.heartbeat_at >= timeout_threshold,
+        )
+        .values(
+            status='PENDING',
+            claimed_by=None,
+            retry_count=AutomationRun.retry_count + 1,
+            next_retry_at=utc_now() + timedelta(seconds=30),
+        )
+        .returning(AutomationRun.id)
+    )
+    recovered_rows = result.fetchall()
+
+    # Mark truly timed-out runs as DEAD_LETTER
+    timeout_result = await session.execute(
+        update(AutomationRun)
+        .where(
+            AutomationRun.status == 'RUNNING',
+            AutomationRun.heartbeat_at < timeout_threshold,
+        )
+        .values(
+            status='DEAD_LETTER',
+            error_detail='Run exceeded timeout',
+            completed_at=utc_now(),
+        )
+        .returning(AutomationRun.id)
+    )
+    timed_out_rows = timeout_result.fetchall()
+
+    await session.commit()
+
+    recovered_count = len(recovered_rows)
+    timed_out_count = len(timed_out_rows)
+
+    if recovered_count:
+        logger.warning('Recovered %d stale automation runs', recovered_count)
+    if timed_out_count:
+        logger.warning(
+            'Marked %d automation runs as DEAD_LETTER (timeout)', timed_out_count
+        )
+
+    return recovered_count + timed_out_count
+
+
+# ---------------------------------------------------------------------------
+# Main executor loop
+# ---------------------------------------------------------------------------
+
+
+async def executor_main(session_factory: object | None = None) -> None:
+    """Main executor loop.
+
+    Args:
+        session_factory: Async context manager that yields AsyncSession instances.
+            If None, uses the default ``a_session_maker`` from database module.
+    """
+    if session_factory is None:
+        from storage.database import a_session_maker
+
+        session_factory = a_session_maker
+
+    executor_id = f'executor-{socket.gethostname()}-{os.getpid()}'
+    api_url = os.getenv('OPENHANDS_API_URL', 'http://openhands-service:3000')
+    api_client = OpenHandsAPIClient(base_url=api_url)
+
+    logger.info(
+        'Automation executor %s starting (api_url=%s, poll=%ss, heartbeat=%ss)',
+        executor_id,
+        api_url,
+        POLL_INTERVAL_SECONDS,
+        HEARTBEAT_INTERVAL_SECONDS,
+    )
+
+    try:
+        while should_continue():
+            try:
+                async with session_factory() as session:
+                    await process_new_events(session)
+
+                async with session_factory() as session:
+                    await claim_and_execute_runs(
+                        session, executor_id, api_client, session_factory
+                    )
+
+                async with session_factory() as session:
+                    await recover_stale_runs(session)
+
+            except Exception:
+                logger.exception('Error in executor main loop iteration')
+
+            # Wait for next poll interval (or early wakeup on shutdown)
+            try:
+                await asyncio.wait_for(
+                    get_shutdown_event().wait(),
+                    timeout=POLL_INTERVAL_SECONDS,
+                )
+            except asyncio.TimeoutError:
+                pass  # Normal — poll interval elapsed
+
+    finally:
+        if _pending_tasks:
+            logger.info(
+                'Waiting for %d running tasks to complete...', len(_pending_tasks)
+            )
+            await asyncio.gather(*_pending_tasks, return_exceptions=True)
+        await api_client.close()
+        logger.info('Automation executor %s shut down', executor_id)

enterprise/services/openhands_api_client.py

@@ -0,0 +1,93 @@
+"""HTTP client for the main OpenHands V1 API (internal cluster calls).
+
+Used by the automation executor to create and monitor conversations
+in the main OpenHands server.
+"""
+
+import base64
+import logging
+
+import httpx
+
+logger = logging.getLogger('saas.automation.api_client')
+
+
+def _raise_with_body(resp: httpx.Response) -> None:
+    """Call raise_for_status, enriching the error with the response body."""
+    try:
+        resp.raise_for_status()
+    except httpx.HTTPStatusError as e:
+        error_body = resp.text[:500] if resp.text else 'no response body'
+        raise httpx.HTTPStatusError(
+            f'{e.args[0]} — Response: {error_body}',
+            request=e.request,
+            response=e.response,
+        ) from e
+
+
+class OpenHandsAPIClient:
+    """Async HTTP client for the OpenHands V1 API."""
+
+    def __init__(self, base_url: str = 'http://openhands-service:3000'):
+        self.base_url = base_url.rstrip('/')
+        self.client = httpx.AsyncClient(base_url=self.base_url, timeout=30.0)
+
+    async def start_conversation(
+        self,
+        api_key: str,
+        automation_file: bytes,
+        title: str,
+        event_payload: dict | None = None,
+    ) -> dict:
+        """Submit an SDK script for sandboxed execution via V1 API.
+
+        Args:
+            api_key: User's API key for authentication.
+            automation_file: Raw bytes of the .py automation script.
+            title: Display title for the conversation.
+            event_payload: Optional trigger event data (injected as env var).
+
+        Returns:
+            Parsed JSON response containing conversation details.
+
+        Raises:
+            httpx.HTTPStatusError: If the API returns a non-2xx status.
+        """
+        resp = await self.client.post(
+            '/api/v1/app-conversations',
+            json={
+                'automation_file': base64.b64encode(automation_file).decode(),
+                'trigger': 'automation',
+                'title': title,
+                'event_payload': event_payload,
+            },
+            headers={'Authorization': f'Bearer {api_key}'},
+        )
+        _raise_with_body(resp)
+        return resp.json()
+
+    async def get_conversation(self, api_key: str, conversation_id: str) -> dict | None:
+        """Get conversation status.
+
+        Args:
+            api_key: User's API key for authentication.
+            conversation_id: The conversation ID to look up.
+
+        Returns:
+            Conversation data dict, or None if not found.
+
+        Raises:
+            httpx.HTTPStatusError: If the API returns a non-2xx status.
+        """
+        resp = await self.client.get(
+            '/api/v1/app-conversations',
+            params={'ids': [conversation_id]},
+            headers={'Authorization': f'Bearer {api_key}'},
+        )
+        _raise_with_body(resp)
+        conversations = resp.json()
+        return conversations[0] if conversations else None
+
+    async def close(self) -> None:
+        """Close the underlying HTTP client."""
+        await self.client.aclose()

enterprise/storage/api_key_store.py

@@ -4,7 +4,6 @@ import secrets
 import string
 from dataclasses import dataclass
 from datetime import UTC, datetime
-from uuid import UUID
 
 from sqlalchemy import select, update
 from storage.api_key import ApiKey
@@ -14,22 +13,9 @@ from storage.user_store import UserStore
 from openhands.core.logger import openhands_logger as logger
 
 
-@dataclass
-class ApiKeyValidationResult:
-    """Result of API key validation containing user and organization info."""
-
-    user_id: str
-    org_id: UUID | None  # None for legacy API keys without org binding
-    key_id: int
-    key_name: str | None
-
-
 @dataclass
 class ApiKeyStore:
     API_KEY_PREFIX = 'sk-oh-'
-    # Prefix for system keys created by internal services (e.g., automations)
-    # Keys with this prefix are hidden from users and cannot be deleted by users
-    SYSTEM_KEY_NAME_PREFIX = '__SYSTEM__:'
 
     def generate_api_key(self, length: int = 32) -> str:
         """Generate a random API key with the sk-oh- prefix."""
@@ -37,19 +23,6 @@ class ApiKeyStore:
         random_part = ''.join(secrets.choice(alphabet) for _ in range(length))
         return f'{self.API_KEY_PREFIX}{random_part}'
 
-    @classmethod
-    def is_system_key_name(cls, name: str | None) -> bool:
-        """Check if a key name indicates a system key."""
-        return name is not None and name.startswith(cls.SYSTEM_KEY_NAME_PREFIX)
-
-    @classmethod
-    def make_system_key_name(cls, name: str) -> str:
-        """Create a system key name with the appropriate prefix.
-
-        Format: __SYSTEM__:<name>
-        """
-        return f'{cls.SYSTEM_KEY_NAME_PREFIX}{name}'
-
     async def create_api_key(
         self, user_id: str, name: str | None = None, expires_at: datetime | None = None
     ) -> str:
@@ -87,120 +60,8 @@ class ApiKeyStore:
 
         return api_key
 
-    async def get_or_create_system_api_key(
-        self,
-        user_id: str,
-        org_id: UUID,
-        name: str,
-    ) -> str:
-        """Get or create a system API key for a user on behalf of an internal service.
-
-        If a key with the given name already exists for this user/org and is not expired,
-        returns the existing key. Otherwise, creates a new key (and deletes any expired one).
-
-        System keys are:
-        - Not visible to users in their API keys list (filtered by name prefix)
-        - Not deletable by users (protected by name prefix check)
-        - Associated with a specific org (not the user's current org)
-        - Never expire (no expiration date)
-
-        Args:
-            user_id: The ID of the user to create the key for
-            org_id: The organization ID to associate the key with
-            name: Required name for the key (will be prefixed with __SYSTEM__:)
-
-        Returns:
-            The API key (existing or newly created)
-        """
-        # Create system key name with prefix
-        system_key_name = self.make_system_key_name(name)
-
-        async with a_session_maker() as session:
-            # Check if key already exists for this user/org/name
-            result = await session.execute(
-                select(ApiKey).filter(
-                    ApiKey.user_id == user_id,
-                    ApiKey.org_id == org_id,
-                    ApiKey.name == system_key_name,
-                )
-            )
-            existing_key = result.scalars().first()
-
-            if existing_key:
-                # Check if expired
-                if existing_key.expires_at:
-                    now = datetime.now(UTC)
-                    expires_at = existing_key.expires_at
-                    if expires_at.tzinfo is None:
-                        expires_at = expires_at.replace(tzinfo=UTC)
-
-                    if expires_at < now:
-                        # Key is expired, delete it and create new one
-                        logger.info(
-                            'System API key expired, re-issuing',
-                            extra={
-                                'user_id': user_id,
-                                'org_id': str(org_id),
-                                'key_name': system_key_name,
-                            },
-                        )
-                        await session.delete(existing_key)
-                        await session.commit()
-                    else:
-                        # Key exists and is not expired, return it
-                        logger.debug(
-                            'Returning existing system API key',
-                            extra={
-                                'user_id': user_id,
-                                'org_id': str(org_id),
-                                'key_name': system_key_name,
-                            },
-                        )
-                        return existing_key.key
-                else:
-                    # Key exists and has no expiration, return it
-                    logger.debug(
-                        'Returning existing system API key',
-                        extra={
-                            'user_id': user_id,
-                            'org_id': str(org_id),
-                            'key_name': system_key_name,
-                        },
-                    )
-                    return existing_key.key
-
-        # Create new key (no expiration)
-        api_key = self.generate_api_key()
-
-        async with a_session_maker() as session:
-            key_record = ApiKey(
-                key=api_key,
-                user_id=user_id,
-                org_id=org_id,
-                name=system_key_name,
-                expires_at=None,  # System keys never expire
-            )
-            session.add(key_record)
-            await session.commit()
-
-        logger.info(
-            'Created system API key',
-            extra={
-                'user_id': user_id,
-                'org_id': str(org_id),
-                'key_name': system_key_name,
-            },
-        )
-
-        return api_key
-
-    async def validate_api_key(self, api_key: str) -> ApiKeyValidationResult | None:
-        """Validate an API key and return the associated user_id and org_id if valid.
-
-        Returns:
-            ApiKeyValidationResult if the key is valid, None otherwise.
-            The org_id may be None for legacy API keys that weren't bound to an organization.
-        """
+    async def validate_api_key(self, api_key: str) -> str | None:
+        """Validate an API key and return the associated user_id if valid."""
         now = datetime.now(UTC)
 
         async with a_session_maker() as session:
@@ -228,12 +89,7 @@ class ApiKeyStore:
             )
             await session.commit()
 
-            return ApiKeyValidationResult(
-                user_id=key_record.user_id,
-                org_id=key_record.org_id,
-                key_id=key_record.id,
-                key_name=key_record.name,
-            )
+            return key_record.user_id
 
     async def delete_api_key(self, api_key: str) -> bool:
         """Delete an API key by the key value."""
@@ -249,18 +105,8 @@ class ApiKeyStore:
 
             return True
 
-    async def delete_api_key_by_id(
-        self, key_id: int, allow_system: bool = False
-    ) -> bool:
-        """Delete an API key by its ID.
-
-        Args:
-            key_id: The ID of the key to delete
-            allow_system: If False (default), system keys cannot be deleted
-
-        Returns:
-            True if the key was deleted, False if not found or is a protected system key
-        """
+    async def delete_api_key_by_id(self, key_id: int) -> bool:
+        """Delete an API key by its ID."""
         async with a_session_maker() as session:
             result = await session.execute(select(ApiKey).filter(ApiKey.id == key_id))
             key_record = result.scalars().first()
@@ -268,26 +114,13 @@ class ApiKeyStore:
             if not key_record:
                 return False
 
-            # Protect system keys from deletion unless explicitly allowed
-            if self.is_system_key_name(key_record.name) and not allow_system:
-                logger.warning(
-                    'Attempted to delete system API key',
-                    extra={'key_id': key_id, 'user_id': key_record.user_id},
-                )
-                return False
-
             await session.delete(key_record)
             await session.commit()
 
             return True
 
     async def list_api_keys(self, user_id: str) -> list[ApiKey]:
-        """List all user-visible API keys for a user.
-
-        This excludes:
-        - System keys (name starts with __SYSTEM__:) - created by internal services
-        - MCP_API_KEY - internal MCP key
-        """
+        """List all API keys for a user."""
         user = await UserStore.get_user_by_id(user_id)
         if user is None:
             raise ValueError(f'User not found: {user_id}')
@@ -296,17 +129,11 @@ class ApiKeyStore:
         async with a_session_maker() as session:
             result = await session.execute(
                 select(ApiKey).filter(
-                    ApiKey.user_id == user_id,
-                    ApiKey.org_id == org_id,
+                    ApiKey.user_id == user_id, ApiKey.org_id == org_id
                 )
             )
             keys = result.scalars().all()
-            # Filter out system keys and MCP_API_KEY
-            return [
-                key
-                for key in keys
-                if key.name != 'MCP_API_KEY' and not self.is_system_key_name(key.name)
-            ]
+            return [key for key in keys if key.name != 'MCP_API_KEY']
 
     async def retrieve_mcp_api_key(self, user_id: str) -> str | None:
         user = await UserStore.get_user_by_id(user_id)
@@ -336,44 +163,17 @@ class ApiKeyStore:
             key_record = result.scalars().first()
             return key_record.key if key_record else None
 
-    async def delete_api_key_by_name(
-        self,
-        user_id: str,
-        name: str,
-        org_id: UUID | None = None,
-        allow_system: bool = False,
-    ) -> bool:
-        """Delete an API key by name for a specific user.
-
-        Args:
-            user_id: The ID of the user whose key to delete
-            name: The name of the key to delete
-            org_id: Optional organization ID to filter by (required for system keys)
-            allow_system: If False (default), system keys cannot be deleted
-
-        Returns:
-            True if the key was deleted, False if not found or is a protected system key
-        """
+    async def delete_api_key_by_name(self, user_id: str, name: str) -> bool:
+        """Delete an API key by name for a specific user."""
         async with a_session_maker() as session:
-            # Build the query filters
-            filters = [ApiKey.user_id == user_id, ApiKey.name == name]
-            if org_id is not None:
-                filters.append(ApiKey.org_id == org_id)
-
-            result = await session.execute(select(ApiKey).filter(*filters))
+            result = await session.execute(
+                select(ApiKey).filter(ApiKey.user_id == user_id, ApiKey.name == name)
+            )
             key_record = result.scalars().first()
 
             if not key_record:
                 return False
 
-            # Protect system keys from deletion unless explicitly allowed
-            if self.is_system_key_name(key_record.name) and not allow_system:
-                logger.warning(
-                    'Attempted to delete system API key',
-                    extra={'user_id': user_id, 'key_name': name},
-                )
-                return False
-
             await session.delete(key_record)
             await session.commit()
 

enterprise/storage/automation.py

@@ -0,0 +1,77 @@
+"""SQLAlchemy models for automations and automation runs.
+
+Stub for Task 1 (Data Foundation). These models will be replaced when Task 1
+is merged into automations-phase1.
+"""
+
+from sqlalchemy import (
+    Boolean,
+    Column,
+    DateTime,
+    ForeignKey,
+    Integer,
+    String,
+    Text,
+    text,
+)
+from sqlalchemy.orm import relationship
+from sqlalchemy.types import JSON
+from storage.base import Base
+
+
+class Automation(Base):
+    __tablename__ = 'automations'
+
+    id = Column(String, primary_key=True)
+    user_id = Column(String, nullable=False, index=True)
+    org_id = Column(String, nullable=True, index=True)
+
+    name = Column(String, nullable=False)
+    enabled = Column(Boolean, nullable=False, server_default=text('true'))
+
+    config = Column(JSON, nullable=False)
+    trigger_type = Column(String, nullable=False)
+    file_store_key = Column(String, nullable=False)
+
+    last_triggered_at = Column(DateTime(timezone=True), nullable=True)
+    created_at = Column(
+        DateTime(timezone=True),
+        nullable=False,
+        server_default=text('CURRENT_TIMESTAMP'),
+    )
+    updated_at = Column(
+        DateTime(timezone=True),
+        nullable=False,
+        server_default=text('CURRENT_TIMESTAMP'),
+    )
+
+    runs = relationship('AutomationRun', back_populates='automation')
+
+
+class AutomationRun(Base):
+    __tablename__ = 'automation_runs'
+
+    id = Column(String, primary_key=True)
+    automation_id = Column(
+        String, ForeignKey('automations.id', ondelete='CASCADE'), nullable=False
+    )
+    event_id = Column(Integer, ForeignKey('automation_events.id'), nullable=True)
+    conversation_id = Column(String, nullable=True)
+    status = Column(String, nullable=False, server_default=text("'PENDING'"))
+    claimed_by = Column(String, nullable=True)
+    claimed_at = Column(DateTime(timezone=True), nullable=True)
+    heartbeat_at = Column(DateTime(timezone=True), nullable=True)
+    retry_count = Column(Integer, nullable=False, server_default=text('0'))
+    max_retries = Column(Integer, nullable=False, server_default=text('3'))
+    next_retry_at = Column(DateTime(timezone=True), nullable=True)
+    event_payload = Column(JSON, nullable=True)
+    error_detail = Column(Text, nullable=True)
+    started_at = Column(DateTime(timezone=True), nullable=True)
+    completed_at = Column(DateTime(timezone=True), nullable=True)
+    created_at = Column(
+        DateTime(timezone=True),
+        nullable=False,
+        server_default=text('CURRENT_TIMESTAMP'),
+    )
+
+    automation = relationship('Automation', back_populates='runs')

enterprise/storage/automation_event.py

@@ -0,0 +1,27 @@
+"""SQLAlchemy model for automation events (the inbox).
+
+Stub for Task 1 (Data Foundation). This model will be replaced when Task 1
+is merged into automations-phase1.
+"""
+
+from sqlalchemy import Column, DateTime, Integer, String, Text, text
+from sqlalchemy.types import JSON
+from storage.base import Base
+
+
+class AutomationEvent(Base):
+    __tablename__ = 'automation_events'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    source_type = Column(String, nullable=False)
+    payload = Column(JSON, nullable=False)
+    metadata_ = Column('metadata', JSON, nullable=True)
+    dedup_key = Column(String, nullable=False, unique=True)
+    status = Column(String, nullable=False, server_default=text("'NEW'"))
+    error_detail = Column(Text, nullable=True)
+    created_at = Column(
+        DateTime(timezone=True),
+        nullable=False,
+        server_default=text('CURRENT_TIMESTAMP'),
+    )
+    processed_at = Column(DateTime(timezone=True), nullable=True)

enterprise/storage/lite_llm_manager.py

@@ -29,38 +29,6 @@ KEY_VERIFICATION_TIMEOUT = 5.0
 # A very large number to represent "unlimited" until LiteLLM fixes their unlimited update bug.
 UNLIMITED_BUDGET_SETTING = 1000000000.0
 
-# Check if billing is enabled (defaults to false for enterprise deployments)
-ENABLE_BILLING = os.environ.get('ENABLE_BILLING', 'false').lower() == 'true'
-
-
-def _get_default_initial_budget() -> float | None:
-    """Get the default initial budget for new teams.
-
-    When billing is disabled (ENABLE_BILLING=false), returns None to disable
-    budget enforcement in LiteLLM. When billing is enabled, returns the
-    DEFAULT_INITIAL_BUDGET environment variable value (default 0.0).
-
-    Returns:
-        float | None: The default budget, or None to disable budget enforcement.
-    """
-    if not ENABLE_BILLING:
-        return None
-
-    try:
-        budget = float(os.environ.get('DEFAULT_INITIAL_BUDGET', 0.0))
-        if budget < 0:
-            raise ValueError(
-                f'DEFAULT_INITIAL_BUDGET must be non-negative, got {budget}'
-            )
-        return budget
-    except ValueError as e:
-        raise ValueError(
-            f'Invalid DEFAULT_INITIAL_BUDGET environment variable: {e}'
-        ) from e
-
-
-DEFAULT_INITIAL_BUDGET: float | None = _get_default_initial_budget()
-
 
 def get_openhands_cloud_key_alias(keycloak_user_id: str, org_id: str) -> str:
     """Generate the key alias for OpenHands Cloud managed keys."""
@@ -133,15 +101,12 @@ class LiteLlmManager:
             ) as client:
                 # Check if team already exists and get its budget
                 # New users joining existing orgs should inherit the team's budget
-                # When billing is disabled, DEFAULT_INITIAL_BUDGET is None
-                team_budget: float | None = DEFAULT_INITIAL_BUDGET
+                team_budget = 0.0
                 try:
                     existing_team = await LiteLlmManager._get_team(client, org_id)
                     if existing_team:
                         team_info = existing_team.get('team_info', {})
-                        # Preserve None from existing team (no budget enforcement)
-                        existing_budget = team_info.get('max_budget')
-                        team_budget = existing_budget
+                        team_budget = team_info.get('max_budget', 0.0) or 0.0
                         logger.info(
                             'LiteLlmManager:create_entries:existing_team_budget',
                             extra={
@@ -164,33 +129,9 @@ class LiteLlmManager:
                 )
 
                 if create_user:
-                    user_created = await LiteLlmManager._create_user(
+                    await LiteLlmManager._create_user(
                         client, keycloak_user_info.get('email'), keycloak_user_id
                     )
-                    if not user_created:
-                        logger.error(
-                            'create_entries_failed_user_creation',
-                            extra={
-                                'org_id': org_id,
-                                'user_id': keycloak_user_id,
-                            },
-                        )
-                        return None
-
-                # Verify user exists before proceeding with key generation
-                user_exists = await LiteLlmManager._user_exists(
-                    client, keycloak_user_id
-                )
-                if not user_exists:
-                    logger.error(
-                        'create_entries_user_not_found_before_key_generation',
-                        extra={
-                            'org_id': org_id,
-                            'user_id': keycloak_user_id,
-                            'create_user_flag': create_user,
-                        },
-                    )
-                    return None
 
                 await LiteLlmManager._add_user_to_team(
                     client, keycloak_user_id, org_id, team_budget
@@ -354,12 +295,10 @@ class LiteLlmManager:
                 # Check if the database key exists in LiteLLM
                 # If not, generate a new key to prevent verification failures later
                 db_key = None
-                legacy_settings = user_settings.to_settings() if user_settings else None
                 if (
                     user_settings
                     and user_settings.llm_api_key
-                    and legacy_settings
-                    and legacy_settings.llm_base_url == LITE_LLM_API_URL
+                    and user_settings.llm_base_url == LITE_LLM_API_URL
                 ):
                     db_key = user_settings.llm_api_key
                     if hasattr(db_key, 'get_secret_value'):
@@ -577,40 +516,25 @@ class LiteLlmManager:
         client: httpx.AsyncClient,
         team_alias: str,
         team_id: str,
-        max_budget: float | None,
+        max_budget: float,
     ):
-        """Create a new team in LiteLLM.
-
-        Args:
-            client: The HTTP client to use.
-            team_alias: The alias for the team.
-            team_id: The ID for the team.
-            max_budget: The maximum budget for the team. When None, budget
-                enforcement is disabled (unlimited usage).
-        """
         if LITE_LLM_API_KEY is None or LITE_LLM_API_URL is None:
             logger.warning('LiteLLM API configuration not found')
             return
-
-        json_data: dict[str, Any] = {
-            'team_id': team_id,
-            'team_alias': team_alias,
-            'models': [],
-            'spend': 0,
-            'metadata': {
-                'version': ORG_SETTINGS_VERSION,
-                'model': get_default_litellm_model(),
-            },
-        }
-
-        if max_budget is not None:
-            json_data['max_budget'] = max_budget
-
         response = await client.post(
             f'{LITE_LLM_API_URL}/team/new',
-            json=json_data,
+            json={
+                'team_id': team_id,
+                'team_alias': team_alias,
+                'models': [],
+                'max_budget': max_budget,
+                'spend': 0,
+                'metadata': {
+                    'version': ORG_SETTINGS_VERSION,
+                    'model': get_default_litellm_model(),
+                },
+            },
         )
-
         # Team failed to create in litellm - this is an unforseen error state...
         if not response.is_success:
             if (
@@ -687,48 +611,15 @@ class LiteLlmManager:
             )
         response.raise_for_status()
 
-    @staticmethod
-    async def _user_exists(
-        client: httpx.AsyncClient,
-        user_id: str,
-    ) -> bool:
-        """Check if a user exists in LiteLLM.
-
-        Returns True if the user exists, False otherwise.
-        """
-        if LITE_LLM_API_KEY is None or LITE_LLM_API_URL is None:
-            return False
-        try:
-            response = await client.get(
-                f'{LITE_LLM_API_URL}/user/info?user_id={user_id}',
-            )
-            if response.is_success:
-                user_data = response.json()
-                # Check that user_info exists and has the user_id
-                user_info = user_data.get('user_info', {})
-                return user_info.get('user_id') == user_id
-            return False
-        except Exception as e:
-            logger.warning(
-                'litellm_user_exists_check_failed',
-                extra={'user_id': user_id, 'error': str(e)},
-            )
-            return False
-
     @staticmethod
     async def _create_user(
         client: httpx.AsyncClient,
         email: str | None,
         keycloak_user_id: str,
-    ) -> bool:
-        """Create a user in LiteLLM.
-
-        Returns True if the user was created or already exists and is verified,
-        False if creation failed and user does not exist.
-        """
+    ):
         if LITE_LLM_API_KEY is None or LITE_LLM_API_URL is None:
             logger.warning('LiteLLM API configuration not found')
-            return False
+            return
         response = await client.post(
             f'{LITE_LLM_API_URL}/user/new',
             json={
@@ -781,33 +672,17 @@ class LiteLlmManager:
                             'user_id': keycloak_user_id,
                         },
                     )
-                    # Verify the user actually exists before returning success
-                    user_exists = await LiteLlmManager._user_exists(
-                        client, keycloak_user_id
-                    )
-                    if not user_exists:
-                        logger.error(
-                            'litellm_user_claimed_exists_but_not_found',
-                            extra={
-                                'user_id': keycloak_user_id,
-                                'status_code': response.status_code,
-                                'text': response.text,
-                            },
-                        )
-                        return False
-                    return True
+                    return
                 logger.error(
                     'error_creating_litellm_user',
                     extra={
                         'status_code': response.status_code,
                         'text': response.text,
-                        'user_id': keycloak_user_id,
+                        'user_id': [keycloak_user_id],
                         'email': None,
                     },
                 )
-                return False
             response.raise_for_status()
-        return True
 
     @staticmethod
     async def _get_user(client: httpx.AsyncClient, user_id: str) -> dict | None:
@@ -1034,34 +909,19 @@ class LiteLlmManager:
         client: httpx.AsyncClient,
         keycloak_user_id: str,
         team_id: str,
-        max_budget: float | None,
+        max_budget: float,
     ):
-        """Add a user to a team in LiteLLM.
-
-        Args:
-            client: The HTTP client to use.
-            keycloak_user_id: The user's Keycloak ID.
-            team_id: The team ID.
-            max_budget: The maximum budget for the user in the team. When None,
-                budget enforcement is disabled (unlimited usage).
-        """
         if LITE_LLM_API_KEY is None or LITE_LLM_API_URL is None:
             logger.warning('LiteLLM API configuration not found')
             return
-
-        json_data: dict[str, Any] = {
-            'team_id': team_id,
-            'member': {'user_id': keycloak_user_id, 'role': 'user'},
-        }
-
-        if max_budget is not None:
-            json_data['max_budget_in_team'] = max_budget
-
         response = await client.post(
             f'{LITE_LLM_API_URL}/team/member_add',
-            json=json_data,
+            json={
+                'team_id': team_id,
+                'member': {'user_id': keycloak_user_id, 'role': 'user'},
+                'max_budget_in_team': max_budget,
+            },
         )
-
         # Failed to add user to team - this is an unforseen error state...
         if not response.is_success:
             if (
@@ -1129,34 +989,19 @@ class LiteLlmManager:
         client: httpx.AsyncClient,
         keycloak_user_id: str,
         team_id: str,
-        max_budget: float | None,
+        max_budget: float,
     ):
-        """Update a user's budget in a team.
-
-        Args:
-            client: The HTTP client to use.
-            keycloak_user_id: The user's Keycloak ID.
-            team_id: The team ID.
-            max_budget: The maximum budget for the user in the team. When None,
-                budget enforcement is disabled (unlimited usage).
-        """
         if LITE_LLM_API_KEY is None or LITE_LLM_API_URL is None:
             logger.warning('LiteLLM API configuration not found')
             return
-
-        json_data: dict[str, Any] = {
-            'team_id': team_id,
-            'user_id': keycloak_user_id,
-        }
-
-        if max_budget is not None:
-            json_data['max_budget_in_team'] = max_budget
-
         response = await client.post(
             f'{LITE_LLM_API_URL}/team/member_update',
-            json=json_data,
+            json={
+                'team_id': team_id,
+                'user_id': keycloak_user_id,
+                'max_budget_in_team': max_budget,
+            },
         )
-
         # Failed to update user in team - this is an unforseen error state...
         if not response.is_success:
             logger.error(
@@ -1543,7 +1388,6 @@ class LiteLlmManager:
     create_team = staticmethod(with_http_client(_create_team))
     get_team = staticmethod(with_http_client(_get_team))
     update_team = staticmethod(with_http_client(_update_team))
-    user_exists = staticmethod(with_http_client(_user_exists))
     create_user = staticmethod(with_http_client(_create_user))
     get_user = staticmethod(with_http_client(_get_user))
     update_user = staticmethod(with_http_client(_update_user))

enterprise/storage/org.py

@@ -47,7 +47,6 @@ class Org(Base):  # type: ignore
     conversation_expiration = Column(Integer, nullable=True)
     condenser_max_size = Column(Integer, nullable=True)
     byor_export_enabled = Column(Boolean, nullable=False, default=False)
-    sandbox_grouping_strategy = Column(String, nullable=True)
 
     # Relationships
     org_members = relationship('OrgMember', back_populates='org')

enterprise/storage/org_member.py

@@ -3,7 +3,7 @@ SQLAlchemy model for Organization-Member relationship.
 """
 
 from pydantic import SecretStr
-from sqlalchemy import JSON, UUID, Column, ForeignKey, Integer, String
+from sqlalchemy import UUID, Column, ForeignKey, Integer, String
 from sqlalchemy.orm import relationship
 from storage.base import Base
 from storage.encrypt_utils import decrypt_value, encrypt_value
@@ -22,8 +22,6 @@ class OrgMember(Base):  # type: ignore
     llm_model = Column(String, nullable=True)
     _llm_api_key_for_byor = Column(String, nullable=True)
     llm_base_url = Column(String, nullable=True)
-    agent_settings = Column(JSON, nullable=False, default=dict)
-
     status = Column(String, nullable=True)
 
     # Relationships

enterprise/storage/org_member_store.py

@@ -17,14 +17,6 @@ from storage.user_settings import UserSettings
 
 from openhands.storage.data_models.settings import Settings
 
-# Only these agent_settings keys are stored per member; org-wide settings live on Org.
-_MEMBER_SCOPED_AGENT_SETTINGS_KEYS = {
-    'schema_version',
-    'llm.model',
-    'llm.base_url',
-    'max_iterations',
-}
-
 
 class OrgMemberStore:
     """Store for managing organization-member relationships."""
@@ -36,9 +28,6 @@ class OrgMemberStore:
         role_id: int,
         llm_api_key: str,
         status: Optional[str] = None,
-        llm_model: Optional[str] = None,
-        llm_base_url: Optional[str] = None,
-        max_iterations: Optional[int] = None,
     ) -> OrgMember:
         """Add a user to an organization with a specific role."""
         async with a_session_maker() as session:
@@ -48,9 +37,6 @@ class OrgMemberStore:
                 role_id=role_id,
                 llm_api_key=llm_api_key,
                 status=status,
-                llm_model=llm_model,
-                llm_base_url=llm_base_url,
-                max_iterations=max_iterations,
             )
             session.add(org_member)
             await session.commit()
@@ -167,21 +153,12 @@ class OrgMemberStore:
 
     @staticmethod
     def get_kwargs_from_user_settings(user_settings: UserSettings):
-        settings = user_settings.to_settings()
-        return {
-            'llm_api_key': user_settings.llm_api_key,
-            'llm_model': settings.llm_model,
-            'llm_api_key_for_byor': user_settings.llm_api_key_for_byor,
-            'llm_base_url': settings.llm_base_url,
-            'max_iterations': settings.max_iterations,
-            'agent_settings': {
-                key: value
-                for key, value in settings.normalized_agent_settings(
-                    strip_secret_values=True
-                ).items()
-                if key in _MEMBER_SCOPED_AGENT_SETTINGS_KEYS
-            },
+        kwargs = {
+            normalized: getattr(user_settings, normalized)
+            for c in OrgMember.__table__.columns
+            if (normalized := c.name.lstrip('_')) and hasattr(user_settings, normalized)
         }
+        return kwargs
 
     @staticmethod
     async def get_org_members_count(

enterprise/storage/org_store.py

@@ -6,7 +6,6 @@ from typing import Optional
 from uuid import UUID
 
 from server.constants import (
-    DEFAULT_V1_ENABLED,
     LITE_LLM_API_URL,
     ORG_SETTINGS_VERSION,
     get_default_litellm_model,
@@ -37,8 +36,6 @@ class OrgStore:
             org = Org(**kwargs)
             org.org_version = ORG_SETTINGS_VERSION
             org.default_llm_model = get_default_litellm_model()
-            if org.v1_enabled is None:
-                org.v1_enabled = DEFAULT_V1_ENABLED
             session.add(org)
             await session.commit()
             await session.refresh(org)
@@ -212,30 +209,26 @@ class OrgStore:
 
     @staticmethod
     def get_kwargs_from_user_settings(user_settings: UserSettings):
-        settings = user_settings.to_settings()
-        return {
-            'agent': settings.agent,
-            'default_max_iterations': settings.max_iterations,
-            'security_analyzer': settings.security_analyzer,
-            'confirmation_mode': settings.confirmation_mode,
-            'default_llm_model': settings.llm_model,
-            'default_llm_base_url': settings.llm_base_url,
-            'remote_runtime_resource_factor': user_settings.remote_runtime_resource_factor,
-            'enable_default_condenser': settings.enable_default_condenser,
-            'billing_margin': user_settings.billing_margin,
-            'enable_proactive_conversation_starters': user_settings.enable_proactive_conversation_starters,
-            'sandbox_base_container_image': user_settings.sandbox_base_container_image,
-            'sandbox_runtime_container_image': user_settings.sandbox_runtime_container_image,
-            'org_version': user_settings.user_version,
-            'mcp_config': user_settings.mcp_config,
-            'search_api_key': user_settings.search_api_key,
-            'sandbox_api_key': user_settings.sandbox_api_key,
-            'max_budget_per_task': user_settings.max_budget_per_task,
-            'enable_solvability_analysis': user_settings.enable_solvability_analysis,
-            'v1_enabled': user_settings.v1_enabled,
-            'condenser_max_size': settings.condenser_max_size,
-            'sandbox_grouping_strategy': user_settings.sandbox_grouping_strategy,
-        }
+        kwargs = {}
+
+        for c in Org.__table__.columns:
+            # Normalize for lookup
+            normalized = (
+                c.name.removeprefix('_default_').removeprefix('default_').lstrip('_')
+            )
+
+            if not hasattr(user_settings, normalized):
+                continue
+
+            # ---- FIX: Output key should drop *only* leading "_" but preserve "default" ----
+            key = c.name
+            if key.startswith('_'):
+                key = key[1:]  # remove only the very first leading underscore
+
+            kwargs[key] = getattr(user_settings, normalized)
+
+        kwargs['org_version'] = user_settings.user_version
+        return kwargs
 
     @staticmethod
     async def persist_org_with_owner(

enterprise/storage/saas_conversation_validator.py

@@ -15,27 +15,25 @@ class SaasConversationValidator(ConversationValidator):
 
     async def _validate_api_key(self, api_key: str) -> str | None:
         """
-        Validate an API key and return the user_id if valid.
+        Validate an API key and return the user_id and github_user_id if valid.
 
