Deploy Open WebUI

.gitattributes

@@ -33,3 +33,22 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSans-Bold.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSans-Italic.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSans-Regular.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSans-Variable.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSansJP-Regular.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSansJP-Variable.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSansKR-Regular.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSansKR-Variable.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSansSC-Regular.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/NotoSansSC-Variable.ttf filter=lfs diff=lfs merge=lfs -text
+backend/open_webui/static/fonts/Twemoji.ttf filter=lfs diff=lfs merge=lfs -text
+static/assets/fonts/Archivo-Variable.ttf filter=lfs diff=lfs merge=lfs -text
+static/assets/fonts/Inter-Variable.ttf filter=lfs diff=lfs merge=lfs -text
+static/assets/fonts/Mona-Sans.woff2 filter=lfs diff=lfs merge=lfs -text
+static/assets/fonts/Vazirmatn-Variable.ttf filter=lfs diff=lfs merge=lfs -text
+static/assets/images/adam.jpg filter=lfs diff=lfs merge=lfs -text
+static/assets/images/earth.jpg filter=lfs diff=lfs merge=lfs -text
+static/assets/images/galaxy.jpg filter=lfs diff=lfs merge=lfs -text
+static/assets/images/space.jpg filter=lfs diff=lfs merge=lfs -text

Dockerfile

@@ -1,17 +1,208 @@
-# Read the doc: https://huggingface.co/docs/hub/spaces-sdks-docker
-# you will also find guides on how best to write your Dockerfile
+# syntax=docker/dockerfile:1
+# Initialize device type args
+# use build args in the docker build command with --build-arg="BUILDARG=true"
+ARG USE_CUDA=false
+ARG USE_OLLAMA=false
+ARG USE_SLIM=false
+ARG USE_PERMISSION_HARDENING=false
+# Tested with cu117 for CUDA 11 and cu121 for CUDA 12 (default)
+ARG USE_CUDA_VER=cu128
+# any sentence transformer model; models to use can be found at https://huggingface.co/models?library=sentence-transformers
+# Leaderboard: https://huggingface.co/spaces/mteb/leaderboard 
+# for better performance and multilangauge support use "intfloat/multilingual-e5-large" (~2.5GB) or "intfloat/multilingual-e5-base" (~1.5GB)
+# IMPORTANT: If you change the embedding model (sentence-transformers/all-MiniLM-L6-v2) and vice versa, you aren't able to use RAG Chat with your previous documents loaded in the WebUI! You need to re-embed them.
+ARG USE_EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
+ARG USE_RERANKING_MODEL=""
+ARG USE_AUXILIARY_EMBEDDING_MODEL=TaylorAI/bge-micro-v2
 
-FROM python:3.12
+# Tiktoken encoding name; models to use can be found at https://huggingface.co/models?library=tiktoken
+ARG USE_TIKTOKEN_ENCODING_NAME="cl100k_base"
 
-RUN useradd -m -u 1000 user
-USER user
-ENV PATH="/home/user/.local/bin:$PATH"
+ARG BUILD_HASH=dev-build
+# Override at your own risk - non-root configurations are untested
+ARG UID=0
+ARG GID=0
+
+######## WebUI frontend ########
+FROM --platform=$BUILDPLATFORM node:22-alpine3.20 AS build
+ARG BUILD_HASH
+
+# Set Node.js options (heap limit Allocation failed - JavaScript heap out of memory)
+# ENV NODE_OPTIONS="--max-old-space-size=4096"
 
 WORKDIR /app
 
-COPY --chown=user ./requirements.txt requirements.txt
-RUN pip install --no-cache-dir --upgrade -r requirements.txt
+# to store git revision in build
+RUN apk add --no-cache git
+
+COPY package.json package-lock.json ./
+RUN npm ci --force
+
+COPY . .
+ENV APP_BUILD_HASH=${BUILD_HASH}
+RUN npm run build
+
+######## WebUI backend ########
+FROM python:3.11.14-slim-bookworm AS base
+
+# Use args
+ARG USE_CUDA
+ARG USE_OLLAMA
+ARG USE_CUDA_VER
+ARG USE_SLIM
+ARG USE_PERMISSION_HARDENING
+ARG USE_EMBEDDING_MODEL
+ARG USE_RERANKING_MODEL
+ARG USE_AUXILIARY_EMBEDDING_MODEL
+ARG UID
+ARG GID
+
+# Python settings
+ENV PYTHONUNBUFFERED=1
+
+## Basis ##
+ENV ENV=prod \
+    PORT=8080 \
+    # pass build args to the build
+    USE_OLLAMA_DOCKER=${USE_OLLAMA} \
+    USE_CUDA_DOCKER=${USE_CUDA} \
+    USE_SLIM_DOCKER=${USE_SLIM} \
+    USE_CUDA_DOCKER_VER=${USE_CUDA_VER} \
+    USE_EMBEDDING_MODEL_DOCKER=${USE_EMBEDDING_MODEL} \
+    USE_RERANKING_MODEL_DOCKER=${USE_RERANKING_MODEL} \
+    USE_AUXILIARY_EMBEDDING_MODEL_DOCKER=${USE_AUXILIARY_EMBEDDING_MODEL}
+
+## Basis URL Config ##
+ENV OLLAMA_BASE_URL="/ollama" \
+    OPENAI_API_BASE_URL=""
+
+## API Key and Security Config ##
+ENV OPENAI_API_KEY="" \
+    WEBUI_SECRET_KEY="" \
+    SCARF_NO_ANALYTICS=true \
+    DO_NOT_TRACK=true \
+    ANONYMIZED_TELEMETRY=false
+
+#### Other models #########################################################
+## whisper TTS model settings ##
+ENV WHISPER_MODEL="base" \
+    WHISPER_MODEL_DIR="/app/backend/data/cache/whisper/models"
+
+## RAG Embedding model settings ##
+ENV RAG_EMBEDDING_MODEL="$USE_EMBEDDING_MODEL_DOCKER" \
+    RAG_RERANKING_MODEL="$USE_RERANKING_MODEL_DOCKER" \
+    AUXILIARY_EMBEDDING_MODEL="$USE_AUXILIARY_EMBEDDING_MODEL_DOCKER" \
+    SENTENCE_TRANSFORMERS_HOME="/app/backend/data/cache/embedding/models"
+
+## Tiktoken model settings ##
+ENV TIKTOKEN_ENCODING_NAME="cl100k_base" \
+    TIKTOKEN_CACHE_DIR="/app/backend/data/cache/tiktoken"
+
+## Hugging Face download cache ##
+ENV HF_HOME="/app/backend/data/cache/embedding/models"
+
+## Torch Extensions ##
+# ENV TORCH_EXTENSIONS_DIR="/.cache/torch_extensions"
+
+#### Other models ##########################################################
+
+WORKDIR /app/backend
+
+ENV HOME=/root
+# Create user and group if not root
+RUN if [ $UID -ne 0 ]; then \
+    if [ $GID -ne 0 ]; then \
+    addgroup --gid $GID app; \
+    fi; \
+    adduser --uid $UID --gid $GID --home $HOME --disabled-password --no-create-home app; \
+    fi
+
+RUN mkdir -p $HOME/.cache/chroma
+RUN echo -n 00000000-0000-0000-0000-000000000000 > $HOME/.cache/chroma/telemetry_user_id
+
+# Make sure the user has access to the app and root directory
+RUN chown -R $UID:$GID /app $HOME
+
+# Install common system dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    git build-essential pandoc gcc netcat-openbsd curl jq \
+    libmariadb-dev \
+    python3-dev \
+    ffmpeg libsm6 libxext6 zstd \
+    && rm -rf /var/lib/apt/lists/*
+
+# install python dependencies
+COPY --chown=$UID:$GID ./backend/requirements.txt ./requirements.txt
+
+# Set UV_LINK_MODE to copy to prevent 0-byte file corruption in QEMU arm64 cross-builds
+ENV UV_LINK_MODE=copy
+
+RUN set -e; \
+    pip3 install --no-cache-dir uv; \
+    if [ "$USE_CUDA" = "true" ]; then \
+    # If you use CUDA the whisper and embedding model will be downloaded on first use
+    # fix: pin torch<=2.9.1 - torch 2.10.0 aarch64 wheels cause SIGILL on ARM devices (RPi 4 Cortex-A72) #21349
+    pip3 install 'torch<=2.9.1' torchvision torchaudio --index-url https://download.pytorch.org/whl/$USE_CUDA_DOCKER_VER --no-cache-dir; \
+    uv pip install --system -r requirements.txt --no-cache-dir; \
+    python -c "import os; from sentence_transformers import SentenceTransformer; SentenceTransformer(os.environ['RAG_EMBEDDING_MODEL'], device='cpu')"; \
+    python -c "import os; from sentence_transformers import SentenceTransformer; SentenceTransformer(os.environ.get('AUXILIARY_EMBEDDING_MODEL', 'TaylorAI/bge-micro-v2'), device='cpu')"; \
+    python -c "import os; from faster_whisper import WhisperModel; WhisperModel(os.environ['WHISPER_MODEL'], device='cpu', compute_type='int8', download_root=os.environ['WHISPER_MODEL_DIR'])"; \
+    python -c "import os; import tiktoken; tiktoken.get_encoding(os.environ['TIKTOKEN_ENCODING_NAME'])"; \
+    python -c "import nltk; nltk.download('punkt_tab')"; \
+    else \
+    pip3 install 'torch<=2.9.1' torchvision torchaudio --index-url https://download.pytorch.org/whl/cpu --no-cache-dir; \
+    uv pip install --system -r requirements.txt --no-cache-dir; \
+    if [ "$USE_SLIM" != "true" ]; then \
+    python -c "import os; from sentence_transformers import SentenceTransformer; SentenceTransformer(os.environ['RAG_EMBEDDING_MODEL'], device='cpu')"; \
+    python -c "import os; from sentence_transformers import SentenceTransformer; SentenceTransformer(os.environ.get('AUXILIARY_EMBEDDING_MODEL', 'TaylorAI/bge-micro-v2'), device='cpu')"; \
+    python -c "import os; from faster_whisper import WhisperModel; WhisperModel(os.environ['WHISPER_MODEL'], device='cpu', compute_type='int8', download_root=os.environ['WHISPER_MODEL_DIR'])"; \
+    python -c "import os; import tiktoken; tiktoken.get_encoding(os.environ['TIKTOKEN_ENCODING_NAME'])"; \
+    python -c "import nltk; nltk.download('punkt_tab')"; \
+    fi; \
+    fi; \
+    mkdir -p /app/backend/data; chown -R $UID:$GID /app/backend/data/; \
+    rm -rf /var/lib/apt/lists/*;
+
+# Install Ollama if requested
+RUN if [ "$USE_OLLAMA" = "true" ]; then \
+    date +%s > /tmp/ollama_build_hash && \
+    echo "Cache broken at timestamp: `cat /tmp/ollama_build_hash`" && \
+    curl -fsSL https://ollama.com/install.sh | sh && \
+    rm -rf /var/lib/apt/lists/*; \
+    fi
+
+# copy embedding weight from build
+# RUN mkdir -p /root/.cache/chroma/onnx_models/all-MiniLM-L6-v2
+# COPY --from=build /app/onnx /root/.cache/chroma/onnx_models/all-MiniLM-L6-v2/onnx
+
+# copy built frontend files
+COPY --chown=$UID:$GID --from=build /app/build /app/build
+COPY --chown=$UID:$GID --from=build /app/CHANGELOG.md /app/CHANGELOG.md
+COPY --chown=$UID:$GID --from=build /app/package.json /app/package.json
+
+# copy backend files
+COPY --chown=$UID:$GID ./backend .
+
+EXPOSE 8080
+
+HEALTHCHECK CMD curl --silent --fail http://localhost:${PORT:-8080}/health | jq -ne 'input.status == true' || exit 1
+
+# Minimal, atomic permission hardening for OpenShift (arbitrary UID):
+# - Group 0 owns /app and /root
+# - Directories are group-writable and have SGID so new files inherit GID 0
+RUN if [ "$USE_PERMISSION_HARDENING" = "true" ]; then \
+    set -eux; \
+    chgrp -R 0 /app /root || true; \
+    chmod -R g+rwX /app /root || true; \
+    find /app -type d -exec chmod g+s {} + || true; \
+    find /root -type d -exec chmod g+s {} + || true; \
+    fi
+
+USER $UID:$GID
 
-COPY --chown=user . /app
-CMD ["open-webui", "serve", "--host", "0.0.0.0", "--port", "7860"]
+ARG BUILD_HASH
+ENV WEBUI_BUILD_VERSION=${BUILD_HASH}
+ENV DOCKER=true
 
+CMD [ "bash", "start.sh"]

README.md

@@ -1,4 +1,4 @@
----
+
 title: Open Webui
 emoji: ♥︎
 colorFrom: green
@@ -6,6 +6,3 @@ colorTo: blue
 sdk: docker
 pinned: false
 license: mit
----
-
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference

backend/.dockerignore

@@ -0,0 +1,14 @@
+__pycache__
+.env
+_old
+uploads
+.ipynb_checkpoints
+*.db
+_test
+!/data
+/data/*
+!/data/litellm
+/data/litellm/*
+!data/litellm/config.yaml
+
+!data/config.json

backend/.gitignore

@@ -0,0 +1,12 @@
+__pycache__
+.env
+_old
+uploads
+.ipynb_checkpoints
+*.db
+_test
+Pipfile
+!/data
+/data/*
+/open_webui/data/*
+.webui_secret_key

backend/dev.sh

@@ -0,0 +1,3 @@
+export CORS_ALLOW_ORIGIN="http://localhost:5173;http://localhost:8080"
+PORT="${PORT:-8080}"
+uvicorn open_webui.main:app --port $PORT --host 0.0.0.0 --forwarded-allow-ips "${FORWARDED_ALLOW_IPS:-*}" --reload

backend/open_webui/__init__.py

@@ -0,0 +1,96 @@
+import base64
+import os
+import random
+from pathlib import Path
+from typing import Annotated
+
+import typer
+import uvicorn
+
+app = typer.Typer()
+
+KEY_FILE = Path.cwd() / '.webui_secret_key'
+
+
+def version_callback(value: bool) -> None:
+    if value:
+        from open_webui.env import VERSION
+
+        typer.echo(f'Open WebUI version: {VERSION}')
+        raise typer.Exit()
+
+
+@app.command()
+def main(
+    version: Annotated[bool | None, typer.Option('--version', callback=version_callback)] = None,
+):
+    pass
+
+
+@app.command()
+def serve(
+    host: str = '0.0.0.0',
+    port: int = 8080,
+):
+    os.environ['FROM_INIT_PY'] = 'true'
+    if os.getenv('WEBUI_SECRET_KEY') is None:
+        typer.echo('Loading WEBUI_SECRET_KEY from file, not provided as an environment variable.')
+        if not KEY_FILE.exists():
+            typer.echo(f'Generating a new secret key and saving it to {KEY_FILE}')
+            KEY_FILE.write_bytes(base64.b64encode(random.randbytes(12)))
+        typer.echo(f'Loading WEBUI_SECRET_KEY from {KEY_FILE}')
+        os.environ['WEBUI_SECRET_KEY'] = KEY_FILE.read_text()
+
+    if os.getenv('USE_CUDA_DOCKER', 'false') == 'true':
+        typer.echo('CUDA is enabled, appending LD_LIBRARY_PATH to include torch/cudnn & cublas libraries.')
+        LD_LIBRARY_PATH = os.getenv('LD_LIBRARY_PATH', '').split(':')
+        os.environ['LD_LIBRARY_PATH'] = ':'.join(
+            LD_LIBRARY_PATH
+            + [
+                '/usr/local/lib/python3.11/site-packages/torch/lib',
+                '/usr/local/lib/python3.11/site-packages/nvidia/cudnn/lib',
+            ]
+        )
+        try:
+            import torch
+
+            assert torch.cuda.is_available(), 'CUDA not available'
+            typer.echo('CUDA seems to be working')
+        except Exception as e:
+            typer.echo(
+                'Error when testing CUDA but USE_CUDA_DOCKER is true. '
+                'Resetting USE_CUDA_DOCKER to false and removing '
+                f'LD_LIBRARY_PATH modifications: {e}'
+            )
+            os.environ['USE_CUDA_DOCKER'] = 'false'
+            os.environ['LD_LIBRARY_PATH'] = ':'.join(LD_LIBRARY_PATH)
+
+    import open_webui.main  # noqa: F401
+    from open_webui.env import UVICORN_WORKERS  # Import the workers setting
+
+    uvicorn.run(
+        'open_webui.main:app',
+        host=host,
+        port=port,
+        forwarded_allow_ips='*',
+        workers=UVICORN_WORKERS,
+    )
+
+
+@app.command()
+def dev(
+    host: str = '0.0.0.0',
+    port: int = 8080,
+    reload: bool = True,
+):
+    uvicorn.run(
+        'open_webui.main:app',
+        host=host,
+        port=port,
+        reload=reload,
+        forwarded_allow_ips='*',
+    )
+
+
+if __name__ == '__main__':
+    app()

backend/open_webui/alembic.ini

@@ -0,0 +1,114 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts
+script_location = migrations
+
+# template used to generate migration file names; The default value is %%(rev)s_%%(slug)s
+# Uncomment the line below if you want the files to be prepended with date and time
+# file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
+
+# sys.path path, will be prepended to sys.path if present.
+# defaults to the current working directory.
+prepend_sys_path = ..
+
+# timezone to use when rendering the date within the migration file
+# as well as the filename.
+# If specified, requires the python>=3.9 or backports.zoneinfo library.
+# Any required deps can installed by adding `alembic[tz]` to the pip requirements
+# string value is passed to ZoneInfo()
+# leave blank for localtime
+# timezone =
+
+# max length of characters to apply to the
+# "slug" field
+# truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+# version location specification; This defaults
+# to migrations/versions.  When using multiple version
+# directories, initial revisions must be specified with --version-path.
+# The path separator used here should be the separator specified by "version_path_separator" below.
+# version_locations = %(here)s/bar:%(here)s/bat:migrations/versions
+
+# version path separator; As mentioned above, this is the character used to split
+# version_locations. The default within new alembic.ini files is "os", which uses os.pathsep.
+# If this key is omitted entirely, it falls back to the legacy behavior of splitting on spaces and/or commas.
+# Valid values for version_path_separator are:
+#
+# version_path_separator = :
+# version_path_separator = ;
+# version_path_separator = space
+version_path_separator = os  # Use os.pathsep. Default configuration used for new projects.
+
+# set to 'true' to search source files recursively
+# in each "version_locations" directory
+# new in Alembic version 1.10
+# recursive_version_locations = false
+
+# the output encoding used when revision files
+# are written from script.py.mako
+# output_encoding = utf-8
+
+# sqlalchemy.url = REPLACE_WITH_DATABASE_URL
+
+
+[post_write_hooks]
+# post_write_hooks defines scripts or Python functions that are run
+# on newly generated revision scripts.  See the documentation for further
+# detail and examples
+
+# format using "black" - use the console_scripts runner, against the "black" entrypoint
+# hooks = black
+# black.type = console_scripts
+# black.entrypoint = black
+# black.options = -l 79 REVISION_SCRIPT_FILENAME
+
+# lint with attempts to fix using "ruff" - use the exec runner, execute a binary
+# hooks = ruff
+# ruff.type = exec
+# ruff.executable = %(here)s/.venv/bin/ruff
+# ruff.options = --fix REVISION_SCRIPT_FILENAME
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

