test: replace test_should_ naming with test_verb_noun_context convention

.github/workflows/ghcr-build.yml

@@ -108,7 +108,7 @@ jobs:
       packages: write
     steps:
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -202,7 +202,7 @@ jobs:
           echo "EOF" >> "$GITHUB_OUTPUT"
       - name: Build and push runtime image ${{ matrix.base_image.image }}
         if: github.event.pull_request.head.repo.fork != true
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           push: true
           tags: ${{ env.DOCKER_TAGS }}
@@ -215,7 +215,7 @@ jobs:
       # Forked repos can't push to GHCR, so we just build in order to populate the cache for rebuilding
       - name: Build runtime image ${{ matrix.base_image.image }} for fork
         if: github.event.pull_request.head.repo.fork
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           tags: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
           context: containers/runtime
@@ -236,7 +236,7 @@ jobs:
       packages: write
     steps:
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -324,7 +324,7 @@ jobs:
       # Also compute base tags (no arch suffix) for the merge job output
       - name: Extract base metadata for merge
         id: meta_base
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/openhands/enterprise-server
           tags: |
@@ -350,7 +350,7 @@ jobs:
           # rather than a mutable branch tag like "main" which can serve stale cached layers.
           echo "OPENHANDS_DOCKER_TAG=${RELEVANT_SHA}" >> $GITHUB_ENV
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: enterprise/Dockerfile
@@ -375,7 +375,7 @@ jobs:
     if: github.event.pull_request.head.repo.fork != true
     steps:
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/openhands-resolver.yml

@@ -192,7 +192,7 @@ jobs:
           echo "TARGET_BRANCH=${{ inputs.target_branch || 'main' }}" >> $GITHUB_ENV
 
       - name: Comment on issue with start message
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           github-token: ${{ secrets.PAT_TOKEN || github.token }}
           script: |
@@ -206,7 +206,7 @@ jobs:
 
       - name: Install OpenHands
         id: install_openhands
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         env:
           COMMENT_BODY: ${{ github.event.comment.body || '' }}
           REVIEW_BODY: ${{ github.event.review.body || '' }}
@@ -305,7 +305,7 @@ jobs:
 
       # Step leaves comment for when agent is invoked on PR
       - name: Analyze Push Logs (Updated PR or No Changes) # Skip comment if PR update was successful OR leave comment if the agent made no code changes
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         if: always()
         env:
           AGENT_RESPONDED: ${{ env.AGENT_RESPONDED || 'false' }}
@@ -341,7 +341,7 @@ jobs:
 
       # Step leaves comment for when agent is invoked on issue
       - name: Comment on issue # Comment link to either PR or branch created by agent
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         if: always() # Comment on issue even if the previous steps fail
         env:
           AGENT_RESPONDED: ${{ env.AGENT_RESPONDED || 'false' }}
@@ -416,7 +416,7 @@ jobs:
 
       # Leave error comment when both PR/Issue comment handling fail
       - name: Fallback Error Comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         if: ${{ env.AGENT_RESPONDED == 'false' }} # Only run if no conditions were met in previous steps
         env:
           ISSUE_NUMBER: ${{ env.ISSUE_NUMBER }}

.github/workflows/pr-artifacts.yml

@@ -59,7 +59,7 @@ jobs:
 
             - name: Update PR comment after cleanup
               if: steps.check-fork.outputs.is_fork == 'false' && steps.remove.outputs.removed == 'true'
-              uses: actions/github-script@v7
+              uses: actions/github-script@v9
               with:
                   script: |
                       const marker = '<!-- pr-artifacts-notice -->';
@@ -107,7 +107,7 @@ jobs:
 
             - name: Post or update PR comment
               if: steps.check.outputs.exists == 'true'
-              uses: actions/github-script@v7
+              uses: actions/github-script@v9
               with:
                   script: |
                       const marker = '<!-- pr-artifacts-notice -->';

.github/workflows/py-tests.yml

@@ -115,7 +115,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@v8
         id: download
         with:
           pattern: coverage-*

.github/workflows/welcome-good-first-issue.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Check if welcome comment already exists
         id: check_comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           result-encoding: string
           script: |
@@ -33,7 +33,7 @@ jobs:
 
       - name: Leave welcome comment
         if: steps.check_comment.outputs.result == 'false'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const repoUrl = `https://github.com/${context.repo.owner}/${context.repo.repo}`;

AGENTS.md

@@ -226,6 +226,7 @@ Each integration follows a consistent pattern with service classes, storage mode
 - Database changes require careful migration planning in `enterprise/migrations/`
 - Always test changes in both OpenHands and enterprise contexts
 - Use the enterprise-specific Makefile commands for development
+- When the `openhands-ai` package (root project) version has been updated, run `poetry lock` in the `enterprise/` folder to update the version in the enterprise poetry lockfile.
 