         Args:
             api_key: The API key to validate
 
         Returns:
-            The user_id if the API key is valid, None otherwise
+            A tuple of (user_id, github_user_id) if the API key is valid, None otherwise
         """
         try:
             token_manager = TokenManager()
 
             # Validate the API key and get the user_id
             api_key_store = ApiKeyStore.get_instance()
-            validation_result = await api_key_store.validate_api_key(api_key)
+            user_id = await api_key_store.validate_api_key(api_key)
 
-            if not validation_result:
+            if not user_id:
                 logger.warning('Invalid API key')
                 return None
 
-            user_id = validation_result.user_id
-
             # Get the offline token for the user
             offline_token = await token_manager.load_offline_token(user_id)
             if not offline_token:

enterprise/storage/saas_secrets_store.py

@@ -59,15 +59,12 @@ class SaasSecretsStore(SecretsStore):
 
         async with a_session_maker() as session:
             # Incoming secrets are always the most updated ones
-            # Delete existing records for this user AND organization only
-            delete_query = delete(StoredCustomSecrets).filter(
-                StoredCustomSecrets.keycloak_user_id == self.user_id
+            # Delete all existing records and override with incoming ones
+            await session.execute(
+                delete(StoredCustomSecrets).filter(
+                    StoredCustomSecrets.keycloak_user_id == self.user_id
+                )
             )
-            if org_id is not None:
-                delete_query = delete_query.filter(StoredCustomSecrets.org_id == org_id)
-            else:
-                delete_query = delete_query.filter(StoredCustomSecrets.org_id.is_(None))
-            await session.execute(delete_query)
 
             # Prepare the new secrets data
             kwargs = item.model_dump(context={'expose_secrets': True})

enterprise/storage/saas_settings_store.py

@@ -28,14 +28,6 @@ from openhands.server.settings import Settings
 from openhands.storage.settings.settings_store import SettingsStore
 from openhands.utils.llm import is_openhands_model
 
-# Only these agent_settings keys are persisted on org_member; org-wide values live on Org.
-_MEMBER_SCOPED_AGENT_SETTINGS_KEYS = {
-    'schema_version',
-    'llm.model',
-    'llm.base_url',
-    'max_iterations',
-}
-
 
 @dataclass
 class SaasSettingsStore(SettingsStore):
@@ -77,29 +69,6 @@ class SaasSettingsStore(SettingsStore):
                 )
                 return result.scalars().first()
 
-    @staticmethod
-    def _member_scoped_agent_settings(agent_settings: dict) -> dict:
-        return {
-            key: value
-            for key, value in agent_settings.items()
-            if key in _MEMBER_SCOPED_AGENT_SETTINGS_KEYS
-        }
-
-    async def _persist_agent_settings_async(
-        self, org_id: uuid.UUID, agent_settings: dict
-    ) -> None:
-        async with a_session_maker() as session:
-            stmt = (
-                update(OrgMember)
-                .where(
-                    OrgMember.org_id == org_id,
-                    OrgMember.user_id == uuid.UUID(self.user_id),
-                )
-                .values(agent_settings=agent_settings)
-            )
-            await session.execute(stmt)
-            await session.commit()
-
     async def load(self) -> Settings | None:
         user = await UserStore.get_user_by_id(self.user_id)
         if not user:
@@ -146,19 +115,10 @@ class SaasSettingsStore(SettingsStore):
             kwargs['llm_api_key_for_byor'] = org_member.llm_api_key_for_byor
         if org_member.llm_base_url:
             kwargs['llm_base_url'] = org_member.llm_base_url
-        kwargs['agent_settings'] = org_member.agent_settings or {}
         if org.v1_enabled is None:
             kwargs['v1_enabled'] = True
-        # Apply default if sandbox_grouping_strategy is None in the database
-        if kwargs.get('sandbox_grouping_strategy') is None:
-            kwargs.pop('sandbox_grouping_strategy', None)
 
         settings = Settings(**kwargs)
-        persisted_agent_settings = self._member_scoped_agent_settings(
-            settings.normalized_agent_settings(strip_secret_values=True)
-        )
-        if persisted_agent_settings != (org_member.agent_settings or {}):
-            await self._persist_agent_settings_async(org_id, persisted_agent_settings)
         return settings
 
     async def store(self, item: Settings):
@@ -222,24 +182,11 @@ class SaasSettingsStore(SettingsStore):
                 )
 
             kwargs = item.model_dump(context={'expose_secrets': True})
-            kwargs['agent_settings'] = self._member_scoped_agent_settings(
-                item.normalized_agent_settings(strip_secret_values=True)
-            )
             for model in (user, org, org_member):
                 for key, value in kwargs.items():
                     if hasattr(model, key):
                         setattr(model, key, value)
 
-            # Map explicitly provided SDK-managed settings onto Org defaults.
-            # These values now live in item.agent_settings, so inspect the
-            # dotted keys directly instead of relying on model_dump().
-            if 'llm.model' in item.agent_settings:
-                org.default_llm_model = item.llm_model
-            if 'llm.base_url' in item.agent_settings:
-                org.default_llm_base_url = item.llm_base_url
-            if 'max_iterations' in item.agent_settings:
-                org.default_max_iterations = item.max_iterations
-
             # Propagate LLM settings to all org members
             # This ensures all members see the same LLM configuration when an admin saves
             # Note: Concurrent saves by multiple admins will result in last-write-wins.

enterprise/storage/slack_conversation_store.py

@@ -25,10 +25,10 @@ class SlackConversationStore:
             return result.scalar_one_or_none()
 
     async def create_slack_conversation(
-        self, slack_conversation: SlackConversation
+        self, slack_converstion: SlackConversation
     ) -> None:
         async with a_session_maker() as session:
-            await session.merge(slack_conversation)
+            session.merge(slack_converstion)
             await session.commit()
 
     @classmethod

enterprise/storage/user.py

@@ -33,7 +33,6 @@ class User(Base):  # type: ignore
     email_verified = Column(Boolean, nullable=True)
     git_user_name = Column(String, nullable=True)
     git_user_email = Column(String, nullable=True)
-    sandbox_grouping_strategy = Column(String, nullable=True)
 
     # Relationships
     role = relationship('Role', back_populates='users')

enterprise/storage/user_settings.py

@@ -1,5 +1,3 @@
-from __future__ import annotations
-
 from server.constants import DEFAULT_BILLING_MARGIN
 from sqlalchemy import JSON, Boolean, Column, DateTime, Float, Identity, Integer, String
 from storage.base import Base
@@ -10,9 +8,17 @@ class UserSettings(Base):  # type: ignore
     id = Column(Integer, Identity(), primary_key=True)
     keycloak_user_id = Column(String, nullable=True, index=True)
     language = Column(String, nullable=True)
+    agent = Column(String, nullable=True)
+    max_iterations = Column(Integer, nullable=True)
+    security_analyzer = Column(String, nullable=True)
+    confirmation_mode = Column(Boolean, nullable=True, default=False)
+    llm_model = Column(String, nullable=True)
     llm_api_key = Column(String, nullable=True)
     llm_api_key_for_byor = Column(String, nullable=True)
+    llm_base_url = Column(String, nullable=True)
     remote_runtime_resource_factor = Column(Integer, nullable=True)
+    enable_default_condenser = Column(Boolean, nullable=False, default=True)
+    condenser_max_size = Column(Integer, nullable=True)
     user_consents_to_analytics = Column(Boolean, nullable=True)
     billing_margin = Column(Float, nullable=True, default=DEFAULT_BILLING_MARGIN)
     enable_sound_notifications = Column(Boolean, nullable=True, default=False)
@@ -21,7 +27,6 @@ class UserSettings(Base):  # type: ignore
     )
     sandbox_base_container_image = Column(String, nullable=True)
     sandbox_runtime_container_image = Column(String, nullable=True)
-    sandbox_grouping_strategy = Column(String, nullable=True)
     user_version = Column(Integer, nullable=False, default=0)
     accepted_tos = Column(DateTime, nullable=True)
     mcp_config = Column(JSON, nullable=True)
@@ -34,16 +39,6 @@ class UserSettings(Base):  # type: ignore
     git_user_name = Column(String, nullable=True)
     git_user_email = Column(String, nullable=True)
     v1_enabled = Column(Boolean, nullable=True)
-    agent_settings = Column(JSON, nullable=False, default=dict)
-
     already_migrated = Column(
         Boolean, nullable=True, default=False
     )  # False = not migrated, True = migrated
-
-    def to_settings(self):
-        from openhands.storage.data_models.settings import Settings
-
-        return Settings(
-            agent_settings=dict(self.agent_settings or {}),
-            llm_api_key=self.llm_api_key,
-        )

enterprise/storage/user_store.py

@@ -7,7 +7,6 @@ from uuid import UUID
 
 from server.auth.token_manager import TokenManager
 from server.constants import (
-    DEFAULT_V1_ENABLED,
     LITE_LLM_API_URL,
     ORG_SETTINGS_VERSION,
     PERSONAL_WORKSPACE_VERSION_TO_MODEL,
@@ -235,17 +234,13 @@ class UserStore:
             # if user has custom settings, set org defaults to current version
             if custom_settings:
                 org_kwargs['default_llm_model'] = get_default_litellm_model()
-                org_kwargs['default_llm_base_url'] = LITE_LLM_API_URL
+                org_kwargs['llm_base_url'] = LITE_LLM_API_URL
                 org_kwargs['org_version'] = ORG_SETTINGS_VERSION
 
             for key, value in org_kwargs.items():
                 if hasattr(org, key):
                     setattr(org, key, value)
 
-            # Apply DEFAULT_V1_ENABLED for migrated orgs if v1_enabled was not set
-            if org.v1_enabled is None:
-                org.v1_enabled = DEFAULT_V1_ENABLED
-
             user_kwargs = UserStore.get_kwargs_from_user_settings(
                 decrypted_user_settings
             )
@@ -897,8 +892,6 @@ class UserStore:
             language='en', enable_proactive_conversation_starters=True
         )
 
-        default_settings.v1_enabled = DEFAULT_V1_ENABLED
-
         from storage.lite_llm_manager import LiteLlmManager
 
         settings = await LiteLlmManager.create_entries(
@@ -975,31 +968,19 @@ class UserStore:
             'max_iterations', org_member.max_iterations
         )
 
-        from openhands.storage.data_models.settings import Settings
-
-        agent_settings = Settings(
-            agent=org.agent,
-            llm_model=llm_model,
-            llm_api_key=org_member.llm_api_key.get_secret_value()
-            if org_member.llm_api_key
-            else None,
-            llm_base_url=llm_base_url,
-            max_iterations=max_iterations,
-            confirmation_mode=org.confirmation_mode,
-            security_analyzer=org.security_analyzer,
-            enable_default_condenser=org.enable_default_condenser,
-            condenser_max_size=org.condenser_max_size,
-            agent_settings=org_member.agent_settings or {},
-        ).normalized_agent_settings(strip_secret_values=True)
-
         return UserSettings(
             keycloak_user_id=user_id,
+            # OrgMember fields
             llm_api_key=org_member.llm_api_key.get_secret_value()
             if org_member.llm_api_key
             else None,
             llm_api_key_for_byor=org_member.llm_api_key_for_byor.get_secret_value()
             if org_member.llm_api_key_for_byor
             else None,
+            llm_model=llm_model,
+            llm_base_url=llm_base_url,
+            max_iterations=max_iterations,
+            # User fields
             accepted_tos=user.accepted_tos,
             enable_sound_notifications=user.enable_sound_notifications,
             language=user.language,
@@ -1008,7 +989,12 @@ class UserStore:
             email_verified=user.email_verified,
             git_user_name=user.git_user_name,
             git_user_email=user.git_user_email,
+            # Org fields
+            agent=org.agent,
+            security_analyzer=org.security_analyzer,
+            confirmation_mode=org.confirmation_mode,
             remote_runtime_resource_factor=org.remote_runtime_resource_factor,
+            enable_default_condenser=org.enable_default_condenser,
             billing_margin=org.billing_margin,
             enable_proactive_conversation_starters=org.enable_proactive_conversation_starters,
             sandbox_base_container_image=org.sandbox_base_container_image,
@@ -1024,8 +1010,7 @@ class UserStore:
             max_budget_per_task=org.max_budget_per_task,
             enable_solvability_analysis=org.enable_solvability_analysis,
             v1_enabled=org.v1_enabled,
-            sandbox_grouping_strategy=org.sandbox_grouping_strategy,
-            agent_settings=agent_settings,
+            condenser_max_size=org.condenser_max_size,
             already_migrated=False,
         )
 
@@ -1043,12 +1028,15 @@ class UserStore:
         Returns:
             True if user has custom settings, False if using old defaults
         """
-        settings = user_settings.to_settings()
-
-        user_model = settings.llm_model.strip() or None if settings.llm_model else None
+        # Normalize values
+        user_model = (
+            user_settings.llm_model.strip() or None if user_settings.llm_model else None
+        )
         user_base_url = (
-            settings.llm_base_url.strip() if settings.llm_base_url else None
-        ) or None
+            user_settings.llm_base_url.strip() or None
+            if user_settings.llm_base_url
+            else None
+        )
 
         # Custom base_url = definitely custom settings (BYOK)
         if user_base_url and user_base_url != LITE_LLM_API_URL:

enterprise/sync/common_room_sync.py

@@ -0,0 +1,562 @@
+#!/usr/bin/env python3
+"""
+Common Room Sync
+
+This script queries the database to count conversations created by each user,
+then creates or updates a signal in Common Room for each user with their
+conversation count.
+"""
+
+import asyncio
+import logging
+import os
+import sys
+import time
+from datetime import UTC, datetime
+from typing import Any, Dict, List, Optional, Set
+
+import requests
+from sqlalchemy import text
+
+# Add the parent directory to the path so we can import from storage
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+from server.auth.token_manager import get_keycloak_admin
+from storage.database import get_engine
+
+# Configure logging
+logging.basicConfig(
+    level=logging.INFO, format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger('common_room_sync')
+
+# Common Room API configuration
+COMMON_ROOM_API_KEY = os.environ.get('COMMON_ROOM_API_KEY')
+COMMON_ROOM_DESTINATION_SOURCE_ID = os.environ.get('COMMON_ROOM_DESTINATION_SOURCE_ID')
+COMMON_ROOM_API_BASE_URL = 'https://api.commonroom.io/community/v1'
+
+# Sync configuration
+BATCH_SIZE = int(os.environ.get('BATCH_SIZE', '100'))
+KEYCLOAK_BATCH_SIZE = int(os.environ.get('KEYCLOAK_BATCH_SIZE', '20'))
+MAX_RETRIES = int(os.environ.get('MAX_RETRIES', '3'))
+INITIAL_BACKOFF_SECONDS = float(os.environ.get('INITIAL_BACKOFF_SECONDS', '1'))
+MAX_BACKOFF_SECONDS = float(os.environ.get('MAX_BACKOFF_SECONDS', '60'))
+BACKOFF_FACTOR = float(os.environ.get('BACKOFF_FACTOR', '2'))
+RATE_LIMIT = float(os.environ.get('RATE_LIMIT', '2'))  # Requests per second
+
+
+class CommonRoomSyncError(Exception):
+    """Base exception for Common Room sync errors."""
+
+
+class DatabaseError(CommonRoomSyncError):
+    """Exception for database errors."""
+
+
+class CommonRoomAPIError(CommonRoomSyncError):
+    """Exception for Common Room API errors."""
+
+
+class KeycloakClientError(CommonRoomSyncError):
+    """Exception for Keycloak client errors."""
+
+
+def get_recent_conversations(minutes: int = 60) -> List[Dict[str, Any]]:
+    """Get conversations created in the past N minutes.
+
+    Args:
+        minutes: Number of minutes to look back for new conversations.
+
+    Returns:
+        A list of dictionaries, each containing conversation details.
+
+    Raises:
+        DatabaseError: If the database query fails.
+    """
+    try:
+        # Use a different syntax for the interval that works with pg8000
+        query = text("""
+            SELECT
+                conversation_id, user_id, title, created_at
+            FROM
+                conversation_metadata
+            WHERE
+                created_at >= NOW() - (INTERVAL '1 minute' * :minutes)
+            ORDER BY
+                created_at DESC
+        """)
+
+        with get_engine().connect() as connection:
+            result = connection.execute(query, {'minutes': minutes})
+            conversations = [
+                {
+                    'conversation_id': row[0],
+                    'user_id': row[1],
+                    'title': row[2],
+                    'created_at': row[3].isoformat() if row[3] else None,
+                }
+                for row in result
+            ]
+
+        logger.info(
+            f'Retrieved {len(conversations)} conversations created in the past {minutes} minutes'
+        )
+        return conversations
+    except Exception as e:
+        logger.exception(f'Error querying recent conversations: {e}')
+        raise DatabaseError(f'Failed to query recent conversations: {e}')
+
+
+async def get_users_from_keycloak(user_ids: Set[str]) -> Dict[str, Dict[str, Any]]:
+    """Get user information from Keycloak for a set of user IDs.
+
+    Args:
+        user_ids: A set of user IDs to look up.
+
+    Returns:
+        A dictionary mapping user IDs to user information dictionaries.
+
+    Raises:
+        KeycloakClientError: If the Keycloak API call fails.
+    """
+    try:
+        # Get Keycloak admin client
+        keycloak_admin = get_keycloak_admin()
+
+        # Create a dictionary to store user information
+        user_info_dict = {}
+
+        # Convert set to list for easier batching
+        user_id_list = list(user_ids)
+
+        # Process user IDs in batches
+        for i in range(0, len(user_id_list), KEYCLOAK_BATCH_SIZE):
+            batch = user_id_list[i : i + KEYCLOAK_BATCH_SIZE]
+            batch_tasks = []
+
+            # Create tasks for each user ID in the batch
+            for user_id in batch:
+                # Use the Keycloak admin client to get user by ID
+                batch_tasks.append(get_user_by_id(keycloak_admin, user_id))
+
+            # Run the batch of tasks concurrently
+            batch_results = await asyncio.gather(*batch_tasks, return_exceptions=True)
+
+            # Process the results
+            for user_id, result in zip(batch, batch_results):
+                if isinstance(result, Exception):
+                    logger.warning(f'Error getting user {user_id}: {result}')
+                    continue
+
+                if result and isinstance(result, dict):
+                    user_info_dict[user_id] = {
+                        'username': result.get('username'),
+                        'email': result.get('email'),
+                        'id': result.get('id'),
+                    }
+
+        logger.info(
+            f'Retrieved information for {len(user_info_dict)} users from Keycloak'
+        )
+        return user_info_dict
+
+    except Exception as e:
+        error_msg = f'Error getting users from Keycloak: {e}'
+        logger.exception(error_msg)
+        raise KeycloakClientError(error_msg)
+
+
+async def get_user_by_id(keycloak_admin, user_id: str) -> Optional[Dict[str, Any]]:
+    """Get a user from Keycloak by ID.
+
+    Args:
+        keycloak_admin: The Keycloak admin client.
+        user_id: The user ID to look up.
+
+    Returns:
+        A dictionary with the user's information, or None if not found.
+    """
+    try:
+        # Use the Keycloak admin client to get user by ID
+        user = keycloak_admin.get_user(user_id)
+        if user:
+            logger.debug(
+                f"Found user in Keycloak: {user.get('username')}, {user.get('email')}"
+            )
+            return user
+        else:
+            logger.warning(f'User {user_id} not found in Keycloak')
+            return None
+    except Exception as e:
+        logger.warning(f'Error getting user {user_id} from Keycloak: {e}')
+        return None
+
+
+def get_user_info(
+    user_id: str, user_info_cache: Dict[str, Dict[str, Any]]
+) -> Optional[Dict[str, str]]:
+    """Get the email address and GitHub username for a user from the cache.
+
+    Args:
+        user_id: The user ID to look up.
+        user_info_cache: A dictionary mapping user IDs to user information.
+
+    Returns:
+        A dictionary with the user's email and username, or None if not found.
+    """
+    # Check if the user is in the cache
+    if user_id in user_info_cache:
+        user_info = user_info_cache[user_id]
+        logger.debug(
+            f"Found user info in cache: {user_info.get('username')}, {user_info.get('email')}"
+        )
+        return user_info
+    else:
+        logger.warning(f'User {user_id} not found in user info cache')
+        return None
+
+
+def register_user_in_common_room(
+    user_id: str, email: str, github_username: str
+) -> Dict[str, Any]:
+    """Create or update a user in Common Room.
+
+    Args:
+        user_id: The user ID.
+        email: The user's email address.
+        github_username: The user's GitHub username.
+
+    Returns:
+        The API response from Common Room.
+
+    Raises:
+        CommonRoomAPIError: If the Common Room API request fails.
+    """
+    if not COMMON_ROOM_API_KEY:
+        raise CommonRoomAPIError('COMMON_ROOM_API_KEY environment variable not set')
+
+    if not COMMON_ROOM_DESTINATION_SOURCE_ID:
+        raise CommonRoomAPIError(
+            'COMMON_ROOM_DESTINATION_SOURCE_ID environment variable not set'
+        )
+
+    try:
+        headers = {
+            'Authorization': f'Bearer {COMMON_ROOM_API_KEY}',
+            'Content-Type': 'application/json',
+        }
+
+        # Create or update user in Common Room
+        user_data = {
+            'id': user_id,
+            'email': email,
+            'username': github_username,
+            'github': {'type': 'handle', 'value': github_username},
+        }
+
+        user_url = f'{COMMON_ROOM_API_BASE_URL}/source/{COMMON_ROOM_DESTINATION_SOURCE_ID}/user'
+        user_response = requests.post(user_url, headers=headers, json=user_data)
+
+        if user_response.status_code not in (200, 202):
+            logger.error(
+                f'Failed to create/update user in Common Room: {user_response.text}'
+            )
+            logger.error(f'Response status code: {user_response.status_code}')
+            raise CommonRoomAPIError(
+                f'Failed to create/update user: {user_response.text}'
+            )
+
+        logger.info(
+            f'Registered/updated user {user_id} (GitHub: {github_username}) in Common Room'
+        )
+        return user_response.json()
+    except requests.RequestException as e:
+        logger.exception(f'Error communicating with Common Room API: {e}')
+        raise CommonRoomAPIError(f'Failed to communicate with Common Room API: {e}')
+
+
+def register_conversation_activity(
+    user_id: str,
+    conversation_id: str,
+    conversation_title: str,
+    created_at: datetime,
+    email: str,
+    github_username: str,
+) -> Dict[str, Any]:
+    """Create an activity in Common Room for a new conversation.
+
+    Args:
+        user_id: The user ID who created the conversation.
+        conversation_id: The ID of the conversation.
+        conversation_title: The title of the conversation.
+        created_at: The datetime object when the conversation was created.
+        email: The user's email address.
+        github_username: The user's GitHub username.
+
+    Returns:
+        The API response from Common Room.
+
+    Raises:
+        CommonRoomAPIError: If the Common Room API request fails.
+    """
+    if not COMMON_ROOM_API_KEY:
+        raise CommonRoomAPIError('COMMON_ROOM_API_KEY environment variable not set')
+
+    if not COMMON_ROOM_DESTINATION_SOURCE_ID:
+        raise CommonRoomAPIError(
+            'COMMON_ROOM_DESTINATION_SOURCE_ID environment variable not set'
+        )
+
+    try:
+        headers = {
+            'Authorization': f'Bearer {COMMON_ROOM_API_KEY}',
+            'Content-Type': 'application/json',
+        }
+
+        # Format the datetime object to the expected ISO format
+        formatted_timestamp = (
+            created_at.strftime('%Y-%m-%dT%H:%M:%SZ')
+            if created_at
+            else time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())
+        )
+
+        # Create activity for the conversation
+        activity_data = {
+            'id': f'conversation_{conversation_id}',  # Use conversation ID to ensure uniqueness
+            'activityType': 'started_session',
+            'user': {
+                'id': user_id,
+                'email': email,
+                'github': {'type': 'handle', 'value': github_username},
+                'username': github_username,
+            },
+            'activityTitle': {
+                'type': 'text',
+                'value': conversation_title or 'New Conversation',
+            },
+            'content': {
+                'type': 'text',
+                'value': f'Started a new conversation: {conversation_title or "Untitled"}',
+            },
+            'timestamp': formatted_timestamp,
+            'url': f'https://app.all-hands.dev/conversations/{conversation_id}',
+        }
+
+        # Log the activity data for debugging
+        logger.info(f'Activity data payload: {activity_data}')
+
+        activity_url = f'{COMMON_ROOM_API_BASE_URL}/source/{COMMON_ROOM_DESTINATION_SOURCE_ID}/activity'
+        activity_response = requests.post(
+            activity_url, headers=headers, json=activity_data
+        )
+
+        if activity_response.status_code not in (200, 202):
+            logger.error(
+                f'Failed to create activity in Common Room: {activity_response.text}'
+            )
+            logger.error(f'Response status code: {activity_response.status_code}')
+            raise CommonRoomAPIError(
+                f'Failed to create activity: {activity_response.text}'
+            )
+
+        logger.info(
+            f'Registered conversation activity for user {user_id}, conversation {conversation_id}'
+        )
+        return activity_response.json()
+    except requests.RequestException as e:
+        logger.exception(f'Error communicating with Common Room API: {e}')
+        raise CommonRoomAPIError(f'Failed to communicate with Common Room API: {e}')
+
+
+def retry_with_backoff(func, *args, **kwargs):
+    """Retry a function with exponential backoff.
+
+    Args:
+        func: The function to retry.
+        *args: Positional arguments to pass to the function.
+        **kwargs: Keyword arguments to pass to the function.
+
+    Returns:
+        The result of the function call.
+
+    Raises:
+        The last exception raised by the function.
+    """
+    backoff = INITIAL_BACKOFF_SECONDS
+    last_exception = None
+
+    for attempt in range(MAX_RETRIES):
+        try:
+            return func(*args, **kwargs)
+        except Exception as e:
+            last_exception = e
+            logger.warning(f'Attempt {attempt + 1}/{MAX_RETRIES} failed: {e}')
+
+            if attempt < MAX_RETRIES - 1:
+                sleep_time = min(backoff, MAX_BACKOFF_SECONDS)
+                logger.info(f'Retrying in {sleep_time:.2f} seconds...')
+                time.sleep(sleep_time)
+                backoff *= BACKOFF_FACTOR
+            else:
+                logger.exception(f'All {MAX_RETRIES} attempts failed')
+                raise last_exception
+
+
+async def retry_with_backoff_async(func, *args, **kwargs):
+    """Retry an async function with exponential backoff.
+
+    Args:
+        func: The async function to retry.
+        *args: Positional arguments to pass to the function.
+        **kwargs: Keyword arguments to pass to the function.
+
+    Returns:
+        The result of the function call.
+
+    Raises:
+        The last exception raised by the function.
+    """
+    backoff = INITIAL_BACKOFF_SECONDS
+    last_exception = None
+
+    for attempt in range(MAX_RETRIES):
+        try:
+            return await func(*args, **kwargs)
+        except Exception as e:
+            last_exception = e
+            logger.warning(f'Attempt {attempt + 1}/{MAX_RETRIES} failed: {e}')
+
+            if attempt < MAX_RETRIES - 1:
+                sleep_time = min(backoff, MAX_BACKOFF_SECONDS)
+                logger.info(f'Retrying in {sleep_time:.2f} seconds...')
+                await asyncio.sleep(sleep_time)
+                backoff *= BACKOFF_FACTOR
+            else:
+                logger.exception(f'All {MAX_RETRIES} attempts failed')
+                raise last_exception
+
+
+async def async_sync_recent_conversations_to_common_room(minutes: int = 60):
+    """Async main function to sync recent conversations to Common Room.
+
+    Args:
+        minutes: Number of minutes to look back for new conversations.
+    """
+    logger.info(
+        f'Starting Common Room recent conversations sync (past {minutes} minutes)'
+    )
+
+    stats = {
+        'total_conversations': 0,
+        'registered_users': 0,
+        'registered_activities': 0,
+        'errors': 0,
+        'missing_user_info': 0,
+    }
+
+    try:
+        # Get conversations created in the past N minutes
+        recent_conversations = retry_with_backoff(get_recent_conversations, minutes)
+        stats['total_conversations'] = len(recent_conversations)
+
+        logger.info(f'Processing {len(recent_conversations)} recent conversations')
+
+        if not recent_conversations:
+            logger.info('No recent conversations found, exiting')
+            return
+
+        # Extract all unique user IDs
+        user_ids = {conv['user_id'] for conv in recent_conversations if conv['user_id']}
+
+        # Get user information for all users in batches
+        user_info_cache = await retry_with_backoff_async(
+            get_users_from_keycloak, user_ids
+        )
+
+        # Track registered users to avoid duplicate registrations
+        registered_users = set()
+
+        # Process each conversation
+        for conversation in recent_conversations:
+            conversation_id = conversation['conversation_id']
+            user_id = conversation['user_id']
+            title = conversation['title']
+            created_at = conversation[
+                'created_at'
+            ]  # This might be a string or datetime object
+
+            try:
+                # Get user info from cache
+                user_info = get_user_info(user_id, user_info_cache)
+                if not user_info:
+                    logger.warning(
+                        f'Could not find user info for user {user_id}, skipping conversation {conversation_id}'
+                    )
+                    stats['missing_user_info'] += 1
+                    continue
+
+                email = user_info['email']
+                github_username = user_info['username']
+
+                if not email:
+                    logger.warning(
+                        f'User {user_id} has no email, skipping conversation {conversation_id}'
+                    )
+                    stats['errors'] += 1
+                    continue
+
+                # Register user in Common Room if not already registered in this run
+                if user_id not in registered_users:
+                    register_user_in_common_room(user_id, email, github_username)
+                    registered_users.add(user_id)
+                    stats['registered_users'] += 1
+
+                # If created_at is a string, parse it to a datetime object
+                # If it's already a datetime object, use it as is
+                # If it's None, use current time
+                created_at_datetime = (
+                    created_at
+                    if isinstance(created_at, datetime)
+                    else datetime.fromisoformat(created_at.replace('Z', '+00:00'))
+                    if created_at
+                    else datetime.now(UTC)
+                )
+
+                # Register conversation activity with email and github username
+                register_conversation_activity(
+                    user_id,
+                    conversation_id,
+                    title,
+                    created_at_datetime,
+                    email,
+                    github_username,
+                )
+                stats['registered_activities'] += 1
+
+                # Sleep to respect rate limit
+                await asyncio.sleep(1 / RATE_LIMIT)
+            except Exception as e:
+                logger.exception(
+                    f'Error processing conversation {conversation_id} for user {user_id}: {e}'
+                )
+                stats['errors'] += 1
+    except Exception as e:
+        logger.exception(f'Sync failed: {e}')
+        raise
+    finally:
+        logger.info(f'Sync completed. Stats: {stats}')
+
+
+def sync_recent_conversations_to_common_room(minutes: int = 60):
+    """Main function to sync recent conversations to Common Room.
+
+    Args:
+        minutes: Number of minutes to look back for new conversations.
+    """
+    # Run the async function in the event loop
+    asyncio.run(async_sync_recent_conversations_to_common_room(minutes))
+
+
+if __name__ == '__main__':
+    # Default to looking back 60 minutes for new conversations
+    minutes = int(os.environ.get('SYNC_MINUTES', '60'))
+    sync_recent_conversations_to_common_room(minutes)

enterprise/sync/test_common_room_sync.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+"""
+Test script for Common Room conversation count sync.
+
+This script tests the functionality of the Common Room sync script
+without making any API calls to Common Room or database connections.
+"""
+
+import os
+import sys
+import unittest
+from unittest.mock import MagicMock, patch
+
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+from sync.common_room_sync import (
+    retry_with_backoff,
+)
+
+
+class TestCommonRoomSync(unittest.TestCase):
+    """Test cases for Common Room sync functionality."""
+
+    def test_retry_with_backoff(self):
+        """Test the retry_with_backoff function."""
+        # Mock function that succeeds on the second attempt
+        mock_func = MagicMock(
+            side_effect=[Exception('First attempt failed'), 'success']
+        )
+
+        # Set environment variables for testing
+        with patch.dict(
+            os.environ,
+            {
+                'MAX_RETRIES': '3',
+                'INITIAL_BACKOFF_SECONDS': '0.01',
+                'BACKOFF_FACTOR': '2',
+                'MAX_BACKOFF_SECONDS': '1',
+            },
+        ):
+            result = retry_with_backoff(mock_func, 'arg1', 'arg2', kwarg1='kwarg1')
+
+            # Check that the function was called twice
+            self.assertEqual(mock_func.call_count, 2)
+            # Check that the function was called with the correct arguments
+            mock_func.assert_called_with('arg1', 'arg2', kwarg1='kwarg1')
+            # Check that the function returned the expected result
+            self.assertEqual(result, 'success')
+
+
+if __name__ == '__main__':
+    unittest.main()

enterprise/sync/test_conversation_count_query.py

@@ -0,0 +1,83 @@
+#!/usr/bin/env python3
+"""Test script to verify the conversation count query.
+
+This script tests the database query to count conversations by user,
+without making any API calls to Common Room.
+"""
+
+import os
+import sys
+
+from sqlalchemy import text
+
+# Add the parent directory to the path so we can import from storage
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from storage.database import get_engine
+
+
+def test_conversation_count_query():
+    """Test the query to count conversations by user."""
+    try:
+        # Query to count conversations by user
+        count_query = text("""
+            SELECT
+                user_id, COUNT(*) as conversation_count
+            FROM
+                conversation_metadata
+            GROUP BY
+                user_id
+        """)
+
+        engine = get_engine()
+
+        with engine.connect() as connection:
+            count_result = connection.execute(count_query)
+            user_counts = [
+                {'user_id': row[0], 'conversation_count': row[1]}
+                for row in count_result
+            ]
+
+        print(f'Found {len(user_counts)} users with conversations')
+
+        # Print the first 5 results
+        for i, user_data in enumerate(user_counts[:5]):
+            print(
+                f"User {i+1}: {user_data['user_id']} - {user_data['conversation_count']} conversations"
+            )
+
+        # Test the user_entity query for the first user (if any)
+        if user_counts:
+            first_user_id = user_counts[0]['user_id']
+
+            user_query = text("""
+                SELECT username, email, id
+                FROM user_entity
+                WHERE id = :user_id
+            """)
+
+            with engine.connect() as connection:
+                user_result = connection.execute(user_query, {'user_id': first_user_id})
+                user_row = user_result.fetchone()
+
+                if user_row:
+                    print(f'\nUser details for {first_user_id}:')
+                    print(f'  GitHub Username: {user_row[0]}')
+                    print(f'  Email: {user_row[1]}')
+                    print(f'  ID: {user_row[2]}')
+                else:
+                    print(
+                        f'\nNo user details found for {first_user_id} in user_entity table'
+                    )
+
+        print('\nTest completed successfully')
+    except Exception as e:
+        print(f'Error: {str(e)}')
+        import traceback
+
+        traceback.print_exc()
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    test_conversation_count_query()

enterprise/tests/unit/conftest.py

@@ -28,7 +28,6 @@ from storage.org import Org
 from storage.org_invitation import OrgInvitation  # noqa: F401
 from storage.org_member import OrgMember
 from storage.role import Role
-from storage.slack_conversation import SlackConversation  # noqa: F401
 from storage.stored_conversation_metadata import StoredConversationMetadata
 from storage.stored_conversation_metadata_saas import (
     StoredConversationMetadataSaas,