backend/open_webui/constants.py

@@ -0,0 +1,119 @@
+from enum import Enum
+
+
+class MESSAGES(str, Enum):
+    DEFAULT = lambda msg='': f'{msg if msg else ""}'
+    MODEL_ADDED = lambda model='': f"The model '{model}' has been added successfully."
+    MODEL_DELETED = lambda model='': f"The model '{model}' has been deleted successfully."
+
+
+class WEBHOOK_MESSAGES(str, Enum):
+    DEFAULT = lambda msg='': f'{msg if msg else ""}'
+    USER_SIGNUP = lambda username='': f'New user signed up: {username}' if username else 'New user signed up'
+
+
+class ERROR_MESSAGES(str, Enum):
+    def __str__(self) -> str:
+        return super().__str__()
+
+    DEFAULT = lambda err='': f'{"Something went wrong :/" if err == "" else "[ERROR: " + str(err) + "]"}'
+    ENV_VAR_NOT_FOUND = 'Required environment variable not found. Terminating now.'
+    CREATE_USER_ERROR = 'Oops! Something went wrong while creating your account. Please try again later. If the issue persists, contact support for assistance.'
+    DELETE_USER_ERROR = 'Oops! Something went wrong. We encountered an issue while trying to delete the user. Please give it another shot.'
+    EMAIL_MISMATCH = 'Uh-oh! This email does not match the email your provider is registered with. Please check your email and try again.'
+    EMAIL_TAKEN = 'Uh-oh! This email is already registered. Sign in with your existing account or choose another email to start anew.'
+    USERNAME_TAKEN = 'Uh-oh! This username is already registered. Please choose another username.'
+    PASSWORD_TOO_LONG = (
+        'Uh-oh! The password you entered is too long. Please make sure your password is less than 72 bytes long.'
+    )
+    COMMAND_TAKEN = 'Uh-oh! This command is already registered. Please choose another command string.'
+    FILE_EXISTS = 'Uh-oh! This file is already registered. Please choose another file.'
+
+    ID_TAKEN = 'Uh-oh! This id is already registered. Please choose another id string.'
+    MODEL_ID_TAKEN = 'Uh-oh! This model id is already registered. Please choose another model id string.'
+    NAME_TAG_TAKEN = 'Uh-oh! This name tag is already registered. Please choose another name tag string.'
+    MODEL_ID_TOO_LONG = 'The model id is too long. Please make sure your model id is less than 256 characters long.'
+
+    INVALID_TOKEN = 'Your session has expired or the token is invalid. Please sign in again.'
+    INVALID_CRED = 'The email or password provided is incorrect. Please check for typos and try logging in again.'
+    INVALID_EMAIL_FORMAT = "The email format you entered is invalid. Please double-check and make sure you're using a valid email address (e.g., yourname@example.com)."
+    INCORRECT_PASSWORD = 'The password provided is incorrect. Please check for typos and try again.'
+    INVALID_TRUSTED_HEADER = (
+        'Your provider has not provided a trusted header. Please contact your administrator for assistance.'
+    )
+
+    EXISTING_USERS = "You can't turn off authentication because there are existing users. If you want to disable WEBUI_AUTH, make sure your web interface doesn't have any existing users and is a fresh installation."
+
+    UNAUTHORIZED = '401 Unauthorized'
+    ACCESS_PROHIBITED = (
+        'You do not have permission to access this resource. Please contact your administrator for assistance.'
+    )
+    ACTION_PROHIBITED = 'The requested action has been restricted as a security measure.'
+
+    FILE_NOT_SENT = 'FILE_NOT_SENT'
+    FILE_NOT_SUPPORTED = "Oops! It seems like the file format you're trying to upload is not supported. Please upload a file with a supported format and try again."
+
+    NOT_FOUND = "We could not find what you're looking for :/"
+    USER_NOT_FOUND = "We could not find what you're looking for :/"
+    API_KEY_NOT_FOUND = "Oops! It looks like there's a hiccup. The API key is missing. Please make sure to provide a valid API key to access this feature."
+    API_KEY_NOT_ALLOWED = 'Use of API key is not enabled in the environment.'
+
+    MALICIOUS = 'Unusual activities detected, please try again in a few minutes.'
+
+    PANDOC_NOT_INSTALLED = 'Pandoc is not installed on the server. Please contact your administrator for assistance.'
+    INCORRECT_FORMAT = lambda err='': f'Invalid format. Please use the correct format{err}'
+    RATE_LIMIT_EXCEEDED = 'API rate limit exceeded'
+
+    MODEL_NOT_FOUND = lambda name='': f"Model '{name}' was not found"
+    OPENAI_NOT_FOUND = lambda name='': 'OpenAI API was not found'
+    OLLAMA_NOT_FOUND = 'WebUI could not connect to Ollama'
+    CREATE_API_KEY_ERROR = 'Oops! Something went wrong while creating your API key. Please try again later. If the issue persists, contact support for assistance.'
+    API_KEY_CREATION_NOT_ALLOWED = 'API key creation is not allowed in the environment.'
+
+    EMPTY_CONTENT = 'The content provided is empty. Please ensure that there is text or data present before proceeding.'
+
+    DB_NOT_SQLITE = 'This feature is only available when running with SQLite databases.'
+
+    INVALID_URL = 'Oops! The URL you provided is invalid. Please double-check and try again.'
+
+    WEB_SEARCH_ERROR = lambda err='': f'{err if err else "Oops! Something went wrong while searching the web."}'
+
+    OLLAMA_API_DISABLED = 'The Ollama API is disabled. Please enable it to use this feature.'
+
+    FILE_TOO_LARGE = lambda size='': (
+        f"Oops! The file you're trying to upload is too large. Please upload a file that is less than {size}."
+    )
+
+    DUPLICATE_CONTENT = 'Duplicate content detected. Please provide unique content to proceed.'
+    FILE_NOT_PROCESSED = (
+        'Extracted content is not available for this file. Please ensure that the file is processed before proceeding.'
+    )
+
+    INVALID_PASSWORD = lambda err='': err if err else 'The password does not meet the required validation criteria.'
+
+    AUTOMATION_LIMIT_EXCEEDED = lambda size='': f'Automation limit reached ({size})'
+    AUTOMATION_TOO_FREQUENT = lambda interval='': f'Schedule too frequent. Minimum interval is {interval} seconds.'
+    AUTOMATION_INVALID_RRULE = lambda err='': f'Invalid RRULE: {err}'
+    AUTOMATION_NO_FUTURE_RUNS = 'RRULE has no future occurrences'
+
+    FEATURE_DISABLED = lambda name='': f'{name} is disabled'
+    INPUT_TOO_LONG = lambda size='': f'Input prompt exceeds maximum length of {size}'
+    SERVER_CONNECTION_ERROR = 'Open WebUI: Server Connection Error'
+    REQUIRED_FIELD_EMPTY = lambda name='': f'Required field {name} is empty'
+    OAUTH_NOT_CONFIGURED = lambda name='': f"Provider '{name}' is not configured"
+
+
+class TASKS(str, Enum):
+    def __str__(self) -> str:
+        return super().__str__()
+
+    DEFAULT = lambda task='': f'{task if task else "generation"}'
+    TITLE_GENERATION = 'title_generation'
+    FOLLOW_UP_GENERATION = 'follow_up_generation'
+    TAGS_GENERATION = 'tags_generation'
+    EMOJI_GENERATION = 'emoji_generation'
+    QUERY_GENERATION = 'query_generation'
+    IMAGE_PROMPT_GENERATION = 'image_prompt_generation'
+    AUTOCOMPLETE_GENERATION = 'autocomplete_generation'
+    FUNCTION_CALLING = 'function_calling'
+    MOA_RESPONSE_GENERATION = 'moa_response_generation'