 **Enterprise Testing Best Practices:**
 

enterprise/server/routes/users_v1.py

@@ -12,7 +12,10 @@
 from server.auth.saas_user_auth import SaasUserAuth
 from server.models.user_models import SaasUserInfo
 
-from openhands.app_server.config import depends_user_context
+from openhands.app_server.config import (
+    depends_user_context,
+    resolve_provider_llm_base_url,
+)
 from openhands.app_server.sandbox.session_auth import validate_session_key_ownership
 from openhands.app_server.user.auth_user_context import AuthUserContext
 from openhands.app_server.user.user_context import UserContext
@@ -42,8 +45,9 @@ def _inject_sdk_compat_fields(
     """
     agent_settings = content.get('agent_settings') or {}
     llm = agent_settings.get('llm') or {}
-    content['llm_model'] = llm.get('model')
-    content['llm_base_url'] = llm.get('base_url')
+    model = llm.get('model')
+    content['llm_model'] = model
+    content['llm_base_url'] = resolve_provider_llm_base_url(model, llm.get('base_url'))
     if include_api_key:
         content['llm_api_key'] = llm.get('api_key')
     content['mcp_config'] = agent_settings.get('mcp_config')

enterprise/tests/unit/test_auth_routes.py

@@ -1281,7 +1281,7 @@ class TestKeycloakCallbackRecaptcha:
     """Tests for reCAPTCHA integration in keycloak_callback()."""
 
     @pytest.mark.asyncio
-    async def test_should_verify_recaptcha_and_allow_login_when_score_is_high(
+    async def test_login_allows_when_recaptcha_score_is_high(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that login proceeds when reCAPTCHA score is high."""
@@ -1369,7 +1369,7 @@ async def test_should_verify_recaptcha_and_allow_login_when_score_is_high(
             mock_recaptcha_service.create_assessment.assert_called_once()
 
     @pytest.mark.asyncio
-    async def test_should_block_login_when_recaptcha_score_is_low(
+    async def test_login_blocks_when_recaptcha_score_is_low(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that login is blocked and redirected when reCAPTCHA score is low."""
@@ -1439,7 +1439,7 @@ async def test_should_block_login_when_recaptcha_score_is_low(
             assert 'recaptcha_blocked=true' in result.headers['location']
 
     @pytest.mark.asyncio
-    async def test_should_extract_ip_from_x_forwarded_for_header(
+    async def test_login_extracts_ip_from_x_forwarded_for(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that IP is extracted from X-Forwarded-For header when present."""
@@ -1528,7 +1528,7 @@ async def test_should_extract_ip_from_x_forwarded_for_header(
             assert call_args[1]['user_ip'] == '192.168.1.1'
 
     @pytest.mark.asyncio
-    async def test_should_use_client_host_when_x_forwarded_for_missing(
+    async def test_login_uses_client_host_when_x_forwarded_for_missing(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that client.host is used when X-Forwarded-For is missing."""
@@ -1618,7 +1618,7 @@ async def test_should_use_client_host_when_x_forwarded_for_missing(
             assert call_args[1]['user_ip'] == '192.168.1.2'
 
     @pytest.mark.asyncio
-    async def test_should_use_unknown_ip_when_client_is_none(
+    async def test_login_uses_unknown_ip_when_client_is_none(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that 'unknown' IP is used when client is None."""
@@ -1707,7 +1707,7 @@ async def test_should_use_unknown_ip_when_client_is_none(
             assert call_args[1]['user_ip'] == 'unknown'
 
     @pytest.mark.asyncio
-    async def test_should_include_email_in_assessment_when_available(
+    async def test_login_includes_email_in_assessment(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that email is included in assessment when available."""
@@ -1793,7 +1793,7 @@ async def test_should_include_email_in_assessment_when_available(
             assert call_args[1]['email'] == 'user@example.com'
 
     @pytest.mark.asyncio
-    async def test_should_skip_recaptcha_when_site_key_not_configured(
+    async def test_login_skips_recaptcha_when_site_key_not_configured(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that reCAPTCHA is skipped when RECAPTCHA_SITE_KEY is not configured."""
@@ -1870,7 +1870,7 @@ async def test_should_skip_recaptcha_when_site_key_not_configured(
             mock_recaptcha_service.create_assessment.assert_not_called()
 
     @pytest.mark.asyncio
-    async def test_should_skip_recaptcha_when_token_is_missing(
+    async def test_login_skips_recaptcha_when_token_is_missing(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that reCAPTCHA is skipped when token is missing from state."""
@@ -1941,7 +1941,7 @@ async def test_should_skip_recaptcha_when_token_is_missing(
             mock_recaptcha_service.create_assessment.assert_not_called()
 
     @pytest.mark.asyncio
-    async def test_should_fail_open_when_recaptcha_service_throws_exception(
+    async def test_login_fails_open_when_recaptcha_raises(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that login proceeds (fail open) when reCAPTCHA service throws exception."""
@@ -2029,7 +2029,7 @@ async def test_should_fail_open_when_recaptcha_service_throws_exception(
             assert len(recaptcha_error_calls) > 0
 
     @pytest.mark.asyncio
-    async def test_should_log_warning_when_recaptcha_blocks_user(
+    async def test_login_logs_warning_when_recaptcha_blocks(
         self, mock_request, create_keycloak_user_info
     ):
         """Test that warning is logged when reCAPTCHA blocks user."""