enterprise/tests/unit/routes/test_service.py

@@ -1,331 +0,0 @@
-"""Unit tests for service API routes."""
-
-import uuid
-from unittest.mock import AsyncMock, MagicMock, patch
-
-import pytest
-from fastapi import HTTPException
-from server.routes.service import (
-    CreateUserApiKeyRequest,
-    delete_user_api_key,
-    get_or_create_api_key_for_user,
-    validate_service_api_key,
-)
-
-
-class TestValidateServiceApiKey:
-    """Test cases for validate_service_api_key."""
-
-    @pytest.mark.asyncio
-    async def test_valid_service_key(self):
-        """Test validation with valid service API key."""
-        with patch(
-            'server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-service-key'
-        ):
-            result = await validate_service_api_key('test-service-key')
-        assert result == 'automations-service'
-
-    @pytest.mark.asyncio
-    async def test_missing_service_key(self):
-        """Test validation with missing service API key header."""
-        with patch(
-            'server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-service-key'
-        ):
-            with pytest.raises(HTTPException) as exc_info:
-                await validate_service_api_key(None)
-        assert exc_info.value.status_code == 401
-        assert 'X-Service-API-Key header is required' in exc_info.value.detail
-
-    @pytest.mark.asyncio
-    async def test_invalid_service_key(self):
-        """Test validation with invalid service API key."""
-        with patch(
-            'server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-service-key'
-        ):
-            with pytest.raises(HTTPException) as exc_info:
-                await validate_service_api_key('wrong-key')
-        assert exc_info.value.status_code == 401
-        assert 'Invalid service API key' in exc_info.value.detail
-
-    @pytest.mark.asyncio
-    async def test_service_auth_not_configured(self):
-        """Test validation when service auth is not configured."""
-        with patch('server.routes.service.AUTOMATIONS_SERVICE_API_KEY', ''):
-            with pytest.raises(HTTPException) as exc_info:
-                await validate_service_api_key('any-key')
-        assert exc_info.value.status_code == 503
-        assert 'Service authentication not configured' in exc_info.value.detail
-
-
-class TestCreateUserApiKeyRequest:
-    """Test cases for CreateUserApiKeyRequest validation."""
-
-    def test_valid_request(self):
-        """Test valid request with all fields."""
-        request = CreateUserApiKeyRequest(
-            name='automation',
-        )
-        assert request.name == 'automation'
-
-    def test_name_is_required(self):
-        """Test that name field is required."""
-        with pytest.raises(ValueError):
-            CreateUserApiKeyRequest(
-                name='',  # Empty name should fail
-            )
-
-    def test_name_is_stripped(self):
-        """Test that name field is stripped of whitespace."""
-        request = CreateUserApiKeyRequest(
-            name='  automation  ',
-        )
-        assert request.name == 'automation'
-
-    def test_whitespace_only_name_fails(self):
-        """Test that whitespace-only name fails validation."""
-        with pytest.raises(ValueError):
-            CreateUserApiKeyRequest(
-                name='   ',
-            )
-
-
-class TestGetOrCreateApiKeyForUser:
-    """Test cases for get_or_create_api_key_for_user endpoint."""
-
-    @pytest.fixture
-    def valid_user_id(self):
-        """Return a valid user ID."""
-        return '5594c7b6-f959-4b81-92e9-b09c206f5081'
-
-    @pytest.fixture
-    def valid_org_id(self):
-        """Return a valid org ID."""
-        return uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-
-    @pytest.fixture
-    def valid_request(self):
-        """Create a valid request object."""
-        return CreateUserApiKeyRequest(
-            name='automation',
-        )
-
-    @pytest.mark.asyncio
-    async def test_user_not_found(self, valid_user_id, valid_org_id, valid_request):
-        """Test error when user doesn't exist."""
-        with patch('server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-key'):
-            with patch(
-                'server.routes.service.UserStore.get_user_by_id', new_callable=AsyncMock
-            ) as mock_get_user:
-                mock_get_user.return_value = None
-                with pytest.raises(HTTPException) as exc_info:
-                    await get_or_create_api_key_for_user(
-                        user_id=valid_user_id,
-                        org_id=valid_org_id,
-                        request=valid_request,
-                        x_service_api_key='test-key',
-                    )
-        assert exc_info.value.status_code == 404
-        assert 'not found' in exc_info.value.detail
-
-    @pytest.mark.asyncio
-    async def test_user_not_in_org(self, valid_user_id, valid_org_id, valid_request):
-        """Test error when user is not a member of the org."""
-        mock_user = MagicMock()
-
-        with patch('server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-key'):
-            with patch(
-                'server.routes.service.UserStore.get_user_by_id', new_callable=AsyncMock
-            ) as mock_get_user:
-                with patch(
-                    'server.routes.service.OrgMemberStore.get_org_member',
-                    new_callable=AsyncMock,
-                ) as mock_get_member:
-                    mock_get_user.return_value = mock_user
-                    mock_get_member.return_value = None
-                    with pytest.raises(HTTPException) as exc_info:
-                        await get_or_create_api_key_for_user(
-                            user_id=valid_user_id,
-                            org_id=valid_org_id,
-                            request=valid_request,
-                            x_service_api_key='test-key',
-                        )
-        assert exc_info.value.status_code == 403
-        assert 'not a member of org' in exc_info.value.detail
-
-    @pytest.mark.asyncio
-    async def test_successful_key_creation(
-        self, valid_user_id, valid_org_id, valid_request
-    ):
-        """Test successful API key creation."""
-        mock_user = MagicMock()
-        mock_org_member = MagicMock()
-        mock_api_key_store = MagicMock()
-        mock_api_key_store.get_or_create_system_api_key = AsyncMock(
-            return_value='sk-oh-test-key-12345678901234567890'
-        )
-
-        with patch('server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-key'):
-            with patch(
-                'server.routes.service.UserStore.get_user_by_id', new_callable=AsyncMock
-            ) as mock_get_user:
-                with patch(
-                    'server.routes.service.OrgMemberStore.get_org_member',
-                    new_callable=AsyncMock,
-                ) as mock_get_member:
-                    with patch(
-                        'server.routes.service.ApiKeyStore.get_instance'
-                    ) as mock_get_store:
-                        mock_get_user.return_value = mock_user
-                        mock_get_member.return_value = mock_org_member
-                        mock_get_store.return_value = mock_api_key_store
-
-                        response = await get_or_create_api_key_for_user(
-                            user_id=valid_user_id,
-                            org_id=valid_org_id,
-                            request=valid_request,
-                            x_service_api_key='test-key',
-                        )
-
-        assert response.key == 'sk-oh-test-key-12345678901234567890'
-        assert response.user_id == valid_user_id
-        assert response.org_id == str(valid_org_id)
-        assert response.name == 'automation'
-
-        # Verify the store was called with correct arguments
-        mock_api_key_store.get_or_create_system_api_key.assert_called_once_with(
-            user_id=valid_user_id,
-            org_id=valid_org_id,
-            name='automation',
-        )
-
-    @pytest.mark.asyncio
-    async def test_store_exception_handling(
-        self, valid_user_id, valid_org_id, valid_request
-    ):
-        """Test error handling when store raises exception."""
-        mock_user = MagicMock()
-        mock_org_member = MagicMock()
-        mock_api_key_store = MagicMock()
-        mock_api_key_store.get_or_create_system_api_key = AsyncMock(
-            side_effect=Exception('Database error')
-        )
-
-        with patch('server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-key'):
-            with patch(
-                'server.routes.service.UserStore.get_user_by_id', new_callable=AsyncMock
-            ) as mock_get_user:
-                with patch(
-                    'server.routes.service.OrgMemberStore.get_org_member',
-                    new_callable=AsyncMock,
-                ) as mock_get_member:
-                    with patch(
-                        'server.routes.service.ApiKeyStore.get_instance'
-                    ) as mock_get_store:
-                        mock_get_user.return_value = mock_user
-                        mock_get_member.return_value = mock_org_member
-                        mock_get_store.return_value = mock_api_key_store
-
-                        with pytest.raises(HTTPException) as exc_info:
-                            await get_or_create_api_key_for_user(
-                                user_id=valid_user_id,
-                                org_id=valid_org_id,
-                                request=valid_request,
-                                x_service_api_key='test-key',
-                            )
-
-        assert exc_info.value.status_code == 500
-        assert 'Failed to get or create API key' in exc_info.value.detail
-
-
-class TestDeleteUserApiKey:
-    """Test cases for delete_user_api_key endpoint."""
-
-    @pytest.fixture
-    def valid_org_id(self):
-        """Return a valid org ID."""
-        return uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-
-    @pytest.mark.asyncio
-    async def test_successful_delete(self, valid_org_id):
-        """Test successful deletion of a system API key."""
-        mock_api_key_store = MagicMock()
-        mock_api_key_store.make_system_key_name.return_value = '__SYSTEM__:automation'
-        mock_api_key_store.delete_api_key_by_name = AsyncMock(return_value=True)
-
-        with patch('server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-key'):
-            with patch(
-                'server.routes.service.ApiKeyStore.get_instance'
-            ) as mock_get_store:
-                mock_get_store.return_value = mock_api_key_store
-
-                response = await delete_user_api_key(
-                    user_id='user-123',
-                    org_id=valid_org_id,
-                    key_name='automation',
-                    x_service_api_key='test-key',
-                )
-
-        assert response == {'message': 'API key deleted successfully'}
-
-        # Verify the store was called with correct arguments
-        mock_api_key_store.make_system_key_name.assert_called_once_with('automation')
-        mock_api_key_store.delete_api_key_by_name.assert_called_once_with(
-            user_id='user-123',
-            org_id=valid_org_id,
-            name='__SYSTEM__:automation',
-            allow_system=True,
-        )
-
-    @pytest.mark.asyncio
-    async def test_delete_key_not_found(self, valid_org_id):
-        """Test error when key to delete is not found."""
-        mock_api_key_store = MagicMock()
-        mock_api_key_store.make_system_key_name.return_value = '__SYSTEM__:nonexistent'
-        mock_api_key_store.delete_api_key_by_name = AsyncMock(return_value=False)
-
-        with patch('server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-key'):
-            with patch(
-                'server.routes.service.ApiKeyStore.get_instance'
-            ) as mock_get_store:
-                mock_get_store.return_value = mock_api_key_store
-
-                with pytest.raises(HTTPException) as exc_info:
-                    await delete_user_api_key(
-                        user_id='user-123',
-                        org_id=valid_org_id,
-                        key_name='nonexistent',
-                        x_service_api_key='test-key',
-                    )
-
-        assert exc_info.value.status_code == 404
-        assert 'not found' in exc_info.value.detail
-
-    @pytest.mark.asyncio
-    async def test_delete_invalid_service_key(self, valid_org_id):
-        """Test error when service API key is invalid."""
-        with patch('server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-key'):
-            with pytest.raises(HTTPException) as exc_info:
-                await delete_user_api_key(
-                    user_id='user-123',
-                    org_id=valid_org_id,
-                    key_name='automation',
-                    x_service_api_key='wrong-key',
-                )
-
-        assert exc_info.value.status_code == 401
-        assert 'Invalid service API key' in exc_info.value.detail
-
-    @pytest.mark.asyncio
-    async def test_delete_missing_service_key(self, valid_org_id):
-        """Test error when service API key header is missing."""
-        with patch('server.routes.service.AUTOMATIONS_SERVICE_API_KEY', 'test-key'):
-            with pytest.raises(HTTPException) as exc_info:
-                await delete_user_api_key(
-                    user_id='user-123',
-                    org_id=valid_org_id,
-                    key_name='automation',
-                    x_service_api_key=None,
-                )
-
-        assert exc_info.value.status_code == 401
-        assert 'X-Service-API-Key header is required' in exc_info.value.detail

enterprise/tests/unit/server/routes/test_api_keys.py

@@ -1,26 +1,19 @@
 """Unit tests for API keys routes, focusing on BYOR key validation and retrieval."""
 
-import uuid
 from unittest.mock import AsyncMock, MagicMock, patch
 
 import httpx
 import pytest
 from fastapi import HTTPException
-from pydantic import SecretStr
-from server.auth.saas_user_auth import SaasUserAuth
 from server.routes.api_keys import (
     ByorPermittedResponse,
-    CurrentApiKeyResponse,
     LlmApiKeyResponse,
     check_byor_permitted,
     delete_byor_key_from_litellm,
-    get_current_api_key,
     get_llm_api_key_for_byor,
 )
 from storage.lite_llm_manager import LiteLlmManager
 
-from openhands.server.user_auth.user_auth import AuthType
-
 
 class TestVerifyByorKeyInLitellm:
     """Test the verify_byor_key_in_litellm function."""
@@ -519,81 +512,3 @@ class TestCheckByorPermitted:
 
         assert exc_info.value.status_code == 500
         assert 'Failed to check BYOR export permission' in exc_info.value.detail
-
-
-class TestGetCurrentApiKey:
-    """Test the get_current_api_key endpoint."""
-
-    @pytest.mark.asyncio
-    @patch('server.routes.api_keys.get_user_auth')
-    async def test_returns_api_key_info_for_bearer_auth(self, mock_get_user_auth):
-        """Test that API key metadata including org_id is returned for bearer token auth."""
-        # Arrange
-        user_id = 'user-123'
-        org_id = uuid.uuid4()
-        mock_request = MagicMock()
-
-        user_auth = SaasUserAuth(
-            refresh_token=SecretStr('mock-token'),
-            user_id=user_id,
-            auth_type=AuthType.BEARER,
-            api_key_org_id=org_id,
-            api_key_id=42,
-            api_key_name='My Production Key',
-        )
-        mock_get_user_auth.return_value = user_auth
-
-        # Act
-        result = await get_current_api_key(request=mock_request, user_id=user_id)
-
-        # Assert
-        assert isinstance(result, CurrentApiKeyResponse)
-        assert result.org_id == str(org_id)
-        assert result.id == 42
-        assert result.name == 'My Production Key'
-        assert result.user_id == user_id
-        assert result.auth_type == 'bearer'
-
-    @pytest.mark.asyncio
-    @patch('server.routes.api_keys.get_user_auth')
-    async def test_returns_400_for_cookie_auth(self, mock_get_user_auth):
-        """Test that 400 Bad Request is returned when using cookie authentication."""
-        # Arrange
-        user_id = 'user-123'
-        mock_request = MagicMock()
-
-        mock_user_auth = MagicMock()
-        mock_user_auth.get_auth_type.return_value = AuthType.COOKIE
-        mock_get_user_auth.return_value = mock_user_auth
-
-        # Act & Assert
-        with pytest.raises(HTTPException) as exc_info:
-            await get_current_api_key(request=mock_request, user_id=user_id)
-
-        assert exc_info.value.status_code == 400
-        assert 'API key authentication' in exc_info.value.detail
-
-    @pytest.mark.asyncio
-    @patch('server.routes.api_keys.get_user_auth')
-    async def test_returns_400_when_api_key_org_id_is_none(self, mock_get_user_auth):
-        """Test that 400 is returned when API key has no org_id (legacy key)."""
-        # Arrange
-        user_id = 'user-123'
-        mock_request = MagicMock()
-
-        user_auth = SaasUserAuth(
-            refresh_token=SecretStr('mock-token'),
-            user_id=user_id,
-            auth_type=AuthType.BEARER,
-            api_key_org_id=None,  # No org_id - legacy key
-            api_key_id=42,
-            api_key_name='Legacy Key',
-        )
-        mock_get_user_auth.return_value = user_auth
-
-        # Act & Assert
-        with pytest.raises(HTTPException) as exc_info:
-            await get_current_api_key(request=mock_request, user_id=user_id)
-
-        assert exc_info.value.status_code == 400
-        assert 'created before organization support' in exc_info.value.detail

enterprise/tests/unit/services/conftest.py

@@ -0,0 +1,68 @@
+"""Shared fixtures for services tests.
+
+Note: We pre-load ``storage`` as a namespace package to avoid the heavy
+``storage/__init__.py`` that imports the entire enterprise model graph.
+This must happen *before* any ``from storage.…`` import.
+"""
+
+import contextlib
+import sys
+import types
+
+# Prevent storage/__init__.py from loading the full model graph.
+# We only need the lightweight automation models for these tests.
+if 'storage' not in sys.modules:
+    import pathlib
+
+    _storage_dir = str(pathlib.Path(__file__).resolve().parents[3] / 'storage')
+    _mod = types.ModuleType('storage')
+    _mod.__path__ = [_storage_dir]
+    sys.modules['storage'] = _mod
+
+import pytest
+from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
+from sqlalchemy.pool import StaticPool
+from storage.automation import Automation, AutomationRun  # noqa: F401
+from storage.automation_event import AutomationEvent  # noqa: F401
+from storage.base import Base
+
+
+@pytest.fixture
+async def async_engine():
+    """Create an async SQLite engine for testing."""
+    engine = create_async_engine(
+        'sqlite+aiosqlite:///:memory:',
+        poolclass=StaticPool,
+        connect_args={'check_same_thread': False},
+        echo=False,
+    )
+
+    async with engine.begin() as conn:
+        await conn.run_sync(Base.metadata.create_all)
+
+    yield engine
+    await engine.dispose()
+
+
+@pytest.fixture
+async def async_session_factory(async_engine):
+    """Create an async session factory that yields context-managed sessions."""
+    factory = async_sessionmaker(
+        bind=async_engine,
+        class_=AsyncSession,
+        expire_on_commit=False,
+    )
+
+    @contextlib.asynccontextmanager
+    async def _session_ctx():
+        async with factory() as session:
+            yield session
+
+    return _session_ctx
+
+
+@pytest.fixture
+async def async_session(async_session_factory):
+    """Create a single async session for testing."""
+    async with async_session_factory() as session:
+        yield session

enterprise/tests/unit/services/test_automation_executor.py

@@ -0,0 +1,624 @@
+"""Tests for the automation executor.
+
+Uses real SQLite database operations for event processing, run claiming,
+and stale run recovery. HTTP calls to the V1 API are mocked.
+"""
+
+from datetime import datetime, timedelta
+from unittest.mock import AsyncMock, patch
+from uuid import uuid4
+
+import pytest
+from services.automation_executor import (
+    _mark_run_failed,
+    claim_and_execute_runs,
+    find_matching_automations,
+    is_terminal,
+    process_new_events,
+    recover_stale_runs,
+    utc_now,
+)
+from sqlalchemy import select
+from storage.automation import Automation, AutomationRun
+from storage.automation_event import AutomationEvent
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def make_automation(
+    automation_id: str = 'auto-1',
+    user_id: str = 'user-1',
+    enabled: bool = True,
+    trigger_type: str = 'cron',
+    name: str = 'Test Automation',
+) -> Automation:
+    return Automation(
+        id=automation_id,
+        user_id=user_id,
+        org_id='org-1',
+        name=name,
+        enabled=enabled,
+        config={'triggers': {'cron': {'schedule': '0 9 * * 5'}}},
+        trigger_type=trigger_type,
+        file_store_key=f'automations/{automation_id}/script.py',
+    )
+
+
+def make_event(
+    source_type: str = 'cron',
+    payload: dict | None = None,
+    status: str = 'NEW',
+    dedup_key: str | None = None,
+) -> AutomationEvent:
+    return AutomationEvent(
+        source_type=source_type,
+        payload=payload or {'automation_id': 'auto-1'},
+        dedup_key=dedup_key or f'dedup-{uuid4().hex[:8]}',
+        status=status,
+        created_at=utc_now(),
+    )
+
+
+def make_run(
+    run_id: str | None = None,
+    automation_id: str = 'auto-1',
+    status: str = 'PENDING',
+    claimed_by: str | None = None,
+    heartbeat_at: datetime | None = None,
+    retry_count: int = 0,
+    max_retries: int = 3,
+    next_retry_at: datetime | None = None,
+) -> AutomationRun:
+    return AutomationRun(
+        id=run_id or uuid4().hex,
+        automation_id=automation_id,
+        status=status,
+        claimed_by=claimed_by,
+        heartbeat_at=heartbeat_at,
+        retry_count=retry_count,
+        max_retries=max_retries,
+        next_retry_at=next_retry_at,
+        event_payload={'automation_id': automation_id},
+        created_at=utc_now(),
+    )
+
+
+# ---------------------------------------------------------------------------
+# find_matching_automations
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_find_matching_automations_cron_event(async_session):
+    """Cron events match by automation_id in payload."""
+    automation = make_automation()
+    async_session.add(automation)
+    await async_session.commit()
+
+    event = make_event(source_type='cron', payload={'automation_id': 'auto-1'})
+    async_session.add(event)
+    await async_session.commit()
+
+    result = await find_matching_automations(async_session, event)
+
+    assert len(result) == 1
+    assert result[0].id == 'auto-1'
+
+
+@pytest.mark.asyncio
+async def test_find_matching_automations_manual_event(async_session):
+    """Manual events also match by automation_id in payload."""
+    automation = make_automation()
+    async_session.add(automation)
+    await async_session.commit()
+
+    event = make_event(source_type='manual', payload={'automation_id': 'auto-1'})
+    async_session.add(event)
+    await async_session.commit()
+
+    result = await find_matching_automations(async_session, event)
+
+    assert len(result) == 1
+    assert result[0].id == 'auto-1'
+
+
+@pytest.mark.asyncio
+async def test_find_matching_automations_disabled_automation(async_session):
+    """Disabled automations are not matched."""
+    automation = make_automation(enabled=False)
+    async_session.add(automation)
+    await async_session.commit()
+
+    event = make_event(payload={'automation_id': 'auto-1'})
+    async_session.add(event)
+    await async_session.commit()
+
+    result = await find_matching_automations(async_session, event)
+
+    assert len(result) == 0
+
+
+@pytest.mark.asyncio
+async def test_find_matching_automations_missing_automation_id(async_session):
+    """Events without automation_id in payload return empty list."""
+    event = make_event(payload={'something_else': 'value'})
+    async_session.add(event)
+    await async_session.commit()
+
+    result = await find_matching_automations(async_session, event)
+
+    assert len(result) == 0
+
+
+@pytest.mark.asyncio
+async def test_find_matching_automations_nonexistent_automation(async_session):
+    """Events referencing a non-existent automation return empty list."""
+    event = make_event(payload={'automation_id': 'nonexistent'})
+    async_session.add(event)
+    await async_session.commit()
+
+    result = await find_matching_automations(async_session, event)
+
+    assert len(result) == 0
+
+
+@pytest.mark.asyncio
+async def test_find_matching_automations_unknown_source_type(async_session):
+    """Unknown source types return empty list."""
+    event = make_event(source_type='unknown', payload={'automation_id': 'auto-1'})
+    async_session.add(event)
+    await async_session.commit()
+
+    result = await find_matching_automations(async_session, event)
+
+    assert len(result) == 0
+
+
+# ---------------------------------------------------------------------------
+# process_new_events
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_process_new_events_creates_runs(async_session):
+    """Processing NEW events creates PENDING runs and marks events PROCESSED."""
+    automation = make_automation()
+    event = make_event(payload={'automation_id': 'auto-1'})
+    async_session.add_all([automation, event])
+    await async_session.commit()
+
+    count = await process_new_events(async_session)
+
+    assert count == 1
+
+    # Event should be PROCESSED
+    await async_session.refresh(event)
+    assert event.status == 'PROCESSED'
+    assert event.processed_at is not None
+
+    # A run should have been created
+    runs = (await async_session.execute(select(AutomationRun))).scalars().all()
+    assert len(runs) == 1
+    assert runs[0].automation_id == 'auto-1'
+    assert runs[0].status == 'PENDING'
+    assert runs[0].event_payload == {'automation_id': 'auto-1'}
+
+
+@pytest.mark.asyncio
+async def test_process_new_events_no_match(async_session):
+    """Events with no matching automation are marked NO_MATCH."""
+    event = make_event(payload={'automation_id': 'nonexistent'})
+    async_session.add(event)
+    await async_session.commit()
+
+    count = await process_new_events(async_session)
+
+    assert count == 1
+
+    await async_session.refresh(event)
+    assert event.status == 'NO_MATCH'
+    assert event.processed_at is not None
+
+    # No runs created
+    runs = (await async_session.execute(select(AutomationRun))).scalars().all()
+    assert len(runs) == 0
+
+
+@pytest.mark.asyncio
+async def test_process_new_events_skips_processed(async_session):
+    """Already processed events are not re-processed."""
+    event = make_event(status='PROCESSED')
+    async_session.add(event)
+    await async_session.commit()
+
+    count = await process_new_events(async_session)
+
+    assert count == 0
+
+
+@pytest.mark.asyncio
+async def test_process_new_events_multiple_events(async_session):
+    """Multiple NEW events are processed in one batch."""
+    auto1 = make_automation(automation_id='auto-1')
+    auto2 = make_automation(automation_id='auto-2', name='Auto 2')
+    event1 = make_event(payload={'automation_id': 'auto-1'}, dedup_key='dedup-1')
+    event2 = make_event(payload={'automation_id': 'auto-2'}, dedup_key='dedup-2')
+    event3 = make_event(payload={'automation_id': 'nonexistent'}, dedup_key='dedup-3')
+    async_session.add_all([auto1, auto2, event1, event2, event3])
+    await async_session.commit()
+
+    count = await process_new_events(async_session)
+
+    assert count == 3
+
+    # Two runs created (for auto-1 and auto-2), none for nonexistent
+    runs = (await async_session.execute(select(AutomationRun))).scalars().all()
+    assert len(runs) == 2
+
+    await async_session.refresh(event1)
+    await async_session.refresh(event2)
+    await async_session.refresh(event3)
+    assert event1.status == 'PROCESSED'
+    assert event2.status == 'PROCESSED'
+    assert event3.status == 'NO_MATCH'
+
+
+# ---------------------------------------------------------------------------
+# claim_and_execute_runs
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_claim_and_execute_runs_claims_pending(
+    async_session, async_session_factory
+):
+    """Claims a PENDING run and transitions to RUNNING."""
+    automation = make_automation()
+    run = make_run(run_id='run-1')
+    async_session.add_all([automation, run])
+    await async_session.commit()
+
+    api_client = AsyncMock()
+
+    with patch('services.automation_executor.execute_run', new_callable=AsyncMock):
+        claimed = await claim_and_execute_runs(
+            async_session, 'executor-test-1', api_client, async_session_factory
+        )
+
+    assert claimed is True
+
+    await async_session.refresh(run)
+    assert run.status == 'RUNNING'
+    assert run.claimed_by == 'executor-test-1'
+    assert run.claimed_at is not None
+    assert run.heartbeat_at is not None
+    assert run.started_at is not None
+
+
+@pytest.mark.asyncio
+async def test_claim_and_execute_runs_no_pending(async_session, async_session_factory):
+    """Returns False when no PENDING runs exist."""
+    api_client = AsyncMock()
+
+    claimed = await claim_and_execute_runs(
+        async_session, 'executor-test-1', api_client, async_session_factory
+    )
+
+    assert claimed is False
+
+
+@pytest.mark.asyncio
+async def test_claim_and_execute_runs_respects_next_retry_at(
+    async_session, async_session_factory
+):
+    """Runs with future next_retry_at are not claimed."""
+    automation = make_automation()
+    run = make_run(
+        run_id='run-retry',
+        next_retry_at=utc_now() + timedelta(hours=1),
+    )
+    async_session.add_all([automation, run])
+    await async_session.commit()
+
+    api_client = AsyncMock()
+
+    claimed = await claim_and_execute_runs(
+        async_session, 'executor-test-1', api_client, async_session_factory
+    )
+
+    assert claimed is False
+
+
+@pytest.mark.asyncio
+async def test_claim_and_execute_runs_past_retry_at(
+    async_session, async_session_factory
+):
+    """Runs with past next_retry_at are claimable."""
+    automation = make_automation()
+    run = make_run(
+        run_id='run-retry-past',
+        next_retry_at=utc_now() - timedelta(minutes=5),
+    )
+    async_session.add_all([automation, run])
+    await async_session.commit()
+
+    api_client = AsyncMock()
+
+    with patch('services.automation_executor.execute_run', new_callable=AsyncMock):
+        claimed = await claim_and_execute_runs(
+            async_session, 'executor-test-1', api_client, async_session_factory
+        )
+
+    assert claimed is True
+
+
+@pytest.mark.asyncio
+async def test_claim_skips_running_runs(async_session, async_session_factory):
+    """RUNNING runs are not claimed."""
+    automation = make_automation()
+    run = make_run(run_id='run-running', status='RUNNING', claimed_by='other-executor')
+    async_session.add_all([automation, run])
+    await async_session.commit()
+
+    api_client = AsyncMock()
+
+    claimed = await claim_and_execute_runs(
+        async_session, 'executor-test-1', api_client, async_session_factory
+    )
+
+    assert claimed is False
+
+
+# ---------------------------------------------------------------------------
+# recover_stale_runs
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_recover_stale_runs_recovers_stale(async_session):
+    """RUNNING runs with expired heartbeats are recovered to PENDING."""
+    automation = make_automation()
+    stale_run = make_run(
+        run_id='stale-1',
+        status='RUNNING',
+        claimed_by='crashed-executor',
+        heartbeat_at=utc_now() - timedelta(minutes=10),
+        retry_count=0,
+    )
+    async_session.add_all([automation, stale_run])
+    await async_session.commit()
+
+    count = await recover_stale_runs(async_session)
+
+    assert count >= 1
+
+    await async_session.refresh(stale_run)
+    assert stale_run.status == 'PENDING'
+    assert stale_run.claimed_by is None
+    assert stale_run.retry_count == 1
+    assert stale_run.next_retry_at is not None
+
+
+@pytest.mark.asyncio
+async def test_recover_stale_runs_ignores_fresh(async_session):
+    """RUNNING runs with recent heartbeats are not recovered."""
+    automation = make_automation()
+    fresh_run = make_run(
+        run_id='fresh-1',
+        status='RUNNING',
+        claimed_by='active-executor',
+        heartbeat_at=utc_now() - timedelta(seconds=30),
+    )
+    async_session.add_all([automation, fresh_run])
+    await async_session.commit()
+
+    count = await recover_stale_runs(async_session)
+
+    assert count == 0
+
+    await async_session.refresh(fresh_run)
+    assert fresh_run.status == 'RUNNING'
+    assert fresh_run.claimed_by == 'active-executor'
+
+
+@pytest.mark.asyncio
+async def test_recover_stale_runs_ignores_pending(async_session):
+    """PENDING runs are not affected by recovery."""
+    automation = make_automation()
+    pending_run = make_run(run_id='pending-1', status='PENDING')
+    async_session.add_all([automation, pending_run])
+    await async_session.commit()
+
+    count = await recover_stale_runs(async_session)
+
+    assert count == 0
+
+    await async_session.refresh(pending_run)
+    assert pending_run.status == 'PENDING'
+
+
+@pytest.mark.asyncio
+async def test_recover_stale_runs_increments_retry_count(async_session):
+    """Recovery increments the retry_count."""
+    automation = make_automation()
+    stale_run = make_run(
+        run_id='stale-retry',
+        status='RUNNING',
+        claimed_by='old-executor',
+        heartbeat_at=utc_now() - timedelta(minutes=10),
+        retry_count=2,
+    )
+    async_session.add_all([automation, stale_run])
+    await async_session.commit()
+
+    await recover_stale_runs(async_session)
+
+    await async_session.refresh(stale_run)
+    assert stale_run.retry_count == 3
+
+
+# ---------------------------------------------------------------------------
+# _mark_run_failed (error handling)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_mark_run_failed_retries(async_session_factory):
+    """Failed runs with retries left return to PENDING."""
+    async with async_session_factory() as session:
+        automation = make_automation()
+        run = make_run(run_id='fail-retry', retry_count=0, max_retries=3)
+        session.add_all([automation, run])
+        await session.commit()
+
+    async with async_session_factory() as session:
+        run_obj = await session.get(AutomationRun, 'fail-retry')
+        await _mark_run_failed(run_obj, 'API error', async_session_factory)
+
+    async with async_session_factory() as session:
+        run_obj = await session.get(AutomationRun, 'fail-retry')
+        assert run_obj.status == 'PENDING'
+        assert run_obj.retry_count == 1
+        assert run_obj.error_detail == 'API error'
+        assert run_obj.next_retry_at is not None
+        assert run_obj.claimed_by is None
+
+
+@pytest.mark.asyncio
+async def test_mark_run_failed_dead_letter(async_session_factory):
+    """Failed runs that exceed max_retries go to DEAD_LETTER."""
+    async with async_session_factory() as session:
+        automation = make_automation()
+        run = make_run(run_id='fail-dead', retry_count=2, max_retries=3)
+        session.add_all([automation, run])
+        await session.commit()
+
+    async with async_session_factory() as session:
+        run_obj = await session.get(AutomationRun, 'fail-dead')
+        await _mark_run_failed(run_obj, 'Final failure', async_session_factory)
+
+    async with async_session_factory() as session:
+        run_obj = await session.get(AutomationRun, 'fail-dead')
+        assert run_obj.status == 'DEAD_LETTER'
+        assert run_obj.retry_count == 3
+        assert run_obj.error_detail == 'Final failure'
+        assert run_obj.completed_at is not None
+
+
+# ---------------------------------------------------------------------------
+# is_terminal
+# ---------------------------------------------------------------------------
+
+
+def test_is_terminal_stopped():
+    assert is_terminal({'status': 'STOPPED'}) is True
+
+
+def test_is_terminal_error():
+    assert is_terminal({'status': 'ERROR'}) is True
+
+
+def test_is_terminal_completed():
+    assert is_terminal({'status': 'COMPLETED'}) is True
+
+
+def test_is_terminal_cancelled():
+    assert is_terminal({'status': 'CANCELLED'}) is True
+
+
+def test_is_terminal_running():
+    assert is_terminal({'status': 'RUNNING'}) is False
+
+
+def test_is_terminal_empty():
+    assert is_terminal({}) is False
+
+
+def test_is_terminal_case_insensitive():
+    assert is_terminal({'status': 'stopped'}) is True
+    assert is_terminal({'status': 'Completed'}) is True
+
+
+# ---------------------------------------------------------------------------
+# find_matching_automations — None payload
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_find_matching_automations_none_payload(async_session):
+    """Events with None payload return empty list (data corruption guard)."""
+    event = make_event(source_type='cron')
+    event.payload = None
+    async_session.add(event)
+    await async_session.commit()
+
+    result = await find_matching_automations(async_session, event)
+
+    assert result == []
+
+
+# ---------------------------------------------------------------------------
+# Integration: event → run creation → claim
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_integration_event_to_run_to_claim(
+    async_session_factory,
+):
+    """Full flow: create event + automation → process_new_events → claim_and_execute_runs.
+
+    Uses a real SQLite database; only the external API client is mocked.
+    """
+    # 1. Seed an automation and a NEW event
+    async with async_session_factory() as session:
+        automation = make_automation(automation_id='integ-auto')
+        event = make_event(
+            source_type='cron',
+            payload={'automation_id': 'integ-auto'},
+            dedup_key='integ-dedup',
+        )
+        session.add_all([automation, event])
+        await session.commit()
+        event_id = event.id
+
+    # 2. Process inbox — should match and create a PENDING run
+    async with async_session_factory() as session:
+        processed = await process_new_events(session)
+
+    assert processed == 1
+
+    # Verify event is PROCESSED and run was created
+    async with async_session_factory() as session:
+        evt = await session.get(AutomationEvent, event_id)
+        assert evt.status == 'PROCESSED'
+
+        runs = (await session.execute(select(AutomationRun))).scalars().all()
+        assert len(runs) == 1
+        run = runs[0]
+        assert run.automation_id == 'integ-auto'
+        assert run.status == 'PENDING'
+        assert run.event_payload == {'automation_id': 'integ-auto'}
+
+    # 3. Claim the run — mock execute_run to avoid real API calls
+    api_client = AsyncMock()
+
+    with patch('services.automation_executor.execute_run', new_callable=AsyncMock):
+        async with async_session_factory() as session:
+            claimed = await claim_and_execute_runs(
+                session, 'executor-integ', api_client, async_session_factory
+            )
+
+    assert claimed is True
+
+    # 4. Verify the run moved to RUNNING with correct executor
+    async with async_session_factory() as session:
+        runs = (await session.execute(select(AutomationRun))).scalars().all()
+        assert len(runs) == 1
+        run = runs[0]
+        assert run.status == 'RUNNING'
+        assert run.claimed_by == 'executor-integ'
+        assert run.started_at is not None
+        assert run.heartbeat_at is not None

enterprise/tests/unit/services/test_openhands_api_client.py

@@ -0,0 +1,185 @@
+"""Tests for OpenHandsAPIClient with mocked HTTP responses."""
+
+import base64
+
+import httpx
+import pytest
+from services.openhands_api_client import OpenHandsAPIClient
+
+
+@pytest.fixture
+def api_client():
+    client = OpenHandsAPIClient(base_url='http://test-server:3000')
+    yield client
+    # close handled in tests that need it
+
+
+# ---------------------------------------------------------------------------
+# start_conversation
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_start_conversation_sends_correct_request(api_client, respx_mock):
+    """start_conversation sends properly formatted POST with auth header."""
+    automation_file = b'print("hello")'
+    expected_b64 = base64.b64encode(automation_file).decode()
+
+    route = respx_mock.post('http://test-server:3000/api/v1/app-conversations').mock(
+        return_value=httpx.Response(
+            200,
+            json={
+                'app_conversation_id': 'conv-123',
+                'status': 'RUNNING',
+            },
+        )
+    )
+
+    result = await api_client.start_conversation(
+        api_key='sk-oh-test123',
+        automation_file=automation_file,
+        title='Test Automation',
+        event_payload={'automation_id': 'auto-1'},
+    )
+
+    assert route.called
+    request = route.calls[0].request
+
+    assert request.headers['Authorization'] == 'Bearer sk-oh-test123'
+
+    import json
+
+    body = json.loads(request.content)
+    assert body['automation_file'] == expected_b64
+    assert body['trigger'] == 'automation'
+    assert body['title'] == 'Test Automation'
+    assert body['event_payload'] == {'automation_id': 'auto-1'}
+
+    assert result == {'app_conversation_id': 'conv-123', 'status': 'RUNNING'}
+
+
+@pytest.mark.asyncio
+async def test_start_conversation_without_event_payload(api_client, respx_mock):
+    """start_conversation works with event_payload=None."""
+    respx_mock.post('http://test-server:3000/api/v1/app-conversations').mock(
+        return_value=httpx.Response(200, json={'app_conversation_id': 'conv-456'})
+    )
+
+    result = await api_client.start_conversation(
+        api_key='sk-oh-test',
+        automation_file=b'code',
+        title='Test',
+        event_payload=None,
+    )
+
+    assert result['app_conversation_id'] == 'conv-456'
+
+
+@pytest.mark.asyncio
+async def test_start_conversation_http_error(api_client, respx_mock):
+    """start_conversation raises on HTTP errors."""
+    respx_mock.post('http://test-server:3000/api/v1/app-conversations').mock(
+        return_value=httpx.Response(500, json={'error': 'Internal Server Error'})
+    )
+
+    with pytest.raises(httpx.HTTPStatusError) as exc_info:
+        await api_client.start_conversation(
+            api_key='sk-oh-test',
+            automation_file=b'code',
+            title='Test',
+        )
+
+    assert exc_info.value.response.status_code == 500
+
+
+@pytest.mark.asyncio
+async def test_start_conversation_auth_error(api_client, respx_mock):
+    """start_conversation raises on 401 Unauthorized."""
+    respx_mock.post('http://test-server:3000/api/v1/app-conversations').mock(
+        return_value=httpx.Response(401, json={'error': 'Unauthorized'})
+    )
+
+    with pytest.raises(httpx.HTTPStatusError) as exc_info:
+        await api_client.start_conversation(
+            api_key='bad-key',
+            automation_file=b'code',
+            title='Test',
+        )
+
+    assert exc_info.value.response.status_code == 401
+
+
+# ---------------------------------------------------------------------------
+# get_conversation
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_get_conversation_returns_data(api_client, respx_mock):
+    """get_conversation returns the first conversation from the list."""
+    respx_mock.get('http://test-server:3000/api/v1/app-conversations').mock(
+        return_value=httpx.Response(
+            200,
+            json=[
+                {
+                    'conversation_id': 'conv-123',
+                    'status': 'RUNNING',
+                    'title': 'My Automation',
+                }
+            ],
+        )
+    )
+
+    result = await api_client.get_conversation('sk-oh-test', 'conv-123')
+
+    assert result is not None
+    assert result['conversation_id'] == 'conv-123'
+    assert result['status'] == 'RUNNING'
+
+
+@pytest.mark.asyncio
+async def test_get_conversation_returns_none_when_empty(api_client, respx_mock):
+    """get_conversation returns None when API returns empty list."""
+    respx_mock.get('http://test-server:3000/api/v1/app-conversations').mock(
+        return_value=httpx.Response(200, json=[])
+    )
+
+    result = await api_client.get_conversation('sk-oh-test', 'nonexistent')
+
+    assert result is None
+
+
+@pytest.mark.asyncio
+async def test_get_conversation_sends_auth_header(api_client, respx_mock):
+    """get_conversation sends the correct authorization header."""
+    route = respx_mock.get('http://test-server:3000/api/v1/app-conversations').mock(
+        return_value=httpx.Response(200, json=[])
+    )
+
+    await api_client.get_conversation('sk-oh-mykey', 'conv-1')
+
+    assert route.called
+    request = route.calls[0].request
+    assert request.headers['Authorization'] == 'Bearer sk-oh-mykey'
+
+
+@pytest.mark.asyncio
+async def test_get_conversation_http_error(api_client, respx_mock):
+    """get_conversation raises on HTTP errors."""
+    respx_mock.get('http://test-server:3000/api/v1/app-conversations').mock(
+        return_value=httpx.Response(503, text='Service Unavailable')
+    )
+
+    with pytest.raises(httpx.HTTPStatusError):
+        await api_client.get_conversation('sk-oh-test', 'conv-1')
+
+
+# ---------------------------------------------------------------------------
+# close
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_close(api_client):
+    """close() shuts down the HTTP client without errors."""
+    await api_client.close()