backend/open_webui/env.py

@@ -0,0 +1,1058 @@
+import importlib.metadata
+import json
+import logging
+import os
+import pkgutil
+import sys
+import shutil
+import traceback
+from datetime import datetime, timezone
+from typing import Any
+from uuid import uuid4
+from pathlib import Path
+from cryptography.hazmat.primitives import serialization
+import re
+
+
+import markdown
+from bs4 import BeautifulSoup
+from open_webui.constants import ERROR_MESSAGES
+
+####################################
+# Load .env file
+####################################
+
+# Use .resolve() to get the canonical path, removing any '..' or '.' components
+ENV_FILE_PATH = Path(__file__).resolve()
+
+# OPEN_WEBUI_DIR should be the directory where env.py resides (open_webui/)
+OPEN_WEBUI_DIR = ENV_FILE_PATH.parent
+
+# BACKEND_DIR is the parent of OPEN_WEBUI_DIR (backend/)
+BACKEND_DIR = OPEN_WEBUI_DIR.parent
+
+# BASE_DIR is the parent of BACKEND_DIR (open-webui-dev/)
+BASE_DIR = BACKEND_DIR.parent
+
+try:
+    from dotenv import find_dotenv, load_dotenv
+
+    load_dotenv(find_dotenv(str(BASE_DIR / '.env')))
+except ImportError:
+    print('dotenv not installed, skipping...')
+
+DOCKER = os.environ.get('DOCKER', 'False').lower() == 'true'
+
+# device type embedding models - "cpu" (default), "cuda" (nvidia gpu required) or "mps" (apple silicon) - choosing this right can lead to better performance
+USE_CUDA = os.environ.get('USE_CUDA_DOCKER', 'false')
+
+if USE_CUDA.lower() == 'true':
+    try:
+        import torch
+
+        assert torch.cuda.is_available(), 'CUDA not available'
+        DEVICE_TYPE = 'cuda'
+    except Exception as e:
+        cuda_error = f'Error when testing CUDA but USE_CUDA_DOCKER is true. Resetting USE_CUDA_DOCKER to false: {e}'
+        os.environ['USE_CUDA_DOCKER'] = 'false'
+        USE_CUDA = 'false'
+        DEVICE_TYPE = 'cpu'
+else:
+    DEVICE_TYPE = 'cpu'
+
+if sys.platform == 'darwin':
+    try:
+        import torch
+
+        if torch.backends.mps.is_available() and torch.backends.mps.is_built():
+            DEVICE_TYPE = 'mps'
+    except Exception:
+        pass
+
+####################################
+# LOGGING
+####################################
+
+_LEVEL_MAP = {
+    'DEBUG': 'debug',
+    'INFO': 'info',
+    'WARNING': 'warn',
+    'ERROR': 'error',
+    'CRITICAL': 'fatal',
+}
+
+
+class JSONFormatter(logging.Formatter):
+    """Format log records as single-line JSON objects for structured logging."""
+
+    def format(self, record: logging.LogRecord) -> str:
+        log_entry: dict[str, Any] = {
+            'ts': datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(timespec='milliseconds'),
+            'level': _LEVEL_MAP.get(record.levelname, record.levelname.lower()),
+            'msg': record.getMessage(),
+            'caller': record.name,
+        }
+
+        if record.exc_info and record.exc_info[0] is not None:
+            log_entry['error'] = ''.join(traceback.format_exception(*record.exc_info)).rstrip()
+        elif record.exc_text:
+            log_entry['error'] = record.exc_text
+
+        if record.stack_info:
+            log_entry['stacktrace'] = record.stack_info
+
+        return json.dumps(log_entry, ensure_ascii=False, default=str)
+
+
+LOG_FORMAT = os.environ.get('LOG_FORMAT', '').lower()
+
+GLOBAL_LOG_LEVEL = os.environ.get('GLOBAL_LOG_LEVEL', '').upper()
+if GLOBAL_LOG_LEVEL in logging.getLevelNamesMapping():
+    if LOG_FORMAT == 'json':
+        _handler = logging.StreamHandler(sys.stdout)
+        _handler.setFormatter(JSONFormatter())
+        logging.basicConfig(handlers=[_handler], level=GLOBAL_LOG_LEVEL, force=True)
+    else:
+        logging.basicConfig(stream=sys.stdout, level=GLOBAL_LOG_LEVEL, force=True)
+else:
+    GLOBAL_LOG_LEVEL = 'INFO'
+
+log = logging.getLogger(__name__)
+log.info(f'GLOBAL_LOG_LEVEL: {GLOBAL_LOG_LEVEL}')
+
+if 'cuda_error' in locals():
+    log.exception(cuda_error)
+    del cuda_error
+
+SRC_LOG_LEVELS = {}  # Legacy variable, do not remove
+
+WEBUI_NAME = os.environ.get('WEBUI_NAME', 'Open WebUI')
+if WEBUI_NAME != 'Open WebUI':
+    WEBUI_NAME += ' (Open WebUI)'
+
+WEBUI_FAVICON_URL = 'https://openwebui.com/favicon.png'
+
+TRUSTED_SIGNATURE_KEY = os.environ.get('TRUSTED_SIGNATURE_KEY', '')
+
+####################################
+# ENV (dev,test,prod)
+####################################
+
+ENV = os.environ.get('ENV', 'dev')
+
+FROM_INIT_PY = os.environ.get('FROM_INIT_PY', 'False').lower() == 'true'
+
+if FROM_INIT_PY:
+    PACKAGE_DATA = {'version': importlib.metadata.version('open-webui')}
+else:
+    try:
+        PACKAGE_DATA = json.loads((BASE_DIR / 'package.json').read_text())
+    except Exception:
+        PACKAGE_DATA = {'version': '0.0.0'}
+
+VERSION = PACKAGE_DATA['version']
+
+
+DEPLOYMENT_ID = os.environ.get('DEPLOYMENT_ID', '')
+INSTANCE_ID = os.environ.get('INSTANCE_ID', str(uuid4()))
+
+ENABLE_DB_MIGRATIONS = os.environ.get('ENABLE_DB_MIGRATIONS', 'True').lower() == 'true'
+
+
+# Function to parse each section
+def parse_section(section):
+    items = []
+    for li in section.find_all('li'):
+        # Extract raw HTML string
+        raw_html = str(li)
+
+        # Extract text without HTML tags
+        text = li.get_text(separator=' ', strip=True)
+
+        # Split into title and content
+        parts = text.split(': ', 1)
+        title = parts[0].strip() if len(parts) > 1 else ''
+        content = parts[1].strip() if len(parts) > 1 else text
+
+        items.append({'title': title, 'content': content, 'raw': raw_html})
+    return items
+
+
+try:
+    changelog_path = BASE_DIR / 'CHANGELOG.md'
+    with open(str(changelog_path.absolute()), 'r', encoding='utf8') as file:
+        changelog_content = file.read()
+
+except Exception:
+    changelog_content = (pkgutil.get_data('open_webui', 'CHANGELOG.md') or b'').decode()
+
+# Convert markdown content to HTML
+html_content = markdown.markdown(changelog_content)
+
+# Parse the HTML content
+soup = BeautifulSoup(html_content, 'html.parser')
+
+# Initialize JSON structure
+changelog_json = {}
+
+# Iterate over each version
+for version in soup.find_all('h2'):
+    version_number = version.get_text().strip().split(' - ')[0][1:-1]  # Remove brackets
+    date = version.get_text().strip().split(' - ')[1]
+
+    version_data = {'date': date}
+
+    # Find the next sibling that is a h3 tag (section title)
+    current = version.find_next_sibling()
+
+    while current and current.name != 'h2':
+        if current.name == 'h3':
+            section_title = current.get_text().lower()  # e.g., "added", "fixed"
+            section_items = parse_section(current.find_next_sibling('ul'))
+            version_data[section_title] = section_items
+
+        # Move to the next element
+        current = current.find_next_sibling()
+
+    changelog_json[version_number] = version_data
+
+CHANGELOG = changelog_json
+
+####################################
+# SAFE_MODE
+####################################
+
+SAFE_MODE = os.environ.get('SAFE_MODE', 'false').lower() == 'true'
+
+
+####################################
+# ENABLE_FORWARD_USER_INFO_HEADERS
+####################################
+
+ENABLE_FORWARD_USER_INFO_HEADERS = os.environ.get('ENABLE_FORWARD_USER_INFO_HEADERS', 'False').lower() == 'true'
+
+# Header names for user info forwarding (customizable via environment variables)
+FORWARD_USER_INFO_HEADER_USER_NAME = os.environ.get('FORWARD_USER_INFO_HEADER_USER_NAME', 'X-OpenWebUI-User-Name')
+FORWARD_USER_INFO_HEADER_USER_ID = os.environ.get('FORWARD_USER_INFO_HEADER_USER_ID', 'X-OpenWebUI-User-Id')
+FORWARD_USER_INFO_HEADER_USER_EMAIL = os.environ.get('FORWARD_USER_INFO_HEADER_USER_EMAIL', 'X-OpenWebUI-User-Email')
+FORWARD_USER_INFO_HEADER_USER_ROLE = os.environ.get('FORWARD_USER_INFO_HEADER_USER_ROLE', 'X-OpenWebUI-User-Role')
+
+# Header name for chat ID forwarding (customizable via environment variable)
+FORWARD_SESSION_INFO_HEADER_MESSAGE_ID = os.environ.get(
+    'FORWARD_SESSION_INFO_HEADER_MESSAGE_ID', 'X-OpenWebUI-Message-Id'
+)
+FORWARD_SESSION_INFO_HEADER_CHAT_ID = os.environ.get('FORWARD_SESSION_INFO_HEADER_CHAT_ID', 'X-OpenWebUI-Chat-Id')
+
+# Experimental feature, may be removed in future
+ENABLE_STAR_SESSIONS_MIDDLEWARE = os.environ.get('ENABLE_STAR_SESSIONS_MIDDLEWARE', 'False').lower() == 'true'
+
+ENABLE_EASTER_EGGS = os.environ.get('ENABLE_EASTER_EGGS', 'True').lower() == 'true'
+
+####################################
+# WEBUI_BUILD_HASH
+####################################
+
+WEBUI_BUILD_HASH = os.environ.get('WEBUI_BUILD_HASH', 'dev-build')
+
+####################################
+# DATA/FRONTEND BUILD DIR
+####################################
+
+DATA_DIR = Path(os.getenv('DATA_DIR', BACKEND_DIR / 'data')).resolve()
+
+if FROM_INIT_PY:
+    NEW_DATA_DIR = Path(os.getenv('DATA_DIR', OPEN_WEBUI_DIR / 'data')).resolve()
+    NEW_DATA_DIR.mkdir(parents=True, exist_ok=True)
+
+    # Check if the data directory exists in the package directory
+    if DATA_DIR.exists() and DATA_DIR != NEW_DATA_DIR:
+        log.info(f'Moving {DATA_DIR} to {NEW_DATA_DIR}')
+        for item in DATA_DIR.iterdir():
+            dest = NEW_DATA_DIR / item.name
+            if item.is_dir():
+                shutil.copytree(item, dest, dirs_exist_ok=True)
+            else:
+                shutil.copy2(item, dest)
+
+        # Zip the data directory
+        shutil.make_archive(DATA_DIR.parent / 'open_webui_data', 'zip', DATA_DIR)
+
+        # Remove the old data directory
+        shutil.rmtree(DATA_DIR)
+
+    DATA_DIR = Path(os.getenv('DATA_DIR', OPEN_WEBUI_DIR / 'data'))
+
+STATIC_DIR = Path(os.getenv('STATIC_DIR', OPEN_WEBUI_DIR / 'static'))
+
+FONTS_DIR = Path(os.getenv('FONTS_DIR', OPEN_WEBUI_DIR / 'static' / 'fonts'))
+
+FRONTEND_BUILD_DIR = Path(os.getenv('FRONTEND_BUILD_DIR', BASE_DIR / 'build')).resolve()
+
+if FROM_INIT_PY:
+    FRONTEND_BUILD_DIR = Path(os.getenv('FRONTEND_BUILD_DIR', OPEN_WEBUI_DIR / 'frontend')).resolve()
+
+####################################
+# Database
+####################################
+
+# Check if the file exists
+if os.path.exists(f'{DATA_DIR}/ollama.db'):
+    # Rename the file
+    os.rename(f'{DATA_DIR}/ollama.db', f'{DATA_DIR}/webui.db')
+    log.info('Database migrated from Ollama-WebUI successfully.')
+else:
+    pass
+
+DATABASE_URL = os.environ.get('DATABASE_URL', f'sqlite:///{DATA_DIR}/webui.db')
+
+DATABASE_TYPE = os.environ.get('DATABASE_TYPE')
+DATABASE_USER = os.environ.get('DATABASE_USER')
+DATABASE_PASSWORD = os.environ.get('DATABASE_PASSWORD')
+
+DATABASE_CRED = ''
+if DATABASE_USER:
+    DATABASE_CRED += f'{DATABASE_USER}'
+if DATABASE_PASSWORD:
+    DATABASE_CRED += f':{DATABASE_PASSWORD}'
+
+DB_VARS = {
+    'db_type': DATABASE_TYPE,
+    'db_cred': DATABASE_CRED,
+    'db_host': os.environ.get('DATABASE_HOST'),
+    'db_port': os.environ.get('DATABASE_PORT'),
+    'db_name': os.environ.get('DATABASE_NAME'),
+}
+
+if all(DB_VARS.values()):
+    DATABASE_URL = (
+        f'{DB_VARS["db_type"]}://{DB_VARS["db_cred"]}@{DB_VARS["db_host"]}:{DB_VARS["db_port"]}/{DB_VARS["db_name"]}'
+    )
+elif DATABASE_TYPE == 'sqlite+sqlcipher' and not os.environ.get('DATABASE_URL'):
+    # Handle SQLCipher with local file when DATABASE_URL wasn't explicitly set
+    DATABASE_URL = f'sqlite+sqlcipher:///{DATA_DIR}/webui.db'
+
+# Replace the postgres:// with postgresql://
+if 'postgres://' in DATABASE_URL:
+    DATABASE_URL = DATABASE_URL.replace('postgres://', 'postgresql://')
+
+DATABASE_SCHEMA = os.environ.get('DATABASE_SCHEMA', None)
+
+DATABASE_POOL_SIZE = os.environ.get('DATABASE_POOL_SIZE', None)
+
+if DATABASE_POOL_SIZE != None:
+    try:
+        DATABASE_POOL_SIZE = int(DATABASE_POOL_SIZE)
+    except Exception:
+        DATABASE_POOL_SIZE = None
+
+DATABASE_POOL_MAX_OVERFLOW = os.environ.get('DATABASE_POOL_MAX_OVERFLOW', 0)
+
+if DATABASE_POOL_MAX_OVERFLOW == '':
+    DATABASE_POOL_MAX_OVERFLOW = 0
+else:
+    try:
+        DATABASE_POOL_MAX_OVERFLOW = int(DATABASE_POOL_MAX_OVERFLOW)
+    except Exception:
+        DATABASE_POOL_MAX_OVERFLOW = 0
+
+DATABASE_POOL_TIMEOUT = os.environ.get('DATABASE_POOL_TIMEOUT', 30)
+
+if DATABASE_POOL_TIMEOUT == '':
+    DATABASE_POOL_TIMEOUT = 30
+else:
+    try:
+        DATABASE_POOL_TIMEOUT = int(DATABASE_POOL_TIMEOUT)
+    except Exception:
+        DATABASE_POOL_TIMEOUT = 30
+
+DATABASE_POOL_RECYCLE = os.environ.get('DATABASE_POOL_RECYCLE', 3600)
+
+if DATABASE_POOL_RECYCLE == '':
+    DATABASE_POOL_RECYCLE = 3600
+else:
+    try:
+        DATABASE_POOL_RECYCLE = int(DATABASE_POOL_RECYCLE)
+    except Exception:
+        DATABASE_POOL_RECYCLE = 3600
+
+DATABASE_ENABLE_SQLITE_WAL = os.environ.get('DATABASE_ENABLE_SQLITE_WAL', 'True').lower() == 'true'
+
+# SQLite PRAGMA tuning — these defaults are optimised for WAL-mode web-server
+# workloads.  Each can be overridden via its environment variable.
+# Set any value to an empty string to skip that PRAGMA entirely.
+
+# PRAGMA synchronous: NORMAL (1) is safe with WAL and avoids an fsync per
+# transaction.  Valid values: OFF (0), NORMAL (1), FULL (2), EXTRA (3).
+DATABASE_SQLITE_PRAGMA_SYNCHRONOUS = os.environ.get('DATABASE_SQLITE_PRAGMA_SYNCHRONOUS', 'NORMAL')
+
+# PRAGMA busy_timeout (ms): how long a connection waits for a write lock
+# before raising SQLITE_BUSY.
+DATABASE_SQLITE_PRAGMA_BUSY_TIMEOUT = os.environ.get('DATABASE_SQLITE_PRAGMA_BUSY_TIMEOUT', '5000')
+
+# PRAGMA cache_size: negative value = KiB.  -65536 ≈ 64 MB page cache.
+DATABASE_SQLITE_PRAGMA_CACHE_SIZE = os.environ.get('DATABASE_SQLITE_PRAGMA_CACHE_SIZE', '-65536')
+
+# PRAGMA temp_store: MEMORY (2) keeps temp tables and indices in RAM.
+# Valid values: DEFAULT (0), FILE (1), MEMORY (2).
+DATABASE_SQLITE_PRAGMA_TEMP_STORE = os.environ.get('DATABASE_SQLITE_PRAGMA_TEMP_STORE', 'MEMORY')
+
+# PRAGMA mmap_size (bytes): memory-mapped I/O size.  268435456 ≈ 256 MB.
+# Set to 0 to disable mmap.
+DATABASE_SQLITE_PRAGMA_MMAP_SIZE = os.environ.get('DATABASE_SQLITE_PRAGMA_MMAP_SIZE', '268435456')
+
+# PRAGMA journal_size_limit (bytes): caps the WAL file size after checkpoint.
+# Without this the WAL grows unbounded during write bursts and is never
+# truncated.  67108864 ≈ 64 MB.  Set to -1 for no limit (SQLite default).
+DATABASE_SQLITE_PRAGMA_JOURNAL_SIZE_LIMIT = os.environ.get('DATABASE_SQLITE_PRAGMA_JOURNAL_SIZE_LIMIT', '67108864')
+
+DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL = os.environ.get('DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL', None)
+if DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL is not None:
+    try:
+        DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL = float(DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL)
+    except Exception:
+        DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL = 0.0
+
+# When enabled, get_db_context reuses existing sessions; set to False to always create new sessions
+DATABASE_ENABLE_SESSION_SHARING = os.environ.get('DATABASE_ENABLE_SESSION_SHARING', 'False').lower() == 'true'
+
+# Enable public visibility of active user count (when disabled, only admins can see it)
+ENABLE_PUBLIC_ACTIVE_USERS_COUNT = os.environ.get('ENABLE_PUBLIC_ACTIVE_USERS_COUNT', 'True').lower() == 'true'
+
+RESET_CONFIG_ON_START = os.environ.get('RESET_CONFIG_ON_START', 'False').lower() == 'true'
+
+ENABLE_REALTIME_CHAT_SAVE = os.environ.get('ENABLE_REALTIME_CHAT_SAVE', 'False').lower() == 'true'
+
+ENABLE_QUERIES_CACHE = os.environ.get('ENABLE_QUERIES_CACHE', 'False').lower() == 'true'
+
+RAG_SYSTEM_CONTEXT = os.environ.get('RAG_SYSTEM_CONTEXT', 'False').lower() == 'true'
+
+####################################
+# REDIS
+####################################
+
+REDIS_URL = os.environ.get('REDIS_URL', '')
+REDIS_CLUSTER = os.environ.get('REDIS_CLUSTER', 'False').lower() == 'true'
+
+REDIS_KEY_PREFIX = os.environ.get('REDIS_KEY_PREFIX', 'open-webui')
+
+REDIS_SENTINEL_HOSTS = os.environ.get('REDIS_SENTINEL_HOSTS', '')
+REDIS_SENTINEL_PORT = os.environ.get('REDIS_SENTINEL_PORT', '26379')
+
+# Maximum number of retries for Redis operations when using Sentinel fail-over
+REDIS_SENTINEL_MAX_RETRY_COUNT = os.environ.get('REDIS_SENTINEL_MAX_RETRY_COUNT', '2')
+try:
+    REDIS_SENTINEL_MAX_RETRY_COUNT = int(REDIS_SENTINEL_MAX_RETRY_COUNT)
+    if REDIS_SENTINEL_MAX_RETRY_COUNT < 1:
+        REDIS_SENTINEL_MAX_RETRY_COUNT = 2
+except ValueError:
+    REDIS_SENTINEL_MAX_RETRY_COUNT = 2
+
+
+REDIS_SOCKET_CONNECT_TIMEOUT = os.environ.get('REDIS_SOCKET_CONNECT_TIMEOUT', '')
+try:
+    REDIS_SOCKET_CONNECT_TIMEOUT = float(REDIS_SOCKET_CONNECT_TIMEOUT)
+except ValueError:
+    REDIS_SOCKET_CONNECT_TIMEOUT = None
+
+# Whether to enable TCP SO_KEEPALIVE on Redis client sockets. Opt-in:
+# defaults to off so behavior is unchanged for existing deployments. When
+# enabled, the kernel sends TCP keepalive probes on idle connections so
+# half-closed sockets (e.g. after a silent firewall/LB reset or a NIC
+# flap) are detected before the next command lands on them.
+REDIS_SOCKET_KEEPALIVE = os.environ.get('REDIS_SOCKET_KEEPALIVE', 'False').lower() == 'true'
+
+# How often (in seconds) redis-py should PING an idle pooled connection
+# before reusing it. Opt-in: defaults to unset (empty string) so behavior
+# is unchanged for existing deployments. When set, should be shorter than
+# the Redis server `timeout` setting and any firewall/LB idle timeout on
+# the path to Redis, so stale connections are detected before a real
+# command lands on them. Set to 0 or empty to disable.
+REDIS_HEALTH_CHECK_INTERVAL = os.environ.get('REDIS_HEALTH_CHECK_INTERVAL', '')
+try:
+    REDIS_HEALTH_CHECK_INTERVAL = int(REDIS_HEALTH_CHECK_INTERVAL)
+    if REDIS_HEALTH_CHECK_INTERVAL <= 0:
+        REDIS_HEALTH_CHECK_INTERVAL = None
+except ValueError:
+    REDIS_HEALTH_CHECK_INTERVAL = None
+
+REDIS_RECONNECT_DELAY = os.environ.get('REDIS_RECONNECT_DELAY', '')
+
+if REDIS_RECONNECT_DELAY == '':
+    REDIS_RECONNECT_DELAY = None
+else:
+    try:
+        REDIS_RECONNECT_DELAY = float(REDIS_RECONNECT_DELAY)
+        if REDIS_RECONNECT_DELAY < 0:
+            REDIS_RECONNECT_DELAY = None
+    except Exception:
+        REDIS_RECONNECT_DELAY = None
+
+####################################
+# UVICORN WORKERS
+####################################
+
+# Number of uvicorn worker processes for handling requests
+UVICORN_WORKERS = os.environ.get('UVICORN_WORKERS', '1')
+try:
+    UVICORN_WORKERS = int(UVICORN_WORKERS)
+    if UVICORN_WORKERS < 1:
+        UVICORN_WORKERS = 1
+except ValueError:
+    UVICORN_WORKERS = 1
+    log.info(f'Invalid UVICORN_WORKERS value, defaulting to {UVICORN_WORKERS}')
+
+####################################
+# WEBUI_AUTH (Required for security)
+####################################
+
+WEBUI_AUTH = os.environ.get('WEBUI_AUTH', 'True').lower() == 'true'
+
+ENABLE_INITIAL_ADMIN_SIGNUP = os.environ.get('ENABLE_INITIAL_ADMIN_SIGNUP', 'False').lower() == 'true'
+ENABLE_SIGNUP_PASSWORD_CONFIRMATION = os.environ.get('ENABLE_SIGNUP_PASSWORD_CONFIRMATION', 'False').lower() == 'true'
+
+####################################
+# Admin Account Runtime Creation
+####################################
+
+# Optional env vars for creating an admin account on startup
+# Useful for headless/automated deployments
+WEBUI_ADMIN_EMAIL = os.environ.get('WEBUI_ADMIN_EMAIL', '')
+WEBUI_ADMIN_PASSWORD = os.environ.get('WEBUI_ADMIN_PASSWORD', '')
+WEBUI_ADMIN_NAME = os.environ.get('WEBUI_ADMIN_NAME', 'Admin')
+
+WEBUI_AUTH_TRUSTED_EMAIL_HEADER = os.environ.get('WEBUI_AUTH_TRUSTED_EMAIL_HEADER', None)
+WEBUI_AUTH_TRUSTED_NAME_HEADER = os.environ.get('WEBUI_AUTH_TRUSTED_NAME_HEADER', None)
+WEBUI_AUTH_TRUSTED_GROUPS_HEADER = os.environ.get('WEBUI_AUTH_TRUSTED_GROUPS_HEADER', None)
+WEBUI_AUTH_TRUSTED_ROLE_HEADER = os.environ.get('WEBUI_AUTH_TRUSTED_ROLE_HEADER', None)
+
+# Custom header name for API key authentication.  Defaults to 'x-api-key'.
+# Useful when Open WebUI sits behind a reverse proxy / API gateway that
+# already uses the Authorization header for its own authentication — set
+# this to a unique header (e.g. 'X-OpenWebUI-Key') so the middleware
+# checks the custom header instead and avoids the 401 short-circuit.
+CUSTOM_API_KEY_HEADER = os.environ.get('CUSTOM_API_KEY_HEADER', 'x-api-key')
+
+ENABLE_PASSWORD_VALIDATION = os.environ.get('ENABLE_PASSWORD_VALIDATION', 'False').lower() == 'true'
+PASSWORD_VALIDATION_REGEX_PATTERN = os.environ.get(
+    'PASSWORD_VALIDATION_REGEX_PATTERN',
+    r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$',
+)
+
+
+try:
+    PASSWORD_VALIDATION_REGEX_PATTERN = rf'{PASSWORD_VALIDATION_REGEX_PATTERN}'
+    PASSWORD_VALIDATION_REGEX_PATTERN = re.compile(PASSWORD_VALIDATION_REGEX_PATTERN)
+except Exception as e:
+    log.error(f'Invalid PASSWORD_VALIDATION_REGEX_PATTERN: {e}')
+    PASSWORD_VALIDATION_REGEX_PATTERN = re.compile(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$')
+
+PASSWORD_VALIDATION_HINT = os.environ.get('PASSWORD_VALIDATION_HINT', '')
+
+
+BYPASS_MODEL_ACCESS_CONTROL = os.environ.get('BYPASS_MODEL_ACCESS_CONTROL', 'False').lower() == 'true'
+
+# When enabled, skips pydub-based preprocessing (format conversion, compression,
+# and chunked splitting) before sending files to processing engines. Useful when
+# the upstream provider handles these steps or when ffmpeg is unavailable.
+BYPASS_PYDUB_PREPROCESSING = os.environ.get('BYPASS_PYDUB_PREPROCESSING', 'False').lower() == 'true'
+
+# When disabled (default), the OpenAI catch-all proxy endpoint (/{path:path})
+# is blocked. Enable only if you need direct passthrough to upstream OpenAI-
+# compatible APIs for endpoints not natively handled by Open WebUI.
+ENABLE_OPENAI_API_PASSTHROUGH = os.environ.get('ENABLE_OPENAI_API_PASSTHROUGH', 'False').lower() == 'true'
+
+WEBUI_AUTH_SIGNOUT_REDIRECT_URL = os.environ.get('WEBUI_AUTH_SIGNOUT_REDIRECT_URL', None)
+
+####################################
+# WEBUI_SECRET_KEY
+####################################
+
+WEBUI_SECRET_KEY = os.environ.get(
+    'WEBUI_SECRET_KEY',
+    os.environ.get('WEBUI_JWT_SECRET_KEY', 't0p-s3cr3t'),  # DEPRECATED: remove at next major version
+)
+
+WEBUI_SESSION_COOKIE_SAME_SITE = os.environ.get('WEBUI_SESSION_COOKIE_SAME_SITE', 'lax')
+
+WEBUI_SESSION_COOKIE_SECURE = os.environ.get('WEBUI_SESSION_COOKIE_SECURE', 'false').lower() == 'true'
+
+WEBUI_AUTH_COOKIE_SAME_SITE = os.environ.get('WEBUI_AUTH_COOKIE_SAME_SITE', WEBUI_SESSION_COOKIE_SAME_SITE)
+
+WEBUI_AUTH_COOKIE_SECURE = (
+    os.environ.get(
+        'WEBUI_AUTH_COOKIE_SECURE',
+        os.environ.get('WEBUI_SESSION_COOKIE_SECURE', 'false'),
+    ).lower()
+    == 'true'
+)
+
+if WEBUI_AUTH and WEBUI_SECRET_KEY == '':
+    raise ValueError(ERROR_MESSAGES.ENV_VAR_NOT_FOUND)
+
+ENABLE_COMPRESSION_MIDDLEWARE = os.environ.get('ENABLE_COMPRESSION_MIDDLEWARE', 'True').lower() == 'true'
+
+####################################
+# OAUTH Configuration
+####################################
+ENABLE_OAUTH_EMAIL_FALLBACK = os.environ.get('ENABLE_OAUTH_EMAIL_FALLBACK', 'False').lower() == 'true'
+
+ENABLE_OAUTH_ID_TOKEN_COOKIE = os.environ.get('ENABLE_OAUTH_ID_TOKEN_COOKIE', 'True').lower() == 'true'
+
+OAUTH_CLIENT_INFO_ENCRYPTION_KEY = os.environ.get('OAUTH_CLIENT_INFO_ENCRYPTION_KEY', WEBUI_SECRET_KEY)
+
+OAUTH_SESSION_TOKEN_ENCRYPTION_KEY = os.environ.get('OAUTH_SESSION_TOKEN_ENCRYPTION_KEY', WEBUI_SECRET_KEY)
+
+# Maximum number of concurrent OAuth sessions per user per provider
+# This prevents unbounded session growth while allowing multi-device usage
+OAUTH_MAX_SESSIONS_PER_USER = int(os.environ.get('OAUTH_MAX_SESSIONS_PER_USER', '10'))
+
+# Token Exchange Configuration
+# Allows external apps to exchange OAuth tokens for OpenWebUI tokens
+ENABLE_OAUTH_TOKEN_EXCHANGE = os.environ.get('ENABLE_OAUTH_TOKEN_EXCHANGE', 'False').lower() == 'true'
+
+# Back-Channel Logout Configuration
+# When enabled, exposes POST /oauth/backchannel-logout for IdP-initiated logout
+# per OpenID Connect Back-Channel Logout 1.0 spec.
+# Requires Redis for JWT revocation.
+ENABLE_OAUTH_BACKCHANNEL_LOGOUT = os.environ.get('ENABLE_OAUTH_BACKCHANNEL_LOGOUT', 'False').lower() == 'true'
+
+####################################
+# SCIM Configuration
+####################################
+
+ENABLE_SCIM = os.environ.get('ENABLE_SCIM', os.environ.get('SCIM_ENABLED', 'False')).lower() == 'true'
+SCIM_TOKEN = os.environ.get('SCIM_TOKEN', '')
+SCIM_AUTH_PROVIDER = os.environ.get('SCIM_AUTH_PROVIDER', '')
+
+if ENABLE_SCIM and not SCIM_AUTH_PROVIDER:
+    log.warning(
+        'SCIM is enabled but SCIM_AUTH_PROVIDER is not set. '
+        "Set SCIM_AUTH_PROVIDER to the OAuth provider name (e.g. 'microsoft', 'oidc') "
+        'to enable externalId storage.'
+    )
+
+####################################
+# LICENSE_KEY
+####################################
+
+LICENSE_KEY = os.environ.get('LICENSE_KEY', '')
+
+LICENSE_BLOB = None
+LICENSE_BLOB_PATH = os.environ.get('LICENSE_BLOB_PATH', DATA_DIR / 'l.data')
+if LICENSE_BLOB_PATH and os.path.exists(LICENSE_BLOB_PATH):
+    with open(LICENSE_BLOB_PATH, 'rb') as f:
+        LICENSE_BLOB = f.read()
+
+LICENSE_PUBLIC_KEY = os.environ.get('LICENSE_PUBLIC_KEY', '')
+
+pk = None
+if LICENSE_PUBLIC_KEY:
+    pk = serialization.load_pem_public_key(
+        f"""
+-----BEGIN PUBLIC KEY-----
+{LICENSE_PUBLIC_KEY}
+-----END PUBLIC KEY-----
+""".encode('utf-8')
+    )
+
+
+####################################
+# MODELS
+####################################
+
+ENABLE_CUSTOM_MODEL_FALLBACK = os.environ.get('ENABLE_CUSTOM_MODEL_FALLBACK', 'False').lower() == 'true'
+
+MODELS_CACHE_TTL = os.environ.get('MODELS_CACHE_TTL', '1')
+if MODELS_CACHE_TTL == '':
+    MODELS_CACHE_TTL = None
+else:
+    try:
+        MODELS_CACHE_TTL = int(MODELS_CACHE_TTL)
+    except Exception:
+        MODELS_CACHE_TTL = 1
+
+
+####################################
+# CHAT
+####################################
+
+ENABLE_CHAT_RESPONSE_BASE64_IMAGE_URL_CONVERSION = (
+    os.environ.get('ENABLE_CHAT_RESPONSE_BASE64_IMAGE_URL_CONVERSION', 'False').lower() == 'true'
+)
+
+# When enabled, uses a hardcoded extension-to-MIME dictionary as a last-resort
+# fallback when both mimetypes.guess_type() and file.meta.content_type fail to
+# determine the content type. This can help on minimal container images (e.g.
+# wolfi-base) that lack /etc/mime.types AND have legacy files without stored
+# content_type metadata.
+ENABLE_IMAGE_CONTENT_TYPE_EXTENSION_FALLBACK = (
+    os.environ.get('ENABLE_IMAGE_CONTENT_TYPE_EXTENSION_FALLBACK', 'False').lower() == 'true'
+)
+
+CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE = os.environ.get('CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE', '1')
+
+if CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE == '':
+    CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE = 1
+else:
+    try:
+        CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE = int(CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE)
+    except Exception:
+        CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE = 1
+
+
+CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES = os.environ.get('CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES', '30')
+
+if CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES == '':
+    CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES = 30
+else:
+    try:
+        CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES = int(CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES)
+    except Exception:
+        CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES = 30
+
+
+# WARNING: Experimental. Only enable if your upstream Responses API endpoint
+# supports stateful sessions (i.e. server-side response storage with
+# previous_response_id anchoring). Most proxies and third-party endpoints
+# are stateless and will break if this is enabled.
+ENABLE_RESPONSES_API_STATEFUL = os.environ.get('ENABLE_RESPONSES_API_STATEFUL', 'False').lower() == 'true'
+
+
+CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE = os.environ.get('CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE', '')
+
+if CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE == '':
+    CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE = None
+else:
+    try:
+        CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE = int(CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE)
+    except Exception:
+        CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE = None
+
+
+####################################
+# WEBSOCKET SUPPORT
+####################################
+
+ENABLE_WEBSOCKET_SUPPORT = os.environ.get('ENABLE_WEBSOCKET_SUPPORT', 'True').lower() == 'true'
+
+
+WEBSOCKET_MANAGER = os.environ.get('WEBSOCKET_MANAGER', '')
+
+WEBSOCKET_REDIS_OPTIONS = os.environ.get('WEBSOCKET_REDIS_OPTIONS', '')
+
+
+if WEBSOCKET_REDIS_OPTIONS == '':
+    if REDIS_SOCKET_CONNECT_TIMEOUT:
+        WEBSOCKET_REDIS_OPTIONS = {'socket_connect_timeout': REDIS_SOCKET_CONNECT_TIMEOUT}
+    else:
+        log.debug('No WEBSOCKET_REDIS_OPTIONS provided, defaulting to None')
+        WEBSOCKET_REDIS_OPTIONS = None
+else:
+    try:
+        WEBSOCKET_REDIS_OPTIONS = json.loads(WEBSOCKET_REDIS_OPTIONS)
+    except Exception:
+        log.warning('Invalid WEBSOCKET_REDIS_OPTIONS, defaulting to None')
+        WEBSOCKET_REDIS_OPTIONS = None
+
+WEBSOCKET_REDIS_URL = os.environ.get('WEBSOCKET_REDIS_URL', REDIS_URL)
+WEBSOCKET_REDIS_CLUSTER = os.environ.get('WEBSOCKET_REDIS_CLUSTER', str(REDIS_CLUSTER)).lower() == 'true'
+
+websocket_redis_lock_timeout = os.environ.get('WEBSOCKET_REDIS_LOCK_TIMEOUT', '60')
+
+try:
+    WEBSOCKET_REDIS_LOCK_TIMEOUT = int(websocket_redis_lock_timeout)
+except ValueError:
+    WEBSOCKET_REDIS_LOCK_TIMEOUT = 60
+
+WEBSOCKET_SENTINEL_HOSTS = os.environ.get('WEBSOCKET_SENTINEL_HOSTS', '')
+WEBSOCKET_SENTINEL_PORT = os.environ.get('WEBSOCKET_SENTINEL_PORT', '26379')
+WEBSOCKET_SERVER_LOGGING = os.environ.get('WEBSOCKET_SERVER_LOGGING', 'False').lower() == 'true'
+WEBSOCKET_SERVER_ENGINEIO_LOGGING = (
+    os.environ.get(
+        'WEBSOCKET_SERVER_ENGINEIO_LOGGING',
+        os.environ.get('WEBSOCKET_SERVER_LOGGING', 'False'),
+    ).lower()
+    == 'true'
+)
+WEBSOCKET_SERVER_PING_TIMEOUT = os.environ.get('WEBSOCKET_SERVER_PING_TIMEOUT', '20')
+try:
+    WEBSOCKET_SERVER_PING_TIMEOUT = int(WEBSOCKET_SERVER_PING_TIMEOUT)
+except ValueError:
+    WEBSOCKET_SERVER_PING_TIMEOUT = 20
+
+WEBSOCKET_SERVER_PING_INTERVAL = os.environ.get('WEBSOCKET_SERVER_PING_INTERVAL', '25')
+try:
+    WEBSOCKET_SERVER_PING_INTERVAL = int(WEBSOCKET_SERVER_PING_INTERVAL)
+except ValueError:
+    WEBSOCKET_SERVER_PING_INTERVAL = 25
+
+WEBSOCKET_EVENT_CALLER_TIMEOUT = os.environ.get('WEBSOCKET_EVENT_CALLER_TIMEOUT', '')
+
+if WEBSOCKET_EVENT_CALLER_TIMEOUT == '':
+    WEBSOCKET_EVENT_CALLER_TIMEOUT = None
+else:
+    try:
+        WEBSOCKET_EVENT_CALLER_TIMEOUT = int(WEBSOCKET_EVENT_CALLER_TIMEOUT)
+    except ValueError:
+        WEBSOCKET_EVENT_CALLER_TIMEOUT = 300
+
+
+REQUESTS_VERIFY = os.environ.get('REQUESTS_VERIFY', 'True').lower() == 'true'
+
+AIOHTTP_CLIENT_TIMEOUT = os.environ.get('AIOHTTP_CLIENT_TIMEOUT', '')
+
+if AIOHTTP_CLIENT_TIMEOUT == '':
+    AIOHTTP_CLIENT_TIMEOUT = None
+else:
+    try:
+        AIOHTTP_CLIENT_TIMEOUT = int(AIOHTTP_CLIENT_TIMEOUT)
+    except Exception:
+        AIOHTTP_CLIENT_TIMEOUT = 300
+
+
+AIOHTTP_CLIENT_SESSION_SSL = os.environ.get('AIOHTTP_CLIENT_SESSION_SSL', 'True').lower() == 'true'
+
+AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST = os.environ.get(
+    'AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST',
+    os.environ.get('AIOHTTP_CLIENT_TIMEOUT_OPENAI_MODEL_LIST', '10'),
+)
+
+if AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST == '':
+    AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST = None
+else:
+    try:
+        AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST = int(AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST)
+    except Exception:
+        AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST = 10
+
+
+AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA = os.environ.get('AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA', '10')
+
+if AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA == '':
+    AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA = None
+else:
+    try:
+        AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA = int(AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA)
+    except Exception:
+        AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA = 10
+
+
+AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL = (
+    os.environ.get('AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL', 'True').lower() == 'true'
+)
+
+AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER = os.environ.get('AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER', '')
+
+if AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER == '':
+    AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER = AIOHTTP_CLIENT_TIMEOUT
+else:
+    try:
+        AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER = int(AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER)
+    except Exception:
+        AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER = AIOHTTP_CLIENT_TIMEOUT
+
+
+####################################
+# AIOHTTP Connection Pool
+####################################
+
+AIOHTTP_POOL_CONNECTIONS = os.environ.get('AIOHTTP_POOL_CONNECTIONS', '')
+if AIOHTTP_POOL_CONNECTIONS == '':
+    AIOHTTP_POOL_CONNECTIONS = None
+else:
+    try:
+        AIOHTTP_POOL_CONNECTIONS = int(AIOHTTP_POOL_CONNECTIONS)
+    except ValueError:
+        AIOHTTP_POOL_CONNECTIONS = None
+
+AIOHTTP_POOL_CONNECTIONS_PER_HOST = os.environ.get('AIOHTTP_POOL_CONNECTIONS_PER_HOST', '')
+if AIOHTTP_POOL_CONNECTIONS_PER_HOST == '':
+    AIOHTTP_POOL_CONNECTIONS_PER_HOST = None
+else:
+    try:
+        AIOHTTP_POOL_CONNECTIONS_PER_HOST = int(AIOHTTP_POOL_CONNECTIONS_PER_HOST)
+    except ValueError:
+        AIOHTTP_POOL_CONNECTIONS_PER_HOST = None
+
+AIOHTTP_POOL_DNS_TTL = os.environ.get('AIOHTTP_POOL_DNS_TTL', '300')
+try:
+    AIOHTTP_POOL_DNS_TTL = int(AIOHTTP_POOL_DNS_TTL)
+    if AIOHTTP_POOL_DNS_TTL < 0:
+        AIOHTTP_POOL_DNS_TTL = 300
+except ValueError:
+    AIOHTTP_POOL_DNS_TTL = 300
+
+RAG_EMBEDDING_TIMEOUT = os.environ.get('RAG_EMBEDDING_TIMEOUT', '')
+
+if RAG_EMBEDDING_TIMEOUT == '':
+    RAG_EMBEDDING_TIMEOUT = None
+else:
+    try:
+        RAG_EMBEDDING_TIMEOUT = int(RAG_EMBEDDING_TIMEOUT)
+    except Exception:
+        RAG_EMBEDDING_TIMEOUT = None
+
+
+####################################
+# SENTENCE TRANSFORMERS
+####################################
+
+
+SENTENCE_TRANSFORMERS_BACKEND = os.environ.get('SENTENCE_TRANSFORMERS_BACKEND', '')
+if SENTENCE_TRANSFORMERS_BACKEND == '':
+    SENTENCE_TRANSFORMERS_BACKEND = 'torch'
+
+
+SENTENCE_TRANSFORMERS_MODEL_KWARGS = os.environ.get('SENTENCE_TRANSFORMERS_MODEL_KWARGS', '')
+if SENTENCE_TRANSFORMERS_MODEL_KWARGS == '':
+    SENTENCE_TRANSFORMERS_MODEL_KWARGS = None
+else:
+    try:
+        SENTENCE_TRANSFORMERS_MODEL_KWARGS = json.loads(SENTENCE_TRANSFORMERS_MODEL_KWARGS)
+    except Exception:
+        SENTENCE_TRANSFORMERS_MODEL_KWARGS = None
+
+
+SENTENCE_TRANSFORMERS_CROSS_ENCODER_BACKEND = os.environ.get('SENTENCE_TRANSFORMERS_CROSS_ENCODER_BACKEND', '')
+if SENTENCE_TRANSFORMERS_CROSS_ENCODER_BACKEND == '':
+    SENTENCE_TRANSFORMERS_CROSS_ENCODER_BACKEND = 'torch'
+
+
+SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS = os.environ.get(
+    'SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS', ''
+)
+if SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS == '':
+    SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS = None
+else:
+    try:
+        SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS = json.loads(SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS)
+    except Exception:
+        SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS = None
+
+# Whether to apply sigmoid normalization to CrossEncoder reranking scores.
+# When enabled (default), scores are normalized to 0-1 range for proper
+# relevance threshold behavior with MS MARCO models.
+SENTENCE_TRANSFORMERS_CROSS_ENCODER_SIGMOID_ACTIVATION_FUNCTION = (
+    os.environ.get('SENTENCE_TRANSFORMERS_CROSS_ENCODER_SIGMOID_ACTIVATION_FUNCTION', 'True').lower() == 'true'
+)
+
+####################################
+# OFFLINE_MODE
+####################################
+
+ENABLE_VERSION_UPDATE_CHECK = os.environ.get('ENABLE_VERSION_UPDATE_CHECK', 'true').lower() == 'true'
+OFFLINE_MODE = os.environ.get('OFFLINE_MODE', 'false').lower() == 'true'
+
+if OFFLINE_MODE:
+    os.environ['HF_HUB_OFFLINE'] = '1'
+    ENABLE_VERSION_UPDATE_CHECK = False
+
+####################################
+# AUDIT LOGGING
+####################################
+
+
+ENABLE_AUDIT_STDOUT = os.getenv('ENABLE_AUDIT_STDOUT', 'False').lower() == 'true'
+ENABLE_AUDIT_LOGS_FILE = os.getenv('ENABLE_AUDIT_LOGS_FILE', 'True').lower() == 'true'
+
+# Where to store log file
+# Defaults to the DATA_DIR/audit.log. To set AUDIT_LOGS_FILE_PATH you need to
+# provide the whole path, like: /app/audit.log
+AUDIT_LOGS_FILE_PATH = os.getenv('AUDIT_LOGS_FILE_PATH', f'{DATA_DIR}/audit.log')
+# Maximum size of a file before rotating into a new log file
+AUDIT_LOG_FILE_ROTATION_SIZE = os.getenv('AUDIT_LOG_FILE_ROTATION_SIZE', '10MB')
+
+# Comma separated list of logger names to use for audit logging
+# Default is "uvicorn.access" which is the access log for Uvicorn
+# You can add more logger names to this list if you want to capture more logs
+AUDIT_UVICORN_LOGGER_NAMES = os.getenv('AUDIT_UVICORN_LOGGER_NAMES', 'uvicorn.access').split(',')
+
+# METADATA | REQUEST | REQUEST_RESPONSE
+AUDIT_LOG_LEVEL = os.getenv('AUDIT_LOG_LEVEL', 'NONE').upper()
+try:
+    MAX_BODY_LOG_SIZE = int(os.environ.get('MAX_BODY_LOG_SIZE') or 2048)
+except ValueError:
+    MAX_BODY_LOG_SIZE = 2048
+
+# Comma separated list for urls to exclude from audit
+AUDIT_EXCLUDED_PATHS = os.getenv('AUDIT_EXCLUDED_PATHS', '/chats,/chat,/folders').split(',')
+AUDIT_EXCLUDED_PATHS = [path.strip() for path in AUDIT_EXCLUDED_PATHS]
+AUDIT_EXCLUDED_PATHS = [path.lstrip('/') for path in AUDIT_EXCLUDED_PATHS]
+
+# Comma separated list of urls to include in audit (whitelist mode)
+# When set, only these paths are audited and AUDIT_EXCLUDED_PATHS is ignored
+AUDIT_INCLUDED_PATHS = os.getenv('AUDIT_INCLUDED_PATHS', '').split(',')
+AUDIT_INCLUDED_PATHS = [path.strip() for path in AUDIT_INCLUDED_PATHS]
+AUDIT_INCLUDED_PATHS = [path.lstrip('/') for path in AUDIT_INCLUDED_PATHS if path]
+
+# When enabled, GET requests are also audited (disabled by default to avoid log noise)
+ENABLE_AUDIT_GET_REQUESTS = os.getenv('ENABLE_AUDIT_GET_REQUESTS', 'False').lower() == 'true'
+
+
+####################################
+# OPENTELEMETRY
+####################################
+
+ENABLE_OTEL = os.environ.get('ENABLE_OTEL', 'False').lower() == 'true'
+ENABLE_OTEL_TRACES = os.environ.get('ENABLE_OTEL_TRACES', 'False').lower() == 'true'
+ENABLE_OTEL_METRICS = os.environ.get('ENABLE_OTEL_METRICS', 'False').lower() == 'true'
+ENABLE_OTEL_LOGS = os.environ.get('ENABLE_OTEL_LOGS', 'False').lower() == 'true'
+
+OTEL_EXPORTER_OTLP_ENDPOINT = os.environ.get('OTEL_EXPORTER_OTLP_ENDPOINT', 'http://localhost:4317')
+OTEL_METRICS_EXPORTER_OTLP_ENDPOINT = os.environ.get('OTEL_METRICS_EXPORTER_OTLP_ENDPOINT', OTEL_EXPORTER_OTLP_ENDPOINT)
+OTEL_LOGS_EXPORTER_OTLP_ENDPOINT = os.environ.get('OTEL_LOGS_EXPORTER_OTLP_ENDPOINT', OTEL_EXPORTER_OTLP_ENDPOINT)
+OTEL_EXPORTER_OTLP_INSECURE = os.environ.get('OTEL_EXPORTER_OTLP_INSECURE', 'False').lower() == 'true'
+OTEL_METRICS_EXPORTER_OTLP_INSECURE = (
+    os.environ.get('OTEL_METRICS_EXPORTER_OTLP_INSECURE', str(OTEL_EXPORTER_OTLP_INSECURE)).lower() == 'true'
+)
+OTEL_LOGS_EXPORTER_OTLP_INSECURE = (
+    os.environ.get('OTEL_LOGS_EXPORTER_OTLP_INSECURE', str(OTEL_EXPORTER_OTLP_INSECURE)).lower() == 'true'
+)
+OTEL_SERVICE_NAME = os.environ.get('OTEL_SERVICE_NAME', 'open-webui')
+OTEL_RESOURCE_ATTRIBUTES = os.environ.get('OTEL_RESOURCE_ATTRIBUTES', '')  # e.g. key1=val1,key2=val2
+OTEL_TRACES_SAMPLER = os.environ.get('OTEL_TRACES_SAMPLER', 'parentbased_always_on').lower()
+OTEL_BASIC_AUTH_USERNAME = os.environ.get('OTEL_BASIC_AUTH_USERNAME', '')
+OTEL_BASIC_AUTH_PASSWORD = os.environ.get('OTEL_BASIC_AUTH_PASSWORD', '')
+OTEL_METRICS_EXPORT_INTERVAL_MILLIS = int(os.environ.get('OTEL_METRICS_EXPORT_INTERVAL_MILLIS', '10000'))
+
+OTEL_METRICS_BASIC_AUTH_USERNAME = os.environ.get('OTEL_METRICS_BASIC_AUTH_USERNAME', OTEL_BASIC_AUTH_USERNAME)
+OTEL_METRICS_BASIC_AUTH_PASSWORD = os.environ.get('OTEL_METRICS_BASIC_AUTH_PASSWORD', OTEL_BASIC_AUTH_PASSWORD)
+OTEL_LOGS_BASIC_AUTH_USERNAME = os.environ.get('OTEL_LOGS_BASIC_AUTH_USERNAME', OTEL_BASIC_AUTH_USERNAME)
+OTEL_LOGS_BASIC_AUTH_PASSWORD = os.environ.get('OTEL_LOGS_BASIC_AUTH_PASSWORD', OTEL_BASIC_AUTH_PASSWORD)
+
+OTEL_OTLP_SPAN_EXPORTER = os.environ.get('OTEL_OTLP_SPAN_EXPORTER', 'grpc').lower()  # grpc or http
+
+OTEL_METRICS_OTLP_SPAN_EXPORTER = os.environ.get(
+    'OTEL_METRICS_OTLP_SPAN_EXPORTER', OTEL_OTLP_SPAN_EXPORTER
+).lower()  # grpc or http
+
+OTEL_LOGS_OTLP_SPAN_EXPORTER = os.environ.get(
+    'OTEL_LOGS_OTLP_SPAN_EXPORTER', OTEL_OTLP_SPAN_EXPORTER
+).lower()  # grpc or http
+
+####################################
+# TOOLS/FUNCTIONS PIP OPTIONS
+####################################
+
+ENABLE_PIP_INSTALL_FRONTMATTER_REQUIREMENTS = (
+    os.environ.get('ENABLE_PIP_INSTALL_FRONTMATTER_REQUIREMENTS', 'True').lower() == 'true'
+)
+
+PIP_OPTIONS = os.getenv('PIP_OPTIONS', '').split()
+PIP_PACKAGE_INDEX_OPTIONS = os.getenv('PIP_PACKAGE_INDEX_OPTIONS', '').split()
+
+
+####################################
+# PROGRESSIVE WEB APP OPTIONS
+####################################
+
+EXTERNAL_PWA_MANIFEST_URL = os.environ.get('EXTERNAL_PWA_MANIFEST_URL')
+
+####################################
+# GROUP DEFAULTS
+####################################
+
+# Controls the default "Who can share to this group" setting for new groups.
+# Env var values: "true" (anyone), "false" (no one), "members" (only group members).
+_default_group_share = os.environ.get('DEFAULT_GROUP_SHARE_PERMISSION', 'members').strip().lower()
+DEFAULT_GROUP_SHARE_PERMISSION = 'members' if _default_group_share == 'members' else _default_group_share == 'true'

backend/open_webui/functions.py

@@ -0,0 +1,348 @@
+import logging
+import sys
+import inspect
+import json
+import asyncio
+
+from pydantic import BaseModel
+from typing import AsyncGenerator, Generator, Iterator
+from fastapi import (
+    Depends,
+    FastAPI,
+    File,
+    Form,
+    HTTPException,
+    Request,
+    UploadFile,
+    status,
+)
+from starlette.responses import Response, StreamingResponse
+
+
+from open_webui.constants import ERROR_MESSAGES
+from open_webui.socket.main import (
+    get_event_call,
+    get_event_emitter,
+)
+
+
+from open_webui.models.users import UserModel
+from open_webui.models.functions import Functions
+from open_webui.models.models import Models
+
+from open_webui.utils.plugin import (
+    load_function_module_by_id,
+    get_function_module_from_cache,
+)
+from open_webui.utils.access_control import check_model_access
+
+from open_webui.env import GLOBAL_LOG_LEVEL, BYPASS_MODEL_ACCESS_CONTROL
+from open_webui.config import BYPASS_ADMIN_ACCESS_CONTROL
+
+from open_webui.utils.misc import (
+    add_or_update_system_message,
+    get_last_user_message,
+    prepend_to_first_user_message_content,
+    openai_chat_chunk_message_template,
+    openai_chat_completion_message_template,
+)
+from open_webui.utils.payload import (
+    apply_model_params_to_body_openai,
+    apply_system_prompt_to_body,
+)
+
+logging.basicConfig(stream=sys.stdout, level=GLOBAL_LOG_LEVEL)
+log = logging.getLogger(__name__)
+
+
+async def get_function_module_by_id(request: Request, pipe_id: str):
+    function_module, _, _ = await get_function_module_from_cache(request, pipe_id)
+
+    if hasattr(function_module, 'valves') and hasattr(function_module, 'Valves'):
+        Valves = function_module.Valves
+        valves = await Functions.get_function_valves_by_id(pipe_id)
+
+        if valves:
+            try:
+                function_module.valves = Valves(**{k: v for k, v in valves.items() if v is not None})
+            except Exception as e:
+                log.exception(f'Error loading valves for function {pipe_id}: {e}')
+                raise e
+        else:
+            function_module.valves = Valves()
+
+    return function_module
+
+
+async def get_function_models(request):
+    pipes = await Functions.get_functions_by_type('pipe', active_only=True)
+    pipe_models = []
+
+    for pipe in pipes:
+        try:
+            function_module = await get_function_module_by_id(request, pipe.id)
+
+            has_user_valves = False
+            if hasattr(function_module, 'UserValves'):
+                has_user_valves = True
+
+            # Check if function is a manifold
+            if hasattr(function_module, 'pipes'):
+                sub_pipes = []
+
+                # Handle pipes being a list, sync function, or async function
+                try:
+                    if callable(function_module.pipes):
+                        if asyncio.iscoroutinefunction(function_module.pipes):
+                            sub_pipes = await function_module.pipes()
+                        else:
+                            sub_pipes = function_module.pipes()
+                    else:
+                        sub_pipes = function_module.pipes
+                except Exception as e:
+                    log.exception(e)
+                    sub_pipes = []
+
+                log.debug(f"get_function_models: function '{pipe.id}' is a manifold of {sub_pipes}")
+
+                for p in sub_pipes:
+                    sub_pipe_id = f'{pipe.id}.{p["id"]}'
+                    sub_pipe_name = p['name']
+
+                    if hasattr(function_module, 'name'):
+                        sub_pipe_name = f'{function_module.name}{sub_pipe_name}'
+
+                    pipe_flag = {'type': pipe.type}
+
+                    pipe_models.append(
+                        {
+                            'id': sub_pipe_id,
+                            'name': sub_pipe_name,
+                            'object': 'model',
+                            'created': pipe.created_at,
+                            'owned_by': 'openai',
+                            'pipe': pipe_flag,
+                            'has_user_valves': has_user_valves,
+                        }
+                    )
+            else:
+                pipe_flag = {'type': 'pipe'}
+
+                log.debug(
+                    f"get_function_models: function '{pipe.id}' is a single pipe {{ 'id': {pipe.id}, 'name': {pipe.name} }}"
+                )
+
+                pipe_models.append(
+                    {
+                        'id': pipe.id,
+                        'name': pipe.name,
+                        'object': 'model',
+                        'created': pipe.created_at,
+                        'owned_by': 'openai',
+                        'pipe': pipe_flag,
+                        'has_user_valves': has_user_valves,
+                    }
+                )
+        except Exception as e:
+            log.exception(e)
+            continue
+
+    return pipe_models
+
+
+async def generate_function_chat_completion(request, form_data, user, models: dict = {}):
+    async def execute_pipe(pipe, params):
+        if inspect.iscoroutinefunction(pipe):
+            return await pipe(**params)
+        else:
+            return pipe(**params)
+
+    async def get_message_content(res: str | Generator | AsyncGenerator) -> str:
+        if isinstance(res, str):
+            return res
+        if isinstance(res, Generator):
+            return ''.join(map(str, res))
+        if isinstance(res, AsyncGenerator):
+            return ''.join([str(stream) async for stream in res])
+
+    def process_line(form_data: dict, line):
+        if isinstance(line, BaseModel):
+            line = line.model_dump_json()
+            line = f'data: {line}'
+        if isinstance(line, dict):
+            line = f'data: {json.dumps(line)}'
+
+        try:
+            line = line.decode('utf-8')
+        except Exception:
+            pass
+
+        if line.startswith('data:'):
+            return f'{line}\n\n'
+        else:
+            line = openai_chat_chunk_message_template(form_data['model'], line)
+            return f'data: {json.dumps(line)}\n\n'
+
+    def get_pipe_id(form_data: dict) -> str:
+        pipe_id = form_data['model']
+        if '.' in pipe_id:
+            pipe_id, _ = pipe_id.split('.', 1)
+        return pipe_id
+
+    async def get_function_params(function_module, form_data, user, extra_params=None):
+        if extra_params is None:
+            extra_params = {}
+
+        pipe_id = get_pipe_id(form_data)
+
+        # Get the signature of the function
+        sig = inspect.signature(function_module.pipe)
+        params = {'body': form_data} | {k: v for k, v in extra_params.items() if k in sig.parameters}
+
+        if '__user__' in params and hasattr(function_module, 'UserValves'):
+            user_valves = await Functions.get_user_valves_by_id_and_user_id(pipe_id, user.id)
+            try:
+                params['__user__']['valves'] = function_module.UserValves(**user_valves)
+            except Exception as e:
+                log.exception(e)
+                params['__user__']['valves'] = function_module.UserValves()
+
+        return params
+
+    model_id = form_data.get('model')
+    model_info = await Models.get_model_by_id(model_id)
+
+    metadata = form_data.pop('metadata', {})
+
+    files = metadata.get('files', [])
+    tool_ids = metadata.get('tool_ids', [])
+    # Check if tool_ids is None
+    if tool_ids is None:
+        tool_ids = []
+
+    __event_emitter__ = None
+    __event_call__ = None
+    __task__ = None
+    __task_body__ = None
+
+    if metadata:
+        if all(k in metadata for k in ('session_id', 'chat_id', 'message_id')):
+            __event_emitter__ = await get_event_emitter(metadata)
+            __event_call__ = await get_event_call(metadata)
+        __task__ = metadata.get('task', None)
+        __task_body__ = metadata.get('task_body', None)
+
+    oauth_token = None
+    try:
+        oauth_session_id = request.cookies.get('oauth_session_id', None)
+        if oauth_session_id:
+            oauth_token = await request.app.state.oauth_manager.get_oauth_token(
+                user.id,
+                oauth_session_id,
+            )
+
+        # Fallback: no cookie (automation, API key, etc.) — use most recent session
+        if oauth_token is None:
+            from open_webui.models.oauth_sessions import OAuthSessions
+
+            sessions = await OAuthSessions.get_sessions_by_user_id(user.id)
+            if sessions:
+                best = max(sessions, key=lambda s: s.updated_at)
+                oauth_token = await request.app.state.oauth_manager.get_oauth_token(
+                    user.id,
+                    best.id,
+                )
+    except Exception as e:
+        log.error(f'Error getting OAuth token: {e}')
+
+    extra_params = {
+        '__event_emitter__': __event_emitter__,
+        '__event_call__': __event_call__,
+        '__chat_id__': metadata.get('chat_id', None),
+        '__session_id__': metadata.get('session_id', None),
+        '__message_id__': metadata.get('message_id', None),
+        '__task__': __task__,
+        '__task_body__': __task_body__,
+        '__files__': files,
+        '__user__': user.model_dump() if isinstance(user, UserModel) else {},
+        '__metadata__': metadata,
+        '__oauth_token__': oauth_token,
+        '__request__': request,
+    }
+    extra_params['__tools__'] = metadata.get('tools', {})
+
+    if model_info:
+        if model_info.base_model_id:
+            form_data['model'] = model_info.base_model_id
+
+        if not BYPASS_MODEL_ACCESS_CONTROL:
+            bypass = isinstance(user, UserModel) and user.role == 'admin' and BYPASS_ADMIN_ACCESS_CONTROL
+            await check_model_access(user if isinstance(user, UserModel) else UserModel(**user), model_info, bypass)
+
+        params = model_info.params.model_dump()
+
+        if params:
+            system = params.pop('system', None)
+            form_data = apply_model_params_to_body_openai(params, form_data)
+            form_data = apply_system_prompt_to_body(system, form_data, metadata, user)
+
+    pipe_id = get_pipe_id(form_data)
+    function_module = await get_function_module_by_id(request, pipe_id)
+
+    pipe = function_module.pipe
+    params = await get_function_params(function_module, form_data, user, extra_params)
+
+    if form_data.get('stream', False):
+
+        async def stream_content():
+            try:
+                res = await execute_pipe(pipe, params)
+
+                # Directly return if the response is a StreamingResponse
+                if isinstance(res, StreamingResponse):
+                    async for data in res.body_iterator:
+                        yield data
+                    return
+                if isinstance(res, dict):
+                    yield f'data: {json.dumps(res)}\n\n'
+                    return
+
+            except Exception as e:
+                log.error(f'Error: {e}')
+                yield f'data: {json.dumps({"error": {"detail": str(e)}})}\n\n'
+                return
+
+            if isinstance(res, str):
+                message = openai_chat_chunk_message_template(form_data['model'], res)
+                yield f'data: {json.dumps(message)}\n\n'
+
+            if isinstance(res, Iterator):
+                for line in res:
+                    yield process_line(form_data, line)
+
+            if isinstance(res, AsyncGenerator):
+                async for line in res:
+                    yield process_line(form_data, line)
+
+            if isinstance(res, str) or isinstance(res, Generator):
+                finish_message = openai_chat_chunk_message_template(form_data['model'], '')
+                finish_message['choices'][0]['finish_reason'] = 'stop'
+                yield f'data: {json.dumps(finish_message)}\n\n'
+                yield 'data: [DONE]'
+
+        return StreamingResponse(stream_content(), media_type='text/event-stream')
+    else:
+        try:
+            res = await execute_pipe(pipe, params)
+
+        except Exception as e:
+            log.error(f'Error: {e}')
+            return {'error': {'detail': str(e)}}
+
+        if isinstance(res, StreamingResponse) or isinstance(res, dict):
+            return res
+        if isinstance(res, BaseModel):
+            return res.model_dump()
+
+        message = await get_message_content(res)
+        return openai_chat_completion_message_template(form_data['model'], message)