enterprise/tests/unit/storage/test_api_key_store.py

@@ -1,314 +0,0 @@
-"""Unit tests for ApiKeyStore system key functionality."""
-
-import uuid
-from datetime import UTC, datetime, timedelta
-from unittest.mock import AsyncMock, MagicMock, patch
-
-import pytest
-from sqlalchemy import select
-from storage.api_key import ApiKey
-from storage.api_key_store import ApiKeyStore
-
-
-@pytest.fixture
-def api_key_store():
-    """Create ApiKeyStore instance."""
-    return ApiKeyStore()
-
-
-class TestApiKeyStoreSystemKeys:
-    """Test cases for system API key functionality."""
-
-    def test_is_system_key_name_with_prefix(self, api_key_store):
-        """Test that names with __SYSTEM__: prefix are identified as system keys."""
-        assert api_key_store.is_system_key_name('__SYSTEM__:automation') is True
-        assert api_key_store.is_system_key_name('__SYSTEM__:test-key') is True
-        assert api_key_store.is_system_key_name('__SYSTEM__:') is True
-
-    def test_is_system_key_name_without_prefix(self, api_key_store):
-        """Test that names without __SYSTEM__: prefix are not system keys."""
-        assert api_key_store.is_system_key_name('my-key') is False
-        assert api_key_store.is_system_key_name('automation') is False
-        assert api_key_store.is_system_key_name('MCP_API_KEY') is False
-        assert api_key_store.is_system_key_name('') is False
-
-    def test_is_system_key_name_none(self, api_key_store):
-        """Test that None is not a system key."""
-        assert api_key_store.is_system_key_name(None) is False
-
-    def test_make_system_key_name(self, api_key_store):
-        """Test system key name generation."""
-        assert (
-            api_key_store.make_system_key_name('automation') == '__SYSTEM__:automation'
-        )
-        assert api_key_store.make_system_key_name('test-key') == '__SYSTEM__:test-key'
-
-    @pytest.mark.asyncio
-    async def test_get_or_create_system_api_key_creates_new(
-        self, api_key_store, async_session_maker
-    ):
-        """Test creating a new system API key when none exists."""
-        user_id = '5594c7b6-f959-4b81-92e9-b09c206f5081'
-        org_id = uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-        key_name = 'automation'
-
-        with patch('storage.api_key_store.a_session_maker', async_session_maker):
-            api_key = await api_key_store.get_or_create_system_api_key(
-                user_id=user_id,
-                org_id=org_id,
-                name=key_name,
-            )
-
-        assert api_key.startswith('sk-oh-')
-        assert len(api_key) == len('sk-oh-') + 32
-
-        # Verify the key was created in the database
-        async with async_session_maker() as session:
-            result = await session.execute(select(ApiKey).filter(ApiKey.key == api_key))
-            key_record = result.scalars().first()
-            assert key_record is not None
-            assert key_record.user_id == user_id
-            assert key_record.org_id == org_id
-            assert key_record.name == '__SYSTEM__:automation'
-            assert key_record.expires_at is None  # System keys never expire
-
-    @pytest.mark.asyncio
-    async def test_get_or_create_system_api_key_returns_existing(
-        self, api_key_store, async_session_maker
-    ):
-        """Test that existing valid system key is returned."""
-        user_id = '5594c7b6-f959-4b81-92e9-b09c206f5081'
-        org_id = uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-        key_name = 'automation'
-
-        with patch('storage.api_key_store.a_session_maker', async_session_maker):
-            # Create the first key
-            first_key = await api_key_store.get_or_create_system_api_key(
-                user_id=user_id,
-                org_id=org_id,
-                name=key_name,
-            )
-
-            # Request again - should return the same key
-            second_key = await api_key_store.get_or_create_system_api_key(
-                user_id=user_id,
-                org_id=org_id,
-                name=key_name,
-            )
-
-        assert first_key == second_key
-
-    @pytest.mark.asyncio
-    async def test_get_or_create_system_api_key_different_names(
-        self, api_key_store, async_session_maker
-    ):
-        """Test that different names create different keys."""
-        user_id = '5594c7b6-f959-4b81-92e9-b09c206f5081'
-        org_id = uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-
-        with patch('storage.api_key_store.a_session_maker', async_session_maker):
-            key1 = await api_key_store.get_or_create_system_api_key(
-                user_id=user_id,
-                org_id=org_id,
-                name='automation-1',
-            )
-
-            key2 = await api_key_store.get_or_create_system_api_key(
-                user_id=user_id,
-                org_id=org_id,
-                name='automation-2',
-            )
-
-        assert key1 != key2
-
-    @pytest.mark.asyncio
-    async def test_get_or_create_system_api_key_reissues_expired(
-        self, api_key_store, async_session_maker
-    ):
-        """Test that expired system key is replaced with a new one."""
-        user_id = '5594c7b6-f959-4b81-92e9-b09c206f5081'
-        org_id = uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-        key_name = 'automation'
-        system_key_name = '__SYSTEM__:automation'
-
-        # First, manually create an expired key
-        expired_time = datetime.now(UTC) - timedelta(hours=1)
-        async with async_session_maker() as session:
-            expired_key = ApiKey(
-                key='sk-oh-expired-key-12345678901234567890',
-                user_id=user_id,
-                org_id=org_id,
-                name=system_key_name,
-                expires_at=expired_time.replace(tzinfo=None),
-            )
-            session.add(expired_key)
-            await session.commit()
-
-        with patch('storage.api_key_store.a_session_maker', async_session_maker):
-            # Request the key - should create a new one
-            new_key = await api_key_store.get_or_create_system_api_key(
-                user_id=user_id,
-                org_id=org_id,
-                name=key_name,
-            )
-
-        assert new_key != 'sk-oh-expired-key-12345678901234567890'
-        assert new_key.startswith('sk-oh-')
-
-        # Verify old key was deleted and new key exists
-        async with async_session_maker() as session:
-            result = await session.execute(
-                select(ApiKey).filter(ApiKey.name == system_key_name)
-            )
-            keys = result.scalars().all()
-            assert len(keys) == 1
-            assert keys[0].key == new_key
-            assert keys[0].expires_at is None
-
-    @pytest.mark.asyncio
-    async def test_list_api_keys_excludes_system_keys(
-        self, api_key_store, async_session_maker
-    ):
-        """Test that list_api_keys excludes system keys."""
-        user_id = '5594c7b6-f959-4b81-92e9-b09c206f5081'
-        org_id = uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-
-        # Create a user key and a system key
-        async with async_session_maker() as session:
-            user_key = ApiKey(
-                key='sk-oh-user-key-123456789012345678901',
-                user_id=user_id,
-                org_id=org_id,
-                name='my-user-key',
-            )
-            system_key = ApiKey(
-                key='sk-oh-system-key-12345678901234567890',
-                user_id=user_id,
-                org_id=org_id,
-                name='__SYSTEM__:automation',
-            )
-            mcp_key = ApiKey(
-                key='sk-oh-mcp-key-1234567890123456789012',
-                user_id=user_id,
-                org_id=org_id,
-                name='MCP_API_KEY',
-            )
-            session.add(user_key)
-            session.add(system_key)
-            session.add(mcp_key)
-            await session.commit()
-
-        # Mock UserStore.get_user_by_id to return a user with the correct org
-        mock_user = MagicMock()
-        mock_user.current_org_id = org_id
-
-        with patch('storage.api_key_store.a_session_maker', async_session_maker):
-            with patch(
-                'storage.api_key_store.UserStore.get_user_by_id', new_callable=AsyncMock
-            ) as mock_get_user:
-                mock_get_user.return_value = mock_user
-                keys = await api_key_store.list_api_keys(user_id)
-
-        # Should only return the user key
-        assert len(keys) == 1
-        assert keys[0].name == 'my-user-key'
-
-    @pytest.mark.asyncio
-    async def test_delete_api_key_by_id_protects_system_keys(
-        self, api_key_store, async_session_maker
-    ):
-        """Test that system keys cannot be deleted by users."""
-        user_id = '5594c7b6-f959-4b81-92e9-b09c206f5081'
-        org_id = uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-
-        # Create a system key
-        async with async_session_maker() as session:
-            system_key = ApiKey(
-                key='sk-oh-system-key-12345678901234567890',
-                user_id=user_id,
-                org_id=org_id,
-                name='__SYSTEM__:automation',
-            )
-            session.add(system_key)
-            await session.commit()
-            key_id = system_key.id
-
-        with patch('storage.api_key_store.a_session_maker', async_session_maker):
-            # Attempt to delete without allow_system flag
-            result = await api_key_store.delete_api_key_by_id(
-                key_id, allow_system=False
-            )
-
-        assert result is False
-
-        # Verify the key still exists
-        async with async_session_maker() as session:
-            result = await session.execute(select(ApiKey).filter(ApiKey.id == key_id))
-            key_record = result.scalars().first()
-            assert key_record is not None
-
-    @pytest.mark.asyncio
-    async def test_delete_api_key_by_id_allows_system_with_flag(
-        self, api_key_store, async_session_maker
-    ):
-        """Test that system keys can be deleted with allow_system=True."""
-        user_id = '5594c7b6-f959-4b81-92e9-b09c206f5081'
-        org_id = uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-
-        # Create a system key
-        async with async_session_maker() as session:
-            system_key = ApiKey(
-                key='sk-oh-system-key-12345678901234567890',
-                user_id=user_id,
-                org_id=org_id,
-                name='__SYSTEM__:automation',
-            )
-            session.add(system_key)
-            await session.commit()
-            key_id = system_key.id
-
-        with patch('storage.api_key_store.a_session_maker', async_session_maker):
-            # Delete with allow_system=True
-            result = await api_key_store.delete_api_key_by_id(key_id, allow_system=True)
-
-        assert result is True
-
-        # Verify the key was deleted
-        async with async_session_maker() as session:
-            result = await session.execute(select(ApiKey).filter(ApiKey.id == key_id))
-            key_record = result.scalars().first()
-            assert key_record is None
-
-    @pytest.mark.asyncio
-    async def test_delete_api_key_by_id_allows_regular_keys(
-        self, api_key_store, async_session_maker
-    ):
-        """Test that regular keys can be deleted normally."""
-        user_id = '5594c7b6-f959-4b81-92e9-b09c206f5081'
-        org_id = uuid.UUID('5594c7b6-f959-4b81-92e9-b09c206f5081')
-
-        # Create a regular key
-        async with async_session_maker() as session:
-            regular_key = ApiKey(
-                key='sk-oh-regular-key-1234567890123456789',
-                user_id=user_id,
-                org_id=org_id,
-                name='my-regular-key',
-            )
-            session.add(regular_key)
-            await session.commit()
-            key_id = regular_key.id
-
-        with patch('storage.api_key_store.a_session_maker', async_session_maker):
-            # Delete without allow_system flag - should work for regular keys
-            result = await api_key_store.delete_api_key_by_id(
-                key_id, allow_system=False
-            )
-
-        assert result is True
-
-        # Verify the key was deleted
-        async with async_session_maker() as session:
-            result = await session.execute(select(ApiKey).filter(ApiKey.id == key_id))
-            key_record = result.scalars().first()
-            assert key_record is None

enterprise/tests/unit/storage/test_saas_sql_app_conversation_info_service.py

@@ -10,9 +10,6 @@ from unittest.mock import AsyncMock, MagicMock
 from uuid import UUID, uuid4
 
 import pytest
-from server.utils.saas_app_conversation_info_injector import (
-    SaasSQLAppConversationInfoService,
-)
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
 from sqlalchemy.pool import StaticPool
@@ -20,6 +17,9 @@ from storage.base import Base
 from storage.org import Org
 from storage.user import User
 
+from enterprise.server.utils.saas_app_conversation_info_injector import (
+    SaasSQLAppConversationInfoService,
+)
 from openhands.app_server.app_conversation.app_conversation_models import (
     AppConversationInfo,
 )
@@ -663,330 +663,3 @@ class TestSaasSQLAppConversationInfoServiceAdminContext:
 
         admin_page = await admin_service.search_app_conversation_info()
         assert len(admin_page.items) == 5
-
-
-class TestSaasSQLAppConversationInfoServiceWebhookFallback:
-    """Test suite for webhook callback fallback using info.created_by_user_id."""
-
-    @pytest.mark.asyncio
-    async def test_save_with_admin_context_uses_created_by_user_id_fallback(
-        self,
-        async_session_with_users: AsyncSession,
-    ):
-        """Test that save_app_conversation_info uses info.created_by_user_id when user_context returns None.
-
-        This is the key fix for SDK-created conversations: when the webhook endpoint
-        uses ADMIN context (user_id=None), the service should fall back to using
-        the created_by_user_id from the AppConversationInfo object.
-        """
-        from storage.stored_conversation_metadata_saas import (
-            StoredConversationMetadataSaas,
-        )
-
-        from openhands.app_server.user.specifiy_user_context import ADMIN
-
-        # Arrange: Create service with ADMIN context (user_id=None)
-        admin_service = SaasSQLAppConversationInfoService(
-            db_session=async_session_with_users,
-            user_context=ADMIN,
-        )
-
-        # Create conversation info with created_by_user_id set (as would come from sandbox_info)
-        conv_id = uuid4()
-        conv_info = AppConversationInfo(
-            id=conv_id,
-            created_by_user_id=str(USER1_ID),  # This should be used as fallback
-            sandbox_id='sandbox_webhook_test',
-            title='Webhook Created Conversation',
-        )
-
-        # Act: Save using ADMIN context
-        await admin_service.save_app_conversation_info(conv_info)
-
-        # Assert: SAAS metadata should be created with user_id from info.created_by_user_id
-        saas_query = select(StoredConversationMetadataSaas).where(
-            StoredConversationMetadataSaas.conversation_id == str(conv_id)
-        )
-        result = await async_session_with_users.execute(saas_query)
-        saas_metadata = result.scalar_one_or_none()
-
-        assert saas_metadata is not None, 'SAAS metadata should be created'
-        assert (
-            saas_metadata.user_id == USER1_ID
-        ), 'user_id should match info.created_by_user_id'
-        assert saas_metadata.org_id == ORG1_ID, 'org_id should match user current org'
-
-    @pytest.mark.asyncio
-    async def test_save_with_admin_context_no_user_id_skips_saas_metadata(
-        self,
-        async_session_with_users: AsyncSession,
-    ):
-        """Test that save_app_conversation_info skips SAAS metadata when both user_context and info have no user_id."""
-        from storage.stored_conversation_metadata_saas import (
-            StoredConversationMetadataSaas,
-        )
-
-        from openhands.app_server.user.specifiy_user_context import ADMIN
-
-        # Arrange: Create service with ADMIN context (user_id=None)
-        admin_service = SaasSQLAppConversationInfoService(
-            db_session=async_session_with_users,
-            user_context=ADMIN,
-        )
-
-        # Create conversation info without created_by_user_id
-        conv_id = uuid4()
-        conv_info = AppConversationInfo(
-            id=conv_id,
-            created_by_user_id=None,  # No user_id available
-            sandbox_id='sandbox_no_user',
-            title='No User Conversation',
-        )
-
-        # Act: Save using ADMIN context with no user_id fallback
-        await admin_service.save_app_conversation_info(conv_info)
-
-        # Assert: SAAS metadata should NOT be created
-        saas_query = select(StoredConversationMetadataSaas).where(
-            StoredConversationMetadataSaas.conversation_id == str(conv_id)
-        )
-        result = await async_session_with_users.execute(saas_query)
-        saas_metadata = result.scalar_one_or_none()
-
-        assert (
-            saas_metadata is None
-        ), 'SAAS metadata should not be created without user_id'
-
-    @pytest.mark.asyncio
-    async def test_webhook_created_conversation_visible_to_user(
-        self,
-        async_session_with_users: AsyncSession,
-    ):
-        """Test end-to-end: conversation saved via webhook is visible to the owning user."""
-        from openhands.app_server.user.specifiy_user_context import ADMIN
-
-        # Arrange: Save conversation using ADMIN context (simulating webhook)
-        admin_service = SaasSQLAppConversationInfoService(
-            db_session=async_session_with_users,
-            user_context=ADMIN,
-        )
-
-        conv_id = uuid4()
-        conv_info = AppConversationInfo(
-            id=conv_id,
-            created_by_user_id=str(USER1_ID),
-            sandbox_id='sandbox_webhook_e2e',
-            title='E2E Webhook Conversation',
-        )
-        await admin_service.save_app_conversation_info(conv_info)
-
-        # Act: Query as the owning user
-        user1_service = SaasSQLAppConversationInfoService(
-            db_session=async_session_with_users,
-            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
-        )
-        user1_page = await user1_service.search_app_conversation_info()
-
-        # Assert: User should see the webhook-created conversation
-        assert len(user1_page.items) == 1
-        assert user1_page.items[0].id == conv_id
-        assert user1_page.items[0].title == 'E2E Webhook Conversation'
-
-
-class TestSandboxIdFilterSaas:
-    """Test suite for sandbox_id__eq filter parameter in SAAS service."""
-
-    @pytest.mark.asyncio
-    async def test_search_by_sandbox_id(
-        self,
-        async_session_with_users: AsyncSession,
-    ):
-        """Test searching conversations by exact sandbox_id match with SAAS user filtering."""
-        # Create service for user1
-        user1_service = SaasSQLAppConversationInfoService(
-            db_session=async_session_with_users,
-            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
-        )
-
-        # Create conversations with different sandbox IDs for user1
-        conv1 = AppConversationInfo(
-            id=uuid4(),
-            created_by_user_id=str(USER1_ID),
-            sandbox_id='sandbox_alpha',
-            title='Conversation Alpha',
-            created_at=datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
-            updated_at=datetime(2024, 1, 1, 12, 30, 0, tzinfo=timezone.utc),
-        )
-        conv2 = AppConversationInfo(
-            id=uuid4(),
-            created_by_user_id=str(USER1_ID),
-            sandbox_id='sandbox_beta',
-            title='Conversation Beta',
-            created_at=datetime(2024, 1, 1, 13, 0, 0, tzinfo=timezone.utc),
-            updated_at=datetime(2024, 1, 1, 13, 30, 0, tzinfo=timezone.utc),
-        )
-        conv3 = AppConversationInfo(
-            id=uuid4(),
-            created_by_user_id=str(USER1_ID),
-            sandbox_id='sandbox_alpha',
-            title='Conversation Gamma',
-            created_at=datetime(2024, 1, 1, 14, 0, 0, tzinfo=timezone.utc),
-            updated_at=datetime(2024, 1, 1, 14, 30, 0, tzinfo=timezone.utc),
-        )
-
-        # Save all conversations
-        await user1_service.save_app_conversation_info(conv1)
-        await user1_service.save_app_conversation_info(conv2)
-        await user1_service.save_app_conversation_info(conv3)
-
-        # Search for sandbox_alpha - should return 2 conversations
-        page = await user1_service.search_app_conversation_info(
-            sandbox_id__eq='sandbox_alpha'
-        )
-        assert len(page.items) == 2
-        sandbox_ids = {item.sandbox_id for item in page.items}
-        assert sandbox_ids == {'sandbox_alpha'}
-        conversation_ids = {item.id for item in page.items}
-        assert conv1.id in conversation_ids
-        assert conv3.id in conversation_ids
-
-        # Search for sandbox_beta - should return 1 conversation
-        page = await user1_service.search_app_conversation_info(
-            sandbox_id__eq='sandbox_beta'
-        )
-        assert len(page.items) == 1
-        assert page.items[0].id == conv2.id
-
-        # Search for non-existent sandbox - should return 0 conversations
-        page = await user1_service.search_app_conversation_info(
-            sandbox_id__eq='sandbox_nonexistent'
-        )
-        assert len(page.items) == 0
-
-    @pytest.mark.asyncio
-    async def test_count_by_sandbox_id(
-        self,
-        async_session_with_users: AsyncSession,
-    ):
-        """Test counting conversations by exact sandbox_id match with SAAS user filtering."""
-        # Create service for user1
-        user1_service = SaasSQLAppConversationInfoService(
-            db_session=async_session_with_users,
-            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
-        )
-
-        # Create conversations with different sandbox IDs
-        conv1 = AppConversationInfo(
-            id=uuid4(),
-            created_by_user_id=str(USER1_ID),
-            sandbox_id='sandbox_x',
-            title='Conversation X1',
-            created_at=datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
-            updated_at=datetime(2024, 1, 1, 12, 30, 0, tzinfo=timezone.utc),
-        )
-        conv2 = AppConversationInfo(
-            id=uuid4(),
-            created_by_user_id=str(USER1_ID),
-            sandbox_id='sandbox_y',
-            title='Conversation Y1',
-            created_at=datetime(2024, 1, 1, 13, 0, 0, tzinfo=timezone.utc),
-            updated_at=datetime(2024, 1, 1, 13, 30, 0, tzinfo=timezone.utc),
-        )
-        conv3 = AppConversationInfo(
-            id=uuid4(),
-            created_by_user_id=str(USER1_ID),
-            sandbox_id='sandbox_x',
-            title='Conversation X2',
-            created_at=datetime(2024, 1, 1, 14, 0, 0, tzinfo=timezone.utc),
-            updated_at=datetime(2024, 1, 1, 14, 30, 0, tzinfo=timezone.utc),
-        )
-
-        # Save all conversations
-        await user1_service.save_app_conversation_info(conv1)
-        await user1_service.save_app_conversation_info(conv2)
-        await user1_service.save_app_conversation_info(conv3)
-
-        # Count for sandbox_x - should be 2
-        count = await user1_service.count_app_conversation_info(
-            sandbox_id__eq='sandbox_x'
-        )
-        assert count == 2
-
-        # Count for sandbox_y - should be 1
-        count = await user1_service.count_app_conversation_info(
-            sandbox_id__eq='sandbox_y'
-        )
-        assert count == 1
-
-        # Count for non-existent sandbox - should be 0
-        count = await user1_service.count_app_conversation_info(
-            sandbox_id__eq='sandbox_nonexistent'
-        )
-        assert count == 0
-
-    @pytest.mark.asyncio
-    async def test_sandbox_id_filter_respects_user_isolation(
-        self,
-        async_session_with_users: AsyncSession,
-    ):
-        """Test that sandbox_id filter respects user isolation in SAAS environment."""
-        # Create services for both users
-        user1_service = SaasSQLAppConversationInfoService(
-            db_session=async_session_with_users,
-            user_context=SpecifyUserContext(user_id=str(USER1_ID)),
-        )
-        user2_service = SaasSQLAppConversationInfoService(
-            db_session=async_session_with_users,
-            user_context=SpecifyUserContext(user_id=str(USER2_ID)),
-        )
-
-        # Create conversation with same sandbox_id for both users
-        shared_sandbox_id = 'sandbox_shared'
-
-        conv_user1 = AppConversationInfo(
-            id=uuid4(),
-            created_by_user_id=str(USER1_ID),
-            sandbox_id=shared_sandbox_id,
-            title='User1 Conversation',
-            created_at=datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
-            updated_at=datetime(2024, 1, 1, 12, 30, 0, tzinfo=timezone.utc),
-        )
-        conv_user2 = AppConversationInfo(
-            id=uuid4(),
-            created_by_user_id=str(USER2_ID),
-            sandbox_id=shared_sandbox_id,
-            title='User2 Conversation',
-            created_at=datetime(2024, 1, 1, 13, 0, 0, tzinfo=timezone.utc),
-            updated_at=datetime(2024, 1, 1, 13, 30, 0, tzinfo=timezone.utc),
-        )
-
-        # Save conversations
-        await user1_service.save_app_conversation_info(conv_user1)
-        await user2_service.save_app_conversation_info(conv_user2)
-
-        # User1 should only see their own conversation with this sandbox_id
-        page = await user1_service.search_app_conversation_info(
-            sandbox_id__eq=shared_sandbox_id
-        )
-        assert len(page.items) == 1
-        assert page.items[0].id == conv_user1.id
-        assert page.items[0].title == 'User1 Conversation'
-
-        # User2 should only see their own conversation with this sandbox_id
-        page = await user2_service.search_app_conversation_info(
-            sandbox_id__eq=shared_sandbox_id
-        )
-        assert len(page.items) == 1
-        assert page.items[0].id == conv_user2.id
-        assert page.items[0].title == 'User2 Conversation'
-
-        # Count should also respect user isolation
-        count = await user1_service.count_app_conversation_info(
-            sandbox_id__eq=shared_sandbox_id
-        )
-        assert count == 1
-
-        count = await user2_service.count_app_conversation_info(
-            sandbox_id__eq=shared_sandbox_id
-        )
-        assert count == 1

enterprise/tests/unit/storage/test_slack_conversation_store.py

@@ -1,75 +0,0 @@
-"""Unit tests for SlackConversationStore."""
-
-from unittest.mock import patch
-
-import pytest
-from sqlalchemy import select
-from storage.slack_conversation import SlackConversation
-from storage.slack_conversation_store import SlackConversationStore
-
-
-@pytest.fixture
-def slack_conversation_store():
-    """Create SlackConversationStore instance."""
-    return SlackConversationStore()
-
-
-class TestSlackConversationStore:
-    """Test cases for SlackConversationStore."""
-
-    @pytest.mark.asyncio
-    async def test_create_slack_conversation_persists_to_database(
-        self, slack_conversation_store, async_session_maker
-    ):
-        """Test that create_slack_conversation actually stores data in the database.
-
-        This test verifies that the await statement is present before session.merge().
-        Without the await, the data won't be persisted and subsequent lookups will
-        return None even though we just created the conversation.
-        """
-        channel_id = 'C123456'
-        parent_id = '1234567890.123456'
-        conversation_id = 'conv-test-123'
-        keycloak_user_id = 'user-123'
-
-        slack_conversation = SlackConversation(
-            conversation_id=conversation_id,
-            channel_id=channel_id,
-            keycloak_user_id=keycloak_user_id,
-            parent_id=parent_id,
-        )
-
-        with patch(
-            'storage.slack_conversation_store.a_session_maker', async_session_maker
-        ):
-            # Create the slack conversation
-            await slack_conversation_store.create_slack_conversation(slack_conversation)
-
-            # Verify we can retrieve the conversation using the store method
-            result = await slack_conversation_store.get_slack_conversation(
-                channel_id=channel_id,
-                parent_id=parent_id,
-            )
-
-        # This assertion would fail if the await was missing before session.merge()
-        # because the data wouldn't be persisted to the database
-        assert result is not None, (
-            'Slack conversation was not persisted to the database. '
-            'Ensure await is used before session.merge() in create_slack_conversation.'
-        )
-        assert result.conversation_id == conversation_id
-        assert result.channel_id == channel_id
-        assert result.parent_id == parent_id
-        assert result.keycloak_user_id == keycloak_user_id
-
-        # Also verify directly in the database
-        async with async_session_maker() as session:
-            db_result = await session.execute(
-                select(SlackConversation).where(
-                    SlackConversation.channel_id == channel_id,
-                    SlackConversation.parent_id == parent_id,
-                )
-            )
-            db_conversation = db_result.scalar_one_or_none()
-            assert db_conversation is not None
-            assert db_conversation.conversation_id == conversation_id

enterprise/tests/unit/test_api_key_store.py

@@ -5,7 +5,7 @@ from unittest.mock import AsyncMock, MagicMock, patch
 import pytest
 from sqlalchemy import select
 from storage.api_key import ApiKey
-from storage.api_key_store import ApiKeyStore, ApiKeyValidationResult
+from storage.api_key_store import ApiKeyStore
 
 
 @pytest.fixture
@@ -110,8 +110,8 @@ async def test_create_api_key(
 
 @pytest.mark.asyncio
 async def test_validate_api_key_valid(api_key_store, async_session_maker):
-    """Test validating a valid API key returns user_id and org_id."""
-    # Arrange
+    """Test validating a valid API key."""
+    # Setup - create an API key in the database
     user_id = str(uuid.uuid4())
     org_id = uuid.uuid4()
     api_key_value = 'test-api-key'
@@ -126,19 +126,13 @@ async def test_validate_api_key_valid(api_key_store, async_session_maker):
         )
         session.add(key_record)
         await session.commit()
-        key_id = key_record.id
 
-    # Act
+    # Execute - patch a_session_maker to use test's async session maker
     with patch('storage.api_key_store.a_session_maker', async_session_maker):
         result = await api_key_store.validate_api_key(api_key_value)
 
-    # Assert
-    assert isinstance(result, ApiKeyValidationResult)
-    assert result is not None
-    assert result.user_id == user_id
-    assert result.org_id == org_id
-    assert result.key_id == key_id
-    assert result.key_name == 'Test Key'
+    # Verify
+    assert result == user_id
 
 
 @pytest.mark.asyncio
@@ -203,7 +197,7 @@ async def test_validate_api_key_valid_timezone_naive(
     api_key_store, async_session_maker
 ):
     """Test validating a valid API key with timezone-naive datetime from database."""
-    # Arrange
+    # Setup - create a valid API key with timezone-naive datetime (future date)
     user_id = str(uuid.uuid4())
     org_id = uuid.uuid4()
     api_key_value = 'test-valid-naive-key'
@@ -220,44 +214,12 @@ async def test_validate_api_key_valid_timezone_naive(
         session.add(key_record)
         await session.commit()
 
-    # Act
+    # Execute - patch a_session_maker to use test's async session maker
     with patch('storage.api_key_store.a_session_maker', async_session_maker):
         result = await api_key_store.validate_api_key(api_key_value)
 
-    # Assert
-    assert isinstance(result, ApiKeyValidationResult)
-    assert result.user_id == user_id
-    assert result.org_id == org_id
-
-
-@pytest.mark.asyncio
-async def test_validate_api_key_legacy_without_org_id(
-    api_key_store, async_session_maker
-):
-    """Test validating a legacy API key without org_id returns None for org_id."""
-    # Arrange
-    user_id = str(uuid.uuid4())
-    api_key_value = 'test-legacy-key-no-org'
-
-    async with async_session_maker() as session:
-        key_record = ApiKey(
-            key=api_key_value,
-            user_id=user_id,
-            org_id=None,  # Legacy key without org binding
-            name='Legacy Key',
-        )
-        session.add(key_record)
-        await session.commit()
-
-    # Act
-    with patch('storage.api_key_store.a_session_maker', async_session_maker):
-        result = await api_key_store.validate_api_key(api_key_value)
-
-    # Assert
-    assert isinstance(result, ApiKeyValidationResult)
-    assert result is not None
-    assert result.user_id == user_id
-    assert result.org_id is None
+    # Verify
+    assert result == user_id
 
 
 @pytest.mark.asyncio

enterprise/tests/unit/test_auth_routes.py

@@ -11,6 +11,7 @@ from server.auth.auth_error import AuthError
 from server.auth.saas_user_auth import SaasUserAuth
 from server.auth.user.user_authorizer import UserAuthorizationResponse, UserAuthorizer
 from server.routes.auth import (
+    _extract_recaptcha_state,
     accept_tos,
     authenticate,
     keycloak_callback,
@@ -54,12 +55,11 @@ def mock_response():
 def test_set_response_cookie(mock_response, mock_request):
     """Test setting the auth cookie on a response."""
 
-    with (
-        patch('server.routes.auth.config') as mock_config,
-        patch('server.utils.url_utils.get_global_config') as get_global_config,
-    ):
+    with patch('server.routes.auth.config') as mock_config:
         mock_config.jwt_secret.get_secret_value.return_value = 'test_secret'
-        get_global_config.return_value = MagicMock(web_url='https://example.com')
+
+        # Configure mock_request.url.hostname
+        mock_request.url.hostname = 'example.com'
 
         set_response_cookie(
             request=mock_request,
@@ -1036,6 +1036,79 @@ async def test_keycloak_callback_no_email_in_user_info(
         mock_token_manager.check_duplicate_base_email.assert_not_called()
 
 
+class TestExtractRecaptchaState:
+    """Tests for _extract_recaptcha_state() helper function."""
+
+    def test_should_extract_redirect_url_and_token_from_new_json_format(self):
+        """Test extraction from new base64-encoded JSON format."""
+        # Arrange
+        state_data = {
+            'redirect_url': 'https://example.com',
+            'recaptcha_token': 'test-token',
+        }
+        encoded_state = base64.urlsafe_b64encode(
+            json.dumps(state_data).encode()
+        ).decode()
+
+        # Act
+        redirect_url, token = _extract_recaptcha_state(encoded_state)
+
+        # Assert
+        assert redirect_url == 'https://example.com'
+        assert token == 'test-token'
+
+    def test_should_handle_old_format_plain_redirect_url(self):
+        """Test handling of old format (plain redirect URL string)."""
+        # Arrange
+        state = 'https://example.com'
+
+        # Act
+        redirect_url, token = _extract_recaptcha_state(state)
+
+        # Assert
+        assert redirect_url == 'https://example.com'
+        assert token is None
+
+    def test_should_handle_none_state(self):
+        """Test handling of None state."""
+        # Arrange
+        state = None
+
+        # Act
+        redirect_url, token = _extract_recaptcha_state(state)
+
+        # Assert
+        assert redirect_url == ''
+        assert token is None
+
+    def test_should_handle_invalid_base64_gracefully(self):
+        """Test handling of invalid base64/JSON (fallback to old format)."""
+        # Arrange
+        state = 'not-valid-base64!!!'
+
+        # Act
+        redirect_url, token = _extract_recaptcha_state(state)
+
+        # Assert
+        assert redirect_url == state
+        assert token is None
+
+    def test_should_handle_missing_redirect_url_in_json(self):
+        """Test handling when redirect_url is missing in JSON."""
+        # Arrange
+        state_data = {'recaptcha_token': 'test-token'}
+        encoded_state = base64.urlsafe_b64encode(
+            json.dumps(state_data).encode()
+        ).decode()
+
+        # Act
+        redirect_url, token = _extract_recaptcha_state(encoded_state)
+
+        # Assert
+        assert redirect_url == ''
+        assert token == 'test-token'
+
+
 class TestKeycloakCallbackRecaptcha:
     """Tests for reCAPTCHA integration in keycloak_callback()."""
 

enterprise/tests/unit/test_authorization.py

@@ -13,7 +13,6 @@ from server.auth.authorization import (
     ROLE_PERMISSIONS,
     Permission,
     RoleName,
-    get_api_key_org_id_from_request,
     get_role_permissions,
     get_user_org_role,
     has_permission,
@@ -445,15 +444,6 @@ class TestGetUserOrgRole:
 # =============================================================================
 
 
-def _create_mock_request(api_key_org_id=None):
-    """Helper to create a mock request with optional api_key_org_id."""
-    mock_request = MagicMock()
-    mock_user_auth = MagicMock()
-    mock_user_auth.get_api_key_org_id.return_value = api_key_org_id
-    mock_request.state.user_auth = mock_user_auth
-    return mock_request
-
-
 class TestRequirePermission:
     """Tests for require_permission dependency factory."""
 