backend/open_webui/internal/db.py

@@ -0,0 +1,409 @@
+import os
+import json
+import logging
+from contextlib import asynccontextmanager, contextmanager
+from typing import Any, Optional
+from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
+
+from open_webui.internal.wrappers import register_connection
+from open_webui.env import (
+    OPEN_WEBUI_DIR,
+    DATABASE_URL,
+    DATABASE_SCHEMA,
+    DATABASE_POOL_MAX_OVERFLOW,
+    DATABASE_POOL_RECYCLE,
+    DATABASE_POOL_SIZE,
+    DATABASE_POOL_TIMEOUT,
+    DATABASE_ENABLE_SQLITE_WAL,
+    DATABASE_ENABLE_SESSION_SHARING,
+    DATABASE_SQLITE_PRAGMA_SYNCHRONOUS,
+    DATABASE_SQLITE_PRAGMA_BUSY_TIMEOUT,
+    DATABASE_SQLITE_PRAGMA_CACHE_SIZE,
+    DATABASE_SQLITE_PRAGMA_TEMP_STORE,
+    DATABASE_SQLITE_PRAGMA_MMAP_SIZE,
+    DATABASE_SQLITE_PRAGMA_JOURNAL_SIZE_LIMIT,
+    ENABLE_DB_MIGRATIONS,
+)
+from peewee_migrate import Router
+from sqlalchemy import Dialect, create_engine, MetaData, event, types
+from sqlalchemy.ext.asyncio import create_async_engine, AsyncSession, async_sessionmaker
+from sqlalchemy.ext.declarative import declarative_base
+from sqlalchemy.orm import scoped_session, sessionmaker, Session
+from sqlalchemy.pool import QueuePool, NullPool
+from sqlalchemy.sql.type_api import _T
+from typing_extensions import Self
+
+log = logging.getLogger(__name__)
+
+
+# ── SSL URL normalization (used by sync engine & Alembic migrations) ─
+#
+# psycopg2 (sync) needs ``sslmode=`` in the connection string (it does
+# not recognise the bare ``ssl=`` key that some ORMs emit).  The helpers
+# below strip all SSL-related query params, normalise them, and
+# reattach them in the canonical libpq form.
+#
+# The **async** engine now uses psycopg (v3), which speaks libpq
+# natively, so it needs no translation at all — the DATABASE_URL is
+# passed through as-is.
+# ─────────────────────────────────────────────────────────────────────
+
+
+def _pop_first(params: dict[str, list[str]], key: str) -> str | None:
+    """Pop a single-valued query param, returning ``None`` if absent."""
+    values = params.pop(key, None)
+    return values[0] if values else None
+
+
+def _is_postgres_url(url: str) -> bool:
+    """Return True if *url* looks like a PostgreSQL connection string."""
+    return bool(url) and any(url.startswith(p) for p in ('postgresql://', 'postgresql+', 'postgres://'))
+
+
+def extract_ssl_params_from_url(url: str) -> tuple[str, dict[str, str]]:
+    """Strip SSL query-string parameters from a PostgreSQL URL.
+
+    Returns ``(url_without_ssl, ssl_dict)`` where *ssl_dict* maps
+    canonical libpq key names (``sslmode``, ``sslrootcert``, …) to
+    their values.  Non-PostgreSQL URLs are returned unchanged with an
+    empty dict.
+    """
+    if not _is_postgres_url(url):
+        return url, {}
+
+    parsed = urlparse(url)
+    qp = parse_qs(parsed.query, keep_blank_values=True)
+
+    # Prefer sslmode (libpq canonical) over the bare ``ssl`` key.
+    sslmode_val = _pop_first(qp, 'sslmode')
+    ssl_val = _pop_first(qp, 'ssl')
+    ssl_mode = sslmode_val or ssl_val
+
+    ssl_dict: dict[str, str] = {}
+    if ssl_mode:
+        ssl_dict['sslmode'] = ssl_mode
+    for key in ('sslrootcert', 'sslcert', 'sslkey', 'sslcrl'):
+        val = _pop_first(qp, key)
+        if val:
+            ssl_dict[key] = val
+
+    if not ssl_dict:
+        return url, ssl_dict
+
+    cleaned_query = urlencode(qp, doseq=True)
+    return urlunparse(parsed._replace(query=cleaned_query)), ssl_dict
+
+
+def reattach_ssl_params_to_url(url_without_ssl: str, ssl_dict: dict[str, str]) -> str:
+    """Re-append SSL query-string parameters to a cleaned PostgreSQL URL.
+
+    Used for psycopg2/libpq consumers that expect ``sslmode`` and the
+    certificate-file keys in the connection string.
+    """
+    if not ssl_dict:
+        return url_without_ssl
+
+    parts = [f'{k}={v}' for k, v in ssl_dict.items() if v]
+    if not parts:
+        return url_without_ssl
+
+    sep = '&' if '?' in url_without_ssl else '?'
+    return f'{url_without_ssl}{sep}{"&".join(parts)}'
+
+
+# Backwards-compatible aliases for external callers.
+extract_ssl_mode_from_url = extract_ssl_params_from_url
+reattach_ssl_mode_to_url = reattach_ssl_params_to_url
+
+
+class JSONField(types.TypeDecorator):
+    impl = types.Text
+    cache_ok = True
+
+    def process_bind_param(self, value: Optional[_T], dialect: Dialect) -> Any:
+        return json.dumps(value)
+
+    def process_result_value(self, value: Optional[_T], dialect: Dialect) -> Any:
+        if value is not None:
+            return json.loads(value)
+
+    def copy(self, **kw: Any) -> Self:
+        return JSONField(self.impl.length)
+
+    def db_value(self, value):
+        return json.dumps(value)
+
+    def python_value(self, value):
+        if value is not None:
+            return json.loads(value)
+
+
+# Workaround to handle the peewee migration
+# This is required to ensure the peewee migration is handled before the alembic migration
+def handle_peewee_migration(DATABASE_URL):
+    db = None
+    try:
+        # Normalize SSL params so psycopg2 always sees `sslmode=` (never `ssl=`)
+        # and cert-file params are preserved in the connection string.
+        url_without_ssl, ssl_params = extract_ssl_params_from_url(DATABASE_URL)
+        normalized_url = reattach_ssl_params_to_url(url_without_ssl, ssl_params)
+
+        # Replace the postgresql:// with postgres:// to handle the peewee migration
+        db = register_connection(normalized_url.replace('postgresql://', 'postgres://'))
+        migrate_dir = OPEN_WEBUI_DIR / 'internal' / 'migrations'
+        router = Router(db, logger=log, migrate_dir=migrate_dir)
+        router.run()
+        db.close()
+
+    except Exception as e:
+        log.error(f'Failed to initialize the database connection: {e}')
+        log.warning('Hint: If your database password contains special characters, you may need to URL-encode it.')
+        raise
+    finally:
+        # Properly closing the database connection
+        if db and not db.is_closed():
+            db.close()
+
+        # Assert if db connection has been closed
+        if db is not None:
+            assert db.is_closed(), 'Database connection is still open.'
+
+
+if ENABLE_DB_MIGRATIONS:
+    handle_peewee_migration(DATABASE_URL)
+
+
+# Normalize SSL params from the URL once; the sync engine needs them
+# reattached in canonical libpq form for psycopg2.
+_url_without_ssl, _ssl_dict = extract_ssl_params_from_url(DATABASE_URL)
+
+# For psycopg2 (sync engine), re-append sslmode + cert-file params.
+SQLALCHEMY_DATABASE_URL = reattach_ssl_params_to_url(_url_without_ssl, _ssl_dict) if _ssl_dict else DATABASE_URL
+
+
+def _make_async_url(url: str) -> str:
+    """Convert a sync database URL to its async driver equivalent.
+
+    The async engine uses psycopg (v3) which speaks libpq natively,
+    so all standard connection-string parameters (``sslmode``,
+    ``options``, ``target_session_attrs``, etc.) are passed through
+    without any translation.
+    """
+    if url.startswith('sqlite+sqlcipher://'):
+        raise ValueError(
+            'sqlite+sqlcipher:// URLs are not supported with async engine. '
+            'Use standard sqlite:// or postgresql:// instead.'
+        )
+    if url.startswith('sqlite:///') or url.startswith('sqlite://'):
+        return url.replace('sqlite://', 'sqlite+aiosqlite://', 1)
+    # psycopg v3 — auto-selects async mode with create_async_engine
+    if url.startswith('postgresql+psycopg2://'):
+        return url.replace('postgresql+psycopg2://', 'postgresql+psycopg://', 1)
+    if url.startswith('postgresql://'):
+        return url.replace('postgresql://', 'postgresql+psycopg://', 1)
+    if url.startswith('postgres://'):
+        return url.replace('postgres://', 'postgresql+psycopg://', 1)
+    # For other dialects, return as-is and let SQLAlchemy handle it
+    return url
+
+
+# ============================================================
+# SYNC ENGINE (used only for: startup migrations, config loading,
+#              Alembic, peewee migration, health checks)
+# ============================================================
+
+# Handle SQLCipher URLs
+if SQLALCHEMY_DATABASE_URL.startswith('sqlite+sqlcipher://'):
+    database_password = os.environ.get('DATABASE_PASSWORD')
+    if not database_password or database_password.strip() == '':
+        raise ValueError('DATABASE_PASSWORD is required when using sqlite+sqlcipher:// URLs')
+
+    # Extract database path from SQLCipher URL
+    db_path = SQLALCHEMY_DATABASE_URL.replace('sqlite+sqlcipher://', '')
+
+    # Create a custom creator function that uses sqlcipher3
+    def create_sqlcipher_connection():
+        import sqlcipher3
+
+        conn = sqlcipher3.connect(db_path, check_same_thread=False)
+        conn.execute(f"PRAGMA key = '{database_password}'")
+        return conn
+
+    # The dummy "sqlite://" URL would cause SQLAlchemy to auto-select
+    # SingletonThreadPool, which non-deterministically closes in-use
+    # connections when thread count exceeds pool_size, leading to segfaults
+    # in the native sqlcipher3 C library. Use NullPool by default for safety,
+    # or QueuePool if DATABASE_POOL_SIZE is explicitly configured.
+    if isinstance(DATABASE_POOL_SIZE, int) and DATABASE_POOL_SIZE > 0:
+        engine = create_engine(
+            'sqlite://',
+            creator=create_sqlcipher_connection,
+            pool_size=DATABASE_POOL_SIZE,
+            max_overflow=DATABASE_POOL_MAX_OVERFLOW,
+            pool_timeout=DATABASE_POOL_TIMEOUT,
+            pool_recycle=DATABASE_POOL_RECYCLE,
+            pool_pre_ping=True,
+            poolclass=QueuePool,
+            echo=False,
+        )
+    else:
+        engine = create_engine(
+            'sqlite://',
+            creator=create_sqlcipher_connection,
+            poolclass=NullPool,
+            echo=False,
+        )
+
+    log.info('Connected to encrypted SQLite database using SQLCipher')
+
+elif 'sqlite' in SQLALCHEMY_DATABASE_URL:
+    engine = create_engine(SQLALCHEMY_DATABASE_URL, connect_args={'check_same_thread': False})
+
+    def _apply_sqlite_pragmas(dbapi_connection):
+        """Apply all configured SQLite PRAGMAs to a raw DBAPI connection."""
+        cursor = dbapi_connection.cursor()
+        if DATABASE_ENABLE_SQLITE_WAL:
+            cursor.execute('PRAGMA journal_mode=WAL')
+        else:
+            cursor.execute('PRAGMA journal_mode=DELETE')
+
+        # Each PRAGMA is skipped when its env var is empty, allowing opt-out.
+        if DATABASE_SQLITE_PRAGMA_SYNCHRONOUS:
+            cursor.execute(f'PRAGMA synchronous={DATABASE_SQLITE_PRAGMA_SYNCHRONOUS}')
+        if DATABASE_SQLITE_PRAGMA_BUSY_TIMEOUT:
+            cursor.execute(f'PRAGMA busy_timeout={DATABASE_SQLITE_PRAGMA_BUSY_TIMEOUT}')
+        if DATABASE_SQLITE_PRAGMA_CACHE_SIZE:
+            cursor.execute(f'PRAGMA cache_size={DATABASE_SQLITE_PRAGMA_CACHE_SIZE}')
+        if DATABASE_SQLITE_PRAGMA_TEMP_STORE:
+            cursor.execute(f'PRAGMA temp_store={DATABASE_SQLITE_PRAGMA_TEMP_STORE}')
+        if DATABASE_SQLITE_PRAGMA_MMAP_SIZE:
+            cursor.execute(f'PRAGMA mmap_size={DATABASE_SQLITE_PRAGMA_MMAP_SIZE}')
+        if DATABASE_SQLITE_PRAGMA_JOURNAL_SIZE_LIMIT:
+            cursor.execute(f'PRAGMA journal_size_limit={DATABASE_SQLITE_PRAGMA_JOURNAL_SIZE_LIMIT}')
+        cursor.close()
+
+    def on_connect(dbapi_connection, connection_record):
+        _apply_sqlite_pragmas(dbapi_connection)
+
+    event.listen(engine, 'connect', on_connect)
+else:
+    if isinstance(DATABASE_POOL_SIZE, int):
+        if DATABASE_POOL_SIZE > 0:
+            engine = create_engine(
+                SQLALCHEMY_DATABASE_URL,
+                pool_size=DATABASE_POOL_SIZE,
+                max_overflow=DATABASE_POOL_MAX_OVERFLOW,
+                pool_timeout=DATABASE_POOL_TIMEOUT,
+                pool_recycle=DATABASE_POOL_RECYCLE,
+                pool_pre_ping=True,
+                poolclass=QueuePool,
+            )
+        else:
+            engine = create_engine(SQLALCHEMY_DATABASE_URL, pool_pre_ping=True, poolclass=NullPool)
+    else:
+        engine = create_engine(SQLALCHEMY_DATABASE_URL, pool_pre_ping=True)
+
+
+# Sync session — used ONLY for startup config loading (config.py runs at import time)
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine, expire_on_commit=False)
+metadata_obj = MetaData(schema=DATABASE_SCHEMA)
+Base = declarative_base(metadata=metadata_obj)
+ScopedSession = scoped_session(SessionLocal)
+
+
+def get_session():
+    """Sync session generator — used ONLY for startup/config operations."""
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()
+
+
+get_db = contextmanager(get_session)
+
+
+# ============================================================
+# ASYNC ENGINE (used for ALL runtime database operations)
+# ============================================================
+
+# psycopg (v3) speaks libpq natively — the full DATABASE_URL is passed
+# through as-is.  SSL params, ``options``, ``target_session_attrs``, etc.
+# all work without any stripping or translation.
+ASYNC_SQLALCHEMY_DATABASE_URL = _make_async_url(SQLALCHEMY_DATABASE_URL)
+
+if 'sqlite' in ASYNC_SQLALCHEMY_DATABASE_URL:
+    # Generous default — async coroutines + no session sharing = high connection demand.
+    _sqlite_pool_size = DATABASE_POOL_SIZE if isinstance(DATABASE_POOL_SIZE, int) and DATABASE_POOL_SIZE > 0 else 512
+    async_engine = create_async_engine(
+        ASYNC_SQLALCHEMY_DATABASE_URL,
+        connect_args={'check_same_thread': False},
+        pool_size=_sqlite_pool_size,
+        pool_timeout=DATABASE_POOL_TIMEOUT,
+        pool_recycle=DATABASE_POOL_RECYCLE,
+        pool_pre_ping=True,
+    )
+
+    @event.listens_for(async_engine.sync_engine, 'connect')
+    def _set_sqlite_pragmas(dbapi_connection, connection_record):
+        _apply_sqlite_pragmas(dbapi_connection)
+else:
+    if isinstance(DATABASE_POOL_SIZE, int):
+        if DATABASE_POOL_SIZE > 0:
+            async_engine = create_async_engine(
+                ASYNC_SQLALCHEMY_DATABASE_URL,
+                pool_size=DATABASE_POOL_SIZE,
+                max_overflow=DATABASE_POOL_MAX_OVERFLOW,
+                pool_timeout=DATABASE_POOL_TIMEOUT,
+                pool_recycle=DATABASE_POOL_RECYCLE,
+                pool_pre_ping=True,
+            )
+        else:
+            async_engine = create_async_engine(
+                ASYNC_SQLALCHEMY_DATABASE_URL,
+                pool_pre_ping=True,
+                poolclass=NullPool,
+            )
+    else:
+        async_engine = create_async_engine(
+            ASYNC_SQLALCHEMY_DATABASE_URL,
+            pool_pre_ping=True,
+        )
+
+
+AsyncSessionLocal = async_sessionmaker(
+    bind=async_engine,
+    class_=AsyncSession,
+    autocommit=False,
+    autoflush=False,
+    expire_on_commit=False,
+)
+
+
+async def get_async_session():
+    """Async session generator for FastAPI Depends()."""
+    async with AsyncSessionLocal() as db:
+        try:
+            yield db
+        finally:
+            await db.close()
+
+
+@asynccontextmanager
+async def get_async_db():
+    """Async context manager for use outside of FastAPI dependency injection."""
+    async with AsyncSessionLocal() as db:
+        try:
+            yield db
+        finally:
+            await db.close()
+
+
+@asynccontextmanager
+async def get_async_db_context(db: Optional[AsyncSession] = None):
+    """Async context manager that reuses an existing session if provided and session sharing is enabled."""
+    if isinstance(db, AsyncSession) and DATABASE_ENABLE_SESSION_SHARING:
+        yield db
+    else:
+        async with get_async_db() as session:
+            yield session

backend/open_webui/internal/migrations/001_initial_schema.py

@@ -0,0 +1,253 @@
+"""Peewee migrations -- 001_initial_schema.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    # We perform different migrations for SQLite and other databases
+    # This is because SQLite is very loose with enforcing its schema, and trying to migrate other databases like SQLite
+    # will require per-database SQL queries.
+    # Instead, we assume that because external DB support was added at a later date, it is safe to assume a newer base
+    # schema instead of trying to migrate from an older schema.
+    if isinstance(database, pw.SqliteDatabase):
+        migrate_sqlite(migrator, database, fake=fake)
+    else:
+        migrate_external(migrator, database, fake=fake)
+
+
+def migrate_sqlite(migrator: Migrator, database: pw.Database, *, fake=False):
+    @migrator.create_model
+    class Auth(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        email = pw.CharField(max_length=255)
+        password = pw.CharField(max_length=255)
+        active = pw.BooleanField()
+
+        class Meta:
+            table_name = 'auth'
+
+    @migrator.create_model
+    class Chat(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        user_id = pw.CharField(max_length=255)
+        title = pw.CharField()
+        chat = pw.TextField()
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'chat'
+
+    @migrator.create_model
+    class ChatIdTag(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        tag_name = pw.CharField(max_length=255)
+        chat_id = pw.CharField(max_length=255)
+        user_id = pw.CharField(max_length=255)
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'chatidtag'
+
+    @migrator.create_model
+    class Document(pw.Model):
+        id = pw.AutoField()
+        collection_name = pw.CharField(max_length=255, unique=True)
+        name = pw.CharField(max_length=255, unique=True)
+        title = pw.CharField()
+        filename = pw.CharField()
+        content = pw.TextField(null=True)
+        user_id = pw.CharField(max_length=255)
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'document'
+
+    @migrator.create_model
+    class Modelfile(pw.Model):
+        id = pw.AutoField()
+        tag_name = pw.CharField(max_length=255, unique=True)
+        user_id = pw.CharField(max_length=255)
+        modelfile = pw.TextField()
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'modelfile'
+
+    @migrator.create_model
+    class Prompt(pw.Model):
+        id = pw.AutoField()
+        command = pw.CharField(max_length=255, unique=True)
+        user_id = pw.CharField(max_length=255)
+        title = pw.CharField()
+        content = pw.TextField()
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'prompt'
+
+    @migrator.create_model
+    class Tag(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        name = pw.CharField(max_length=255)
+        user_id = pw.CharField(max_length=255)
+        data = pw.TextField(null=True)
+
+        class Meta:
+            table_name = 'tag'
+
+    @migrator.create_model
+    class User(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        name = pw.CharField(max_length=255)
+        email = pw.CharField(max_length=255)
+        role = pw.CharField(max_length=255)
+        profile_image_url = pw.CharField(max_length=255)
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'user'
+
+
+def migrate_external(migrator: Migrator, database: pw.Database, *, fake=False):
+    @migrator.create_model
+    class Auth(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        email = pw.CharField(max_length=255)
+        password = pw.TextField()
+        active = pw.BooleanField()
+
+        class Meta:
+            table_name = 'auth'
+
+    @migrator.create_model
+    class Chat(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        user_id = pw.CharField(max_length=255)
+        title = pw.TextField()
+        chat = pw.TextField()
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'chat'
+
+    @migrator.create_model
+    class ChatIdTag(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        tag_name = pw.CharField(max_length=255)
+        chat_id = pw.CharField(max_length=255)
+        user_id = pw.CharField(max_length=255)
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'chatidtag'
+
+    @migrator.create_model
+    class Document(pw.Model):
+        id = pw.AutoField()
+        collection_name = pw.CharField(max_length=255, unique=True)
+        name = pw.CharField(max_length=255, unique=True)
+        title = pw.TextField()
+        filename = pw.TextField()
+        content = pw.TextField(null=True)
+        user_id = pw.CharField(max_length=255)
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'document'
+
+    @migrator.create_model
+    class Modelfile(pw.Model):
+        id = pw.AutoField()
+        tag_name = pw.CharField(max_length=255, unique=True)
+        user_id = pw.CharField(max_length=255)
+        modelfile = pw.TextField()
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'modelfile'
+
+    @migrator.create_model
+    class Prompt(pw.Model):
+        id = pw.AutoField()
+        command = pw.CharField(max_length=255, unique=True)
+        user_id = pw.CharField(max_length=255)
+        title = pw.TextField()
+        content = pw.TextField()
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'prompt'
+
+    @migrator.create_model
+    class Tag(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        name = pw.CharField(max_length=255)
+        user_id = pw.CharField(max_length=255)
+        data = pw.TextField(null=True)
+
+        class Meta:
+            table_name = 'tag'
+
+    @migrator.create_model
+    class User(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        name = pw.CharField(max_length=255)
+        email = pw.CharField(max_length=255)
+        role = pw.CharField(max_length=255)
+        profile_image_url = pw.TextField()
+        timestamp = pw.BigIntegerField()
+
+        class Meta:
+            table_name = 'user'
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_model('user')
+
+    migrator.remove_model('tag')
+
+    migrator.remove_model('prompt')
+
+    migrator.remove_model('modelfile')
+
+    migrator.remove_model('document')
+
+    migrator.remove_model('chatidtag')
+
+    migrator.remove_model('chat')
+
+    migrator.remove_model('auth')

backend/open_webui/internal/migrations/002_add_local_sharing.py

@@ -0,0 +1,45 @@
+"""Peewee migrations -- 002_add_local_sharing.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    migrator.add_fields('chat', share_id=pw.CharField(max_length=255, null=True, unique=True))
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_fields('chat', 'share_id')

backend/open_webui/internal/migrations/003_add_auth_api_key.py

@@ -0,0 +1,45 @@
+"""Peewee migrations -- 002_add_local_sharing.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    migrator.add_fields('user', api_key=pw.CharField(max_length=255, null=True, unique=True))
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_fields('user', 'api_key')

backend/open_webui/internal/migrations/004_add_archived.py

@@ -0,0 +1,45 @@
+"""Peewee migrations -- 002_add_local_sharing.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    migrator.add_fields('chat', archived=pw.BooleanField(default=False))
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_fields('chat', 'archived')

backend/open_webui/internal/migrations/005_add_updated_at.py

@@ -0,0 +1,125 @@
+"""Peewee migrations -- 002_add_local_sharing.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    if isinstance(database, pw.SqliteDatabase):
+        migrate_sqlite(migrator, database, fake=fake)
+    else:
+        migrate_external(migrator, database, fake=fake)
+
+
+def migrate_sqlite(migrator: Migrator, database: pw.Database, *, fake=False):
+    # Adding fields created_at and updated_at to the 'chat' table
+    migrator.add_fields(
+        'chat',
+        created_at=pw.DateTimeField(null=True),  # Allow null for transition
+        updated_at=pw.DateTimeField(null=True),  # Allow null for transition
+    )
+
+    # Populate the new fields from an existing 'timestamp' field
+    migrator.sql('UPDATE chat SET created_at = timestamp, updated_at = timestamp WHERE timestamp IS NOT NULL')
+
+    # Now that the data has been copied, remove the original 'timestamp' field
+    migrator.remove_fields('chat', 'timestamp')
+
+    # Update the fields to be not null now that they are populated
+    migrator.change_fields(
+        'chat',
+        created_at=pw.DateTimeField(null=False),
+        updated_at=pw.DateTimeField(null=False),
+    )
+
+
+def migrate_external(migrator: Migrator, database: pw.Database, *, fake=False):
+    # Adding fields created_at and updated_at to the 'chat' table
+    migrator.add_fields(
+        'chat',
+        created_at=pw.BigIntegerField(null=True),  # Allow null for transition
+        updated_at=pw.BigIntegerField(null=True),  # Allow null for transition
+    )
+
+    # Populate the new fields from an existing 'timestamp' field
+    migrator.sql('UPDATE chat SET created_at = timestamp, updated_at = timestamp WHERE timestamp IS NOT NULL')
+
+    # Now that the data has been copied, remove the original 'timestamp' field
+    migrator.remove_fields('chat', 'timestamp')
+
+    # Update the fields to be not null now that they are populated
+    migrator.change_fields(
+        'chat',
+        created_at=pw.BigIntegerField(null=False),
+        updated_at=pw.BigIntegerField(null=False),
+    )
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    if isinstance(database, pw.SqliteDatabase):
+        rollback_sqlite(migrator, database, fake=fake)
+    else:
+        rollback_external(migrator, database, fake=fake)
+
+
+def rollback_sqlite(migrator: Migrator, database: pw.Database, *, fake=False):
+    # Recreate the timestamp field initially allowing null values for safe transition
+    migrator.add_fields('chat', timestamp=pw.DateTimeField(null=True))
+
+    # Copy the earliest created_at date back into the new timestamp field
+    # This assumes created_at was originally a copy of timestamp
+    migrator.sql('UPDATE chat SET timestamp = created_at')
+
+    # Remove the created_at and updated_at fields
+    migrator.remove_fields('chat', 'created_at', 'updated_at')
+
+    # Finally, alter the timestamp field to not allow nulls if that was the original setting
+    migrator.change_fields('chat', timestamp=pw.DateTimeField(null=False))
+
+
+def rollback_external(migrator: Migrator, database: pw.Database, *, fake=False):
+    # Recreate the timestamp field initially allowing null values for safe transition
+    migrator.add_fields('chat', timestamp=pw.BigIntegerField(null=True))
+
+    # Copy the earliest created_at date back into the new timestamp field
+    # This assumes created_at was originally a copy of timestamp
+    migrator.sql('UPDATE chat SET timestamp = created_at')
+
+    # Remove the created_at and updated_at fields
+    migrator.remove_fields('chat', 'created_at', 'updated_at')
+
+    # Finally, alter the timestamp field to not allow nulls if that was the original setting
+    migrator.change_fields('chat', timestamp=pw.BigIntegerField(null=False))

backend/open_webui/internal/migrations/006_migrate_timestamps_and_charfields.py

@@ -0,0 +1,129 @@
+"""Peewee migrations -- 006_migrate_timestamps_and_charfields.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    # Alter the tables with timestamps
+    migrator.change_fields(
+        'chatidtag',
+        timestamp=pw.BigIntegerField(),
+    )
+    migrator.change_fields(
+        'document',
+        timestamp=pw.BigIntegerField(),
+    )
+    migrator.change_fields(
+        'modelfile',
+        timestamp=pw.BigIntegerField(),
+    )
+    migrator.change_fields(
+        'prompt',
+        timestamp=pw.BigIntegerField(),
+    )
+    migrator.change_fields(
+        'user',
+        timestamp=pw.BigIntegerField(),
+    )
+    # Alter the tables with varchar to text where necessary
+    migrator.change_fields(
+        'auth',
+        password=pw.TextField(),
+    )
+    migrator.change_fields(
+        'chat',
+        title=pw.TextField(),
+    )
+    migrator.change_fields(
+        'document',
+        title=pw.TextField(),
+        filename=pw.TextField(),
+    )
+    migrator.change_fields(
+        'prompt',
+        title=pw.TextField(),
+    )
+    migrator.change_fields(
+        'user',
+        profile_image_url=pw.TextField(),
+    )
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    if isinstance(database, pw.SqliteDatabase):
+        # Alter the tables with timestamps
+        migrator.change_fields(
+            'chatidtag',
+            timestamp=pw.DateField(),
+        )
+        migrator.change_fields(
+            'document',
+            timestamp=pw.DateField(),
+        )
+        migrator.change_fields(
+            'modelfile',
+            timestamp=pw.DateField(),
+        )
+        migrator.change_fields(
+            'prompt',
+            timestamp=pw.DateField(),
+        )
+        migrator.change_fields(
+            'user',
+            timestamp=pw.DateField(),
+        )
+    migrator.change_fields(
+        'auth',
+        password=pw.CharField(max_length=255),
+    )
+    migrator.change_fields(
+        'chat',
+        title=pw.CharField(),
+    )
+    migrator.change_fields(
+        'document',
+        title=pw.CharField(),
+        filename=pw.CharField(),
+    )
+    migrator.change_fields(
+        'prompt',
+        title=pw.CharField(),
+    )
+    migrator.change_fields(
+        'user',
+        profile_image_url=pw.CharField(),
+    )

backend/open_webui/internal/migrations/007_add_user_last_active_at.py

@@ -0,0 +1,78 @@
+"""Peewee migrations -- 002_add_local_sharing.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    # Adding fields created_at and updated_at to the 'user' table
+    migrator.add_fields(
+        'user',
+        created_at=pw.BigIntegerField(null=True),  # Allow null for transition
+        updated_at=pw.BigIntegerField(null=True),  # Allow null for transition
+        last_active_at=pw.BigIntegerField(null=True),  # Allow null for transition
+    )
+
+    # Populate the new fields from an existing 'timestamp' field
+    migrator.sql(
+        'UPDATE "user" SET created_at = timestamp, updated_at = timestamp, last_active_at = timestamp WHERE timestamp IS NOT NULL'
+    )
+
+    # Now that the data has been copied, remove the original 'timestamp' field
+    migrator.remove_fields('user', 'timestamp')
+
+    # Update the fields to be not null now that they are populated
+    migrator.change_fields(
+        'user',
+        created_at=pw.BigIntegerField(null=False),
+        updated_at=pw.BigIntegerField(null=False),
+        last_active_at=pw.BigIntegerField(null=False),
+    )
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    # Recreate the timestamp field initially allowing null values for safe transition
+    migrator.add_fields('user', timestamp=pw.BigIntegerField(null=True))
+
+    # Copy the earliest created_at date back into the new timestamp field
+    # This assumes created_at was originally a copy of timestamp
+    migrator.sql('UPDATE "user" SET timestamp = created_at')
+
+    # Remove the created_at and updated_at fields
+    migrator.remove_fields('user', 'created_at', 'updated_at', 'last_active_at')
+
+    # Finally, alter the timestamp field to not allow nulls if that was the original setting
+    migrator.change_fields('user', timestamp=pw.BigIntegerField(null=False))

backend/open_webui/internal/migrations/008_add_memory.py

@@ -0,0 +1,52 @@
+"""Peewee migrations -- 002_add_local_sharing.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    @migrator.create_model
+    class Memory(pw.Model):
+        id = pw.CharField(max_length=255, unique=True)
+        user_id = pw.CharField(max_length=255)
+        content = pw.TextField(null=False)
+        updated_at = pw.BigIntegerField(null=False)
+        created_at = pw.BigIntegerField(null=False)
+
+        class Meta:
+            table_name = 'memory'
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_model('memory')

backend/open_webui/internal/migrations/009_add_models.py

@@ -0,0 +1,60 @@
+"""Peewee migrations -- 009_add_models.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    @migrator.create_model
+    class Model(pw.Model):
+        id = pw.TextField(unique=True)
+        user_id = pw.TextField()
+        base_model_id = pw.TextField(null=True)
+
+        name = pw.TextField()
+
+        meta = pw.TextField()
+        params = pw.TextField()
+
+        created_at = pw.BigIntegerField(null=False)
+        updated_at = pw.BigIntegerField(null=False)
+
+        class Meta:
+            table_name = 'model'
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_model('model')

backend/open_webui/internal/migrations/010_migrate_modelfiles_to_models.py

@@ -0,0 +1,130 @@
+"""Peewee migrations -- 009_add_models.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+import json
+
+from open_webui.utils.misc import parse_ollama_modelfile
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    # Fetch data from 'modelfile' table and insert into 'model' table
+    migrate_modelfile_to_model(migrator, database)
+    # Drop the 'modelfile' table
+    migrator.remove_model('modelfile')
+
+
+def migrate_modelfile_to_model(migrator: Migrator, database: pw.Database):
+    ModelFile = migrator.orm['modelfile']
+    Model = migrator.orm['model']
+
+    modelfiles = ModelFile.select()
+
+    for modelfile in modelfiles:
+        # Extract and transform data in Python
+
+        modelfile.modelfile = json.loads(modelfile.modelfile)
+        meta = json.dumps(
+            {
+                'description': modelfile.modelfile.get('desc'),
+                'profile_image_url': modelfile.modelfile.get('imageUrl'),
+                'ollama': {'modelfile': modelfile.modelfile.get('content')},
+                'suggestion_prompts': modelfile.modelfile.get('suggestionPrompts'),
+                'categories': modelfile.modelfile.get('categories'),
+                'user': {**modelfile.modelfile.get('user', {}), 'community': True},
+            }
+        )
+
+        info = parse_ollama_modelfile(modelfile.modelfile.get('content'))
+
+        # Insert the processed data into the 'model' table
+        Model.create(
+            id=f'ollama-{modelfile.tag_name}',
+            user_id=modelfile.user_id,
+            base_model_id=info.get('base_model_id'),
+            name=modelfile.modelfile.get('title'),
+            meta=meta,
+            params=json.dumps(info.get('params', {})),
+            created_at=modelfile.timestamp,
+            updated_at=modelfile.timestamp,
+        )
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    recreate_modelfile_table(migrator, database)
+    move_data_back_to_modelfile(migrator, database)
+    migrator.remove_model('model')
+
+
+def recreate_modelfile_table(migrator: Migrator, database: pw.Database):
+    query = """
+    CREATE TABLE IF NOT EXISTS modelfile (
+        user_id TEXT,
+        tag_name TEXT,
+        modelfile JSON,
+        timestamp BIGINT
+    )
+    """
+    migrator.sql(query)
+
+
+def move_data_back_to_modelfile(migrator: Migrator, database: pw.Database):
+    Model = migrator.orm['model']
+    Modelfile = migrator.orm['modelfile']
+
+    models = Model.select()
+
+    for model in models:
+        # Extract and transform data in Python
+        meta = json.loads(model.meta)
+
+        modelfile_data = {
+            'title': model.name,
+            'desc': meta.get('description'),
+            'imageUrl': meta.get('profile_image_url'),
+            'content': meta.get('ollama', {}).get('modelfile'),
+            'suggestionPrompts': meta.get('suggestion_prompts'),
+            'categories': meta.get('categories'),
+            'user': {k: v for k, v in meta.get('user', {}).items() if k != 'community'},
+        }
+
+        # Insert the processed data back into the 'modelfile' table
+        Modelfile.create(
+            user_id=model.user_id,
+            tag_name=model.id,
+            modelfile=modelfile_data,
+            timestamp=model.created_at,
+        )

backend/open_webui/internal/migrations/011_add_user_settings.py

@@ -0,0 +1,47 @@
+"""Peewee migrations -- 002_add_local_sharing.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    # Adding fields settings to the 'user' table
+    migrator.add_fields('user', settings=pw.TextField(null=True))
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    # Remove the settings field
+    migrator.remove_fields('user', 'settings')

backend/open_webui/internal/migrations/012_add_tools.py

@@ -0,0 +1,60 @@
+"""Peewee migrations -- 009_add_models.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    @migrator.create_model
+    class Tool(pw.Model):
+        id = pw.TextField(unique=True)
+        user_id = pw.TextField()
+
+        name = pw.TextField()
+        content = pw.TextField()
+        specs = pw.TextField()
+
+        meta = pw.TextField()
+
+        created_at = pw.BigIntegerField(null=False)
+        updated_at = pw.BigIntegerField(null=False)
+
+        class Meta:
+            table_name = 'tool'
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_model('tool')

backend/open_webui/internal/migrations/013_add_user_info.py

@@ -0,0 +1,47 @@
+"""Peewee migrations -- 002_add_local_sharing.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    # Adding fields info to the 'user' table
+    migrator.add_fields('user', info=pw.TextField(null=True))
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    # Remove the settings field
+    migrator.remove_fields('user', 'info')

backend/open_webui/internal/migrations/014_add_files.py

@@ -0,0 +1,54 @@
+"""Peewee migrations -- 009_add_models.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    @migrator.create_model
+    class File(pw.Model):
+        id = pw.TextField(unique=True)
+        user_id = pw.TextField()
+        filename = pw.TextField()
+        meta = pw.TextField()
+        created_at = pw.BigIntegerField(null=False)
+
+        class Meta:
+            table_name = 'file'
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_model('file')

backend/open_webui/internal/migrations/015_add_functions.py

@@ -0,0 +1,60 @@
+"""Peewee migrations -- 009_add_models.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    @migrator.create_model
+    class Function(pw.Model):
+        id = pw.TextField(unique=True)
+        user_id = pw.TextField()
+
+        name = pw.TextField()
+        type = pw.TextField()
+
+        content = pw.TextField()
+        meta = pw.TextField()
+
+        created_at = pw.BigIntegerField(null=False)
+        updated_at = pw.BigIntegerField(null=False)
+
+        class Meta:
+            table_name = 'function'
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_model('function')

backend/open_webui/internal/migrations/016_add_valves_and_is_active.py

@@ -0,0 +1,49 @@
+"""Peewee migrations -- 009_add_models.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    migrator.add_fields('tool', valves=pw.TextField(null=True))
+    migrator.add_fields('function', valves=pw.TextField(null=True))
+    migrator.add_fields('function', is_active=pw.BooleanField(default=False))
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_fields('tool', 'valves')
+    migrator.remove_fields('function', 'valves')
+    migrator.remove_fields('function', 'is_active')

backend/open_webui/internal/migrations/017_add_user_oauth_sub.py

@@ -0,0 +1,44 @@
+"""Peewee migrations -- 017_add_user_oauth_sub.py.
+Some examples (model - class or model name)::
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    migrator.add_fields(
+        'user',
+        oauth_sub=pw.TextField(null=True, unique=True),
+    )
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_fields('user', 'oauth_sub')

backend/open_webui/internal/migrations/018_add_function_is_global.py

@@ -0,0 +1,48 @@
+"""Peewee migrations -- 017_add_user_oauth_sub.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    migrator.add_fields(
+        'function',
+        is_global=pw.BooleanField(default=False),
+    )
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.remove_fields('function', 'is_global')

backend/open_webui/internal/wrappers.py

@@ -0,0 +1,84 @@
+import logging
+import os
+from contextvars import ContextVar
+
+from peewee import *
+from peewee import InterfaceError as PeeWeeInterfaceError
+from peewee import PostgresqlDatabase
+from playhouse.db_url import connect, parse
+from playhouse.shortcuts import ReconnectMixin
+
+log = logging.getLogger(__name__)
+
+db_state_default = {'closed': None, 'conn': None, 'ctx': None, 'transactions': None}
+db_state = ContextVar('db_state', default=db_state_default.copy())
+
+
+class PeeweeConnectionState(object):
+    def __init__(self, **kwargs):
+        super().__setattr__('_state', db_state)
+        super().__init__(**kwargs)
+
+    def __setattr__(self, name, value):
+        self._state.get()[name] = value
+
+    def __getattr__(self, name):
+        value = self._state.get()[name]
+        return value
+
+
+class CustomReconnectMixin(ReconnectMixin):
+    reconnect_errors = (
+        # psycopg2
+        (OperationalError, 'termin'),
+        (InterfaceError, 'closed'),
+        # peewee
+        (PeeWeeInterfaceError, 'closed'),
+    )
+
+
+class ReconnectingPostgresqlDatabase(CustomReconnectMixin, PostgresqlDatabase):
+    pass
+
+
+def register_connection(db_url):
+    # Check if using SQLCipher protocol
+    if db_url.startswith('sqlite+sqlcipher://'):
+        database_password = os.environ.get('DATABASE_PASSWORD')
+        if not database_password or database_password.strip() == '':
+            raise ValueError('DATABASE_PASSWORD is required when using sqlite+sqlcipher:// URLs')
+        from playhouse.sqlcipher_ext import SqlCipherDatabase
+
+        # Parse the database path from SQLCipher URL
+        # Convert sqlite+sqlcipher:///path/to/db.sqlite to /path/to/db.sqlite
+        db_path = db_url.replace('sqlite+sqlcipher://', '')
+
+        # Use Peewee's native SqlCipherDatabase with encryption
+        db = SqlCipherDatabase(db_path, passphrase=database_password)
+        db.autoconnect = True
+        db.reuse_if_open = True
+        log.info('Connected to encrypted SQLite database using SQLCipher')
+
+    else:
+        # Standard database connection (existing logic)
+        db = connect(db_url, unquote_user=True, unquote_password=True)
+        if isinstance(db, PostgresqlDatabase):
+            # Enable autoconnect for SQLite databases, managed by Peewee
+            db.autoconnect = True
+            db.reuse_if_open = True
+            log.info('Connected to PostgreSQL database')
+
+            # Get the connection details
+            connection = parse(db_url, unquote_user=True, unquote_password=True)
+
+            # Use our custom database class that supports reconnection
+            db = ReconnectingPostgresqlDatabase(**connection)
+            db.connect(reuse_if_open=True)
+        elif isinstance(db, SqliteDatabase):
+            # Enable autoconnect for SQLite databases, managed by Peewee
+            db.autoconnect = True
+            db.reuse_if_open = True
+            log.info('Connected to SQLite database')
+        else:
+            raise ValueError('Unsupported database connection')
+    return db

backend/open_webui/migrations/README

@@ -0,0 +1,4 @@
+Generic single-database configuration.
+
+Create new migrations with
+DATABASE_URL=<replace with actual url> alembic revision --autogenerate -m "a description"

backend/open_webui/migrations/env.py

@@ -0,0 +1,120 @@
+import logging
+from logging.config import fileConfig
+
+from alembic import context
+from open_webui.models.auths import Auth
+from open_webui.models.calendar import Calendar, CalendarEvent, CalendarEventAttendee  # noqa: F401
+from open_webui.env import DATABASE_URL, DATABASE_PASSWORD, LOG_FORMAT
+from open_webui.internal.db import extract_ssl_params_from_url, reattach_ssl_params_to_url
+from sqlalchemy import engine_from_config, pool, create_engine
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name, disable_existing_loggers=False)
+
+# Re-apply JSON formatter after fileConfig replaces handlers.
+if LOG_FORMAT == 'json':
+    from open_webui.env import JSONFormatter
+
+    for handler in logging.root.handlers:
+        handler.setFormatter(JSONFormatter())
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+# from myapp import mymodel
+# target_metadata = mymodel.Base.metadata
+target_metadata = Auth.metadata
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+DB_URL = DATABASE_URL
+
+# Normalize SSL query params for psycopg2 (Alembic uses psycopg2 for sync migrations).
+url_without_ssl, ssl_params = extract_ssl_params_from_url(DB_URL)
+DB_URL = reattach_ssl_params_to_url(url_without_ssl, ssl_params) if ssl_params else DB_URL
+
+if DB_URL:
+    config.set_main_option('sqlalchemy.url', DB_URL.replace('%', '%%'))
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option('sqlalchemy.url')
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={'paramstyle': 'named'},
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+    # Handle SQLCipher URLs
+    if DB_URL and DB_URL.startswith('sqlite+sqlcipher://'):
+        if not DATABASE_PASSWORD or DATABASE_PASSWORD.strip() == '':
+            raise ValueError('DATABASE_PASSWORD is required when using sqlite+sqlcipher:// URLs')
+
+        # Extract database path from SQLCipher URL
+        db_path = DB_URL.replace('sqlite+sqlcipher://', '')
+        if db_path.startswith('/'):
+            db_path = db_path[1:]  # Remove leading slash for relative paths
+
+        # Create a custom creator function that uses sqlcipher3
+        def create_sqlcipher_connection():
+            import sqlcipher3
+
+            conn = sqlcipher3.connect(db_path, check_same_thread=False)
+            conn.execute(f"PRAGMA key = '{DATABASE_PASSWORD}'")
+            return conn
+
+        connectable = create_engine(
+            'sqlite://',  # Dummy URL since we're using creator
+            creator=create_sqlcipher_connection,
+            echo=False,
+        )
+    else:
+        # Standard database connection (existing logic)
+        connectable = engine_from_config(
+            config.get_section(config.config_ini_section, {}),
+            prefix='sqlalchemy.',
+            poolclass=pool.NullPool,
+        )
+
+    with connectable.connect() as connection:
+        context.configure(connection=connection, target_metadata=target_metadata)
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