@@ -466,7 +456,6 @@ class TestRequirePermission:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'admin'
@@ -476,9 +465,7 @@ class TestRequirePermission:
             AsyncMock(return_value=mock_role),
         ):
             permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
-            result = await permission_checker(
-                request=mock_request, org_id=org_id, user_id=user_id
-            )
+            result = await permission_checker(org_id=org_id, user_id=user_id)
             assert result == user_id
 
     @pytest.mark.asyncio
@@ -489,11 +476,10 @@ class TestRequirePermission:
         THEN: 401 Unauthorized is raised
         """
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
         with pytest.raises(HTTPException) as exc_info:
-            await permission_checker(request=mock_request, org_id=org_id, user_id=None)
+            await permission_checker(org_id=org_id, user_id=None)
 
         assert exc_info.value.status_code == 401
         assert 'not authenticated' in exc_info.value.detail.lower()
@@ -507,7 +493,6 @@ class TestRequirePermission:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         with patch(
             'server.auth.authorization.get_user_org_role',
@@ -515,9 +500,7 @@ class TestRequirePermission:
         ):
             permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
             with pytest.raises(HTTPException) as exc_info:
-                await permission_checker(
-                    request=mock_request, org_id=org_id, user_id=user_id
-                )
+                await permission_checker(org_id=org_id, user_id=user_id)
 
             assert exc_info.value.status_code == 403
             assert 'not a member' in exc_info.value.detail.lower()
@@ -531,7 +514,6 @@ class TestRequirePermission:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'member'
@@ -542,9 +524,7 @@ class TestRequirePermission:
         ):
             permission_checker = require_permission(Permission.DELETE_ORGANIZATION)
             with pytest.raises(HTTPException) as exc_info:
-                await permission_checker(
-                    request=mock_request, org_id=org_id, user_id=user_id
-                )
+                await permission_checker(org_id=org_id, user_id=user_id)
 
             assert exc_info.value.status_code == 403
             assert 'delete_organization' in exc_info.value.detail.lower()
@@ -558,7 +538,6 @@ class TestRequirePermission:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'owner'
@@ -568,9 +547,7 @@ class TestRequirePermission:
             AsyncMock(return_value=mock_role),
         ):
             permission_checker = require_permission(Permission.DELETE_ORGANIZATION)
-            result = await permission_checker(
-                request=mock_request, org_id=org_id, user_id=user_id
-            )
+            result = await permission_checker(org_id=org_id, user_id=user_id)
             assert result == user_id
 
     @pytest.mark.asyncio
@@ -582,7 +559,6 @@ class TestRequirePermission:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'admin'
@@ -593,9 +569,7 @@ class TestRequirePermission:
         ):
             permission_checker = require_permission(Permission.DELETE_ORGANIZATION)
             with pytest.raises(HTTPException) as exc_info:
-                await permission_checker(
-                    request=mock_request, org_id=org_id, user_id=user_id
-                )
+                await permission_checker(org_id=org_id, user_id=user_id)
 
             assert exc_info.value.status_code == 403
 
@@ -608,7 +582,6 @@ class TestRequirePermission:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'member'
@@ -622,9 +595,7 @@ class TestRequirePermission:
         ):
             permission_checker = require_permission(Permission.DELETE_ORGANIZATION)
             with pytest.raises(HTTPException):
-                await permission_checker(
-                    request=mock_request, org_id=org_id, user_id=user_id
-                )
+                await permission_checker(org_id=org_id, user_id=user_id)
 
             mock_logger.warning.assert_called()
             call_args = mock_logger.warning.call_args
@@ -640,7 +611,6 @@ class TestRequirePermission:
         THEN: User ID is returned
         """
         user_id = str(uuid4())
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'admin'
@@ -650,9 +620,7 @@ class TestRequirePermission:
             AsyncMock(return_value=mock_role),
         ) as mock_get_role:
             permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
-            result = await permission_checker(
-                request=mock_request, org_id=None, user_id=user_id
-            )
+            result = await permission_checker(org_id=None, user_id=user_id)
             assert result == user_id
             mock_get_role.assert_called_once_with(user_id, None)
 
@@ -664,7 +632,6 @@ class TestRequirePermission:
         THEN: HTTPException with 403 status is raised
         """
         user_id = str(uuid4())
-        mock_request = _create_mock_request()
 
         with patch(
             'server.auth.authorization.get_user_org_role',
@@ -672,9 +639,7 @@ class TestRequirePermission:
         ):
             permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
             with pytest.raises(HTTPException) as exc_info:
-                await permission_checker(
-                    request=mock_request, org_id=None, user_id=user_id
-                )
+                await permission_checker(org_id=None, user_id=user_id)
 
             assert exc_info.value.status_code == 403
             assert 'not a member' in exc_info.value.detail
@@ -697,7 +662,6 @@ class TestPermissionScenarios:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'member'
@@ -707,9 +671,7 @@ class TestPermissionScenarios:
             AsyncMock(return_value=mock_role),
         ):
             permission_checker = require_permission(Permission.MANAGE_SECRETS)
-            result = await permission_checker(
-                request=mock_request, org_id=org_id, user_id=user_id
-            )
+            result = await permission_checker(org_id=org_id, user_id=user_id)
             assert result == user_id
 
     @pytest.mark.asyncio
@@ -721,7 +683,6 @@ class TestPermissionScenarios:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'member'
@@ -734,9 +695,7 @@ class TestPermissionScenarios:
                 Permission.INVITE_USER_TO_ORGANIZATION
             )
             with pytest.raises(HTTPException) as exc_info:
-                await permission_checker(
-                    request=mock_request, org_id=org_id, user_id=user_id
-                )
+                await permission_checker(org_id=org_id, user_id=user_id)
 
             assert exc_info.value.status_code == 403
 
@@ -749,7 +708,6 @@ class TestPermissionScenarios:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'admin'
@@ -761,9 +719,7 @@ class TestPermissionScenarios:
             permission_checker = require_permission(
                 Permission.INVITE_USER_TO_ORGANIZATION
             )
-            result = await permission_checker(
-                request=mock_request, org_id=org_id, user_id=user_id
-            )
+            result = await permission_checker(org_id=org_id, user_id=user_id)
             assert result == user_id
 
     @pytest.mark.asyncio
@@ -775,7 +731,6 @@ class TestPermissionScenarios:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'admin'
@@ -786,9 +741,7 @@ class TestPermissionScenarios:
         ):
             permission_checker = require_permission(Permission.CHANGE_USER_ROLE_OWNER)
             with pytest.raises(HTTPException) as exc_info:
-                await permission_checker(
-                    request=mock_request, org_id=org_id, user_id=user_id
-                )
+                await permission_checker(org_id=org_id, user_id=user_id)
 
             assert exc_info.value.status_code == 403
 
@@ -801,7 +754,6 @@ class TestPermissionScenarios:
         """
         user_id = str(uuid4())
         org_id = uuid4()
-        mock_request = _create_mock_request()
 
         mock_role = MagicMock()
         mock_role.name = 'owner'
@@ -811,200 +763,5 @@ class TestPermissionScenarios:
             AsyncMock(return_value=mock_role),
         ):
             permission_checker = require_permission(Permission.CHANGE_USER_ROLE_OWNER)
-            result = await permission_checker(
-                request=mock_request, org_id=org_id, user_id=user_id
-            )
+            result = await permission_checker(org_id=org_id, user_id=user_id)
             assert result == user_id
-
-
-# =============================================================================
-# Tests for API key organization validation
-# =============================================================================
-
-
-class TestApiKeyOrgValidation:
-    """Tests for API key organization binding validation in require_permission."""
-
-    @pytest.mark.asyncio
-    async def test_allows_access_when_api_key_org_matches_target_org(self):
-        """
-        GIVEN: API key with org_id that matches the target org_id in the request
-        WHEN: Permission checker is called
-        THEN: User ID is returned (access allowed)
-        """
-        # Arrange
-        user_id = str(uuid4())
-        org_id = uuid4()
-        mock_request = _create_mock_request(api_key_org_id=org_id)
-
-        mock_role = MagicMock()
-        mock_role.name = 'admin'
-
-        # Act & Assert
-        with patch(
-            'server.auth.authorization.get_user_org_role',
-            AsyncMock(return_value=mock_role),
-        ):
-            permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
-            result = await permission_checker(
-                request=mock_request, org_id=org_id, user_id=user_id
-            )
-            assert result == user_id
-
-    @pytest.mark.asyncio
-    async def test_denies_access_when_api_key_org_mismatches_target_org(self):
-        """
-        GIVEN: API key created for Org A, but user tries to access Org B
-        WHEN: Permission checker is called
-        THEN: 403 Forbidden is raised with org mismatch message
-        """
-        # Arrange
-        user_id = str(uuid4())
-        api_key_org_id = uuid4()  # Org A - where API key was created
-        target_org_id = uuid4()  # Org B - where user is trying to access
-        mock_request = _create_mock_request(api_key_org_id=api_key_org_id)
-
-        # Act & Assert
-        permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
-        with pytest.raises(HTTPException) as exc_info:
-            await permission_checker(
-                request=mock_request, org_id=target_org_id, user_id=user_id
-            )
-
-        assert exc_info.value.status_code == 403
-        assert (
-            'API key is not authorized for this organization' in exc_info.value.detail
-        )
-
-    @pytest.mark.asyncio
-    async def test_allows_access_for_legacy_api_key_without_org_binding(self):
-        """
-        GIVEN: Legacy API key without org_id binding (org_id is None)
-        WHEN: Permission checker is called
-        THEN: Falls through to normal permission check (backward compatible)
-        """
-        # Arrange
-        user_id = str(uuid4())
-        org_id = uuid4()
-        mock_request = _create_mock_request(api_key_org_id=None)
-
-        mock_role = MagicMock()
-        mock_role.name = 'admin'
-
-        # Act & Assert
-        with patch(
-            'server.auth.authorization.get_user_org_role',
-            AsyncMock(return_value=mock_role),
-        ):
-            permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
-            result = await permission_checker(
-                request=mock_request, org_id=org_id, user_id=user_id
-            )
-            assert result == user_id
-
-    @pytest.mark.asyncio
-    async def test_allows_access_for_cookie_auth_without_api_key_org_id(self):
-        """
-        GIVEN: Cookie-based authentication (no api_key_org_id in user_auth)
-        WHEN: Permission checker is called
-        THEN: Falls through to normal permission check
-        """
-        # Arrange
-        user_id = str(uuid4())
-        org_id = uuid4()
-        mock_request = _create_mock_request(api_key_org_id=None)
-
-        mock_role = MagicMock()
-        mock_role.name = 'admin'
-
-        # Act & Assert
-        with patch(
-            'server.auth.authorization.get_user_org_role',
-            AsyncMock(return_value=mock_role),
-        ):
-            permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
-            result = await permission_checker(
-                request=mock_request, org_id=org_id, user_id=user_id
-            )
-            assert result == user_id
-
-    @pytest.mark.asyncio
-    async def test_logs_warning_on_api_key_org_mismatch(self):
-        """
-        GIVEN: API key org_id doesn't match target org_id
-        WHEN: Permission checker is called
-        THEN: Warning is logged with org mismatch details
-        """
-        # Arrange
-        user_id = str(uuid4())
-        api_key_org_id = uuid4()
-        target_org_id = uuid4()
-        mock_request = _create_mock_request(api_key_org_id=api_key_org_id)
-
-        # Act & Assert
-        with patch('server.auth.authorization.logger') as mock_logger:
-            permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS)
-            with pytest.raises(HTTPException):
-                await permission_checker(
-                    request=mock_request, org_id=target_org_id, user_id=user_id
-                )
-
-            mock_logger.warning.assert_called()
-            call_args = mock_logger.warning.call_args
-            assert call_args[1]['extra']['user_id'] == user_id
-            assert call_args[1]['extra']['api_key_org_id'] == str(api_key_org_id)
-            assert call_args[1]['extra']['target_org_id'] == str(target_org_id)
-
-
-class TestGetApiKeyOrgIdFromRequest:
-    """Tests for get_api_key_org_id_from_request helper function."""
-
-    @pytest.mark.asyncio
-    async def test_returns_org_id_when_user_auth_has_api_key_org_id(self):
-        """
-        GIVEN: Request with user_auth that has api_key_org_id
-        WHEN: get_api_key_org_id_from_request is called
-        THEN: Returns the api_key_org_id
-        """
-        # Arrange
-        org_id = uuid4()
-        mock_request = _create_mock_request(api_key_org_id=org_id)
-
-        # Act
-        result = await get_api_key_org_id_from_request(mock_request)
-
-        # Assert
-        assert result == org_id
-
-    @pytest.mark.asyncio
-    async def test_returns_none_when_user_auth_has_no_api_key_org_id(self):
-        """
-        GIVEN: Request with user_auth that has no api_key_org_id (cookie auth)
-        WHEN: get_api_key_org_id_from_request is called
-        THEN: Returns None
-        """
-        # Arrange
-        mock_request = _create_mock_request(api_key_org_id=None)
-
-        # Act
-        result = await get_api_key_org_id_from_request(mock_request)
-
-        # Assert
-        assert result is None
-
-    @pytest.mark.asyncio
-    async def test_returns_none_when_no_user_auth_in_request(self):
-        """
-        GIVEN: Request without user_auth in state
-        WHEN: get_api_key_org_id_from_request is called
-        THEN: Returns None
-        """
-        # Arrange
-        mock_request = MagicMock()
-        mock_request.state.user_auth = None
-
-        # Act
-        result = await get_api_key_org_id_from_request(mock_request)
-
-        # Assert
-        assert result is None

enterprise/tests/unit/test_billing.py

@@ -48,7 +48,7 @@ def mock_checkout_request():
             'server': ('test.com', 80),
         }
     )
-    request._url = URL('http://test.com/')
+    request._base_url = URL('http://test.com/')
     return request
 
 
@@ -62,7 +62,7 @@ def mock_subscription_request():
             'server': ('test.com', 80),
         }
     )
-    request._url = URL('http://test.com/')
+    request._base_url = URL('http://test.com/')
     return request
 
 
@@ -264,7 +264,7 @@ async def test_create_checkout_session_success(
 async def test_success_callback_session_not_found(async_session_maker):
     """Test success callback when billing session is not found."""
     mock_request = Request(scope={'type': 'http'})
-    mock_request._url = URL('http://test.com/')
+    mock_request._base_url = URL('http://test.com/')
 
     with (
         patch('server.routes.billing.a_session_maker', async_session_maker),
@@ -281,7 +281,7 @@ async def test_success_callback_stripe_incomplete(
 ):
     """Test success callback when Stripe session is not complete."""
     mock_request = Request(scope={'type': 'http'})
-    mock_request._url = URL('http://test.com/')
+    mock_request._base_url = URL('http://test.com/')
 
     session_id = 'test_incomplete_session'
     async with async_session_maker() as session:
@@ -319,7 +319,7 @@ async def test_success_callback_stripe_incomplete(
 async def test_success_callback_success(async_session_maker, test_org, test_user):
     """Test successful payment completion and credit update."""
     mock_request = Request(scope={'type': 'http'})
-    mock_request._url = URL('http://test.com/')
+    mock_request._base_url = URL('http://test.com/')
 
     session_id = 'test_success_session'
     async with async_session_maker() as session:
@@ -391,7 +391,7 @@ async def test_success_callback_lite_llm_error(
 ):
     """Test handling of LiteLLM API errors during success callback."""
     mock_request = Request(scope={'type': 'http'})
-    mock_request._url = URL('http://test.com/')
+    mock_request._base_url = URL('http://test.com/')
 
     session_id = 'test_litellm_error_session'
     async with async_session_maker() as session:
@@ -445,7 +445,7 @@ async def test_success_callback_lite_llm_update_budget_error_rollback(
     the database transaction rolls back.
     """
     mock_request = Request(scope={'type': 'http'})
-    mock_request._url = URL('http://test.com/')
+    mock_request._base_url = URL('http://test.com/')
 
     session_id = 'test_budget_rollback_session'
     async with async_session_maker() as session:
@@ -502,7 +502,7 @@ async def test_success_callback_lite_llm_update_budget_error_rollback(
 async def test_cancel_callback_session_not_found(async_session_maker):
     """Test cancel callback when billing session is not found."""
     mock_request = Request(scope={'type': 'http'})
-    mock_request._url = URL('http://test.com/')
+    mock_request._base_url = URL('http://test.com/')
 
     with patch('server.routes.billing.a_session_maker', async_session_maker):
         response = await cancel_callback('nonexistent_session_id', mock_request)
@@ -517,7 +517,7 @@ async def test_cancel_callback_session_not_found(async_session_maker):
 async def test_cancel_callback_success(async_session_maker, test_org, test_user):
     """Test successful cancellation of billing session."""
     mock_request = Request(scope={'type': 'http'})
-    mock_request._url = URL('http://test.com/')
+    mock_request._base_url = URL('http://test.com/')
 
     session_id = 'test_cancel_session'
     async with async_session_maker() as session:
@@ -588,7 +588,7 @@ async def test_create_customer_setup_session_success():
             'headers': [],
         }
     )
-    mock_request._url = URL('http://test.com/')
+    mock_request._base_url = URL('http://test.com/')
 
     mock_customer_info = {'customer_id': 'mock-customer-id', 'org_id': 'mock-org-id'}
     mock_session = MagicMock()
@@ -613,6 +613,6 @@ async def test_create_customer_setup_session_success():
             customer='mock-customer-id',
             mode='setup',
             payment_method_types=['card'],
-            success_url='https://test.com?setup=success',
-            cancel_url='https://test.com',
+            success_url='https://test.com/?setup=success',
+            cancel_url='https://test.com/',
         )

enterprise/tests/unit/test_lite_llm_manager.py

@@ -2,9 +2,7 @@
 Unit tests for LiteLlmManager class.
 """
 
-import importlib
 import os
-import sys
 from unittest.mock import AsyncMock, MagicMock, patch
 
 import httpx
@@ -23,98 +21,6 @@ from storage.user_settings import UserSettings
 from openhands.server.settings import Settings
 
 
-class TestDefaultInitialBudget:
-    """Test cases for DEFAULT_INITIAL_BUDGET configuration."""
-
-    @pytest.fixture(autouse=True)
-    def restore_module_state(self):
-        """Ensure module is properly restored after each test."""
-        # Save original module if it exists
-        original_module = sys.modules.get('storage.lite_llm_manager')
-
-        yield
-
-        # Restore module state after each test
-        if 'storage.lite_llm_manager' in sys.modules:
-            del sys.modules['storage.lite_llm_manager']
-
-        # Clear the env vars
-        os.environ.pop('DEFAULT_INITIAL_BUDGET', None)
-        os.environ.pop('ENABLE_BILLING', None)
-
-        # Restore original module or reimport fresh
-        if original_module is not None:
-            sys.modules['storage.lite_llm_manager'] = original_module
-        else:
-            importlib.import_module('storage.lite_llm_manager')
-
-    def test_default_initial_budget_none_when_billing_disabled(self):
-        """Test that DEFAULT_INITIAL_BUDGET is None when billing is disabled."""
-        # Temporarily remove the module so we can reimport with different env vars
-        if 'storage.lite_llm_manager' in sys.modules:
-            del sys.modules['storage.lite_llm_manager']
-
-        # Ensure billing is disabled (default) and reimport
-        os.environ.pop('ENABLE_BILLING', None)
-        os.environ.pop('DEFAULT_INITIAL_BUDGET', None)
-        module = importlib.import_module('storage.lite_llm_manager')
-        assert module.DEFAULT_INITIAL_BUDGET is None
-
-    def test_default_initial_budget_defaults_to_zero_when_billing_enabled(self):
-        """Test that DEFAULT_INITIAL_BUDGET defaults to 0.0 when billing is enabled."""
-        # Temporarily remove the module so we can reimport with different env vars
-        if 'storage.lite_llm_manager' in sys.modules:
-            del sys.modules['storage.lite_llm_manager']
-
-        # Enable billing and reimport
-        os.environ['ENABLE_BILLING'] = 'true'
-        os.environ.pop('DEFAULT_INITIAL_BUDGET', None)
-        module = importlib.import_module('storage.lite_llm_manager')
-        assert module.DEFAULT_INITIAL_BUDGET == 0.0
-
-    def test_default_initial_budget_uses_env_var_when_billing_enabled(self):
-        """Test that DEFAULT_INITIAL_BUDGET uses value from environment variable when billing enabled."""
-        if 'storage.lite_llm_manager' in sys.modules:
-            del sys.modules['storage.lite_llm_manager']
-
-        os.environ['ENABLE_BILLING'] = 'true'
-        os.environ['DEFAULT_INITIAL_BUDGET'] = '100.0'
-        module = importlib.import_module('storage.lite_llm_manager')
-        assert module.DEFAULT_INITIAL_BUDGET == 100.0
-
-    def test_default_initial_budget_ignores_env_var_when_billing_disabled(self):
-        """Test that DEFAULT_INITIAL_BUDGET returns None when billing disabled, ignoring env var."""
-        if 'storage.lite_llm_manager' in sys.modules:
-            del sys.modules['storage.lite_llm_manager']
-
-        os.environ.pop('ENABLE_BILLING', None)  # billing disabled by default
-        os.environ['DEFAULT_INITIAL_BUDGET'] = '100.0'
-        module = importlib.import_module('storage.lite_llm_manager')
-        assert module.DEFAULT_INITIAL_BUDGET is None
-
-    def test_default_initial_budget_rejects_invalid_value(self):
-        """Test that DEFAULT_INITIAL_BUDGET raises ValueError for invalid values."""
-        if 'storage.lite_llm_manager' in sys.modules:
-            del sys.modules['storage.lite_llm_manager']
-
-        os.environ['ENABLE_BILLING'] = 'true'
-        os.environ['DEFAULT_INITIAL_BUDGET'] = 'abc'
-        with pytest.raises(ValueError) as exc_info:
-            importlib.import_module('storage.lite_llm_manager')
-        assert 'Invalid DEFAULT_INITIAL_BUDGET' in str(exc_info.value)
-
-    def test_default_initial_budget_rejects_negative_value(self):
-        """Test that DEFAULT_INITIAL_BUDGET raises ValueError for negative values."""
-        if 'storage.lite_llm_manager' in sys.modules:
-            del sys.modules['storage.lite_llm_manager']
-
-        os.environ['ENABLE_BILLING'] = 'true'
-        os.environ['DEFAULT_INITIAL_BUDGET'] = '-10.0'
-        with pytest.raises(ValueError) as exc_info:
-            importlib.import_module('storage.lite_llm_manager')
-        assert 'must be non-negative' in str(exc_info.value)
-
-
 class TestLiteLlmManager:
     """Test cases for LiteLlmManager class."""
 
@@ -132,12 +38,10 @@ class TestLiteLlmManager:
     def mock_user_settings(self):
         """Create a mock UserSettings object."""
         user_settings = UserSettings()
-        user_settings.agent_settings = {
-            'agent': 'TestAgent',
-            'llm.model': 'test-model',
-            'llm.base_url': 'http://test.com',
-        }
+        user_settings.agent = 'TestAgent'
+        user_settings.llm_model = 'test-model'
         user_settings.llm_api_key = SecretStr('test-key')
+        user_settings.llm_base_url = 'http://test.com'
         user_settings.user_version = 4  # Set version to avoid None comparison
         return user_settings
 
@@ -241,16 +145,6 @@ class TestLiteLlmManager:
         mock_404_response = MagicMock()
         mock_404_response.status_code = 404
         mock_404_response.is_success = False
-        mock_404_response.raise_for_status.side_effect = httpx.HTTPStatusError(
-            message='Not Found', request=MagicMock(), response=mock_404_response
-        )
-
-        # Mock user exists check response
-        mock_user_exists_response = MagicMock()
-        mock_user_exists_response.is_success = True
-        mock_user_exists_response.json.return_value = {
-            'user_info': {'user_id': 'test-user-id'}
-        }
 
         mock_token_manager = MagicMock()
         mock_token_manager.return_value.get_user_info_from_user_id = AsyncMock(
@@ -258,8 +152,12 @@ class TestLiteLlmManager:
         )
 
         mock_client = AsyncMock()
-        # First GET is for _get_team (404), second GET is for _user_exists (success)
-        mock_client.get.side_effect = [mock_404_response, mock_user_exists_response]
+        mock_client.get.return_value = mock_404_response
+        mock_client.get.return_value.raise_for_status.side_effect = (
+            httpx.HTTPStatusError(
+                message='Not Found', request=MagicMock(), response=mock_404_response
+            )
+        )
         mock_client.post.return_value = mock_response
 
         mock_client_class = MagicMock()
@@ -282,8 +180,8 @@ class TestLiteLlmManager:
             assert result.llm_api_key.get_secret_value() == 'test-api-key'
             assert result.llm_base_url == 'http://test.com'
 
-            # Verify API calls were made (get_team + user_exists + 4 posts)
-            assert mock_client.get.call_count == 2  # get_team + user_exists
+            # Verify API calls were made (get_team + 4 posts)
+            assert mock_client.get.call_count == 1  # get_team
             assert (
                 mock_client.post.call_count == 4
             )  # create_team, add_user_to_team, delete_key_by_alias, generate_key
@@ -302,21 +200,13 @@ class TestLiteLlmManager:
         }
         mock_team_response.raise_for_status = MagicMock()
 
-        # Mock user exists check response
-        mock_user_exists_response = MagicMock()
-        mock_user_exists_response.is_success = True
-        mock_user_exists_response.json.return_value = {
-            'user_info': {'user_id': 'test-user-id'}
-        }
-
         mock_token_manager = MagicMock()
         mock_token_manager.return_value.get_user_info_from_user_id = AsyncMock(
             return_value={'email': 'test@example.com'}
         )
 
         mock_client = AsyncMock()
-        # First GET is for _get_team (success), second GET is for _user_exists (success)
-        mock_client.get.side_effect = [mock_team_response, mock_user_exists_response]
+        mock_client.get.return_value = mock_team_response
         mock_client.post.return_value = mock_response
 
         mock_client_class = MagicMock()
@@ -336,8 +226,8 @@ class TestLiteLlmManager:
             assert result is not None
 
             # Verify _get_team was called first
-            assert mock_client.get.call_count == 2  # get_team + user_exists
-            get_call_url = mock_client.get.call_args_list[0][0][0]
+            mock_client.get.assert_called_once()
+            get_call_url = mock_client.get.call_args[0][0]
             assert 'team/info' in get_call_url
             assert 'test-org-id' in get_call_url
 
@@ -352,32 +242,26 @@ class TestLiteLlmManager:
             assert add_user_call[1]['json']['max_budget_in_team'] == 30.0
 
     @pytest.mark.asyncio
-    async def test_create_entries_new_org_uses_default_initial_budget(
+    async def test_create_entries_new_org_uses_zero_budget(
         self, mock_settings, mock_response
     ):
-        """Test that create_entries uses DEFAULT_INITIAL_BUDGET for new org."""
+        """Test that create_entries uses budget=0 for new org (team doesn't exist)."""
         mock_404_response = MagicMock()
         mock_404_response.status_code = 404
         mock_404_response.is_success = False
-        mock_404_response.raise_for_status.side_effect = httpx.HTTPStatusError(
-            message='Not Found', request=MagicMock(), response=mock_404_response
-        )
 
         mock_token_manager = MagicMock()
         mock_token_manager.return_value.get_user_info_from_user_id = AsyncMock(
             return_value={'email': 'test@example.com'}
         )
 
-        # Mock user exists check response
-        mock_user_exists_response = MagicMock()
-        mock_user_exists_response.is_success = True
-        mock_user_exists_response.json.return_value = {
-            'user_info': {'user_id': 'test-user-id'}
-        }
-
         mock_client = AsyncMock()
-        # First GET is for _get_team (404), second GET is for _user_exists (success)
-        mock_client.get.side_effect = [mock_404_response, mock_user_exists_response]
+        mock_client.get.return_value = mock_404_response
+        mock_client.get.return_value.raise_for_status.side_effect = (
+            httpx.HTTPStatusError(
+                message='Not Found', request=MagicMock(), response=mock_404_response
+            )
+        )
         mock_client.post.return_value = mock_response
 
         mock_client_class = MagicMock()
@@ -389,7 +273,6 @@ class TestLiteLlmManager:
             patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'),
             patch('storage.lite_llm_manager.TokenManager', mock_token_manager),
             patch('httpx.AsyncClient', mock_client_class),
-            patch('storage.lite_llm_manager.DEFAULT_INITIAL_BUDGET', 0.0),
         ):
             result = await LiteLlmManager.create_entries(
                 'test-org-id', 'test-user-id', mock_settings, create_user=False
@@ -397,73 +280,16 @@ class TestLiteLlmManager:
 
             assert result is not None
 
-            # Verify _create_team was called with DEFAULT_INITIAL_BUDGET (0.0)
+            # Verify _create_team was called with budget=0
             create_team_call = mock_client.post.call_args_list[0]
             assert 'team/new' in create_team_call[0][0]
             assert create_team_call[1]['json']['max_budget'] == 0.0
 
-            # Verify _add_user_to_team was called with DEFAULT_INITIAL_BUDGET (0.0)
+            # Verify _add_user_to_team was called with budget=0
             add_user_call = mock_client.post.call_args_list[1]
             assert 'team/member_add' in add_user_call[0][0]
             assert add_user_call[1]['json']['max_budget_in_team'] == 0.0
 
-    @pytest.mark.asyncio
-    async def test_create_entries_new_org_uses_custom_default_budget(
-        self, mock_settings, mock_response
-    ):
-        """Test that create_entries uses custom DEFAULT_INITIAL_BUDGET for new org."""
-        mock_404_response = MagicMock()
-        mock_404_response.status_code = 404
-        mock_404_response.is_success = False
-        mock_404_response.raise_for_status.side_effect = httpx.HTTPStatusError(
-            message='Not Found', request=MagicMock(), response=mock_404_response
-        )
-
-        # Mock user exists check response
-        mock_user_exists_response = MagicMock()
-        mock_user_exists_response.is_success = True
-        mock_user_exists_response.json.return_value = {
-            'user_info': {'user_id': 'test-user-id'}
-        }
-
-        mock_token_manager = MagicMock()
-        mock_token_manager.return_value.get_user_info_from_user_id = AsyncMock(
-            return_value={'email': 'test@example.com'}
-        )
-
-        mock_client = AsyncMock()
-        # First GET is for _get_team (404), second GET is for _user_exists (success)
-        mock_client.get.side_effect = [mock_404_response, mock_user_exists_response]
-        mock_client.post.return_value = mock_response
-
-        mock_client_class = MagicMock()
-        mock_client_class.return_value.__aenter__.return_value = mock_client
-
-        custom_budget = 50.0
-        with (
-            patch.dict(os.environ, {'LOCAL_DEPLOYMENT': ''}),
-            patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key'),
-            patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'),
-            patch('storage.lite_llm_manager.TokenManager', mock_token_manager),
-            patch('httpx.AsyncClient', mock_client_class),
-            patch('storage.lite_llm_manager.DEFAULT_INITIAL_BUDGET', custom_budget),
-        ):
-            result = await LiteLlmManager.create_entries(
-                'test-org-id', 'test-user-id', mock_settings, create_user=False
-            )
-
-            assert result is not None
-
-            # Verify _create_team was called with custom DEFAULT_INITIAL_BUDGET
-            create_team_call = mock_client.post.call_args_list[0]
-            assert 'team/new' in create_team_call[0][0]
-            assert create_team_call[1]['json']['max_budget'] == custom_budget
-
-            # Verify _add_user_to_team was called with custom DEFAULT_INITIAL_BUDGET
-            add_user_call = mock_client.post.call_args_list[1]
-            assert 'team/member_add' in add_user_call[0][0]
-            assert add_user_call[1]['json']['max_budget_in_team'] == custom_budget
-
     @pytest.mark.asyncio
     async def test_create_entries_propagates_non_404_errors(self, mock_settings):
         """Test that create_entries propagates non-404 errors from _get_team."""
@@ -532,11 +358,10 @@ class TestLiteLlmManager:
 
                     # migrate_entries returns the user_settings unchanged
                     assert result is not None
-                    effective_settings = result.to_settings()
-                    assert effective_settings.agent == 'TestAgent'
-                    assert effective_settings.llm_model == 'test-model'
+                    assert result.agent == 'TestAgent'
+                    assert result.llm_model == 'test-model'
                     assert result.llm_api_key.get_secret_value() == 'test-key'
-                    assert effective_settings.llm_base_url == 'http://test.com'
+                    assert result.llm_base_url == 'http://test.com'
 
     @pytest.mark.asyncio
     async def test_migrate_entries_no_user_found(self, mock_user_settings):
@@ -657,11 +482,10 @@ class TestLiteLlmManager:
 
                             # migrate_entries returns the user_settings unchanged
                             assert result is not None
-                            effective_settings = result.to_settings()
-                            assert effective_settings.agent == 'TestAgent'
-                            assert effective_settings.llm_model == 'test-model'
+                            assert result.agent == 'TestAgent'
+                            assert result.llm_model == 'test-model'
                             assert result.llm_api_key.get_secret_value() == 'test-key'
-                            assert effective_settings.llm_base_url == 'http://test.com'
+                            assert result.llm_base_url == 'http://test.com'
 
                             # Verify migration steps were called:
                             # - 2 GET requests: _get_user, _get_user_keys
@@ -863,16 +687,15 @@ class TestLiteLlmManager:
 
     @pytest.mark.asyncio
     async def test_create_user_success(self, mock_http_client, mock_response):
-        """Test successful _create_user operation returns True."""
+        """Test successful _create_user operation."""
         mock_http_client.post.return_value = mock_response
 
         with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key'):
             with patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'):
-                result = await LiteLlmManager._create_user(
+                await LiteLlmManager._create_user(
                     mock_http_client, 'test@example.com', 'test-user-id'
                 )
 
-                assert result is True
                 mock_http_client.post.assert_called_once()
                 call_args = mock_http_client.post.call_args
                 assert 'http://test.com/user/new' in call_args[0]
@@ -881,7 +704,7 @@ class TestLiteLlmManager:
 
     @pytest.mark.asyncio
     async def test_create_user_duplicate_email(self, mock_http_client, mock_response):
-        """Test _create_user with duplicate email handling returns True."""
+        """Test _create_user with duplicate email handling."""
         # First call fails with duplicate email
         error_response = MagicMock()
         error_response.is_success = False
@@ -893,192 +716,15 @@ class TestLiteLlmManager:
 
         with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key'):
             with patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'):
-                result = await LiteLlmManager._create_user(
+                await LiteLlmManager._create_user(
                     mock_http_client, 'test@example.com', 'test-user-id'
                 )
 
-                assert result is True
                 assert mock_http_client.post.call_count == 2
                 # Second call should have None email
                 second_call_args = mock_http_client.post.call_args_list[1]
                 assert second_call_args[1]['json']['user_email'] is None
 
-    @pytest.mark.asyncio
-    @patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com')
-    @patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key')
-    async def test_user_exists_returns_true(self, mock_http_client):
-        """Test _user_exists returns True when user exists in LiteLLM."""
-        # Arrange
-        user_response = MagicMock()
-        user_response.is_success = True
-        user_response.json.return_value = {
-            'user_info': {'user_id': 'test-user-id', 'email': 'test@example.com'}
-        }
-        mock_http_client.get.return_value = user_response
-
-        # Act
-        result = await LiteLlmManager._user_exists(mock_http_client, 'test-user-id')
-
-        # Assert
-        assert result is True
-        mock_http_client.get.assert_called_once()
-
-    @pytest.mark.asyncio
-    @patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com')
-    @patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key')
-    async def test_user_exists_returns_false_when_not_found(self, mock_http_client):
-        """Test _user_exists returns False when user not found."""
-        # Arrange
-        user_response = MagicMock()
-        user_response.is_success = False
-        mock_http_client.get.return_value = user_response
-
-        # Act
-        result = await LiteLlmManager._user_exists(mock_http_client, 'test-user-id')
-
-        # Assert
-        assert result is False
-
-    @pytest.mark.asyncio
-    @patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com')
-    @patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key')
-    async def test_user_exists_returns_false_on_mismatched_user_id(
-        self, mock_http_client
-    ):
-        """Test _user_exists returns False when returned user_id doesn't match."""
-        # Arrange
-        user_response = MagicMock()
-        user_response.is_success = True
-        user_response.json.return_value = {
-            'user_info': {'user_id': 'different-user-id'}
-        }
-        mock_http_client.get.return_value = user_response
-
-        # Act
-        result = await LiteLlmManager._user_exists(mock_http_client, 'test-user-id')
-
-        # Assert
-        assert result is False
-
-    @pytest.mark.asyncio
-    @patch('storage.lite_llm_manager.logger')
-    @patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com')
-    @patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key')
-    async def test_create_user_already_exists_and_verified(
-        self, mock_logger, mock_http_client
-    ):
-        """Test _create_user returns True when user already exists and is verified."""
-        # Arrange
-        first_response = MagicMock()
-        first_response.is_success = False
-        first_response.status_code = 400
-        first_response.text = 'duplicate email'
-
-        second_response = MagicMock()
-        second_response.is_success = False
-        second_response.status_code = 409
-        second_response.text = 'User with id test-user-id already exists'
-
-        user_exists_response = MagicMock()
-        user_exists_response.is_success = True
-        user_exists_response.json.return_value = {
-            'user_info': {'user_id': 'test-user-id'}
-        }
-
-        mock_http_client.post.side_effect = [first_response, second_response]
-        mock_http_client.get.return_value = user_exists_response
-
-        # Act
-        result = await LiteLlmManager._create_user(
-            mock_http_client, 'test@example.com', 'test-user-id'
-        )
-
-        # Assert
-        assert result is True
-        mock_logger.warning.assert_any_call(
-            'litellm_user_already_exists',
-            extra={'user_id': 'test-user-id'},
-        )
-
-    @pytest.mark.asyncio
-    @patch('storage.lite_llm_manager.logger')
-    @patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com')
-    @patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key')
-    async def test_create_user_already_exists_but_not_found_returns_false(
-        self, mock_logger, mock_http_client
-    ):
-        """Test _create_user returns False when LiteLLM claims user exists but verification fails."""
-        # Arrange
-        first_response = MagicMock()
-        first_response.is_success = False
-        first_response.status_code = 400
-        first_response.text = 'duplicate email'
-
-        second_response = MagicMock()
-        second_response.is_success = False
-        second_response.status_code = 409
-        second_response.text = 'User with id test-user-id already exists'
-
-        user_not_exists_response = MagicMock()
-        user_not_exists_response.is_success = False
-
-        mock_http_client.post.side_effect = [first_response, second_response]
-        mock_http_client.get.return_value = user_not_exists_response
-
-        # Act
-        result = await LiteLlmManager._create_user(
-            mock_http_client, 'test@example.com', 'test-user-id'
-        )
-
-        # Assert
-        assert result is False
-        mock_logger.error.assert_any_call(
-            'litellm_user_claimed_exists_but_not_found',
-            extra={
-                'user_id': 'test-user-id',
-                'status_code': 409,
-                'text': 'User with id test-user-id already exists',
-            },
-        )
-
-    @pytest.mark.asyncio
-    @patch('storage.lite_llm_manager.logger')
-    @patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com')
-    @patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key')
-    async def test_create_user_failure_returns_false(
-        self, mock_logger, mock_http_client
-    ):
-        """Test _create_user returns False when creation fails with non-'already exists' error."""
-        # Arrange
-        first_response = MagicMock()
-        first_response.is_success = False
-        first_response.status_code = 400
-        first_response.text = 'duplicate email'
-
-        second_response = MagicMock()
-        second_response.is_success = False
-        second_response.status_code = 500
-        second_response.text = 'Internal server error'
-
-        mock_http_client.post.side_effect = [first_response, second_response]
-
-        # Act
-        result = await LiteLlmManager._create_user(
-            mock_http_client, 'test@example.com', 'test-user-id'
-        )
-
-        # Assert
-        assert result is False
-        mock_logger.error.assert_any_call(
-            'error_creating_litellm_user',
-            extra={
-                'status_code': 500,
-                'text': 'Internal server error',
-                'user_id': 'test-user-id',
-                'email': None,
-            },
-        )
-
     @pytest.mark.asyncio
     @patch('storage.lite_llm_manager.logger')
     @patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com')
@@ -1086,7 +732,7 @@ class TestLiteLlmManager:
     async def test_create_user_already_exists_with_409_status_code(
         self, mock_logger, mock_http_client
     ):
-        """Test _create_user handles 409 Conflict when user already exists and verifies."""
+        """Test _create_user handles 409 Conflict when user already exists."""
         # Arrange
         first_response = MagicMock()
         first_response.is_success = False
@@ -1098,22 +744,14 @@ class TestLiteLlmManager:
         second_response.status_code = 409
         second_response.text = 'User with id test-user-id already exists'
 
-        user_exists_response = MagicMock()
-        user_exists_response.is_success = True
-        user_exists_response.json.return_value = {
-            'user_info': {'user_id': 'test-user-id'}
-        }
-
         mock_http_client.post.side_effect = [first_response, second_response]
-        mock_http_client.get.return_value = user_exists_response
 
         # Act
-        result = await LiteLlmManager._create_user(
+        await LiteLlmManager._create_user(
             mock_http_client, 'test@example.com', 'test-user-id'
         )
 