backend/open_webui/migrations/script.py.mako

@@ -0,0 +1,27 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+import open_webui.internal.db
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    ${downgrades if downgrades else "pass"}

backend/open_webui/migrations/util.py

@@ -0,0 +1,15 @@
+from alembic import op
+from sqlalchemy import Inspector
+
+
+def get_existing_tables():
+    con = op.get_bind()
+    inspector = Inspector.from_engine(con)
+    tables = set(inspector.get_table_names())
+    return tables
+
+
+def get_revision_id():
+    import uuid
+
+    return str(uuid.uuid4()).replace('-', '')[:12]

backend/open_webui/migrations/versions/018012973d35_add_indexes.py

@@ -0,0 +1,46 @@
+"""Add indexes
+
+Revision ID: 018012973d35
+Revises: d31026856c01
+Create Date: 2025-08-13 03:00:00.000000
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+
+revision = '018012973d35'
+down_revision = 'd31026856c01'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Chat table indexes
+    op.create_index('folder_id_idx', 'chat', ['folder_id'])
+    op.create_index('user_id_pinned_idx', 'chat', ['user_id', 'pinned'])
+    op.create_index('user_id_archived_idx', 'chat', ['user_id', 'archived'])
+    op.create_index('updated_at_user_id_idx', 'chat', ['updated_at', 'user_id'])
+    op.create_index('folder_id_user_id_idx', 'chat', ['folder_id', 'user_id'])
+
+    # Tag table index
+    op.create_index('user_id_idx', 'tag', ['user_id'])
+
+    # Function table index
+    op.create_index('is_global_idx', 'function', ['is_global'])
+
+
+def downgrade():
+    # Chat table indexes
+    op.drop_index('folder_id_idx', table_name='chat')
+    op.drop_index('user_id_pinned_idx', table_name='chat')
+    op.drop_index('user_id_archived_idx', table_name='chat')
+    op.drop_index('updated_at_user_id_idx', table_name='chat')
+    op.drop_index('folder_id_user_id_idx', table_name='chat')
+
+    # Tag table index
+    op.drop_index('user_id_idx', table_name='tag')
+
+    # Function table index
+
+    op.drop_index('is_global_idx', table_name='function')

backend/open_webui/migrations/versions/1af9b942657b_migrate_tags.py

@@ -0,0 +1,140 @@
+"""Migrate tags
+
+Revision ID: 1af9b942657b
+Revises: 242a2047eae0
+Create Date: 2024-10-09 21:02:35.241684
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.sql import table, select, update, column
+from sqlalchemy.engine.reflection import Inspector
+
+import json
+
+revision = '1af9b942657b'
+down_revision = '242a2047eae0'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Setup an inspection on the existing table to avoid issues
+    conn = op.get_bind()
+    inspector = Inspector.from_engine(conn)
+
+    # Clean up potential leftover temp table from previous failures
+    conn.execute(sa.text('DROP TABLE IF EXISTS _alembic_tmp_tag'))
+
+    # Check if the 'tag' table exists
+    tables = inspector.get_table_names()
+
+    # Step 1: Modify Tag table using batch mode for SQLite support
+    if 'tag' in tables:
+        # Get the current columns in the 'tag' table
+        columns = [col['name'] for col in inspector.get_columns('tag')]
+
+        # Get any existing unique constraints on the 'tag' table
+        current_constraints = inspector.get_unique_constraints('tag')
+
+        with op.batch_alter_table('tag', schema=None) as batch_op:
+            # Check if the unique constraint already exists
+            if not any(constraint['name'] == 'uq_id_user_id' for constraint in current_constraints):
+                # Create unique constraint if it doesn't exist
+                batch_op.create_unique_constraint('uq_id_user_id', ['id', 'user_id'])
+
+            # Check if the 'data' column exists before trying to drop it
+            if 'data' in columns:
+                batch_op.drop_column('data')
+
+            # Check if the 'meta' column needs to be created
+            if 'meta' not in columns:
+                # Add the 'meta' column if it doesn't already exist
+                batch_op.add_column(sa.Column('meta', sa.JSON(), nullable=True))
+
+    tag = table(
+        'tag',
+        column('id', sa.String()),
+        column('name', sa.String()),
+        column('user_id', sa.String()),
+        column('meta', sa.JSON()),
+    )
+
+    # Step 2: Migrate tags
+    conn = op.get_bind()
+    result = conn.execute(sa.select(tag.c.id, tag.c.name, tag.c.user_id))
+
+    tag_updates = {}
+    for row in result:
+        new_id = row.name.replace(' ', '_').lower()
+        tag_updates[row.id] = new_id
+
+    for tag_id, new_tag_id in tag_updates.items():
+        print(f'Updating tag {tag_id} to {new_tag_id}')
+        if new_tag_id == 'pinned':
+            # delete tag
+            delete_stmt = sa.delete(tag).where(tag.c.id == tag_id)
+            conn.execute(delete_stmt)
+        else:
+            # Check if the new_tag_id already exists in the database
+            existing_tag_query = sa.select(tag.c.id).where(tag.c.id == new_tag_id)
+            existing_tag_result = conn.execute(existing_tag_query).fetchone()
+
+            if existing_tag_result:
+                # Handle duplicate case: the new_tag_id already exists
+                print(f'Tag {new_tag_id} already exists. Removing current tag with ID {tag_id} to avoid duplicates.')
+                # Option 1: Delete the current tag if an update to new_tag_id would cause duplication
+                delete_stmt = sa.delete(tag).where(tag.c.id == tag_id)
+                conn.execute(delete_stmt)
+            else:
+                update_stmt = sa.update(tag).where(tag.c.id == tag_id)
+                update_stmt = update_stmt.values(id=new_tag_id)
+                conn.execute(update_stmt)
+
+    # Add columns `pinned` and `meta` to 'chat'
+    op.add_column('chat', sa.Column('pinned', sa.Boolean(), nullable=True))
+    op.add_column('chat', sa.Column('meta', sa.JSON(), nullable=False, server_default='{}'))
+
+    chatidtag = table('chatidtag', column('chat_id', sa.String()), column('tag_name', sa.String()))
+    chat = table(
+        'chat',
+        column('id', sa.String()),
+        column('pinned', sa.Boolean()),
+        column('meta', sa.JSON()),
+    )
+
+    # Fetch existing tags
+    conn = op.get_bind()
+    result = conn.execute(sa.select(chatidtag.c.chat_id, chatidtag.c.tag_name))
+
+    chat_updates = {}
+    for row in result:
+        chat_id = row.chat_id
+        tag_name = row.tag_name.replace(' ', '_').lower()
+
+        if tag_name == 'pinned':
+            # Specifically handle 'pinned' tag
+            if chat_id not in chat_updates:
+                chat_updates[chat_id] = {'pinned': True, 'meta': {}}
+            else:
+                chat_updates[chat_id]['pinned'] = True
+        else:
+            if chat_id not in chat_updates:
+                chat_updates[chat_id] = {'pinned': False, 'meta': {'tags': [tag_name]}}
+            else:
+                tags = chat_updates[chat_id]['meta'].get('tags', [])
+                tags.append(tag_name)
+
+                chat_updates[chat_id]['meta']['tags'] = list(set(tags))
+
+    # Update chats based on accumulated changes
+    for chat_id, updates in chat_updates.items():
+        update_stmt = sa.update(chat).where(chat.c.id == chat_id)
+        update_stmt = update_stmt.values(meta=updates.get('meta', {}), pinned=updates.get('pinned', False))
+        conn.execute(update_stmt)
+    pass
+
+
+def downgrade():
+    pass

backend/open_webui/migrations/versions/242a2047eae0_update_chat_table.py

@@ -0,0 +1,97 @@
+"""Update chat table
+
+Revision ID: 242a2047eae0
+Revises: 6a39f3d8e55c
+Create Date: 2024-10-09 21:02:35.241684
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.sql import table, select, update
+
+import json
+
+revision = '242a2047eae0'
+down_revision = '6a39f3d8e55c'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+
+    columns = inspector.get_columns('chat')
+    column_dict = {col['name']: col for col in columns}
+
+    chat_column = column_dict.get('chat')
+    old_chat_exists = 'old_chat' in column_dict
+
+    if chat_column:
+        if isinstance(chat_column['type'], sa.Text):
+            print("Converting 'chat' column to JSON")
+
+            if old_chat_exists:
+                print("Dropping old 'old_chat' column")
+                op.drop_column('chat', 'old_chat')
+
+            # Step 1: Rename current 'chat' column to 'old_chat'
+            print("Renaming 'chat' column to 'old_chat'")
+            op.alter_column('chat', 'chat', new_column_name='old_chat', existing_type=sa.Text())
+
+            # Step 2: Add new 'chat' column of type JSON
+            print("Adding new 'chat' column of type JSON")
+            op.add_column('chat', sa.Column('chat', sa.JSON(), nullable=True))
+        else:
+            # If the column is already JSON, no need to do anything
+            pass
+
+    # Step 3: Migrate data from 'old_chat' to 'chat'
+    chat_table = table(
+        'chat',
+        sa.Column('id', sa.String(), primary_key=True),
+        sa.Column('old_chat', sa.Text()),
+        sa.Column('chat', sa.JSON()),
+    )
+
+    # - Selecting all data from the table
+    connection = op.get_bind()
+    results = connection.execute(select(chat_table.c.id, chat_table.c.old_chat))
+    for row in results:
+        try:
+            # Convert text JSON to actual JSON object, assuming the text is in JSON format
+            json_data = json.loads(row.old_chat)
+        except json.JSONDecodeError:
+            json_data = None  # Handle cases where the text cannot be converted to JSON
+
+        connection.execute(sa.update(chat_table).where(chat_table.c.id == row.id).values(chat=json_data))
+
+    # Step 4: Drop 'old_chat' column
+    print("Dropping 'old_chat' column")
+    op.drop_column('chat', 'old_chat')
+
+
+def downgrade():
+    # Step 1: Add 'old_chat' column back as Text
+    op.add_column('chat', sa.Column('old_chat', sa.Text(), nullable=True))
+
+    # Step 2: Convert 'chat' JSON data back to text and store in 'old_chat'
+    chat_table = table(
+        'chat',
+        sa.Column('id', sa.String(), primary_key=True),
+        sa.Column('chat', sa.JSON()),
+        sa.Column('old_chat', sa.Text()),
+    )
+
+    connection = op.get_bind()
+    results = connection.execute(select(chat_table.c.id, chat_table.c.chat))
+    for row in results:
+        text_data = json.dumps(row.chat) if row.chat is not None else None
+        connection.execute(sa.update(chat_table).where(chat_table.c.id == row.id).values(old_chat=text_data))
+
+    # Step 3: Remove the new 'chat' JSON column
+    op.drop_column('chat', 'chat')
+
+    # Step 4: Rename 'old_chat' back to 'chat'
+    op.alter_column('chat', 'old_chat', new_column_name='chat', existing_type=sa.Text())

backend/open_webui/migrations/versions/2f1211949ecc_update_message_and_channel_member_table.py

@@ -0,0 +1,94 @@
+"""Update messages and channel member table
+
+Revision ID: 2f1211949ecc
+Revises: 37f288994c47
+Create Date: 2025-11-27 03:07:56.200231
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+import open_webui.internal.db
+
+# revision identifiers, used by Alembic.
+revision: str = '2f1211949ecc'
+down_revision: Union[str, None] = '37f288994c47'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # New columns to be added to channel_member table
+    op.add_column('channel_member', sa.Column('status', sa.Text(), nullable=True))
+    op.add_column(
+        'channel_member',
+        sa.Column(
+            'is_active',
+            sa.Boolean(),
+            nullable=False,
+            default=True,
+            server_default=sa.sql.expression.true(),
+        ),
+    )
+
+    op.add_column(
+        'channel_member',
+        sa.Column(
+            'is_channel_muted',
+            sa.Boolean(),
+            nullable=False,
+            default=False,
+            server_default=sa.sql.expression.false(),
+        ),
+    )
+    op.add_column(
+        'channel_member',
+        sa.Column(
+            'is_channel_pinned',
+            sa.Boolean(),
+            nullable=False,
+            default=False,
+            server_default=sa.sql.expression.false(),
+        ),
+    )
+
+    op.add_column('channel_member', sa.Column('data', sa.JSON(), nullable=True))
+    op.add_column('channel_member', sa.Column('meta', sa.JSON(), nullable=True))
+
+    op.add_column('channel_member', sa.Column('joined_at', sa.BigInteger(), nullable=False))
+    op.add_column('channel_member', sa.Column('left_at', sa.BigInteger(), nullable=True))
+
+    op.add_column('channel_member', sa.Column('last_read_at', sa.BigInteger(), nullable=True))
+
+    op.add_column('channel_member', sa.Column('updated_at', sa.BigInteger(), nullable=True))
+
+    # New columns to be added to message table
+    op.add_column(
+        'message',
+        sa.Column(
+            'is_pinned',
+            sa.Boolean(),
+            nullable=False,
+            default=False,
+            server_default=sa.sql.expression.false(),
+        ),
+    )
+    op.add_column('message', sa.Column('pinned_at', sa.BigInteger(), nullable=True))
+    op.add_column('message', sa.Column('pinned_by', sa.Text(), nullable=True))
+
+
+def downgrade() -> None:
+    op.drop_column('channel_member', 'updated_at')
+    op.drop_column('channel_member', 'last_read_at')
+
+    op.drop_column('channel_member', 'meta')
+    op.drop_column('channel_member', 'data')
+
+    op.drop_column('channel_member', 'is_channel_pinned')
+    op.drop_column('channel_member', 'is_channel_muted')
+
+    op.drop_column('message', 'pinned_by')
+    op.drop_column('message', 'pinned_at')
+    op.drop_column('message', 'is_pinned')

backend/open_webui/migrations/versions/374d2f66af06_add_prompt_history_table.py

@@ -0,0 +1,245 @@
+"""Add prompt history table
+
+Revision ID: 374d2f66af06
+Revises: c440947495f3
+Create Date: 2026-01-23 17:15:00.000000
+
+"""
+
+from typing import Sequence, Union
+import uuid
+
+from alembic import op
+import sqlalchemy as sa
+
+revision: str = '374d2f66af06'
+down_revision: Union[str, None] = 'c440947495f3'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+
+    # Step 1: Read existing data from OLD table (schema likely command as PK)
+    # We use batch_alter previously, but we want to move to new table.
+    # We need to assume the OLD structure.
+
+    old_prompt_table = sa.table(
+        'prompt',
+        sa.column('command', sa.Text()),
+        sa.column('user_id', sa.Text()),
+        sa.column('title', sa.Text()),
+        sa.column('content', sa.Text()),
+        sa.column('timestamp', sa.BigInteger()),
+        sa.column('access_control', sa.JSON()),
+    )
+
+    # Check if table exists/read data
+    try:
+        existing_prompts = conn.execute(
+            sa.select(
+                old_prompt_table.c.command,
+                old_prompt_table.c.user_id,
+                old_prompt_table.c.title,
+                old_prompt_table.c.content,
+                old_prompt_table.c.timestamp,
+                old_prompt_table.c.access_control,
+            )
+        ).fetchall()
+    except Exception:
+        # Fallback if table doesn't exist (new install)
+        existing_prompts = []
+
+    # Step 2: Create new prompt table with 'id' as PRIMARY KEY
+    op.create_table(
+        'prompt_new',
+        sa.Column('id', sa.Text(), primary_key=True),
+        sa.Column('command', sa.String(), unique=True, index=True),
+        sa.Column('user_id', sa.String(), nullable=False),
+        sa.Column('name', sa.Text(), nullable=False),
+        sa.Column('content', sa.Text(), nullable=False),
+        sa.Column('data', sa.JSON(), nullable=True),
+        sa.Column('meta', sa.JSON(), nullable=True),
+        sa.Column('access_control', sa.JSON(), nullable=True),
+        sa.Column('is_active', sa.Boolean(), nullable=False, server_default='1'),
+        sa.Column('version_id', sa.Text(), nullable=True),
+        sa.Column('tags', sa.JSON(), nullable=True),
+        sa.Column('created_at', sa.BigInteger(), nullable=False),
+        sa.Column('updated_at', sa.BigInteger(), nullable=False),
+    )
+
+    # Step 3: Create prompt_history table
+    op.create_table(
+        'prompt_history',
+        sa.Column('id', sa.Text(), primary_key=True),
+        sa.Column('prompt_id', sa.Text(), nullable=False, index=True),
+        sa.Column('parent_id', sa.Text(), nullable=True),
+        sa.Column('snapshot', sa.JSON(), nullable=False),
+        sa.Column('user_id', sa.Text(), nullable=False),
+        sa.Column('commit_message', sa.Text(), nullable=True),
+        sa.Column('created_at', sa.BigInteger(), nullable=False),
+    )
+
+    # Step 4: Migrate data
+    prompt_new_table = sa.table(
+        'prompt_new',
+        sa.column('id', sa.Text()),
+        sa.column('command', sa.String()),
+        sa.column('user_id', sa.String()),
+        sa.column('name', sa.Text()),
+        sa.column('content', sa.Text()),
+        sa.column('data', sa.JSON()),
+        sa.column('meta', sa.JSON()),
+        sa.column('access_control', sa.JSON()),
+        sa.column('is_active', sa.Boolean()),
+        sa.column('version_id', sa.Text()),
+        sa.column('tags', sa.JSON()),
+        sa.column('created_at', sa.BigInteger()),
+        sa.column('updated_at', sa.BigInteger()),
+    )
+
+    prompt_history_table = sa.table(
+        'prompt_history',
+        sa.column('id', sa.Text()),
+        sa.column('prompt_id', sa.Text()),
+        sa.column('parent_id', sa.Text()),
+        sa.column('snapshot', sa.JSON()),
+        sa.column('user_id', sa.Text()),
+        sa.column('commit_message', sa.Text()),
+        sa.column('created_at', sa.BigInteger()),
+    )
+
+    for row in existing_prompts:
+        command = row[0]
+        user_id = row[1]
+        title = row[2]
+        content = row[3]
+        timestamp = row[4]
+        access_control = row[5]
+
+        new_uuid = str(uuid.uuid4())
+        history_uuid = str(uuid.uuid4())
+        clean_command = command[1:] if command and command.startswith('/') else command
+
+        # Insert into prompt_new
+        conn.execute(
+            sa.insert(prompt_new_table).values(
+                id=new_uuid,
+                command=clean_command,
+                user_id=user_id,
+                name=title,
+                content=content,
+                data={},
+                meta={},
+                access_control=access_control,
+                is_active=True,
+                version_id=history_uuid,
+                tags=[],
+                created_at=timestamp,
+                updated_at=timestamp,
+            )
+        )
+
+        # Create initial history entry
+        conn.execute(
+            sa.insert(prompt_history_table).values(
+                id=history_uuid,
+                prompt_id=new_uuid,
+                parent_id=None,
+                snapshot={
+                    'name': title,
+                    'content': content,
+                    'command': clean_command,
+                    'data': {},
+                    'meta': {},
+                    'access_control': access_control,
+                },
+                user_id=user_id,
+                commit_message=None,
+                created_at=timestamp,
+            )
+        )
+
+    # Step 5: Replace old table with new one
+    op.drop_table('prompt')
+    op.rename_table('prompt_new', 'prompt')
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+
+    # Step 1: Read new data
+    prompt_table = sa.table(
+        'prompt',
+        sa.column('command', sa.String()),
+        sa.column('name', sa.Text()),
+        sa.column('created_at', sa.BigInteger()),
+        sa.column('user_id', sa.Text()),
+        sa.column('content', sa.Text()),
+        sa.column('access_control', sa.JSON()),
+    )
+
+    try:
+        current_data = conn.execute(
+            sa.select(
+                prompt_table.c.command,
+                prompt_table.c.name,
+                prompt_table.c.created_at,
+                prompt_table.c.user_id,
+                prompt_table.c.content,
+                prompt_table.c.access_control,
+            )
+        ).fetchall()
+    except Exception:
+        current_data = []
+
+    # Step 2: Drop history and table
+    op.drop_table('prompt_history')
+    op.drop_table('prompt')
+
+    # Step 3: Recreate old table (command as PK?)
+    # Assuming old schema:
+    op.create_table(
+        'prompt',
+        sa.Column('command', sa.String(), primary_key=True),
+        sa.Column('user_id', sa.String()),
+        sa.Column('title', sa.Text()),
+        sa.Column('content', sa.Text()),
+        sa.Column('timestamp', sa.BigInteger()),
+        sa.Column('access_control', sa.JSON()),
+        sa.Column('id', sa.Integer(), nullable=True),
+    )
+
+    # Step 4: Restore data
+    old_prompt_table = sa.table(
+        'prompt',
+        sa.column('command', sa.String()),
+        sa.column('user_id', sa.String()),
+        sa.column('title', sa.Text()),
+        sa.column('content', sa.Text()),
+        sa.column('timestamp', sa.BigInteger()),
+        sa.column('access_control', sa.JSON()),
+    )
+
+    for row in current_data:
+        command = row[0]
+        name = row[1]
+        created_at = row[2]
+        user_id = row[3]
+        content = row[4]
+        access_control = row[5]
+
+        # Restore leading /
+        old_command = '/' + command if command and not command.startswith('/') else command
+
+        conn.execute(
+            sa.insert(old_prompt_table).values(
+                command=old_command,
+                user_id=user_id,
+                title=name,
+                content=content,
+                timestamp=created_at,
+                access_control=access_control,
+            )
+        )

backend/open_webui/migrations/versions/3781e22d8b01_update_message_table.py

@@ -0,0 +1,58 @@
+"""Update message & channel tables
+
+Revision ID: 3781e22d8b01
+Revises: 7826ab40b532
+Create Date: 2024-12-30 03:00:00.000000
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+
+revision = '3781e22d8b01'
+down_revision = '7826ab40b532'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Add 'type' column to the 'channel' table
+    op.add_column(
+        'channel',
+        sa.Column(
+            'type',
+            sa.Text(),
+            nullable=True,
+        ),
+    )
+
+    # Add 'parent_id' column to the 'message' table for threads
+    op.add_column(
+        'message',
+        sa.Column('parent_id', sa.Text(), nullable=True),
+    )
+
+    op.create_table(
+        'message_reaction',
+        sa.Column('id', sa.Text(), nullable=False, primary_key=True, unique=True),  # Unique reaction ID
+        sa.Column('user_id', sa.Text(), nullable=False),  # User who reacted
+        sa.Column('message_id', sa.Text(), nullable=False),  # Message that was reacted to
+        sa.Column('name', sa.Text(), nullable=False),  # Reaction name (e.g. "thumbs_up")
+        sa.Column('created_at', sa.BigInteger(), nullable=True),  # Timestamp of when the reaction was added
+    )
+
+    op.create_table(
+        'channel_member',
+        sa.Column('id', sa.Text(), nullable=False, primary_key=True, unique=True),  # Record ID for the membership row
+        sa.Column('channel_id', sa.Text(), nullable=False),  # Associated channel
+        sa.Column('user_id', sa.Text(), nullable=False),  # Associated user
+        sa.Column('created_at', sa.BigInteger(), nullable=True),  # Timestamp of when the user joined the channel
+    )
+
+
+def downgrade():
+    # Revert 'type' column addition to the 'channel' table
+    op.drop_column('channel', 'type')
+    op.drop_column('message', 'parent_id')
+    op.drop_table('message_reaction')
+    op.drop_table('channel_member')

backend/open_webui/migrations/versions/37f288994c47_add_group_member_table.py

@@ -0,0 +1,137 @@
+"""add_group_member_table
+
+Revision ID: 37f288994c47
+Revises: a5c220713937
+Create Date: 2025-11-17 03:45:25.123939
+
+"""
+
+import uuid
+import time
+import json
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision: str = '37f288994c47'
+down_revision: Union[str, None] = 'a5c220713937'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # 1. Create new table
+    op.create_table(
+        'group_member',
+        sa.Column('id', sa.Text(), primary_key=True, unique=True, nullable=False),
+        sa.Column(
+            'group_id',
+            sa.Text(),
+            sa.ForeignKey('group.id', ondelete='CASCADE'),
+            nullable=False,
+        ),
+        sa.Column(
+            'user_id',
+            sa.Text(),
+            sa.ForeignKey('user.id', ondelete='CASCADE'),
+            nullable=False,
+        ),
+        sa.Column('created_at', sa.BigInteger(), nullable=True),
+        sa.Column('updated_at', sa.BigInteger(), nullable=True),
+        sa.UniqueConstraint('group_id', 'user_id', name='uq_group_member_group_user'),
+    )
+
+    connection = op.get_bind()
+
+    # 2. Read existing group with user_ids JSON column
+    group_table = sa.Table(
+        'group',
+        sa.MetaData(),
+        sa.Column('id', sa.Text()),
+        sa.Column('user_ids', sa.JSON()),  # JSON stored as text in SQLite + PG
+    )
+
+    results = connection.execute(sa.select(group_table.c.id, group_table.c.user_ids)).fetchall()
+
+    print(results)
+
+    # 3. Insert members into group_member table
+    gm_table = sa.Table(
+        'group_member',
+        sa.MetaData(),
+        sa.Column('id', sa.Text()),
+        sa.Column('group_id', sa.Text()),
+        sa.Column('user_id', sa.Text()),
+        sa.Column('created_at', sa.BigInteger()),
+        sa.Column('updated_at', sa.BigInteger()),
+    )
+
+    now = int(time.time())
+    for group_id, user_ids in results:
+        if not user_ids:
+            continue
+
+        if isinstance(user_ids, str):
+            try:
+                user_ids = json.loads(user_ids)
+            except Exception:
+                continue  # skip invalid JSON
+
+        if not isinstance(user_ids, list):
+            continue
+
+        rows = [
+            {
+                'id': str(uuid.uuid4()),
+                'group_id': group_id,
+                'user_id': uid,
+                'created_at': now,
+                'updated_at': now,
+            }
+            for uid in user_ids
+        ]
+
+        if rows:
+            connection.execute(gm_table.insert(), rows)
+
+    # 4. Optionally drop the old column
+    with op.batch_alter_table('group') as batch:
+        batch.drop_column('user_ids')
+
+
+def downgrade():
+    # Reverse: restore user_ids column
+    with op.batch_alter_table('group') as batch:
+        batch.add_column(sa.Column('user_ids', sa.JSON()))
+
+    connection = op.get_bind()
+    gm_table = sa.Table(
+        'group_member',
+        sa.MetaData(),
+        sa.Column('group_id', sa.Text()),
+        sa.Column('user_id', sa.Text()),
+        sa.Column('created_at', sa.BigInteger()),
+        sa.Column('updated_at', sa.BigInteger()),
+    )
+
+    group_table = sa.Table(
+        'group',
+        sa.MetaData(),
+        sa.Column('id', sa.Text()),
+        sa.Column('user_ids', sa.JSON()),
+    )
+
+    # Build JSON arrays again
+    results = connection.execute(sa.select(group_table.c.id)).fetchall()
+
+    for (group_id,) in results:
+        members = connection.execute(sa.select(gm_table.c.user_id).where(gm_table.c.group_id == group_id)).fetchall()
+
+        member_ids = [m[0] for m in members]
+
+        connection.execute(group_table.update().where(group_table.c.id == group_id).values(user_ids=member_ids))
+
+    # Drop the new table
+    op.drop_table('group_member')

backend/open_webui/migrations/versions/38d63c18f30f_add_oauth_session_table.py

@@ -0,0 +1,75 @@
+"""Add oauth_session table
+
+Revision ID: 38d63c18f30f
+Revises: 3af16a1c9fb6
+Create Date: 2025-09-08 14:19:59.583921
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision: str = '38d63c18f30f'
+down_revision: Union[str, None] = '3af16a1c9fb6'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Ensure 'id' column in 'user' table is unique and primary key (ForeignKey constraint)
+    inspector = sa.inspect(op.get_bind())
+    columns = inspector.get_columns('user')
+
+    pk_columns = inspector.get_pk_constraint('user')['constrained_columns']
+    id_column = next((col for col in columns if col['name'] == 'id'), None)
+
+    if id_column and not id_column.get('unique', False):
+        unique_constraints = inspector.get_unique_constraints('user')
+        unique_columns = {tuple(u['column_names']) for u in unique_constraints}
+
+        with op.batch_alter_table('user') as batch_op:
+            # If primary key is wrong, drop it
+            if pk_columns and pk_columns != ['id']:
+                batch_op.drop_constraint(inspector.get_pk_constraint('user')['name'], type_='primary')
+
+            # Add unique constraint if missing
+            if ('id',) not in unique_columns:
+                batch_op.create_unique_constraint('uq_user_id', ['id'])
+
+            # Re-create correct primary key
+            batch_op.create_primary_key('pk_user_id', ['id'])
+
+    # Create oauth_session table
+    op.create_table(
+        'oauth_session',
+        sa.Column('id', sa.Text(), primary_key=True, nullable=False, unique=True),
+        sa.Column(
+            'user_id',
+            sa.Text(),
+            sa.ForeignKey('user.id', ondelete='CASCADE'),
+            nullable=False,
+        ),
+        sa.Column('provider', sa.Text(), nullable=False),
+        sa.Column('token', sa.Text(), nullable=False),
+        sa.Column('expires_at', sa.BigInteger(), nullable=False),
+        sa.Column('created_at', sa.BigInteger(), nullable=False),
+        sa.Column('updated_at', sa.BigInteger(), nullable=False),
+    )
+
+    # Create indexes for better performance
+    op.create_index('idx_oauth_session_user_id', 'oauth_session', ['user_id'])
+    op.create_index('idx_oauth_session_expires_at', 'oauth_session', ['expires_at'])
+    op.create_index('idx_oauth_session_user_provider', 'oauth_session', ['user_id', 'provider'])
+
+
+def downgrade() -> None:
+    # Drop indexes first
+    op.drop_index('idx_oauth_session_user_provider', table_name='oauth_session')
+    op.drop_index('idx_oauth_session_expires_at', table_name='oauth_session')
+    op.drop_index('idx_oauth_session_user_id', table_name='oauth_session')
+
+    # Drop the table
+    op.drop_table('oauth_session')

backend/open_webui/migrations/versions/3ab32c4b8f59_update_tags.py

@@ -0,0 +1,78 @@
+"""Update tags
+
+Revision ID: 3ab32c4b8f59
+Revises: 1af9b942657b
+Create Date: 2024-10-09 21:02:35.241684
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.sql import table, select, update, column
+from sqlalchemy.engine.reflection import Inspector
+
+import json
+
+revision = '3ab32c4b8f59'
+down_revision = '1af9b942657b'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    conn = op.get_bind()
+    inspector = Inspector.from_engine(conn)
+
+    # Inspecting the 'tag' table constraints and structure
+    existing_pk = inspector.get_pk_constraint('tag')
+    unique_constraints = inspector.get_unique_constraints('tag')
+    existing_indexes = inspector.get_indexes('tag')
+
+    print(f'Primary Key: {existing_pk}')
+    print(f'Unique Constraints: {unique_constraints}')
+    print(f'Indexes: {existing_indexes}')
+
+    with op.batch_alter_table('tag', schema=None) as batch_op:
+        # Drop existing primary key constraint if it exists
+        if existing_pk and existing_pk.get('constrained_columns'):
+            pk_name = existing_pk.get('name')
+            if pk_name:
+                print(f'Dropping primary key constraint: {pk_name}')
+                batch_op.drop_constraint(pk_name, type_='primary')
+
+        # Now create the new primary key with the combination of 'id' and 'user_id'
+        print("Creating new primary key with 'id' and 'user_id'.")
+        batch_op.create_primary_key('pk_id_user_id', ['id', 'user_id'])
+
+        # Drop unique constraints that could conflict with the new primary key
+        for constraint in unique_constraints:
+            if (
+                constraint['name'] == 'uq_id_user_id'
+            ):  # Adjust this name according to what is actually returned by the inspector
+                print(f'Dropping unique constraint: {constraint["name"]}')
+                batch_op.drop_constraint(constraint['name'], type_='unique')
+
+        for index in existing_indexes:
+            if index['unique']:
+                if not any(constraint['name'] == index['name'] for constraint in unique_constraints):
+                    # You are attempting to drop unique indexes
+                    print(f'Dropping unique index: {index["name"]}')
+                    batch_op.drop_index(index['name'])
+
+
+def downgrade():
+    conn = op.get_bind()
+    inspector = Inspector.from_engine(conn)
+
+    current_pk = inspector.get_pk_constraint('tag')
+
+    with op.batch_alter_table('tag', schema=None) as batch_op:
+        # Drop the current primary key first, if it matches the one we know we added in upgrade
+        if current_pk and 'pk_id_user_id' == current_pk.get('name'):
+            batch_op.drop_constraint('pk_id_user_id', type_='primary')
+
+        # Restore the original primary key
+        batch_op.create_primary_key('pk_id', ['id'])
+
+        # Since primary key on just 'id' is restored, we now add back any unique constraints if necessary
+        batch_op.create_unique_constraint('uq_id_user_id', ['id', 'user_id'])

backend/open_webui/migrations/versions/3af16a1c9fb6_update_user_table.py

@@ -0,0 +1,32 @@
+"""update user table
+
+Revision ID: 3af16a1c9fb6
+Revises: 018012973d35
+Create Date: 2025-08-21 02:07:18.078283
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision: str = '3af16a1c9fb6'
+down_revision: Union[str, None] = '018012973d35'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column('user', sa.Column('username', sa.String(length=50), nullable=True))
+    op.add_column('user', sa.Column('bio', sa.Text(), nullable=True))
+    op.add_column('user', sa.Column('gender', sa.Text(), nullable=True))
+    op.add_column('user', sa.Column('date_of_birth', sa.Date(), nullable=True))
+
+
+def downgrade() -> None:
+    op.drop_column('user', 'username')
+    op.drop_column('user', 'bio')
+    op.drop_column('user', 'gender')
+    op.drop_column('user', 'date_of_birth')

backend/open_webui/migrations/versions/3e0e00844bb0_add_knowledge_file_table.py

@@ -0,0 +1,161 @@
+"""Add knowledge_file table
+
+Revision ID: 3e0e00844bb0
+Revises: 90ef40d4714e
+Create Date: 2025-12-02 06:54:19.401334
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy import inspect
+import open_webui.internal.db
+
+import time
+import json
+import uuid
+
+# revision identifiers, used by Alembic.
+revision: str = '3e0e00844bb0'
+down_revision: Union[str, None] = '90ef40d4714e'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        'knowledge_file',
+        sa.Column('id', sa.Text(), primary_key=True),
+        sa.Column('user_id', sa.Text(), nullable=False),
+        sa.Column(
+            'knowledge_id',
+            sa.Text(),
+            sa.ForeignKey('knowledge.id', ondelete='CASCADE'),
+            nullable=False,
+        ),
+        sa.Column(
+            'file_id',
+            sa.Text(),
+            sa.ForeignKey('file.id', ondelete='CASCADE'),
+            nullable=False,
+        ),
+        sa.Column('created_at', sa.BigInteger(), nullable=False),
+        sa.Column('updated_at', sa.BigInteger(), nullable=False),
+        # indexes
+        sa.Index('ix_knowledge_file_knowledge_id', 'knowledge_id'),
+        sa.Index('ix_knowledge_file_file_id', 'file_id'),
+        sa.Index('ix_knowledge_file_user_id', 'user_id'),
+        # unique constraints
+        sa.UniqueConstraint(
+            'knowledge_id', 'file_id', name='uq_knowledge_file_knowledge_file'
+        ),  # prevent duplicate entries
+    )
+
+    connection = op.get_bind()
+
+    # 2. Read existing group with user_ids JSON column
+    knowledge_table = sa.Table(
+        'knowledge',
+        sa.MetaData(),
+        sa.Column('id', sa.Text()),
+        sa.Column('user_id', sa.Text()),
+        sa.Column('data', sa.JSON()),  # JSON stored as text in SQLite + PG
+    )
+
+    results = connection.execute(
+        sa.select(knowledge_table.c.id, knowledge_table.c.user_id, knowledge_table.c.data)
+    ).fetchall()
+
+    # 3. Insert members into group_member table
+    kf_table = sa.Table(
+        'knowledge_file',
+        sa.MetaData(),
+        sa.Column('id', sa.Text()),
+        sa.Column('user_id', sa.Text()),
+        sa.Column('knowledge_id', sa.Text()),
+        sa.Column('file_id', sa.Text()),
+        sa.Column('created_at', sa.BigInteger()),
+        sa.Column('updated_at', sa.BigInteger()),
+    )
+
+    file_table = sa.Table(
+        'file',
+        sa.MetaData(),
+        sa.Column('id', sa.Text()),
+    )
+
+    now = int(time.time())
+    for knowledge_id, user_id, data in results:
+        if not data:
+            continue
+
+        if isinstance(data, str):
+            try:
+                data = json.loads(data)
+            except Exception:
+                continue  # skip invalid JSON
+
+        if not isinstance(data, dict):
+            continue
+
+        file_ids = data.get('file_ids', [])
+
+        for file_id in file_ids:
+            file_exists = connection.execute(sa.select(file_table.c.id).where(file_table.c.id == file_id)).fetchone()
+
+            if not file_exists:
+                continue  # skip non-existing files
+
+            row = {
+                'id': str(uuid.uuid4()),
+                'user_id': user_id,
+                'knowledge_id': knowledge_id,
+                'file_id': file_id,
+                'created_at': now,
+                'updated_at': now,
+            }
+            connection.execute(kf_table.insert().values(**row))
+
+    with op.batch_alter_table('knowledge') as batch:
+        batch.drop_column('data')
+
+
+def downgrade() -> None:
+    # 1. Add back the old data column
+    op.add_column('knowledge', sa.Column('data', sa.JSON(), nullable=True))
+
+    connection = op.get_bind()
+
+    # 2. Read knowledge_file entries and reconstruct data JSON
+    knowledge_table = sa.Table(
+        'knowledge',
+        sa.MetaData(),
+        sa.Column('id', sa.Text()),
+        sa.Column('data', sa.JSON()),
+    )
+
+    kf_table = sa.Table(
+        'knowledge_file',
+        sa.MetaData(),
+        sa.Column('id', sa.Text()),
+        sa.Column('knowledge_id', sa.Text()),
+        sa.Column('file_id', sa.Text()),
+    )
+
+    results = connection.execute(sa.select(knowledge_table.c.id)).fetchall()
+
+    for (knowledge_id,) in results:
+        file_ids = connection.execute(
+            sa.select(kf_table.c.file_id).where(kf_table.c.knowledge_id == knowledge_id)
+        ).fetchall()
+
+        file_ids_list = [fid for (fid,) in file_ids]
+
+        data_json = {'file_ids': file_ids_list}
+
+        connection.execute(knowledge_table.update().where(knowledge_table.c.id == knowledge_id).values(data=data_json))
+
+    # 3. Drop the knowledge_file table
+    op.drop_table('knowledge_file')

backend/open_webui/migrations/versions/4ace53fd72c8_update_folder_table_datetime.py

@@ -0,0 +1,67 @@
+"""Update folder table and change DateTime to BigInteger for timestamp fields
+
+Revision ID: 4ace53fd72c8
+Revises: af906e964978
+Create Date: 2024-10-23 03:00:00.000000
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+
+revision = '4ace53fd72c8'
+down_revision = 'af906e964978'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Perform safe alterations using batch operation
+    with op.batch_alter_table('folder', schema=None) as batch_op:
+        # Step 1: Remove server defaults for created_at and updated_at
+        batch_op.alter_column(
+            'created_at',
+            server_default=None,  # Removing server default
+        )
+        batch_op.alter_column(
+            'updated_at',
+            server_default=None,  # Removing server default
+        )
+
+        # Step 2: Change the column types to BigInteger for created_at
+        batch_op.alter_column(
+            'created_at',
+            type_=sa.BigInteger(),
+            existing_type=sa.DateTime(),
+            existing_nullable=False,
+            postgresql_using='extract(epoch from created_at)::bigint',  # Conversion for PostgreSQL
+        )
+
+        # Change the column types to BigInteger for updated_at
+        batch_op.alter_column(
+            'updated_at',
+            type_=sa.BigInteger(),
+            existing_type=sa.DateTime(),
+            existing_nullable=False,
+            postgresql_using='extract(epoch from updated_at)::bigint',  # Conversion for PostgreSQL
+        )
+
+
+def downgrade():
+    # Downgrade: Convert columns back to DateTime and restore defaults
+    with op.batch_alter_table('folder', schema=None) as batch_op:
+        batch_op.alter_column(
+            'created_at',
+            type_=sa.DateTime(),
+            existing_type=sa.BigInteger(),
+            existing_nullable=False,
+            server_default=sa.func.now(),  # Restoring server default on downgrade
+        )
+        batch_op.alter_column(
+            'updated_at',
+            type_=sa.DateTime(),
+            existing_type=sa.BigInteger(),
+            existing_nullable=False,
+            server_default=sa.func.now(),  # Restoring server default on downgrade
+            onupdate=sa.func.now(),  # Restoring onupdate behavior if it was there
+        )

backend/open_webui/migrations/versions/56359461a091_add_calendar_tables.py

@@ -0,0 +1,83 @@
+"""add calendar tables
+
+Revision ID: 56359461a091
+Revises: c1d2e3f4a5b6
+Create Date: 2026-04-19 16:20:58.162045
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '56359461a091'
+down_revision: Union[str, None] = 'c1d2e3f4a5b6'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        'calendar',
+        sa.Column('id', sa.Text(), nullable=False),
+        sa.Column('user_id', sa.Text(), nullable=False),
+        sa.Column('name', sa.Text(), nullable=False),
+        sa.Column('color', sa.Text(), nullable=True),
+        sa.Column('is_default', sa.Boolean(), nullable=False),
+        sa.Column('data', sa.JSON(), nullable=True),
+        sa.Column('meta', sa.JSON(), nullable=True),
+        sa.Column('created_at', sa.BigInteger(), nullable=False),
+        sa.Column('updated_at', sa.BigInteger(), nullable=False),
+        sa.PrimaryKeyConstraint('id'),
+    )
+    op.create_index('ix_calendar_user', 'calendar', ['user_id'], unique=False)
+
+    op.create_table(
+        'calendar_event',
+        sa.Column('id', sa.Text(), nullable=False),
+        sa.Column('calendar_id', sa.Text(), nullable=False),
+        sa.Column('user_id', sa.Text(), nullable=False),
+        sa.Column('title', sa.Text(), nullable=False),
+        sa.Column('description', sa.Text(), nullable=True),
+        sa.Column('start_at', sa.BigInteger(), nullable=False),
+        sa.Column('end_at', sa.BigInteger(), nullable=True),
+        sa.Column('all_day', sa.Boolean(), nullable=False),
+        sa.Column('rrule', sa.Text(), nullable=True),
+        sa.Column('color', sa.Text(), nullable=True),
+        sa.Column('location', sa.Text(), nullable=True),
+        sa.Column('data', sa.JSON(), nullable=True),
+        sa.Column('meta', sa.JSON(), nullable=True),
+        sa.Column('is_cancelled', sa.Boolean(), nullable=False),
+        sa.Column('created_at', sa.BigInteger(), nullable=False),
+        sa.Column('updated_at', sa.BigInteger(), nullable=False),
+        sa.PrimaryKeyConstraint('id'),
+    )
+    op.create_index('ix_calendar_event_calendar', 'calendar_event', ['calendar_id', 'start_at'], unique=False)
+    op.create_index('ix_calendar_event_user_date', 'calendar_event', ['user_id', 'start_at'], unique=False)
+
+    op.create_table(
+        'calendar_event_attendee',
+        sa.Column('id', sa.Text(), nullable=False),
+        sa.Column('event_id', sa.Text(), nullable=False),
+        sa.Column('user_id', sa.Text(), nullable=False),
+        sa.Column('status', sa.Text(), nullable=False),
+        sa.Column('meta', sa.JSON(), nullable=True),
+        sa.Column('created_at', sa.BigInteger(), nullable=False),
+        sa.Column('updated_at', sa.BigInteger(), nullable=False),
+        sa.PrimaryKeyConstraint('id'),
+        sa.UniqueConstraint('event_id', 'user_id', name='uq_event_attendee'),
+    )
+    op.create_index('ix_calendar_event_attendee_user', 'calendar_event_attendee', ['user_id', 'status'], unique=False)
+
+
+def downgrade() -> None:
+    op.drop_index('ix_calendar_event_attendee_user', table_name='calendar_event_attendee')
+    op.drop_table('calendar_event_attendee')
+    op.drop_index('ix_calendar_event_user_date', table_name='calendar_event')
+    op.drop_index('ix_calendar_event_calendar', table_name='calendar_event')
+    op.drop_table('calendar_event')
+    op.drop_index('ix_calendar_user', table_name='calendar')
+    op.drop_table('calendar')