         # Assert
-        assert result is True
         mock_logger.warning.assert_any_call(
             'litellm_user_already_exists',
             extra={'user_id': 'test-user-id'},
@@ -1126,7 +764,7 @@ class TestLiteLlmManager:
     async def test_create_user_already_exists_with_400_status_code(
         self, mock_logger, mock_http_client
     ):
-        """Test _create_user handles 400 Bad Request when user already exists and verifies."""
+        """Test _create_user handles 400 Bad Request when user already exists."""
         # Arrange
         first_response = MagicMock()
         first_response.is_success = False
@@ -1138,22 +776,14 @@ class TestLiteLlmManager:
         second_response.status_code = 400
         second_response.text = 'User already exists'
 
-        user_exists_response = MagicMock()
-        user_exists_response.is_success = True
-        user_exists_response.json.return_value = {
-            'user_info': {'user_id': 'test-user-id'}
-        }
-
         mock_http_client.post.side_effect = [first_response, second_response]
-        mock_http_client.get.return_value = user_exists_response
 
         # Act
-        result = await LiteLlmManager._create_user(
+        await LiteLlmManager._create_user(
             mock_http_client, 'test@example.com', 'test-user-id'
         )
 
         # Assert
-        assert result is True
         mock_logger.warning.assert_any_call(
             'litellm_user_already_exists',
             extra={'user_id': 'test-user-id'},
@@ -2035,7 +1665,7 @@ class TestLiteLlmManager:
 
                             # downgrade_entries returns the user_settings
                             assert result is not None
-                            assert result.to_settings().agent == 'TestAgent'
+                            assert result.agent == 'TestAgent'
 
                             # Verify downgrade steps were called:
                             # GET requests:
@@ -2069,7 +1699,7 @@ class TestLiteLlmManager:
                     # In local deployment, should return user_settings without
                     # making any LiteLLM calls
                     assert result is not None
-                    assert result.to_settings().agent == 'TestAgent'
+                    assert result.agent == 'TestAgent'
 
 
 class TestGetAllKeysForUser:
@@ -2388,195 +2018,3 @@ class TestVerifyExistingKey:
                 openhands_type=True,
             )
             assert result is False
-
-
-class TestBudgetPayloadHandling:
-    """Test cases for budget field handling in API payloads.
-
-    These tests verify that when max_budget is None, the budget field is NOT
-    included in the JSON payload (which tells LiteLLM to disable budget
-    enforcement), and when max_budget has a value, it IS included.
-    """
-
-    @pytest.mark.asyncio
-    async def test_create_team_excludes_max_budget_when_none(self):
-        """Test that _create_team does NOT include max_budget when it is None."""
-        mock_client = AsyncMock(spec=httpx.AsyncClient)
-        mock_response = MagicMock()
-        mock_response.is_success = True
-        mock_response.status_code = 200
-        mock_client.post.return_value = mock_response
-
-        with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-api-key'):
-            with patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'):
-                await LiteLlmManager._create_team(
-                    mock_client,
-                    team_alias='test-team',
-                    team_id='test-team-id',
-                    max_budget=None,  # None = no budget limit
-                )
-
-        # Verify the call was made
-        mock_client.post.assert_called_once()
-        call_args = mock_client.post.call_args
-
-        # Verify URL
-        assert call_args[0][0] == 'http://test.com/team/new'
-
-        # Verify that max_budget is NOT in the JSON payload
-        json_payload = call_args[1]['json']
-        assert 'max_budget' not in json_payload, (
-            'max_budget should NOT be in payload when None '
-            '(omitting it tells LiteLLM to disable budget enforcement)'
-        )
-
-    @pytest.mark.asyncio
-    async def test_create_team_includes_max_budget_when_set(self):
-        """Test that _create_team includes max_budget when it has a value."""
-        mock_client = AsyncMock(spec=httpx.AsyncClient)
-        mock_response = MagicMock()
-        mock_response.is_success = True
-        mock_response.status_code = 200
-        mock_client.post.return_value = mock_response
-
-        with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-api-key'):
-            with patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'):
-                await LiteLlmManager._create_team(
-                    mock_client,
-                    team_alias='test-team',
-                    team_id='test-team-id',
-                    max_budget=100.0,  # Explicit budget limit
-                )
-
-        # Verify the call was made
-        mock_client.post.assert_called_once()
-        call_args = mock_client.post.call_args
-
-        # Verify that max_budget IS in the JSON payload with the correct value
-        json_payload = call_args[1]['json']
-        assert (
-            'max_budget' in json_payload
-        ), 'max_budget should be in payload when set to a value'
-        assert json_payload['max_budget'] == 100.0
-
-    @pytest.mark.asyncio
-    async def test_add_user_to_team_excludes_max_budget_when_none(self):
-        """Test that _add_user_to_team does NOT include max_budget_in_team when None."""
-        mock_client = AsyncMock(spec=httpx.AsyncClient)
-        mock_response = MagicMock()
-        mock_response.is_success = True
-        mock_response.status_code = 200
-        mock_client.post.return_value = mock_response
-
-        with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-api-key'):
-            with patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'):
-                await LiteLlmManager._add_user_to_team(
-                    mock_client,
-                    keycloak_user_id='test-user-id',
-                    team_id='test-team-id',
-                    max_budget=None,  # None = no budget limit
-                )
-
-        # Verify the call was made
-        mock_client.post.assert_called_once()
-        call_args = mock_client.post.call_args
-
-        # Verify URL
-        assert call_args[0][0] == 'http://test.com/team/member_add'
-
-        # Verify that max_budget_in_team is NOT in the JSON payload
-        json_payload = call_args[1]['json']
-        assert 'max_budget_in_team' not in json_payload, (
-            'max_budget_in_team should NOT be in payload when None '
-            '(omitting it tells LiteLLM to disable budget enforcement)'
-        )
-
-    @pytest.mark.asyncio
-    async def test_add_user_to_team_includes_max_budget_when_set(self):
-        """Test that _add_user_to_team includes max_budget_in_team when set."""
-        mock_client = AsyncMock(spec=httpx.AsyncClient)
-        mock_response = MagicMock()
-        mock_response.is_success = True
-        mock_response.status_code = 200
-        mock_client.post.return_value = mock_response
-
-        with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-api-key'):
-            with patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'):
-                await LiteLlmManager._add_user_to_team(
-                    mock_client,
-                    keycloak_user_id='test-user-id',
-                    team_id='test-team-id',
-                    max_budget=50.0,  # Explicit budget limit
-                )
-
-        # Verify the call was made
-        mock_client.post.assert_called_once()
-        call_args = mock_client.post.call_args
-
-        # Verify that max_budget_in_team IS in the JSON payload
-        json_payload = call_args[1]['json']
-        assert (
-            'max_budget_in_team' in json_payload
-        ), 'max_budget_in_team should be in payload when set to a value'
-        assert json_payload['max_budget_in_team'] == 50.0
-
-    @pytest.mark.asyncio
-    async def test_update_user_in_team_excludes_max_budget_when_none(self):
-        """Test that _update_user_in_team does NOT include max_budget_in_team when None."""
-        mock_client = AsyncMock(spec=httpx.AsyncClient)
-        mock_response = MagicMock()
-        mock_response.is_success = True
-        mock_response.status_code = 200
-        mock_client.post.return_value = mock_response
-
-        with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-api-key'):
-            with patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'):
-                await LiteLlmManager._update_user_in_team(
-                    mock_client,
-                    keycloak_user_id='test-user-id',
-                    team_id='test-team-id',
-                    max_budget=None,  # None = no budget limit
-                )
-
-        # Verify the call was made
-        mock_client.post.assert_called_once()
-        call_args = mock_client.post.call_args
-
-        # Verify URL
-        assert call_args[0][0] == 'http://test.com/team/member_update'
-
-        # Verify that max_budget_in_team is NOT in the JSON payload
-        json_payload = call_args[1]['json']
-        assert 'max_budget_in_team' not in json_payload, (
-            'max_budget_in_team should NOT be in payload when None '
-            '(omitting it tells LiteLLM to disable budget enforcement)'
-        )
-
-    @pytest.mark.asyncio
-    async def test_update_user_in_team_includes_max_budget_when_set(self):
-        """Test that _update_user_in_team includes max_budget_in_team when set."""
-        mock_client = AsyncMock(spec=httpx.AsyncClient)
-        mock_response = MagicMock()
-        mock_response.is_success = True
-        mock_response.status_code = 200
-        mock_client.post.return_value = mock_response
-
-        with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-api-key'):
-            with patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'):
-                await LiteLlmManager._update_user_in_team(
-                    mock_client,
-                    keycloak_user_id='test-user-id',
-                    team_id='test-team-id',
-                    max_budget=75.0,  # Explicit budget limit
-                )
-
-        # Verify the call was made
-        mock_client.post.assert_called_once()
-        call_args = mock_client.post.call_args
-
-        # Verify that max_budget_in_team IS in the JSON payload
-        json_payload = call_args[1]['json']
-        assert (
-            'max_budget_in_team' in json_payload
-        ), 'max_budget_in_team should be in payload when set to a value'
-        assert json_payload['max_budget_in_team'] == 75.0

enterprise/tests/unit/test_org_invitation_service.py

@@ -98,11 +98,6 @@ class TestAcceptInvitationEmailValidation:
 
         mock_keycloak_user_info = {'email': 'alice@example.com'}  # Email from Keycloak
 
-        mock_org = MagicMock()
-        mock_org.default_llm_model = 'test-model'
-        mock_org.default_llm_base_url = None
-        mock_org.default_max_iterations = None
-
         with (
             patch(
                 'server.services.org_invitation_service.OrgInvitationStore.get_invitation_by_token',
@@ -126,10 +121,6 @@ class TestAcceptInvitationEmailValidation:
                 'server.services.org_invitation_service.OrgService.create_litellm_integration',
                 new_callable=AsyncMock,
             ) as mock_create_litellm,
-            patch(
-                'server.services.org_invitation_service.OrgStore.get_org_by_id',
-                new_callable=AsyncMock,
-            ) as mock_get_org,
             patch(
                 'server.services.org_invitation_service.OrgMemberStore.add_user_to_org',
                 new_callable=AsyncMock,
@@ -154,7 +145,6 @@ class TestAcceptInvitationEmailValidation:
             mock_settings = MagicMock()
             mock_settings.llm_api_key = SecretStr('test-key')
             mock_create_litellm.return_value = mock_settings
-            mock_get_org.return_value = mock_org
             mock_update_status.return_value = mock_invitation
 
             # Act - should not raise error because Keycloak email matches
@@ -224,11 +214,6 @@ class TestAcceptInvitationEmailValidation:
 
         mock_invitation.email = 'alice@example.com'  # Lowercase in invitation
 
-        mock_org = MagicMock()
-        mock_org.default_llm_model = 'test-model'
-        mock_org.default_llm_base_url = None
-        mock_org.default_max_iterations = None
-
         with (
             patch(
                 'server.services.org_invitation_service.OrgInvitationStore.get_invitation_by_token',
@@ -249,10 +234,6 @@ class TestAcceptInvitationEmailValidation:
                 'server.services.org_invitation_service.OrgService.create_litellm_integration',
                 new_callable=AsyncMock,
             ) as mock_create_litellm,
-            patch(
-                'server.services.org_invitation_service.OrgStore.get_org_by_id',
-                new_callable=AsyncMock,
-            ) as mock_get_org,
             patch(
                 'server.services.org_invitation_service.OrgMemberStore.add_user_to_org',
                 new_callable=AsyncMock,
@@ -269,7 +250,6 @@ class TestAcceptInvitationEmailValidation:
             mock_settings = MagicMock()
             mock_settings.llm_api_key = SecretStr('test-key')
             mock_create_litellm.return_value = mock_settings
-            mock_get_org.return_value = mock_org
             mock_update_status.return_value = mock_invitation
 
             # Act - should not raise error because emails match case-insensitively
@@ -278,75 +258,6 @@ class TestAcceptInvitationEmailValidation:
             # Assert - invitation was accepted (update_invitation_status was called)
             mock_update_status.assert_called_once()
 
-    @pytest.mark.asyncio
-    async def test_accept_invitation_inherits_org_llm_settings(self, mock_invitation):
-        """Test that new members inherit the organization's LLM settings when accepting invitation."""
-        # Arrange
-        user_id = UUID('87654321-4321-8765-4321-876543218765')
-        token = 'inv-test-token-12345'
-
-        mock_user = MagicMock()
-        mock_user.id = user_id
-        mock_user.email = 'alice@example.com'
-
-        mock_org = MagicMock()
-        mock_org.default_llm_model = 'claude-sonnet-4'
-        mock_org.default_llm_base_url = 'https://api.anthropic.com'
-        mock_org.default_max_iterations = 100
-
-        with (
-            patch(
-                'server.services.org_invitation_service.OrgInvitationStore.get_invitation_by_token',
-                new_callable=AsyncMock,
-            ) as mock_get_invitation,
-            patch(
-                'server.services.org_invitation_service.OrgInvitationStore.is_token_expired'
-            ) as mock_is_expired,
-            patch(
-                'server.services.org_invitation_service.UserStore.get_user_by_id',
-                new_callable=AsyncMock,
-            ) as mock_get_user,
-            patch(
-                'server.services.org_invitation_service.OrgMemberStore.get_org_member',
-                new_callable=AsyncMock,
-            ) as mock_get_member,
-            patch(
-                'server.services.org_invitation_service.OrgService.create_litellm_integration',
-                new_callable=AsyncMock,
-            ) as mock_create_litellm,
-            patch(
-                'server.services.org_invitation_service.OrgStore.get_org_by_id',
-                new_callable=AsyncMock,
-            ) as mock_get_org,
-            patch(
-                'server.services.org_invitation_service.OrgMemberStore.add_user_to_org',
-                new_callable=AsyncMock,
-            ) as mock_add_user,
-            patch(
-                'server.services.org_invitation_service.OrgInvitationStore.update_invitation_status',
-                new_callable=AsyncMock,
-            ) as mock_update_status,
-        ):
-            mock_get_invitation.return_value = mock_invitation
-            mock_is_expired.return_value = False
-            mock_get_user.return_value = mock_user
-            mock_get_member.return_value = None
-            mock_settings = MagicMock()
-            mock_settings.llm_api_key = SecretStr('test-key')
-            mock_create_litellm.return_value = mock_settings
-            mock_get_org.return_value = mock_org
-            mock_update_status.return_value = mock_invitation
-
-            # Act
-            await OrgInvitationService.accept_invitation(token, user_id)
-
-            # Assert - verify add_user_to_org was called with org's LLM settings
-            mock_add_user.assert_called_once()
-            call_kwargs = mock_add_user.call_args.kwargs
-            assert call_kwargs['llm_model'] == 'claude-sonnet-4'
-            assert call_kwargs['llm_base_url'] == 'https://api.anthropic.com'
-            assert call_kwargs['max_iterations'] == 100
-
 
 class TestCreateInvitationsBatch:
     """Test cases for batch invitation creation."""

enterprise/tests/unit/test_org_member_store.py

@@ -10,37 +10,6 @@ from storage.org_member import OrgMember
 from storage.org_member_store import OrgMemberStore
 from storage.role import Role
 from storage.user import User
-from storage.user_settings import UserSettings
-
-
-def test_get_kwargs_from_user_settings_uses_agent_settings_as_source_of_truth():
-    user_settings = UserSettings(
-        llm_api_key='legacy-secret',
-        agent_settings={
-            'schema_version': 1,
-            'agent': 'CodeActAgent',
-            'verification.confirmation_mode': True,
-            'verification.security_analyzer': 'llm',
-            'condenser.enabled': False,
-            'condenser.max_size': 128,
-            'llm.model': 'anthropic/claude-sonnet-4-5-20250929',
-            'llm.base_url': 'https://api.example.com',
-            'max_iterations': 42,
-        },
-    )
-
-    kwargs = OrgMemberStore.get_kwargs_from_user_settings(user_settings)
-
-    assert kwargs['llm_api_key'] == 'legacy-secret'
-    assert kwargs['llm_model'] == 'anthropic/claude-sonnet-4-5-20250929'
-    assert kwargs['llm_base_url'] == 'https://api.example.com'
-    assert kwargs['max_iterations'] == 42
-    assert kwargs['agent_settings'] == {
-        'schema_version': 1,
-        'llm.model': 'anthropic/claude-sonnet-4-5-20250929',
-        'llm.base_url': 'https://api.example.com',
-        'max_iterations': 42,
-    }
 
 
 @pytest.fixture
@@ -277,43 +246,6 @@ async def test_add_user_to_org(async_session_maker):
         assert org_member.status == 'active'
 
 
-@pytest.mark.asyncio
-async def test_add_user_to_org_with_llm_settings(async_session_maker):
-    """Test that add_user_to_org correctly sets inherited LLM settings from organization."""
-    # Arrange
-    async with async_session_maker() as session:
-        org = Org(name='test-org-llm')
-        session.add(org)
-        await session.flush()
-
-        user = User(id=uuid.uuid4(), current_org_id=org.id)
-        role = Role(name='member', rank=2)
-        session.add_all([user, role])
-        await session.commit()
-        org_id = org.id
-        user_id = user.id
-        role_id = role.id
-
-    # Act
-    with patch('storage.org_member_store.a_session_maker', async_session_maker):
-        org_member = await OrgMemberStore.add_user_to_org(
-            org_id=org_id,
-            user_id=user_id,
-            role_id=role_id,
-            llm_api_key='test-api-key',
-            status='active',
-            llm_model='claude-sonnet-4',
-            llm_base_url='https://api.example.com',
-            max_iterations=50,
-        )
-
-    # Assert
-    assert org_member is not None
-    assert org_member.llm_model == 'claude-sonnet-4'
-    assert org_member.llm_base_url == 'https://api.example.com'
-    assert org_member.max_iterations == 50
-
-
 @pytest.mark.asyncio
 async def test_update_user_role_in_org(async_session_maker):
     # Test updating user role in org

enterprise/tests/unit/test_org_store.py

@@ -144,86 +144,6 @@ async def test_create_org(async_session_maker, mock_litellm_api):
         assert org.id is not None
 
 
-@pytest.mark.asyncio
-async def test_create_org_v1_enabled_defaults_to_true_when_default_is_true(
-    async_session_maker, mock_litellm_api
-):
-    """
-    GIVEN: DEFAULT_V1_ENABLED is True and org.v1_enabled is not specified (None)
-    WHEN: create_org is called
-    THEN: org.v1_enabled should be set to True
-    """
-    with (
-        patch('storage.org_store.a_session_maker', async_session_maker),
-        patch('storage.org_store.DEFAULT_V1_ENABLED', True),
-    ):
-        org = await OrgStore.create_org(kwargs={'name': 'test-org-v1-default-true'})
-
-        assert org is not None
-        assert org.v1_enabled is True
-
-
-@pytest.mark.asyncio
-async def test_create_org_v1_enabled_defaults_to_false_when_default_is_false(
-    async_session_maker, mock_litellm_api
-):
-    """
-    GIVEN: DEFAULT_V1_ENABLED is False and org.v1_enabled is not specified (None)
-    WHEN: create_org is called
-    THEN: org.v1_enabled should be set to False
-    """
-    with (
-        patch('storage.org_store.a_session_maker', async_session_maker),
-        patch('storage.org_store.DEFAULT_V1_ENABLED', False),
-    ):
-        org = await OrgStore.create_org(kwargs={'name': 'test-org-v1-default-false'})
-
-        assert org is not None
-        assert org.v1_enabled is False
-
-
-@pytest.mark.asyncio
-async def test_create_org_v1_enabled_explicit_false_overrides_default_true(
-    async_session_maker, mock_litellm_api
-):
-    """
-    GIVEN: DEFAULT_V1_ENABLED is True but org.v1_enabled is explicitly set to False
-    WHEN: create_org is called
-    THEN: org.v1_enabled should stay False (explicit value wins over default)
-    """
-    with (
-        patch('storage.org_store.a_session_maker', async_session_maker),
-        patch('storage.org_store.DEFAULT_V1_ENABLED', True),
-    ):
-        org = await OrgStore.create_org(
-            kwargs={'name': 'test-org-v1-explicit-false', 'v1_enabled': False}
-        )
-
-        assert org is not None
-        assert org.v1_enabled is False
-
-
-@pytest.mark.asyncio
-async def test_create_org_v1_enabled_explicit_true_overrides_default_false(
-    async_session_maker, mock_litellm_api
-):
-    """
-    GIVEN: DEFAULT_V1_ENABLED is False but org.v1_enabled is explicitly set to True
-    WHEN: create_org is called
-    THEN: org.v1_enabled should stay True (explicit value wins over default)
-    """
-    with (
-        patch('storage.org_store.a_session_maker', async_session_maker),
-        patch('storage.org_store.DEFAULT_V1_ENABLED', False),
-    ):
-        org = await OrgStore.create_org(
-            kwargs={'name': 'test-org-v1-explicit-true', 'v1_enabled': True}
-        )
-
-        assert org is not None
-        assert org.v1_enabled is True
-
-
 @pytest.mark.asyncio
 async def test_get_org_by_name(async_session_maker, mock_litellm_api):
     # Test getting org by name

enterprise/tests/unit/test_saas_secrets_store.py

@@ -246,82 +246,3 @@ class TestSaasSecretsStore:
         assert isinstance(store, SaasSecretsStore)
         assert store.user_id == 'test-user-id'
         assert store.config == mock_config
-
-    @pytest.mark.asyncio
-    @patch(
-        'storage.saas_secrets_store.UserStore.get_user_by_id',
-        new_callable=AsyncMock,
-    )
-    async def test_secrets_isolation_between_organizations(
-        self, mock_get_user, secrets_store, mock_user
-    ):
-        """Test that secrets from one organization are not deleted when storing
-        secrets in another organization. This reproduces a bug where switching
-        organizations and creating a secret would delete all secrets from the
-        user's personal workspace."""
-        org1_id = UUID('a1111111-1111-1111-1111-111111111111')
-        org2_id = UUID('b2222222-2222-2222-2222-222222222222')
-
-        # Store secrets in org1 (personal workspace)
-        mock_user.current_org_id = org1_id
-        mock_get_user.return_value = mock_user
-        org1_secrets = Secrets(
-            custom_secrets=MappingProxyType(
-                {
-                    'personal_secret': CustomSecret.from_value(
-                        {
-                            'secret': 'personal_secret_value',
-                            'description': 'My personal secret',
-                        }
-                    ),
-                }
-            )
-        )
-        await secrets_store.store(org1_secrets)
-
-        # Verify org1 secrets are stored
-        loaded_org1 = await secrets_store.load()
-        assert loaded_org1 is not None
-        assert 'personal_secret' in loaded_org1.custom_secrets
-        assert (
-            loaded_org1.custom_secrets['personal_secret'].secret.get_secret_value()
-            == 'personal_secret_value'
-        )
-
-        # Switch to org2 and store secrets there
-        mock_user.current_org_id = org2_id
-        mock_get_user.return_value = mock_user
-        org2_secrets = Secrets(
-            custom_secrets=MappingProxyType(
-                {
-                    'org2_secret': CustomSecret.from_value(
-                        {'secret': 'org2_secret_value', 'description': 'Org2 secret'}
-                    ),
-                }
-            )
-        )
-        await secrets_store.store(org2_secrets)
-
-        # Verify org2 secrets are stored
-        loaded_org2 = await secrets_store.load()
-        assert loaded_org2 is not None
-        assert 'org2_secret' in loaded_org2.custom_secrets
-        assert (
-            loaded_org2.custom_secrets['org2_secret'].secret.get_secret_value()
-            == 'org2_secret_value'
-        )
-
-        # Switch back to org1 and verify secrets are still there
-        mock_user.current_org_id = org1_id
-        mock_get_user.return_value = mock_user
-        loaded_org1_again = await secrets_store.load()
-        assert loaded_org1_again is not None
-        assert 'personal_secret' in loaded_org1_again.custom_secrets
-        assert (
-            loaded_org1_again.custom_secrets[
-                'personal_secret'
-            ].secret.get_secret_value()
-            == 'personal_secret_value'
-        )
-        # Verify org2 secrets are NOT visible in org1
-        assert 'org2_secret' not in loaded_org1_again.custom_secrets

enterprise/tests/unit/test_saas_settings_store.py

@@ -26,29 +26,6 @@ def mock_config():
     return config
 
 
-def test_member_scoped_agent_settings_filters_effective_settings(mock_config):
-    store = SaasSettingsStore('test-user-id', mock_config)
-    effective_settings = Settings(
-        agent='CodeActAgent',
-        llm_model='anthropic/claude-sonnet-4-5-20250929',
-        llm_base_url='https://api.example.com',
-        max_iterations=42,
-        confirmation_mode=True,
-        security_analyzer='llm',
-        enable_default_condenser=False,
-        condenser_max_size=128,
-    )
-
-    assert store._member_scoped_agent_settings(
-        effective_settings.normalized_agent_settings(strip_secret_values=True)
-    ) == {
-        'schema_version': 1,
-        'llm.model': 'anthropic/claude-sonnet-4-5-20250929',
-        'llm.base_url': 'https://api.example.com',
-        'max_iterations': 42,
-    }
-
-
 @pytest.fixture
 def settings_store(async_session_maker, mock_config):
     store = SaasSettingsStore('5594c7b6-f959-4b81-92e9-b09c206f5081', mock_config)
@@ -102,7 +79,6 @@ def settings_store(async_session_maker, mock_config):
 
             # Encrypt the data before storing
             store._encrypt_kwargs(item_dict)
-            item_dict['agent_settings'] = item.agent_settings
 
             # Continue with the original implementation
             from sqlalchemy import select
@@ -143,10 +119,6 @@ async def test_store_and_load_keycloak_user(settings_store):
         agent='smith',
         email='test@example.com',
         email_verified=True,
-        agent_settings={
-            'critic_mode': 'all_actions',
-            'enable_critic': True,
-        },
     )
 
     await settings_store.store(settings)
@@ -154,8 +126,6 @@ async def test_store_and_load_keycloak_user(settings_store):
     # Load and verify settings
     loaded_settings = await settings_store.load()
     assert loaded_settings is not None
-    assert loaded_settings.agent_settings['critic_mode'] == 'all_actions'
-    assert loaded_settings.agent_settings['enable_critic'] is True
     assert loaded_settings.llm_api_key.get_secret_value() == 'secret_key'
     assert loaded_settings.agent == 'smith'
 
@@ -170,7 +140,7 @@ async def test_store_and_load_keycloak_user(settings_store):
         )
         stored = result.scalars().first()
         assert stored is not None
-        assert stored.agent_settings['agent'] == 'smith'
+        assert stored.agent == 'smith'
 
 
 @pytest.mark.asyncio
@@ -426,44 +396,3 @@ async def test_store_propagates_llm_settings_to_all_org_members(
             assert (
                 decrypted_key == 'new-shared-api-key'
             ), f'Expected llm_api_key to decrypt to new-shared-api-key for member {member.user_id}'
-
-
-@pytest.mark.asyncio
-async def test_store_updates_org_default_llm_settings(
-    session_maker, async_session_maker, mock_config, org_with_multiple_members_fixture
-):
-    """When admin saves LLM settings, org's default_llm_model/base_url/max_iterations should be updated.
-
-    This test verifies that the Org table's default settings are updated so that
-    new members joining later will inherit the correct LLM configuration.
-    """
-    from sqlalchemy import select
-    from storage.org import Org
-
-    # Arrange
-    fixture = org_with_multiple_members_fixture
-    org_id = fixture['org_id']
-    admin_user_id = str(fixture['admin_user_id'])
-
-    store = SaasSettingsStore(admin_user_id, mock_config)
-
-    new_settings = DataSettings(
-        llm_model='anthropic/claude-sonnet-4',
-        llm_base_url='https://api.anthropic.com/v1',
-        max_iterations=75,
-        llm_api_key=SecretStr('test-api-key'),
-    )
-
-    # Act
-    with patch('storage.saas_settings_store.a_session_maker', async_session_maker):
-        await store.store(new_settings)
-
-    # Assert - verify org's default fields were updated
-    with session_maker() as session:
-        result = session.execute(select(Org).where(Org.id == org_id))
-        org = result.scalars().first()
-
-        assert org is not None
-        assert org.default_llm_model == 'anthropic/claude-sonnet-4'
-        assert org.default_llm_base_url == 'https://api.anthropic.com/v1'
-        assert org.default_max_iterations == 75

enterprise/tests/unit/test_saas_user_auth.py

@@ -1,5 +1,4 @@
 import time
-import uuid
 from unittest.mock import AsyncMock, MagicMock, patch
 
 import jwt
@@ -19,7 +18,6 @@ from server.auth.saas_user_auth import (
     saas_user_auth_from_cookie,
     saas_user_auth_from_signed_token,
 )
-from storage.api_key_store import ApiKeyValidationResult
 from storage.user_authorization import UserAuthorizationType
 
 from openhands.integrations.provider import ProviderToken, ProviderType
@@ -459,8 +457,7 @@ async def test_get_instance_no_auth(mock_request):
 
 @pytest.mark.asyncio
 async def test_saas_user_auth_from_bearer_success():
-    """Test successful authentication from bearer token sets user_id and api_key_org_id."""
-    # Arrange
+    """Test successful authentication from bearer token."""
     mock_request = MagicMock()
     mock_request.headers = {'Authorization': 'Bearer test_api_key'}
 
@@ -471,22 +468,12 @@ async def test_saas_user_auth_from_bearer_success():
         algorithm='HS256',
     )
 
-    mock_org_id = uuid.uuid4()
-    mock_validation_result = ApiKeyValidationResult(
-        user_id='test_user_id',
-        org_id=mock_org_id,
-        key_id=42,
-        key_name='Test Key',
-    )
-
     with (
         patch('server.auth.saas_user_auth.ApiKeyStore') as mock_api_key_store_cls,
         patch('server.auth.saas_user_auth.token_manager') as mock_token_manager,
     ):
         mock_api_key_store = MagicMock()
-        mock_api_key_store.validate_api_key = AsyncMock(
-            return_value=mock_validation_result
-        )
+        mock_api_key_store.validate_api_key = AsyncMock(return_value='test_user_id')
         mock_api_key_store_cls.get_instance.return_value = mock_api_key_store
 
         mock_token_manager.load_offline_token = AsyncMock(return_value=offline_token)
@@ -498,9 +485,6 @@ async def test_saas_user_auth_from_bearer_success():
 
         assert isinstance(result, SaasUserAuth)
         assert result.user_id == 'test_user_id'
-        assert result.api_key_org_id == mock_org_id
-        assert result.api_key_id == 42
-        assert result.api_key_name == 'Test Key'
         mock_api_key_store.validate_api_key.assert_called_once_with('test_api_key')
         mock_token_manager.load_offline_token.assert_called_once_with('test_user_id')
         mock_token_manager.refresh.assert_called_once_with(offline_token)

enterprise/tests/unit/test_sharing/test_aws_shared_event_service.py

@@ -1,555 +0,0 @@
-"""Tests for AwsSharedEventService."""
-
-import os
-from datetime import UTC, datetime
-from unittest.mock import AsyncMock, MagicMock, patch
-from uuid import uuid4
-
-import pytest
-from server.sharing.aws_shared_event_service import (
-    AwsSharedEventService,
-    AwsSharedEventServiceInjector,
-)
-from server.sharing.shared_conversation_info_service import (
-    SharedConversationInfoService,
-)
-from server.sharing.shared_conversation_models import SharedConversation
-
-from openhands.agent_server.models import EventPage, EventSortOrder
-from openhands.app_server.event.event_service import EventService
-from openhands.sdk.llm import MetricsSnapshot
-from openhands.sdk.llm.utils.metrics import TokenUsage
-
-
-@pytest.fixture
-def mock_shared_conversation_info_service():
-    """Create a mock SharedConversationInfoService."""
-    return AsyncMock(spec=SharedConversationInfoService)
-
-
-@pytest.fixture
-def mock_s3_client():
-    """Create a mock S3 client."""
-    return MagicMock()
-
-
-@pytest.fixture
-def mock_event_service():
-    """Create a mock EventService for returned by get_event_service."""
-    return AsyncMock(spec=EventService)
-
-
-@pytest.fixture
-def aws_shared_event_service(mock_shared_conversation_info_service, mock_s3_client):
-    """Create an AwsSharedEventService for testing."""
-    return AwsSharedEventService(
-        shared_conversation_info_service=mock_shared_conversation_info_service,
-        s3_client=mock_s3_client,
-        bucket_name='test-bucket',
-    )
-
-
-@pytest.fixture
-def sample_public_conversation():
-    """Create a sample public conversation."""
-    return SharedConversation(
-        id=uuid4(),
-        created_by_user_id='test_user',
-        sandbox_id='test_sandbox',
-        title='Test Public Conversation',
-        created_at=datetime.now(UTC),
-        updated_at=datetime.now(UTC),
-        metrics=MetricsSnapshot(
-            accumulated_cost=0.0,
-            max_budget_per_task=10.0,
-            accumulated_token_usage=TokenUsage(),
-        ),
-    )
-
-
-@pytest.fixture
-def sample_event():
-    """Create a sample event."""
-    # For testing purposes, we'll just use a mock that the EventPage can accept
-    # The actual event creation is complex and not the focus of these tests
-    return None
-
-
-class TestAwsSharedEventService:
-    """Test cases for AwsSharedEventService."""
-
-    async def test_get_shared_event_returns_event_for_public_conversation(
-        self,
-        aws_shared_event_service,
-        mock_shared_conversation_info_service,
-        mock_event_service,
-        sample_public_conversation,
-        sample_event,
-    ):
-        """Test that get_shared_event returns an event for a public conversation."""
-        conversation_id = sample_public_conversation.id
-        event_id = uuid4()
-
-        # Mock the public conversation service to return a public conversation
-        mock_shared_conversation_info_service.get_shared_conversation_info.return_value = sample_public_conversation
-
-        # Mock get_event_service to return our mock event service
-        aws_shared_event_service.get_event_service = AsyncMock(
-            return_value=mock_event_service
-        )
-
-        # Mock the event service to return an event
-        mock_event_service.get_event.return_value = sample_event
-
-        # Call the method
-        result = await aws_shared_event_service.get_shared_event(
-            conversation_id, event_id
-        )
-
-        # Verify the result
-        assert result == sample_event
-        aws_shared_event_service.get_event_service.assert_called_once_with(
-            conversation_id
-        )
-        mock_event_service.get_event.assert_called_once_with(conversation_id, event_id)
-
-    async def test_get_shared_event_returns_none_for_private_conversation(
-        self,
-        aws_shared_event_service,
-        mock_shared_conversation_info_service,
-        mock_event_service,
-    ):
-        """Test that get_shared_event returns None for a private conversation."""
-        conversation_id = uuid4()
-        event_id = uuid4()
-
-        # Mock get_event_service to return None (private conversation)
-        aws_shared_event_service.get_event_service = AsyncMock(return_value=None)
-
-        # Call the method
-        result = await aws_shared_event_service.get_shared_event(
-            conversation_id, event_id
-        )
-
-        # Verify the result
-        assert result is None
-        aws_shared_event_service.get_event_service.assert_called_once_with(
-            conversation_id
-        )
-        # Event service should not be called since get_event_service returns None
-        mock_event_service.get_event.assert_not_called()
-
-    async def test_search_shared_events_returns_events_for_public_conversation(
-        self,
-        aws_shared_event_service,
-        mock_shared_conversation_info_service,
-        mock_event_service,
-        sample_public_conversation,
-        sample_event,
-    ):
-        """Test that search_shared_events returns events for a public conversation."""
-        conversation_id = sample_public_conversation.id
-
-        # Mock get_event_service to return our mock event service
-        aws_shared_event_service.get_event_service = AsyncMock(
-            return_value=mock_event_service
-        )
-
-        # Mock the event service to return events
-        mock_event_page = EventPage(items=[], next_page_id=None)
-        mock_event_service.search_events.return_value = mock_event_page
-
-        # Call the method
-        result = await aws_shared_event_service.search_shared_events(
-            conversation_id=conversation_id,
-            kind__eq='ActionEvent',
-            limit=10,
-        )
-
-        # Verify the result
-        assert result == mock_event_page
-        assert len(result.items) == 0  # Empty list as we mocked
-
-        aws_shared_event_service.get_event_service.assert_called_once_with(
-            conversation_id
-        )
-        mock_event_service.search_events.assert_called_once_with(
-            conversation_id=conversation_id,
-            kind__eq='ActionEvent',
-            timestamp__gte=None,
-            timestamp__lt=None,
-            sort_order=EventSortOrder.TIMESTAMP,
-            page_id=None,
-            limit=10,
-        )
-
-    async def test_search_shared_events_returns_empty_for_private_conversation(
-        self,
-        aws_shared_event_service,
-        mock_shared_conversation_info_service,
-        mock_event_service,
-    ):
-        """Test that search_shared_events returns empty page for a private conversation."""
-        conversation_id = uuid4()
-
-        # Mock get_event_service to return None (private conversation)
-        aws_shared_event_service.get_event_service = AsyncMock(return_value=None)
-
-        # Call the method
-        result = await aws_shared_event_service.search_shared_events(
-            conversation_id=conversation_id,
-            limit=10,
-        )
-
-        # Verify the result
-        assert isinstance(result, EventPage)
-        assert len(result.items) == 0
-        assert result.next_page_id is None
-
-        aws_shared_event_service.get_event_service.assert_called_once_with(
-            conversation_id
-        )
-        # Event service should not be called
-        mock_event_service.search_events.assert_not_called()
-
-    async def test_count_shared_events_returns_count_for_public_conversation(
-        self,
-        aws_shared_event_service,
-        mock_shared_conversation_info_service,
-        mock_event_service,
-        sample_public_conversation,
-    ):
-        """Test that count_shared_events returns count for a public conversation."""
-        conversation_id = sample_public_conversation.id
-
-        # Mock get_event_service to return our mock event service
-        aws_shared_event_service.get_event_service = AsyncMock(
-            return_value=mock_event_service
-        )
-
-        # Mock the event service to return a count
-        mock_event_service.count_events.return_value = 5
-
-        # Call the method
-        result = await aws_shared_event_service.count_shared_events(
-            conversation_id=conversation_id,
-            kind__eq='ActionEvent',
-        )
-
-        # Verify the result
-        assert result == 5
-
-        aws_shared_event_service.get_event_service.assert_called_once_with(
-            conversation_id
-        )
-        mock_event_service.count_events.assert_called_once_with(
-            conversation_id=conversation_id,
-            kind__eq='ActionEvent',
-            timestamp__gte=None,
-            timestamp__lt=None,
-        )
-
-    async def test_count_shared_events_returns_zero_for_private_conversation(
-        self,
-        aws_shared_event_service,
-        mock_shared_conversation_info_service,
-        mock_event_service,
-    ):
-        """Test that count_shared_events returns 0 for a private conversation."""
-        conversation_id = uuid4()
-
-        # Mock get_event_service to return None (private conversation)
-        aws_shared_event_service.get_event_service = AsyncMock(return_value=None)
-
-        # Call the method
-        result = await aws_shared_event_service.count_shared_events(
-            conversation_id=conversation_id,
-        )
-
-        # Verify the result
-        assert result == 0
-
-        aws_shared_event_service.get_event_service.assert_called_once_with(
-            conversation_id
-        )
-        # Event service should not be called
-        mock_event_service.count_events.assert_not_called()
-
-    async def test_batch_get_shared_events_returns_events_for_public_conversation(
-        self,
-        aws_shared_event_service,
-        mock_shared_conversation_info_service,
-        mock_event_service,
-        sample_public_conversation,
-        sample_event,
-    ):
-        """Test that batch_get_shared_events returns events for a public conversation."""
-        conversation_id = sample_public_conversation.id
-        event_ids = [uuid4() for _ in range(3)]
-
-        # Mock get_event_service to return our mock event service
-        aws_shared_event_service.get_event_service = AsyncMock(
-            return_value=mock_event_service
-        )
-
-        # Mock the event service to return events
-        mock_event_service.get_event.return_value = sample_event
-
-        # Call the method
-        results = await aws_shared_event_service.batch_get_shared_events(
-            conversation_id, event_ids
-        )
-
-        # Verify the results
-        assert len(results) == 3
-        assert all(result == sample_event for result in results)
-
-
-class TestAwsSharedEventServiceGetEventService:
-    """Test cases for AwsSharedEventService.get_event_service method."""
-
-    async def test_get_event_service_returns_event_service_for_shared_conversation(
-        self,
-        aws_shared_event_service,
-        mock_shared_conversation_info_service,
-        sample_public_conversation,
-    ):
-        """Test that get_event_service returns an EventService for a shared conversation."""
-        conversation_id = sample_public_conversation.id
-
-        # Mock the shared conversation info service to return a shared conversation
-        mock_shared_conversation_info_service.get_shared_conversation_info.return_value = sample_public_conversation
-
-        # Call the method
-        result = await aws_shared_event_service.get_event_service(conversation_id)
-
-        # Verify the result
-        assert result is not None
-        mock_shared_conversation_info_service.get_shared_conversation_info.assert_called_once_with(
-            conversation_id
-        )
-
-    async def test_get_event_service_returns_none_for_non_shared_conversation(
-        self,
-        aws_shared_event_service,
-        mock_shared_conversation_info_service,
-    ):
-        """Test that get_event_service returns None for a non-shared conversation."""
-        conversation_id = uuid4()
-
-        # Mock the shared conversation info service to return None
-        mock_shared_conversation_info_service.get_shared_conversation_info.return_value = None
-
-        # Call the method
-        result = await aws_shared_event_service.get_event_service(conversation_id)
-
-        # Verify the result
-        assert result is None
-        mock_shared_conversation_info_service.get_shared_conversation_info.assert_called_once_with(
-            conversation_id
-        )
-
-
-class TestAwsSharedEventServiceInjector:
-    """Test cases for AwsSharedEventServiceInjector."""
-
-    def test_bucket_name_from_environment_variable(self):
-        """Test that bucket_name is read from FILE_STORE_PATH environment variable."""
-        test_bucket_name = 'test-bucket-name'
-        with patch.dict(os.environ, {'FILE_STORE_PATH': test_bucket_name}):
-            # Create a new injector instance to pick up the environment variable
-            # Note: The class attribute is evaluated at class definition time,
-            # so we need to test that the attribute exists and can be overridden
-            injector = AwsSharedEventServiceInjector()
-            injector.bucket_name = os.environ.get('FILE_STORE_PATH')
-            assert injector.bucket_name == test_bucket_name
-
-    def test_bucket_name_default_value_when_env_not_set(self):
-        """Test that bucket_name is None when FILE_STORE_PATH is not set."""
-        with patch.dict(os.environ, {}, clear=True):
-            # Remove FILE_STORE_PATH if it exists
-            os.environ.pop('FILE_STORE_PATH', None)
-            injector = AwsSharedEventServiceInjector()
-            # The bucket_name will be whatever was set at class definition time
-            # or None if FILE_STORE_PATH was not set when the class was defined
-            assert hasattr(injector, 'bucket_name')
-
-    async def test_injector_yields_aws_shared_event_service(self):
-        """Test that the injector yields an AwsSharedEventService instance."""
-        mock_state = MagicMock()
-        mock_request = MagicMock()
-        mock_db_session = AsyncMock()
-
-        # Create the injector
-        injector = AwsSharedEventServiceInjector()
-        injector.bucket_name = 'test-bucket'
-
-        # Mock the get_db_session context manager
-        mock_db_context = AsyncMock()
-        mock_db_context.__aenter__.return_value = mock_db_session
-        mock_db_context.__aexit__.return_value = None
-
-        # Mock boto3.client
-        mock_s3_client = MagicMock()
-
-        with (
-            patch(
-                'server.sharing.aws_shared_event_service.boto3.client',
-                return_value=mock_s3_client,
-            ),
-            patch(
-                'openhands.app_server.config.get_db_session',
-                return_value=mock_db_context,
-            ),
-        ):
-            # Call the inject method
-            async for service in injector.inject(mock_state, mock_request):
-                # Verify the service is an instance of AwsSharedEventService
-                assert isinstance(service, AwsSharedEventService)
-                assert service.s3_client == mock_s3_client
-                assert service.bucket_name == 'test-bucket'
-
-    async def test_injector_uses_bucket_name_from_instance(self):
-        """Test that the injector uses the bucket_name from the instance."""
-        mock_state = MagicMock()
-        mock_request = MagicMock()
-        mock_db_session = AsyncMock()
-
-        # Create the injector with a specific bucket name
-        injector = AwsSharedEventServiceInjector()
-        injector.bucket_name = 'my-custom-bucket'
-
-        # Mock the get_db_session context manager
-        mock_db_context = AsyncMock()
-        mock_db_context.__aenter__.return_value = mock_db_session
-        mock_db_context.__aexit__.return_value = None
-
-        # Mock boto3.client
-        mock_s3_client = MagicMock()
-
-        with (
-            patch(
-                'server.sharing.aws_shared_event_service.boto3.client',
-                return_value=mock_s3_client,
-            ),
-            patch(
-                'openhands.app_server.config.get_db_session',
-                return_value=mock_db_context,
-            ),
-        ):
-            # Call the inject method
-            async for service in injector.inject(mock_state, mock_request):
-                assert service.bucket_name == 'my-custom-bucket'
-
-    async def test_injector_creates_sql_shared_conversation_info_service(self):
-        """Test that the injector creates SQLSharedConversationInfoService with db_session."""
-        mock_state = MagicMock()
-        mock_request = MagicMock()
-        mock_db_session = AsyncMock()
-
-        # Create the injector
-        injector = AwsSharedEventServiceInjector()
-        injector.bucket_name = 'test-bucket'
-
-        # Mock the get_db_session context manager
-        mock_db_context = AsyncMock()
-        mock_db_context.__aenter__.return_value = mock_db_session
-        mock_db_context.__aexit__.return_value = None
-
-        # Mock boto3.client
-        mock_s3_client = MagicMock()
-
-        with (
-            patch(
-                'server.sharing.aws_shared_event_service.boto3.client',
-                return_value=mock_s3_client,
-            ),
-            patch(
-                'openhands.app_server.config.get_db_session',
-                return_value=mock_db_context,
-            ),
-            patch(
-                'server.sharing.aws_shared_event_service.SQLSharedConversationInfoService'
-            ) as mock_sql_service_class,
-        ):
-            mock_sql_service = MagicMock()
-            mock_sql_service_class.return_value = mock_sql_service
-
-            # Call the inject method
-            async for service in injector.inject(mock_state, mock_request):
-                # Verify the service has the correct shared_conversation_info_service
-                assert service.shared_conversation_info_service == mock_sql_service
-
-            # Verify SQLSharedConversationInfoService was created with db_session
-            mock_sql_service_class.assert_called_once_with(db_session=mock_db_session)
-
-    async def test_injector_works_without_request(self):
-        """Test that the injector works when request is None."""
-        mock_state = MagicMock()
-        mock_db_session = AsyncMock()
-
-        # Create the injector
-        injector = AwsSharedEventServiceInjector()
-        injector.bucket_name = 'test-bucket'
-
-        # Mock the get_db_session context manager
-        mock_db_context = AsyncMock()
-        mock_db_context.__aenter__.return_value = mock_db_session
-        mock_db_context.__aexit__.return_value = None
-
-        # Mock boto3.client
-        mock_s3_client = MagicMock()
-
-        with (
-            patch(
-                'server.sharing.aws_shared_event_service.boto3.client',
-                return_value=mock_s3_client,
-            ),
-            patch(
-                'openhands.app_server.config.get_db_session',
-                return_value=mock_db_context,
-            ),
-        ):
-            # Call the inject method with request=None
-            async for service in injector.inject(mock_state, request=None):
-                assert isinstance(service, AwsSharedEventService)
-
-    async def test_injector_uses_role_based_authentication(self):
-        """Test that the injector uses role-based authentication (no explicit credentials)."""
-        mock_state = MagicMock()
-        mock_request = MagicMock()
-        mock_db_session = AsyncMock()
-
-        # Create the injector
-        injector = AwsSharedEventServiceInjector()
-        injector.bucket_name = 'test-bucket'
-
-        # Mock the get_db_session context manager
-        mock_db_context = AsyncMock()
-        mock_db_context.__aenter__.return_value = mock_db_session
-        mock_db_context.__aexit__.return_value = None
-
-        # Mock boto3.client
-        mock_s3_client = MagicMock()
-
-        with (
-            patch(
-                'server.sharing.aws_shared_event_service.boto3.client',
-                return_value=mock_s3_client,
-            ) as mock_boto3_client,
-            patch(
-                'openhands.app_server.config.get_db_session',
-                return_value=mock_db_context,
-            ),
-            patch.dict(os.environ, {'AWS_S3_ENDPOINT': 'https://s3.example.com'}),
-        ):
-            # Call the inject method
-            async for service in injector.inject(mock_state, mock_request):
-                pass
-
-            # Verify boto3.client was called with 's3' and endpoint_url
-            # but without explicit credentials (role-based auth)
-            mock_boto3_client.assert_called_once_with(
-                's3',
-                endpoint_url='https://s3.example.com',
-            )

enterprise/tests/unit/test_sharing/test_shared_event_router.py

@@ -1,171 +0,0 @@
-"""Tests for shared_event_router provider selection.
-
-This module tests the get_shared_event_service_injector function which
-determines which SharedEventServiceInjector to use based on environment variables.
-"""
-
-import os
-from unittest.mock import patch
-
-from server.sharing.aws_shared_event_service import AwsSharedEventServiceInjector
-from server.sharing.google_cloud_shared_event_service import (
-    GoogleCloudSharedEventServiceInjector,
-)
-from server.sharing.shared_event_router import get_shared_event_service_injector
-
-
-class TestGetSharedEventServiceInjector:
-    """Test cases for get_shared_event_service_injector function."""
-
-    def test_defaults_to_google_cloud_when_no_env_set(self):
-        """Test that GoogleCloudSharedEventServiceInjector is used when no env is set."""
-        with patch.dict(
-            os.environ,
-            {},
-            clear=True,
-        ):
-            os.environ.pop('SHARED_EVENT_STORAGE_PROVIDER', None)
-            os.environ.pop('FILE_STORE', None)
-
-            injector = get_shared_event_service_injector()
-
-            assert isinstance(injector, GoogleCloudSharedEventServiceInjector)
-
-    def test_uses_google_cloud_when_file_store_google_cloud(self):
-        """Test that GoogleCloudSharedEventServiceInjector is used when FILE_STORE=google_cloud."""
-        with patch.dict(
-            os.environ,
-            {
-                'FILE_STORE': 'google_cloud',
-            },
-            clear=True,
-        ):
-            os.environ.pop('SHARED_EVENT_STORAGE_PROVIDER', None)
-
-            injector = get_shared_event_service_injector()
-
-            assert isinstance(injector, GoogleCloudSharedEventServiceInjector)
-
-    def test_uses_aws_when_provider_aws(self):
-        """Test that AwsSharedEventServiceInjector is used when SHARED_EVENT_STORAGE_PROVIDER=aws."""
-        with patch.dict(
-            os.environ,
-            {
-                'SHARED_EVENT_STORAGE_PROVIDER': 'aws',
-            },
-            clear=True,
-        ):
-            injector = get_shared_event_service_injector()
-
-            assert isinstance(injector, AwsSharedEventServiceInjector)
-
-    def test_uses_gcp_when_provider_gcp(self):
-        """Test that GoogleCloudSharedEventServiceInjector is used when SHARED_EVENT_STORAGE_PROVIDER=gcp."""
-        with patch.dict(
-            os.environ,
-            {
-                'SHARED_EVENT_STORAGE_PROVIDER': 'gcp',
-            },
-            clear=True,
-        ):
-            injector = get_shared_event_service_injector()
-
-            assert isinstance(injector, GoogleCloudSharedEventServiceInjector)
-
-    def test_uses_gcp_when_provider_google_cloud(self):
-        """Test that GoogleCloudSharedEventServiceInjector is used when SHARED_EVENT_STORAGE_PROVIDER=google_cloud."""
-        with patch.dict(
-            os.environ,
-            {
-                'SHARED_EVENT_STORAGE_PROVIDER': 'google_cloud',
-            },
-            clear=True,
-        ):
-            injector = get_shared_event_service_injector()
-
-            assert isinstance(injector, GoogleCloudSharedEventServiceInjector)
-
-    def test_provider_takes_precedence_over_file_store(self):
-        """Test that SHARED_EVENT_STORAGE_PROVIDER takes precedence over FILE_STORE."""
-        with patch.dict(
-            os.environ,
-            {
-                'SHARED_EVENT_STORAGE_PROVIDER': 'aws',
-                'FILE_STORE': 'google_cloud',
-            },
-            clear=True,
-        ):
-            injector = get_shared_event_service_injector()
-
-            # Should use AWS because SHARED_EVENT_STORAGE_PROVIDER takes precedence
-            assert isinstance(injector, AwsSharedEventServiceInjector)
-
-    def test_provider_gcp_takes_precedence_over_file_store_s3(self):
-        """Test that SHARED_EVENT_STORAGE_PROVIDER=gcp takes precedence over FILE_STORE=s3."""
-        with patch.dict(
-            os.environ,
-            {
-                'SHARED_EVENT_STORAGE_PROVIDER': 'gcp',
-                'FILE_STORE': 's3',
-            },
-            clear=True,
-        ):
-            injector = get_shared_event_service_injector()
-
-            # Should use GCP because SHARED_EVENT_STORAGE_PROVIDER takes precedence
-            assert isinstance(injector, GoogleCloudSharedEventServiceInjector)
-
-    def test_provider_is_case_insensitive_aws(self):
-        """Test that SHARED_EVENT_STORAGE_PROVIDER is case insensitive for AWS."""
-        with patch.dict(
-            os.environ,
-            {
-                'SHARED_EVENT_STORAGE_PROVIDER': 'AWS',
-            },
-            clear=True,
-        ):
-            injector = get_shared_event_service_injector()
-
-            assert isinstance(injector, AwsSharedEventServiceInjector)
-
-    def test_provider_is_case_insensitive_gcp(self):
-        """Test that SHARED_EVENT_STORAGE_PROVIDER is case insensitive for GCP."""
-        with patch.dict(
-            os.environ,
-            {
-                'SHARED_EVENT_STORAGE_PROVIDER': 'GCP',
-            },
-            clear=True,
-        ):
-            injector = get_shared_event_service_injector()
-
-            assert isinstance(injector, GoogleCloudSharedEventServiceInjector)
-
-    def test_unknown_provider_defaults_to_google_cloud(self):
-        """Test that unknown provider defaults to GoogleCloudSharedEventServiceInjector."""
-        with patch.dict(
-            os.environ,
-            {
-                'SHARED_EVENT_STORAGE_PROVIDER': 'unknown_provider',
-            },
-            clear=True,
-        ):
-            injector = get_shared_event_service_injector()
-
-            # Should default to GCP for unknown providers
-            assert isinstance(injector, GoogleCloudSharedEventServiceInjector)
-
-    def test_empty_provider_falls_back_to_file_store(self):
-        """Test that empty SHARED_EVENT_STORAGE_PROVIDER falls back to FILE_STORE."""
-        with patch.dict(
-            os.environ,
-            {
-                'SHARED_EVENT_STORAGE_PROVIDER': '',
-                'FILE_STORE': 'google_cloud',
-            },
-            clear=True,
-        ):
-            injector = get_shared_event_service_injector()
-
-            # Should default to GCP for unknown providers
-            assert isinstance(injector, GoogleCloudSharedEventServiceInjector)

enterprise/tests/unit/test_user_store.py

@@ -101,72 +101,6 @@ async def test_create_default_settings_with_litellm(mock_litellm_api):
     assert settings.llm_base_url == 'http://test.url'
 
 
-@pytest.mark.asyncio
-async def test_create_default_settings_v1_enabled_true_when_default_is_true(
-    mock_litellm_api,
-):
-    """
-    GIVEN: DEFAULT_V1_ENABLED is True
-    WHEN: create_default_settings is called
-    THEN: The default_settings.v1_enabled should be set to True
-    """
-    org_id = str(uuid.uuid4())
-    user_id = str(uuid.uuid4())
-
-    # Track the settings passed to LiteLlmManager.create_entries
-    captured_settings = None
-
-    async def capture_create_entries(_org_id, _user_id, settings, _create_user):
-        nonlocal captured_settings
-        captured_settings = settings
-        return settings
-
-    with (
-        patch('storage.user_store.DEFAULT_V1_ENABLED', True),
-        patch(
-            'storage.lite_llm_manager.LiteLlmManager.create_entries',
-            side_effect=capture_create_entries,
-        ),
-    ):
-        await UserStore.create_default_settings(org_id, user_id)
-
-    assert captured_settings is not None
-    assert captured_settings.v1_enabled is True
-
-
-@pytest.mark.asyncio
-async def test_create_default_settings_v1_enabled_false_when_default_is_false(
-    mock_litellm_api,
-):
-    """
-    GIVEN: DEFAULT_V1_ENABLED is False
-    WHEN: create_default_settings is called
-    THEN: The default_settings.v1_enabled should be set to False
-    """
-    org_id = str(uuid.uuid4())
-    user_id = str(uuid.uuid4())
-
-    # Track the settings passed to LiteLlmManager.create_entries
-    captured_settings = None
-
-    async def capture_create_entries(_org_id, _user_id, settings, _create_user):
-        nonlocal captured_settings
-        captured_settings = settings
-        return settings
-
-    with (
-        patch('storage.user_store.DEFAULT_V1_ENABLED', False),
-        patch(
-            'storage.lite_llm_manager.LiteLlmManager.create_entries',
-            side_effect=capture_create_entries,
-        ),
-    ):
-        await UserStore.create_default_settings(org_id, user_id)
-
-    assert captured_settings is not None
-    assert captured_settings.v1_enabled is False
-
-
 # --- Tests for get_user_by_id ---
 
 
@@ -688,10 +622,8 @@ def test_has_custom_settings_custom_base_url():
 
     user_settings = UserSettings(
         keycloak_user_id='test',
-        agent_settings={
-            'llm.base_url': 'https://custom.api.example.com',
-            'llm.model': 'some-model',
-        },
+        llm_base_url='https://custom.api.example.com',
+        llm_model='some-model',
     )
 
     result = UserStore._has_custom_settings(user_settings, old_user_version=1)
@@ -703,7 +635,11 @@ def test_has_custom_settings_no_model():
     """Test that no model set means using defaults."""
     from storage.user_settings import UserSettings
 
-    user_settings = UserSettings(keycloak_user_id='test', agent_settings={})
+    user_settings = UserSettings(
+        keycloak_user_id='test',
+        llm_base_url=None,
+        llm_model=None,
+    )
 
     result = UserStore._has_custom_settings(user_settings, old_user_version=1)
 
@@ -716,7 +652,8 @@ def test_has_custom_settings_empty_model():
 
     user_settings = UserSettings(
         keycloak_user_id='test',
-        agent_settings={'llm.model': '   '},
+        llm_base_url=None,
+        llm_model='   ',  # whitespace only
     )
 
     result = UserStore._has_custom_settings(user_settings, old_user_version=1)
@@ -777,10 +714,7 @@ def test_create_user_settings_from_entities():
 
     assert result.keycloak_user_id == user_id
     assert result.llm_api_key == 'test-api-key'
-    assert result.agent_settings['llm.model'] == 'claude-3-5-sonnet'
-    assert result.agent_settings['llm.base_url'] == 'https://api.example.com'
-    assert result.agent_settings['max_iterations'] == 50
-    assert result.agent_settings['agent'] == 'CodeActAgent'
+    assert result.llm_model == 'claude-3-5-sonnet'
     assert result.language == 'en'
     assert result.email == 'test@example.com'
 
@@ -835,10 +769,9 @@ def test_create_user_settings_from_entities_with_org_fallback():
     )
 
     # Should have fallen back to org defaults
-    assert result.agent_settings['llm.model'] == 'default-model'
-    assert result.agent_settings['llm.base_url'] == 'https://default.api.com'
-    assert result.agent_settings['max_iterations'] == 100
-    assert result.agent_settings['agent'] == 'CodeActAgent'
+    assert result.llm_model == 'default-model'
+    assert result.llm_base_url == 'https://default.api.com'
+    assert result.max_iterations == 100
     assert result.language == 'es'
     assert result.search_api_key == 'search-key'
 
@@ -1310,19 +1243,3 @@ async def test_migrate_user_sql_multiple_conversations(async_session_maker):
             assert (
                 row.org_id == user_uuid_str
             ), f'org_id should match: {row.org_id} vs {user_uuid_str}'
-
-
-# Note: The v1_enabled logic in migrate_user follows the same pattern as OrgStore.create_org:
-#   if org.v1_enabled is None:
-#       org.v1_enabled = DEFAULT_V1_ENABLED
-#
-# This behavior is tested in test_org_store.py via:
-#   - test_create_org_v1_enabled_defaults_to_true_when_default_is_true
-#   - test_create_org_v1_enabled_defaults_to_false_when_default_is_false
-#   - test_create_org_v1_enabled_explicit_false_overrides_default_true
-#   - test_create_org_v1_enabled_explicit_true_overrides_default_false
-#
-# Testing migrate_user directly is impractical due to its complex raw SQL migration
-# statements that have SQLite/UUID compatibility issues in the test environment.
-# The SQL migration tests above (test_migrate_user_sql_type_handling, etc.) verify
-# the SQL operations work correctly with proper type handling.

enterprise/tests/unit/utils/__init__.py

@@ -1 +0,0 @@
-# Tests for enterprise server utils

enterprise/tests/unit/utils/test_url_utils.py

@@ -1,425 +0,0 @@
-"""Tests for URL utility functions that prevent URL hijacking attacks."""
-
-from unittest.mock import MagicMock, patch
-
-import pytest
-
-
-class TestGetWebUrl:
-    """Tests for get_web_url function."""
-
-    @pytest.fixture
-    def mock_request(self):
-        """Create a mock FastAPI request object."""
-        request = MagicMock()
-        request.url = MagicMock()
-        return request
-
-    def test_configured_web_url_is_used(self, mock_request):
-        """When web_url is configured, it should be used instead of request URL."""
-        from server.utils.url_utils import get_web_url
-
-        mock_request.url.hostname = 'evil-attacker.com'
-        mock_request.url.netloc = 'evil-attacker.com:443'
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://app.all-hands.dev'
-
-        with patch(
-            'server.utils.url_utils.get_global_config', return_value=mock_config
-        ):
-            result = get_web_url(mock_request)
-
-        assert result == 'https://app.all-hands.dev'
-        # Should not use any info from the potentially poisoned request
-        assert 'evil-attacker.com' not in result
-
-    def test_configured_web_url_trailing_slash_stripped(self, mock_request):
-        """Configured web_url should have trailing slashes stripped."""
-        from server.utils.url_utils import get_web_url
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://app.all-hands.dev/'
-
-        with patch(
-            'server.utils.url_utils.get_global_config', return_value=mock_config
-        ):
-            result = get_web_url(mock_request)
-
-        assert result == 'https://app.all-hands.dev'
-        assert not result.endswith('/')
-
-    def test_unconfigured_web_url_localhost_uses_http(self, mock_request):
-        """When web_url is not configured and hostname is localhost, use http."""
-        from server.utils.url_utils import get_web_url
-
-        mock_request.url.hostname = 'localhost'
-        mock_request.url.netloc = 'localhost:3000'
-
-        mock_config = MagicMock()
-        mock_config.web_url = None
-
-        with patch(
-            'server.utils.url_utils.get_global_config', return_value=mock_config
-        ):
-            result = get_web_url(mock_request)
-
-        assert result == 'http://localhost:3000'
-
-    def test_unconfigured_web_url_non_localhost_uses_https(self, mock_request):
-        """When web_url is not configured and hostname is not localhost, use https."""
-        from server.utils.url_utils import get_web_url
-
-        mock_request.url.hostname = 'example.com'
-        mock_request.url.netloc = 'example.com:443'
-
-        mock_config = MagicMock()
-        mock_config.web_url = None
-
-        with patch(
-            'server.utils.url_utils.get_global_config', return_value=mock_config
-        ):
-            result = get_web_url(mock_request)
-
-        assert result == 'https://example.com:443'
-
-    def test_unconfigured_web_url_empty_string_fallback(self, mock_request):
-        """Empty string web_url should trigger fallback."""
-        from server.utils.url_utils import get_web_url
-
-        mock_request.url.hostname = 'localhost'
-        mock_request.url.netloc = 'localhost:3000'
-
-        mock_config = MagicMock()
-        mock_config.web_url = ''
-
-        with patch(
-            'server.utils.url_utils.get_global_config', return_value=mock_config
-        ):
-            result = get_web_url(mock_request)
-
-        assert result == 'http://localhost:3000'
-
-
-class TestGetCookieDomain:
-    """Tests for get_cookie_domain function."""
-
-    def test_production_with_configured_web_url(self):
-        """In production with web_url configured, should return hostname."""
-        from server.utils.url_utils import get_cookie_domain
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://app.all-hands.dev'
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', False),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            result = get_cookie_domain()
-
-        assert result == 'app.all-hands.dev'
-
-    def test_production_without_web_url_returns_none(self):
-        """In production without web_url configured, should return None."""
-        from server.utils.url_utils import get_cookie_domain
-
-        mock_config = MagicMock()
-        mock_config.web_url = None
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', False),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            result = get_cookie_domain()
-
-        assert result is None
-
-    def test_local_env_returns_none(self):
-        """In local environment, should return None for cookie domain."""
-        from server.utils.url_utils import get_cookie_domain
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://app.all-hands.dev'
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', False),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', True),
-        ):
-            result = get_cookie_domain()
-
-        assert result is None
-
-    def test_staging_env_returns_none(self):
-        """In staging environment, should return None for cookie domain."""
-        from server.utils.url_utils import get_cookie_domain
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://staging.all-hands.dev'
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', True),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            result = get_cookie_domain()
-
-        assert result is None
-
-    def test_feature_env_returns_none(self):
-        """In feature environment, should return None for cookie domain."""
-        from server.utils.url_utils import get_cookie_domain
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://feature-123.staging.all-hands.dev'
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', True),
-            patch('server.utils.url_utils.IS_STAGING_ENV', True),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            result = get_cookie_domain()
-
-        assert result is None
-
-
-class TestGetCookieSamesite:
-    """Tests for get_cookie_samesite function."""
-
-    def test_production_with_configured_web_url_returns_strict(self):
-        """In production with web_url configured, should return 'strict'."""
-        from server.utils.url_utils import get_cookie_samesite
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://app.all-hands.dev'
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', False),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            result = get_cookie_samesite()
-
-        assert result == 'strict'
-
-    def test_production_without_web_url_returns_lax(self):
-        """In production without web_url configured, should return 'lax'."""
-        from server.utils.url_utils import get_cookie_samesite
-
-        mock_config = MagicMock()
-        mock_config.web_url = None
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', False),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            result = get_cookie_samesite()
-
-        assert result == 'lax'
-
-    def test_local_env_returns_lax(self):
-        """In local environment, should return 'lax'."""
-        from server.utils.url_utils import get_cookie_samesite
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'http://localhost:3000'
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', False),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', True),
-        ):
-            result = get_cookie_samesite()
-
-        assert result == 'lax'
-
-    def test_staging_env_returns_lax(self):
-        """In staging environment, should return 'lax'."""
-        from server.utils.url_utils import get_cookie_samesite
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://staging.all-hands.dev'
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', True),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            result = get_cookie_samesite()
-
-        assert result == 'lax'
-
-    def test_feature_env_returns_lax(self):
-        """In feature environment, should return 'lax'."""
-        from server.utils.url_utils import get_cookie_samesite
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://feature-xyz.staging.all-hands.dev'
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', True),
-            patch('server.utils.url_utils.IS_STAGING_ENV', True),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            result = get_cookie_samesite()
-
-        assert result == 'lax'
-
-    def test_empty_web_url_returns_lax(self):
-        """Empty web_url should be treated as unconfigured and return 'lax'."""
-        from server.utils.url_utils import get_cookie_samesite
-
-        mock_config = MagicMock()
-        mock_config.web_url = ''
-
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', False),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            result = get_cookie_samesite()
-
-        assert result == 'lax'
-
-
-class TestSecurityScenarios:
-    """Tests for security-critical scenarios."""
-
-    @pytest.fixture
-    def mock_request(self):
-        """Create a mock FastAPI request object."""
-        request = MagicMock()
-        request.url = MagicMock()
-        return request
-
-    def test_header_poisoning_attack_blocked_when_configured(self, mock_request):
-        """
-        When web_url is configured, X-Forwarded-* header poisoning should not affect
-        the returned URL.
-        """
-        from server.utils.url_utils import get_web_url
-
-        # Simulate a poisoned request where attacker controls headers
-        mock_request.url.hostname = 'evil.com'
-        mock_request.url.netloc = 'evil.com:443'
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://app.all-hands.dev'
-
-        with patch(
-            'server.utils.url_utils.get_global_config', return_value=mock_config
-        ):
-            result = get_web_url(mock_request)
-
-        # Should use configured web_url, not the poisoned request data
-        assert result == 'https://app.all-hands.dev'
-        assert 'evil' not in result
-
-    def test_cookie_domain_not_set_in_dev_environments(self):
-        """
-        Cookie domain should not be set in development environments to prevent
-        cookies from leaking to other subdomains.
-        """
-        from server.utils.url_utils import get_cookie_domain
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://my-feature.staging.all-hands.dev'
-
-        # Test each dev environment
-        for env_name, env_config in [
-            (
-                'local',
-                {
-                    'IS_LOCAL_ENV': True,
-                    'IS_STAGING_ENV': False,
-                    'IS_FEATURE_ENV': False,
-                },
-            ),
-            (
-                'staging',
-                {
-                    'IS_LOCAL_ENV': False,
-                    'IS_STAGING_ENV': True,
-                    'IS_FEATURE_ENV': False,
-                },
-            ),
-            (
-                'feature',
-                {'IS_LOCAL_ENV': False, 'IS_STAGING_ENV': True, 'IS_FEATURE_ENV': True},
-            ),
-        ]:
-            with (
-                patch(
-                    'server.utils.url_utils.get_global_config', return_value=mock_config
-                ),
-                patch(
-                    'server.utils.url_utils.IS_FEATURE_ENV',
-                    env_config['IS_FEATURE_ENV'],
-                ),
-                patch(
-                    'server.utils.url_utils.IS_STAGING_ENV',
-                    env_config['IS_STAGING_ENV'],
-                ),
-                patch(
-                    'server.utils.url_utils.IS_LOCAL_ENV', env_config['IS_LOCAL_ENV']
-                ),
-            ):
-                result = get_cookie_domain()
-                assert result is None, f'Expected None for {env_name} environment'
-
-    def test_strict_samesite_only_in_production(self):
-        """
-        SameSite=strict should only be set in production to ensure proper
-        security without breaking OAuth flows in development.
-        """
-        from server.utils.url_utils import get_cookie_samesite
-
-        mock_config = MagicMock()
-        mock_config.web_url = 'https://app.all-hands.dev'
-
-        # Production should be strict
-        with (
-            patch('server.utils.url_utils.get_global_config', return_value=mock_config),
-            patch('server.utils.url_utils.IS_FEATURE_ENV', False),
-            patch('server.utils.url_utils.IS_STAGING_ENV', False),
-            patch('server.utils.url_utils.IS_LOCAL_ENV', False),
-        ):
-            assert get_cookie_samesite() == 'strict'
-
-        # Dev environments should be lax
-        for env_config in [
-            {'IS_LOCAL_ENV': True, 'IS_STAGING_ENV': False, 'IS_FEATURE_ENV': False},
-            {'IS_LOCAL_ENV': False, 'IS_STAGING_ENV': True, 'IS_FEATURE_ENV': False},
-            {'IS_LOCAL_ENV': False, 'IS_STAGING_ENV': True, 'IS_FEATURE_ENV': True},
-        ]:
-            with (
-                patch(
-                    'server.utils.url_utils.get_global_config', return_value=mock_config
-                ),
-                patch(
-                    'server.utils.url_utils.IS_FEATURE_ENV',
-                    env_config['IS_FEATURE_ENV'],
-                ),
-                patch(
-                    'server.utils.url_utils.IS_STAGING_ENV',
-                    env_config['IS_STAGING_ENV'],
-                ),
-                patch(
-                    'server.utils.url_utils.IS_LOCAL_ENV', env_config['IS_LOCAL_ENV']
-                ),
-            ):
-                assert get_cookie_samesite() == 'lax'

frontend/.gitignore

@@ -8,4 +8,3 @@ node_modules/
 /blob-report/
 /playwright/.cache/
 .react-router/
-ralph/

frontend/__tests__/api/v1-conversation-service.test.ts

@@ -1,5 +1,4 @@
-import { describe, expect, it, vi, beforeEach, afterEach, Mock } from "vitest";
-import axios from "axios";
+import { describe, expect, it, vi } from "vitest";
 import V1ConversationService from "#/api/conversation-service/v1-conversation-service.api";
 
 const { mockGet } = vi.hoisted(() => ({ mockGet: vi.fn() }));
@@ -7,8 +6,6 @@ vi.mock("#/api/open-hands-axios", () => ({
   openHands: { get: mockGet },
 }));
 
-vi.mock("axios");
-
 describe("V1ConversationService", () => {
   describe("readConversationFile", () => {
     it("uses default plan path when filePath is not provided", async () => {
@@ -27,91 +24,4 @@ describe("V1ConversationService", () => {
       );
     });
   });
-
-  describe("uploadFile", () => {
-    beforeEach(() => {
-      vi.clearAllMocks();
-      (axios.post as Mock).mockResolvedValue({ data: {} });
-    });
-
-    afterEach(() => {
-      vi.resetAllMocks();
-    });
-
-    it("uses query params for file upload path", async () => {
-      // Arrange
-      const conversationUrl = "http://localhost:54928/api/conversations/conv-123";
-      const sessionApiKey = "test-api-key";
-      const file = new File(["test content"], "test.txt", { type: "text/plain" });
-      const uploadPath = "/workspace/custom/path.txt";
-
-      // Act
-      await V1ConversationService.uploadFile(
-        conversationUrl,
-        sessionApiKey,
-        file,
-        uploadPath,
-      );
-
-      // Assert
-      expect(axios.post).toHaveBeenCalledTimes(1);
-      const callUrl = (axios.post as Mock).mock.calls[0][0] as string;
-
-      // Verify URL uses query params format
-      expect(callUrl).toContain("/api/file/upload?");
-      expect(callUrl).toContain("path=%2Fworkspace%2Fcustom%2Fpath.txt");
-
-      // Verify it's NOT using path params format
-      expect(callUrl).not.toContain("/api/file/upload/%2F");
-    });
-
-    it("uses default workspace path when no path provided", async () => {
-      // Arrange
-      const conversationUrl = "http://localhost:54928/api/conversations/conv-123";
-      const sessionApiKey = "test-api-key";
-      const file = new File(["test content"], "myfile.txt", { type: "text/plain" });
-
-      // Act
-      await V1ConversationService.uploadFile(
-        conversationUrl,
-        sessionApiKey,
-        file,
-      );
-
-      // Assert
-      expect(axios.post).toHaveBeenCalledTimes(1);
-      const callUrl = (axios.post as Mock).mock.calls[0][0] as string;
-
-      // Default path should be /workspace/{filename}
-      expect(callUrl).toContain("path=%2Fworkspace%2Fmyfile.txt");
-    });
-
-    it("sends file as FormData with correct headers", async () => {
-      // Arrange
-      const conversationUrl = "http://localhost:54928/api/conversations/conv-123";
-      const sessionApiKey = "test-api-key";
-      const file = new File(["test content"], "test.txt", { type: "text/plain" });
-
-      // Act
-      await V1ConversationService.uploadFile(
-        conversationUrl,
-        sessionApiKey,
-        file,
-      );
-
-      // Assert
-      expect(axios.post).toHaveBeenCalledTimes(1);
-      const callArgs = (axios.post as Mock).mock.calls[0];
-
-      // Verify FormData is sent
-      const formData = callArgs[1];
-      expect(formData).toBeInstanceOf(FormData);
-      expect(formData.get("file")).toBe(file);
-
-      // Verify headers include session API key and content type
-      const headers = callArgs[2].headers;
-      expect(headers).toHaveProperty("X-Session-API-Key", sessionApiKey);
-      expect(headers).toHaveProperty("Content-Type", "multipart/form-data");
-    });
-  });
 });

frontend/__tests__/components/buttons/copyable-content-wrapper.test.tsx

@@ -1,60 +0,0 @@
-import { render, screen, waitFor } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
-import { describe, it, expect } from "vitest";
-import { CopyableContentWrapper } from "#/components/shared/buttons/copyable-content-wrapper";
-
-describe("CopyableContentWrapper", () => {
-  it("should hide the copy button by default", () => {
-    render(
-      <CopyableContentWrapper text="hello">
-        <p>content</p>
-      </CopyableContentWrapper>,
-    );
-
-    expect(screen.getByTestId("copy-to-clipboard")).not.toBeVisible();
-  });
-
-  it("should show the copy button on hover", async () => {
-    const user = userEvent.setup();
-    render(
-      <CopyableContentWrapper text="hello">
-        <p>content</p>
-      </CopyableContentWrapper>,
-    );
-
-    await user.hover(screen.getByText("content"));
-
-    expect(screen.getByTestId("copy-to-clipboard")).toBeVisible();
-  });
-
-  it("should copy text to clipboard on click", async () => {
-    const user = userEvent.setup();
-    render(
-      <CopyableContentWrapper text="copy me">
-        <p>content</p>
-      </CopyableContentWrapper>,
-    );
-
-    await user.click(screen.getByTestId("copy-to-clipboard"));
-
-    await waitFor(() =>
-      expect(navigator.clipboard.readText()).resolves.toBe("copy me"),
-    );
-  });
-
-  it("should show copied state after clicking", async () => {
-    const user = userEvent.setup();
-    render(
-      <CopyableContentWrapper text="hello">
-        <p>content</p>
-      </CopyableContentWrapper>,
-    );
-
-    await user.click(screen.getByTestId("copy-to-clipboard"));
-
-    expect(screen.getByTestId("copy-to-clipboard")).toHaveAttribute(
-      "aria-label",
-      "BUTTON$COPIED",
-    );
-  });
-});

frontend/__tests__/components/chat/expandable-message.test.tsx

@@ -113,7 +113,7 @@ describe("ExpandableMessage", () => {
 
   it("should render the out of credits message when the user is out of credits", async () => {
     const getConfigSpy = vi.spyOn(OptionService, "getConfig");
-    // @ts-expect-error - partial mock for testing
+    // @ts-expect-error - We only care about the app_mode and feature_flags fields
     getConfigSpy.mockResolvedValue({
       app_mode: "saas",
       feature_flags: {

frontend/__tests__/components/context-menu/account-settings-context-menu.test.tsx

@@ -0,0 +1,214 @@
+import { render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { afterEach, beforeEach, describe, expect, it, test, vi } from "vitest";
+import { AccountSettingsContextMenu } from "#/components/features/context-menu/account-settings-context-menu";
+import { MemoryRouter } from "react-router";
+import { renderWithProviders } from "../../../test-utils";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { createMockWebClientConfig } from "../../helpers/mock-config";
+
+const mockTrackAddTeamMembersButtonClick = vi.fn();
+
+vi.mock("#/hooks/use-tracking", () => ({
+  useTracking: () => ({
+    trackAddTeamMembersButtonClick: mockTrackAddTeamMembersButtonClick,
+  }),
+}));
+
+// Mock posthog feature flag
+vi.mock("posthog-js/react", () => ({
+  useFeatureFlagEnabled: vi.fn(),
+}));
+
+// Import the mocked module to get access to the mock
+import * as posthog from "posthog-js/react";
+
+describe("AccountSettingsContextMenu", () => {
+  const user = userEvent.setup();
+  const onClickAccountSettingsMock = vi.fn();
+  const onLogoutMock = vi.fn();
+  const onCloseMock = vi.fn();
+
+  let queryClient: QueryClient;
+
+  beforeEach(() => {
+    queryClient = new QueryClient({
+      defaultOptions: { queries: { retry: false } },
+    });
+    // Set default feature flag to false
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(false);
+  });
+
+  // Create a wrapper with MemoryRouter and renderWithProviders
+  const renderWithRouter = (ui: React.ReactElement) => {
+    return renderWithProviders(<MemoryRouter>{ui}</MemoryRouter>);
+  };
+
+  const renderWithSaasConfig = (ui: React.ReactElement, options?: { analyticsConsent?: boolean }) => {
+    queryClient.setQueryData(["web-client-config"], createMockWebClientConfig({ app_mode: "saas" }));
+    queryClient.setQueryData(["settings"], { user_consents_to_analytics: options?.analyticsConsent ?? true });
+    return render(
+      <QueryClientProvider client={queryClient}>
+        <MemoryRouter>{ui}</MemoryRouter>
+      </QueryClientProvider>
+    );
+  };
+
+  const renderWithOssConfig = (ui: React.ReactElement) => {
+    queryClient.setQueryData(["web-client-config"], createMockWebClientConfig({ app_mode: "oss" }));
+    return render(
+      <QueryClientProvider client={queryClient}>
+        <MemoryRouter>{ui}</MemoryRouter>
+      </QueryClientProvider>
+    );
+  };
+
+  afterEach(() => {
+    onClickAccountSettingsMock.mockClear();
+    onLogoutMock.mockClear();
+    onCloseMock.mockClear();
+    mockTrackAddTeamMembersButtonClick.mockClear();
+    vi.mocked(posthog.useFeatureFlagEnabled).mockClear();
+  });
+
+  it("should always render the right options", () => {
+    renderWithRouter(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    expect(
+      screen.getByTestId("account-settings-context-menu"),
+    ).toBeInTheDocument();
+    expect(screen.getByText("SIDEBAR$DOCS")).toBeInTheDocument();
+    expect(screen.getByText("ACCOUNT_SETTINGS$LOGOUT")).toBeInTheDocument();
+  });
+
+  it("should render Documentation link with correct attributes", () => {
+    renderWithRouter(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    const documentationLink = screen.getByText("SIDEBAR$DOCS").closest("a");
+    expect(documentationLink).toHaveAttribute("href", "https://docs.openhands.dev");
+    expect(documentationLink).toHaveAttribute("target", "_blank");
+    expect(documentationLink).toHaveAttribute("rel", "noopener noreferrer");
+  });
+
+  it("should call onLogout when the logout option is clicked", async () => {
+    renderWithRouter(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    const logoutOption = screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
+    await user.click(logoutOption);
+
+    expect(onLogoutMock).toHaveBeenCalledOnce();
+  });
+
+  test("logout button is always enabled", async () => {
+    renderWithRouter(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    const logoutOption = screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
+    await user.click(logoutOption);
+
+    expect(onLogoutMock).toHaveBeenCalledOnce();
+  });
+
+  it("should call onClose when clicking outside of the element", async () => {
+    renderWithRouter(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    const accountSettingsButton = screen.getByText("ACCOUNT_SETTINGS$LOGOUT");
+    await user.click(accountSettingsButton);
+    await user.click(document.body);
+
+    expect(onCloseMock).toHaveBeenCalledOnce();
+  });
+
+  it("should show Add Team Members button in SaaS mode when feature flag is enabled", () => {
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(true);
+    renderWithSaasConfig(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    expect(screen.getByTestId("add-team-members-button")).toBeInTheDocument();
+    expect(screen.getByText("SETTINGS$NAV_ADD_TEAM_MEMBERS")).toBeInTheDocument();
+  });
+
+  it("should not show Add Team Members button in SaaS mode when feature flag is disabled", () => {
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(false);
+    renderWithSaasConfig(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    expect(screen.queryByTestId("add-team-members-button")).not.toBeInTheDocument();
+    expect(screen.queryByText("SETTINGS$NAV_ADD_TEAM_MEMBERS")).not.toBeInTheDocument();
+  });
+
+  it("should not show Add Team Members button in OSS mode even when feature flag is enabled", () => {
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(true);
+    renderWithOssConfig(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    expect(screen.queryByTestId("add-team-members-button")).not.toBeInTheDocument();
+    expect(screen.queryByText("SETTINGS$NAV_ADD_TEAM_MEMBERS")).not.toBeInTheDocument();
+  });
+
+  it("should not show Add Team Members button when analytics consent is disabled", () => {
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(true);
+    renderWithSaasConfig(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+      { analyticsConsent: false },
+    );
+
+    expect(screen.queryByTestId("add-team-members-button")).not.toBeInTheDocument();
+    expect(screen.queryByText("SETTINGS$NAV_ADD_TEAM_MEMBERS")).not.toBeInTheDocument();
+  });
+
+  it("should call tracking function and onClose when Add Team Members button is clicked", async () => {
+    vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(true);
+    renderWithSaasConfig(
+      <AccountSettingsContextMenu
+        onLogout={onLogoutMock}
+        onClose={onCloseMock}
+      />,
+    );
+
+    const addTeamMembersButton = screen.getByTestId("add-team-members-button");
+    await user.click(addTeamMembersButton);
+
+    expect(mockTrackAddTeamMembersButtonClick).toHaveBeenCalledOnce();
+    expect(onCloseMock).toHaveBeenCalledOnce();
+  });
+});

frontend/__tests__/components/context-menu/context-menu-container.test.tsx

@@ -1,78 +0,0 @@
-import { render, screen } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
-import { describe, expect, it, vi } from "vitest";
-import { ContextMenuContainer } from "#/components/features/context-menu/context-menu-container";
-
-describe("ContextMenuContainer", () => {
-  const user = userEvent.setup();
-  const onCloseMock = vi.fn();
-
-  it("should render children", () => {
-    render(
-      <ContextMenuContainer onClose={onCloseMock}>
-        <div data-testid="child-1">Child 1</div>
-        <div data-testid="child-2">Child 2</div>
-      </ContextMenuContainer>,
-    );
-
-    expect(screen.getByTestId("child-1")).toBeInTheDocument();
-    expect(screen.getByTestId("child-2")).toBeInTheDocument();
-  });
-
-  it("should apply consistent base styling", () => {
-    render(
-      <ContextMenuContainer onClose={onCloseMock} testId="test-container">
-        <div>Content</div>
-      </ContextMenuContainer>,
-    );
-
-    const container = screen.getByTestId("test-container");
-    expect(container).toHaveClass("bg-[#050505]");
-    expect(container).toHaveClass("border");
-    expect(container).toHaveClass("border-[#242424]");
-    expect(container).toHaveClass("rounded-[12px]");
-    expect(container).toHaveClass("p-[25px]");
-    expect(container).toHaveClass("context-menu-box-shadow");
-  });
-
-  it("should call onClose when clicking outside", async () => {
-    render(
-      <ContextMenuContainer onClose={onCloseMock} testId="test-container">
-        <div>Content</div>
-      </ContextMenuContainer>,
-    );
-
-    await user.click(document.body);
-    expect(onCloseMock).toHaveBeenCalledOnce();
-  });
-
-  it("should render children in a flex row layout", () => {
-    render(
-      <ContextMenuContainer onClose={onCloseMock} testId="test-container">
-        <div data-testid="child-1">Child 1</div>
-        <div data-testid="child-2">Child 2</div>
-      </ContextMenuContainer>,
-    );
-
-    const container = screen.getByTestId("test-container");
-    const innerDiv = container.firstChild as HTMLElement;
-    expect(innerDiv).toHaveClass("flex");
-    expect(innerDiv).toHaveClass("flex-row");
-    expect(innerDiv).toHaveClass("gap-4");
-  });
-
-  it("should apply additional className when provided", () => {
-    render(
-      <ContextMenuContainer
-        onClose={onCloseMock}
-        testId="test-container"
-        className="custom-class"
-      >
-        <div>Content</div>
-      </ContextMenuContainer>,
-    );
-
-    const container = screen.getByTestId("test-container");
-    expect(container).toHaveClass("custom-class");
-  });
-});

frontend/__tests__/components/context-menu/context-menu-cta.test.tsx

@@ -1,60 +0,0 @@
-import { render, screen } from "@testing-library/react";
-import { describe, expect, it, vi } from "vitest";
-import userEvent from "@testing-library/user-event";
-import { ContextMenuCTA } from "#/components/features/context-menu/context-menu-cta";
-
-// Mock useTracking hook
-const mockTrackSaasSelfhostedInquiry = vi.fn();
-vi.mock("#/hooks/use-tracking", () => ({
-  useTracking: () => ({
-    trackSaasSelfhostedInquiry: mockTrackSaasSelfhostedInquiry,
-  }),
-}));
-
-describe("ContextMenuCTA", () => {
-  it("should render the CTA component", () => {
-    render(<ContextMenuCTA />);
-
-    expect(screen.getByText("CTA$ENTERPRISE_TITLE")).toBeInTheDocument();
-    expect(screen.getByText("CTA$ENTERPRISE_DESCRIPTION")).toBeInTheDocument();
-    expect(screen.getByText("CTA$LEARN_MORE")).toBeInTheDocument();
-  });
-
-  it("should call trackSaasSelfhostedInquiry with location 'context_menu' when Learn More is clicked", async () => {
-    const user = userEvent.setup();
-    render(<ContextMenuCTA />);
-
-    const learnMoreLink = screen.getByRole("link", {
-      name: "CTA$LEARN_MORE",
-    });
-    await user.click(learnMoreLink);
-
-    expect(mockTrackSaasSelfhostedInquiry).toHaveBeenCalledWith({
-      location: "context_menu",
-    });
-  });
-
-  it("should render Learn More as a link with correct href and target", () => {
-    render(<ContextMenuCTA />);
-
-    const learnMoreLink = screen.getByRole("link", {
-      name: "CTA$LEARN_MORE",
-    });
-    expect(learnMoreLink).toHaveAttribute(
-      "href",
-      "https://openhands.dev/enterprise/",
-    );
-    expect(learnMoreLink).toHaveAttribute("target", "_blank");
-    expect(learnMoreLink).toHaveAttribute("rel", "noopener noreferrer");
-  });
-
-  it("should render the stacked icon", () => {
-    render(<ContextMenuCTA />);
-
-    const contentContainer = screen.getByTestId("context-menu-cta-content");
-    const icon = contentContainer.querySelector("svg");
-    expect(icon).toBeInTheDocument();
-    expect(icon).toHaveAttribute("width", "40");
-    expect(icon).toHaveAttribute("height", "40");
-  });
-});

frontend/__tests__/components/context-menu/tools-context-menu.test.tsx

@@ -44,7 +44,6 @@ describe("SystemMessage UI Rendering", () => {
       <ToolsContextMenu
         onClose={() => {}}
         onShowSkills={() => {}}
-        onShowHooks={() => {}}
         onShowAgentTools={() => {}}
       />,
     );

frontend/__tests__/components/features/analytics/analytics-consent-form-modal.test.tsx

@@ -1,16 +1,11 @@
 import userEvent from "@testing-library/user-event";
-import { describe, expect, it, vi, beforeEach } from "vitest";
+import { describe, expect, it, vi } from "vitest";
 import { render, screen, waitFor } from "@testing-library/react";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 import { AnalyticsConsentFormModal } from "#/components/features/analytics/analytics-consent-form-modal";
 import SettingsService from "#/api/settings-service/settings-service.api";
-import { useSelectedOrganizationStore } from "#/stores/selected-organization-store";
 
 describe("AnalyticsConsentFormModal", () => {
-  beforeEach(() => {
-    useSelectedOrganizationStore.setState({ organizationId: "test-org-id" });
-  });
-
   it("should call saveUserSettings with consent", async () => {
     const user = userEvent.setup();
     const onCloseMock = vi.fn();

frontend/__tests__/components/features/auth/login-content.test.tsx

@@ -15,7 +15,6 @@ vi.mock("#/hooks/use-auth-url", () => ({
       bitbucket: "https://bitbucket.org/site/oauth2/authorize",
       bitbucket_data_center:
         "https://bitbucket-dc.example.com/site/oauth2/authorize",
-      enterprise_sso: "https://auth.example.com/realms/test/protocol/openid-connect/auth",
     };
     if (config.appMode === "saas") {
       return urls[config.identityProvider] || null;
@@ -49,17 +48,9 @@ vi.mock("#/utils/custom-toast-handlers", () => ({
   displayErrorToast: vi.fn(),
 }));
 
-// Mock feature flags - we'll control the return value in each test
-const mockEnableProjUserJourney = vi.fn(() => true);
-vi.mock("#/utils/feature-flags", () => ({
-  ENABLE_PROJ_USER_JOURNEY: () => mockEnableProjUserJourney(),
-}));
-
 describe("LoginContent", () => {
   beforeEach(() => {
     vi.stubGlobal("location", { href: "" });
-    // Reset mock to return true by default
-    mockEnableProjUserJourney.mockReturnValue(true);
   });
 
   afterEach(() => {
@@ -126,74 +117,6 @@ describe("LoginContent", () => {
     ).not.toBeInTheDocument();
   });
 
-  it("should display Enterprise SSO button when configured", () => {
-    render(
-      <MemoryRouter>
-        <LoginContent
-          githubAuthUrl="https://github.com/oauth/authorize"
-          appMode="saas"
-          authUrl="https://auth.example.com"
-          providersConfigured={["enterprise_sso"]}
-        />
-      </MemoryRouter>,
-    );
-
-    expect(
-      screen.getByRole("button", { name: /ENTERPRISE_SSO\$CONNECT_TO_ENTERPRISE_SSO/i }),
-    ).toBeInTheDocument();
-  });
-
-  it("should display Enterprise SSO alongside other providers when all configured", () => {
-    render(
-      <MemoryRouter>
-        <LoginContent
-          githubAuthUrl="https://github.com/oauth/authorize"
-          appMode="saas"
-          authUrl="https://auth.example.com"
-          providersConfigured={["github", "gitlab", "bitbucket", "enterprise_sso"]}
-        />
-      </MemoryRouter>,
-    );
-
-    expect(
-      screen.getByRole("button", { name: "GITHUB$CONNECT_TO_GITHUB" }),
-    ).toBeInTheDocument();
-    expect(
-      screen.getByRole("button", { name: "GITLAB$CONNECT_TO_GITLAB" }),
-    ).toBeInTheDocument();
-    expect(
-      screen.getByRole("button", { name: /BITBUCKET\$CONNECT_TO_BITBUCKET/i }),
-    ).toBeInTheDocument();
-    expect(
-      screen.getByRole("button", { name: /ENTERPRISE_SSO\$CONNECT_TO_ENTERPRISE_SSO/i }),
-    ).toBeInTheDocument();
-  });
-
-  it("should redirect to Enterprise SSO auth URL when Enterprise SSO button is clicked", async () => {
-    const user = userEvent.setup();
-    const mockUrl = "https://auth.example.com/realms/test/protocol/openid-connect/auth";
-
-    render(
-      <MemoryRouter>
-        <LoginContent
-          githubAuthUrl="https://github.com/oauth/authorize"
-          appMode="saas"
-          authUrl="https://auth.example.com"
-          providersConfigured={["enterprise_sso"]}
-        />
-      </MemoryRouter>,
-    );
-
-    const enterpriseSsoButton = screen.getByRole("button", {
-      name: /ENTERPRISE_SSO\$CONNECT_TO_ENTERPRISE_SSO/i,
-    });
-    await user.click(enterpriseSsoButton);
-
-    await waitFor(() => {
-      expect(window.location.href).toContain(mockUrl);
-    });
-  });
-
   it("should display message when no providers are configured", () => {
     render(
       <MemoryRouter>
@@ -282,65 +205,6 @@ describe("LoginContent", () => {
     expect(screen.getByTestId("terms-and-privacy-notice")).toBeInTheDocument();
   });
 
-  it("should display the enterprise LoginCTA component when appMode is saas and feature flag enabled", () => {
-    render(
-      <MemoryRouter>
-        <LoginContent
-          githubAuthUrl="https://github.com/oauth/authorize"
-          appMode="saas"
-          providersConfigured={["github"]}
-        />
-      </MemoryRouter>,
-    );
-
-    expect(screen.getByTestId("login-cta")).toBeInTheDocument();
-  });
-
-  it("should not display the enterprise LoginCTA component when appMode is oss even with feature flag enabled", () => {
-    render(
-      <MemoryRouter>
-        <LoginContent
-          githubAuthUrl="https://github.com/oauth/authorize"
-          appMode="oss"
-          providersConfigured={["github"]}
-        />
-      </MemoryRouter>,
-    );
-
-    expect(screen.queryByTestId("login-cta")).not.toBeInTheDocument();
-  });
-
-  it("should not display the enterprise LoginCTA component when appMode is null", () => {
-    render(
-      <MemoryRouter>
-        <LoginContent
-          githubAuthUrl="https://github.com/oauth/authorize"
-          appMode={null}
-          providersConfigured={["github"]}
-        />
-      </MemoryRouter>,
-    );
-
-    expect(screen.queryByTestId("login-cta")).not.toBeInTheDocument();
-  });
-
-  it("should not display the enterprise LoginCTA component when feature flag is disabled", () => {
-    // Disable the feature flag
-    mockEnableProjUserJourney.mockReturnValue(false);
-
-    render(
-      <MemoryRouter>
-        <LoginContent
-          githubAuthUrl="https://github.com/oauth/authorize"
-          appMode="saas"
-          providersConfigured={["github"]}
-        />
-      </MemoryRouter>,
-    );
-
-    expect(screen.queryByTestId("login-cta")).not.toBeInTheDocument();
-  });
-
   it("should display invitation pending message when hasInvitation is true", () => {
     render(
       <MemoryRouter>

frontend/__tests__/components/features/auth/login-cta.test.tsx

@@ -1,63 +0,0 @@
-import { render, screen } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi } from "vitest";
-import userEvent from "@testing-library/user-event";
-import { LoginCTA } from "#/components/features/auth/login-cta";
-
-// Mock useTracking hook
-const mockTrackSaasSelfhostedInquiry = vi.fn();
-vi.mock("#/hooks/use-tracking", () => ({
-  useTracking: () => ({
-    trackSaasSelfhostedInquiry: mockTrackSaasSelfhostedInquiry,
-  }),
-}));
-
-describe("LoginCTA", () => {
-  afterEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("should render enterprise CTA with title and description", () => {
-    render(<LoginCTA />);
-
-    expect(screen.getByTestId("login-cta")).toBeInTheDocument();
-    expect(screen.getByText("CTA$ENTERPRISE")).toBeInTheDocument();
-    expect(screen.getByText("CTA$ENTERPRISE_DEPLOY")).toBeInTheDocument();
-  });
-
-  it("should render all enterprise feature list items", () => {
-    render(<LoginCTA />);
-
-    expect(screen.getByText("CTA$FEATURE_ON_PREMISES")).toBeInTheDocument();
-    expect(screen.getByText("CTA$FEATURE_DATA_CONTROL")).toBeInTheDocument();
-    expect(screen.getByText("CTA$FEATURE_COMPLIANCE")).toBeInTheDocument();
-    expect(screen.getByText("CTA$FEATURE_SUPPORT")).toBeInTheDocument();
-  });
-
-  it("should render Learn More as a link with correct href and target", () => {
-    render(<LoginCTA />);
-
-    const learnMoreLink = screen.getByRole("link", {
-      name: "CTA$LEARN_MORE",
-    });
-    expect(learnMoreLink).toHaveAttribute(
-      "href",
-      "https://openhands.dev/enterprise/",
-    );
-    expect(learnMoreLink).toHaveAttribute("target", "_blank");
-    expect(learnMoreLink).toHaveAttribute("rel", "noopener noreferrer");
-  });
-
-  it("should call trackSaasSelfhostedInquiry with location 'login_page' when Learn More is clicked", async () => {
-    const user = userEvent.setup();
-    render(<LoginCTA />);
-
-    const learnMoreLink = screen.getByRole("link", {
-      name: "CTA$LEARN_MORE",
-    });
-    await user.click(learnMoreLink);
-
-    expect(mockTrackSaasSelfhostedInquiry).toHaveBeenCalledWith({
-      location: "login_page",
-    });
-  });
-});

frontend/__tests__/components/features/chat/messages.test.tsx

@@ -10,12 +10,9 @@ import {
 import { OpenHandsObservation } from "#/types/core/observations";
 import ConversationService from "#/api/conversation-service/conversation-service.api";
 import { Conversation } from "#/api/open-hands.types";
-import { useSelectedOrganizationStore } from "#/stores/selected-organization-store";
 
-vi.mock("react-router", async (importOriginal) => ({
-  ...(await importOriginal<typeof import("react-router")>()),
+vi.mock("react-router", () => ({
   useParams: () => ({ conversationId: "123" }),
-  useRevalidator: () => ({ revalidate: vi.fn() }),
 }));
 
 let queryClient: QueryClient;
@@ -50,7 +47,6 @@ const renderMessages = ({
 describe("Messages", () => {
   beforeEach(() => {
     queryClient = new QueryClient();
-    useSelectedOrganizationStore.setState({ organizationId: "test-org-id" });
   });
 
   const assistantMessage: AssistantMessageAction = {

frontend/__tests__/components/features/conversation-panel/hooks-modal.test.tsx

@@ -1,207 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { render, screen, within } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
-import React from "react";
-import { HookEventItem } from "#/components/features/conversation-panel/hook-event-item";
-import { HooksEmptyState } from "#/components/features/conversation-panel/hooks-empty-state";
-import { HooksLoadingState } from "#/components/features/conversation-panel/hooks-loading-state";
-import { HooksModalHeader } from "#/components/features/conversation-panel/hooks-modal-header";
-import { HookEvent } from "#/api/conversation-service/v1-conversation-service.types";
-
-// Mock react-i18next
-vi.mock("react-i18next", async () => {
-  const actual = await vi.importActual("react-i18next");
-  return {
-    ...actual,
-    useTranslation: () => ({
-      t: (key: string, params?: Record<string, unknown>) => {
-        const translations: Record<string, string> = {
-          HOOKS_MODAL$TITLE: "Available Hooks",
-          HOOKS_MODAL$HOOK_COUNT: `${params?.count ?? 0} hooks`,
-          HOOKS_MODAL$EVENT_PRE_TOOL_USE: "Pre Tool Use",
-          HOOKS_MODAL$EVENT_POST_TOOL_USE: "Post Tool Use",
-          HOOKS_MODAL$EVENT_USER_PROMPT_SUBMIT: "User Prompt Submit",
-          HOOKS_MODAL$EVENT_SESSION_START: "Session Start",
-          HOOKS_MODAL$EVENT_SESSION_END: "Session End",
-          HOOKS_MODAL$EVENT_STOP: "Stop",
-          HOOKS_MODAL$MATCHER: "Matcher",
-          HOOKS_MODAL$COMMANDS: "Commands",
-          HOOKS_MODAL$TYPE: `Type: ${params?.type ?? ""}`,
-          HOOKS_MODAL$TIMEOUT: `Timeout: ${params?.timeout ?? 0}s`,
-          HOOKS_MODAL$ASYNC: "Async",
-          COMMON$FETCH_ERROR: "Failed to fetch data",
-          CONVERSATION$NO_HOOKS: "No hooks configured",
-          BUTTON$REFRESH: "Refresh",
-        };
-        return translations[key] || key;
-      },
-      i18n: {
-        changeLanguage: () => new Promise(() => {}),
-      },
-    }),
-  };
-});
-
-describe("HooksLoadingState", () => {
-  it("should render loading spinner", () => {
-    render(<HooksLoadingState />);
-    const spinner = document.querySelector(".animate-spin");
-    expect(spinner).toBeInTheDocument();
-  });
-});
-
-describe("HooksEmptyState", () => {
-  it("should render no hooks message when not error", () => {
-    render(<HooksEmptyState isError={false} />);
-    expect(screen.getByText("No hooks configured")).toBeInTheDocument();
-  });
-
-  it("should render error message when isError is true", () => {
-    render(<HooksEmptyState isError={true} />);
-    expect(screen.getByText("Failed to fetch data")).toBeInTheDocument();
-  });
-});
-
-describe("HooksModalHeader", () => {
-  const defaultProps = {
-    isAgentReady: true,
-    isLoading: false,
-    isRefetching: false,
-    onRefresh: vi.fn(),
-  };
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("should render title", () => {
-    render(<HooksModalHeader {...defaultProps} />);
-    expect(screen.getByText("Available Hooks")).toBeInTheDocument();
-  });
-
-  it("should render refresh button when agent is ready", () => {
-    render(<HooksModalHeader {...defaultProps} />);
-    expect(screen.getByTestId("refresh-hooks")).toBeInTheDocument();
-  });
-
-  it("should not render refresh button when agent is not ready", () => {
-    render(<HooksModalHeader {...defaultProps} isAgentReady={false} />);
-    expect(screen.queryByTestId("refresh-hooks")).not.toBeInTheDocument();
-  });
-
-  it("should call onRefresh when refresh button is clicked", async () => {
-    const user = userEvent.setup();
-    const onRefresh = vi.fn();
-    render(<HooksModalHeader {...defaultProps} onRefresh={onRefresh} />);
-
-    await user.click(screen.getByTestId("refresh-hooks"));
-    expect(onRefresh).toHaveBeenCalledTimes(1);
-  });
-
-  it("should disable refresh button when loading", () => {
-    render(<HooksModalHeader {...defaultProps} isLoading={true} />);
-    expect(screen.getByTestId("refresh-hooks")).toBeDisabled();
-  });
-
-  it("should disable refresh button when refetching", () => {
-    render(<HooksModalHeader {...defaultProps} isRefetching={true} />);
-    expect(screen.getByTestId("refresh-hooks")).toBeDisabled();
-  });
-});
-
-describe("HookEventItem", () => {
-  const mockHookEvent: HookEvent = {
-    event_type: "stop",
-    matchers: [
-      {
-        matcher: "*",
-        hooks: [
-          {
-            type: "command",
-            command: ".openhands/hooks/on_stop.sh",
-            timeout: 30,
-            async: true,
-          },
-        ],
-      },
-    ],
-  };
-
-  const defaultProps = {
-    hookEvent: mockHookEvent,
-    isExpanded: false,
-    onToggle: vi.fn(),
-  };
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("should render event type label using i18n", () => {
-    render(<HookEventItem {...defaultProps} />);
-    expect(screen.getByText("Stop")).toBeInTheDocument();
-  });
-
-  it("should render hook count", () => {
-    render(<HookEventItem {...defaultProps} />);
-    expect(screen.getByText("1 hooks")).toBeInTheDocument();
-  });
-
-  it("should call onToggle when clicked", async () => {
-    const user = userEvent.setup();
-    const onToggle = vi.fn();
-    render(<HookEventItem {...defaultProps} onToggle={onToggle} />);
-
-    await user.click(screen.getByRole("button"));
-    expect(onToggle).toHaveBeenCalledWith("stop");
-  });
-
-  it("should show collapsed state by default", () => {
-    render(<HookEventItem {...defaultProps} isExpanded={false} />);
-    // Matcher content should not be visible when collapsed
-    expect(screen.queryByText("*")).not.toBeInTheDocument();
-  });
-
-  it("should show expanded state with matcher content", () => {
-    render(<HookEventItem {...defaultProps} isExpanded={true} />);
-    // Matcher content should be visible when expanded
-    expect(screen.getByText("*")).toBeInTheDocument();
-  });
-
-  it("should render async badge for async hooks", () => {
-    render(<HookEventItem {...defaultProps} isExpanded={true} />);
-    expect(screen.getByText("Async")).toBeInTheDocument();
-  });
-
-  it("should render different event types with correct i18n labels", () => {
-    const eventTypes = [
-      { type: "pre_tool_use", label: "Pre Tool Use" },
-      { type: "post_tool_use", label: "Post Tool Use" },
-      { type: "user_prompt_submit", label: "User Prompt Submit" },
-      { type: "session_start", label: "Session Start" },
-      { type: "session_end", label: "Session End" },
-      { type: "stop", label: "Stop" },
-    ];
-
-    eventTypes.forEach(({ type, label }) => {
-      const { unmount } = render(
-        <HookEventItem
-          {...defaultProps}
-          hookEvent={{ ...mockHookEvent, event_type: type }}
-        />,
-      );
-      expect(screen.getByText(label)).toBeInTheDocument();
-      unmount();
-    });
-  });
-
-  it("should fallback to event_type when no i18n key exists", () => {
-    render(
-      <HookEventItem
-        {...defaultProps}
-        hookEvent={{ ...mockHookEvent, event_type: "unknown_event" }}
-      />,
-    );
-    expect(screen.getByText("unknown_event")).toBeInTheDocument();
-  });
-});

frontend/__tests__/components/features/conversation/conversation-name.test.tsx

@@ -72,7 +72,7 @@ vi.mock("react-i18next", async () => {
           CONVERSATION$SHOW_SKILLS: "Show Skills",
           BUTTON$DISPLAY_COST: "Display Cost",
           COMMON$CLOSE_CONVERSATION_STOP_RUNTIME:
-            "Close Conversation (Stop Sandbox)",
+            "Close Conversation (Stop Runtime)",
           COMMON$DELETE_CONVERSATION: "Delete Conversation",
           CONVERSATION$SHARE_PUBLICLY: "Share Publicly",
           CONVERSATION$LINK_COPIED: "Link copied to clipboard",
@@ -565,7 +565,7 @@ describe("ConversationNameContextMenu", () => {
       "Delete Conversation",
     );
     expect(screen.getByTestId("stop-button")).toHaveTextContent(
-      "Close Conversation (Stop Sandbox)",
+      "Close Conversation (Stop Runtime)",
     );
     expect(screen.getByTestId("display-cost-button")).toHaveTextContent(
       "Display Cost",

frontend/__tests__/components/features/device-verify/enterprise-banner.test.tsx

@@ -1,118 +0,0 @@
-import { screen } from "@testing-library/react";
-import { beforeEach, describe, expect, it, vi } from "vitest";
-import userEvent from "@testing-library/user-event";
-import { renderWithProviders } from "test-utils";
-import { EnterpriseBanner } from "#/components/features/device-verify/enterprise-banner";
-
-const mockCapture = vi.fn();
-vi.mock("posthog-js/react", () => ({
-  usePostHog: () => ({
-    capture: mockCapture,
-  }),
-}));
-
-const { ENABLE_PROJ_USER_JOURNEY_MOCK } = vi.hoisted(() => ({
-  ENABLE_PROJ_USER_JOURNEY_MOCK: vi.fn(() => true),
-}));
-
-vi.mock("#/utils/feature-flags", () => ({
-  ENABLE_PROJ_USER_JOURNEY: () => ENABLE_PROJ_USER_JOURNEY_MOCK(),
-}));
-
-describe("EnterpriseBanner", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    ENABLE_PROJ_USER_JOURNEY_MOCK.mockReturnValue(true);
-  });
-
-  describe("Feature Flag", () => {
-    it("should not render when proj_user_journey feature flag is disabled", () => {
-      ENABLE_PROJ_USER_JOURNEY_MOCK.mockReturnValue(false);
-
-      const { container } = renderWithProviders(<EnterpriseBanner />);
-
-      expect(container.firstChild).toBeNull();
-      expect(screen.queryByText("ENTERPRISE$TITLE")).not.toBeInTheDocument();
-    });
-
-    it("should render when proj_user_journey feature flag is enabled", () => {
-      ENABLE_PROJ_USER_JOURNEY_MOCK.mockReturnValue(true);
-
-      renderWithProviders(<EnterpriseBanner />);
-
-      expect(screen.getByText("ENTERPRISE$TITLE")).toBeInTheDocument();
-    });
-  });
-
-  describe("Rendering", () => {
-    it("should render the self-hosted label", () => {
-      renderWithProviders(<EnterpriseBanner />);
-
-      expect(screen.getByText("ENTERPRISE$SELF_HOSTED")).toBeInTheDocument();
-    });
-
-    it("should render the enterprise title", () => {
-      renderWithProviders(<EnterpriseBanner />);
-
-      expect(screen.getByText("ENTERPRISE$TITLE")).toBeInTheDocument();
-    });
-
-    it("should render the enterprise description", () => {
-      renderWithProviders(<EnterpriseBanner />);
-
-      expect(screen.getByText("ENTERPRISE$DESCRIPTION")).toBeInTheDocument();
-    });
-
-    it("should render all four enterprise feature items", () => {
-      renderWithProviders(<EnterpriseBanner />);
-
-      expect(
-        screen.getByText("ENTERPRISE$FEATURE_DATA_PRIVACY"),
-      ).toBeInTheDocument();
-      expect(
-        screen.getByText("ENTERPRISE$FEATURE_DEPLOYMENT"),
-      ).toBeInTheDocument();
-      expect(screen.getByText("ENTERPRISE$FEATURE_SSO")).toBeInTheDocument();
-      expect(
-        screen.getByText("ENTERPRISE$FEATURE_SUPPORT"),
-      ).toBeInTheDocument();
-    });
-
-    it("should render the learn more link", () => {
-      renderWithProviders(<EnterpriseBanner />);
-
-      const link = screen.getByRole("link", {
-        name: "ENTERPRISE$LEARN_MORE_ARIA",
-      });
-      expect(link).toBeInTheDocument();
-      expect(link).toHaveTextContent("ENTERPRISE$LEARN_MORE");
-      expect(link).toHaveAttribute("href", "https://openhands.dev/enterprise");
-      expect(link).toHaveAttribute("target", "_blank");
-      expect(link).toHaveAttribute("rel", "noopener noreferrer");
-    });
-  });
-
-  describe("Learn More Link Interaction", () => {
-    it("should capture PostHog event when learn more link is clicked", async () => {
-      const user = userEvent.setup();
-      renderWithProviders(<EnterpriseBanner />);
-
-      const link = screen.getByRole("link", {
-        name: "ENTERPRISE$LEARN_MORE_ARIA",
-      });
-      await user.click(link);
-
-      expect(mockCapture).toHaveBeenCalledWith("saas_selfhosted_inquiry");
-    });
-
-    it("should have correct href attribute for opening in new tab", () => {
-      renderWithProviders(<EnterpriseBanner />);
-
-      const link = screen.getByRole("link", {
-        name: "ENTERPRISE$LEARN_MORE_ARIA",
-      });
-      expect(link).toHaveAttribute("href", "https://openhands.dev/enterprise");
-      expect(link).toHaveAttribute("target", "_blank");
-    });
-  });
-});